View more context



You're right Dylan, I definitely need to do some reading up on it. I'm fine to confess SQL isn't one of my strengths due to lack of time spent with it.

Very true, no updating or deletion, just getting data from it. I've never met Damian, but from the modules of his I've seen, he seems to be a human wizard. If he's saying there's a high risk of injection, I've taken that at face value and am trying to adjust my PR to ensure he's happy with it. I'll check with him about altering part of the query to be paramaterised, while table names to be variable substituted.

Not just for testing, Jack. I chose to join the query via implode rather than to using dots to concat a string. Do you think that's a bad idea?


you can still concact the field to teh table


I'm admitting to you too Tom that paramaterised queries are a part of SQL I've not touched enough to be able to give you solid advice :) Damian is a sourcerer, yup.


The important part to parameterise is the variable part of the query - the user input :)


the other option @taoceanz is to use SQLQuery which may be better. It uses parameterised queries internally iirc, and will do most of the heavy lifting for you :)


Not sure how well it works with MATCH though :< These are parts of the ORM I've seldom had to dive into.