Developer doc
(Documented gettext and db_query_params())
Revision as of 14:50, 18 November 2009
A few things to know about how the code works. Far from complete.
i18n in FusionForge is done via the standard Gettext library, with no particular quirks in FusionForge. This makes it a bit unwieldy to use custom/local translations or strings. Lolando has a local branch with code to generate a local translation package that can override the official ones. Need to finish it and commit it to trunk.
Database queries go through the db_query_params() method (db_query() is being deprecated to help get rid of a whole class of potential SQL injection bugs). This is a wrapper around the PostgreSQL database access methods, which passes the variable parts of a query as separate parameters, removing the need for careful escaping and unescaping. To get the full benefits of that, it is important that the query itself be immutable, and all variable parts need to go into separate parameters. For instance, a query counting the groups with a given word in their name or their description should read:
$res = db_query_params ('SELECT count(*) FROM groups WHERE group_name LIKE $1 OR description LIKE $2', array ($word, $word)) ;
Thus, even if $word comes from a malicious user, it reaches the server as a parameter value rather than as part of the SQL text, so it cannot change the structure of the query.
Note that this rules out WHERE foo IN (...) constructs when the number of elements in the set is not constant, since the query text would have to change. Fortunately, there is an alternative: WHERE foo = ANY($1), with the array value built by the db_string_array_to_any_clause() or db_int_array_to_any_clause() methods:
$values = array (1, 2, 5, 8) ;
$res = db_query_params ('SELECT foo FROM bar WHERE col = ANY($1)', array (db_int_array_to_any_clause($values))) ;
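The two queries above, written as an added example directly against PHP's pg_* extension that db_query_params() wraps; this is not FusionForge code. The connection string, the table and column names and the input value are constructed placeholders, and int_array_to_pg_literal() is a hypothetical stand-in for db_int_array_to_any_clause(), whose exact output is not shown on this page. It also shows one caveat the LIKE example leaves open: a parameter keeps $word out of the SQL text, but '%' and '_' inside the value are still LIKE wildcards, so they are escaped separately.

```php
<?php
// Added example (not FusionForge's own code): parameterised queries through
// PHP's pg_* functions, the layer under db_query_params().

// Build a PostgreSQL array literal such as '{1,2,5,8}' from a PHP array.
// Hypothetical stand-in for db_int_array_to_any_clause(); its real output
// format is not documented on this page. intval() forces every element to
// be an integer before it is handed to the server.
function int_array_to_pg_literal(array $values): string
{
    return '{' . implode(',', array_map('intval', $values)) . '}';
}

// Wrap a search word in '%...%' for LIKE, escaping the LIKE metacharacters so
// user input matches literally. Parameterisation protects the SQL text, not
// the pattern semantics; PostgreSQL's default ESCAPE character is backslash,
// so backslashes are doubled first, then '%' and '_' are escaped.
function like_literal(string $word): string
{
    return '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word) . '%';
}

$db = pg_connect('host=localhost dbname=fusionforge user=fusionforge'); // placeholder DSN
if ($db === false) {
    exit("connection failed\n");
}

// The query text is constant; every variable part travels as $1, $2, ...
$word = "O'Reilly_50%";          // constructed input with a quote and two wildcards
$pattern = like_literal($word);  // "%O'Reilly\_50\%%"
$res = pg_query_params(
    $db,
    'SELECT count(*) FROM groups WHERE group_name LIKE $1 OR description LIKE $2',
    [$pattern, $pattern]
);
// The quote arrives as data, and '_' / '%' now match themselves only.
echo pg_fetch_result($res, 0, 0), " groups match\n";

// Variable-length set: one array parameter with = ANY($1) instead of IN (...),
// so the query text stays the same however many ids are supplied.
$ids = [1, 2, 5, 8];
$res = pg_query_params(
    $db,
    'SELECT foo FROM bar WHERE col = ANY($1)',
    [int_array_to_pg_literal($ids)]
);
while ($row = pg_fetch_assoc($res)) {
    echo $row['foo'], "\n";
}
```

The same rule applies whichever helper builds the array: the list of values becomes a single parameter, never a fragment of the query string.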