DB API Usage - How to write DBAL compliant code

What you need to know to write code compliant with the database abstraction layer (DBAL) in TYPO3 version 4.


  1. DB API Usage - How to write DBAL compliant code
     Karsten Dambekalns, karsten@typo3.org

  2. t3lib_db
     ● TYPO3 has a centralized DB API
     ● it is contained in t3lib_db
     ● available at runtime as $GLOBALS['TYPO3_DB']

  3. SELECT queries
     ● exec_SELECTquery()
     ● generates the SQL
     ● executes the query and returns a result pointer
     ● parameters: $select_fields, $from_table, $where_clause, $groupBy = '', $orderBy = '', $limit = ''

  4. SELECTquery problems
     ● mixing several clauses into one parameter
     ● complex SQL
     ● checking is possible with
       – Extension Development Evaluator
       – DBAL Debug BE module
     ● never forget to escape values in the WHERE clause, stay secure!

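As an added example (not from the slides), the SELECT call written the way slides 3 and 4 ask for, with each clause in its own parameter and the WHERE value escaped, beside the shape slide 4 warns against. It assumes a bootstrapped TYPO3 4.x environment where $GLOBALS['TYPO3_DB'] is a t3lib_DB instance; the table tx_myext_items and its fields are hypothetical. The compliant function hands back the result pointer that exec_SELECTquery() returns, which the caller iterates with the fetch methods from slide 11.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped TYPO3 4.x
// context where $GLOBALS['TYPO3_DB'] is a t3lib_DB instance. The table
// tx_myext_items and its fields are hypothetical.

/**
 * DBAL-compliant SELECT: every clause goes into its own parameter so the
 * abstraction layer can parse and rewrite the statement for the target
 * database, and every value that comes from outside is escaped.
 * Returns the result pointer exec_SELECTquery() produces.
 */
function findItemsByCategory($category, $page = 0, $perPage = 20) {
    $db    = $GLOBALS['TYPO3_DB'];
    $table = 'tx_myext_items';

    // fullQuoteStr() escapes the value AND adds the surrounding quotes,
    // so it is never concatenated into the clause raw.
    $where = 'category = ' . $db->fullQuoteStr($category, $table)
           . ' AND deleted = 0 AND hidden = 0';

    // Integers are cast rather than quoted. GROUP BY, ORDER BY and LIMIT
    // are separate parameters, not text appended to $where.
    $limit = intval($page * $perPage) . ',' . intval($perPage);

    return $db->exec_SELECTquery('uid, title', $table, $where, '', 'title ASC', $limit);
}

/**
 * The shape slide 4 warns about: ORDER BY and LIMIT smuggled into the
 * WHERE parameter, and the value pasted in unescaped. MySQL accepts it,
 * DBAL on another database cannot rewrite it, and the unescaped value
 * makes the query injectable.
 */
function findItemsByCategoryNonCompliant($category) {
    return $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_myext_items',
        "category = '" . $category . "' ORDER BY title LIMIT 0,20");
}
```

The DBAL Debug module from slide 4 will show the second form being passed through unparsed; the first form is the one it can rewrite for every supported database.
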
  5. INSERT queries
     ● exec_INSERTquery()
     ● generates the SQL
     ● executes the query
     ● parameters: $table, $fields_values, $no_quote_fields = FALSE

  6. UPDATE queries
     ● exec_UPDATEquery()
     ● generates the SQL
     ● executes the query
     ● parameters: $table, $where, $fields_values, $no_quote_fields = FALSE

  7. UPDATEquery problems
     ● almost none, very easy to use
     ● automatic escaping breaks SQL:
       – you might want SQL expressions in your update that should not be escaped
       – solvable by using $no_quote_fields

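An added example (not the slides' own code) covering slides 5 to 7: an INSERT that relies on automatic quoting, and an UPDATE that needs an SQL expression and therefore lists the field in $no_quote_fields. It assumes a bootstrapped TYPO3 4.x context with $GLOBALS['TYPO3_DB'] as a t3lib_DB instance; the table tx_myext_items and its counter field are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped TYPO3 4.x
// context ($GLOBALS['TYPO3_DB'] is a t3lib_DB instance). The table
// tx_myext_items and its fields are hypothetical.

/**
 * INSERT through the API: values are passed as an associative array and
 * exec_INSERTquery() quotes and escapes each one, so no SQL is written here.
 */
function createItem($pid, $title) {
    $db  = $GLOBALS['TYPO3_DB'];
    $now = time();
    $fieldsValues = array(
        'pid'    => intval($pid),
        'title'  => $title,   // escaped and quoted automatically
        'crdate' => $now,
        'tstamp' => $now,
    );
    $db->exec_INSERTquery('tx_myext_items', $fieldsValues);
    return $db->sql_insert_id();
}

/**
 * UPDATE with an SQL expression. Automatic quoting would turn
 * "counter + 1" into the string literal 'counter + 1', which is the
 * breakage slide 7 describes; listing the field in $no_quote_fields
 * sends the expression verbatim. Only constant expressions you wrote
 * yourself belong in an unquoted field, never request data.
 */
function incrementItemCounter($uid) {
    $db    = $GLOBALS['TYPO3_DB'];
    $table = 'tx_myext_items';
    $fieldsValues = array(
        'counter' => 'counter + 1',  // SQL expression, must not be quoted
        'tstamp'  => time(),         // plain value, quoted as usual
    );
    // The WHERE clause is still escaped by hand; an id is cast to int.
    $where = 'uid = ' . intval($uid);
    // $no_quote_fields is a comma-separated list of field names to leave unquoted.
    $db->exec_UPDATEquery($table, $where, $fieldsValues, 'counter');
    return $db->sql_affected_rows();
}
```

The check worth doing when reviewing such code is that every key named in $no_quote_fields maps to a literal written in the source, not to anything derived from input.
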
  8. DELETE queries
     ● exec_DELETEquery()
     ● generates the SQL
     ● executes the query
     ● parameters: $table, $where

  9. DELETEquery problems
     ● almost none, very easy to delete everything :)
     ● escape values in the WHERE clause yourself!

  10. Escaping values
     ● various methods:
       – fullQuoteStr()
       – quoteStr()
       – fullQuoteArray()
       – escapeStrForLike()
     ● escape values matching the database used
     ● needs to know the table name
       – the table indicates the database being used

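An added example (not from the slides) for slides 8 to 10: a WHERE clause built with each of the four escaping helpers, and a DELETE that takes that clause and refuses to run with an empty one, since slide 9's "very easy to delete everything" is exactly what an empty WHERE does. It assumes a bootstrapped TYPO3 4.x context with $GLOBALS['TYPO3_DB'] as a t3lib_DB instance; the table tx_myext_items and its fields are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped TYPO3 4.x
// context ($GLOBALS['TYPO3_DB'] is a t3lib_DB instance). The table
// tx_myext_items and its fields are hypothetical.

/**
 * Builds a WHERE clause using the escaping helpers from slide 10. Every
 * helper takes the table name: DBAL may map tables to different
 * databases, and the table tells it which quoting rules apply.
 */
function buildItemWhere($status, $titleNeedle, $authors) {
    $db    = $GLOBALS['TYPO3_DB'];
    $table = 'tx_myext_items';
    $parts = array();

    // fullQuoteStr(): escapes and wraps in quotes -> status = 'open'
    $parts[] = 'status = ' . $db->fullQuoteStr($status, $table);

    // escapeStrForLike(): neutralises the LIKE wildcards % and _ inside the
    // user's text so it cannot widen the pattern; the result then goes
    // through fullQuoteStr() like any other string.
    $pattern = '%' . $db->escapeStrForLike($titleNeedle, $table) . '%';
    $parts[] = 'title LIKE ' . $db->fullQuoteStr($pattern, $table);

    // fullQuoteArray(): fullQuoteStr() applied to every element, handy for IN (...)
    if (count($authors)) {
        $quoted  = $db->fullQuoteArray($authors, $table);
        $parts[] = 'author IN (' . implode(',', $quoted) . ')';
    }

    // quoteStr(): escaping only, no quotes, for when you write the literal yourself
    $parts[] = "cruser_name <> '" . $db->quoteStr('system', $table) . "'";

    return implode(' AND ', $parts) . ' AND deleted = 0';
}

/**
 * DELETE: exec_DELETEquery() generates and runs the statement, but the
 * WHERE clause is yours, so its values must already be escaped (slide 9).
 * An empty clause would delete the whole table, so it is rejected here.
 */
function deleteItemsWhere($where) {
    if (trim($where) === '') {
        return 0;
    }
    $db = $GLOBALS['TYPO3_DB'];
    $db->exec_DELETEquery('tx_myext_items', $where);
    return $db->sql_affected_rows();
}

// Usage (hypothetical values):
// deleteItemsWhere(buildItemWhere('closed', 'draft', array('alice', 'bob')));
```

Passing the table name to every helper is not optional under DBAL: fullQuoteStr() with the wrong table can produce quoting that is valid for MySQL but not for the database that table actually lives in.
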
  11. Fetching data
     ● exec_SELECTquery() returns a result pointer
     ● methods to know for using this result pointer:
       – sql_fetch_row()
       – sql_fetch_assoc()
       – sql_num_rows()
       – ...
     ● very similar to the mysql_*() functions

  12. Converting extensions
     ● making old extensions use the DB API is easy
     ● queries have to be done using the methods explained
     ● fetching data can be done like before, only the method names change
     ● keep an eye on escaping, stay safe!
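An added example (not from the slides) for slides 11 and 12: a legacy function written against mysql_*() and the same function converted to the DB API, showing that the fetch loop keeps its shape while only the method names change, plus the row-counting helpers. It assumes a bootstrapped TYPO3 4.x context with $GLOBALS['TYPO3_DB'] as a t3lib_DB instance; the table tx_myext_news and its fields are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes a bootstrapped TYPO3 4.x
// context ($GLOBALS['TYPO3_DB'] is a t3lib_DB instance). The table
// tx_myext_news and its fields are hypothetical.

// BEFORE: a typical old extension. SQL is built by hand, the value is
// concatenated raw, and the PHP mysql_*() functions tie it to MySQL.
function getNewsLegacy($pid) {
    $res  = mysql_query('SELECT uid, title FROM tx_myext_news WHERE pid = '
          . $pid . ' AND deleted = 0 ORDER BY crdate DESC');
    $rows = array();
    while ($row = mysql_fetch_assoc($res)) {
        $rows[] = $row;
    }
    return $rows;
}

// AFTER: the same query through the DB API. The clauses move into the
// parameters of exec_SELECTquery(), the value is cast, and the fetch
// calls keep their shape: mysql_fetch_assoc() becomes sql_fetch_assoc().
function getNewsConverted($pid) {
    $db  = $GLOBALS['TYPO3_DB'];
    $res = $db->exec_SELECTquery('uid, title', 'tx_myext_news',
        'pid = ' . intval($pid) . ' AND deleted = 0', '', 'crdate DESC');

    // sql_num_rows() reports the size of the result before fetching.
    if ($db->sql_num_rows($res) == 0) {
        $db->sql_free_result($res);
        return array();
    }
    $rows = array();
    while ($row = $db->sql_fetch_assoc($res)) {
        $rows[] = $row;
    }
    $db->sql_free_result($res);   // release the result pointer
    return $rows;
}

// sql_fetch_row() returns a numerically indexed row, which is all a
// COUNT(*) query needs.
function countNews($pid) {
    $db  = $GLOBALS['TYPO3_DB'];
    $res = $db->exec_SELECTquery('COUNT(*)', 'tx_myext_news',
        'pid = ' . intval($pid) . ' AND deleted = 0');
    $row = $db->sql_fetch_row($res);
    $db->sql_free_result($res);
    return $row ? intval($row[0]) : 0;
}
```

When converting, the line to look hardest at is the WHERE clause: the old code's raw concatenation of $pid is the escaping problem slide 12 reminds you of, and the conversion is the moment to replace it with intval() or fullQuoteStr().
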
