As a PHP developer, may I say I think this is an oversimplification of
the issue. The reality is that you can't stop people from writing bad
SQL. Also, there are times when more than just a where clause has to be
built dynamically. So, you end up writing your own user space code to
deal with this anyway. Don't complicate my life and make me have to do
it in userspace and use a clunky function, class, hellhole (i.e. PDO mysql
prepared syntax) bit of code on top of it for every single query I write.
I mean, exec() is pretty damn unsafe too. If you don't want people using
it, you disable it via the ini settings. The same could be done for
mysql_query or drizzle_query. But, you will never get around people
building their own queries and sending them in. This query:
$stmt = $mysqli->prepare("SELECT name from publication where publication_id=$id");
works just as well as
$stmt = $mysqli->prepare("SELECT name from publication where publication_id=?");
$stmt->bind_param("i", $id);
So, you can't stop people from writing bad SQL. You just can't. So,
please don't make it suck for all the real developers out there that
know how to write code.
Thanks,
Brian.
http://brian.moonspot.net
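As an added illustration (not code from Brian's or Olaf's mail), this PHP extends the bound-parameter form above to the case Brian raises where more than the where clause is dynamic: identifiers and sort direction are checked against an allow-list because they cannot be bound, while every value still goes through bind_param(). The table and column names are assumptions for the example.

```php
<?php
// Added example, not code from the thread. Table and column names are
// assumptions; assumes PHP 7.1+ (array destructuring, argument unpacking).

// Columns a caller may filter or sort on. Identifiers cannot be bound as
// parameters, so anything that ends up in the SQL text is allow-listed.
const PUBLICATION_COLUMNS = ['publication_id', 'name', 'published_at'];

// Builds the statement text plus the bind_param() type string and values.
// Only allow-listed identifiers and the literal words ASC/DESC reach the
// SQL text; every caller-supplied value is returned for binding instead of
// being interpolated the way "publication_id=$id" does.
function buildListQuery(array $filters, string $orderBy, string $dir): array
{
    if (!in_array($orderBy, PUBLICATION_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown sort column: $orderBy");
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    $where = [];
    $types = '';
    $values = [];
    foreach ($filters as $column => $value) {
        if (!in_array($column, PUBLICATION_COLUMNS, true)) {
            throw new InvalidArgumentException("unknown filter column: $column");
        }
        $where[] = "`$column` = ?";          // placeholder, never the value
        $types  .= is_int($value) ? 'i' : 's';
        $values[] = $value;
    }

    $sql = 'SELECT name FROM publication'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . " ORDER BY `$orderBy` $dir";
    return [$sql, $types, $values];
}

// Prepares, binds and executes; the SQL text never contains caller data.
function runListQuery(mysqli $db, array $filters, string $orderBy, string $dir): mysqli_stmt
{
    [$sql, $types, $values] = buildListQuery($filters, $orderBy, $dir);
    $stmt = $db->prepare($sql);
    if ($values !== []) {
        $stmt->bind_param($types, ...$values);
    }
    $stmt->execute();
    return $stmt;
}
// e.g. runListQuery($mysqli, ['publication_id' => $id], 'name', $_GET['dir'] ?? 'asc');
```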
On 3/29/11 9:11 AM, Olaf van der Spek wrote:
Hi,
mysql_query() is unsafe (by default/design) and drizzle_query()
appears to be as bad.
For whatever reason PHP devs did not want to fix mysql_query(), but
IMO we should ensure drizzle_query() is safe.
Are there any plans to achieve this?
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to: [email protected]
Unsubscribe: https://launchpad.net/~drizzle-discuss
More help: https://help.launchpad.net/ListHelp