• News
• About
• License
• Download
• Support
  • Mailing Lists
  • Report a Bug
• Documentation
  • Installation
  • Creole Guide
  • Jargon Guide
  • FAQ
  • API Docs
  • Driver Specific Notes
• Development
  • SVN
  • How to Contribute
  • Guidelines
  • Coding Standards
• PHP4
  • Download

You are here: WikiStart/Documentation/FAQ

---

1. General
   1. What is Jargon?
2. Creole
   1. Does Creole support LOBs?
   2. Why isn't there a quote() function?
   3. Does Creole support autoincrement/sequences?

Frequently Asked Questions

General

What is Jargon?

Jargon is an extension to Creole. It is essentially a set of classes that use the core Creole classes, adding some of the very convenient data access functions from libraries like PEAR::DB (and MDB) and concepts like DataSet? taken from Working-Dogs Village (Java).

Creole

Does Creole support LOBs?

Yes. Using the creole.util.Blob and creole.util.Lob classes, you can update and retrieve LOB values. LOB support in databases can get tricky -- especially when you add the different variables that control max packet sizes, etc. Send a message to the Mailing List if you encounter problems with CLOB/BLOB support in Creole.

Why isn't there a quote() function?

Because as a rule you should use the PreparedStatement? class and the setter/mutator methods to insert values from PHP into SQL. This will not only make your SQL more readable but it will go a long way to protecting you from SQL injection attacks. Also, a single quote() function doesn't account for the fact that some values need specialy handling -- e.g. BLOB/CLOB columns. Many of the native APIs have special functions for these (e.g. pg_escape_bytea()). Getting in the practice of using the PreparedStatement? setter methods will also ensure that you write portable code. For example the set methods will translate TRUE to 1 (MySQL), 't' (PostgreSQL), etc.

Many developers fail to realize just how easy it is to make your code susceptible to SQL injection. If all values were carefully quoted and escaped, SQL injection would not be an issue. The fact is, though, that many assumptions are made in PHP about the type of a variable. These assumptions lead to practices like the one below.

The *wrong* way:

<?php
$sql = "UPDATE mytable SET strcol = '".addslashes($strval)."' WHERE id = ".$intval;
$con->executeUpdate($sql);

A malicious user would only have to get $intval to be set to a value like "1 OR 1 = 1" (by specifying it in the URL, etc.) in order to alter the entire database table. There's an assumption that $intval is an integer, but unless it is explicitly cast as an integer this is just an assumption.

The right way:

<?php
$sql = "UPDATE mystable SET strcol = ? WHERE id = ?";
$stmt = $con->prepareStatement($sql);
$stmt->executeUpdate($sql, array($strval, $intval));
// or:
// $stmt->setString(1, $strval);
// $stmt->setInt(2, $intval);
// $stmt->executeUpdate();

Using the PreparedStatement? setter methods ensures that values are property quoted and escaped or (e.g. in the case of numeric valeus) that they are first cast to their numeric type before being insert.

Does Creole support autoincrement/sequences?

Yes, although not in the same way that is done by PEAR DB or MDB. Creole does not emulate sequences as the PEAR packages do. Creole has an IdGenerator? class for each database. That class returns useful information to help you get either the next id in the sequence or the last inserted id. This means that you have to do a little more work as an application developer, but the benefit is that you are using the databases native id generation method rather than an emulated one.

<?php
$idgen = $conn->getIdGenerator();
// do we get id before or after performing insert?
if($idgen->isBeforeInsert()) {
   $id = $idgen->getId($seqname);
   // now add that ID to SQL and perform INSERT
   $conn->executeUpdate("INSERT .... ");
} else { // isAfterInsert()
   // first perform INSERT
   $conn->executeUpdate("INSERT .... ");
   $id = $idgen->getId($seqname);
}