17 Oct
2008
17 Oct
'08
10:44 p.m.
I agree with gnul - thanks for outlining the issue that way. As I
already said before - if prepared statements are used correctly there
is no need for quoting!
Dennis,
Could you please elaborate a bit more on that issue? I don't quite
understand what you are trying to say. If the bug is fixed so it not
longer crashed the SQL statement, what remains unfixed?
lg, Mike
--
Michael Baierl
http://mbaierl.com/
On 17.10.2008, at 20:45, "Dennis P. Nikolaenko" dennis@nikolaenko.ru
wrote: > gnul wrote: >>> $sql = "update contacts set firstname = 'test's' where
>>> contact_id=?"; >>> $sql_result = $RCMAIL->db->query($sql,'91'); >>> >>> >> >> The above SQL is not using prepared statements correctly. Every >> parameter in a query that may be user-defined should use the "?". I >> don't know the exact syntax for db->query(), but the above should
>> look >> something like this: >> >> $sql = "update contacts set firstname = ? where contact_id=?"; >> $sql_result = $RCMAIL->db->query($sql,"test's", "91"); >> >> Note there is NO escaping of single quotes. If using prepared >> statements correctly, you should never need to escape anything. >> > The problem is that the tables can be enhanced with new columns, that > will require additions of more code than with current approach. > Using ? placeholders for everything may workaround the bug in MDB2,
> but > the bug still remains to be fixed. > -- > Dennis > > _______________________________________________ > List info: http://lists.roundcube.net/dev/ _______________________________________________ List info: http://lists.roundcube.net/dev/
wrote: > gnul wrote: >>> $sql = "update contacts set firstname = 'test's' where
>>> contact_id=?"; >>> $sql_result = $RCMAIL->db->query($sql,'91'); >>> >>> >> >> The above SQL is not using prepared statements correctly. Every >> parameter in a query that may be user-defined should use the "?". I >> don't know the exact syntax for db->query(), but the above should
>> look >> something like this: >> >> $sql = "update contacts set firstname = ? where contact_id=?"; >> $sql_result = $RCMAIL->db->query($sql,"test's", "91"); >> >> Note there is NO escaping of single quotes. If using prepared >> statements correctly, you should never need to escape anything. >> > The problem is that the tables can be enhanced with new columns, that > will require additions of more code than with current approach. > Using ? placeholders for everything may workaround the bug in MDB2,
> but > the bug still remains to be fixed. > -- > Dennis > > _______________________________________________ > List info: http://lists.roundcube.net/dev/ _______________________________________________ List info: http://lists.roundcube.net/dev/