Request #81260 PDOStatement::execute(array $params)
Submitted: 2021-07-15 12:00 UTC Modified: 2021-07-15 12:19 UTC
From: suconghou at gmail dot com Assigned:
Status: Not a bug Package: PDO MySQL
PHP Version: 7.3.29 OS: mac
Private report: No CVE-ID: None
[2021-07-15 12:00 UTC] suconghou at gmail dot com
Description:
------------
As https://www.php.net/manual/en/pdostatement.execute.php

says,

An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR.

Why not auto-detect string, int and others, and set PDO::PARAM_STR and PARAM_INT ...?

Is it difficult?

Why have we left it alone for years?

I don't know why; we can fix these small issues to make PHP better.
 [2021-07-15 12:19 UTC] dharman@php.net
-Status: Open +Status: Not a bug
 [2021-07-15 12:19 UTC] dharman@php.net
Thanks for taking the interest in improving PHP, but this is not a bug. Guessing the binding type from the variable contents would lead to terrible bugs. The safest option is to bind everything as a string. PDO does let you avoid binding as strings with methods like bindParam and bindValue. The binding type should correlate to the type of the column in your SQL, not the data that you are sending. Use other binding types only when you are certain of what you are doing and you understand type juggling.
[2021-07-15 14:15 UTC] suconghou at gmail dot com
The most common use case is prepare('where id = ?')

and execute([1]),

but the SQL you get is:   where id = '1'

not where id = 1.

Why is the latter case not safer than the former?
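The two binding styles discussed in this thread, side by side, as an added example that is not part of the bug report or of PDO itself. It uses an in-memory SQLite database so it runs offline; the table, rows and the `executeTyped` helper are constructed for this illustration, and the helper takes its parameter types from a map the caller derives from the schema rather than guessing them from the PHP values, which is the practice the maintainer recommends.

```php
<?php
// Added example (not from the bug report): explicit per-parameter types
// taken from the schema, versus the all-strings default of execute(array).
// In-memory SQLite so the script runs offline; table and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// 1) execute(array): every value is bound as PDO::PARAM_STR, as documented.
//    With emulated prepares on MySQL the server receives ... WHERE id = '1'
//    and has to coerce the string back to the column's integer type.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([1]);
$nameViaStringBinding = $stmt->fetchColumn(); // alice's row, found via coercion

// 2) bindValue with a type chosen from the column's declared type.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindValue(':id', 1, PDO::PARAM_INT);
$stmt->execute();
$nameViaIntBinding = $stmt->fetchColumn(); // alice's row, no coercion needed

// 3) Hypothetical helper: the type of each placeholder comes from $types,
//    a map the caller builds from the schema. A placeholder without a
//    declared type is an error, never a guess based on the runtime value.
function executeTyped(PDO $pdo, string $sql, array $params, array $types): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        if (!array_key_exists($name, $types)) {
            throw new InvalidArgumentException("no declared type for :$name");
        }
        $stmt->bindValue(":$name", $value, $types[$name]);
    }
    $stmt->execute();
    return $stmt;
}

// Types are fixed by the users table, not by whatever arrives at runtime:
// "2" from a query string is still bound as an integer for the id column.
$types = ['id' => PDO::PARAM_INT, 'name' => PDO::PARAM_STR];
$rows = executeTyped(
    $pdo,
    'SELECT id FROM users WHERE id >= :id AND name <> :name',
    ['id' => '2', 'name' => 'alice'],
    $types
)->fetchAll(PDO::FETCH_COLUMN);          // bob's id only
```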
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 11:01:28 2024 UTC