Re: ADODB status and plan: msg#00016

Subject: Re: ADODB status and plan
That sounds great. If you are ready to commit, let me know, and also
what your SF username is. Make sure to commit it on HEAD, as described in
http://docs.phplist.com/PhplistCVS, because we try to keep "stable" for
tiny bugfixes and particularly to be able to respond quickly to security
issues that are found.

If you have some guidelines on avoiding MySQL specific queries that
would be great. I simply only work with MySQL so I never think about
that. It might be useful to write a page about it in the developers
section of the docs. In fact, you can probably just copy your email
below in a page over there.

Once the Adodb layer is re-established, we might just as well all use it
and get rid of the mysql.inc file.

Yes, sorry phplist is still on CVS. I use subversion for other projects
as well, but never found the time to go through the sourceforge stuff to
convert phplist to SVN. Shouldn't be too much trouble though, so we
could try to get that sorted some time in the next year or so.

Michiel

Brian C. DeRocher wrote:
> I just wanted to let the developers know my status and plan for work on 
> phplist.
>
> My status:
>
> I have the main admin page running.  It reports my database is an old version
> :)  At this point i'm investigating what initialise.php will do before i click
> it.  Also i'm seeing how the upgrade.php and import#.php are tied in.
>
> My plan:
>
> (1) I will get it working with ADODB / PostgreSQL and install it for 2 
> clients because they're eager to use it.  While doing this i'm tracking my 
> changes with SVN.  I am also creating a long page of ToDo items because i
> see plenty of places for improvement.  (I'll compare them to the bug list 
> before acting on them.)
>
> The primary change that i'm making is to switch normal queries over to
> parameterized queries.  There are three reasons for this (a) to prevent SQL
> injection attacks, (b) delegate responsibility of quoting values to
> ADODB, and (c) handle database specific things.  PostgreSQL quotes names 
> (tables, columns) with double quotes and values with single quotes.  But it 
> doesn't matter since ADODB will take care of that.  For example:
>
> -    $admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id 
> from %s where loginname = "%s"',$GL
> OBALS["tables"]["admin"],$login));
> +    $query
> +    = ' select password, disabled, id'
> +    . ' from %s'
> +    . ' where loginname = ?';
> +    $query = sprintf($query, $GLOBALS["tables"]["admin"]);
> +    $req = Sql_Query_Params($query, array($login));
> +    $admindata = Sql_Fetch_Array($req);
>
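
Review bot: The result of Sql_Query_Params() is passed straight to Sql_Fetch_Array() in the last two added lines with no check that the query succeeded. Since this lookup reads the password row for a login name, test $req (and an empty $admindata) explicitly so that a database error is handled as a failed login rather than falling through. The table name still reaches the statement through sprintf(), which is expected because placeholders bind values only; a short comment that $GLOBALS["tables"]["admin"] must come from configuration would make that assumption visible.
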
> I created Sql_Query_params() but i'm not going to create
> Sql_Fetch_Array_Query_Params(), etc...
>
> Here's an example of a MySQL specific query.
>
> -  $req = Sql_Query("show columns from $tablename");
> +  $query
> +  = " select column_name, data_type"
> +  . " from information_schema.columns"
> +  . " where table_schema = ?"
> +  . "   and table_name = ?";
> +  $req = Sql_Query_Params($query, array('phplist',$tablename));
>
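
Review bot: The schema name 'phplist' is hard-coded in the parameter array on the last added line, so an installation whose tables live in a differently named schema gets an empty result with no error. Take the schema from configuration instead. The result columns are now column_name and data_type, so any caller that reads the column names returned by "show columns" needs updating in the same change.
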
> I tried to use the ADODB meta columns function first, but it doesn't 
> handle schemas.  I'll consider switching to Pear MDB2 or PDO if there 
> are more issues like this.
>
> As you see i'm also breaking the query out onto lines based on its major
> parts (select, from, where) for readability.  Also i'm quoting the
> queries in single quotes.  The only benefit there is it's slightly faster
> since it doesn't have to expand variables and escape sequences.
>
> Finally i created Sql_Replace() which passes through nicely to ADODB.  
> PostgreSQL doesn't have support for "replace into..." but ADODB takes 
> care of all of that.
>
> (2) Contribute my changes back to phplist, since this is a project i'll be
> continuing to use for a long time.  This will happen strictly after (1).
>
> In the mean time i'll stand up a trac website so developers can view the 
> changes i've made so far.  If you want me to commit back to the phplist 
> repository just grant me access.
>
>   
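
The difference between formatting a value into the SQL text and binding it through a placeholder, as discussed in the quoted message, shown as an added example that is not code from the thread or from phplist. It assumes PDO with an in-memory SQLite database instead of ADODB/PostgreSQL, and the helper names `table_name`, `lookup_formatted` and `lookup_params` are hypothetical. Because placeholders cannot bind identifiers, the table name is validated separately before it is formatted in.

```php
<?php
// Added example: hypothetical helpers, PDO + in-memory SQLite standing in for ADODB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; $tables stands in for $GLOBALS["tables"].
$tables = ['admin' => 'phplist_admin'];
$db->exec('create table phplist_admin (id integer primary key, loginname text, password text, disabled integer)');
$db->exec("insert into phplist_admin (loginname, password, disabled) values ('admin', 'constructed-hash', 0)");

// Placeholders bind values only, so the table name is checked against a
// strict pattern before it is formatted into the statement.
function table_name(array $tables, string $key): string
{
    if (!isset($tables[$key]) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $tables[$key])) {
        throw new InvalidArgumentException("unknown or unsafe table: $key");
    }
    return $tables[$key];
}

// Old style: the login value becomes part of the SQL text.
function lookup_formatted(PDO $db, array $tables, string $login): array
{
    $sql = sprintf("select id from %s where loginname = '%s'", table_name($tables, 'admin'), $login);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// New style: the login value travels separately from the SQL text.
function lookup_params(PDO $db, array $tables, string $login): array
{
    $sql = sprintf('select id from %s where loginname = ?', table_name($tables, 'admin'));
    $stmt = $db->prepare($sql);
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote character; no such login exists.
$login = "nobody' or '1'='1";
printf("formatted query: %d row(s)\n", count(lookup_formatted($db, $tables, $login)));
printf("bound parameter: %d row(s)\n", count(lookup_params($db, $tables, $login)));
printf("bound parameter, existing login: %d row(s)\n", count(lookup_params($db, $tables, 'admin')));
```

With the formatted query the quote in the input changes the WHERE clause and rows come back for a login that does not exist; with the bound parameter the same input is compared as a literal string.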
