On 14/06, Marcel Korpel wrote:
> * Lukas Fleischer <[email protected]> (Sun, 14 Jun 2015 17:45:24
> +0200):
> > Wow. This part of the code is really ugly. Using "%s" for integer
> > values and not escaping strings in queries. I wonder if somebody
> > cares enough to rewrite it, though...
>
> Wouldn't the use of (PDO) prepared statements be much neater in
> general? Not that string concatenation is unsafe when values are
> properly escaped, so there's no immediate threat at the moment (as far
> as I can see), but prepared statements are easier to read and less
> error-prone when changing code (and yes, I know this is about Python
> code, which I don't know, but the PHP parts are full of string
> concatenation, too).
>
> If we want to change everything to prepared statements, I can create
> patches for PHP parts next month.


Python doesn't have prepared statements, but it has similar parameterized queries. I can look into replacing the interpolation with those later.

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/
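As an added illustration of the two patterns discussed in this thread (not code from the thread or from the AUR code base), the following contrasts a query built with Python "%s" interpolation against a DB-API parameterized query. It assumes a constructed in-memory sqlite3 table standing in for a packages table; the MySQLdb note in the comments refers to that driver's documented paramstyle, not to anything on this page.

```python
import sqlite3


def setup_db():
    """Constructed sample data: a tiny Packages table with one awkward name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Packages (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Packages (ID, Name) VALUES (?, ?)",
                     [(1, "foo"), (2, "bar's-tool"), (3, "baz")])
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """The fragile pattern: the value is spliced into the SQL text.

    A quote character in the value becomes part of the statement
    instead of part of the data, so the query no longer parses."""
    query = "SELECT ID FROM Packages WHERE Name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """DB-API parameterized query: the driver binds the value separately,
    so it is always treated as data. sqlite3 uses '?' as placeholder;
    MySQLdb uses '%s', which there is a bind marker, not Python formatting."""
    rows = conn.execute("SELECT ID FROM Packages WHERE Name = ?", (name,))
    return [row[0] for row in rows]


def lookup_name_by_id(conn, pkg_id):
    """Same mechanism for integers: bind the int, no str() and no quoting."""
    rows = conn.execute("SELECT Name FROM Packages WHERE ID = ?", (pkg_id,))
    return [row[0] for row in rows]


def interpolation_breaks(conn, name):
    """True when the interpolated query fails to parse for this value."""
    try:
        lookup_interpolated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    for pkg in ("foo", "bar's-tool"):
        print(pkg, lookup_parameterized(db, pkg), interpolation_breaks(db, pkg))
```

Running it shows that the parameterized lookup returns the row for "bar's-tool" while the interpolated version fails on the same, perfectly legitimate, input.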
