This is open to SQL injection:

    $queryBuilder
        ->select(...$_GET['columns'])
        ->from($_GET['table'])
        ->where($_GET['where'])
    ;

All of the statements below produce 42.

This is valid SQL:

    SELECT `42 FROM TABLE`() FROM dual;
    SELECT `⠀` FROM `⠀`;
    SELECT * FROM "42"; -- With ANSI_QUOTES
    SELECT * FROM """""";

This is valid in MySQL:

    VALUES ROW(42)

This is valid in MariaDB:

    VALUES (42);

This is not valid SQL:

    SELECT * FROM "\"\"";

There are also window functions, CTEs, stored procedures, and a bunch of new features.
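Because identifiers like the ones above are valid, checking whether request input "looks like" a column or table name is not a workable filter. The following added example (not code from the original page) instead copies identifiers and operators only from an allowlist and binds values as parameters. The schema in ALLOWED, the request shape and the buildSelect() function are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Assumed schema allowlist for this example: table => readable columns.
const ALLOWED = ['users' => ['id', 'name', 'email'], 'orders' => ['id', 'user_id', 'total']];
const OPERATORS = ['=', '<>', '<', '<=', '>', '>='];

/** Returns [sql, params]; throws InvalidArgumentException on anything not allowlisted. */
function buildSelect(array $input): array
{
    $table = $input['table'] ?? null;
    if (!is_string($table) || !array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException('unknown table');
    }
    $known = ALLOWED[$table];
    $columns = $input['columns'] ?? null;
    if (!is_array($columns) || $columns === []) {
        throw new InvalidArgumentException('no columns requested');
    }
    foreach ($columns as $column) {
        // Strict match against known names: no parsing, escaping or pattern checks.
        if (!in_array($column, $known, true)) {
            throw new InvalidArgumentException('unknown column');
        }
    }
    $conditions = $params = [];
    foreach ((array) ($input['where'] ?? []) as $cond) {
        $cond = (is_array($cond) ? $cond : []) + ['column' => null, 'op' => null, 'value' => null];
        if (!in_array($cond['column'], $known, true) || !in_array($cond['op'], OPERATORS, true) || !is_scalar($cond['value'])) {
            throw new InvalidArgumentException('bad condition');
        }
        $conditions[] = "`{$cond['column']}` {$cond['op']} ?"; // both parts come from the allowlists
        $params[] = $cond['value'];                            // value is bound, never concatenated
    }
    $sql = 'SELECT `' . implode('`, `', $columns) . '` FROM `' . $table . '`';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

// Constructed requests: the first is well-formed, the second uses an identifier from the page.
[$sql, $params] = buildSelect(['table' => 'users', 'columns' => ['id', 'name'],
    'where' => [['column' => 'name', 'op' => '=', 'value' => "O'Brien"]]]);
echo $sql, ' ', json_encode($params), "\n";
try {
    buildSelect(['table' => 'users', 'columns' => ['`42 FROM TABLE`()']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned SQL text and parameter list are meant to be handed to a prepared statement, for example PDO's prepare() followed by execute($params).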