I posted an example on the Writing secure code page, and the patch is attached. Simply, str_repeat is going to scale better than two function calls that create two different structures. Additionally, the current code issues a warning when no parameters are provided. The following pages (among others) should be modified if this change is applied:
http://drupal.org/writing-secure-code
http://drupal.org/node/101496
I am open to stylistic changes, so please let me know if you want mt to spell out the ternary with an if/else.
Thanks!
Comment | File | Size | Author |
---|---|---|---|
#27 | drupal-db_placeholders-485618-27.patch | 810 bytes | mikeytown2 |
#25 | db_placeholders_performance-485618-25.patch | 810 bytes | jrchamp |
#23 | db_placeholders_performance-485618-23.patch | 990 bytes | jrchamp |
#20 | db_placeholders_performance-485618-20.patch | 945 bytes | jrchamp |
#18 | db_placeholders_performance-485618-18.patch | 945 bytes | jrchamp |
Comments
Comment #1
Dries CreditAttribution: Dries commentedAdding a line of documentation, and using a regular if-statement would improve readability a lot, IMO.
Comment #2
jrchamp CreditAttribution: jrchamp commentedThis patch uses a regular if-statement and has an added line of documentation (hopefully it is in line with what you had in mind). Also, I reversed the order of the str_repeat so that it is clear that the first one is assumed and any additional ones are appended. This mindset seems to be more straightforward than "repeat all but the last one, then append the last one".
Please let me know if the documentation I added is inadequate, the formatting is incorrect, or you notice any other issue. Thank you!
Comment #3
Crell CreditAttribution: Crell commenteddb_placeholders() is deprecated in Drupal 7 and will be removed as soon as it is expunged from core. This could be a useful performance enhancement for Drupal 6. I defer to Gabor on that front.
Comment #4
jrchamp CreditAttribution: jrchamp commentedAlright. Here is the same patch, instead against the Drupal 6 tag.
[edit] How do I get in touch with Gabor?
Comment #5
jrchamp CreditAttribution: jrchamp commented@Crell: Thanks to #474072: Use taxonomy_load functions in blogapi.module, db_placeholders() is expunged from core. Should I open an issue with a patch which simply removes it from core?
Comment #6
Crell CreditAttribution: Crell commented@jrchamp: Please do!
Comment #7
Crell CreditAttribution: Crell commentedWait, never mind, it's already been taken care of: #508756: RIP db_placeholders()
The rest of this issue is still relevant for Drupal 6, though.
Comment #8
mikeytown2 CreditAttribution: mikeytown2 commentedarray_fill "Throws a E_WARNING if num is less than one."
Fresh install of 6.17 on ubuntu 10.04 throws this error
http://api.drupal.org/api/function/db_placeholders/6
Re-rolled #4
Comment #9
mikeytown2 CreditAttribution: mikeytown2 commentednot a bug. This was the issue I was having
http://drupal.org/node/833486
Patch is still valid
Comment #10
jrchamp CreditAttribution: jrchamp commentedTechnically, it is a bug that a situation exists where an empty array is passed in which causes array_fill to throw a warning.
The solution depends on viewpoint. The calling function could verify that it has some work to perform (i.e. verify that the array is not empty) before passing in the values. Or the calling function should expect the parameters to be validated by the function being called (which has the benefit of collapsing the logic in to the function itself, but does not prevent the *useless* query from being executed which is likely worse for performance).
Of course, the patch on this issue returns empty string for the 0 case, which - although it avoids the array_fill and implode warnings - has the disadvantage of still resulting in an SQL syntax error. This might not be a problem. Rather, it could be viewed as "here is a place which doesn't adequately determine whether it should even execute a query before it does so". I believe this is the best viewpoint, because avoiding wasteful queries is a big +1. If, however, the goal is to silence such syntax errors, the zero case for this function should return the string containing the empty string as follows:
Comment #11
Damien Tournoud CreditAttribution: Damien Tournoud commentedI'm not at all convinced that this way is any better.
Comment #12
Damien Tournoud CreditAttribution: Damien Tournoud commentedWasn't meaning to change the status.
Comment #13
jrchamp CreditAttribution: jrchamp commentedI believe this is better for the following reasons:
I have attached a modified version which saves time in the zero case and is much more competitive (similar to HEAD) in the one case.
Comment #14
jrchamp CreditAttribution: jrchamp commentedRerolled.
Comment #16
jrchamp CreditAttribution: jrchamp commented#14: db_placeholders_performance-485618-14.patch queued for re-testing.
Comment #18
jrchamp CreditAttribution: jrchamp commentedComment #20
jrchamp CreditAttribution: jrchamp commentedRerolling again. I don't understand why this keeps failing.
Comment #21
jrchamp CreditAttribution: jrchamp commentedComment #23
jrchamp CreditAttribution: jrchamp commentedI can't get the test bot to be happy with the patch, Drupal 7 is out and this probably doesn't matter in the larger scheme of things.
It might still be good to update http://drupal.org/writing-secure-code
Comment #25
jrchamp CreditAttribution: jrchamp commentedGit reroll.
Comment #27
mikeytown2 CreditAttribution: mikeytown2 commentedRe-roll #25
Comment #28
pdrake CreditAttribution: pdrake commentedThis patch applied cleanly and works well for me.
Comment #29
Gábor HojtsyNot sure about this one. I've seen several debugging sessions where warnings about the zero case for an IN query helped debug the issue. Sounds like your change would kill the messages there, so people would just get an empty result set back instead of any errors(?). While the issue is not in fact here but the caller invoking with an empty placeholder set. If we gracefully swallow that error, we just make it harder to debug the issues no?
Comment #30
pdrake CreditAttribution: pdrake commentedWhile the PHP Warning(s) about array_fill() requiring a positive number of elements and invalid arguments passed to implode() will no longer occur, with an IN query, the database will still error with an invalid syntax message which should be sufficient.
Comment #31
mahendra.sharma CreditAttribution: mahendra.sharma commenteddb_placeholders_performance.patch queued for re-testing.
Comment #32
hefox CreditAttribution: hefox commentedI recall the PHP warnings indicating something is wrong (in some cases it didn't produce a mysql error perhaps). Should db_placeholders really silently handle being called with wrong arguments? IMO no, trying to optimize error condition seems wrong.
Other than that, patch looks nice, plan to try it out