On Sun, 14 Jun 2015 at 20:39:20, Marcel Korpel wrote:
> * Lukas Fleischer <[email protected]> (Sun, 14 Jun 2015 17:45:24 +0200):
> > Wow. This part of the code is really ugly. Using "%s" for integer
> > values and not escaping strings in queries. I wonder if somebody
> > cares enough to rewrite it, though...
>
> Wouldn't the use of (PDO) prepared statements be much neater in
> general? Not that string concatenation is unsafe when values are
> properly escaped, so there's no immediate threat at the moment (as far
> as I can see), but prepared statements are easier to read and less
> error-prone when changing code (and yes, I know this is about Python
> code, which I don't know, but the PHP parts are full of string
> concatenation, too).
Of course, we already use prepared statements in all the modern Python
scripts (everything under git-interface/ and scripts/). The gendummydata
script is old and full of hacks.

> If we want to change everything to prepared statements, I can create
> patches for PHP parts next month.

That is greatly appreciated! Please make sure you make small, easy to
review commits.

> Best,
> Marcel
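The contrast the thread is drawing, shown as an added example that is not part of this mail exchange and not code from the AUR project: the same lookup written once with the `"%s"`-into-the-SQL-text pattern Lukas complains about and once as a parameterized query. The table name, column names and the sample rows are constructed for the example, and an in-memory sqlite3 database stands in for the real backend (sqlite3 uses `?` placeholders; the MySQL driver used in Python or PDO in PHP use the same idea with their own placeholder syntax). The point is the failure mode: a perfectly ordinary value containing an apostrophe breaks the formatted query, while the parameterized one returns the right row because the value never becomes part of the SQL text.

```python
import sqlite3

# Constructed sample data; not taken from any real AUR database.
SAMPLE_USERS = [(1, "alice"), (2, "O'Brien"), (3, "bob")]


def make_db():
    """Create an in-memory sqlite3 database with a hypothetical Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users (ID, Username) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, username):
    """The pattern criticised in the thread: the value is pasted into the
    SQL text with %s and nothing is escaped, so the database parses the
    value as part of the statement."""
    sql = "SELECT ID FROM Users WHERE Username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_user_prepared(conn, username):
    """Parameterized form: the SQL text is fixed, the value travels
    separately and is never parsed as SQL."""
    row = conn.execute(
        "SELECT ID FROM Users WHERE Username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def compare(username):
    """Run both variants on a fresh database and report what each returned.
    A database error from the concatenated variant is recorded by its
    exception class name rather than propagated."""
    conn = make_db()
    try:
        try:
            concat = find_user_concat(conn, username)
            concat_error = None
        except sqlite3.Error as exc:
            concat = None
            concat_error = type(exc).__name__
        prepared = find_user_prepared(conn, username)
    finally:
        conn.close()
    return {"concat": concat, "concat_error": concat_error, "prepared": prepared}


if __name__ == "__main__":
    for name in ("alice", "O'Brien", "nobody"):
        print(name, compare(name))
```

For `alice` both variants agree. For `O'Brien` the concatenated variant hands the database `... Username = 'O'Brien'`, which is a syntax error (an `OperationalError` in sqlite3), while the parameterized variant returns ID 2. That is Marcel's "less error-prone when changing code" point in miniature: with placeholders there is no escaping step for a later edit to forget.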
