SQLite3Stmt: add an optional array parameter to execute() method, like in PDOStatement #9814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

bohwaz wants to merge 1 commit into php:master

from bohwaz:sqlite3/execute-params

Open

SQLite3Stmt: add an optional array parameter to execute() method, like in PDOStatement #9814

bohwaz wants to merge 1 commit into php:master from bohwaz:sqlite3/execute-params

Conversation

bohwaz

Copy link

Contributor

@bohwaz bohwaz commented Oct 24, 2022

This change adds a new array parameter to $stmt->execute() to be able to quickly pass parameters values, without having to use bindValue method.

This is to improve the usability of the SQLite3 extension API and motivate people to use parameterized values for security reasons.

For convenience, the array is treated as if it starts at index 1 instead of index zero.

Usage is the same as in PDO:

$db = new SQLite3(':memory:');
$st = $db->prepare('SELECT ?;');
$r = $st->execute(['test']);
var_dump($r->fetchArray());

BC-break: none.

@github-actions github-actions bot added the Extension: sqlite3 label

Oct 24, 2022

@bohwaz


 Add an optional array parameter to SQLite3Stmt::execute() method, lik...

6d48f18

...e in PDOStatement

@bohwaz bohwaz force-pushed the sqlite3/execute-params branch from a8d9d1a to 6d48f18 Compare

October 24, 2022 02:18

@cmb69

Copy link

Member

cmb69 commented Oct 25, 2022

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

@bohwaz

Copy link

Contributor Author

bohwaz commented Oct 25, 2022

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

This seems quite unintuitive, it's better to use bindValue for that. Also, the SQLite3 extension is already deducing the SQLite type from the PHP type :)

So [42, null, 'string'] will be treated as INTEGER, NULL, and TEXT :)

So you can just cast a string to an int for example if you want to have it stored as INTEGER.

@bohwaz bohwaz requested a review from kocsismate as a code owner

October 7, 2023 13:51

@PiotrZ5

Copy link

PiotrZ5 commented Jul 25, 2025

Can we mimic how execute_query works in mysqli or sqlsrv_query in sqlite3 world to achieve one-liner sql-injection safety?
https://www.php.net/manual/en/mysqli.execute-query.php
https://www.php.net/manual/en/function.sqlsrv-query.php

$db = new SQLite3(':memory:');
$st = $db->execute_query('SELECT ?,?,?',['a','b','c']);

or even extend query() and exec() functions with parameters array

$st = $db->query('SELECT ?,?,?',['a','b','c']);
$st = $db->exec('UPDATE MyTable set col1=?, col2=? where col3=?',['a','b','c']);

@PiotrZ5

Copy link

PiotrZ5 commented Jul 25, 2025

I think this makes sense, but I wonder whether there should be a way to specify the types of the binding (SQLITE3_INTEGER etc.) Maybe nested arrays? Likely more an issue for other databases which are strictly typed.

You can define your table using strict mode to achieve type safety so type hints are not needed anymore.