Show HN: A “Write Less, Do More” DB Class Based on PDO [PHP] - resonantcore
https://github.com/resonantcore/lib/wiki/DB

======
eridal
I just want to raise my concern about the security issues the current
implementation provides. At a glance the _update_ method provides a simple way
to execute arbitrary SQL.

Please be aware

~~~
sarciszewski
Are you referring to a condition where if you let attackers control the array
indices or table name, it's merely sanitized for meta characters?

[https://github.com/resonantcore/lib/blob/7b719907e8954241ff9...](https://github.com/resonantcore/lib/blob/7b719907e8954241ff93fe96f1f4416ed48fffd8/src/DB.php#L159)

Developer abuse ought to be sufficiently mitigated now. Thanks for saying
something :)

~~~
eridal
No matter how hard you try, if queries are dynamically created, you (or your
lib's user) will most certainly miss a spot where an attacker could sneak an
offensive query.

You fixed the $i, but what about $table? What about $conditions's keys?

See the problem? And we are just talking about a single method ;-)

~~~
sarciszewski
Valid points, but regrettably they were ones I had already addressed in
subsequent changes.

I linked to a single commit.

I probably should have linked to the master branch instead. (Also, I just
pushed another update as I wrote this.)

[https://github.com/resonantcore/lib/blob/master/src/DB.php](https://github.com/resonantcore/lib/blob/master/src/DB.php)
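The concern raised above (that $table and the keys of $conditions, not just the values, end up in the SQL string) is illustrated here with an added example that is not code from the resonantcore library: a hypothetical SafeUpdate class checks every identifier against an allow-list built from a constructed sample schema and binds every value, so nothing caller-controlled is interpolated into the query text.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened update helper (added illustration, not the library's code).
// Identifiers (table and column names) are never copied into SQL verbatim: they
// must appear in the schema allow-list AND match a strict identifier pattern.
// Values are always sent as bound parameters.
final class SafeUpdate
{
    /** @var array<string, string[]> table => allowed columns (constructed sample schema) */
    private array $schema = [
        'users' => ['id', 'email', 'display_name'],
        'posts' => ['id', 'author_id', 'title'],
    ];

    public function __construct(private PDO $pdo) {}

    // Returns a backtick-quoted identifier, or throws if it is not on the allow-list.
    private function identifier(string $name, array $allowed): string
    {
        if (!in_array($name, $allowed, true)
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Identifier not permitted: {$name}");
        }
        return '`' . $name . '`';
    }

    /** $changes and $conditions are column => value maps; conditions are ANDed. */
    public function update(string $table, array $changes, array $conditions): int
    {
        if (!isset($this->schema[$table])) {
            throw new InvalidArgumentException("Unknown table: {$table}");
        }
        if ($changes === [] || $conditions === []) {
            throw new InvalidArgumentException('Refusing an empty or unconditional UPDATE');
        }
        $cols = $this->schema[$table];
        $set = []; $where = []; $params = [];
        foreach ($changes as $col => $value) {          // keys are validated, values bound
            $set[] = $this->identifier((string) $col, $cols) . ' = ?';
            $params[] = $value;
        }
        foreach ($conditions as $col => $value) {       // same treatment for WHERE keys
            $where[] = $this->identifier((string) $col, $cols) . ' = ?';
            $params[] = $value;
        }
        $sql = 'UPDATE ' . $this->identifier($table, array_keys($this->schema))
             . ' SET ' . implode(', ', $set) . ' WHERE ' . implode(' AND ', $where);
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}
```

A call such as `(new SafeUpdate($pdo))->update('users', ['email' => $new], ['id' => $id])` produces `UPDATE \`users\` SET \`email\` = ? WHERE \`id\` = ?`, while a key like `id = 1; DROP TABLE users --` is rejected before any SQL is built.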

------
resonantcore
TL;DR - it does everything PDO does (thanks to class inheritance) but also has
some nice short-hand methods for getting jobs done quicker. DRY and KISS.

------
tckr
Where are the tests?

~~~
resonantcore
There aren't any, currently. These libraries are ripped from an in-house
framework which has some tests already, but none for the classes we extracted.
We created the tests folder in anticipation of actually writing some.