[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data
johannes at kyriasis.com
Sun Jun 14 19:11:02 UTC 2015
On 14/06, Marcel Korpel wrote:
>* Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
>> Wow. This part of the code is really ugly. Using "%s" for integer
>> values and not escaping strings in queries. I wonder if somebody
>> cares enough to rewrite it, though...
>Wouldn't the use of (PDO) prepared statements be much neater in
>general? Not that string concatenation is unsafe when values are
>properly escaped, so there's no immediate threat at the moment (as far
>as I can see), but prepared statements are easier to read and less
>error-prone when changing code (and yes, I know this is about Python
>code, which I don't know, but the PHP parts are full of string
>If we want to change everything to prepared statements, I can create
>patches for PHP parts next month.
Python doesn't have prepared statements, but it has similar
parameterized queries. I can look into replacing the interpolation with
PGP Key ID: 0x50FB9B273A9D0BB5
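As an added example (not code from this thread or from aurweb), the two styles discussed above side by side in Python, using sqlite3 so it runs offline; the Users table and its rows are constructed stand-ins, and the "?" placeholder is sqlite3's paramstyle (MySQLdb uses "%s" as its placeholder too, but passed as a separate argument to execute(), never through the % operator).

```python
import sqlite3

# Constructed sample data standing in for a dummy-data Users table
# (schema and rows are assumptions, not aurweb's real schema).
SAMPLE_USERS = [
    (1, "alice", 0),
    (2, "O'Brien", 1),  # an apostrophe is legal in a user name
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, "
        "Suspended INTEGER)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_interpolated(conn, username):
    # The pattern criticised in the thread: the value is spliced into the
    # SQL text with "%s" and nothing is escaped, so any quote character in
    # the value changes the statement itself instead of the data.
    sql = "SELECT ID FROM Users WHERE Username = '%s'" % username
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return ("error", str(e))
    return ("ok", row[0] if row else None)


def find_user_parameterized(conn, username):
    # DB-API 2.0 parameterized query: the driver binds the value, the SQL
    # text never changes, and no escaping is needed for any input.
    row = conn.execute(
        "SELECT ID FROM Users WHERE Username = ?", (username,)
    ).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien"):
        print(name, find_user_interpolated(db, name),
              find_user_parameterized(db, name))
```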