Tuesday, January 20, 2009

Evil Access

I was thinking today about database APIs when inspiration struck. I ended up hacking out the following class, which I think demonstrates a rather interesting approach to interfacing with a database (interesting enough at least to post here).
class DBQuery implements Iterator
protected $_db;
protected $_query;
protected $_result;
protected $_index;
protected $_num_rows;

public function __construct($host, $dbname, $username,
$password) {
$this->_db = new PDO("mysql:dbname=$dbname;host=$host",
$username, $password);

public function __get($query) {
$this->_query = $query;
$this->_result = $this->_db->query($query);
return $this->_num_rows = $this->_result->rowCount();

public function quote($value) {
return PDO::quote($value);

public function __call($query, $values) {
$this->_query = $query;
$this->_result = $this->_db->prepare($this->_query);
return $this->_num_rows = $this->_result->rowCount();

public function clear() {
$this->_index = 0;
$this->_num_rows = 0;
$this->_query = '';

public function rewind() {
$this->_index = 0;

public function current() {
return $this->_result->fetch(PDO::FETCH_ASSOC,
PDO::FETCH_ORI_ABS, $this->_index);

public function key() {
return $this->_index;

public function next() {

public function valid() {
return ($this->_index < $this->_num_rows);

public function __toString() {
return $this->_query;
DBQuery isn't your typical database access class. In fact, I would suggest it's slightly evil since it distorts traditional PHP syntax by abusing taking advantage of three specific PHP features.
  1. PHP allows special characters in an identifier if the string is quoted and is enclosed by {}. So, $myValue and ${"my value"} are both equally valid variable identifiers.

  2. The magic overloading methods allow you handle undefined properties and methods in your class. Specifically, I've made use of __get() and __call().

  3. A class that implements the Iterator interface can be traversed using a foreach loop.
Here's a look at how DBQuery would be used:
// connect to the database
$dbq = new DBQuery("localhost", "test", "dbuser",

// query the database if the user is authorized
$username = "administrator";
$password = sha1("password");
if (!$dbq->{"SELECT * FROM admin_user WHERE username=? " .
"AND password=?"}(array($username, $password))) {

// query the database and display some records
$dbq->{"SELECT id, first_name, last_name FROM employee"};
foreach ($dbq as $result) {

// casting the object as a string yields the query string
echo "Query: $dbq";
Don't try this at home, though, my friends. Just because you can write code like this doesn't mean you should.


  1. Amazing concept, but I'm afraid if I ever see ANY of this code in production in the future I will be forced to strangle you... Consider yourself warned :)

  2. You could make it even hackier by using func_get_args() in __call so the usage would turn out as

    $dbq->{"SELECT * FROM admin_user WHERE username=? AND password=?"}($username, $password)

  3. Yep this is a pretty cool idea. Wouldn't go as far as Commenter #1, but I think it may be a good idea to not bend the rules this much ;)

    ps: why do I have to log in to comment? I don't want to - please make it possible to comment by just leaving your name =)

  4. this looks pretty neat.
    but I don't understand why you shouldn't use something like this ?
    what rules it bends ?