DB_escape_string

[icedlava]

I think, in sum, the new query function is built to resemble the old query function, with the added benefit that, so long as users are instructed to only use bindvars for variables, the queries will be 99.9% injection safe.

That was the query, but it has been changed since in the subversion branch.

the function does not take advantage of the fact that parametrized queries are more efficient when executed multiple times.

Yes I thought of that - and perhaps we could get around it by passing in an option say, 'raw' for want of a better name, that is false.

This option would allow the statement to be passed back rather than the array as i had it.

This would therefore be only available as required, and hopefully to those that remember to close it.

If we do that we'd also need a function to alter the bound parameters (since bind_param is mysqli specific) as well.

Continuing on from the 'raw' idea - that would be handled and called by the developer's script after they receive the statement back.

Also, for constant SQL queries, using parametrized queries comes at a slight performance hit.

I don't believe it would be that great given the scope and purpose of most webERP scripts and think consistency would be better. Refactoring code somewhat for higher php versions later would I believe overcome it perhaps. But that's just my thought atm.


Cheers,
[Edit] - I would hope if consistency was chosen then traces of the 'old' DB_query would be removed at some point after all sql had been revised for new bind vars.