[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data

Johannes Löthberg johannes at kyriasis.com
Sun Jun 14 19:11:02 UTC 2015

On 14/06, Marcel Korpel wrote:
>* Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
>> Wow. This part of the code is really ugly. Using "%s" for integer
>> values and not escaping strings in queries. I wonder if somebody
>> cares enough to rewrite it, though...
>Wouldn't the use of (PDO) prepared statements be much neater in
>general? Not that string concatenation is unsafe when values are
>properly escaped, so there's no immediate threat at the moment (as far
>as I can see), but prepared statements are easier to read and less
>error-prone when changing code (and yes, I know this is about Python
>code, which I don't know, but the PHP parts are full of string
>concatenation, too).
>If we want to change everything to prepared statements, I can create
>patches for PHP parts next month.

Python doesn't have prepared statements, but it has similar
parameterized queries. I can look into replacing the interpolation with
those later.
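As an added illustration of the difference the thread is discussing, here is the "%s" interpolation style next to a DB-API parameterized query. This is example code, not aurweb's dummy-data script or its real schema; the Packages table is a constructed stand-in, and sqlite3 is used only so it runs offline.

```python
import sqlite3

# Constructed, simplified table for the demonstration; not aurweb's real schema.
SCHEMA = """
CREATE TABLE Packages (
    ID INTEGER PRIMARY KEY,
    Name TEXT NOT NULL,
    PackagerUID INTEGER
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_interpolated(conn, name, packager_uid):
    # The style criticised in the thread: values pasted into the SQL text with
    # "%s" and no escaping. A quote inside `name` corrupts the statement, and a
    # None PackagerUID becomes the bare token None instead of NULL.
    sql = "INSERT INTO Packages (Name, PackagerUID) VALUES ('%s', %s)" % (name, packager_uid)
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, name, packager_uid):
    # DB-API parameterized query: the driver passes the values separately from
    # the SQL text, so no quoting or escaping is done in Python at all.
    conn.execute("INSERT INTO Packages (Name, PackagerUID) VALUES (?, ?)", (name, packager_uid))
    conn.commit()


def packager_of(conn, name):
    row = conn.execute("SELECT PackagerUID FROM Packages WHERE Name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name, packager_uid):
    """Run both styles on the same input; return (interpolated_ok, parameterized_ok)."""
    results = []
    for insert in (insert_interpolated, insert_parameterized):
        conn = open_db()
        try:
            insert(conn, name, packager_uid)
            results.append(packager_of(conn, name) == packager_uid)
        except sqlite3.Error:
            results.append(False)
        finally:
            conn.close()
    return tuple(results)
```

`compare("foo", 7)` succeeds both ways, while a name containing an apostrophe or a NULL PackagerUID only round-trips through the parameterized version.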

