^_^ That's basically the same idea as the \x07 suggestion of basically some sort of character to signal "I handled this... Don't touch it, or else..." cept an object would handle it nicer... I like it...
Actually, it would be nice to subclass the RawSQL to create abstraction for the few other <, >, not that we can't otherwise do. To still quote things nicely.
And then we can politely say 'tableName' ONLY handles table names, nothing else... It's not supposed to, and it won't... And when someone says "tableName broke my SQL"... You're not supposed to do that... Fix your code... SQL Error == Bad code... Need fixing...
~Daniel Friesen(Dantman) of: -The Gaiapedia (http://gaia.wikia.com) -Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) -and Wiki-Tools.com (http://wiki-tools.com)
Brion Vibber wrote:
DanTMan wrote:
Simetrical wrote:
There's no reason to complicate the regex with explicit maximum lengths. If additional characters are allowed in unquoted table names, add those to the [a-z0-9_] class. This should avoid all valid joins and similar. (It still fails on comments, though! :P )
"/^\s*(\S+|`[^`]+`)(.\S+|.`[^`]+`)?\s*$/i"
Oh god, make the madness stop! :)
Parsing here sucks for several reasons:
- actual syntax differs between different DB backends
- big ugly regexes are hard to read
- it feels like "magic" trying to treat different strings differently based on content, which is always icky
Generally we try to make natural use of different *data types* for different kinds of input here.
Since we're talking about a case where we want to make an *exception* from the standard behavior -- string table names being for internal processing, leading to prefixing and quoting -- we should explicitly mark it as such.
Long ago, I tossed around the idea of using a 'RawSql' or similar data type to tell the query-building functions that yes, we were sure, we really want to pass some raw SQL here -- we know what we're doing, so please don't escape it for us.
This might look like:
$db->select( 'page', array( 'page_namespace', 'page_title' ), array( 'page_id' => new RawSql( 'RAND()*1000' ) ) );
or whatever.
For the case of wild & crazy custom joins, it might be:
$db->select( new RawSql("$page LEFT JOIN $barfo ON page_id=barfo_page"), array( 'barfo_key', 'page_namespace', 'page_title' ),
or whatever.
Now, I don't know if this is the best system ever, but I like that it's explicit about the use of unprocessed (and thus potentially unsafe) data, which'll make it easier to spot potential trouble spots when maintaining the code later.
-- brion vibber (brion @ wikimedia.org)
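Brion's RawSql marker, worked through as a small added example. This is not MediaWiki's Database class or anything from the thread; the TinyDb class, its method names (tableName, addQuotes, select) and the 'mw_' prefix are assumptions made here to show the one idea: strings are escaped and prefixed by default, and only an explicit RawSql object opts out.

```php
<?php
// Added example, not MediaWiki's code. Class and method names (RawSql,
// TinyDb, tableName, addQuotes, select) and the 'mw_' prefix are assumptions.

/** Marker type: "this is SQL I vetted myself; do not quote or prefix it." */
final class RawSql {
    private string $sql;
    public function __construct(string $sql) { $this->sql = $sql; }
    public function __toString(): string { return $this->sql; }
}

final class TinyDb {
    private string $prefix;
    public function __construct(string $prefix) { $this->prefix = $prefix; }

    /** Table names are internal identifiers: validated, prefixed, backtick-quoted. */
    public function tableName(string $name): string {
        if (!preg_match('/^[a-z0-9_]+$/i', $name)) {
            // Joins, subqueries and comments are rejected here, not parsed.
            throw new InvalidArgumentException("tableName() only handles bare table names, got: $name");
        }
        return '`' . $this->prefix . $name . '`';
    }

    /** Values are quoted unless the caller explicitly handed over a RawSql. */
    public function addQuotes($value): string {
        if ($value instanceof RawSql) {
            return (string)$value;
        }
        if ($value === null) {
            return 'NULL';
        }
        if (is_int($value) || is_float($value)) {
            return (string)$value;
        }
        // Minimal escaping for the demo; a real backend uses its driver's escaper.
        return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], (string)$value) . "'";
    }

    /** Builds SELECT text; $table is a bare name or a RawSql FROM clause. */
    public function select($table, array $fields, array $conds = []): string {
        $from = $table instanceof RawSql ? (string)$table : $this->tableName($table);
        $sql = 'SELECT ' . implode(', ', $fields) . ' FROM ' . $from;
        $where = [];
        foreach ($conds as $column => $value) {
            $where[] = $column . ' = ' . $this->addQuotes($value);
        }
        if ($where) {
            $sql .= ' WHERE ' . implode(' AND ', $where);
        }
        return $sql;
    }
}

$db = new TinyDb('mw_');

// 1. Default path: the value is quoted, so a quote inside a title stays data.
echo $db->select('page', ['page_namespace', 'page_title'],
    ['page_title' => "O'Brien"]), "\n";
// SELECT page_namespace, page_title FROM `mw_page` WHERE page_title = 'O\'Brien'

// 2. Explicit exception: RawSql passes through untouched, and the wrapper
//    is what a maintainer greps for when auditing the code later.
echo $db->select('page', ['page_namespace', 'page_title'],
    ['page_id' => new RawSql('RAND()*1000')]), "\n";
// SELECT page_namespace, page_title FROM `mw_page` WHERE page_id = RAND()*1000

// 3. Custom join: each table name still goes through tableName() for
//    prefixing, and only the assembled FROM clause is marked raw.
$page = $db->tableName('page');
$barfo = $db->tableName('barfo');
echo $db->select(new RawSql("$page LEFT JOIN $barfo ON page_id = barfo_page"),
    ['barfo_key', 'page_namespace', 'page_title']), "\n";
// SELECT barfo_key, page_namespace, page_title FROM `mw_page` LEFT JOIN `mw_barfo` ON page_id = barfo_page

// 4. A join passed as a plain string is an error, not a silently mangled
//    query: the "SQL error == bad code, needs fixing" contract from the thread.
try {
    $db->select('page LEFT JOIN barfo ON page_id = barfo_page', ['barfo_key']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the type check rather than a regex is that the decision is made by the caller, not inferred from string content: a plain string can only ever be a table name or a value, and the raw path exists only where someone wrote `new RawSql(...)`, which is exactly the line a later reviewer wants to find.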
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l