eZ Components 1.1.2

Getting Started

Components

Archive (1.1)
Base (1.1.1)
Cache (1.1.2)
Configuration (1.0.4)
ConsoleTools (1.1.3)
Database (1.1.3)
DatabaseSchema (1.0.2)
Debug (1.0.1)
EventLog (1.0.2)
EventLogDatabaseTiein (1.0)
Execution (1.0.1)
File (1.0.1)
ImageAnalysis (1.0.1)
ImageConversion (1.1.2)
Mail (1.1.3)
PersistentObject (1.1)
PersistentObjectDatabaseSchemaTiein (1.0)
PhpGenerator (1.0.1)
SystemInformation (1.0.1)
Template (1.0)
Translation (1.1.1)
TranslationCacheTiein (1.1)
UserInput (1.0.1)

Database

[ Tutorial ] [ Class tree ] [ Element index ] [ ChangeLog ] [ Credits ]

Introduction
- Supported databases
Class overview
- Handlers
- Query abstraction
Handler usage
Query abstraction Usage
- Bind Parameters
- Multi-join Syntax
Avoiding SQL injection
Notable differences between databases
Adding support for a new database

Introduction

Before attempting to use the the Database component you should make yourself familiar with the PDO documentation. The Database component builds upon PDO and we do not provide examples of the PDO basics.

The Database component consists of two main parts:

Database handlers derived from PDO with some added functionality. A database handler provides a common API for all databases to execute queries on a a database. An introduction can be found in the PHP PDO documentation. Most importantly the handlers in the components add support for nested ezcDbHandler::beginTransaction() and ezcDbHandler::commit() calls. The handlers also provide factory methods for the query abstraction layer.
The query abstraction layer. This layer provides an object oriented API for creating SELECT, INSERT, UPDATE and DELETE queries. Using a single interface you can create syntactic equal queries for the supported database. This layer removes all need to do string processing in order bo build your queries and helps avoiding syntax errors. Note that the query layer does not remove semantical/logical differences between databases.

Supported databases

The Database component currently supports:

MySQL
PostgreSQL
Oracle
SQLite

Class overview

This section gives you an overview of the main classes of the Database component.

Handlers

ezcDbHandler: ezcDbHandler extends PDO and provides the common interface for all the components database handlers. The handlers should be instantiated using ezcDbFactory.
ezcDbFactory: ezcDbFactory is exactly that: a factory for database handlers. It should always be used when instanciating a database handler.
ezcDbInstance: Usually you want to use the database on several different places throughout your application. It is inconvenient to pass the handler around and insecure to store in a global variable. The singleton ezcDbInstance allows you to store any number of database handlers and use these everywhere in your application.

Query abstraction

ezcQuerySelect: Interface to create SELECT queries. Instances of ezcQuerySelect should be retrieved from the database handler factory method ezcDbHandler::createSelectQuery().
ezcQueryInsert: Interface to create INSERT queries. Instances of ezcQueryInsert should be retrieved from the database handler factory method ezcDbHandler::createInsertQuery().
ezcQueryUpdate: Interface to create UPDATE queries. Instances of ezcQueryUpdate should be retrieved from the database handler factory method ezcDbHandler::createUpdateQuery().
ezcQueryDelete: Interface to create DELETE queries. Instances of ezcQueryDelete should be retrieved from the database handler factory method ezcDbHandler::createDeleteQuery().
ezcQueryExpression: ezcQueryExpression provides the interface to create SQL statements common to SELECT, INSERT, UPDATE and DELETE queries. Examples are methods like ezcQueryExpression::add() to add two or more numbers and ezcQueryExpression::now() to create the current time. Each query has an expression object available through the variable $expr on the query.

Handler usage

This chapter shows how to use the factory and the instance as well as how to execute some typical queries. For more details on how to perform queries using the handlers we recommend reading the PHP PDO documentation.

In order to get started you need a database handler. The first example shows how to create one using ezcDbFactory and how to store the handler in ezcDbInstance so it can easily be retrieved later:

  1. <?php
  2. 
  3. $db = ezcDbFactory::create( 'mysql://user:password@host/database' );
  4. ezcDbInstance::set( $db );
  5. 
  6. // anywhere later in your program you can retrieve the db instance again using
  7. $db = ezcDbInstance::get();
  8. 
  9. ?>

Executing a simple query and get the result right away can be done with the PDO::query() method:

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $rows = $db->query( 'SELECT * FROM quotes' );
  6. 
  7. // Iterate over the rows and print the information from each result.
  8. foreach( $rows as $row )
  9. {
 10.     print_r( $row );
 11. }
 12. ?>

Next, we show a simple example with statements and the use of bind. Binding values can be very valuable both in terms of efficiency and security. The main difference with normal queries is that the bound value will be transfered to the SQL server independently from the main query. See the chapter 'Avoiding SQL injection' below.

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. $stmt = $db->prepare( 'SELECT * FROM quotes where author = :author' );
  5. $stmt->bindValue( ':author', 'Robert Foster' );
  6. 
  7. $stmt->execute();
  8. $rows = $stmt->fetchAll();
  9. 
 10. ?>

Query abstraction Usage

This chapter gives you a basic introduction on how to build queries using the query abstraction layer.

We will start out with recreating the first query example:

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $q = $db->createSelectQuery();
  6. $q->select( '*' )->from( 'quotes' );
  7. 
  8. $stmt = $q->prepare();
  9. $stmt->execute();
 10. 
 11. ?>

As you can see, building the query itself follows the build up of a normal query and is pretty straight forward. The rest of the example is a bit more verbose, this is mainly due to the fact that you need to fetch the query object from the handler and that you are required to use prepared statements with the query abstraction layer. The factory methods in the handler to fetch the query object ensures that you get a query of the correct type regardless of what database you use.

Bind Parameters

The next example builds on the previous one, but builds a more complex query and introduces the usage of bind parameters in the query:

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $q = $db->createSelectQuery();
  6. $e = $q->expr; // fetch the expression object
  7. $q->select( '*' )->from( 'quotes' )
  8.     ->where( $e->eq( 'author', $q->bindValue( 'Robert Foster' ) ) )
  9.     ->orderBy( 'quote' )
 10.     ->limit( 10, 0 );
 11. 
 12. $stmt = $q->prepare();
 13. $stmt->execute();
 14. 
 15. ?>

The query will fetch the ten first quotes by Robert Foster sorted by the quote itself. Note that string parameters must be either bound using ezcQuery::bindParam()/ezcQueryBindValue() or escaped and quoted manually.

As you can see logical expressions are built up using the expression object of the type ezcQueryExpression. Note that the methods for logical or and and are named lOr and lAnd respectively. This is because and and or are reserved names in PHP and can not be used in method names.

The next example shows that you in a similar way to the SELECT query can insert, update and delete rows from a table using the query abstraction layer.

The example shows how to create and use basic INSERT, UPDATE and DELETE query objects.

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. // Insert
  6. $q = $db->createInsertQuery();
  7. $q->insertInto( 'quotes' )
  8.   ->set( 'id', 1 )
  9.   ->set( 'name', $q->bindValue( 'Robert Foster' ) )
 10.   ->set( 'quote', $q->bindValue( "It doesn't look as if it's ever used!" ) );
 11. $stmt = $q->prepare();
 12. $stmt->execute();
 13. 
 14. // update
 15. $q = $db->createUpdateQuery();
 16. $q->update( 'quotes' )
 17.   ->set( 'quote', 'His skin is cold... Like plastic...' )
 18.   ->where( $q->expr->eq( 'id', 1 ) );
 19. $stmt = $q->prepare();
 20. $stmt->execute();
 21. 
 22. // delete
 23. $q = $db->createDeleteQuery();
 24. $q->deleteFrom( 'quotes' )
 25.   ->where( $q->expr->eq( $q->bindValue( 'Robert Foster' ) ) );
 26. $stmt = $q->prepare();
 27. $stmt->execute();
 28. ?>

Multi-join Syntax

The next examples show how to use multi-join syntax to build queries with several joined tables using inner, right or left join.

The innerJoin(), rightJoin() and leftJoin() method can be used in three forms:

The first form takes two string arguments (table name and join condition) and returns an ezcQuery object. Each invocation joins one table. You can invoke the *Join() methods multiple times.

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $q = $db->createSelectQuery();
  6. 
  7. // Right join of two tables. Will produce SQL:
  8. // "SELECT id FROM table1 RIGHT JOIN table2 ON table1.id = table2.id".
  9. $q->select( 'id' )->from( 'table1' )->rightJoin( 'table2', $q->expr->eq('table1.id', 'table2.id' ) );
 10. 
 11. $stmt = $q->prepare();
 12. $stmt->execute();
 13. 
 14. // Right join of three tables. Will produce SQL:
 15. // "SELECT id FROM table1 RIGHT JOIN table2 ON table1.id < table2.id RIGHT JOIN table3 ON table2.id > table3.id".
 16. $q->select( 'id' )
 17.         ->from( 'table1' )
 18.             ->rightJoin( 'table2', $q->expr->lt('table1.id', 'table2.id' ) )
 19.             ->rightJoin( 'table3', $q->expr->gt('table2.id', 'table3.id' ) );
 20. 
 21. $stmt = $q->prepare();
 22. $stmt->execute();
 23. ?>

Simplified version of 1. where join condition is always set to "equal".

rightJoin( 'table1', 'table1.id', 'table2.id' ) is a shorter equivalent of rightJoin( 'table1', $this->expr->eq('table1.id', 'table2.id' ) );

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $q = $db->createSelectQuery();
  6. 
  7. // Right join of three tables. Will produce SQL:
  8. // "SELECT id FROM table1 RIGHT JOIN table2 ON table1.id = table2.id RIGHT JOIN table3 ON table2.id = table3.id".
  9. $q->select( 'id' )
 10.         ->from( 'table1' )
 11.             ->rightJoin( 'table2', 'table1.id', 'table2.id' )
 12.             ->rightJoin( 'table3', 'table2.id', 'table3.id' );
 13. 
 14. $stmt = $q->prepare();
 15. $stmt->execute();
 16. 
 17. 
 18. ?>

Simple form, could be used to join only two tables. Takes 4 string arguments and return SQL string. This way does mainly exist for BC reasons.

  1. <?php
  2. 
  3. $db = ezcDbInstance::get();
  4. 
  5. $q = $db->createSelectQuery();
  6. 
  7. // $q->rightJoin( 'table1', 'table2', 'table1.id', 'table2.id' ) will produce
  8. // string "table1 RIGHT JOIN table2 ON table1.id = table2.id"
  9. // that should be added to FROM clause of query.
 10. // resulting query is "SELECT id FROM table1 RIGHT JOIN table2 ON table1.id = table2.id".
 11. $q->select( 'id' )->from( $q->rightJoin( 'table1', 'table2', 'table1.id', 'table2.id' ) );
 12. $stmt = $q->prepare();
 13. $stmt->execute();
 14. 
 15. ?>

The final example shows how to build subselect queries inside SELECT

  1. <?php
  2. 
  3. $name = 'IBM';
  4. $q = new ezcQuerySelect( ezcDbInstance::get() );
  5. 
  6. // Creating subselect object
  7. $q2 = $q->subSelect();
  8. 
  9. // $q2 will build the subquery "SELECT company FROM query_test WHERE
 10. // company = :ezcValue1 AND id > 2". This query will be used inside the SQL for
 11. // $q.
 12. $q2->select('company')
 13.         ->from( 'query_test' )
 14.             ->where( $q2->expr->eq( 'company', $q2->bindParam( $name ) ), 'id > 2' );
 15. 
 16. // $q the resulting query. It produces the following SQL:
 17. // SELECT * FROM query_test
 18. // WHERE  id >= 1  AND
 19. //     company IN ( (
 20. //         SELECT company FROM query_test
 21. //         WHERE company = :ezcValue1 AND id > 2
 22. //     ) )
 23. $q->select('*')
 24.         ->from( 'query_test' )
 25.             ->where( ' id >= 1 ', $q->expr->in( 'company', $q2->getQuery() ) );
 26. 
 27. $stmt = $q->prepare();
 28. $stmt->execute();
 29. 
 30. ?>

Avoiding SQL injection

SQL injection is possibly the biggest single cause of major security problems in web applications. SQL injections are caused when building SQL statements and parts of the statement is built up of untrusted data. If the untrusted data is not escaped properly or checked for proper input you will have a possible SQL injection problem.

With the introduction of bound values it is possible to avoid SQL injection altogether. Simply always use bind to insert untrusted data into a query. This is usually also more efficient since you don't need to escape the data and the SQL server does not have to parse it as part of the query string.

Notable differences between databases

Even though the query abstraction layer creates syntactic equal queries for the supported databases, the results may still differ. This is due to a large amount of differences between the databases. We will list the most important ones here as a reference.

SQLite does not support rebinding of values. E.g if you have an insert query and you want to reuse it like this you will get an error:

$q->insertInto( 'query_test' )
    ->set( 'id', 1 )
    ->set( 'company', $q->bindValue( 'eZ systems' ) )
    ->set( 'section', $q->bindValue( 'Norway' ) )
    ->set( 'employees', 20 );
$stmt = $q->prepare();
$stmt->execute();

$q->insertInto( 'query_test' );
$q->set( 'id', 2 );
$q->set( 'company', $q->bindValue( 'Trolltech' ) );
$q->set( 'section', $q->bindValue( 'Norway' ) );
$q->set( 'employees', 70 );
$stmt = $q->prepare();
$stmt->execute();

Instead you should use bindParameter() to achieve the same effect:

$company = 'eZ systems';
$section = 'Norway';
$q->insertInto( 'query_test' )
     ->set( 'id', 1 )
     ->set( 'company', $q->bindParam( $company ) )
     ->set( 'section', $q->bindParam( $section ) )
     ->set( 'employees', 20 );
$stmt = $q->prepare();
$stmt->execute();

$q->insertInto( 'query_test' );
$q->set( 'id', 2 );
$q->set( 'employees', 70 );
$company = 'Trolltech';
$section = 'Norway';
$stmt = $q->prepare();
$stmt->execute();

Adding support for a new database

This chapter explains the basic steps you have to go through when creating support for a new database. The following steps are rudimentary but should help you along the way. If you require additional information, feel free to ask in the forums.

Check out the Database component from the eZ systems SVN server. This is necessary in order to use the testing system. This allows you to easily see if your code works as it should.
Create a handler for the new database. The handler must inherit from ezcDbHandler. Don't reimplement the methods for the query abstraction layer. They will then default to MySQL syntax.
Run the test system and check if any of them fail. If any tests fail you have to extend the class and method in question and make sure that the generated SQL is correct for your database. When no tests fail: congratulations you are done.

Last updated: Thu, 01 Nov 2007

eZ Components

User menu

Path