nightjarnz

Well, maybe not inline them directly, but continue using the variable to build the param'd query.

nightjarnz

It isn't adapting to user input, nor even function input. Chance of injection is ~extremely low~ nil.

phyzical

wait implode o.0 are we taking a bunch of stuff to make a string query?

taoceanz

You're right Dylan, I definitely need to do some reading up on it. I'm fine to confess SQL isn't one of my strengths due to lack of time spent with it.

Very true, no updating or deletion, just getting data from it. I've never met Damian, but from the modules of his I've seen, he seems to be a human wizard. If he's saying there's a high risk of injection, I've taken that at face value and am trying to adjust my PR to ensure he's happy with it. I'll check with him about altering part of the query to be parameterised, while table names are variable-substituted.

Not just for testing, Jack. I chose to join the query via implode rather than using dots to concat a string. Do you think that's a bad idea?

phyzical

you can still concat the field to the table

nightjarnz

I'm admitting to you too Tom that parameterised queries are a part of SQL I've not touched enough to be able to give you solid advice :) Damian is a sorcerer, yup.

nightjarnz

The important part to parameterise is the variable part of the query - the user input :)