> On Jun 24, 2021, at 6:33 AM, Stephen Reay <php-li...@koalephant.com> wrote:
>
>> On 24 Jun 2021, at 17:07, Kamil Tekiela <tekiela...@gmail.com> wrote:
>>
>> Hi Stephen,
>>
>> I believe the idea was to dynamically generate table names, or numbered
>> tables/columns. E.g.
>>
>> function getTable(string $table){
>>     // is_literal check here
>> }
>>
>> $number = (int) $_GET['tableno'];
>> if($number < 0 || $number > 10) {
>>     throw new Exception("Invalid number");
>> }
>>
>> $tablename = 'table_'.$number;
>> getTable($tablename);
>>
>> The number is concatenated to the table name.
>>
>> —Kamil
>
> Hi Kamil,
>
> Thanks for at least trying to answer this question.
>
> I’m sure someone somewhere does that and thinks it's a good idea. I
> respectfully (to you; probably less respectfully to someone if they tell me
> they do this) disagree. I don’t think PHP should necessarily shy away from
> features because they’re potentially dangerous, but I also don’t think it
> should be adding new features/functions that are more dangerous, just to make
> some weird (IMO bad-practice) edge cases easier.

WordPress Multisite does exactly that.

Whether or not them doing so is a "good idea" is irrelevant as there are a large number of websites that use that mode of WordPress currently active on the web.

> I’d suggest if they insist on that bizarre naming pattern, _and_ want to use
> a literal string check, they could define an array of string numbers that
> represent their table names.
>
> $tbls = ['0', '1', '2', '3', '4', '5', ...];
>
> getTable('table_' . $tbls[$number]);

Some WP MS installations support millions of thousands sites. See WordPress.com <http://wordpress.com/>.

But yes, I guess it could be possible for them to hack together 'table_983761' out of literals via a Rube Goldbergian-function, if forced to.

> On Jun 24, 2021, at 6:35 AM, Stephen Reay <php-li...@koalephant.com> wrote:
>
>> On 24 Jun 2021, at 17:16, Craig Francis <cr...@craigfrancis.co.uk> wrote:
>>
>> On Thu, 24 Jun 2021 at 10:55, Stephen Reay <php-li...@koalephant.com> wrote:
>>
>>> but still I have to keep asking: Why integers at all?
>>>
>>
>> While I'm not a fan of this approach, there is a lot of existing code and
>> tutorials that use:
>>
>> $sql = 'WHERE id IN (' . implode(',', array_map('intval', $ids)) . ')';
>>
>> $sql = sprintf('SELECT * FROM table WHERE id = %d;', intval($id));
>>

And WordPress (and I am sure a lot of other legacy code) does not support parameterized queries in the DB object, at least not without jumping through tons of hoops.

Not to mention the 60k existing open-source plugins and the likely million custom plugins in the wild.

-Mike

P.S. Of course we could ignore the entirety of WordPress, but that just does not strike me as a prudent course of action.
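
The two patterns quoted in this message, a numbered table name and an integer IN list, shown side by side as an added example (not code from the thread, the RFC, or WordPress). It assumes PHP 8 with the pdo_sqlite extension; `numberedTable()`, `selectByIds()` and the `table_3` data are hypothetical and constructed for the demo. The table name still has to be a literal prefix joined to a range-checked integer, which is the case the thread is debating, while the id values never enter the SQL text.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table_3 (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO table_3 (id, title) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

/**
 * Hypothetical helper. Identifiers cannot be bound as parameters, so the
 * numbered table name is a literal prefix plus a range-checked integer,
 * as in the quoted getTable() snippet.
 */
function numberedTable(mixed $raw, int $max = 10): string
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    if ($n === false) {
        throw new InvalidArgumentException('Invalid table number');
    }
    return 'table_' . $n;
}

/**
 * Hypothetical helper. The IN (...) list contains only "?" placeholders;
 * the id values are sent separately as bound parameters.
 */
function selectByIds(PDO $pdo, string $table, array $ids): array
{
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so short-circuit
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, title FROM {$table} WHERE id IN ({$marks}) ORDER BY id"
    );
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the third id is hostile text, bound as data only.
$table = numberedTable('3');
print_r(selectByIds($pdo, $table, ['1', '3', '2 OR 1=1']));
```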