On 27 Sep 2006, at 9:35 AM, Dries Buytaert wrote:

> Any particular reason not to use %d and %s?  I'd favor the use of %d and %s (instead of %) for two reasons:
>
>   1. Security.  It allows us to cast URL parameters to their proper type.  This helps to prevent XSS/SQL injection attacks.
>
>   2. Consistency.  People familiar with the database API can easily guess what they do.

It DRAMATICALLY increases the number of possible matches.


Secondly, I don't feel that chx actually explained this correctly, but we store the generated menu items in a normalised database table.

So we can get the callback through a single 'select * from {menu_tree} where path in (/* generated list of possible options */) order by likelihood, slashes, wildcards';

So you get one single SQL query that can get the result, instead of unserialising the massive tree.
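The lookup described in the reply above, as an added example that is not part of the original thread and not Drupal's own code. It uses Python with an in-memory SQLite table standing in for Drupal's database layer. The table name and columns, the `fit` score used in place of the thread's "likelihood", the sample router rows and the request paths are all assumptions of this example. It also shows why the reply calls the candidate count dramatic: every segment can be literal or a wildcard, so an n-segment request expands to on the order of (k+1)^n candidate patterns for k wildcard kinds, and the typed `%d`/`%s` proposal from the quoted message raises k.

```python
"""Path-to-callback lookup over a normalised router table (added example).

Expand a request path into every pattern that could match it (or one of its
prefixes), then resolve the callback with ONE
    SELECT ... WHERE path IN (...) ORDER BY ...
instead of unserialising a whole menu tree. Table layout, `fit` score and
sample rows are assumptions of this example, not Drupal's schema.
"""
import itertools
import sqlite3

# Constructed sample router rows (pattern -> callback); not real Drupal data.
ROUTER_ROWS = [
    ("node",        "node_page_default"),
    ("node/add",    "node_add_page"),
    ("node/%",      "node_page_view"),
    ("node/%/edit", "node_page_edit"),
    ("node/%/%",    "node_subpage"),
    ("user/%",      "user_view"),
]

PLAIN = ("%",)          # the untyped wildcard discussed in the reply
TYPED = ("%d", "%s")    # the typed wildcards proposed in the quoted message


def _segment_options(seg, wildcards):
    """Literal segment plus each wildcard it may stand in for.

    '%d' is only offered for all-digit segments, so the type check happens
    before the query and a non-numeric segment can never match a '%d' slot.
    """
    return [seg] + [w for w in wildcards if w != "%d" or seg.isdigit()]


def candidate_paths(request_path, wildcards=PLAIN):
    """Every pattern that could match `request_path` or one of its prefixes.

    With k wildcard kinds an n-segment path yields up to sum_{i=1..n} (k+1)**i
    candidates: 14 for node/12/edit with '%', 20 with '%d'/'%s' (the '%d'
    gating trims the non-numeric segments).
    """
    segments = request_path.strip("/").split("/")
    out = []
    for depth in range(1, len(segments) + 1):
        options = [_segment_options(s, wildcards) for s in segments[:depth]]
        out.extend("/".join(combo) for combo in itertools.product(*options))
    return out


def build_router(conn, rows, wildcards=PLAIN):
    """Load router rows into a normalised table with precomputed sort keys."""
    conn.execute(
        "CREATE TABLE menu_tree (path TEXT PRIMARY KEY, callback TEXT, "
        "fit INTEGER, slashes INTEGER, wildcards INTEGER)"
    )
    for path, callback in rows:
        segs = path.split("/")
        # `fit` stands in for the thread's 'likelihood': one bit per segment,
        # 1 for a literal and 0 for a wildcard, leftmost segment most
        # significant, so a longer and more literal pattern sorts first.
        fit = 0
        for seg in segs:
            fit = (fit << 1) | (0 if seg in wildcards else 1)
        n_wild = sum(seg in wildcards for seg in segs)
        conn.execute("INSERT INTO menu_tree VALUES (?, ?, ?, ?, ?)",
                     (path, callback, fit, len(segs), n_wild))
    conn.commit()


def lookup(conn, request_path, wildcards=PLAIN):
    """Resolve `request_path` with a single query; returns (pattern, callback, args) or None.

    The candidate list is bound through placeholders, never spliced into the
    SQL text, so a hostile request path cannot alter the query's structure.
    """
    candidates = candidate_paths(request_path, wildcards)
    placeholders = ",".join("?" * len(candidates))
    row = conn.execute(
        f"SELECT path, callback FROM menu_tree WHERE path IN ({placeholders}) "
        "ORDER BY fit DESC, slashes DESC, wildcards ASC LIMIT 1",
        candidates,
    ).fetchone()
    if row is None:
        return None
    pattern, callback = row
    args = []
    for pat_seg, req_seg in zip(pattern.split("/"), request_path.strip("/").split("/")):
        if pat_seg == "%d":
            args.append(int(req_seg))   # safe: '%d' was only offered for digit segments
        elif pat_seg in wildcards:
            args.append(req_seg)
    return pattern, callback, args


def resolve(rows, request_path, wildcards=PLAIN):
    """Build an in-memory router from `rows` and look up one path."""
    conn = sqlite3.connect(":memory:")
    try:
        build_router(conn, rows, wildcards)
        return lookup(conn, request_path, wildcards)
    finally:
        conn.close()


if __name__ == "__main__":
    for p in ("node/12/edit", "node/add", "node/12/revisions/3", "user/7/edit", "foo/bar"):
        print(p, "->", resolve(ROUTER_ROWS, p))
```

The `ORDER BY` is what makes a single query sufficient: among all rows that appear in the candidate list, the most specific pattern wins without any tree walk, and the wildcard arguments fall out of a `zip` of the winning pattern against the request segments.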