On 27 Sep 2006, at 9:35 AM, Dries Buytaert wrote:
Any particular reason not to use %d and %s? I'd favor the use of %d and %s (instead of %) for two reasons:
1. Security. It allows us to cast URL parameters to their proper type. This helps to prevent XSS/SQL injection attacks.
2. Consistency. People familiar with the database API can easily guess what they do. It DRAMATICALLY increases the number of possible matches.
Secondly, I don't feel that chx actually explained this correctly, but we store the generated menu items into a normalised database table. So we can get the callback through a single 'select * from {menu_tree} where path in (/* generated list of possible options */) order by likelihood, slashes, wildcards'; so you get one single SQL query that can get the result, instead of unserialising the massive tree.
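The lookup described above, as an added example that is not Drupal code (written in Python with SQLite rather than Drupal's PHP): the candidate patterns are generated from the request path, one parameterised `IN (...)` query picks the best-ranked match, and a `%d` argument reaches the handler only after being cast to an integer, so a non-numeric segment can never match a `%d` route. The table, column names and ranking scheme are constructed assumptions.

```python
import re
import sqlite3
from itertools import product
# Constructed router table (not Drupal's real schema): %d = integer argument, %s = string.
ROUTES = [("node", "node_list"), ("node/%d", "node_view"), ("node/%d/edit", "node_edit"),
          ("node/%s", "node_lookup"), ("user/%d", "user_view")]

def fitness(pattern):
    # Per segment a literal outranks %d, and the typed %d outranks the untyped %s,
    # so ORDER BY fit DESC returns the most specific matching pattern first.
    score = 0
    for seg in pattern.split("/"):
        score = score * 4 + {"%s": 1, "%d": 2}.get(seg, 3)
    return score

def build_router():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu_router (path TEXT PRIMARY KEY, callback TEXT, fit INTEGER)")
    conn.executemany("INSERT INTO menu_router VALUES (?, ?, ?)",
                     [(p, cb, fitness(p)) for p, cb in ROUTES])
    return conn

def candidates(path):
    # Every pattern the request could match: each segment as %s, as %d only
    # when it is all ASCII digits, or literal (a raw placeholder in the URL never is).
    options = []
    for seg in path.strip("/").split("/"):
        alts = ["%s"] + (["%d"] if re.fullmatch(r"[0-9]+", seg) else [])
        if seg not in ("%d", "%s"):
            alts.append(seg)
        options.append(alts)
    return ["/".join(c) for c in product(*options)]

def route(conn, path):
    # One parameterised query resolves the request; returns (callback, typed args) or None.
    cands = candidates(path)
    marks = ",".join("?" * len(cands))
    row = conn.execute(f"SELECT path, callback FROM menu_router WHERE path IN ({marks}) "
                       "ORDER BY fit DESC LIMIT 1", cands).fetchone()
    if row is None:
        return None
    pattern, callback = row
    args = []
    for pat_seg, seg in zip(pattern.split("/"), path.strip("/").split("/")):
        if pat_seg == "%d":
            args.append(int(seg))   # the handler gets an int, never raw URL text
        elif pat_seg == "%s":
            args.append(seg)
    return callback, args
```

With the constructed table, `node/12` resolves to `node_view` with the integer 12 (the typed `node/%d` outranks `node/%s`), while `user/abc` matches nothing because `%d` is only offered for all-digit segments.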