Show HN: A “Write Less, Do More” DB Class Based on PDO [PHP]
I just want to raise my concern about the security issues the current implementation provides. At a glance the update method provides a simple way to execute arbitrary SQL.
Please be aware
Are you referring to a condition where if you let attackers control the array indices or table name, it's merely sanitized for meta characters?
https://github.com/resonantcore/lib/blob/7b719907e8954241ff9...
Developer abuse ought to be sufficiently mitigated now. Thanks for saying something :)
No matter how hard you try: if queries are dynamically created, you (or your lib's user) will most certainly miss a spot where an attacker could sneak in an offensive query.
You fixed the $i, but what about $table? What about the keys of $conditions?
See the problem? And we are just talking about a single method ;-)
Valid points, but regrettably they were ones I had already addressed in subsequent changes.
I linked to a single commit.
I probably should have linked to the master branch instead. (Also, I just pushed another update as I wrote this.)
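The injection points argued over above (the table name and the keys of the $changes / $conditions arrays, which PDO cannot bind as parameters) are easiest to see in running code. The following is an added example written for this page, not code from the library being shown or from its author; the schema, the helper names and the hostile input are assumptions for the example, and it uses an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the library's code. Demonstrates why a dynamic update()
// builder must treat $table and every array key as an identifier (which
// placeholders cannot bind) and closes the hole with an allowlist instead of
// "sanitizing" meta characters. Schema and names below are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Vulnerable shape: the values are bound through placeholders and are safe,
// but $table and every array key are interpolated straight into the SQL text.
function updateUnsafe(PDO $pdo, string $table, array $changes, array $conditions): int
{
    $set = [];
    foreach (array_keys($changes) as $col) {
        $set[] = "$col = ?";
    }
    $where = [];
    foreach (array_keys($conditions) as $col) {
        $where[] = "$col = ?";
    }
    $sql = "UPDATE $table SET " . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $where);
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge(array_values($changes), array_values($conditions)));
    return $stmt->rowCount();
}

// Hardened shape: identifiers are checked against a known schema (assumed here)
// and then quoted as identifiers; only values ever reach the placeholders.
const SCHEMA = ['users' => ['id', 'name', 'role']];

function quoteIdentifier(string $table, $column): string
{
    // Array keys may arrive as int (PHP converts numeric-string keys), so the
    // strict in_array() check rejects anything that is not a listed column.
    if (!in_array($column, SCHEMA[$table], true)) {
        throw new InvalidArgumentException("unknown column for $table: " . var_export($column, true));
    }
    return '"' . $column . '"';
}

function updateSafe(PDO $pdo, string $table, array $changes, array $conditions): int
{
    if (!array_key_exists($table, SCHEMA)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    if ($changes === [] || $conditions === []) {
        // Refuse an UPDATE with nothing to set or with no WHERE clause at all.
        throw new InvalidArgumentException('update needs both changes and conditions');
    }
    $set = [];
    foreach (array_keys($changes) as $col) {
        $set[] = quoteIdentifier($table, $col) . ' = ?';
    }
    $where = [];
    foreach (array_keys($conditions) as $col) {
        $where[] = quoteIdentifier($table, $col) . ' = ?';
    }
    $sql = 'UPDATE "' . $table . '" SET ' . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $where);
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge(array_values($changes), array_values($conditions)));
    return $stmt->rowCount();
}

function roleOf(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Constructed hostile input: a "rename my account" request in which the
// attacker controls the column key. The key keeps the placeholder count
// intact, so PDO raises no error about unbound parameters.
$hostile = ["role = 'admin', name" => 'alice'];

updateUnsafe($pdo, 'users', $hostile, ['id' => 1]);
echo 'after unsafe update, user 1 role: ' . roleOf($pdo, 1) . PHP_EOL;

$pdo->exec("UPDATE users SET role = 'user' WHERE id = 1");
try {
    updateSafe($pdo, 'users', $hostile, ['id' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'safe update rejected: ' . $e->getMessage() . PHP_EOL;
}
echo 'after safe update attempt, user 1 role: ' . roleOf($pdo, 1) . PHP_EOL;

// The legitimate call still works through the hardened builder.
updateSafe($pdo, 'users', ['name' => 'alicia'], ['id' => 1]);
```

Run with any PHP build that has the pdo_sqlite extension. The unsafe builder promotes user 1 to admin through the SET clause even though every value was bound; the hardened builder throws before any SQL is prepared. Escaping or stripping meta characters from an identifier is not a substitute for this check, because the identifier is part of the statement's structure rather than a value, which is the point made in the thread about $table and the keys of $conditions.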
TL;DR - it does everything PDO does (thanks to class inheritance) but also has some nice short-hand methods for getting jobs done quicker. DRY and KISS.
Where are the tests?
There aren't any, currently. These libraries are ripped from an in-house framework which has some tests already, but none for the classes we extracted. We created the tests folder in anticipation of actually writing some.