[2009-05-15 05:49 UTC] kexianbin at diyism dot com
Description:
------------
Provide a function to get variables from caller scope.
I know tickets 47454, 40339 and 34210 are similar,
but this is indeed a useful function that was overlooked.
Reproduce code:
---------------
Currently:

$name="myname";
$value="lk,jdsk'jlkjdf";

// Turns every "{#var}" into '".addslashes($var)."' and returns PHP source
// that, when eval'd in the caller's scope, yields the interpolated SQL.
function safe($sql)
{
    $sql=strtr($sql, array('"'=>'\"', '\\'=>'\\\\'));
    return 'return "'.preg_replace(array('/\{#(.*?)\}/'), array('".addslashes($\1)."'), $sql).'";';
}

$sql="insert into z_test (name, value) values ('{$name}', '{#value}')";
mysql_query(eval(safe($sql)));

If we have function get_caller_vars() in caller's scope:
(similar to get_defined_vars() in current scope)

$name="myname";
$value="lk,jdsk'jlkjdf";

function mysql_query_safe($sql)
{
    extract(get_caller_vars());   // proposed: pull the caller's variables into this scope
    $sql=strtr($sql, array('"'=>'\"', '\\'=>'\\\\'));
    $sql='return "'.preg_replace(array('/\{#(.*?)\}/'), array('".addslashes($\1)."'), $sql).'";';
    $sql=eval($sql);
    mysql_query($sql);
}

$sql="insert into z_test (name, value) values ('{$name}', '{#value}')";
mysql_query_safe($sql);
Expected result:
----------------
We have a function to get variables in caller scope.
Actual result:
--------------
No such function.
You will say to use PDO, but this code is so ugly:

$sql=$pdo->prepare("select * from sem_SearchChangeShow where Keyword=:Keyword and BatchNum=:BatchNum and OldChannelID=:ApvChannelID_old and OldCategoryID=:ApvCategoryID_old ");
$sql->execute(array(':Keyword'=>$v['Keyword'], ':BatchNum'=>$v['BatchNum'], ':ApvChannelID_old'=>$v['ApvChannelID_old'], ':ApvCategoryID_old'=>$v['ApvCategoryID_old']));
$tmp=$sql->fetch(PDO::FETCH_ASSOC);

Maybe currently I could write like this:

$sql=eval(safe("insert into z_test (name, value) values ('{$name}', '{#value}')"));
mysql_query($sql);

Or I could write like this:

$_='addslashes';
$sql="insert into z_test (name, value) values ('{$name}', '{$_($value)}')";
mysql_query($sql);

For the most convenience of us PHP programmers, maybe we should make a patch to the variable parsing module of double-quoted strings in the PHP engine, to parse variables while adding slashes to them for such formats: "{#variable_name}". For example:

<?
$name="myname";
$value="my'value";
echo "insert into z_test (name, value) values ('{$name}', '{#value}')";
?>

we should get:

insert into z_test (name, value) values ('myname', 'my\'value')

Why set this as bogus? Why don't you realize that the advantage of PHP is exactly the incredible convenience for web programmers?! For example, 'substr' is of the best design in all these languages: java, sql, javascript, python, ruby, etc. ...substr($aStr,index_start,length(>=0)/index_after_end(<0))... that is just the right PHP tradition. I know PDO and prepared statements are ok, but those methods are really trivial and by no means intuitive. Why don't you just make a little change to the variable parsing function of double-quoted strings to save us programmers an enormous waste of time?

In fact, we have no way to reduce the code if we adopt PDO and prepared statements; obviously every variable name appears twice (even appears as a question mark):

$sql=$pdo->prepare("select * from sem_SearchChangeShow where Keyword=:Keyword and BatchNum=:BatchNum and OldChannelID=:ApvChannelID_old and OldCategoryID=:ApvCategoryID_old ");
$sql->execute(array(':Keyword'=>$v['Keyword'], ':BatchNum'=>$v['BatchNum'], ':ApvChannelID_old'=>$v['ApvChannelID_old'], ':ApvCategoryID_old'=>$v['ApvCategoryID_old']));
$tmp=$sql->fetch(PDO::FETCH_ASSOC);

Rasmus, why not have a think about adding the addslashes function to double-quoted strings? That may be the simplest solution for variable replacement in SQL query strings. With the addslashes function in double-quoted strings, we could code like this:

$rs=$pdo->query("select * from sem_SearchChangeShow where Keyword={#Keyword} and BatchNum={#BatchNum} and OldChannelID={#ApvChannelID_old} and OldCategoryID={#ApvCategoryID_old} ");
$data=$rs->fetch(PDO::FETCH_ASSOC);

But, without it, we have to code like this:

$sql=$pdo->prepare("select * from sem_SearchChangeShow where Keyword=:Keyword and BatchNum=:BatchNum and OldChannelID=:ApvChannelID_old and OldCategoryID=:ApvCategoryID_old ");
$sql->execute(array(':Keyword'=>$Keyword, ':BatchNum'=>$BatchNum, ':ApvChannelID_old'=>$ApvChannelID_old, ':ApvCategoryID_old'=>$ApvCategoryID_old));
$data=$sql->fetch(PDO::FETCH_ASSOC);

Please don't set the feature request to "won't fix".

Derick, the problem is right in prepared statements:

$sql=$pdo->prepare("select * from sem_SearchChangeShow where Keyword=:Keyword and BatchNum=:BatchNum and OldChannelID=:ApvChannelID_old and OldCategoryID=:ApvCategoryID_old ");
$sql->execute(array(':Keyword'=>$Keyword, ':BatchNum'=>$BatchNum, ':ApvChannelID_old'=>$ApvChannelID_old, ':ApvCategoryID_old'=>$ApvCategoryID_old));
$data=$sql->fetch(PDO::FETCH_ASSOC);

We need not preparation similar to other languages; we need immediate escape and parse for variables in query strings:

$rs=$pdo->query("select * from sem_SearchChangeShow where Keyword={#Keyword} and BatchNum={#BatchNum} and OldChannelID={#ApvChannelID_old} and OldCategoryID={#ApvCategoryID_old} ");
$data=$rs->fetch(PDO::FETCH_ASSOC);

For matching preciseness, we could only support the format "...{#BatchId}...", not the format "...#BatchId...".

function safe_query($scope, $sql)
{
    extract($scope);
    $sql=strtr($sql, array('"'=>'\"', '\\'=>'\\\\'));
    $sql=eval('return "'.preg_replace(array('/\{#(.*?)\}/'), array('".addslashes($\1)."'), $sql).'";');
    mysql_query($sql);
}
safe_query(get_defined_vars(), "insert into z_test (name, value) values ('{$name}', '{#value}')");
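An added example for this thread, not code from the report or from php-src. It re-implements the requested "{#var}" substitution from the report and the follow-up comments (with preg_replace_callback rather than the report's eval) and places it beside a small template compiler that turns the same "{#var}" syntax into a PDO prepared statement with bound values, which is the ergonomic point the comments keep raising. It runs against an in-memory SQLite database (assumes the pdo_sqlite extension); the table, rows and the attacker-style input are constructed for the demo. Two things the example makes visible that the posted snippets do not: addslashes only has an effect inside a quoted string literal, so the unquoted "BatchNum={#BatchNum}" form in the comments is not protected at all, and the backslash it emits is MySQL-specific escaping that other engines do not honour. Note also that in the report's own code "{$name}" is plain interpolation and is never escaped; only the "{#value}" part goes through addslashes.

```php
<?php
// Added example for this thread; not code from the report or from php-src.
// Assumes the pdo_sqlite extension; table, rows and inputs are constructed here.

// The requested "{#var}" semantics, re-implemented without eval:
// every {#var} is replaced by addslashes($var) taken from $scope.
function addslashes_template(string $template, array $scope): string
{
    return preg_replace_callback(
        '/\{#([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($scope): string {
            return addslashes((string) ($scope[$m[1]] ?? ''));
        },
        $template
    );
}

// The same syntax compiled to a prepared statement: each {#var} becomes a
// "?" placeholder and its value is bound, so the database never parses it.
function compile_template(string $template, array $scope): array
{
    $params = [];
    $sql = preg_replace_callback(
        '/\{#([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($scope, &$params): string {
            if (!array_key_exists($m[1], $scope)) {
                throw new InvalidArgumentException('$' . $m[1] . ' is not in scope');
            }
            $params[] = $scope[$m[1]];
            return '?';
        },
        $template
    );
    return [$sql, $params];
}

function query_template(PDO $pdo, string $template, array $scope): PDOStatement
{
    [$sql, $params] = compile_template($template, $scope);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table z_test (name text, value text, batch integer)');
$pdo->exec("insert into z_test values ('a', 'secret-1', 1), ('b', 'secret-2', 2)");

// 1. Quoted context, the report's own sample value. addslashes emits a
//    backslash escape that MySQL accepts, but SQLite (standard SQL) doubles
//    quotes instead and treats the backslash as an ordinary character, so the
//    literal ends early and the statement is rejected: escaping is per-server.
$value = "lk,jdsk'jlkjdf";
try {
    $pdo->exec(addslashes_template(
        "insert into z_test (name, value, batch) values ('c', '{#value}', 3)",
        get_defined_vars()
    ));
    $quoted = 'accepted';
} catch (PDOException $e) {
    $quoted = 'rejected: ' . $e->getMessage();
}

// 2. Unquoted context, as in the follow-up's "BatchNum={#BatchNum}": there
//    is no quote to escape, so the value is spliced in as SQL and the
//    predicate becomes "batch=1 or 1=1", returning every row.
$BatchNum = '1 or 1=1';   // constructed attacker-controlled input
$leaked = $pdo->query(addslashes_template(
    'select name from z_test where batch={#BatchNum} order by name',
    get_defined_vars()
))->fetchAll(PDO::FETCH_COLUMN);   // ['a', 'b']

// 3. Same template and input through the compiler: the whole string is bound
//    as one value, compares unequal to every integer batch, and nothing leaks.
$bound = query_template(
    $pdo,
    'select name from z_test where batch={#BatchNum} order by name',
    get_defined_vars()
)->fetchAll(PDO::FETCH_COLUMN);    // []

printf("quoted addslashes: %s\nunquoted addslashes: %s\nprepared: %s\n",
    $quoted, json_encode($leaked), json_encode($bound));
```

The compiler keeps the one-name-once convenience asked for in the thread, but the value reaches the server as a bound parameter rather than as SQL text, so it behaves the same in quoted and unquoted positions and does not depend on which escaping rules the target server uses. Passing get_defined_vars() (or compact()) as the scope array gives the caller-scope lookup the report wants without any engine change.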