#5557 - Support multi-dimensional arrays in where query for _get_where_expand

By PDStig
Added 17th Jan 2024, 9:31 PM
7 views

Identifier	#5557
Issue type	Feature request or suggestion
Title	Support multi-dimensional arrays in where query for _get_where_expand
Status	Closed (no changes needed)
Tags	Risk: Changes core website behaviour (custom) Roadmap: Over the horizon (custom) Roadmap: v11 partial implementation (custom)
Handling member	Deleted
Addon	core
Description	Add support for the following in the where array passed to _get_where_expand: * <, >, <=, >= support... via ['field_name' => ['<=' => value]] - WHERE (field_name <= value) * LIKE support, via ['field_name' => ['LIKE' => 'value%']] - Uses db_encode_like - WHERE field_name LIKE 'value%' * <> and != support via ['field_name' => ['!=' => not_value]] (SQL <> for numbers, db_string_not_equal_to for strings; != is just an alias) - WHERE (field_name <> not_value) * OR conditions, via ['field_name' => ['possible_value_1', 'possible_value_2'...]] - WHERE (field_name IN ('possible_value_1', 'possible_value_2')) * NOR conditions, via ['field_name' => ['!=' => ['value1', 'value2'...]]] - WHERE (field_name NOT IN ('value1', 'value2')) * AND conditions with operators, via ['field_name' => ['>' => value, '<=' => value2]] - WHERE (field_name > value AND field_name <= value2) * OR conditions with operators, via ['field_name' => [['>' => value], ['<=' => value2]]] (though this might be useless) - WHERE (field_name > value OR field_name <= value2) Adding these supports will drastically reduce the amount of times we need to use $end or just a flat query instead of more efficient query_select / query_select_value / etc.
Steps to reproduce
Additional information	* Implement support for this in v11 * Consider using this as a standard in v12 Need to carefully consider this implementation; make sure all SQL drivers will support it. Adapt accordingly. Document it. Unit test it.
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 18th Jan 2024, 2:00 PM

This could also be incorporated into our frameworks for conposr and conposr++ for nice ORM-like support

By Guest posted 24th Mar 2024, 2:51 PM

I think it'd be more flexible, a lot less new code, and perhaps easier for the developer, just to use parameterised queries for these cases. See query_parameterised.

By Guest posted 25th Mar 2024, 12:57 PM

That makes sense. I had no idea that existed as I've never used it or seen it.

By Guest posted 27th Mar 2024, 9:35 AM

It was added because at some point I realised that it was bad that there was a percentage of queries our abstractions couldn't handle cleanly, forcing people to write SQL, and I know most people do not know how to write SQL securely. So it was never used, but it was put there as an important tool for developers to be able to use.

(As an aside, I interviewed someone for my bay area employer the other day, an experienced programmer and team leader - and they didn't know how to assemble native SQL to avoid SQL injections. That kind of demonstrates why parameterised queries are important.)

By Guest posted 27th Mar 2024, 9:51 AM

I can see that. Raw SQL is a very bad idea whenever user input is involved (I wouldn't even use it for the most trusted of users because an accidental unescaped character could cause chaos). And parameterised queries help do some of the escaping for you.