FrancescoBianco

Manipulate Database Schema with ORM


I don't think you'll get a lot of feedback when there's no documentation anywhere. Even the code examples on GitHub don't work due to typos and wrong array keys (looks like “user”, “pass”, “name” and “pref” should actually be “username”, “password”, “dbname” and “prefix”). You offer an Italian ebook, but that's just empty (and Italian).


Your code is wide open to SQL injection attacks through identifiers:

$db->apply([
    'test' => [
        'x' => $db::TEXT,
    ],
]);

$db->insert('test', [
    "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- " => "dummy value",
    "x" => "dummy value",
]);

This puts your exact MySQL version (or any other sensitive data) into the column:

INSERT INTO `prefix_test` (x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,x) VALUES (:x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ,:x)

You're also using emulated prepared statements (this is a PDO default) and a SET NAMES query, which can make the values vulnerable to injection attacks as well. Emulation means that PDO doesn't actually use prepared statements, it merely auto-escapes all values. When you use SET NAMES, you silently change the connection encoding without notifying PDO, potentially breaking the escape mechanism altogether.


The latter can be fixed by turning off emulation and using the DSN charset attribute instead of SET NAMES. The former is tricky, because you have no concept for safely dealing with identifiers (they're just dumped straight into the query). One possible approach would be to wrap all identifiers in backticks while escaping all backticks within the identifiers (through doubling). Whether this actually works in all cases is an open question, though.
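As an added illustration of the two fixes described in the reply above (not code from the original thread or from the ORM being discussed): a PDO connection with emulation turned off and the charset in the DSN, plus the backtick-doubling approach for identifiers, fed the exact hostile column key from the post. The connection parameters are placeholders, and the stricter pattern check is an extra safeguard added here, not something the reply proposes.

```php
<?php
// Added example, not part of the original post or the ORM under discussion.
// Host, database name and credentials below are hypothetical placeholders.

declare(strict_types=1);

/**
 * Quote a MySQL identifier the way the reply suggests: wrap it in backticks
 * and double any backtick inside it. NUL bytes are never valid in identifiers,
 * and MySQL caps identifier length at 64 characters, so both are rejected.
 */
function quoteIdentifier(string $name): string
{
    if ($name === '' || strlen($name) > 64 || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Stricter alternative (added here): only accept identifiers matching a
 * conservative pattern. This rejects the injection payload outright instead
 * of relying on quoting to neutralise it.
 */
function assertSafeIdentifier(string $name): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name)) {
        throw new InvalidArgumentException('Rejected identifier: ' . $name);
    }
    return $name;
}

/**
 * Build an INSERT where every identifier is quoted and every value goes
 * through a named placeholder. Placeholder names are generated (:v0, :v1, ...)
 * rather than derived from column names, so a hostile column name can never
 * shape the placeholder either. Returns [$sql, $params].
 */
function buildInsert(string $prefix, string $table, array $row): array
{
    $columns = [];
    $placeholders = [];
    $params = [];
    $i = 0;
    foreach ($row as $column => $value) {
        $columns[] = quoteIdentifier((string) $column);
        $placeholders[] = ':v' . $i;
        $params[':v' . $i] = $value;
        $i++;
    }
    $sql = 'INSERT INTO ' . quoteIdentifier($prefix . $table)
         . ' (' . implode(', ', $columns) . ')'
         . ' VALUES (' . implode(', ', $placeholders) . ')';
    return [$sql, $params];
}

/**
 * Connection with native (non-emulated) prepared statements and the charset
 * declared in the DSN instead of a SET NAMES query, so PDO knows the encoding.
 */
function connect(string $host, string $dbname, string $user, string $pass): PDO
{
    $dsn = 'mysql:host=' . $host . ';dbname=' . $dbname . ';charset=utf8mb4';
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Constructed input: the same column keys used in the post, no database needed.
[$sql, $params] = buildInsert('prefix_', 'test', [
    "x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- " => 'dummy value',
    'x' => 'dummy value',
]);
echo $sql, PHP_EOL;
// With quoting applied, the hostile key is one backtick-delimited column name
// and the appended SELECT is never parsed as SQL; MySQL would fail the
// statement with an unknown-column error rather than execute it.

// The stricter check refuses the same key before any SQL is built.
try {
    assertSafeIdentifier("x) SELECT CONCAT('The MySQL version is: ', VERSION()) -- ");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Executing against a real server would look like this (placeholders):
// $pdo = connect('db.example', 'appdb', 'appuser', 'secret');
// $pdo->prepare($sql)->execute($params);
```

Backtick doubling is what the reply floats as a possibility; the pattern check is the conservative answer to its "does this work in all cases" question, since an identifier that only ever contains letters, digits and underscores leaves nothing for quoting to get wrong. Turning emulation off matters for the value side: with PDO::ATTR_EMULATE_PREPARES set to false the placeholders are sent to the server separately from the statement, so the connection encoding is no longer part of the escaping story.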
