On Thu, May 8, 2008 at 12:54 PM, Brion Vibber brion@wikimedia.org wrote:
> Long ago, I tossed around the idea of using a 'RawSql' or similar data type to tell the query-building functions that yes, we were sure, we really want to pass some raw SQL here -- we know what we're doing, so please don't escape it for us.
> This might look like:
> $db->select( 'page', array( 'page_namespace', 'page_title' ), array( 'page_id' => new RawSql( 'RAND()*1000' ) ) );
> or whatever.
Hmm, yes. I wish there were a slightly nicer way to write it. Maybe
array( 'page_id' => sql('RAND()*1000') )
or
array( 'page_id' => raw('RAND()*1000') ).
raw() could be used generically to indicate that the input should not be escaped in any fashion. Of course, it would take work for it to actually be used by all our magical escaping stuff.
What I really wish is that we could do this kind of type marking transparently, with different types for clean HTML, clean SQL, wikitext, etc., plus a type for unsafe input, and then appropriate concatenation methods that escape everything as necessary. That would be possible in a language supporting operator overloading, but not PHP, where there's no effective way to extend strings. (And anyway everything is a function, not a method, so stuff like str_replace() would just break hopelessly.)
Alternatively, we could always say that an array input means implode the array, whereas string input is always literal. That would work. But it would be somewhat confusing.
On Thu, May 8, 2008 at 12:54 PM, DanTMan dan_the_man@telus.net wrote:
> Soo...
> /^\s*(\S+|`[^`]+`)(\s*.\s*(\S+|`[^`]+`))?\s*$/iS
> I do want to use an S flag since it's going to be used very often...
This is moot, but:
1) /i is unnecessary since you have no letters in the pattern.
2) Whether /S is useful is a matter for benchmarking, and the distinction should be completely trivial when the string you're analyzing is like 20 characters long.
3) I realized that you're wrong, you can't just rely on \S. Input "table1,table2" should not be backtick-quoted, it should be left alone. You need to use something like [a-z0-9_], as I said (maybe some more characters than that are valid).
But who cares. :)
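The RawSql marker idea and the identifier check from the thread, as an added example that is not part of the original messages or of MediaWiki's own code: values are escaped by default and only an explicitly wrapped RawSql is passed through verbatim. RawSql, buildWhere, quoteValue and quoteTable are hypothetical names, and quoteValue is a constructed stand-in for a driver-provided escaper.

```php
<?php
// Added example, not from the thread or MediaWiki. The unsafe path is opt-in:
// a caller must wrap the fragment in RawSql, which makes raw SQL greppable.

final class RawSql {
    public function __construct(public readonly string $sql) {}
}

// Escape a plain value as a SQL literal. Constructed stand-in for a real
// driver escaper (e.g. the connection's own quoting function).
function quoteValue($v): string {
    if (is_int($v) || is_float($v)) {
        return (string)$v;
    }
    // Order matters: escape backslashes first, then single quotes.
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], (string)$v) . "'";
}

// Build a WHERE clause from a field => value array. Arrays become IN (...),
// RawSql is emitted verbatim, everything else is quoted.
function buildWhere(array $conds): string {
    $parts = [];
    foreach ($conds as $field => $value) {
        if ($value instanceof RawSql) {
            $parts[] = "$field = {$value->sql}";           // explicit raw SQL
        } elseif (is_array($value)) {
            $parts[] = "$field IN (" . implode(',', array_map('quoteValue', $value)) . ")";
        } else {
            $parts[] = "$field = " . quoteValue($value);   // default: escaped
        }
    }
    return implode(' AND ', $parts);
}

// Backtick-quote a single plain identifier; leave anything else alone, so
// "table1,table2" or an already-quoted name passes through unchanged. This is
// the [a-z0-9_] check rather than \S, as discussed above.
function quoteTable(string $name): string {
    return preg_match('/^[a-z0-9_]+$/i', $name) ? "`$name`" : $name;
}

echo buildWhere(['page_id' => new RawSql('RAND()*1000')]), "\n";
echo buildWhere(['page_title' => "O'Brien", 'page_namespace' => [0, 1]]), "\n";
echo quoteTable('page'), ' ', quoteTable('table1,table2'), ' ', quoteTable('`page`'), "\n";
```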