
I hope this is blindingly obvious: I'm looking for the fastest way to replace a repeating element in a string with the elements in a given array, e.g. for SQL queries and parameter replacement.

$query  = "SELECT * FROM a WHERE b = ? AND c = ?";
$params = array('bee', 'see');

Here I would like to replace the instances of ? with the corresponding ordered array elements, as so:

SELECT * FROM a WHERE b = 'bee' and c = 'see'

I see that this might be done using preg_replace_callback, but is this the fastest way or am I missing something obvious?

Edit: I am already using prepared statements which achieves the above. I am looking for a way to get the raw query back to show as part of debug output.

5 Answers


Are you looking for prepared statements?

<?php
$stmt = $dbh->prepare("SELECT * FROM REGISTRY where name = ?");
if ($stmt->execute(array($_GET['name']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}
?>

1 Comment

David & Dominic: thanks, I am already using prepared statements which achieves the above. I am looking for a way to get the raw query back to show as part of debug output.

I would also recommend using PDO as @David Dorward already suggests. Then:

$stmt = $dbh->prepare('SELECT * FROM a WHERE b = ? AND c = ?');
$stmt->execute(array('bee', 'see'));



Use PDO to do your SQL queries. It does parametrized queries, so you don't need to roll your own method.

For a more generic method, see sprintf() (which won't escape data to make it safe, so don't use it for database access).

2 Comments

Of course you can use sprintf for database stuff, but mysql_real_escape_string should be used to escape the parameters.
I said "don't", not "you can't". This would be pointless wheel reinvention; there are good parametrized query systems in PHP already.

I once found the following in an inherited codebase, which I thought was a nifty way of doing this kind of substitution:

function do_substitution($query, $params) {
    // array_unshift() modifies $params in place and returns the new count,
    // so its return value must not be assigned back to $params
    array_unshift($params, $query);
    $query = call_user_func_array('sprintf', $params);

    return $query;
}

Of course, you are substituting %s, %d, etc. marks this way.

1 Comment

Thanks Rodin. Looks like the fastest way is a straight loop and strpos - there are rarely more than 3-5 parameters in a query.

Found this years after it was asked. For anyone else looking and not satisfied with the other answers, this is how I ended up doing it:

echo preg_replace(array_fill(0,count($params),'/\?/'),$params,$query,1);

Note: This is purely for debugging and does no data cleaning.

This could probably be expanded, if you knew the intended datatype for each parameter, to add in any quotes around values. These are automatically created when using something like sqlsrv_query($conn,$query,$params);
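A fuller debug-only version of that substitution, added here as an example and not code from any of the answers above: it quotes each parameter by type, leaves a ? that sits inside a quoted string literal alone, and refuses to render when the placeholder count and parameter count disagree. The function names and the sample query are assumptions, and it assumes SQL-style doubled quotes ('') for escaping inside literals rather than backslashes.

```php
<?php
// Added example: render a parameterised query for debug output only.
// The result is for logs and screens; the real query still goes through prepare()/execute().
function render_debug_query(string $query, array $params): string
{
    $out = '';
    $index = 0;
    $quote = null;               // quote character we are currently inside, or null
    $len = strlen($query);
    for ($i = 0; $i < $len; $i++) {
        $ch = $query[$i];
        if ($quote !== null) {   // inside a string literal: copy through, no substitution
            if ($ch === $quote && $i + 1 < $len && $query[$i + 1] === $quote) {
                $out .= $ch . $ch;   // doubled quote is an escaped quote, not the end
                $i++;
                continue;
            }
            if ($ch === $quote) {
                $quote = null;
            }
            $out .= $ch;
        } elseif ($ch === "'" || $ch === '"') {
            $quote = $ch;
            $out .= $ch;
        } elseif ($ch === '?') {
            if (!array_key_exists($index, $params)) {
                throw new InvalidArgumentException("No parameter for placeholder #$index");
            }
            $out .= quote_for_debug($params[$index++]);
        } else {
            $out .= $ch;
        }
    }
    if ($index !== count($params)) {
        throw new InvalidArgumentException('Parameter count does not match placeholder count');
    }
    return $out;
}

// Type-aware display quoting: NULL, booleans and numbers are shown bare, everything
// else as a single-quoted string with embedded single quotes doubled.
function quote_for_debug($value): string
{
    if ($value === null) return 'NULL';
    if (is_bool($value)) return $value ? 'TRUE' : 'FALSE';
    if (is_int($value) || is_float($value)) return (string) $value;
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Constructed sample: the literal 'what?' contains a ? that must stay untouched.
echo render_debug_query("SELECT * FROM a WHERE b = ? AND c = ? AND d = 'what?'", ['bee', 42]), "\n";
```

The count check matters in practice: a query logged with the wrong parameter bound to a placeholder is worse for debugging than no rendering at all.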

