MySQLi, PHP, generate automated preparedStatement dynamically

Question

My basic Problem is to generate a automatised prepared Statement for DB Request

  $this->stmt_prep->bind_param("sss", $input[0], $input[1], $input[X]);

There are basically 2 "variables", Ive creating for this Request:

the Datatype "ssss"
the Userinput fields as "$Array_as_single_Values"

Assume:

$this->stmt_prep->bind_param("sss", $Array_as_single_Values);
$Array_as_single_Values = "Value1", "Value2", "ValueX"

I read out UserInput as

$Value = Array[$input1=> value1, $input2=> value2, $inputX=> valueX]

How isit possible, to convert each Values of this Array, as variable or its Value

Expected Result:

$Array_as_single_Values [$input1 => "value1"; 
$input2 => "value2"; 
$inputX => "valueX";]        //how to Convert this to needed Data?

$this->stmt_prep->bind_param("sss", $Array_as_single_Values);

same as:

$this->stmt_prep->bind_param("sss", $input1, $input2, $inputX);

or

$this->stmt_prep->bind_param("sss", "value1", "value2", "valueX");

Purpose: If I have 100 different Input Values, I do not have to re-wirte all statements

Are you asking how to bind the parameters when you don't know in advance how many parameters there will be? If so, then the answer is already here: https://stackoverflow.com/questions/24627086/unknown-number-of-parameters-in-bind-param (and in a few other places online) — ADyson, Sep 03 '20 at 13:22
Have an upvote for for generating an automatised prepared Statement. Only one out 100 people asking here ever has such a good idea — Your Common Sense, Sep 03 '20 at 13:31
yes, I didnt write down 9values, but there are as much values as operators. sorry :) — Carlson, Sep 03 '20 at 13:34
If you want to use the explicit typing, just make it optional. See my [mysqli helper function](https://phpdelusions.net/mysqli/simple) for the example — Your Common Sense, Sep 03 '20 at 18:52

Cid · Accepted Answer · 2020-09-03T13:38:25.553

3

Use the splat operator ... :

$this->stmt_prep->bind_param("sssssssss", ...$Array_as_single_Values);

Small example :

function foo ($a, $b, $c)
{
    echo "$a $b $c";
}

$arr = [ "hello", "world", "42" ];

foo(...$arr); // output hello world 42

Without the operator, this causes an error "Fatal error: Uncaught ArgumentCountError: Too few arguments to function foo()"

If you want to automate the generation of "s" and are sure you'll use only VARCHAR types, you can re-write your function call like this :

$this->stmt_prep->bind_param(str_repeat("s", count($Array_as_single_Values)), ...$Array_as_single_Values);

edited Sep 03 '20 at 13:38

answered Sep 03 '20 at 13:24

Cid

14,968
4
30
45

yes, I didnt write down 9values, but there are as much values as operators – Carlson Sep 03 '20 at 13:33
The splat operator will work with 9 arguments aswell – Cid Sep 03 '20 at 13:36
The splat will even work if you put the datatypes in the first element of the passed array like `bind_param(...$full_array_with_datatypes_then_vals)`. – IncredibleHat Sep 03 '20 at 13:39
`"s"` works with `INT`, `DOUBLE`, `BLOB`, etc types as well. – IncredibleHat Sep 03 '20 at 13:42
@IncredibleHat I beg to differ. – Funk Forty Niner Sep 03 '20 at 13:46
2

@FunkFortyNiner Prove it ;) Because it works on one of my servers, even in strict mode. Its best to use the right datatype "s" "i" "d" ... for consistency, but its not absolutely required. – IncredibleHat Sep 03 '20 at 13:47
1

@IncredibleHat Reason why I said that, was because I've seen many questions asked where that if the data types didn't match, it'd error out. – Funk Forty Niner Sep 03 '20 at 13:49
@FunkFortyNiner hmm ... I like this answer https://stackoverflow.com/a/59985233/2960971 lol ... from everyone's favorite person :D – IncredibleHat Sep 03 '20 at 13:50
2

@IncredibleHat Heh! Magnus had the right idea. Quite a different animal there huh? :-)) – Funk Forty Niner Sep 03 '20 at 13:52
1

@FunkFortyNiner yeah... my own older mysqli db object loops through the values and does is_int, is_double, is_string on them to set i s d... but pdo is so much more yummy these days screw mysqli. I think maybe we should clean up our comments :D – IncredibleHat Sep 03 '20 at 13:55
1

@IncredibleHat I think most of our comments are relevant, should anyone else feel the same about what I thought about the data types. They also should not be flagged, *ahem* Mr. "You know who you are". – Funk Forty Niner Sep 03 '20 at 13:56
lovely!!! <3 thank alot – Carlson Sep 03 '20 at 14:23
fyI: I already defined datatypes (s, i, d) in another function. But didnt show here, in this example – Carlson Sep 03 '20 at 16:00
1

@Carlson Let me warn you against the automatized type sniffing.There is a subtle but catastrophic chance that PHP will bind a number for a string field and then all matches will be spoiled. Just once have all your table deleted with a query like this DELETE FROM users WHERE email = 0 and you'll touch such a "smart" type sniffing with a long pole. Instead, bind all your values as strings. It is safe and does no harm whatsoever. PDO does it all the way. Don't take the authors of mysqli as dummies. If it was the right thing to do - to deduce the bind type, it would have been done already. – Your Common Sense Sep 03 '20 at 18:50
foreach($sql_prepare as $numb=>$input){ if(is_string($input) === true){ $parameter[$numb] = "s"; } else if(is_int($input) === true){ $parameter[$numb] = "i"; } else if(is_float($input) === true){ $parameter[$numb] = "d"; } else{ $parameter[$numb] = "s"; $this->Error = "Warning; undefinied Datatype, set as String"; } } – Carlson Sep 07 '20 at 14:27

MySQLi, PHP, generate automated preparedStatement dynamically

1 Answers1