On Fri, 13 Apr 2007 12:15:30 +0200, Alexander Presber
<aljoscha@xxxxxxxxxxxx> wrote:
> Listmail wrote:
>> Then, other languages will make you feel the pain of having to
>> quote all your arguments YOURSELF and provide all results as strings.
>> The most famous offender is PHP (this causes countless security
>> holes).
>> I partially did this for PHP. It's a lifesaver. No more
>> addslashes()! Yay!
> What about PEAR MDB2?
> http://pear.php.net/manual/en/package.database.mdb2.php
> Is it any good?
> Cheers, Alex
Well, the problem with a lot of PHP libraries is that they are written by
people who don't think.
Python's interface for doing a query in your code is close to the ideal,
which should be something like this:
query( "SELECT * FROM duhhh WHERE id=%s AND date < %s", id, date )
(Python's API has an extra set of () and it also takes named parameters.)
If id is a Python integer and date a Python datetime object, format
conversion is automatic.
If they are not, first they should be, but whatever error the programmer
makes DOES NOT make a SQL injection. At most psql will complain that you
try to compare a date with something that is not a date, but you don't get
hacked, since in order to put an un-quoted argument into the SQL you have
to do it really on purpose.
Now, I use many database queries in my web applications (so does
everyone), therefore I consider a system that needs me to type a lot of
crap in order to work to be DUMB.
PEAR::MDB2 says:
$query = 'INSERT INTO tablename (id, itemname, saved_time) VALUES ('
. $mdb2->quote($id, 'integer') .', '
. $mdb2->quote($name, 'text') .', '
. $mdb2->quote($time, 'timestamp') .')';
$res =& $mdb2->query($query);
As you see,
- it's a lot less compact and readable
- it's a pain to use, so I will copypaste code, which is the GREAT EVIL
and a good source of bugs
- you have to repeat the variable types (who cares?)
- if I am not well awake I may forget to type that crap because I'm sure
the variable is an integer, why bother (but am I really sure? => get
hacked)
Since PHP has no type for date, a much better way of doing this would be:
query( "INSERT INTO ... VALUES (%s,%s,%s)", $id, $name,
DB::datetime( $timestamp ) )
with all the basic types being quoted as they come (i.e. like a string,
since postgres doesn't distinguish between 1 and '1'), and a few adapters
for other types (like date).
Also the ORM part of PEAR::MDB2 is braindead since the field specifiers
are not objects that you can customize and derive from...
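The point made above (a forgotten quote in hand-built SQL is an injection, while a value passed as a separate parameter can at most fail to match), as an added example that is not part of this mailing-list thread. It uses Python's standard sqlite3 module as an in-memory stand-in for PostgreSQL/psycopg2, so the `%s` placeholders are rewritten to sqlite's `?` inside the `query()` wrapper. The `query`, `query_quote_yourself`, `make_db` and `demo` names, the adapter for `datetime.date`, and the sample rows are all assumptions of this example; only the table name `duhhh` and the call shape `query(sql, id, date)` come from the post.

```python
import datetime
import sqlite3

# Constructed sample table (not data from the mailing-list post).
SAMPLE_ROWS = [
    (1, "alice", "2007-04-01"),
    (2, "bob", "2007-04-12"),
]


def make_db():
    """In-memory SQLite stand-in for the PostgreSQL database in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE duhhh (id INTEGER, name TEXT, date TEXT)")
    conn.executemany("INSERT INTO duhhh VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# Adapter for a non-basic type, in the spirit of the DB::datetime() idea in
# the post: a date object becomes ISO text before the driver binds it.
sqlite3.register_adapter(datetime.date, lambda d: d.isoformat())


def query(conn, sql, *params):
    """DB-API style call: query(conn, "... id=%s AND date < %s", id, date).

    The values never touch the SQL text; the driver binds them separately.
    sqlite3 spells the placeholder '?' where psycopg2 uses '%s', so the
    '%s' markers are rewritten here (assumption: no literal '%s' in the SQL).
    """
    return conn.execute(sql.replace("%s", "?"), params).fetchall()


def query_quote_yourself(conn, id_value, date_value):
    """The build-the-string-yourself style the post complains about, with
    the quoting of id 'forgotten' because the author was sure it was an int."""
    sql = "SELECT id, name FROM duhhh WHERE id=%s AND date < '%s'" % (
        id_value,
        date_value,
    )
    return conn.execute(sql).fetchall()


def demo():
    """Run the same lookup with honest and hostile input in both styles."""
    conn = make_db()
    sql = "SELECT id, name FROM duhhh WHERE id=%s AND date < %s"

    # Honest input: a Python int and a Python date, converted automatically.
    honest = query(conn, sql, 1, datetime.date(2007, 4, 13))

    # Hostile input where an integer was expected; '--' comments out the
    # rest of the WHERE clause in the string-built version.
    hostile_id = "1 OR 1=1 --"
    hacked = query_quote_yourself(conn, hostile_id, "2007-04-13")

    # Same hostile input as a bound parameter: it is compared as a value
    # against the integer column, matches nothing, and changes no SQL.
    not_hacked = query(conn, sql, hostile_id, "2007-04-13")
    return honest, hacked, not_hacked


if __name__ == "__main__":
    for label, rows in zip(("honest", "hacked", "not_hacked"), demo()):
        print(label, rows)
```

With PostgreSQL the parameterised hostile case would typically be rejected by the server as a type error on the integer column rather than silently returning no rows, which is the "psql will complain" outcome the post describes; either way the attacker gets no extra rows.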