9 comments

[ 3.3 ms ] story [ 11.6 ms ] thread
TL;DR - it does everything PDO does (thanks to class inheritance) but also has some nice short-hand methods for getting jobs done quicker. DRY and KISS.
I just want to raise my concern about the security issues the current implementation provides. At a glance the update method provides a simple way to execute arbitrary SQL.

Please be aware

Are you referring to a condition where if you let attackers control the array indices or table name, it's merely sanitized for meta characters?

https://github.com/resonantcore/lib/blob/7b719907e8954241ff9...

Developer abuse ought to be sufficiently mitigated now. Thanks for saying something :)

No matter how hard you try. If queries are dynamically created, you (or your lib's user) will most certainly miss a spot were an attacker cloud sneak an offensive query.

You fixed the $i, but what about $table? What about $conditions's keys?

See the problem? And we are just talking about a single method ;-)

(comment deleted)