[aur-dev] Prepared statements, was: Re: [PATCH] Adding PackagerUID to the generated dummy data

Johannes Löthberg johannes at kyriasis.com
Sun Jun 14 19:15:22 UTC 2015


On 14/06, Johannes Löthberg wrote:
>On 14/06, Marcel Korpel wrote:
>>* Lukas Fleischer <lfleischer at archlinux.org> (Sun, 14 Jun 2015 17:45:24
>>+0200):
>>>Wow. This part of the code is really ugly. Using "%s" for integer
>>>values and not escaping strings in queries. I wonder if somebody
>>>cares enough to rewrite it, though...
>>
>>Wouldn't the use of (PDO) prepared statements be much neater in
>>general? Not that string concatenation is unsafe when values are
>>properly escaped, so there's no immediate threat at the moment (as far
>>as I can see), but prepared statements are easier to read and less
>>error-prone when changing code (and yes, I know this is about Python
>>code, which I don't know, but the PHP parts are full of string
>>concatenation, too).
>>
>>If we want to change everything to prepared statements, I can create
>>patches for PHP parts next month.
>>
>
>Python doesn't have prepared statements, but it has similar 
>parameterized queries. I can look into replacing the interpolation 
>with those later.
>

Heh, just realized that the python script just writes a SQL file which 
the bash script executes... I should just make the python script do all 
of it.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/
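Added illustration of the two approaches discussed in this thread (not aurweb's own generator code): the "%s" interpolation that writes values straight into SQL text, next to the parameterized query that hands the values to the driver separately. It assumes an in-memory SQLite database for the demo; the pattern is the same for the MySQL driver, whose placeholder is %s rather than ?.

```python
"""Interpolated SQL versus parameterized queries (illustration, not aurweb code)."""
import sqlite3


def setup_db():
    # Constructed sample schema; in-memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT)")
    return db


def insert_interpolated(db, uid, username):
    """The pattern under discussion: values pasted into the SQL text with %s.

    Nothing escapes the value, so a username containing a quote breaks the
    statement (or, in a less lucky case, changes its meaning).
    """
    sql = "INSERT INTO Users (ID, Username) VALUES (%s, '%s')" % (uid, username)
    db.execute(sql)


def insert_parameterized(db, uid, username):
    """The replacement: SQL text and values travel separately to the driver.

    No hand escaping is needed; quotes and other metacharacters are stored
    verbatim because they never become part of the statement text.
    """
    db.execute("INSERT INTO Users (ID, Username) VALUES (?, ?)", (uid, username))


def lookup(db, uid):
    row = db.execute("SELECT Username FROM Users WHERE ID = ?", (uid,)).fetchone()
    return row[0] if row else None


def demo(username="O'Brien"):
    """Returns (interpolation_failed, value_stored_by_parameterized_insert)."""
    db = setup_db()
    try:
        insert_interpolated(db, 1, username)
        failed = False
    except sqlite3.OperationalError:
        failed = True  # the stray quote turned the INSERT into a syntax error
    insert_parameterized(db, 2, username)
    return failed, lookup(db, 2)


if __name__ == "__main__":
    print(demo())
```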