pg_query_params

(PHP 5 >= 5.1.0)

pg_query_paramsSubmits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.

Description

resource pg_query_params ([ resource $connection ], string $query , array $params )

Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.

pg_query_params() is like pg_query(), but offers additional functionality: parameter values can be specified separately from the command string proper. pg_query_params() is supported only against PostgreSQL 7.4 or higher connections; it will fail when using earlier versions.

If parameters are used, they are referred to in the query string as $1, $2, etc. The same parameter may appear more than once in the query; the same value will be used in that case. params specifies the actual values of the parameters. A NULL value in this array means the corresponding parameter is SQL NULL.

The primary advantage of pg_query_params() over pg_query() is that parameter values may be separated from the query string, thus avoiding the need for tedious and error-prone quoting and escaping. Unlike pg_query(), pg_query_params() allows at most one SQL command in the given string. (There can be semicolons in it, but not more than one nonempty command.)

Parameters

connection

PostgreSQL database connection resource. When connection is not present, the default connection is used. The default connection is the last connection made by pg_connect() or pg_pconnect().

query

The parameterized SQL statement. Must contain only a single statement. (multiple statements separated by semi-colons are not allowed.) If any parameters are used, they are referred to as $1, $2, etc.

User-supplied values should always be passed as parameters, not interpolated into the query string, where they form possible SQL injection attack vectors and introduce bugs when handling data containing quotes. If for some reason you cannot use a parameter, ensure that interpolated values are properly escaped.

params

An array of parameter values to substitute for the $1, $2, etc. placeholders in the original prepared query string. The number of elements in the array must match the number of placeholders.

Values intended for bytea fields are not supported as parameters. Use pg_escape_bytea() instead, or use the large object functions.

Return Values

A query result resource on success or FALSE on failure.

Examples

Example #1 Using pg_query_params()

<?php
// Connect to a database named "mary"
$dbconn pg_connect("dbname=mary");

// Find all shops named Joe's Widgets.  Note that it is not necessary to
// escape "Joe's Widgets"
$result pg_query_params($dbconn'SELECT * FROM shops WHERE name = $1', array("Joe's Widgets"));

// Compare against just using pg_query
$str pg_escape_string("Joe's Widgets");
$result pg_query($dbconn"SELECT * FROM shops WHERE name = '{$str}'");

?>

See Also

Коментарии

This is a useful function for preventing SQL injection attacks, so, for those of us who are not yet able to upgrade to PHP5.1, here is a replacement function which works similarly on older versions of PHP...

<?php   # Parameterised query implementation for Postgresql and older versions of PHP

       
if( !function_exists'pg_query_params' ) ) {

                function 
pg_query_params__callback$at ) {
                        global 
$pg_query_params__parameters;
                        return 
$pg_query_params__parameters$at[1]-];
                }

                function 
pg_query_params$db$query$parameters ) {

                       
// Escape parameters as required & build parameters for callback function
                       
global $pg_query_params__parameters;
                        foreach( 
$parameters as $k=>$v )
                               
$parameters[$k] = ( is_int$v ) ? $v "'".pg_escape_string$v )."'" );
                       
$pg_query_params__parameters $parameters;

                       
// Call using pg_query
                       
return pg_query$dbpreg_replace_callback'/\$([0-9]+)/''pg_query_params__callback'$query ) );

                }
        }

       
// Example: pg_query_params( $db_resource, "SELECT * FROM table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ) );
?>
2006-09-02 08:17:33
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Автор:
If you are trying to replicate the function pg_query_params, you might also want to support NULL values. While is_int returns true for a NULL value, the formatting for the SQL.

function pg_query_params( $db, $query, $parameters ) {
    // Escape parameters as required & build parameters for callback function
    global $pg_query_params__parameters;
    foreach( $parameters as $k=>$v ) {
        if ( is_null($v) ) {
            $parameters[$k] = 'NULL';
        } else {
            $parameters[$k] = ( is_int( $v ) ? $v : "'".pg_escape_string( $v )."'" );
        }
    }
    $pg_query_params__parameters = $parameters;
       
    // Call using pg_query
    return pg_query( $db, preg_replace_callback( '/\$([0-9]+)/', 'pg_query_params__callback', $query));
}
2006-10-04 11:18:38
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
If you need to provide multiple possible values for a field in a select query, then the following will help.

<?php
// Assume that $values[] is an array containing the values you are interested in.
$values = array(1458);

// To select a variable number of arguments using pg_query() you can use:
$valuelist implode(', '$values);
$query "SELECT * FROM table1 WHERE col1 IN ($valuelist)";
$result pg_query($query)
    or die(
pg_last_error());

// You may therefore assume that the following will work.
$query 'SELECT * FROM table1 WHERE col1 IN ($1)';
$result pg_query_params($query, array($valuelist))
    or die(
pg_last_error());
// Produces error message: 'ERROR: invalid input syntax for integer'
// It only works when a SINGLE value specified.

// Instead you must use the following approach:
$valuelist '{' implode(', '$values '}'
$query 'SELECT * FROM table1 WHERE col1 = ANY ($1)';
$result pg_query_params($query, array($valuelist));
?>

The error produced in this example is generated by PostGreSQL.

The last method works by creating a SQL array containing the desired values. 'IN (...)' and ' = ANY (...)' are equivalent, but ANY is for working with arrays, and IN is for working with simple lists.
2006-12-22 02:11:16
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
When inserting into a pg column of type bool, you cannot supply a PHP type of bool.  You must instead use a string "t" or "f". PHP attempts to change boolean values supplied as parameters to strings, and then attempts to use a blank string for false.

Example of Failure:
pg_query_params('insert into table1 (bool_column) values ($1)', array(false));

Works:
pg_query_params('insert into lookup_permissions (system) values ($1)', array(false ? 't' : 'f'));
2007-09-26 18:57:31
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Regarding boolean values, just typecast them as (integer) when passing them in your query -- '0' and '1' are perfectly acceptable literals for SQL boolean input:

- http://www.postgresql.org/docs/8.2/interactive/datatype-boolean.html

It is also safe to write your paramerized query in double-quotes, which allows you to mix constant values and placeholders in your query without having to worry about how whether PHP will attempt to substitute any variables in your parameterized string.

Of course this also means that unlike PHP's double-quoted string syntax, you CAN include literal $1, $2, etc. inside SQL strings, e.g:

<?php
// Works ($1 is a placeholder, $2 is meant literally)
pg_query_params("INSERT INTO foo (col1, col2) VALUES ($1, 'costs $2')", Array($data1));

// Throws an E_WARNING (passing too many parameters)
pg_query_params("INSERT INTO foo (col1, col2) VALUES ($1, 'costs $2')", Array($data1$data2));
?>
2009-05-24 12:03:17
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
pg_query and pg_query_params can be combined into a single function.  This also removes the need to construct a parameter array for pg_query_params:

<?php
function my_query($conn$query)
{
  if(
func_num_args() == 2)
    return 
pg_query($conn$query);

 
$args func_get_args();
 
$params array_splice($args2);
  return 
pg_query_params($conn$query$params);
}
?>

Usage:

<?php
/* non-parameterized example */
my_query($conn"SELECT $val1 + $val2");

/* parameterized example */
my_query($conn"SELECT $1 + $2"$val1$val2);
?>
2010-01-01 12:45:30
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
You can't run multiple statements with pg_query_params, but you can still have transaction support without falling back to pg_query:

<?php
$connection 
pg_connect("host=127.0.0.1 port=5432 dbname=foo user=bar password=baz");
pg_query($connection'DROP TABLE IF EXISTS example');
pg_query($connection'CREATE TABLE example (col char(1))');
pg_query($connection'INSERT INTO example (col) VALUES (\'a\')');
// 'SELECT col FROM example' in another session returns "a"
pg_query($connection'BEGIN');
pg_query_params($connection'UPDATE example SET col = $1', array('b'));
// 'SELECT col FROM example' in another session still returns "a"
pg_query_params($connection'UPDATE example SET col = $1', array('c'));
// 'SELECT col FROM example' in another session still returns "a"
pg_query($connection'COMMIT');
// 'SELECT col FROM example' in another session returns "c"
?>
2011-06-15 06:00:42
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Note that due to your locale's number formatting settings, you may not be able to pass a numeric value in as a parameter and have it arrive in PostgreSQL still a number.

If your system locale uses "," as a decimal separator, the following will result in a database error:

pg_query_params($conn, 'SELECT $1::numeric', array(3.5));

For this to work, it's necessary to manually convert 3.5 to a string using e.g. number_format.

(I filed this as bug #46408, but apparently it's expected behavior.)
2012-04-18 06:17:25
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Third parameter $params of pg_query_params() ignores nay part of the string values after a zero byte character - PHP "\0" or chr(0). That may be a result of serialize().

See https://bugs.php.net/bug.php?id=63344
2012-10-25 00:39:24
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
pg_query_params() *does* accept NULLs.  They will automatically be transformed, correctly, into SQL NULL. Thus, for example:

<?php
$sql 
"UPDATE tbl_example SET column_a = $1, column_b=$2";
$params = array(NULL42);
$result pg_params ($sql$params);

//is equivalent to:
$result pg_query ("UPDATE tbl_example SET column_a = NULL column_b  = '42')";

//and not, as one might fear,  either of these (incorrect) things:
// ... column_a = ''      ...
// ... column_a = 'NULL'  ...
?>

Note that you can use NULLs this way in an UPDATE or INSERT statement, but NOT in a WHERE clause. This isn't a restriction of pg_query_params(), but rather it is a consquence of the SQL language.
So, if you want a query of the type:

<?php
//depending on data,  the where-test parameter may or may not be NULL
//the following is WRONG for $1.
$sql "SELECT * from  tbl_example WHERE column_a = $1 and column_b = $2";
$params = array(NULL42);
$result pg_params ($sql$params);
?>

This will fail as invalid SQL:  because you should use "= 42" but "IS NULL".  The solution is to use the SQL construct "IS [NOT] DISTINCT FROM". 

<?php
$sql 
"SELECT ... WHERE column IS NOT DISTINCT FROM $1"
$params = array (42);    //this works, the same as  "where column = 42"
$params = array (NULL);  //this works, the same as "where column is null"
?>

(Aside: though this is annoying, the behaviour is correct. There is a postgresql compatibility option "transform_null_equals", but it won't help you here, even though you might expect it to.)
2014-05-20 19:20:17
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
A note on type-juggling of booleans:
pg_query_params() and friends do seamless, automatic conversion between PHP-NULL and SQL-NULL and back again, where appropriate.
Hoever, everything else goes in (and comes out) as a string.
The following approach may be helpful when handling boolean fields:

<?php
$sql 
" ... ";
$params = array (123truefalse);

//Convert booleans to 'true' and 'false'.  [NULLS are already handled].
foreach ($params as &$value){
    if (
is_bool($value)){
       
$value = ($value) ? 'true':'false';
    }
}

//Now do the query:
$result pg_query_params ($sql$params);
$row pg_fetch_assoc ($result,0//first row

//For booleans, convert 't' and 'f' back to true and false. Check the column type so we don't accidentally convert the wrong thing.
foreach ($row as $key => &$value){ 
   
$type pg_field_type($result,pg_field_num($result$key));
    if (
$type == 'bool'){
       
$value = ($value == 't');
    }
}

//$row[] now contains booleans, NULLS, and strings.
?>
2014-05-20 19:35:33
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Debugging parameterised queries can be tedious, if you want to paste the query directly into PSQL. Here is a trick that helps:

<?php
$sql 
"SELECT * from table WHERE col_a = $1 and col_b=$2 and col_c=$3";
$params = array (42"a string"NULL);

$debug preg_replace_callback
       
'/\$(\d+)\b/',
        function(
$match) use ($params) { 
           
$key=($match[1]-1); return ( is_null($params[$key])?'NULL':pg_escape_literal($params[$key]) ); 
        },
       
$sql);

echo 
"$debug";
//prints:   SELECT * from table WHERE col_a = '42' and col_b='a string' and col_c=NULL
?>

This works correctly, except in the (unusual) case where we have a literal $N;  the regexp replaces it where it shouldn't.  For example:
<?php
//Both  ' ... $1 ... '   and  $1   get replaced; the former is wrong, the latter is right.
$sql "SELECT 'Your bill is for $1' AS invoice WHERE 7 = $1";
$params = array(7);
//$debug:  SELECT 'Your bill is for $7' AS invoice WHERE 7 = '7'"
?>
2014-05-20 19:53:27
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
For a parameterised date, the value NOW() is not allowed (it gets turned into a literal string and makes postgres choke),  however 'now'
is allowed as a parameter, and has the same effect.
2014-05-23 05:55:07
http://php5.kiev.ua/manual/ru/function.pg-query-params.html
Автор:
If one of the parameters is an array,  (eg. array of ints being passed to a stored procedure),   it must be denoted as a set within the array,  not php array notation. 

eg:  var_dump output  of 2 parms an integer and array of int
aaa is: Array
(
    [0] => 1
    [1] => {2,3}
)

you do not want:

bbb is: Array
(
    [0] => 1
    [1] => Array
        (
            [0] => 2
            [1] => 3
        )

)
2017-03-04 19:52:22
http://php5.kiev.ua/manual/ru/function.pg-query-params.html

    Поддержать сайт на родительском проекте КГБ