FrancescoBianco Posted March 3, 2016

Hi! I want to show my project, designed as an ORM that directly manipulates the database schema with a class as the model: https://github.com/Javanile/SchemaDB

Please give me more feedback and test reports. Thanks
Jacques1 Posted March 4, 2016

I don't think you'll get a lot of feedback when there's no documentation anywhere. Even the code examples on GitHub don't work due to typos and wrong array keys (looks like “user”, “pass”, “name” and “pref” should actually be “username”, “password”, “dbname” and “prefix”). You offer an Italian ebook, but that's just empty (and Italian).

Your code is wide open to SQL injection attacks through identifiers:

```php
$db->apply([
    'test' => [
        'x' => $db::TEXT,
    ],
]);

$db->insert('test', [
    "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- " => "dummy value",
    "x" => "dummy value",
]);
```

This puts your exact MySQL version (or any other sensitive data) into the column:

```sql
INSERT INTO `prefix_test` (x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,x) VALUES (:x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,:x)
```

You're also using emulated prepared statements (this is a PDO default) and a SET NAMES query, which can make the values vulnerable to injection attacks as well. Emulation means that PDO doesn't actually use prepared statements, it merely auto-escapes all values. When you use SET NAMES, you silently change the connection encoding without notifying PDO, potentially breaking the escape mechanism altogether.

The latter can be fixed by turning off emulation and using the DSN charset attribute instead of SET NAMES. The former is tricky, because you have no concept for safely dealing with identifiers (they're just dumped straight into the query). One possible approach would be to wrap all identifiers in backticks while escaping all backticks within the identifiers (through doubling). Whether this actually works in all cases is an open question, though.
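One way to apply both fixes from the reply above (backtick-quoted identifiers, emulation off, charset in the DSN), as an added example that is neither SchemaDB's code nor the reply author's; the DSN, credentials and the 64-character identifier limit are assumptions:

```php
<?php
// Added example, not SchemaDB's code: quote identifiers and configure PDO so
// neither column names nor values can smuggle SQL into an INSERT.

// Wrap an identifier in backticks and double any backtick inside it (the
// approach suggested in the reply). The length check mirrors MySQL's 64-char
// identifier limit and is an assumed extra restriction.
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('Invalid identifier: ' . $name);
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build an INSERT where every column name is quoted and every value is bound.
// Returns [sql, params] so the statement text can be inspected before execution.
function buildInsert(string $table, array $row): array
{
    $columns = [];
    $placeholders = [];
    $params = [];
    $i = 0;
    foreach ($row as $column => $value) {
        $columns[] = quoteIdentifier($column);
        $placeholders[] = ':v' . $i;   // numbered names avoid invalid placeholder characters
        $params[':v' . $i] = $value;
        $i++;
    }
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        quoteIdentifier($table),
        implode(', ', $columns),
        implode(', ', $placeholders));
    return [$sql, $params];
}

// Hypothetical DSN and credentials. The charset lives in the DSN instead of a
// SET NAMES query, and emulation is disabled so MySQL itself prepares the statement.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

// The hostile key from the reply is now just a quoted (nonexistent) column name.
[$sql, $params] = buildInsert('prefix_test', [
    "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- " => 'dummy value',
    'x' => 'dummy value',
]);
$pdo->prepare($sql)->execute($params);
```

On the `test` schema from the reply this raises a PDOException for an unknown column rather than executing the injected SELECT, because the `--` sits inside the backticks and no longer starts a comment.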