Hi, On Thu, Jul 31, 2008 at 8:09 AM, paul POULAIN <[EMAIL PROTECTED]> wrote: > Andrew Moore a écrit : >> On Thu, Jul 31, 2008 at 7:31 AM, paul POULAIN <[EMAIL PROTECTED]> wrote: >> >>> /me disagree : the $dbh->quote() does exactly the same thing as the >>> placeholder : ie escaping SQL to avoir SQL injections. So this patch >>> solves nothing on this aspect ;-) >>> >> Very well. I wouldn't object to backing these patches out. >> > The resulting code is correct. The previous code was also correct. So I > think both are valid. It's fair not to rollback according. I just wanted > to point for future, that there is no injection risk with quote()
But there are other problems: 1. Not using placeholders can reduce the effectiveness of query caching. 2. If one relies on $dbh->quote(), it is too easy to miss when someone forgets to use it. If we settle on using placeholders and bind variables for all queries, it's much easier to verify by visual inspection whether a given query has an obvious vector for an injection bug. I am *not* in favor of backing out this patch. Regards, Galen -- Galen Charlton VP, Research & Development, LibLime [EMAIL PROTECTED] p: 1-888-564-2457 x709 skype: gmcharlt _______________________________________________ Koha-patches mailing list [email protected] http://lists.koha.org/mailman/listinfo/koha-patches
