[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data

Lukas Fleischer lfleischer at archlinux.org
Sun Jun 14 19:11:30 UTC 2015


On Sun, 14 Jun 2015 at 20:39:20, Marcel Korpel wrote:
> * Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
> +0200):
> > Wow. This part of the code is really ugly. Using "%s" for integer
> > values and not escaping strings in queries. I wonder if somebody
> > cares enough to rewrite it, though...
> 
> Wouldn't the use of (PDO) prepared statements be much neater in
> general? Not that string concatenation is unsafe when values are
> properly escaped, so there's no immediate threat at the moment (as far
> as I can see), but prepared statements are easier to read and less
> error-prone when changing code (and yes, I know this is about Python
> code, which I don't know, but the PHP parts are full of string
> concatenation, too).
> 

Of course, we already use prepared statements in all the modern Python
scripts (everything under git-interface/ and scripts/). The gendummydata
script is old and full of hacks.

> If we want to change everything to prepared statements, I can create
> patches for PHP parts next month.
> 

That is greatly appreciated! Please make sure you make small, easy to
review commits.

> Best, Marcel
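The contrast between the two styles discussed above, as an added example that is not code from the AUR repository: an in-memory SQLite table stands in for the real schema, the `Name` column and the sample rows are constructed, and the `PackagerUID` column follows the patch subject. The old style interpolates every value with `%s` and does no escaping, so a legitimate name containing a quote breaks the statement; the prepared statement binds the same values without any escaping code.

```python
import sqlite3

# Constructed sample rows (not from gendummydata); the third name contains a quote.
PACKAGES = [
    ("foo", 1001),
    ("bar", 1002),
    ("O'Brien-tools", 1003),
]


def setup_db():
    """In-memory table with an assumed shape; the real schema lives in MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Packages (Name TEXT, PackagerUID INTEGER)")
    return conn


def insert_concatenated(conn, name, packager_uid):
    """Old style: "%s" for every value, strings not escaped.
    A quote inside `name` makes the SQL invalid (sqlite3.OperationalError)."""
    sql = "INSERT INTO Packages (Name, PackagerUID) VALUES ('%s', %s)" % (name, packager_uid)
    conn.execute(sql)


def insert_prepared(conn, name, packager_uid):
    """Prepared statement: values are bound by the driver, separate from the SQL text,
    so no escaping is needed and the integer stays an integer."""
    conn.execute("INSERT INTO Packages (Name, PackagerUID) VALUES (?, ?)", (name, packager_uid))


def compare_styles(packages=PACKAGES):
    """Insert the rows with both styles; return (names that failed under
    concatenation, rows stored by concatenation, rows stored by prepared statements)."""
    conn = setup_db()
    concat_failures = []
    for name, uid in packages:
        try:
            insert_concatenated(conn, name, uid)
        except sqlite3.OperationalError:
            concat_failures.append(name)
    concat_rows = conn.execute("SELECT COUNT(*) FROM Packages").fetchone()[0]
    conn.execute("DELETE FROM Packages")
    for name, uid in packages:
        insert_prepared(conn, name, uid)
    prepared_rows = conn.execute("SELECT COUNT(*) FROM Packages").fetchone()[0]
    conn.close()
    return concat_failures, concat_rows, prepared_rows


if __name__ == "__main__":
    print(compare_styles())  # (["O'Brien-tools"], 2, 3)
```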

