Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
asinshesq wrote:By the way, was I right in thinking that
utf8_normalize_nfc(request_var('message', '', true));
cleans a string so that it is ready for insertion into the db? Looking at request_var in functions.php I see it uses htmlspecialchars with ent compat which leaves single quotes alone and no corresponding str_replace to replace single quotes with something else...so what deals with that injection risk? Is there something in utf8_normalize_nfc that deals with that?
as far as I know, that doesn't deal with the injection risks… if you just use that, you would want to use something like
Random thought: Why is PHPBB3 not modular like Drupal?
99% of Drupal modules (I made the stat up but it is close probably) are non intrusive to core files because of the hooks that are in place with drupal core. I wish phpbb3 had that functionality... or really ANY forum software
The tips listed are great though, and encourage a very nonintrusive, modular design and I have to say, I love it
I just added some additional commentary at the end of (9) about $db->sql_in_set(). If you're following this thread and you don't want to go back and try to figure out what I changed, here's the addition:
asinshesq wrote:
A word about $db->sql_in_set(): the coding guidelnes say: "The $db->sql_in_set() function should be used for building IN () and NOT IN () constructs" and gives as an example:
$sql = 'SELECT *
FROM ' . FORUMS_TABLE . '
WHERE ' . $db->sql_in_set('forum_id', $forum_ids);
$db->sql_query($sql);
Two thngs to keep in mind:
- Even though mysql actually needs a comma separated list for its IN feature, the second parameter of sql_in_set ($forum_ids in the above example) needs to be an array (the function then changes the array to a comma separated list usable by mysql program). That is actually pretty useful, but if you are converting old code that uses IN you will need to keep in mind that you should now use an array that you feed into that function.
- The way to build NOT IN is to add a third parameter 'true'. If you look at the comments for the function in dbal.php you will see that they have it backwards (the way the function is written you should use 'true' if you want NOT IN but the function comment says the opposite).
Remember that MySQL is not the only supported DBMS.
A little note too : a fourth parameter (boolean) exists and permit to pass (if true) or not (default) an empty array.
- The way to build NOT IN is to add a third parameter 'true'. If you look at the comments for the function in dbal.php you will see that they have it backwards (the way the function is written you should use 'true' if you want NOT IN but the function comment says the opposite).
jojobarjo32 wrote:
Remember that MySQL is not the only supported DBMS.
Right, I was just referring to mysql as an example. The point is that in DBAL you need to feed a comma separated list into an IN test but sql_in_list() does that work for you so that you can just stick with an array (and in fact if you try to use a comma separated list with sql_in_list() it doesn't work).
kellanved wrote:
Report that as a bug, please.
I wasn't sure whether you were kidding. Is a screwed up comment technically a 'bug' that I should report?
