colshrapnel
8 years ago
committed by
GitHub
1 changed files with 74 additions and 0 deletions
@ -0,0 +1,74 @@ |
|||||||
|
SafeMySQL |
||||||
|
========= |
||||||
|
|
||||||
|
SafeMySQL is a PHP class for safe and convenient handling of MySQL queries. |
||||||
|
- Safe because <b>every</b> dynamic query part goes into the query via <b>placeholder</b> |
||||||
|
- Convenient because it makes application code short and meaningful, without useless repetitions, making it ''extra'' <abbr title="Don't Repeat Yourself">DRY</abbr> |
||||||
|
|
||||||
|
This class is distinguished by three main features |
||||||
|
- Unlike standard libraries, it is using **type-hinted placeholders**, for the **everything** that may be put into the query |
||||||
|
- Unlike standard libraries, it requires no repetitive binding, fetching and such, |
||||||
|
thanks to set of helper methods to get the desired result right out of the query |
||||||
|
- Unlike standard libraries, it can parse placeholders not in the whole query only, but in the arbitary query part, |
||||||
|
thanks to the indispensabe **parse()** method, making complex queries as easy and safe as regular ones. |
||||||
|
|
||||||
|
Yet, it is very easy to use. You need to learn only a few things: |
||||||
|
|
||||||
|
1. You have to **always** pass whatever dynamical data into the query via *placeholder* |
||||||
|
2. Each placeholder have to be marked with data type. At the moment there are six types: |
||||||
|
* ?s ("string") - strings (also ```DATE```, ```FLOAT``` and ```DECIMAL```) |
||||||
|
* ?i ("integer") - the name says it all |
||||||
|
* ?n ("name") - identifiers (table and field names) |
||||||
|
* ?a ("array") - complex placeholder for ```IN()``` operator (substituted with string of 'a','b','c' format, without parentesis) |
||||||
|
* ?u ("update") - complex placeholder for ```SET``` operator (substituted with string of `field`='value',`field`='value' format) |
||||||
|
* ?p ("parsed") - special type placeholder, for inserting already parsed statements without any processing, to avoid double parsing. |
||||||
|
3. To get data right out of the query there are helper methods for the most used: |
||||||
|
* query($query,$param1,$param2, ...) - returns mysqli resource. |
||||||
|
* getOne($query,$param1,$param2, ...) - returns scalar value |
||||||
|
* getRow($query,$param1,$param2, ...) - returns 1-dimensional array, a row |
||||||
|
* getCol($query,$param1,$param2, ...) - returns 1-dimensional array, a column |
||||||
|
* getAll($query,$param1,$param2, ...) - returns 2-dimensional array, an array of rows |
||||||
|
* getInd($key,$query,$par1,$par2, ...) - returns an indexed 2-dimensional array, an array of rows |
||||||
|
* getIndCol($key,$query,$par1,$par2, ...) - returns 1-dimensional array, an indexed column, consists of key => value pairs |
||||||
|
4. For the whatever complex case always use the **parse()** method. And insert |
||||||
|
|
||||||
|
The rest is as usual - just create a regular SQL (with placeholders) and get a result: |
||||||
|
|
||||||
|
* ```$name = $db->getOne('SELECT name FROM table WHERE id = ?i',$_GET['id']);``` |
||||||
|
* ```$data = $db->getInd('id','SELECT * FROM ?n WHERE id IN (?a)','table', array(1,2));``` |
||||||
|
* ```$data = $db->getAll("SELECT * FROM ?n WHERE mod=?s LIMIT ?i",$table,$mod,$limit);``` |
||||||
|
|
||||||
|
The main feature of this class is a <i>type-hinted placeholders</i>. |
||||||
|
And it's a really great step further from just ordinal placeholders used in prepared statements. |
||||||
|
Simply because <b>dynamical parts of the query aren't limited to just scalar data!</b> |
||||||
|
In the real life we have to add identifiers, arrays for ```IN``` operator, and arrays for ```INSERT``` and ```UPDATE``` queries. |
||||||
|
So - we need <b>many</b> different types of data formatting. Thus, we need the way to tell the driver how to format this particular data. |
||||||
|
Conventional prepared statements use toilsome and repeating bind_* functions. |
||||||
|
But there is a way more sleek and useful way - to set the type along with placeholder itself. It is not something new - well-known ```printf()``` function uses exactly the same mechanism. So, I hesitated not to borrow such a brilliant idea. |
||||||
|
|
||||||
|
To implement such a feature, no doubt one have to have their own query parser. No problem, it's not a big deal. But the benefits are innumerable. |
||||||
|
Look at all the questions on Stack Overflow where developers are trying in vain to bind a field name. |
||||||
|
Voila - with the identifier placeholder it is as easy as adding a field value: |
||||||
|
|
||||||
|
```php |
||||||
|
$field = $_POST['field']; |
||||||
|
$value = $_POST['value']; |
||||||
|
$sql = "SELECT * FROM table WHERE ?n LIKE ?s"; |
||||||
|
$data = $db->query($sql,$field,"%$value%"); |
||||||
|
``` |
||||||
|
|
||||||
|
Nothing could be easier! |
||||||
|
|
||||||
|
Of course we will have placeholders for the common types - strings and numbers. |
||||||
|
But as we started inventing new placeholders - let's make some more! |
||||||
|
|
||||||
|
Another trouble in creating prepared queries - arrays going to the IN operator. Everyone is trying to do it their own way, but the type-hinted placeholder makes it as simple as adding a string: |
||||||
|
|
||||||
|
```php |
||||||
|
$array = array(1,2,3); |
||||||
|
$data = $db->query("SELECT * FROM table WHERE id IN (?a)",$array); |
||||||
|
``` |
||||||
|
|
||||||
|
The same goes for such toilsome queries like ```INSERT``` and ```UPDATE```. |
||||||
|
|
||||||
|
And, of course, we have a set of helper functions to turn type-hinted placeholders into real brilliant, making almost every call to the database as simple as one or two lines of code for all the regular real life tasks. |
||||||
Loading…
Reference in new issue