[RFC] Escape PDO "?" parameter placeholder

  105810
May 31, 2019 11:26 php@beccati.com (Matteo Beccati)
Hi everyone,

following some recent unrest in the comments of the related PR, I've
decided to invest a bit of time on it and finally move it to draft status:

https://wiki.php.net/rfc/pdo_escape_placeholders

The PR is currently closed, but I will soon rebase and update it.

Any feedback kindly accepted!


Cheers
-- 
Matteo Beccati

Development & Consulting - http://www.beccati.com/
  105811
May 31, 2019 14:33 levim@php.net (Levi Morrison)
On Fri, May 31, 2019 at 5:27 AM Matteo Beccati <php@beccati.com> wrote:
> > Hi everyone, > > following some recent unrest in the comments of the related PR, I've > decided to invest a bit of time on it and finally move it to draft status: > > https://wiki.php.net/rfc/pdo_escape_placeholders > > The PR is currently closed, but I will soon rebase and update it. > > Any feedback kindly accepted! > > > Cheers > -- > Matteo Beccati > > Development & Consulting - http://www.beccati.com/ > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php
My initial thought is that unless 2 or more database vendors we support have this feature then it shouldn't get added. From our manual:
> The PHP Data Objects (PDO) extension defines a lightweight, consistent > interface for accessing databases in PHP. Each database driver that > implements the PDO interface can expose database-specific features > as regular extension functions.
As this proposal affects syntax I think such changes are unwise.
  105812
May 31, 2019 14:54 php@beccati.com (Matteo Beccati)
On 31/05/2019 16:33, Levi Morrison wrote:
> My initial thought is that unless 2 or more database vendors we > support have this feature then it shouldn't get added. From our > manual: > >> The PHP Data Objects (PDO) extension defines a lightweight, consistent >> interface for accessing databases in PHP. Each database driver that >> implements the PDO interface can expose database-specific features >> as regular extension functions.
The point is that the driver cannot expose anything in this case as the parser is global.
> As this proposal affects syntax I think such changes are unwise.
Could you please elaborate? Cheers -- Matteo Beccati Development & Consulting - http://www.beccati.com/
  105813
May 31, 2019 16:18 rowan.collins@gmail.com (Rowan Collins)
On Fri, 31 May 2019 at 12:27, Matteo Beccati <php@beccati.com> wrote:

> Hi everyone, > > following some recent unrest in the comments of the related PR, I've > decided to invest a bit of time on it and finally move it to draft status: > > https://wiki.php.net/rfc/pdo_escape_placeholders >
Hi Matteo, This sounds like a very useful change. As you say in the RFC, these operators are going to be more and more common for Postgres users now that they've been defined for JSON types, and users of most other DBMSes will be completely unaffected. I wonder if there's any way we can gauge the BC impact, specifically this case:
> The only exception to that is that Postgres (and possibly other RDMSs) allows the creation of custom operators: anyone having a custom “??”
operator in use would need to escape it as “????”. - Are there any standard or public Postgres extensions that define a "??" operator? e.g. anything published on https://pgxn.org/ - Are there any other databases supported by PDO that allow custom operators, or which might have a "??" operator or syntax token? If there is a risk of this affecting a reasonable number of people, we could add a deprecation notice on encountering "??" in any SQL string in 7.4, and postpone adding the escaping mechanism until 8.0. One other thing worth clarifying is the precise circumstances where ?? will be treated as an escape. Is it only when it's a separate "word" (start/end of string or surrounded by whitespace)? For instance, would "A ??= B" be "unescaped" to "A ?= B" or passed through as is? Note that this changes the scope of the BC break, as well as the usability of the chosen syntax, as both "?=" and "??=" could be defined as operators. Regards, -- Rowan Collins [IMSoP]
  105814
June 1, 2019 06:46 php@beccati.com (Matteo Beccati)
Hi Rowan,

On 31/05/2019 18:18, Rowan Collins wrote:
> This sounds like a very useful change. As you say in the RFC, these > operators are going to be more and more common for Postgres users now that > they've been defined for JSON types, and users of most other DBMSes will be > completely unaffected.
Thanks, the patch is been sitting on my HD since a few years now. Mostly no one complained about the geometric operators containing a "?", but for JSON I guess it's already a bit too late.
> I wonder if there's any way we can gauge the BC impact, specifically this > case: > >> The only exception to that is that Postgres (and possibly other RDMSs) > allows the creation of custom operators: anyone having a custom “??” > operator in use would need to escape it as “????”. > - Are there any standard or public Postgres extensions that define a "??" > operator? e.g. anything published on https://pgxn.org/
I couldn't find anything, but I can try and ask on the postgres mailing lists.
> - Are there any other databases supported by PDO that allow custom > operators, or which might have a "??" operator or syntax token?
Not that I know of. Researching that hasn't been easy, but it seems that most of the databases use "?" for positional parameters in prepared queries. Any additional help would be appreciated.
> If there is a risk of this affecting a reasonable number of people, we > could add a deprecation notice on encountering "??" in any SQL string in > 7.4, and postpone adding the escaping mechanism until 8.0.
Nice catch. I thought one couldn't have "??" but it seems the parser currently doesn't allow two consecutive positional parameter question marks and "??" was sent as-is. I'll try doing more research on the topic.
> One other thing worth clarifying is the precise circumstances where ?? will > be treated as an escape. Is it only when it's a separate "word" (start/end > of string or surrounded by whitespace)? For instance, would "A ??= B" be > "unescaped" to "A ?= B" or passed through as is? Note that this changes the > scope of the BC break, as well as the usability of the chosen syntax, as > both "?=" and "??=" could be defined as operators.
No word boundaries involved. Any occurrence of "??" outside comments will be translated into "?", so that operators containing the "?" ("A ?| B", "A ?& B") can be used. If one had defined both "?=" and "??=", they would need to be escaped in PDO as "??=" and "????=". Cheers -- Matteo Beccati Development & Consulting - http://www.beccati.com/