This is open to SQL injection:
$queryBuilder
->select(...$_GET['columns'])
->from($_GET['table'])
->where($_GET['where'])
;
All of the statements below produce 42. This is valid SQL:
SELECT `42 FROM TABLE`() FROM dual;
SELECT `⠀` FROM `⠀`;
SELECT * FROM "42"; -- With ANSI_QUOTES
SELECT *
On Tue, Jun 22, 2021, at 11:46 AM, Mike Schinkel wrote:
> Maybe this will help. There are a billion XML schemas, but DomDocument
> and its related classes can process them all. A SqlObjectModel would be
> similar; it would know how to process text queries where the dialect
> interface
While it's true that a lot of the internet is using mysqli due to
WordPress, this doesn't change the fact that PHP already offers a solution
to the problem. Both PDO and mysqli support server-side prepared
statements.
We don't talk about WordPress. They should not hold back PHP. That project
is
> On Jun 22, 2021, at 11:41 AM, Larry Garfield wrote:
>
> On Tue, Jun 22, 2021, at 8:39 AM, Mike Schinkel wrote:
>>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
>>>
>>> Hi Mike,
>>>
>>> Please don't do this. We already have PDO with prepared statements. The
>>> data must be bound.
> On Jun 22, 2021, at 11:56 AM, Pierre wrote:
>
> Le 22/06/2021 à 17:35, Mike Schinkel a écrit :
>> https://github.com/WordPress/WordPress/blob/master/wp-includes/wp-db.php#L2050
> Sorry for the discussion pollution here, but ouch, plugins are still
> using this unsafe form? Reminds when
Le 22/06/2021 à 17:35, Mike Schinkel a écrit :
https://github.com/WordPress/WordPress/blob/master/wp-includes/wp-db.php#L2050
Sorry for the discussion pollution here, but ouch, plugins are still
using this unsafe form? Reminds me of when I was a student; I learnt to
parametrize queries there,
On Tue, Jun 22, 2021, at 8:39 AM, Mike Schinkel wrote:
> > On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
> >
> > Hi Mike,
> >
> > Please don't do this. We already have PDO with prepared statements. The
> > data must be bound. This is the secure way of writing SQL queries.
>
> The problem
> On Jun 22, 2021, at 10:35 AM, Stephen Reay wrote:
>
>> On 22 Jun 2021, at 20:39, Mike Schinkel wrote:
>>
>>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
>>>
>>> Hi Mike,
>>>
>>> Please don't do this. We already have PDO with prepared statements. The
>>> data must be bound. This is
> On 22 Jun 2021, at 20:39, Mike Schinkel wrote:
>
>> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
>>
>> Hi Mike,
>>
>> Please don't do this. We already have PDO with prepared statements. The data
>> must be bound. This is the secure way of writing SQL queries.
>
> The problem is
> On Jun 22, 2021, at 9:00 AM, Kamil Tekiela wrote:
>
> Hi Mike,
>
> Please don't do this. We already have PDO with prepared statements. The data
> must be bound. This is the secure way of writing SQL queries.
The problem is that over 40% of the web currently runs on PHP code that using
Le 22/06/2021 à 15:00, Kamil Tekiela a écrit :
Hi Mike,
Please don't do this. We already have PDO with prepared statements. The
data must be bound. This is the secure way of writing SQL queries. The idea
behind SQL builder is to generate SQL, not to allow the data to be
sanitized.
Every time I
Hi Mike,
Please don't do this. We already have PDO with prepared statements. The
data must be bound. This is the secure way of writing SQL queries. The idea
behind SQL builder is to generate SQL, not to allow the data to be
sanitized.
Every time I hear the word sanitize I get goose bumps. You
> On Jun 22, 2021, at 6:45 AM, Pierre wrote:
>
> Le 22/06/2021 à 11:28, Dan Ackroyd a écrit :
>> On Tue, 22 Jun 2021 at 10:25, Mike Schinkel wrote:
>>> Should(n't?) PHP add a basic SQL builder class that can be extended for
>>> special cases, e.g. different flavors of SQL?
>>>
>> No. Or at