rfc:pdo_escape_placeholders

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
rfc:pdo_escape_placeholders [2017/06/07 10:52] mbeccatirfc:pdo_escape_placeholders [2020/08/01 23:55] (current) – RFC was implemented carusogabriel
Line 1: Line 1:
 ====== PHP RFC: Escape PDO "?" parameter placeholder ====== ====== PHP RFC: Escape PDO "?" parameter placeholder ======
-  * Version: 0.+  * Version: 1.0 
-  * Date: 2016-12-18+  * Date: 2019-05-31
   * Author: Matteo Beccati <mbeccati@php.net>   * Author: Matteo Beccati <mbeccati@php.net>
-  * Status: Pre-Draft+  * Status: Implemented
   * First Published at: http://wiki.php.net/rfc/pdo_escape_placeholders   * First Published at: http://wiki.php.net/rfc/pdo_escape_placeholders
 +  * Targets: PHP 7.4
  
 ===== Introduction ===== ===== Introduction =====
Line 28: Line 29:
 The parsing of the "??" character sequence within queries is going to change, but only when they are outside of literal strings or comments. Since such character sequence isn't normally valid SQL syntax, no BC break is expected.  The parsing of the "??" character sequence within queries is going to change, but only when they are outside of literal strings or comments. Since such character sequence isn't normally valid SQL syntax, no BC break is expected. 
  
-The only exception to that is that Postgres (and possibly other RDMSs) allows the creation of custom operators: anyone having created a "??" operator would need to escape it as "????".+The only exception to that is that Postgres (and possibly other RDMSs) allows the creation of custom operators: anyone having a custom "??" operator in use would need to escape it as "????".
  
 Since the change affects the PDO SQL parser, all the drivers could potentially use escaping, unless they use the "?" character themselves as prepared statement parameter placeholder. In that case "??" will be sent to the database as-is do avoid any confusion. Since the change affects the PDO SQL parser, all the drivers could potentially use escaping, unless they use the "?" character themselves as prepared statement parameter placeholder. In that case "??" will be sent to the database as-is do avoid any confusion.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
-Next PHP 7.x, which is 7.2.+Next PHP 7.x, which is 7.4.
  
 ===== RFC Impact ===== ===== RFC Impact =====
Line 49: Line 50:
  
 ===== Alternative proposals ===== ===== Alternative proposals =====
 +
 +==== Why not \? ====
 +That was my first idea, but backslash is the escaping symbol for strings themselves, which was potentially making eventual escaping quite confusing: in order to send a backslash followed by a positional parameter placeholder one would have to write "\\\?" or "\\\\?", as "\\?" is in fact equivalent to "\?".
 +
 +==== New PDO Flags ====
 It had been proposed to add some flags to enable/disable usage of positional and/or named PDO parameter placeholders. After some evaluation, I've discarded it as I would find them unpractical to use (e.g. set the flag, execute, restore previous flags), potentially harmful for any code that follows (e.g. flags not reset after catching an exception), if at all a viable option for users of ORM or abstraction libraries. It had been proposed to add some flags to enable/disable usage of positional and/or named PDO parameter placeholders. After some evaluation, I've discarded it as I would find them unpractical to use (e.g. set the flag, execute, restore previous flags), potentially harmful for any code that follows (e.g. flags not reset after catching an exception), if at all a viable option for users of ORM or abstraction libraries.
  
-Likewise, using different styles for placeholders to match the database engine in use seems a huge step backwards.+==== Custom placeholder styles for drivers ==== 
 +Another suggestion was to use different styles for placeholders to match the database driver in use, which to me seems a huge step backwards.
  
 ===== Unaffected PHP Functionality ===== ===== Unaffected PHP Functionality =====
 Everything not PDO. Everything not PDO.
  
-===== Future Scope ===== +===== Vote ===== 
-This sections details areas where the feature might be improved in future, but that are not currently proposed in this RFC.+Started 7th July 2019Ends 22nd July 2019 
 +<doodle title="Add ?? as a way to escape ? in PDO parametrised queries?" auth="mbeccati" voteType="single" closed="true"> 
 +   * Yes 
 +   * No 
 +</doodle>
  
 ===== Proposed Voting Choices ===== ===== Proposed Voting Choices =====
-Since there is no language change, this RFC requires a 50%+1 majority+This RFC requires a 2/3 majority
  
 ===== Patches and Tests ===== ===== Patches and Tests =====
-[[https://github.com/php/php-src/pull/1967]]+[[https://github.com/php/php-src/pull/4217]]
  
 ===== References ===== ===== References =====
-[[https://externals.io/thread/81#email-10436]]+  * [[https://bugs.php.net/bug.php?id=71885]] (Feature request) 
 +  * [[https://github.com/php/php-src/pull/1967]] (Original PR)
  
rfc/pdo_escape_placeholders.1496832744.txt.gz · Last modified: 2017/09/22 13:28 (external edit)