25 March 2006
I’ve been working on a PHP project for the last few weeks. I don’t mind PHP all that much–it’s an awful language, of course, but it’s not bad for getting things done. (The on-line man pages, in particular, are much better than those of any other language.)
However. PHP does pull some really stupid shit sometimes. Today I was trying to do a simple insert into a database and it kept failing with a “file not found” error message. Eventually I got it down to three lines; this may not be exactly right, but it was something very close to:
    $dbh = odbc_connect($DATABASE, $USERNAME, $PASSWORD);
    $sth = odbc_prepare($dbh, "INSERT INTO ArtObject('name') VALUES(?)");
    $res = odbc_execute($sth, array("'j'"));
And still it gave the error message! Worse, if I created a file “j”, it would do the insert without complaint!
As it turns out, this is by design. If you insert a string that begins and ends with a single quote, the bit between the quotes is treated as a filename (!) whose contents make up the value of the placeholder (!!). It might help to be a programmer to appreciate this, but this behaviour is utterly insane.
Everyone knows there are quoting issues with database inserts, but: (a) in every other language/library, if you use placeholders, you don’t have to worry about this; and (b) if there is some quoting issue you get broken SQL or similar–you don’t get the insert function trying to read from a file.
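A guard that can sit in front of odbc_execute() so that no bound value is ever read as a filename, as an added example that is not part of the original post. The function names are hypothetical, and the check is deliberately conservative: it rejects any string of two or more characters that starts and ends with a single quote.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

/**
 * True if odbc_execute() would treat this value as a file name, i.e. it
 * starts and ends with a single quote (the behaviour described in the post).
 * Assumption: flagging every such string of length >= 2 is conservative.
 */
function looks_like_odbc_file_param($value): bool
{
    // Objects with __toString() are converted to strings when bound.
    if (is_object($value) && method_exists($value, '__toString')) {
        $value = (string) $value;
    }
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    return $value[0] === "'" && $value[strlen($value) - 1] === "'";
}

/** Refuse to bind any parameter that would be read as a file name. */
function guarded_odbc_execute($sth, array $params): bool
{
    foreach ($params as $i => $value) {
        if (looks_like_odbc_file_param($value)) {
            throw new InvalidArgumentException(
                "parameter $i starts and ends with a single quote; refusing to bind it"
            );
        }
    }
    return odbc_execute($sth, $params);
}

// Constructed sample values; this part runs without a database connection.
$samples = ["j", "'j'", "O'Brien", "'", "''", "'unterminated", 42];
foreach ($samples as $s) {
    printf("%-18s %s\n", var_export($s, true),
        looks_like_odbc_file_param($s) ? "REJECT" : "ok");
}
```

Rejecting rather than rewriting the value keeps the stored data unchanged; a caller that genuinely needs to store a quoted string has to handle that case explicitly.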