* Lukas Fleischer <[email protected]> (Sun, 14 Jun 2015 17:45:24 +0200): > Wow. This part of the code is really ugly. Using "%s" for integer > values and not escaping strings in queries. I wonder if somebody > cares enough to rewrite it, though...
Wouldn't the use of (PDO) prepared statements be much neatier in general? Not that string concatenation is unsafe when values are properly escaped, so there's no immediate threat at the moment (as far as I can see), but prepared statements are easier to read and less error-prone when changing code (and yes, I know this is about Python code, which I don't know, but the PHP parts are full of string concatenation, too). If we want to change everything to prepared statements, I can create patches for PHP parts next month. Best, Marcel
