On Tue, 2011-03-29 at 19:20 +0200, Olaf van der Spek wrote:
> On Tue, Mar 29, 2011 at 7:15 PM, Andrew Hutchings
> <[email protected]> wrote:
> >> With by design I mean that the 'Hello Drizzle' example should use the
> >> safe API. The safe case should be simpler than the unsafe case,
> >> instead of the other way around, like it's now.
> >>
> >> Something like this: drizzle_query("select name from users where
> >> user_id = ?", $_GET['user_id']);
> >
> > That is similar to the prepared statement API in PHP's mysqli which is
> > probably what we should aim to emulate. We could then do true prepared
> > statements for a PDO module. Hopefully we will be able to implement
> > something like this in Drizzle8 since libdrizzle is going through some
> > large changes right now.
> >
> > If anyone wants to take this on feel free, I'm not going to be able to
> > do much coding until after the MySQL Users Conference.
>
> The syntax is similar, but there's no reason to use (or wait on)
> prepared statements to solve this safety issue.
I would probably rather have this as a separate PHP function personally, since drizzle_query is already established and I think intended to be similar to the MySQL functionality for minimal changes during conversion.

I'm personally not sure in the 3 seconds of thought I have given it how to implement it correctly without the client side knowing the data type. But feel free to work on this.

Kind Regards

--
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
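One way to build the placeholder-style call Olaf sketches above, added here as an illustration and not code from the drizzle PHP extension: a hypothetical `drizzle_query_safe()` that quotes each parameter client-side from its PHP type, so the caller never has to know the column's SQL type (the concern raised in the reply). The function names, the ASCII-only escaping table and the sample input are all assumptions.

```php
<?php
// Hypothetical helper (not part of the drizzle PHP extension).
// Quotes one value for use inside a SQL statement, deciding from the
// PHP type alone: NULL, booleans and numbers need no quoting, strings do.
function drizzle_quote_value($value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    // Escape the characters a MySQL-style quoted literal treats specially.
    // Assumption: ASCII input; a real binding would use the library's
    // charset-aware escape routine instead of this fixed table.
    $escaped = strtr((string) $value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
    return "'" . $escaped . "'";
}

// Hypothetical safe-by-default query builder: every '?' in the template is
// replaced by the quoted parameter; the template itself is programmer
// constant text, never user input, so counting '?' in it is acceptable.
function drizzle_query_safe(string $template, array $params): string
{
    $expected = substr_count($template, '?');
    if ($expected !== count($params)) {
        throw new InvalidArgumentException(
            "expected $expected parameters, got " . count($params));
    }
    $i = 0;
    return preg_replace_callback('/\?/', function () use ($params, &$i) {
        return drizzle_quote_value($params[$i++]);
    }, $template);
}

// Constructed sample inputs standing in for $_GET['user_id'] and a name.
echo drizzle_query_safe("select name from users where user_id = ?", [42]), "\n";
echo drizzle_query_safe("select id from users where name = ?", ["O'Brien"]), "\n";
```

The apostrophe in the second call is escaped rather than ending the literal, which is the whole point of routing every parameter through the quoting step instead of concatenating it into the statement.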

