
Is there a way to ensure that queries only use bound parameters?

I want to make it so that it is not possible to perform queries that use literals in the conditions.

So this would become impossible and would throw an exception:

$conditions = "name = 'bob' AND type = 'megabot'";

It would be required to use bound parameters like this.

$conditions = "name = :name: AND type = :type:";

The reason that I need this is that I'm creating a layer above model that will interpret all of the find parameters. I have created four tables that will represent all user data, and in this scheme some queries are invalid and features are present that will be represented with a semi-custom syntax or at least with special aliases and names. It will make my life a lot easier if I can ensure that only certain name parameters are used and that anything else which is added will result in some sort of exception.

So an option that disallowed string literals would be great.



Accepted answer

It looks like I found the feature with Disabling/Enabling Features phqlLiterals.

I don't want to disable it throughout the system but only in that section. It's something that I'll have to work around, but I'm happy to have the feature.



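As an added illustration (not code from the thread or from Phalcon itself) of what the phqlLiterals setting does: the weak form concatenates a value into the PHQL, the hardened form disables literals so only bound parameters are accepted. It assumes a `$modelsManager` service (Phalcon\Mvc\Model\Manager) and a model named `Robots`; the helper `withLiteralsDisabled` is a hypothetical wrapper addressing the wish to limit the setting to one section of code.

```php
<?php
// Added example: rejecting PHQL string literals so that only bound
// parameters reach the database.
use Phalcon\Mvc\Model;
use Phalcon\Mvc\Model\Exception as ModelException;

// Assumption: $modelsManager is the Phalcon\Mvc\Model\Manager service
// from the DI container and a model class Robots exists.

// Weak: literals are accepted, so a value concatenated into the PHQL is
// parsed as part of the query itself.
$name = 'bob';
$robots = $modelsManager
    ->createQuery("SELECT * FROM Robots WHERE name = '$name'")
    ->execute();

// Hardened: phqlLiterals is a process-wide Model setting, so to limit it
// to one section switch it off around that code path and restore it after.
// (Assumes the default of true outside the section.)
function withLiteralsDisabled(callable $fn)
{
    Model::setup(['phqlLiterals' => false]);
    try {
        return $fn();
    } finally {
        Model::setup(['phqlLiterals' => true]);
    }
}

$robots = withLiteralsDisabled(function () use ($modelsManager) {
    // Bound parameters are still accepted while literals are disabled.
    $ok = $modelsManager
        ->createQuery('SELECT * FROM Robots WHERE name = :name: AND type = :type:')
        ->execute(['name' => 'bob', 'type' => 'megabot']);

    // A string literal in the conditions is now rejected when the query
    // is parsed, instead of being sent to the database.
    try {
        $modelsManager
            ->createQuery("SELECT * FROM Robots WHERE name = 'bob'")
            ->execute();
    } catch (ModelException $e) {
        // Log and treat as a programming error: literals are forbidden here.
        error_log('PHQL literal rejected: ' . $e->getMessage());
    }
    return $ok;
});
```

The same setting also governs the `conditions` string passed to `find()`, so the toggle applies to model finders in that section too.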

Unfortunately it doesn't look like this is going to work, because of this bug: Literals and magic methods.




All known issues regarding phql literals were fixed in 2.0.4.