On 27/02/2021 16:57, Kamil Tekiela wrote:

        If product_id is actually an integer column, this function is
        technically broken: given a non-integer input, it will produce an
        error in the database.

    I'm sorry, but I do not understand why that code would produce an error. The value is properly escaped and formatted so there should be no error at all. Is this based on some SQL setting? That SQL looks correct to me and I do not see any syntax errors.


That's precisely why it's the kind of code that goes unfixed for years, but it is broken: if $product_id is the string 'hello world', then this line...

$sql = "Select * From products Where product_id = '" . $dbWrapper->escape($product_id) . "'";

...produces this SQL:

Select * From products Where product_id = 'hello world'

If product_id is a column of type int, then the database will raise an error about incompatible types.


If the PHP database wrapper just swallows this error and returns false, then somewhere else in the code, you can write this:

$product = get_product($_GET['product_id']);
if ( ! $product ) {
   display_error_message('Sorry, we could not find that product.');
}

So although the code is wrong, the user always gets a reasonable error message. Now replace the database implementation with one that throws exceptions, and that message will never display; if you're lucky, there's a default exception handler set; if not, the user will get a blank white page.


Regards,

--
Rowan Tommins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
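The following is an added example, not code from the thread or from PHP itself, showing the shape of get_product() that avoids the failure the reply describes: the caller's "not found" branch cannot be reached by a database error, because the input is validated as an integer before any SQL runs, the value is bound as a typed parameter, and PDO is put in exception mode so the wrapper never returns false for a real failure. The DSN, table, and rows are constructed so the script runs offline against in-memory SQLite; SQLite's type affinity means a string compared to an INTEGER column simply matches no rows rather than raising the type error a strictly typed backend would, so the script demonstrates the boundary check and error mode, which do not depend on the backend.

```php
<?php
// Added example (not part of the original thread). Assumes PHP 8.0+ with
// the pdo_sqlite extension; the schema and rows below are constructed.
declare(strict_types=1);

// Distinct failure for "the request itself is malformed" (a 400-class
// condition), separate from "no such row" and from "the database failed".
final class InvalidProductId extends InvalidArgumentException {}

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Never swallow database errors: make the wrapper throw instead of
    // returning false, so a failure cannot masquerade as "not found".
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO products (product_id, name) VALUES (1, 'Widget'), (2, 'Gadget')");
    return $pdo;
}

// Hardened lookup: validate at the trust boundary, bind a typed parameter,
// and let genuine database errors propagate as PDOException.
function get_product(PDO $pdo, mixed $raw_id): ?array {
    // Reject anything that is not a positive integer before touching the DB;
    // 'hello world', '1.5', '' and '1abc' all fail here.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidProductId('product_id must be a positive integer');
    }

    // Prepared statement with an explicitly typed parameter: no string
    // concatenation, no escaping, and the backend sees an integer.
    $stmt = $pdo->prepare('SELECT product_id, name FROM products WHERE product_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;   // null means "no such product"
}

// Caller: the three outcomes are distinguishable, and the user-facing
// "could not find" message is only produced for an actual missing row.
function product_page(PDO $pdo, mixed $raw_id): string {
    try {
        $product = get_product($pdo, $raw_id);
    } catch (InvalidProductId $e) {
        return 'Invalid product id.';
    } catch (PDOException $e) {
        // Log the detail server-side; the user gets a generic message.
        error_log('product lookup failed: ' . $e->getMessage());
        return 'Sorry, something went wrong.';
    }
    if ($product === null) {
        return 'Sorry, we could not find that product.';
    }
    return 'Product: ' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
}

$pdo = connect();
// Constructed sample inputs standing in for $_GET['product_id'].
foreach (['1', '999', 'hello world', '1.5', ''] as $input) {
    printf("%-14s -> %s\n", var_export($input, true), product_page($pdo, $input));
}
```

With this layout, swapping the database implementation for one that throws changes nothing for the caller: the PDOException branch already exists, so there is no path on which the page goes blank, and the "could not find" message still appears only when the row is genuinely absent.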
