View more context



TL:DR; might be best to do some reading on parameterised queries :)


Then you can be the expert and inform us both :P


I see in that PR you're not actually doing anything with the tables anyway (they're a statically defined string, used once). I might suggest you simply put them into the query directly, and just have the single ? for the AGAINST part.


well, maybe not inline them directly, but continue using the variable to build the param'd query.


It isn't adapting to user input, nor even function input. Chance of injection is ~extremely low~ nil.


wait implode o.0 are twe taking a bunch of stuff to make a string qeury?


You're right Dylan, I definitely need to do some reading up on it. I'm fine to confess SQL isn't one of my strengths due to lack of time spent with it.

Very true, no updating or deletion, just getting data from it. I've never met Damian, but from the modules of his I've seen, he seems to be a human wizard. If he's saying there's a high risk of injection, I've taken that at face value and am trying to adjust my PR to ensure he's happy with it. I'll check with him about altering part of the query to be paramaterised, while table names to be variable substituted.

Not just for testing, Jack. I chose to join the query via implode rather than to using dots to concat a string. Do you think that's a bad idea?