Request #40891 mysqli_stmt_bind_param should accept array of parameters to bind
Submitted: 2007-03-22 13:24 UTC Modified: 2011-01-06 14:48 UTC
Votes:9
Avg. Score:4.7 ± 0.7
Reproduced:8 of 9 (88.9%)
Same Version:2 (25.0%)
Same OS:1 (12.5%)
From: john dot navratil at sbcglobal dot net Assigned: mysql
Status: Assigned Package: MySQLi related
PHP Version: 5.2.1 OS: Fedora Core 5
Private report: No CVE-ID:

 [2007-03-22 13:24 UTC] john dot navratil at sbcglobal dot net
Description:
------------
I've read bug #31096 and this is a variant of the same bug, but I beseech you to reconsider.

The C API to mysql defines my_bool mysql_stmt_bind_param(MYSQL_STMT *stmt, MYSQL_BIND *bind) to accept an array of parameters to bind to a prepared statement.  PHP 5.2.1 does not and requires the number of parameters to match both the number of characters in the type string (essentially an array of types) and the number of parameters in the prepared statement.  This works well for static statements but makes dynamic statements impossible to prepare unless one resorts to something like:

$arr = <array-of-values-to-be-bound>
array_unshift($arr, $typeString);
call_user_func_array(array(& $mysqli, "stmt_bind_param"), $arr);
array_shift($arr);

One can argue that this is sufficient (a point which I will concede), but the beauty of PHP is not in its sufficiency (machine code is sufficient, ultimately) but in its expressivity.  The foregoing is not very expressive, is tightly bound to the mysqli_stmt_bind_result signature, and does not mirror the underlying API (which is another PHP strong point).

Would you please consider a variant which accepts two arguments with the second being an array of values to bind to the prepared statement?

Thanks!


 [2011-01-01 23:52 UTC] jani@php.net
-Package: Feature/Change Request +Package: MySQLi related
 [2011-01-06 14:48 UTC] uw@php.net
-Assigned To: +Assigned To: mysql
 [2011-02-03 21:48 UTC] ndavis at tenablesecurity dot com
Agree with John. The current implementation makes writing a mysqli class much more complex than it needs to be. As of 5.3.3 the function signature is still the same.

You could overload bind_param() so that if there's 2 arguments, process the old way. If there's one argument, process it with the input array feature, as an array.

This would be a very good way to maintain backward compatibility.

The expected array input could be:
array('type'=>'value', etc)

This way we could feed an array to a statement value binding function and it would Just Work(tm) without needing to write our own class just to process input variables into the expected input. We can take an array, apply input filtering to it, and feed the array directly to the function.

The current implementation is rather inflexible and doesn't lend itself well to use inside a database class.

thanks!
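
The workaround from the report, written out as an added example (not code from the report or from PHP itself): a helper that binds a runtime-sized array to a mysqli prepared statement, so a dynamic IN list stays parameterized instead of being concatenated into the SQL text. The helper names, the `users` table and the `$mysqli` connection are assumptions.

```php
<?php
// Added example; helper names are hypothetical, not part of mysqli.

/** Infer a mysqli type string ("i", "d" or "s" per value). */
function infer_types(array $values): string
{
    $types = '';
    foreach ($values as $v) {
        $types .= is_int($v) ? 'i' : (is_float($v) ? 'd' : 's');
    }
    return $types;
}

/** Bind an array of values to a prepared statement in one call. */
function bind_array(mysqli_stmt $stmt, array $values, ?string $types = null): void
{
    $values = array_values($values);
    $types = $types ?? infer_types($values);
    // The three counts the report mentions must agree before binding.
    if (strlen($types) !== count($values) || count($values) !== $stmt->param_count) {
        throw new InvalidArgumentException('types, values and placeholders must match in count');
    }
    if ($values === []) {
        return; // statement has no placeholders, nothing to bind
    }
    // bind_param() takes its variables by reference, so build references.
    $args = [$types];
    foreach ($values as $i => $_) {
        $args[] = &$values[$i];
    }
    if (!call_user_func_array([$stmt, 'bind_param'], $args)) {
        throw new RuntimeException('bind_param failed: ' . $stmt->error);
    }
}

/** Build "?, ?, ?" for an IN list; only placeholders reach the SQL text. */
function in_placeholders(array $values): string
{
    if ($values === []) {
        throw new InvalidArgumentException('IN list must not be empty');
    }
    return implode(', ', array_fill(0, count($values), '?'));
}

// Constructed sample input; table and column names are hypothetical.
$ids = [3, 7, 42];
$sql = 'SELECT name FROM users WHERE id IN (' . in_placeholders($ids) . ')';
echo $sql, ' | types: ', infer_types($ids), PHP_EOL;
// With a live connection in $mysqli (assumed):
//   $stmt = $mysqli->prepare($sql); bind_array($stmt, $ids); $stmt->execute();
```

On PHP 5.6 and later, argument unpacking (`$stmt->bind_param($types, ...$values)`) does the same job without `call_user_func_array`.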
 
Last updated: Fri May 26 16:01:37 2017 UTC