why not use pg_query_params for postgres?
Posted: Wed Dec 24, 2008 7:12 am
by wcw
Parameterized queries via pg_query_params have worked since PHP 5.1, on PostgreSQL 7.4 and later. Why not use it to replace the current sanitization code in postgres.inc.php with simpler queries using that function?
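As an added example (not code from Serendipity, from postgres.inc.php, or from either poster in this thread) of what the post proposes: the same lookup written three ways, with the value spliced into the SQL text, with pg_escape_string() in the style an escaping wrapper applies on every call, and with pg_query_params(). The table, its rows, the attacker input and the connection string are all constructed for the demonstration; it needs a reachable PostgreSQL server, PHP 5.1 or later with the pgsql extension, and PostgreSQL 7.4 or later.

```php
<?php
// Added example; not code from Serendipity or its postgres.inc.php.
// Assumes a reachable PostgreSQL server (connection string is a placeholder),
// PHP >= 5.1 with the pgsql extension, PostgreSQL >= 7.4. The table, rows and
// attacker input below are constructed for the demonstration.

$dsn = getenv('PGCONN');
if ($dsn === false) {
    $dsn = 'host=localhost dbname=postgres user=postgres';
}
$db = pg_connect($dsn);
if ($db === false) {
    fwrite(STDERR, "pg_connect failed\n");
    exit(1);
}

// Temporary table: it disappears with the session, so no cleanup is needed.
pg_query($db, 'CREATE TEMP TABLE entries (id serial, title text, author text, published boolean)');
pg_query($db, "INSERT INTO entries (title, author, published) VALUES
    ('hello', 'alice', true), ('draft', 'alice', false), ('notes', 'bob', true)");

// Constructed attacker input: closes the quoted literal and appends a tautology.
$author = "nobody' OR '1'='1";

// 1. Vulnerable: the input is spliced into the SQL text. The quote terminates
//    the literal, the WHERE clause becomes always-true, and every row comes back.
$res = pg_query($db, "SELECT id FROM entries WHERE author = '" . $author . "'");
printf("concatenated:  %d rows (expected 0)\n", pg_num_rows($res));

// 2. Escape-based sanitization, the approach an escaping wrapper has to apply
//    to every interpolated string. Correct here, but each caller must remember
//    it, and it only covers quoted literals, not numbers or identifiers.
$res = pg_query($db, "SELECT id FROM entries WHERE author = '"
                   . pg_escape_string($db, $author) . "'");
printf("escaped:       %d rows\n", pg_num_rows($res));

// 3. Parameterized: SQL text and values travel separately, so the server never
//    parses $author as SQL and no escaping of values is needed at all.
//    Single-quoted PHP string so that $1/$2 are not interpolated by PHP.
$sql = 'SELECT id FROM entries WHERE author = $1 AND published = $2';
$res = pg_query_params($db, $sql, array($author, 'true'));
printf("parameterized: %d rows\n", pg_num_rows($res));

$res = pg_query_params($db, $sql, array('alice', 'true'));
printf("legit lookup:  %d rows\n", pg_num_rows($res));

// Caveats when porting escape-based code to pg_query_params():
// - Parameters are cast to strings. PHP false becomes '', which PostgreSQL
//   rejects for a boolean column; pass 'true'/'false' (or 't'/'f') explicitly.
//   The PHP warning is suppressed here because the failure is handled below.
$res = @pg_query_params($db, $sql, array('alice', false));
if ($res === false) {
    echo "PHP false as parameter: " . trim(pg_last_error($db)) . "\n";
}
// - Placeholders stand only for values. Table or column names chosen at
//   runtime still need pg_escape_identifier() (PHP >= 5.4.4) or a whitelist.
// - Always check the return value: pg_query_params() returns false on failure
//   rather than throwing, so an unchecked failed query just looks like no rows.
```

Run it with a connection string in `PGCONN` (for example `host=localhost dbname=test user=test`). The first query returns all three rows, the escaped and parameterized versions return none for the hostile input, and the deliberate `false` parameter shows the boolean conversion error that escape-based code never had to think about.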
Re: why not use pg_query_params for postgres?
Posted: Fri Dec 26, 2008 3:03 pm
by garvinhicking
Hi!
Because then all SQL queries in all of s9y's code would need to be changed, and since parametrization works differently on MySQL and SQLite, this is harder to achieve. Serendipity was built before PDO, and since we are very fond of backwards compatibility, this is a thing that will only get changed when a developer comes along with a lot of spare time to correct all of s9y's core and additional plugin code, and uses a way of implementation that does not affect BC.
Regards,
Garvin
Re: why not use pg_query_params for postgres?
Posted: Mon Feb 23, 2009 11:40 pm
by wcw
I only poked my nose in the code for two seconds, but making an internal fork that uses parameterization on postgres where your php/postgres both support it doesn't look that intractable to me. Maybe I need to spend four minutes; it's easy to be overconfident about other people's codebases.
As for the other programs, I don't think php on mysql or sqlite supports parameterization, does it? Is s9y separable from php?