Auto protecting queries

I’m working on the new Forms system and I realized something: by default, query parameters are NOT protected. I will not debate on SQL injection (consult the Oracle), but I want to stress out that you SHOULD ALWAYS protect the parameters, the easy way is to use the autoProtect field:

class HTVP_filmUpdate extends PHPDS_query
{
protected $sql = 'UPDATE `table` SET `field` = "%(parameter)s" WHERE `id` = %(id)d';
protected $autoProtect = true;
}

(of course it’s not necessary if you deal only with %d parameters)

You can also use $autoQuote = true to automatically add quotes to your parameters.