On Thu, May 8, 2008 at 12:54 PM, Brion Vibber <brion(a)wikimedia.org> wrote:
> Long ago, I tossed around the idea of using a 'RawSql' or similar data
> type to tell the query-building functions that yes, we were sure, we
> really want to pass some raw SQL here -- we know what we're doing, so
> please don't escape it for us.
>
> This might look like:
>
> $db->select( 'page',
>     array( 'page_namespace', 'page_title' ),
>     array( 'page_id' => new RawSql( 'RAND()*1000' ) ) );
>
> or whatever.
Hmm, yes. I wish there were a slightly nicer way to write it. Maybe

array( 'page_id' => sql('RAND()*1000') )

or

array( 'page_id' => raw('RAND()*1000') ).

raw() could be used generically to indicate that the input should not
be escaped in any fashion. Of course, it would take work for it to
actually be used by all our magical escaping stuff.

What I really wish is that we could do this kind of type marking
transparently, with different types for clean HTML, clean SQL,
wikitext, etc., plus a type for unsafe input, and then appropriate
concatenation methods that escape everything as necessary. That would
be possible in a language supporting operator overloading, but not
PHP, where there's no effective way to extend strings. (And anyway
everything is a function, not a method, so stuff like str_replace()
would just break hopelessly.)

Alternatively, we could always say that an array input means implode
the array, whereas string input is always literal. That would work.
But it would be somewhat confusing.
On Thu, May 8, 2008 at 12:54 PM, DanTMan <dan_the_man(a)telus.net> wrote:
> Soo...
>
> /^\s*(\S+|`[^`]+`)(\s*\.\s*(\S+|`[^`]+`))?\s*$/iS
>
> I do want to use an S flag since it's going to be used very often...
This is moot, but:
1) /i is unnecessary since you have no letters in the pattern.
2) Whether /S is useful is a matter for benchmarking, and the
distinction should be completely trivial when the string you're
analyzing is like 20 characters long.
3) I realized that you're wrong, you can't just rely on \S. Input
"table1,table2" should not be backtick-quoted, it should be left
alone. You need to use something like [a-z0-9_], as I said (maybe
some more characters than that are valid).
But who cares. :)
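As an added illustration of the two ideas discussed in this message (a RawSql marker that is the only way to get unescaped SQL through the query builder, and identifier quoting that backticks only simple names or db.table pairs and leaves input like "table1,table2" alone), here is a small stand-alone PHP sketch. It is not MediaWiki code; the class and function names (RawSql, quoteValue, quoteIdentifier, makeWhere) are assumptions chosen for this example.

```php
<?php
// Added example, not MediaWiki's own code. Marker type: a value wrapped in
// RawSql is emitted verbatim; everything else is escaped as a literal.
final class RawSql {
    private $sql;
    public function __construct( $sql ) { $this->sql = (string)$sql; }
    public function toSql() { return $this->sql; }
}

// Quote a literal value: strings get single quotes with backslashes and
// embedded quotes doubled (ANSI style); numbers pass through; null -> NULL.
function quoteValue( $value ) {
    if ( $value === null ) { return 'NULL'; }
    if ( is_int( $value ) || is_float( $value ) ) { return (string)$value; }
    if ( is_bool( $value ) ) { return $value ? '1' : '0'; }
    // Replace backslashes first so the doubled quotes are not re-escaped.
    return "'" . str_replace( [ '\\', "'" ], [ '\\\\', "''" ], (string)$value ) . "'";
}

// Backtick-quote only a simple identifier or a db.table pair, as the
// message suggests; "table1,table2" or an expression is returned unchanged.
function quoteIdentifier( $name ) {
    if ( preg_match( '/^([A-Za-z0-9_]+)(?:\.([A-Za-z0-9_]+))?$/', $name, $m ) ) {
        return isset( $m[2] ) ? "`{$m[1]}`.`{$m[2]}`" : "`{$m[1]}`";
    }
    return $name;
}

// Build "col = value AND ..." from an associative array of conditions.
// Only an explicit RawSql right-hand side bypasses quoteValue().
function makeWhere( array $conds ) {
    $parts = [];
    foreach ( $conds as $col => $value ) {
        $rhs = ( $value instanceof RawSql ) ? $value->toSql() : quoteValue( $value );
        $parts[] = quoteIdentifier( $col ) . ' = ' . $rhs;
    }
    return implode( ' AND ', $parts );
}

// Constructed sample input: a plain string is escaped even when it looks
// like SQL, so an attacker-supplied value can never become an expression.
echo makeWhere( [ 'page_title' => "O'Neil", 'page_namespace' => 0 ] ), "\n";
echo makeWhere( [ 'page_id' => 'RAND()*1000' ] ), "\n";
// The marker type is the single, grep-able way to opt out of escaping.
echo makeWhere( [ 'page_id' => new RawSql( 'RAND()*1000' ) ] ), "\n";
echo quoteIdentifier( 'table1,table2' ), ' | ', quoteIdentifier( 'wiki.page' ), "\n";
```

Of the three makeWhere() calls, only the last one emits its right-hand side without quotes, which is the point of a marker type: every raw-SQL site is explicit and auditable.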