I see in that PR you're not actually doing anything with the tables anyway (they're a statically defined string, used once). I might suggest you simply put them into the query directly, and just have the single ? for the
well, maybe not inline them directly, but continue using the variable to build the param'd query.
It isn't adapting to user input, nor even function input. Chance of injection is ~extremely low~ nil.
wait implode o.0 are we taking a bunch of stuff to make a string query?
or was that just for testing
You're right Dylan, I definitely need to do some reading up on it. I'm fine to confess SQL isn't one of my strengths due to lack of time spent with it.
Very true, no updating or deletion, just getting data from it. I've never met Damian, but from the modules of his I've seen, he seems to be a human wizard. If he's saying there's a high risk of injection, I've taken that at face value and am trying to adjust my PR to ensure he's happy with it. I'll check with him about altering part of the query to be parameterised, while table names are to be variable substituted.
Not just for testing, Jack. I chose to join the query via implode rather than using dots to concat a string. Do you think that's a bad idea?
why not just use arrays
you can still concat the field to the table
I'm admitting to you too Tom that parameterised queries are a part of SQL I've not touched enough to be able to give you solid advice :) Damian is a sourcerer, yup.
The important part to parameterise is the variable part of the query - the user input :)