[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data
Marcel Korpel
marcel.korpel at gmail.com
Sun Jun 14 18:39:20 UTC 2015
* Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
+0200):
> Wow. This part of the code is really ugly. Using "%s" for integer
> values and not escaping strings in queries. I wonder if somebody
> cares enough to rewrite it, though...
Wouldn't the use of (PDO) prepared statements be much neatier in
general? Not that string concatenation is unsafe when values are
properly escaped, so there's no immediate threat at the moment (as far
as I can see), but prepared statements are easier to read and less
error-prone when changing code (and yes, I know this is about Python
code, which I don't know, but the PHP parts are full of string
concatenation, too).
If we want to change everything to prepared statements, I can create
patches for PHP parts next month.
Best, Marcel
More information about the aur-dev
mailing list