我不明白这里是如何使用“？”的

Question

So, I have this PHP code:

$tabid = getTabid($module);
if($tabid==9)
  $tabid="9,16";
$sql = "select * from field ";
$sql.= " where field.tabid in(?) and";

Now, how exactly does the ? work here? I vaguely understand that in PHP, ?: is a ternary operator, but the colon isn't being used here, and ? is part of a Postgresql query anyway.

The final query looks a bit like this:

select * from field where field.tabid in('9,16')

So, the question mark is replaced by the contents of $tabid, how does that happen?

The issue is that ('9,16') is not accepted by Postgres as an integer, it needs to be written like (9,16) , so how do I do that? How do I remove the apostrophes?

Thanks a lot for the help, have a good day!

edit: More code was requested:

$sql.= " field.displaytype in (1,2,3) and field.presence in (0,2)";

followed by if statements, I think this is the relevant one:

if($tabid == 9 || $tabid==16)
{
    $sql.= " and field.fieldname not in('notime','duration_minutes','duration_hours')";
}
$sql.= " group by field.fieldlabel order by block,sequence";
$params = array($tabid);
//Running the query.
$result = $adb->pquery($sql, $params);

Oh, I think I see now, I think it is a place holder, a part of the pquery function:

function pquery($sql, $params, $dieOnError=false, $msg='') {
  Stuff
  $sql = $this->convert2Sql($sql, $params);
  }

Now, this is where it seems to get fun, here's part of the convert2Sql function:

function convert2Sql($ps, $vals) {
   for($index = 0; $index < count($vals); $index++) {   
        if(is_string($vals[$index])) {
            if($vals[$index] == '') {
                $vals[$index] = "NULL";
            }
            else {
                $vals[$index] = "'".$this->sql_escape_string($vals[$index]). "'";
            }
        } 
    }
    $sql = preg_replace_callback("/('[^']*')|(\"[^\"]*\")|([?])/", array(new PreparedQMark2SqlValue($vals),"call"), $ps); 

    return $sql;
}

The problem I think lies in the
$vals[$index] = "'".$this->sql_escape_string($vals[$index]). "'"; line. The sql_escape_string($str) function just returns pg_escape_string($str) .

Sorry for the super long edit, but I still haven't been able to get past I am afraid, thanks for all the help!

Edit 2: I fixed the problem, all it took was changin $tabid = "9,16" to $tabid = array(9,16) . I have no idea why, oh and I also had to remove the group by statement because Postgresql requires every field to be placed in that statement.

Answer 1

it is a positional parameter for a prepared statement

See: http://php.net/manual/en/function.pg-prepare.php

You don't actually 'remove' the quotes, you have to pass SQL array of ints instead of a string value into the parameter when doing pg_execute

An example:

// Assume that $values[] is an array containing the values you are interested in.
$values = array(1, 4, 5, 8);

// To select a variable number of arguments using pg_query() you can use:
$valuelist = implode(', ', $values);

// You may therefore assume that the following will work.
$query = 'SELECT * FROM table1 WHERE col1 IN ($1)';
$result = pg_query_params($query, array($valuelist))
     or die(pg_last_error());
// Produces error message: 'ERROR: invalid input syntax for integer'
 // It only works when a SINGLE value specified.

Instead you must use the following approach:

$valuelist = '{' . implode(', ', $values . '}'
$query = 'SELECT * FROM table1 WHERE col1 = ANY ($1)';
$result = pg_query_params($query, array($valuelist));