
Manipulate Database Schema with ORM


FrancescoBianco

I don't think you'll get a lot of feedback when there's no documentation anywhere. Even the code examples on GitHub don't work due to typos and wrong array keys (looks like “user”, “pass”, “name” and “pref” should actually be “username”, “password”, “dbname” and “prefix”). You offer an Italian ebook, but that's just empty (and Italian).


Your code is wide open to SQL injection attacks through identifiers:

$db->apply([
    'test' => [
        'x' => $db::TEXT,
    ],
]);

$db->insert('test', [
    "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- " => "dummy value",
    "x" => "dummy value",
]);

This puts your exact MySQL version (or any other sensitive data) into the column:

INSERT INTO `prefix_test` (x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,x) VALUES (:x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,:x)

You're also using emulated prepared statements (this is a PDO default) and a SET NAMES query, which can make the values vulnerable to injection attacks as well. Emulation means that PDO doesn't actually use prepared statements, it merely auto-escapes all values. When you use SET NAMES, you silently change the connection encoding without notifying PDO, potentially breaking the escape mechanism altogether.


The latter can be fixed by turning off emulation and using the DSN charset attribute instead of SET NAMES. The former is tricky, because you have no concept for safely dealing with identifiers (they're just dumped straight into the query). One possible approach would be to wrap all identifiers in backticks while escaping all backticks within the identifiers (through doubling). Whether this actually works in all cases is an open question, though.

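One way to put the two fixes from the reply above into practice, as an added example that is not code from the post, from FrancescoBianco's library, or from its GitHub examples. It assumes PHP 8 and a MySQL-family server; the function names (quoteIdentifier, buildInsert, connect) and the hypothetical connection details are this example's own. Identifiers are wrapped in backticks with embedded backticks doubled, values are bound as parameters, emulated prepares are switched off, and the charset goes into the DSN rather than a SET NAMES query. Query building is separated from execution so the identifier handling can be inspected without a database.

```php
<?php
// Added example (hypothetical helper names, not the library's own API).
declare(strict_types=1);

/**
 * Quote a MySQL identifier: wrap it in backticks and double any backtick
 * inside it, so the name can never close the quote early. A NUL byte is
 * never legal in a MySQL identifier, so it is rejected rather than escaped.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || str_contains($name, "\0")) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build a parameterised INSERT for $table (with optional prefix) from an
 * associative array of column => value. Every column name is quoted as an
 * identifier; every value becomes a positional placeholder and is returned
 * separately so it is bound, never interpolated into the SQL text.
 * Returns [sql, params].
 */
function buildInsert(string $table, array $row, string $prefix = ''): array
{
    if ($row === []) {
        throw new InvalidArgumentException('Nothing to insert');
    }
    $columns      = array_map('quoteIdentifier', array_keys($row));
    $placeholders = array_fill(0, count($row), '?');

    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        quoteIdentifier($prefix . $table),
        implode(', ', $columns),
        implode(', ', $placeholders)
    );
    return [$sql, array_values($row)];
}

/**
 * Open the connection with real server-side prepared statements and with the
 * connection charset declared in the DSN, so PDO knows the encoding it is
 * working with. Credentials here are hypothetical placeholders.
 */
function connect(string $host, string $dbname, string $user, string $pass): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $host, $dbname);
    return new PDO($dsn, $user, $pass, [
        // Real prepared statements: values are sent separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Constructed input: the same hostile column name used in the reply above.
$hostile = "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ";

[$sql, $params] = buildInsert('test', [
    $hostile => 'dummy value',
    'x'      => 'dummy value',
], 'prefix_');

echo $sql, PHP_EOL;        // the hostile key is now one quoted column name
print_r($params);          // the two values travel separately as parameters

// A name containing a backtick cannot break out of the quotes either.
echo quoteIdentifier('a`b'), PHP_EOL;

// Execution would look like this (not run here, since this example has no database):
// $stmt = connect('localhost', 'mydb', 'user', 'secret')->prepare($sql);
// $stmt->execute($params);
```

With the hostile key, buildInsert() produces INSERT INTO `prefix_test` (`x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- `, `x`) VALUES (?, ?): the payload is now a single quoted column name, which MySQL looks up as a column (and fails on, since no such column exists) instead of parsing as SQL. Two caveats a practitioner would want: this quoting is specific to MySQL-style backtick identifiers and does not carry over to databases that use double quotes, and the stronger design is to not accept arbitrary identifiers at all but to check them against an allowlist of the column names the schema actually defines, falling back to quoting only as defence in depth.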
