Dev: upsert()/setData() and binds #6688
Comments
@codeigniter4/database-team Can you comment?
I don't know if this is relevant to this case. On the other hand, if we use QueryBuilder to escape values when generating a query, Therefore, it is safer to change the implementation to execute queries as prepared statements by default.
I thought of taking a look at using binds with upsert. Just had a lot going on and haven't had the chance yet. One problem for now with using binds is that
+1 for binds.
Allowing you to decide whether or not to use binds allows the developer to choose based on performance. Surely if you're only updating a few records the performance wouldn't be such an issue.
Taking a look at binds, it appears it does just about absolutely nothing but use escape(), which is done anyway with *batch(). I thought it was using mysqli prepared statements, but it is not. Everything is done here:

```php
/**
 * Match bindings
 */
protected function matchNamedBinds(string $sql, array $binds): string
{
    $replacers = [];

    foreach ($binds as $placeholder => $value) {
        // $value[1] contains the boolean whether should be escaped or not
        $escapedValue = $value[1] ? $this->db->escape($value[0]) : $value[0];

        // In order to correctly handle backslashes in saved strings
        // we will need to preg_quote, so remove the wrapping escape characters
        // otherwise it will get escaped.
        if (is_array($value[0])) {
            $escapedValue = '(' . implode(',', $escapedValue) . ')';
        }

        $replacers[":{$placeholder}:"] = $escapedValue;
    }

    return strtr($sql, $replacers);
}
```
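As an added example, not code from the CodeIgniter project or from the commenter above: a stand-alone PHP script that mirrors the `:name:` substitution of matchNamedBinds() with a toy escape function and puts it next to a PDO prepared statement against an in-memory SQLite table. The function names (toyEscape(), interpolateBinds(), preparedLookup()), the users table and its rows are all constructed for this illustration; toyEscape() only doubles single quotes and is not a substitute for a driver's charset-aware escape(). It shows that with binds the escaped value becomes part of the query text, that a bind whose escape flag is false is spliced in as raw SQL, and that with a prepared statement the value never touches the statement text.

```php
<?php
// Added example, not CodeIgniter code: contrasts ":name:" bind interpolation
// (the approach in matchNamedBinds() above) with a real prepared statement.
// Needs the pdo_sqlite extension; the table and rows below are constructed.

declare(strict_types=1);

// Stand-in for a driver's escape(): turns a PHP scalar into a SQL literal.
// Real drivers do charset-aware escaping; this only doubles single quotes.
function toyEscape($value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }

    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Mirrors matchNamedBinds(): $binds is [name => [value, shouldEscape]].
// The return value is a finished SQL string; the values are inside it, so
// the database sees one opaque statement and nothing is bound server-side.
function interpolateBinds(string $sql, array $binds): string
{
    $replacers = [];

    foreach ($binds as $placeholder => [$value, $escape]) {
        if (is_array($value)) {
            $items   = $escape ? array_map('toyEscape', $value) : $value;
            $escaped = '(' . implode(',', $items) . ')';
        } else {
            $escaped = $escape ? toyEscape($value) : (string) $value;
        }

        $replacers[":{$placeholder}:"] = $escaped;
    }

    return strtr($sql, $replacers);
}

// The same lookup as a PDO prepared statement: the template is compiled
// first and the value is passed separately, so its content cannot change
// the shape of the statement.
function preparedLookup(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''brien')");

$hostile = "x' OR 1=1 --";

// 1. Escaped binds: the quote is doubled, the value stays a literal, and the
//    array bind becomes a parenthesised list.
$sql = interpolateBinds(
    'SELECT id, name FROM users WHERE name = :name: OR id IN :ids:',
    ['name' => ["o'brien", true], 'ids' => [[1, 2], true]]
);
echo $sql, PHP_EOL;
print_r($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));

// 2. Bind with escaping switched off ($value[1] === false): the string is
//    spliced in as raw SQL and the WHERE clause is rewritten by the input.
$sql = interpolateBinds(
    'SELECT id, name FROM users WHERE name = :name:',
    ['name' => ["'{$hostile}", false]]
);
echo $sql, PHP_EOL;
print_r($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));

// 3. Prepared statement with the same hostile value: it is compared as data
//    and simply matches no row.
print_r(preparedLookup($db, $hostile));
```

Run with `php binds.php` on a PHP build that has pdo_sqlite. The practical point for the thread: on the bind path the safety of every query rests on escape() being correct for the connection's charset and on every call site passing the right escape flag, whereas a server-side prepared statement removes that dependency because the driver never has to turn the value into query text.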
Yes, we should use the database's prepared statements, but the feature is missing now.
See #6600 (comment)
The following test (MySQL) fails now. Should upsert() also use binds?