This is open to SQL injection:
$queryBuilder
->select(...$_GET['columns'])
->from($_GET['table'])
->where($_GET['where'])
;
All of the statements below produce 42. This is valid SQL:
SELECT `42 FROM TABLE`() FROM dual;
SELECT `⠀` FROM `⠀`;
SELECT * FROM "42"; -- With ANSI_QUOTES
SELECT * FROM """""";
This is valid in MySQL:
VALUES ROW(42)
This is valid in MariaDB:
VALUES (42);
This is not valid SQL:
SELECT * FROM "\"\"";
There are also window functions, CTEs, stored procedures, and a bunch of
new features.
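
One way to close the hole in the query-builder call above, as an added example that is not part of the original text. Because identifier quoting differs between dialects (as the statements above show), it never quotes caller text: it only accepts exact allowlist matches. The ALLOWED schema, the buildSelect() helper and the column => value shape of the filter are assumptions made for illustration.

```php
<?php
// Hypothetical allowlist (assumed schema): table => columns callers may use.
const ALLOWED = [
    'users'  => ['id', 'name', 'email'],
    'orders' => ['id', 'user_id', 'total'],
];

/** @return array{0: string, 1: array<string, scalar>} SQL text and values to bind */
function buildSelect(array $input): array
{
    $table = $input['table'] ?? null;
    if (!is_string($table) || !array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException('unknown table');
    }
    $columns = array_values((array) ($input['columns'] ?? []));
    $filter = $input['where'] ?? [];
    if ($columns === [] || !is_array($filter)) {
        throw new InvalidArgumentException('need columns and a column => value filter');
    }
    // Identifiers cannot be bound, so each must equal an allowlisted name.
    foreach (array_merge($columns, array_keys($filter)) as $name) {
        if (!is_string($name) || !in_array($name, ALLOWED[$table], true)) {
            throw new InvalidArgumentException('unknown column');
        }
    }
    $sql = sprintf('SELECT %s FROM %s', implode(', ', $columns), $table);
    $params = [];
    foreach ($filter as $column => $value) {
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('filter values must be scalar');
        }
        $sql .= ($params === [] ? ' WHERE ' : ' AND ') . "$column = :w_$column";
        $params["w_$column"] = $value;
    }
    return [$sql, $params];
}

// Constructed requests standing in for $_GET; the last two reuse identifiers from the text.
foreach ([
    ['table' => 'users', 'columns' => ['id', 'name'], 'where' => ['id' => '42']],
    ['table' => 'users', 'columns' => ['`42 FROM TABLE`()']],
    ['table' => '""""""', 'columns' => ['id']],
] as $request) {
    try {
        echo json_encode(buildSelect($request)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned SQL text goes to a prepared statement and the returned array is bound to it, so filter values never become part of the SQL string.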