Skip to content

SQLite3Stmt: add an optional array parameter to execute() method, like in PDOStatement #9814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

SQLite3Stmt: add an optional array parameter to execute() method, like in PDOStatement #9814

wants to merge 1 commit into from
+93 −3

Conversation

bohwaz
Copy link
Contributor

@bohwaz bohwaz commented Oct 24, 2022

This change adds a new array parameter to $stmt->execute() to be able to quickly pass parameters values, without having to use bindValue method.

This is to improve the usability of the SQLite3 extension API and motivate people to use parameterized values for security reasons.

For convenience, the array is treated as if it starts at index 1 instead of index zero.

Usage is the same as in PDO:

$db = new SQLite3(':memory:');
$st = $db->prepare('SELECT ?;');
$r = $st->execute(['test']);
var_dump($r->fetchArray());

BC-break: none.

@bohwaz bohwaz force-pushed the sqlite3/execute-params branch from a8d9d1a to 6d48f18 Compare October 24, 2022 02:18
@cmb69
Copy link
Member

cmb69 commented Oct 25, 2022

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

@bohwaz
Copy link
Contributor Author

bohwaz commented Oct 25, 2022

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

This seems quite unintuitive, it's better to use bindValue for that. Also, the SQLite3 extension is already deducing the SQLite type from the PHP type :)

So [42, null, 'string'] will be treated as INTEGER, NULL, and TEXT :)

So you can just cast a string to an int for example if you want to have it stored as INTEGER.

@bohwaz bohwaz requested a review from kocsismate as a code owner October 7, 2023 13:51
@PiotrZ5
Copy link

PiotrZ5 commented Jul 25, 2025

Can we mimic how execute_query works in mysqli or sqlsrv_query in sqlite3 world to achieve one-liner sql-injection safety?
https://www.php.net/manual/en/mysqli.execute-query.php
https://www.php.net/manual/en/function.sqlsrv-query.php

$db = new SQLite3(':memory:');
$st = $db->execute_query('SELECT ?,?,?',['a','b','c']);

or even extend query() and exec() functions with parameters array

$st = $db->query('SELECT ?,?,?',['a','b','c']);
$st = $db->exec('UPDATE MyTable set col1=?, col2=? where col3=?',['a','b','c']);

@PiotrZ5
Copy link

PiotrZ5 commented Jul 25, 2025

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

You can define your table using strict mode to achieve type safety so type hints are not needed anymore.

@PiotrZ5 PiotrZ5 mentioned this pull request Jul 25, 2025
Open
kocsismate
kocsismate reviewed Jul 25, 2025
View reviewed changes
ext/sqlite3/tests/sqlite3_41_prepared_stmt_params.phpt
$stmt = $db->prepare("SELECT * FROM test WHERE id = ? ORDER BY id ASC");
$foo = 'a';
echo "BINDING Value\n";
$results = $stmt->execute([$foo]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be useful to have tests for zero (when the array is empty) and multiple parameters too in order to test the if and the for

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kocsismate kocsismate kocsismate left review comments

Assignees
No one assigned
Labels
Extension: sqlite3
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bohwaz @cmb69 @PiotrZ5 @kocsismate