[development] db_query and serialized arrays
william.darren at gmail.com
Tue Sep 4 13:05:55 UTC 2007
Completey agree, and in fact, I consider myself already bitten by it because
of the time spent debugging why my arrays wouldn't unserialize. The query
in question has been reworked so that it uses placeholders throughout.
On 9/4/07, Karoly Negyesi <karoly at negyesi.net> wrote:
> > I should've looked deeper into the code .. it's a very complex query
> is dynamically generated, and it looks as though the constructed values
> string is plugged in directly rather than using %s substitution. That
> explains it, I guess.
> This is an extremely bad practice and you will be biten by it. Though core
> does similar at a few places wherever I have encountered such, I added a
> comment why it's safe -- usually because it's an integer retrieved from the
> database. Complex stuff should never go without a placeholder.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the development