[Owncloud] Committing Oracle support tomorrow, beware of SQL without escaped identifiers

Bernhard Posselt nukeawhale at gmail.com
Mon Aug 27 19:57:58 UTC 2012


> Instead of using the MDB2 'clob' type use 'text' and set a length.
> CLOB is incompatible with indexes on some databases or MDB2 does not
> handle it correctly. Without a length MDB2 will pick an internal length
> which it thinks is right but breaks current MySQL, e.g. And it will force
> you to think on sensible text lengths, which in general is "a good thing".
> I think that's it.

Sorry, but I think this is the wrong way of doing it. Sometimes there's
no alternative for Text. For instance, in the news app this completely
broke the articles because it cut off the closing HTML tags. And how
long can an article be? Should we set a length of 10 million characters?
And if something is longer than that, it will still break and produce
weird bugs.

IMHO we should get a sensible ORM which doesn't force us to write SQL by
hand. Also, people shouldn't be exposed to the danger of accidentally
overlooking an SQL injection bug. Why are you using an abstraction layer
anyway that forces you to write SQL? IMHO the Oracle transition shows
the problem of MDB2 pretty well.

As for the ORM choice, I only know of the Django and the Rails one, so
what about http://www.phpactiverecord.org/ ? Didn't try it out myself
yet though.




