On 14/06, Johannes Löthberg wrote:
On 14/06, Marcel Korpel wrote:
* Lukas Fleischer <lfleischer@archlinux.org> (Sun, 14 Jun 2015 17:45:24 +0200):
Wow. This part of the code is really ugly. Using "%s" for integer values and not escaping strings in queries. I wonder if somebody cares enough to rewrite it, though...
Wouldn't the use of (PDO) prepared statements be much neatier in general? Not that string concatenation is unsafe when values are properly escaped, so there's no immediate threat at the moment (as far as I can see), but prepared statements are easier to read and less error-prone when changing code (and yes, I know this is about Python code, which I don't know, but the PHP parts are full of string concatenation, too).
If we want to change everything to prepared statements, I can create patches for PHP parts next month.
Python doesn't have prepared statements, but it has similar parameterized queries. I can look into replacing the interpolation with those later.
Heh, just realized that the python script just writes a SQL file which the bash script executes.. I should just make the python script do all of it. -- Sincerely, Johannes Löthberg PGP Key ID: 0x50FB9B273A9D0BB5 https://theos.kyriasis.com/~kyrias/