keevitaja Posted November 26, 2010 Share Posted November 26, 2010 Hi, i wrote a mysql database class. main features prepared statements and mehtod chaining. please let me know what you think: http://usesql.keevitaja.com/ Quote Link to comment https://forums.phpfreaks.com/topic/219939-usesql-mysql-database-class/ Share on other sites More sharing options...
ignace Posted November 26, 2010 Share Posted November 26, 2010 Great work on the website and the class with a few remarks on the latter: 1) UseSQL would possibly be more useful if you allowed it to connect to more RDBMS then only MySQL (eg. extend PDO and make it a Database Abstraction Layer) 2) Don't mix HTML into your class 3) Use Exception's instead of letting your class handle any and all error's 4) Nearly no data is being filtered before being written to the database exposing anyone who uses your class to SQL injection 5) You assume an "id" convention, bare in mind that not everyone uses pseudo-keys Nevertheless I applaud your effort, keep up the good work! Quote Link to comment https://forums.phpfreaks.com/topic/219939-usesql-mysql-database-class/#findComment-1140070 Share on other sites More sharing options...
keevitaja Posted November 26, 2010 Author Share Posted November 26, 2010 about injection. to avoid it, prepared statement must be used. i can't force escaping every value in insert_row() method. Quote Link to comment https://forums.phpfreaks.com/topic/219939-usesql-mysql-database-class/#findComment-1140087 Share on other sites More sharing options...
keevitaja Posted November 27, 2010 Author Share Posted November 27, 2010 Exceptions added: http://usesql.keevitaja.com/usesql-version-1-1-download/ It was actually very good idea! Quote Link to comment https://forums.phpfreaks.com/topic/219939-usesql-mysql-database-class/#findComment-1140440 Share on other sites More sharing options...
ignace Posted November 28, 2010 Share Posted November 28, 2010 about injection. to avoid it, prepared statement must be used. i can't force escaping every value in insert_row() method. So if users always need to use prepared statements then why is it possible to execute a query that doesn't use them? You should only use prepared statements when you are to execute the same query multiple times with different variables. Using prepared statements merely to avoid SQL injection is over-kill as you could escape it easily yourself in the provided interface. Quote Link to comment https://forums.phpfreaks.com/topic/219939-usesql-mysql-database-class/#findComment-1140551 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.