On Aug 21, 2007, at 7:50 PM, Rob Church wrote: hmm... so that makes it even more mysterious. sigh. When the slashes go nuts, they're definitely in the database. I assume that you weren't saying that mysql_real_escape_string is superfluous. Or is it? I have a feeling that I'm not using the abstraction provided by the MW database functions properly. For example, the method in my row class to save back to the database is function db_save_row(){ global $wgTableEditDatabase; # $this->row_id set when data previously pulled from database # for a row only set in temp space, should be undef $dbr =& wfGetDB( DB_SLAVE ); if ($this->row_data == '') return; # don't save rows with no data or || delimiters $this->row_data = mysql_real_escape_string($this->row_data); if (!$this->row_id){ $sql = "INSERT INTO $wgTableEditDatabase.row VALUES( null, '$this->box_id', '$this->owner_uid', '$this->row_data', '$this->row_style', '$this->row_sort_order', '".time()."' )"; $result = $dbr->query($sql); $this->row_id = $dbr->insertId(); }elseif($this->is_current === true){ # it's in the DB and it's current, update it. $sql = "UPDATE $wgTableEditDatabase.row SET owner_uid='$this->owner_uid', row_data='$this->row_data', row_style = '$this->row_style', row_sort_order = '$this->row_sort_order', timestamp = '".time()."' WHERE row_id = '$this->row_id'"; $result = $dbr->query($sql); }else{ #it's in the DB but it's not current. Delete it from the DB $sql = "DELETE FROM $wgTableEditDatabase.row WHERE row_id = '$this- $result = $dbr->query($sql); } return; } I'm thinking that I should probably be using $dbr->insert (..arrays..), $dbr->update(.. arrays..), and $dbr->delete(... arrays...). Should I be using $dbr->safeQuery instead of mysql_real_escape_string? I did tell you my code was hacky!! Jim ===================================== Jim Hu Associate Professor Dept. of Biochemistry and Biophysics 2128 TAMU Texas A&M Univ. College Station, TX 77843-2128 979-862-4054

On Aug 22, 2007, at 10:15 AM, Brion Vibber wrote: Sorry!! Wow, now I really feel guilty. It used to be worse... I was doing mysql queries directly from php when I started <ducking> Well, I need to do some major refactoring of the TableEdit extension soon (need to be able to handle rollback, for example), so that's a good opportunity. I also just realized recently that I should be using the XML methods for forms. Now that my project has minions, I have to make sure I don't teach them my bad habits. So the wrappers take care of cleaning up things like quotes and returns in the round trip? Oh man, I really should have studied the Database.php code more. As I learn this stuff, I'll try to update the guide for extension authors on mediawiki.org (if someone else who really knows what they're doing doesn't beat me to it). I realize that you guys didn't start this as a system for self- teaching OO PHP, but that's what it's been for me. Thanks for the patience and the feedback. Jim ===================================== Jim Hu Associate Professor Dept. of Biochemistry and Biophysics 2128 TAMU Texas A&M Univ. College Station, TX 77843-2128 979-862-4054