why not use pg_query_params for postgres?
Parameterized queries via pg_query_params work since 5.1 on postgres since 7.4. Why not use it to replace current sanitization code in postgres.inc.php with simpler queries using that function?
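As an added illustration (not Serendipity's own code, and not from the thread), here is what the two approaches the question contrasts look like side by side in PHP: an escape-and-concatenate wrapper of the kind a `postgres.inc.php`-style layer has to get right at every call site, and the same lookup through `pg_query_params`. The connection string, the `serendipity_entries` table and the `findEntryByTitle*` function names are assumptions for the example; `pg_escape_literal`, `pg_escape_identifier` and `pg_query_params` are real PHP functions.

```php
<?php
// Added example, not part of s9y: escape-based sanitization next to a
// parameterized query for the same lookup on PostgreSQL.
// Assumes PHP >= 5.1 with the pgsql extension and a PostgreSQL server
// (7.4 or later, the first version with the extended query protocol).
declare(strict_types=1);

// Placeholder DSN; replace with real connection parameters.
$conn = pg_connect('host=localhost dbname=s9y user=s9y password=PLACEHOLDER');
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// Style 1: escape, then build the statement as a string.
// pg_escape_literal() adds the surrounding quotes itself. The weakness of
// this style is not the escaping function but the discipline it demands:
// every call site must remember to apply it, and a single forgotten call
// becomes an SQL injection.
function findEntryByTitleEscaped($conn, string $title): array
{
    $sql = 'SELECT id, title FROM serendipity_entries WHERE title = '
         . pg_escape_literal($conn, $title);
    $res = pg_query($conn, $sql);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Style 2: parameterized. The SQL text is fixed; values are sent
// separately as $1, $2, ... and are never parsed as SQL by the server,
// so no per-value escaping is needed at the call site.
function findEntryByTitleParams($conn, string $title): array
{
    $res = pg_query_params(
        $conn,
        'SELECT id, title FROM serendipity_entries WHERE title = $1',
        [$title]
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Caveat: parameters can only stand in for values. Table and column
// names, or an ORDER BY column chosen at runtime, still have to be
// validated or quoted as identifiers; parameterization does not cover them.
function listEntriesSortedBy($conn, string $column, int $limit): array
{
    $allowed = ['id', 'title', 'timestamp'];   // allow-list first ...
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column");
    }
    $ident = pg_escape_identifier($conn, $column); // ... then quote it
    $res = pg_query_params(
        $conn,
        "SELECT id, title FROM serendipity_entries ORDER BY $ident LIMIT \$1",
        [$limit]                                    // LIMIT is a value: fine as $1
    );
    if ($res === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($res) ?: [];
}

// Constructed input containing quote characters. Both lookups return the
// same rows; in neither case does the quote change the statement's shape.
$title = "Don't ' OR '1'='1";
var_dump(findEntryByTitleEscaped($conn, $title) === findEntryByTitleParams($conn, $title));
var_dump(count(listEntriesSortedBy($conn, 'timestamp', 5)) <= 5);
```

The point the thread's reply makes is visible in the second function: the gain is not in any single query but in removing the per-call-site escaping obligation, which is exactly why it only pays off once every query in core and plugins is converted.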
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
Re: why not use pg_query_params for postgres?
Hi!
Because then all SQL queries in all of s9y's code would need to be changed, and since parametrization works differently on mysql and sqlite, this is harder to achieve. Serendipity was built before PDO, and since we are very fond of backwards compatibility, this is a thing that will only get changed when a developer comes along with very much spare time to correct all of s9y's core and additional plugins code, and use a way of implementation that does not affect BC.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: why not use pg_query_params for postgres?
I only poked my nose in the code for two seconds, but making an internal fork that uses parameterization on postgres where your php/postgres both support it doesn't look that intractable to me. Maybe I need to spend four minutes; it's easy to be overconfident about other people's codebases.
As for the other programs, I don't think php on mysql or sqlite supports parameterization, does it? Is s9y separable from php?