> So, the fix is quite simple, stop using compile_insert_string() and
> compile_update_string() and let query_parameters() do the work.  This
> way we can be sure that we won't be inserting strings with special
> formatting characters into the format portion of the
> query_parameters() call.
>
> I'll take care of fixing this as soon as I get back home.
>
> Chris

I was not really comfortable with that solution. compile_update_string was very
nice for aligning the field with the value so it looked very clean. The trouble
with doing it this way is that it is more prone to errors, but if you say that is
OK with you then I suppose it will do for me too.



I agree about the formatting.  It was easier to line things up with
the other external call to compile_*_string().

It may seem more prone to errors but this is how PEAR DB, ADOdb, .NET
and others recommend performing queries.  query_parameters() will
ensure that the correct number of tokens is present for the number of
variables provided, so if there is a mismatch the query won't be
executed.

I think the formatting you chose looks good and is just as good as
what we had before.


Chris


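As an added illustration, not code from this thread or from the project it discusses: a Python/sqlite3 sketch of why splicing values into the SQL text (the compile_*_string() approach) is dangerous, and what the token-count check described for query_parameters() buys. The names compile_update_string and query_parameters are borrowed from the thread, but their bodies here are hypothetical re-implementations; the users table, its rows and the hostile payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and sample rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def compile_update_string(table, fields, where_sql):
    """String-building helper in the style the thread wants to retire: field
    values are pasted straight into the SQL text, so any quote or comment
    characters in a value become SQL.  Hypothetical re-creation, not the
    project's own function."""
    assignments = ", ".join(f"{col} = '{val}'" for col, val in fields.items())
    return f"UPDATE {table} SET {assignments} WHERE {where_sql}"


def count_placeholders(sql):
    """Count ? tokens that sit outside single-quoted string literals.
    A doubled quote ('') inside a literal toggles the state twice, so it
    is handled correctly without special-casing."""
    count = 0
    in_literal = False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == "?" and not in_literal:
            count += 1
    return count


class QueryArityError(ValueError):
    """Raised when the placeholder count and the value count disagree."""


def query_parameters(conn, sql, params):
    """Parameterised execution that refuses to run on a token/value mismatch,
    the property the thread attributes to query_parameters().  Values travel
    to the driver separately from the SQL text, so they are never parsed as
    SQL.  Hypothetical Python re-implementation, not the project's PHP code."""
    expected = count_placeholders(sql)
    if expected != len(params):
        raise QueryArityError(f"{expected} placeholder(s) but {len(params)} value(s)")
    return conn.execute(sql, tuple(params))


# Constructed hostile input: a "name" that carries its own SQL and comments
# out the real WHERE clause.
PAYLOAD = "mallory', email = 'mallory@evil.example' WHERE 1=1 --"


def unsafe_update(conn=None):
    """Rename bob via the string-building helper; returns every row afterwards.
    The payload rewrites every user, not just bob."""
    conn = conn or make_db()
    sql = compile_update_string("users", {"name": PAYLOAD}, "name = 'bob'")
    conn.execute(sql)
    return conn.execute("SELECT name, email FROM users ORDER BY id").fetchall()


def safe_update(conn=None):
    """Same change through query_parameters(); the payload is stored verbatim
    as bob's new name and no other row is touched."""
    conn = conn or make_db()
    query_parameters(conn, "UPDATE users SET name = ? WHERE name = ?", [PAYLOAD, "bob"])
    return conn.execute("SELECT name, email FROM users ORDER BY id").fetchall()


def mismatch_is_rejected(conn=None):
    """A query with two tokens but one value never reaches the database."""
    conn = conn or make_db()
    try:
        query_parameters(conn, "UPDATE users SET name = ? WHERE id = ?", ["eve"])
    except QueryArityError:
        return True
    return False


if __name__ == "__main__":
    print("string-built:", unsafe_update())
    print("parameterised:", safe_update())
    print("mismatch rejected:", mismatch_is_rejected())
```

The arity check only catches a programmer slip (a forgotten or extra value); the injection protection comes from binding itself, which is why the string-building path is the one to retire regardless of how tidy its call sites look.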