pg_query_params

(PHP 5 >= 5.1.0, PHP 7, PHP 8)

pg_query_params SQL コマンドとパラメータを分割してサーバーへ送信し、その結果を待つ

説明

pg_query_params(PgSql\Connection $connection = ?, string $query, array $params): PgSql\Result|false

コマンドをサーバーに送信し、その結果を待ちます。パラメータを SQL コマンド とは別に渡すことが可能です。

pg_query_params()pg_query() と似ていますが、追加の機能を有しています。それはパラメータ値が コマンド文字列と分離しているということです。 pg_query_params() は PostgreSQL 7.4 以降の接続でのみ サポートされます。それ以前のバージョンでは失敗します。

パラメータを使用する際は、query 文字列内で $1、$2 のように参照されます。 query の中で同じパラメータを何度も使えます。 その場合は、それぞれに同じ値が渡されます。 params で 実際の値を指定します。null を指定すると、SQL の NULL とみなされます。

pg_query() に対する pg_query_params() の最大の利点は、パラメータの値を query 文字列から 分離できることです。そのため、退屈でエラーの元となりやすいクォート・ エスケープなどをしなくてもよくなります。pg_query() と異なり、pg_query_params() ではひとつの SQL コマンドしか実行できません(クエリ文字列にセミコロンを含めることは 可能です。しかしそれ以降にコマンドを続けることはできません)。

パラメータ

connection

PgSql\Connection クラスのインスタンス。 connection が指定されない場合は、デフォルトの接続を使います。 デフォルトの接続とは、pg_connect() または pg_pconnect() によって確立された直近の接続です。

警告

PHP 8.1.0 以降では、デフォルトの接続を使うことは推奨されなくなりました。

query

パラメータ化した SQL 文。ひとつの文のみである必要があります (複数の文をセミコロンで区切る形式は使用できません)。パラメータを 使用する際は $1、$2 などの形式で参照されます。

ユーザーから受け取った値は常にパラメータとして渡すべきです。 直接クエリ文字列に組み込んではいけません。そうしてしまうと、 SQL インジェクション 攻撃を受けてしまう可能性があります。また、クォート文字を含むデータの処理でバグの原因になります。 何らかの理由でパラメータが使えない場合は、値を 適切にエスケープするようにしましょう。

params

プリペアドステートメント中の $1、$2 などのプレースホルダを 置き換えるパラメータの配列。配列の要素数はプレースホルダの 数と一致する必要があります。

bytea フィールド用の値は、パラメータとして指定できません。 pg_escape_bytea() を使うか、ラージオブジェクト関数を使うようにしましょう。

戻り値

成功した場合に PgSql\Result クラスのインスタンスを返します。 失敗した場合に false を返します

変更履歴

バージョン 説明
8.1.0 PgSql\Result クラスのインスタンスを返すようになりました。 これより前のバージョンでは、リソース を返していました。
8.1.0 connection は、PgSql\Connection クラスのインスタンスを期待するようになりました。 これより前のバージョンでは、リソース を期待していました。

例1 pg_query_params() の使用法

<?php
// "mary"という名前のデータベースに接続
$dbconn = pg_connect("dbname=mary");

// Joe's Widgets という名前の店を探す。"Joe's Widgets" を
// エスケープする必要がないことに注意
$result = pg_query_params($dbconn, 'SELECT * FROM shops WHERE name = $1', array("Joe's Widgets"));

// pg_query を使用した場合と比較
$str = pg_escape_string("Joe's Widgets");
$result = pg_query($dbconn, "SELECT * FROM shops WHERE name = '{$str}'");

?>

参考

add a note add a note

User Contributed Notes 15 notes

up
8
victor dot engmark at terreactive dot ch
13 years ago
You can't run multiple statements with pg_query_params, but you can still have transaction support without falling back to pg_query:

<?php
$connection
= pg_connect("host=127.0.0.1 port=5432 dbname=foo user=bar password=baz");
pg_query($connection, 'DROP TABLE IF EXISTS example');
pg_query($connection, 'CREATE TABLE example (col char(1))');
pg_query($connection, 'INSERT INTO example (col) VALUES (\'a\')');
// 'SELECT col FROM example' in another session returns "a"
pg_query($connection, 'BEGIN');
pg_query_params($connection, 'UPDATE example SET col = $1', array('b'));
// 'SELECT col FROM example' in another session still returns "a"
pg_query_params($connection, 'UPDATE example SET col = $1', array('c'));
// 'SELECT col FROM example' in another session still returns "a"
pg_query($connection, 'COMMIT');
// 'SELECT col FROM example' in another session returns "c"
?>
up
5
dt309 at f2s dot com
18 years ago
If you need to provide multiple possible values for a field in a select query, then the following will help.

<?php
// Assume that $values[] is an array containing the values you are interested in.
$values = array(1, 4, 5, 8);

// To select a variable number of arguments using pg_query() you can use:
$valuelist = implode(', ', $values);
$query = "SELECT * FROM table1 WHERE col1 IN ($valuelist)";
$result = pg_query($query)
    or die(
pg_last_error());

// You may therefore assume that the following will work.
$query = 'SELECT * FROM table1 WHERE col1 IN ($1)';
$result = pg_query_params($query, array($valuelist))
    or die(
pg_last_error());
// Produces error message: 'ERROR: invalid input syntax for integer'
// It only works when a SINGLE value specified.

// Instead you must use the following approach:
$valuelist = '{' . implode(', ', $values . '}'
$query = 'SELECT * FROM table1 WHERE col1 = ANY ($1)';
$result = pg_query_params($query, array($valuelist));
?>

The error produced in this example is generated by PostGreSQL.

The last method works by creating a SQL array containing the desired values. 'IN (...)' and ' = ANY (...)' are equivalent, but ANY is for working with arrays, and IN is for working with simple lists.
up
2
ac at esilo dot com
14 years ago
pg_query and pg_query_params can be combined into a single function.  This also removes the need to construct a parameter array for pg_query_params:

<?php
function my_query($conn, $query)
{
  if(
func_num_args() == 2)
    return
pg_query($conn, $query);

 
$args = func_get_args();
 
$params = array_splice($args, 2);
  return
pg_query_params($conn, $query, $params);
}
?>

Usage:

<?php
/* non-parameterized example */
my_query($conn, "SELECT $val1 + $val2");

/* parameterized example */
my_query($conn, "SELECT $1 + $2", $val1, $val2);
?>
up
1
php at richardneill dot org
10 years ago
Debugging parameterised queries can be tedious, if you want to paste the query directly into PSQL. Here is a trick that helps:

<?php
$sql
= "SELECT * from table WHERE col_a = $1 and col_b=$2 and col_c=$3";
$params = array (42, "a string", NULL);

$debug = preg_replace_callback(
       
'/\$(\d+)\b/',
        function(
$match) use ($params) {
           
$key=($match[1]-1); return ( is_null($params[$key])?'NULL':pg_escape_literal($params[$key]) );
        },
       
$sql);

echo
"$debug";
//prints:   SELECT * from table WHERE col_a = '42' and col_b='a string' and col_c=NULL
?>

This works correctly, except in the (unusual) case where we have a literal $N;  the regexp replaces it where it shouldn't.  For example:
<?php
//Both  ' ... $1 ... '   and  $1   get replaced; the former is wrong, the latter is right.
$sql = "SELECT 'Your bill is for $1' AS invoice WHERE 7 = $1";
$params = array(7);
//$debug:  SELECT 'Your bill is for $7' AS invoice WHERE 7 = '7'"
?>
up
1
peter dot kehl+nospam at gmail dot com
12 years ago
Third parameter $params of pg_query_params() ignores nay part of the string values after a zero byte character - PHP "\0" or chr(0). That may be a result of serialize().

See https://bugs.php.net/bug.php?id=63344
up
1
strata_ranger at hotmail dot com
15 years ago
Regarding boolean values, just typecast them as (integer) when passing them in your query -- '0' and '1' are perfectly acceptable literals for SQL boolean input:

- http://www.postgresql.org/docs/8.2/interactive/datatype-boolean.html

It is also safe to write your paramerized query in double-quotes, which allows you to mix constant values and placeholders in your query without having to worry about how whether PHP will attempt to substitute any variables in your parameterized string.

Of course this also means that unlike PHP's double-quoted string syntax, you CAN include literal $1, $2, etc. inside SQL strings, e.g:

<?php
// Works ($1 is a placeholder, $2 is meant literally)
pg_query_params("INSERT INTO foo (col1, col2) VALUES ($1, 'costs $2')", Array($data1));

// Throws an E_WARNING (passing too many parameters)
pg_query_params("INSERT INTO foo (col1, col2) VALUES ($1, 'costs $2')", Array($data1, $data2));
?>
up
0
php at richardneill dot org
10 years ago
A note on type-juggling of booleans:
pg_query_params() and friends do seamless, automatic conversion between PHP-NULL and SQL-NULL and back again, where appropriate.
Hoever, everything else goes in (and comes out) as a string.
The following approach may be helpful when handling boolean fields:

<?php
$sql
= " ... ";
$params = array (1, 2, 3, true, false);

//Convert booleans to 'true' and 'false'.  [NULLS are already handled].
foreach ($params as &$value){
    if (
is_bool($value)){
       
$value = ($value) ? 'true':'false';
    }
}

//Now do the query:
$result = pg_query_params ($sql, $params);
$row = pg_fetch_assoc ($result,0//first row

//For booleans, convert 't' and 'f' back to true and false. Check the column type so we don't accidentally convert the wrong thing.
foreach ($row as $key => &$value){
   
$type = pg_field_type($result,pg_field_num($result, $key));
    if (
$type == 'bool'){
       
$value = ($value == 't');
    }
}

//$row[] now contains booleans, NULLS, and strings.
?>
up
0
alec at smecher dot bc dot ca
12 years ago
Note that due to your locale's number formatting settings, you may not be able to pass a numeric value in as a parameter and have it arrive in PostgreSQL still a number.

If your system locale uses "," as a decimal separator, the following will result in a database error:

pg_query_params($conn, 'SELECT $1::numeric', array(3.5));

For this to work, it's necessary to manually convert 3.5 to a string using e.g. number_format.

(I filed this as bug #46408, but apparently it's expected behavior.)
up
0
jsnell at e-normous dot com
17 years ago
When inserting into a pg column of type bool, you cannot supply a PHP type of bool.  You must instead use a string "t" or "f". PHP attempts to change boolean values supplied as parameters to strings, and then attempts to use a blank string for false.

Example of Failure:
pg_query_params('insert into table1 (bool_column) values ($1)', array(false));

Works:
pg_query_params('insert into lookup_permissions (system) values ($1)', array(false ? 't' : 'f'));
up
-2
Anonymous
7 years ago
If one of the parameters is an array,  (eg. array of ints being passed to a stored procedure),   it must be denoted as a set within the array,  not php array notation. 

eg:  var_dump output  of 2 parms an integer and array of int
aaa is: Array
(
    [0] => 1
    [1] => {2,3}
)

you do not want:

bbb is: Array
(
    [0] => 1
    [1] => Array
        (
            [0] => 2
            [1] => 3
        )

)
up
-1
mledford
18 years ago
If you are trying to replicate the function pg_query_params, you might also want to support NULL values. While is_int returns true for a NULL value, the formatting for the SQL.

function pg_query_params( $db, $query, $parameters ) {
    // Escape parameters as required & build parameters for callback function
    global $pg_query_params__parameters;
    foreach( $parameters as $k=>$v ) {
        if ( is_null($v) ) {
            $parameters[$k] = 'NULL';
        } else {
            $parameters[$k] = ( is_int( $v ) ? $v : "'".pg_escape_string( $v )."'" );
        }
    }
    $pg_query_params__parameters = $parameters;
       
    // Call using pg_query
    return pg_query( $db, preg_replace_callback( '/\$([0-9]+)/', 'pg_query_params__callback', $query));
}
up
-1
cc+php at c2se dot com
18 years ago
This is a useful function for preventing SQL injection attacks, so, for those of us who are not yet able to upgrade to PHP5.1, here is a replacement function which works similarly on older versions of PHP...

<?php   # Parameterised query implementation for Postgresql and older versions of PHP

       
if( !function_exists( 'pg_query_params' ) ) {

                function
pg_query_params__callback( $at ) {
                        global
$pg_query_params__parameters;
                        return
$pg_query_params__parameters[ $at[1]-1 ];
                }

                function
pg_query_params( $db, $query, $parameters ) {

                       
// Escape parameters as required & build parameters for callback function
                       
global $pg_query_params__parameters;
                        foreach(
$parameters as $k=>$v )
                               
$parameters[$k] = ( is_int( $v ) ? $v : "'".pg_escape_string( $v )."'" );
                       
$pg_query_params__parameters = $parameters;

                       
// Call using pg_query
                       
return pg_query( $db, preg_replace_callback( '/\$([0-9]+)/', 'pg_query_params__callback', $query ) );

                }
        }

       
// Example: pg_query_params( $db_resource, "SELECT * FROM table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ) );
?>
up
-3
php at richardneill dot org
10 years ago
pg_query_params() *does* accept NULLs.  They will automatically be transformed, correctly, into SQL NULL. Thus, for example:

<?php
$sql
= "UPDATE tbl_example SET column_a = $1, column_b=$2";
$params = array(NULL42);
$result = pg_params ($sql, $params);

//is equivalent to:
$result = pg_query ("UPDATE tbl_example SET column_a = NULL column_b  = '42')";

//and not, as one might fear,  either of these (incorrect) things:
// ... column_a = ''      ...
// ... column_a = 'NULL'  ...
?>

Note that you can use NULLs this way in an UPDATE or INSERT statement, but NOT in a WHERE clause. This isn't a restriction of pg_query_params(), but rather it is a consquence of the SQL language.
So, if you want a query of the type:

<?php
//depending on data,  the where-test parameter may or may not be NULL
//the following is WRONG for $1.
$sql = "SELECT * from  tbl_example WHERE column_a = $1 and column_b = $2";
$params = array(NULL42);
$result = pg_params ($sql, $params);
?>

This will fail as invalid SQL:  because you should use "= 42" but "IS NULL".  The solution is to use the SQL construct "IS [NOT] DISTINCT FROM". 

<?php
$sql
= "SELECT ... WHERE column IS NOT DISTINCT FROM $1"
$params = array (42);    //this works, the same as  "where column = 42"
$params = array (NULL);  //this works, the same as "where column is null"
?>

(Aside: though this is annoying, the behaviour is correct. There is a postgresql compatibility option "transform_null_equals", but it won't help you here, even though you might expect it to.)
up
-7
travismowens at gmail dot com
14 years ago
Unfortunately the params will not respect string representations of NULL or NOW().  If your code pushes these values, they be considered a string and inserted literally as "NULL" and "NOW()".

Ideally, there should be an additional parameter that you can assign to force this text as pgSQL functions/reserved words and not wrap them up as strings (assuming pgSQL's parameterized queries support this.

This same problem also occurs for comma lists used in "WHERE column IN (1,2,3,4)", params treats "1,2,3,4" as a string, not a list of numbers, and runs it with quotes also.

For debugging, I use this function to simulate params, keep in mind this is not 100% accurate, it only attempts to simulate the actual SQL that param queries create.

<?php
   
function pg_query_params_return_sql($query, $array)
    {
       
$query_parsed = $query;
       
        for (
$a = 0, $b = sizeof($array); $a < $b; $a++)
        {
            if (
is_numeric($array[$a]) )
            {
               
$query_parsed = str_replace(('$'.($a+1)), str_replace("'","''", $array[$a]), $query_parsed );
            }
            else
            {
               
$query_parsed = str_replace(('$'.($a+1)), "'".str_replace("'","''", $array[$a])."'", $query_parsed );
            }
        }
       
        return
$query_parsed;
    }
?>
up
-4
php at richardneill dot org
10 years ago
For a parameterised date, the value NOW() is not allowed (it gets turned into a literal string and makes postgres choke),  however 'now'
is allowed as a parameter, and has the same effect.
To Top