https://bugzilla.wikimedia.org/show_bug.cgi?id=20275
--- Comment #4 from Aryeh Gregor <[email protected]> 2009-08-24 19:55:54 UTC --- (In reply to comment #3) > The $dbr->like( 'bar%' ) variant is clearer, but it requires you to take care > of its parameter manually, i.e. to escape 'bar' but not '%', if you really > mean > "all pages starting with 'bar'". To reduce the possibility of creating an > unescaped LIKE statement (not calling escapeLike may result in a query that > does not do what it is intended to do, not escaping quotes properly is an > outright security threat). My proposed function takes care of most uses of > LIKE -- that only need to select things starting with a given string. For > those > cases where the LIKE statement needs to be much trickier, no predefined > function can take care of 100% of cases, that's why I proposed to create > escapeSyntax(). People should be able to use it directly when building a query > manually. I'm not convinced this is the best API. Currently we do fine with calling escapeLike() manually; I don't see any better way in general. You're right that my previous suggestion doesn't work, but how about: $dbr->like( $dbr->escapeLike( $foo ) . '%' . $dbr->escapeLike( $bar ) ) addQuotes() would be handled by like(). I think this is a better syntax than ' LIKE ' . $this->addQuotes( $this->escapeLike( $foo ) . '%' . $this->escapeLike( $bar ) ) . $this->escapeSyntax() or such. In particular, escapeSyntax() exposes a weird implementation detail of SQLite, which nobody is going to understand, so they're probably just going to forget to add it. It's easier to remember "all LIKEs should use the like() method" than "all LIKEs should have the output of some method tacked on the end, what was that called again?" Also, like() gives us more flexibility in case some other DBMS has odd LIKE handling in the future. It's possible that an extra method to handle the common prefix case would be good, like $dbr->likePrefix( $foo ) == $dbr->like( $dbr->escapeLike( $foo ) . '%' ). But then people might not realize that both methods exist, and so might resort to manually crafting non-prefix LIKEs. Unless there are really almost none of those, I think just having like() is probably the best syntax here. -- Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. You are on the CC list for the bug. _______________________________________________ Wikibugs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
