[support] db_select()->condition()
Larry Garfield
larry at garfieldtech.com
Sat May 26 17:41:08 UTC 2012
PHP's documentation is sometimes a little quirky when it comes to
arrays, because there are arrays, then there are iterable things (some
objects plus arrays), []-accessible things (some other objects plus
arrays), etc. It's kinda screwy. :-)
For the record, yes, both db_query() and db_select()->execute() give you
back an identical statement object. db_select() is more flexible, but
adds a dozen or two function calls to the process before you get to the
actual query execution. Don't do that unless you need to.
Also, the previous code had a security hole.
db_select('mytable', 'mt')
  ->fields('mt', array('myvar'))
  ->condition('mystring', '%' . $somevariable . '%', 'LIKE')
  ->execute();
You actually want db_like($somevariable), which handles DB-specific
escaping in LIKE strings. Forgetting to do so is almost the only
possible SQL injection attack vector left in Drupal unless you bypass
DBTNG entirely. :-)
--Larry Garfield, primary author, DBTNG
On 05/26/2012 09:47 AM, Earnie Boyd wrote:
> Please accept my apology. I did try db_select()->execute()->fetch()
> and was returned an "Undefined method" error but now I try it and it
> worked. Thanks for the explanations and push Michael.
>
> Also the php.net/foreach syntax diagram suggests array_expression as
> required which is why I was also thinking it must be an array. But
> the sentence before the diagram states "array or object". They do give
> a link to php.net/manual/en/language.oop5.iterations.php which gives
> an example of object iteration.
>
> Earnie
>
> On Fri, May 25, 2012 at 11:47 PM, Michael Prasuhn <mike at mikeyp.net> wrote:
>> On May 25, 2012, at 2:16 PM, Earnie Boyd wrote:
>>
>>> Uh, no it does not return the same thing or I would be able to do
>>> db_select()->execute()->fetch().
>>>
>>> You must use foreach(db_select()->execute() as $row) to get the data
>>> and the data type of the first parameter of foreach is an array.
>> Nope, db_query() and SelectQuery::execute() *DO* return the same thing, and it's NOT an array. Just because you can use foreach does not make it an array.
>>
>> Both db_query() and SelectQuery::execute() return the exact same thing: an object of class DatabaseStatementBase (may be different depending on the database being used) that implements DatabaseStatementInterface. These classes both implement the iterator interface which allows them to be, well, iterated upon as if they were arrays.
>>
>> If you read the code at http://api.drupal.org/api/drupal/includes%21database%21database.inc/function/db_query/7 and http://api.drupal.org/api/drupal/includes%21database%21select.inc/function/SelectQuery%3A%3Aexecute/7 you can clearly see that they are both calling the same function as their return value.
>>
>> Before you say that the code you suggested doesn't work please give it a try and actually run this:
>>
>> <?php
>> $result = db_query("SELECT * FROM {node}");
>> print get_class($result) . "\n";
>>
>> $result_2 = db_select('node', 'n')->fields('n')->execute();
>> print get_class($result_2);
>>
>> Or this call to fetch() from the result of db_query() which you claim doesn't work:
>>
>> <?php
>> $result = db_query("SELECT * FROM {node}");
>> var_dump($result->fetch());
>>
>> $result_2 = db_select('node', 'n')->fields('n')->execute();
>> var_dump($result_2->fetch());
>>
>> You'll notice that in the second example the results are identical.
>>
>> You can read more about the Iterator interface at: http://www.php.net/manual/en/class.iterator.php.
>>
>> -Mike
>>
>> __________________
>> Michael Prasuhn
>> http://mikeyp.net
>>
>>
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>
>
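What escaping the LIKE pattern changes, shown as an added example that is not part of the original message or of Drupal's own code. like_escape() is a hypothetical stand-in that escapes the same characters db_like() does (%, _ and backslash), and the in-memory SQLite table and its rows are constructed so the script runs without a Drupal bootstrap (it needs the pdo_sqlite extension).

```php
<?php
// Added example: like_escape(), search() and the sample rows are constructed
// for illustration. In Drupal 7 itself the corrected condition would be:
//   ->condition('mystring', '%' . db_like($somevariable) . '%', 'LIKE')

function like_escape($string) {
  // Backslash-escape the LIKE wildcards % and _ and the escape character itself.
  return addcslashes($string, '\%_');
}

function search(PDO $pdo, $pattern) {
  // The pattern is bound as a parameter, so it cannot change the SQL text.
  // Wildcards inside the bound value are still interpreted by LIKE, though.
  // ESCAPE is explicit because SQLite has no default LIKE escape character.
  $sql = "SELECT myvar FROM mytable WHERE mystring LIKE :p ESCAPE '\\' ORDER BY myvar";
  $stmt = $pdo->prepare($sql);
  $stmt->execute(array(':p' => $pattern));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (myvar TEXT, mystring TEXT)');

// Constructed sample rows: two contain a literal wildcard character.
$rows = array(
  array('a', '50% off'),
  array('b', 'full price'),
  array('c', 'user_name'),
  array('d', 'username'),
);
$insert = $pdo->prepare('INSERT INTO mytable (myvar, mystring) VALUES (?, ?)');
foreach ($rows as $row) {
  $insert->execute($row);
}

// User input consisting only of a wildcard character.
foreach (array('%', '_') as $somevariable) {
  $unescaped = search($pdo, '%' . $somevariable . '%');
  $escaped = search($pdo, '%' . like_escape($somevariable) . '%');
  printf(
    "input '%s': unescaped matches [%s], escaped matches [%s]\n",
    $somevariable,
    implode(', ', $unescaped),
    implode(', ', $escaped)
  );
}
```

Without escaping, the submitted wildcard widens the match to rows the search term does not literally appear in; with escaping, only rows containing the literal character match.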