PHP Classes

I appreciate the ability to build queries in code, you code i...

Package:PHP PDO Fluent Query Builder
Subject:I appreciate the ability to build...
Summary:Package rating comment
Messages:4
Author:per
Date:2014-02-21 22:34:42
Update:2014-02-24 19:08:02
 

per rated this package as follows:

Utility: Good
Consistency: Good
Examples: Good

  1. I appreciate the ability to build...
per - 2014-02-21 22:34:42
I appreciate the ability to build queries in code; your code is very useful, but lacking. This code is currently unsuitable for exposure to an internet-facing server. Even though you escape your string, I could still give you a variable like... $safe_escaped = '1 UNION SELECT password FROM users'. Or use crazy combinations of concat, char, hex, and unhex to manually write out my command without your escaped slashes.

  2. Re: I appreciate the ability to build...
Carlo Pietrobattista - 2014-02-22 11:32:09 - In reply to message 1 from per
Hi there, thank you for your feedback.

I am not sure what you mean when you say that I am escaping the string.

Placeholders with PDO are being used to escape values.

If you are feeding a custom statement to the run method, well, that is up to the programmer to secure the query then.

Make sure that you have read the manual also.

Please explain in more detail what you mean, so that I can actually address the issue and improve the interface, thank you.

  3. Re: I appreciate the ability to build...
per - 2014-02-24 19:05:25 - In reply to message 2 from Carlo Pietrobattista
You're right, I missed the line: $this->_query->bindValue( $pos , $value , $type );
and got thrown off by the line: $query = 'INSERT INTO ' . $this->_table . ' (' . $fields . ') VALUES (' . $values . ')';

This is because I believed the variable $values contained the values, but rather it contains the bound variable names, i.e. (:1, :2, :3).

I will re-rate this code, for I believe it to be secure.

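To make the point of messages 1 to 3 concrete, here is an added example that is not code from the PDO Fluent Query Builder package. It reproduces the shape of the line quoted in message 3 (table and column names concatenated into the SQL string, values bound through :1, :2, ... placeholders with bindValue) and runs the payload from message 1 through it twice: once as a bound value and once concatenated into a query. The in-memory SQLite database, its rows, the ALLOWED_COLUMNS whitelist and the buildInsert() helper are all constructed for this demonstration and are not part of the package.

```php
<?php
declare(strict_types=1);

// Added example (not the package's code): bound values versus concatenated
// values, run offline against an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 'hash-of-alice')");

// The string from message 1, used as a plain value below.
$payload = '1 UNION SELECT password FROM users';

// Assumed whitelist: the builder concatenates identifiers, so table and column
// names must come from application code, never from request input.
const ALLOWED_COLUMNS = ['users' => ['name', 'password']];

// Hypothetical helper mirroring the pattern quoted in message 3:
//   'INSERT INTO ' . $table . ' (' . $fields . ') VALUES (' . $values . ')'
// where $values is the placeholder list ":1, :2, ..." and every real value is
// attached afterwards with bindValue().
function buildInsert(PDO $pdo, string $table, array $row): PDOStatement
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    if ($row === []) {
        throw new InvalidArgumentException('nothing to insert');
    }
    $unknown = array_diff(array_keys($row), ALLOWED_COLUMNS[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException('column not allowed: ' . implode(', ', $unknown));
    }

    $fields = implode(', ', array_keys($row));
    $values = implode(', ', array_map(fn (int $i): string => ':' . $i, range(1, count($row))));
    $query  = 'INSERT INTO ' . $table . ' (' . $fields . ') VALUES (' . $values . ')';

    $stmt = $pdo->prepare($query);
    $pos = 1;
    foreach ($row as $value) {
        // The value never touches the SQL text; the driver receives it separately.
        $stmt->bindValue(':' . $pos, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        $pos++;
    }
    return $stmt;
}

// 1. The payload as a bound INSERT value: it is stored as data, nothing more.
buildInsert($pdo, 'users', ['name' => $payload, 'password' => 'hash-of-attacker'])->execute();
$names = $pdo->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
echo "names after bound insert: ", implode(' | ', $names), "\n";

// 2. The payload as a bound WHERE value: the comparison simply does not match.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :1');
$stmt->bindValue(':1', $payload, PDO::PARAM_STR);
$stmt->execute();
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "rows for bound WHERE: ", count($bound), "\n";

// 3. The same payload concatenated into the SQL text rewrites the query and
//    returns the password column alongside the names.
$leaked = $pdo->query('SELECT name FROM users WHERE id = ' . $payload)->fetchAll(PDO::FETCH_COLUMN);
echo "rows for concatenated WHERE: ", count($leaked), "\n";
echo "password hashes leaked: ", (in_array('hash-of-alice', $leaked, true) ? 'yes' : 'no'), "\n";

// 4. Identifiers are not protected by placeholders; the whitelist is what stops them.
try {
    buildInsert($pdo, 'users', ['name' => 'bob', 'password) VALUES (1, (SELECT password FROM users)) --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo "rejected identifier: ", $e->getMessage(), "\n";
}
```

Step 1 and step 2 are the situation message 3 describes: the placeholder list is what lands in the query string, and the attacker-controlled text is handed to the driver as a value, so "1 UNION SELECT ..." ends up as a username and matches no id. Step 3 is the failure the reviewer feared, and it only happens when a value is spliced into the SQL text, which in the package is the raw-statement path the author points to in message 2. Step 4 is the caveat placeholders do not cover: table and column names are concatenated by this kind of builder, so they need a whitelist like the assumed ALLOWED_COLUMNS rather than bindValue.
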
  4. Re: I appreciate the ability to build...
per - 2014-02-24 19:08:02 - In reply to message 1 from per
Author provides an excellent PDO solution. I plan to give this code a try.