[TYPO3-mvc] Transition Guide for Persistence Rewrite

Jochen Rau jochen.rau at typoplanet.de
Tue Aug 4 10:49:49 CEST 2009


Hi Bastian.

>> I'd like to change this to
>>
>> $query->statement('SELECT * FROM tx_blogexample_domain_model_blog
>> WHERE SUBSTRING(title,1,1) LIKE BINARY '?' AND description LIKE '%?%'
>> ORDER BY title ASC', array('B', 'blog'));
>>
>> to enable prepared statements in the Storage Backend.
>
> +1 for prepared statements!
> But usually the placeholders are quoted in prepared statements and I
> prefer that way as it takes away the responsibility of proper quoting
> (and escaping!) from the user. The statement would then be:
>
> $query->statement('SELECT * FROM tx_blogexample_domain_model_blog WHERE
> SUBSTRING(title,1,1) LIKE BINARY ? AND description LIKE ? ORDER BY title
> ASC', array('B', '%blog%'));
>
> see http://de.wikipedia.org/wiki/Prepared_Statement and
> http://de.php.net/manual/de/pdo.prepared-statements.php
>
> What do you think?

Yes, of course. That's how it should be. It was too late ;-)

Regards
Jochen

BTW, the GET/POST parameters are already escaped in index_ts.php. That 
secures the parameters but may have side effects when using data sources 
other than (My)SQL based ones. I encountered this while I tried to quote 
and escape the parameters in the Storage Backend.


-- 
Every nit picked is a bug fixed
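The unquoted-placeholder form Bastian proposes, as an added example that is not part of this thread or of the Extbase storage backend: plain PDO against an in-memory SQLite database (assumed available), with MySQL's LIKE BINARY replaced by a case-sensitive substr() comparison since SQLite has no equivalent.

```php
<?php
// Added example, not code from this thread or from Extbase: the bare "?"
// placeholder form discussed above, run through plain PDO. An in-memory SQLite
// database stands in for MySQL so the script runs offline; MySQL's LIKE BINARY
// has no SQLite equivalent, so substr(title, 1, 1) = ? (case-sensitive in
// SQLite) is used for the initial-letter check instead.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows, using the blog example table name from the thread.
$pdo->exec('CREATE TABLE tx_blogexample_domain_model_blog (title TEXT, description TEXT)');
$insert = $pdo->prepare('INSERT INTO tx_blogexample_domain_model_blog VALUES (?, ?)');
foreach ([
    ['Bastian blog', 'a blog about Extbase'],
    ['Book notes',   "O'Reilly's blog about PHP"],
    ['Brewing',      'nothing to see here'],
    ['Another blog', 'also a blog, but the title starts with A'],
] as $row) {
    $insert->execute($row);
}

/**
 * Blogs whose title starts with $initial and whose description contains $needle.
 * The SQL carries bare ? placeholders; the LIKE wildcards belong to the bound
 * value ('%blog%'), because a '%?%' written into the SQL text is a string
 * literal and not a placeholder at all.
 */
function findBlogs(PDO $pdo, string $initial, string $needle): array
{
    $stmt = $pdo->prepare(
        'SELECT title FROM tx_blogexample_domain_model_blog'
        . ' WHERE substr(title, 1, 1) = ? AND description LIKE ? ORDER BY title ASC'
    );
    // Values travel separately from the SQL text: the caller neither quotes
    // nor escapes them, which is the responsibility the thread wants removed.
    $stmt->execute([$initial, '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(findBlogs($pdo, 'B', 'blog'));
// The apostrophes in this needle need no escaping: they are data, not SQL.
print_r(findBlogs($pdo, 'B', "O'Reilly's"));
```

With the MySQL driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the server rather than the client do the binding.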