[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data
johannes at kyriasis.com
Sun Jun 14 19:15:22 UTC 2015
On 14/06, Johannes Löthberg wrote:
>On 14/06, Marcel Korpel wrote:
>>* Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
>>>Wow. This part of the code is really ugly. Using "%s" for integer
>>>values and not escaping strings in queries. I wonder if somebody
>>>cares enough to rewrite it, though...
>>Wouldn't the use of (PDO) prepared statements be much neater in
>>general? Not that string concatenation is unsafe when values are
>>properly escaped, so there's no immediate threat at the moment (as far
>>as I can see), but prepared statements are easier to read and less
>>error-prone when changing code (and yes, I know this is about Python
>>code, which I don't know, but the PHP parts are full of string
>>If we want to change everything to prepared statements, I can create
>>patches for PHP parts next month.
>Python doesn't have prepared statements, but it has similar
>parameterized queries. I can look into replacing the interpolation
>with those later.
Heh, just realized that the python script just writes a SQL file which
the bash script executes.. I should just make the python script do all
PGP Key ID: 0x50FB9B273A9D0BB5
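The two styles compared in this thread, side by side, as an added example that is not part of the original mail or the AUR code: the "%s"-interpolated INSERT beside its DB-API parameterized equivalent, run directly from Python instead of going through a generated SQL file. The table, column names and the sqlite3 in-memory database are assumptions for illustration only.

```python
import sqlite3

# Constructed stand-in for a dummy-data table; not the project's real schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, Email TEXT)")
    return con

def insert_interpolated(con, uid, username, email):
    # The style the thread complains about: every value, integer or string,
    # is pasted into the SQL text with "%s" and no escaping. A single quote
    # inside a legitimate value corrupts the statement.
    sql = ("INSERT INTO Users (ID, Username, Email) VALUES (%s, '%s', '%s')"
           % (uid, username, email))
    con.execute(sql)
    con.commit()

def insert_parameterized(con, uid, username, email):
    # Parameterized query: the driver binds each value separately, so the SQL
    # text is fixed and the values are never parsed as SQL. The integer is
    # bound as an integer, the strings as strings, with no escaping to forget.
    con.execute("INSERT INTO Users (ID, Username, Email) VALUES (?, ?, ?)",
                (uid, username, email))
    con.commit()

def fetch_user(con, uid):
    return con.execute("SELECT ID, Username, Email FROM Users WHERE ID = ?",
                       (uid,)).fetchone()

def demo():
    con = make_db()
    awkward = "o'brien"          # constructed, perfectly legal username
    results = {}
    try:
        insert_interpolated(con, 1, awkward, "ob@example.org")
        results["interpolated"] = fetch_user(con, 1)
    except sqlite3.Error as e:
        # The apostrophe breaks the pasted-together statement.
        results["interpolated"] = "error: %s" % e.__class__.__name__
    insert_parameterized(con, 2, awkward, "ob@example.org")
    results["parameterized"] = fetch_user(con, 2)   # stored verbatim
    return results

if __name__ == "__main__":
    print(demo())
```

Note that the MySQL DB-API drivers use `%s` as their placeholder, so a parameterized MySQL query looks like string formatting but is still bound by the driver; the difference is passing the values as the second argument to `execute()` rather than applying the `%` operator yourself.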