> What is the + there for?
It's a template. The problem cropped up when I was data-mining my
current pages to convert the system into a mysql solution.
> One day I'd like a simple plugin to move the "pages"
> back end to a database. It's set up for it architecturally, just need
> to hammer out the code.
Give me 5 minutes... Actually no, I'd have to decide what to do about
the whole folders thing. Dum di dum...
I'm prone to disagree with your statement. To truly be set up
architecturally to be page storage independent, the code explicitly
handling file access (file_exists, and fread) should be independently
extendable.
if( function_exists('myBOLTreadpage') ) $contents = myBOLTreadpage($location);
else $contents = BOLTreadpage($location);
if( $contents === NULL ) return '';
Of course, the page store is largely superfluous, and this doesn't
jack into searches now that mysql can handle groups and searching
faster than php...
Meh, this took longer than 5 minutes.
> I might suggest a more parameterized breakdown. Something like:
>
> <(mysql insert field=title value="{:title}" db=tablename)>
This was my first thought. I assumed it would let me control access
better, have separate auths for insert, select, drop table, etc.
It fails when you realize how many possible parameters there are in
mysql. So I changed it to use the php command "mysql_query" and let
security be based on which mysql user is used. This prevents me from
reinventing the wheel, among many other things. The mysql queries are
kept close to the final product, and as I've said in other posts,
google showed me a method that escapes parametrised, potentially
dangerous code, in a nice way: any code that could ever come from
someone other than you should be an "insert".
>
> Then depending on the $args[1], in this case "insert" you check all
> the parameters and construct your query.
The java-like parametrized query seemed simpler. It works really well,
and as long as I get past BoltWire's quotation needs, everything is
correctly escaped.
> I think you would have fewer
> problems. Of course this doesn't solve the problem of what if " is in
> the "{:title}". I don't see any way around that... There's no way
> BoltWire can tell which ' to escape and which not to.
Well... it could. You could escape inserted code in certain ways. '
coming from {?inserts} are prepended by a \0, treat them differently
in the regexps... Keep text-replacements bounded in php objects and
implode the final output only at the end. There are ways.
I think the easiest non-buggy way would involve generating BoltWire's
parsing with a parser generator...
Not without rebuilding the engine from near-scratch though. 4.0?
5.0?
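The parameterized-insert approach discussed in this thread, as an added example that is not part of the original message and is not BoltWire code: the value from {:title} is sent as a bound parameter, so quotes in it never need escaping, while the field and table names, which placeholders cannot bind, are checked against an allow-list. The function boltInsert, the allow-list and the pages table are hypothetical, and PDO with in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not BoltWire code. SQLite in memory stands in for MySQL;
// with MySQL only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Hypothetical handler for <(mysql insert field=... value=... db=...)>.
function boltInsert(PDO $pdo, string $table, string $field, string $value): int
{
    // Hypothetical allow-list of tables and columns the markup may name.
    // Placeholders bind values only, so identifiers have to be checked here.
    $allowed = ['pages' => ['title', 'body']];
    if (!in_array($field, $allowed[$table] ?? [], true)) {
        throw new InvalidArgumentException('table or field not allowed');
    }
    // Identifiers come from the allow-list; the value travels as a bound parameter.
    $stmt = $pdo->prepare("INSERT INTO $table ($field) VALUES (:value)");
    $stmt->execute([':value' => $value]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample values for {:title}, including both quote characters.
$titles = ['Plain title', 'Bob\'s "quoted" page', "x'); DROP TABLE pages; --"];
$check = $pdo->prepare('SELECT title FROM pages WHERE id = ?');
foreach ($titles as $t) {
    $id = boltInsert($pdo, 'pages', 'title', $t);
    $check->execute([$id]);
    $stored = $check->fetchColumn();
    echo ($stored === $t ? 'stored verbatim: ' : 'MISMATCH: '), $stored, PHP_EOL;
}

// An identifier outside the allow-list is rejected before any SQL is built.
try {
    boltInsert($pdo, 'pages', 'title) VALUES (1); --', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM pages')->fetchColumn(), PHP_EOL;
```

Pairing this with a MySQL user that holds only the privileges the page needs keeps the per-user access control described in the message.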