Basic sql parameter quote handling and updated readme describing problems.

Author: dustingraham

README.md

@@ -111,6 +111,46 @@ The mysqli::real_escape_string requires a link. But, the link is one of many.
 Last minute escaping once the command and connection were married from the pool.
 Could potentially have one dedicated link for escaping.
 
+### Query Building Support
+
+Many MySQL wrapper packages have been analyzed, but none are completely independent of
+a connection object that could be found.
+
+For now, we will escape parameters, but require the user to provide a sql query that quotes the parameters.
+
+This is obviously sub-optimal since a variable like $created_at could be NOW() or '2016-01-01' or NULL. 
+
+The litmus test I have been using is the following query:
+
+    INSERT INTO `simple_table` (`id`, `name`, `value`, `created_at`)
+    VALUES (NULL, 'John\'s Name', 7, NOW());
+
+The key points here are:
+
+ - Support for putting the parameter in quotes! This is the first step. The rest is intelligently knowing when not to quote.
+ - Support for a null value converted to NULL.
+ - Support for escaping the parameter using either \\\' or '' is fine.
+ - Support for not escaping functions such as NOW()
+ - Support for recognizing integer values. Optional, since '7' will work fine.
+
+### Wrapper Options Reviewed
+
+ 1. [nilportugues/php-sql-query-builder](https://github.com/nilportugues/php-sql-query-builder) - No connection required! But, odd syntax.
+ 1. [usmanhalalit/pixie](https://github.com/usmanhalalit/pixie) - Requires connection. Pretty close to needs.
+ 1. [joshcam/PHP-MySQLi-Database-Class](https://github.com/joshcam/PHP-MySQLi-Database-Class) - Requires connection.
+ 1. [aviat4ion/Query](https://git.timshomepage.net/aviat4ion/Query) - Requires connection.
+ 1. [rkrx/php-mysql-query-builder](https://github.com/rkrx/php-mysql-query-builder) - Requires connection.
+ 1. [stefangabos/Zebra_Database](https://github.com/stefangabos/Zebra_Database) - Requires connection, does more than needed.
+ 1. [indeyets/MySQL-Query-Builder](https://github.com/indeyets/MySQL-Query-Builder) - Not maintained. Odd syntax.
+
+The nilportugues/php-sql-query-builder package is very close, but it does not quote the parameters.
+
+## Install
+
+The recommended way to install this library is through Composer.
+
+    $ composer require dustingraham/react-mysql
+
 ## Credits
 
 Much appreciation to the hard work over at [reactphp/react](https://github.com/reactphp/react).

src/Command.php

@@ -63,11 +63,51 @@ public function bindValues($params)
      */
     public function getPreparedQuery(Connection $connection)
     {
-        $this->params = $connection->escape($this->params);
+        $quotedSql = $this->quoteIntoSql($connection); 
 
-        return strtr($this->sql, $this->params);
+        return $quotedSql;
     }
 
+    /**
+     * TODO: This is exactly what I don't want to do. "Roll my own" SQL handler.
+     * However, the requirements for this package have led to this point for now.
+     * 
+     * @param Connection $connection
+     * @return mixed
+     */
+    protected function quoteIntoSql(Connection $connection)
+    {
+        $quotedSql = $this->sql;
+        $quotedParams = [];
+        
+        foreach($this->params as $key => $value)
+        {
+            if (is_null($value))
+            {
+                $quotedParams[$key] = 'NULL';
+            }
+            else if (is_integer($value))
+            {
+                $quotedParams[$key] = (int)$value;
+            }
+            else if (in_array($value, $this->reserved_words))
+            {
+                $quotedParams[$key] = $value;
+            }
+            else
+            {
+                $quotedParams[$key] = '\''.$connection->escape($value).'\'';
+            }
+        }
+        
+        return strtr($quotedSql, $quotedParams);
+    }
+    
+    // TODO: Find all of these...
+    protected $reserved_words = [
+        'NOW()'
+    ];
+    
     /**
      * @return \React\Promise\PromiseInterface
      */

tests/DatabaseTest.php

@@ -43,7 +43,7 @@ public function testMysqliSynchronous()
         $c = $this->getMysqliConnection();
 
         $result = $c->query('SELECT * FROM simple_table;');
-        $this->assertEquals(2, $result->num_rows);
+        $this->assertEquals(3, $result->num_rows);
 
         $tempTableName = 'temptable123';
         $c->query('CREATE TEMPORARY TABLE ' . $tempTableName . ' LIKE simple_table;');
@@ -69,7 +69,7 @@ public function testMysqliAsynchronous()
         $c->query('SELECT * FROM simple_table;', MYSQLI_ASYNC);
 
         $result = $c->reap_async_query();
-        $this->assertEquals(2, $result->num_rows);
+        $this->assertEquals(3, $result->num_rows);
     }
 
     public function testCreateCommandGetPromise()
@@ -141,8 +141,6 @@ public function testSimpleCommandParameterBinding()
 
     public function testComplexCommandParameterBinding()
     {
-        $this->markTestSkipped('TODO: Implement binding null values.');
-        
         $db = new Database();
 
         $cmd = $db->createCommand();

tests/sql.sql

@@ -1,19 +1,23 @@
-DROP TABLE IF EXISTS `abc`;
+SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
 DROP TABLE IF EXISTS `simple_table`;
 CREATE TABLE IF NOT EXISTS `simple_table` (
-  `id`   INT(10) UNSIGNED NOT NULL,
-  `name` VARCHAR(255)     NOT NULL
-)
-  ENGINE = InnoDB
-  AUTO_INCREMENT = 3
-  DEFAULT CHARSET = utf8;
+  `id` int(10) unsigned NOT NULL,
+  `name` varchar(255) NOT NULL,
+  `value` int(11) NOT NULL,
+  `created_at` datetime NOT NULL
+) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
+
+INSERT INTO `simple_table` (`id`, `name`, `value`, `created_at`) VALUES
+  (1, 'a', 2, '2016-04-12 05:23:31'),
+  (2, 'b', 5, '0000-00-00 00:00:00'),
+  (3, 'John''s Cafe', 54321, '2016-04-26 16:18:59');
 
-INSERT INTO `simple_table` (`id`, `name`) VALUES
-  (1, 'a'),
-  (2, 'b');
 
 ALTER TABLE `simple_table`
 ADD PRIMARY KEY (`id`);
 
+
 ALTER TABLE `simple_table`
-MODIFY `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT, AUTO_INCREMENT = 3;
+MODIFY `id` int(10) unsigned NOT NULL AUTO_INCREMENT,AUTO_INCREMENT=4;