On Sun, 14 Jun 2015 at 20:39:20, Marcel Korpel wrote:
* Lukas Fleischer <lfleischer@archlinux.org> (Sun, 14 Jun 2015 17:45:24 +0200):
Wow. This part of the code is really ugly. Using "%s" for integer values and not escaping strings in queries. I wonder if somebody cares enough to rewrite it, though...
Wouldn't the use of (PDO) prepared statements be much neatier in general? Not that string concatenation is unsafe when values are properly escaped, so there's no immediate threat at the moment (as far as I can see), but prepared statements are easier to read and less error-prone when changing code (and yes, I know this is about Python code, which I don't know, but the PHP parts are full of string concatenation, too).
Of course, we already use prepared statements in all the modern Python scripts (everything under git-interface/ and scripts/). The gendummydata script is old and full of hacks.
If we want to change everything to prepared statements, I can create patches for PHP parts next month.
That is greatly appreciated! Please make sure you make small, easy to review commits.
Best, Marcel