The article alludes to a security issue. Anyone know what it is? I get the stability concerns, which is why I coded in an extra layer at my end. The SQL statements get rewritten into a numeric variable bind syntax before passing to the db layer in my implementation for just this reason. A band of versions that include PHP 5.2.2 might be fatal to that idea :). If this makes it in, it sounds like it should be part of an XML-specific db wrapper, but it sure doesn't sound like it makes sense to focus my energies there.

Dave

On Feb 10, 2009, at 12:23 PM, andrew morton wrote:
On Mon, Feb 9, 2009 at 2:00 PM, Larry Garfield <larry@garfieldtech.com> wrote:
That's a different question, I think. DBTNG uses arrays and named placeholders. It sounds like David is talking about XPath based queries, which are another animal entirely and not DB portable. David, can you elaborate here?
DBTNG does not allow the reuse of placeholders within the same query, because PDO doesn't either.
--Larry Garfield
Well technically only certain versions of the PDO don't allow it: http://paul-m-jones.com/?p=243
I can't find the php.net issue for this, but I seem to remember that the change was eventually reverted, leaving a band of versions that don't allow it.
andrew
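
One way a rewrite from named placeholders to numeric bind syntax, as mentioned in this thread, can cope with a placeholder that is reused in the same query. This is an added example, not code from the thread, DBTNG or PDO; the function name, query, table and column names are hypothetical, and it assumes standard SQL quote doubling and no SQL comments in the statement.

```php
<?php
// Added example. rewrite_named_to_positional() is a hypothetical helper,
// not part of PDO or DBTNG.
function rewrite_named_to_positional(string $sql, array $params): array
{
    $ordered = [];
    $used = [];
    // Alternatives are tried left to right, so quoted literals and "::"
    // casts are consumed whole and never mistaken for placeholders.
    $pattern = '/\'(?:[^\']|\'\')*\'|"(?:[^"]|"")*"|::|:([A-Za-z_][A-Za-z0-9_]*)/';
    $rewritten = preg_replace_callback(
        $pattern,
        function (array $m) use ($params, &$ordered, &$used): string {
            if (!isset($m[1])) {
                return $m[0]; // literal or cast: pass through untouched
            }
            if (!array_key_exists($m[1], $params)) {
                throw new InvalidArgumentException("No value for :{$m[1]}");
            }
            // One "?" and one bound value per occurrence, so reuse is safe
            // even where the driver rejects a repeated named placeholder.
            $ordered[] = $params[$m[1]];
            $used[$m[1]] = true;
            return '?';
        },
        $sql
    );
    // A value nobody referenced usually means a typo in the query or the array.
    $extra = array_diff_key($params, $used);
    if ($extra) {
        throw new InvalidArgumentException(
            'Unused parameters: ' . implode(', ', array_keys($extra))
        );
    }
    return [$rewritten, $ordered];
}

// Constructed query and values; ':uid' inside the string literal must survive.
[$sql, $args] = rewrite_named_to_positional(
    "SELECT nid FROM node WHERE uid = :uid OR revision_uid = :uid AND title <> ':uid'",
    ['uid' => 7]
);
echo $sql, PHP_EOL;
// With a PDO handle $pdo (assumed to exist), the values stay bound and are
// never interpolated into the SQL text:
// $stmt = $pdo->prepare($sql); $stmt->execute($args);
```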