Need varargs? Use eval!



  • This doesn't qualify as a WTF since this was written by me and is not production software, but nonetheless it's funny.

    function dbq($thing)
    {
        // Undo the slashes magic_quotes_gpc adds on input, if it is on.
        if(get_magic_quotes_gpc()) $thing = stripslashes($thing);
        // Non-numeric values become the PHP source text '\'<escaped>\'',
        // i.e. a single-quoted PHP literal wrapping a SQL-quoted string.
        if(!is_numeric($thing)) $thing = '\'\\\''.mysql_real_escape_string($thing).'\\\'\'';
        return $thing;
    }

    function qsprintf($format)
    {
        // Build one line of PHP source that calls sprintf() with every
        // argument after $format, then eval() it to get the result.
        $code = '$temp = sprintf($format, ';
        $num = func_num_args();
        for($i=1; $i<$num; $i++)
        {
            $arg = func_get_arg($i);
            if($i == ($num-1)) $code .= (dbq($arg).');');
            else $code .= (dbq($arg).', ');
        }
        eval($code);
        return $temp;
    }

    Needless to say, I have since changed this code to use vsprintf...



  • Of course, what that really needs is "php_flag magic_quotes_gpc off" in a .htaccess file. ;-)

    I do have a lot of code that uses "$first" flags and so on to insert commas between array elements, rather than just using implode() too.



  • @benryves said:

    I do have a lot of code that uses "$first"  [ ... snip! ... ]


    Shh!  All those damn slashdot kiddies who've turned up lately will hear you!




  • <.<

    >.>



    TRWTF is that the generally-accepted way of doing SQL in PHP is still escaping-and-concatenation. Seriously, perl (for example)'s only had parameterised queries as the de facto standard since... er... somewhere in the region of 1998 (version 1.0 of the DBI module -- it'd had parameterised queries since 1994, mind).



    (Yes, I know about mysqli. That's all well-and-good, but how many people actually use it?)



  • @Irrelevant said:

    TRWTF is that the generally-accepted way of doing SQL in PHP is still escaping-and-concatenation. Seriously, perl (for example)'s only had parameterised queries as the de facto standard since... er... somewhere in the region of 1998 (version 1.0 of the DBI module -- it'd had parameterised queries since 1994, mind).

    And not only that, but perl is nice enough to give us (badly needed in other scripting languages) quote operators. Which if they existed in PHP would almost make escape+concat reasonable.

    Reasonably sane explanation of quoting rules: http://perldoc.perl.org/perlop.html#Gory-details-of-parsing-quoted-constructs-quote%2c-gory-details



  • @Irrelevant said:

    <.<
    >.>

    TRWTF is that the generally-accepted way of doing SQL in PHP is still escaping-and-concatenation. Seriously, perl (for example)'s only had parameterised queries as the de facto standard since... er... somewhere in the region of 1998 (version 1.0 of the DBI module -- it'd had parameterised queries since 1994, mind).

    (Yes, I know about mysqli. That's all well-and-good, but how many people actually use it?)


    It's a common way, but not "standard" in the sense that anybody with half a brain would do it that way. Think of php's mysql_ functions as the raw functions for accessing mysql in legacy php code. Since 2000 or earlier there have been libraries to properly access and query databases using parameterised queries. PEAR's Database library comes to mind as the official one. As if parameterised queries and other niceties weren't good enough, using a single set of functions for querying MySQL, Postgresql, SQL Server and other databases is certainly an important reason why you'd want to use something like PEAR for accessing a database.

    IMO, PHP should have deprecated the mysql_ functions a long time ago, so I guess in a way it's their fault.



  • @shakin said:

    PEAR's Database library comes to mind as the official one.

    PEAR really isn't official anything. The bundled database class since 5.1.0 is PDO. People that don't know about it, even if they haven't migrated their code yet, should probably spend a bit more time keeping up with this kind of stuff. 



  • @benryves said:

    Of course, what that really needs is "php_flag magic_quotes_gpc off" in a .htaccess file. ;-)

    I do have a lot of code that uses "$first" flags and so on to insert commas between array elements, rather than just using implode() too.

    It looks like it was designed to work either way, since it tests against get_magic_quotes_gpc() first, before doing a stripslashes. Convenient for working in both environments.



  • I hope $thing is never "1 can of ' or ''='".
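The following is an added example, not code posted in this thread. It reproduces the dbq()/qsprintf() pair from the first post closely enough to show what happens to the value in the last comment, then runs the same lookup the way the PDO and PEAR comments above recommend, as a prepared statement. Assumptions: mysql_real_escape_string() needs a live MySQL connection (and no longer exists since PHP 7), so addslashes() stands in for it here, since both turn ' into \'; the magic_quotes branch is dropped for the same reason; the table, its rows and the function names dbq_like()/qsprintf_like() are constructed for the demonstration; storage is an in-memory SQLite database through PDO (pdo_sqlite), so it runs offline.

```php
<?php
// Added example, not code from the thread. It mirrors the posted dbq()/qsprintf()
// pair to show why the value from the last comment breaks out of its quotes, then
// runs the same lookup as a PDO prepared statement.
//
// Assumptions: addslashes() stands in for mysql_real_escape_string() (which needs a
// live MySQL link and is gone since PHP 7); the magic_quotes branch is dropped;
// the database is an in-memory SQLite via PDO so this runs offline.

// Mirrors the posted dbq(): a non-numeric value becomes the PHP source text
// '\'<escaped>\'', a single-quoted PHP literal wrapping a SQL-quoted string.
function dbq_like($thing)
{
    if (!is_numeric($thing)) {
        $thing = '\'\\\'' . addslashes($thing) . '\\\'\'';
    }
    return $thing;
}

// Mirrors the posted qsprintf(): assembles a line of PHP source and eval()s it.
// When PHP parses that single-quoted literal, every \' collapses back to a bare ',
// so the escaping applied a moment earlier is undone before the SQL text exists.
function qsprintf_like($format)
{
    $args = func_get_args();
    $code = '$temp = sprintf($format';
    for ($i = 1; $i < count($args); $i++) {
        $code .= ', ' . dbq_like($args[$i]);
    }
    $code .= ');';
    eval($code);
    return $temp;
}

// The value from the last comment above.
$hostile = "1 can of ' or ''='";

// Escape-and-concatenate path: the quote inside $hostile survives the eval()
// round trip unescaped, so the OR clause ends up as part of the SQL.
$sql = qsprintf_like('SELECT * FROM items WHERE name = %s', $hostile);
echo $sql, "\n";

// Constructed sample table: two ordinary rows plus the hostile string itself.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO items (name) VALUES (?)');
foreach (['apple', 'pear', $hostile] as $name) {
    $insert->execute([$name]);
}

// Run the concatenated query: the injected OR clause matches every row.
$viaConcat = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN, 1);

// Parameterised query: the hostile string is bound as data and matches only itself.
$select = $pdo->prepare('SELECT name FROM items WHERE name = ?');
$select->execute([$hostile]);
$viaPrepared = $select->fetchAll(PDO::FETCH_COLUMN, 0);

printf("escape+concat: %d row(s)\n", count($viaConcat));
printf("prepared:      %d row(s)\n", count($viaPrepared));
```

Run it with `php example.php`. The echoed SQL is `SELECT * FROM items WHERE name = '1 can of ' or ''=''`, the concatenated query returns all three rows because `''=''` is always true, and the prepared statement returns only the row whose name is literally the hostile string. The prepared version never has to reason about quoting at all, which is the point made above about parameterised queries: the driver sends the SQL and the values separately, so no value can change the shape of the statement.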

