First of all, this is clearly a PHP problem, not a Postgresql problem. But
that's ok.
The lack of the standard database API is one of the biggest reasons I gave up on
PHP last Spring after trying it for a couple months. I knew that sooner or later
I'd find myself in exactly the mess you seem to be in. No offense of course.
;-) Perl's DBI works pretty much the same across platforms, especially in how
it takes care of the quoting issue you describe. There are a number of ways to
embed perl code in html pages much like PHP, including HTML::Mason and Embperl.
Staying with PHP, you probably want to look at magicquotes related functions and
configuration options, and the addslashes and stripslashes functions. In
particular, I think there's a magic_quotes_sybase option that looks like it may
play well with postgres.
Good luck,
Wes Sheldahl
Kirk Strauser <kirk%nmotioninc.com@interlock.lexmark.com> on 11/28/2001 11:53:13
AM
To: pgsql-general%postgresql.org@interlock.lexmark.com
cc: (bcc: Wesley Sheldahl/Lex/Lexmark)
Subject: [GENERAL] Could be a FAQ: prepare/execute in PHP?
My company is migrating our PHP4 web sites from Interbase (boo!) to
PostgreSQL (yay!). One big snag, though, is that we had been using the
ibase_prepare() and ibase_execute() functions quite heavily throughout all
of the sites, and PHP's PostgreSQL API doesn't *seem* to include similar
functionality.
Now, I don't know that it would have a negative performance impact.
Frankly, I haven't delved into the code, so for all I know, it uses a lot of
internal caching to emulate prepare/execute. The main problem, though, is
that the prepare/execute style lets you avoid a lot of quoting issues when
inserting data. For example, in our old code, we'd use:
$sth = ibase_prepare($dbh, "insert into foo (bar, baz) values (?, ?)");
ibase_execute($sth, $var1, $var2);
Since the PHP backend would map the placeholders directly to the fields bar
and baz, we didn't have to worry about any great level of sanity checking.
Any values of $var1 and $var2 would be cheerfully written into bar and baz,
regardless of quotes or embedded SQL statements or anything else. The lack
of an pg_execute() function means that we'll have to build the SQL queries
from scratch and rewrite large chunks of our code.
So, does anyone have any suggestions for how we can work around this, or how
other people have handled the situation, or even why the PostgreSQL API is
better or worse than the MySQL/Interbase API?
A million thanks,
--
Kirk Strauser
Internet Software Engineer
NMotion, Inc.
---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://archives.postgresql.org
