|First of all, hello, and thanks for sharing this class, it's so useful, clean and smart.|
I have a suggestion for you, the only lack of your class is that is not secure. You append values directly to query
I made a different model class, with helpers to insert, update, delete and search. I had the same problem you had: dynamic fields, dynamic value types and security issues. I did some research and, same as you, got the PDO concept, and it have the powerful security way to do things: bindParam and bindValue.
The new problem is you need labels, not based in field names because you can get duplicates and this will screw your query.
Why don't you try to loop the values, adding automatic labels (like :label1, :label2, ...) associated with their values, and when you need to execute the query, process all that labels with bindValue ?
You'll build a final security barrier plus the other security checks you do before this calls ...
Maybe this will help to you, it's just my idea :)
João Mário Nedeff
|2012-11-28 14:36:12 - In reply to message 1 from CieNTi|
Thank you for your post.
I think the bindValue function is a great idea to improve the code.
The labeling could improve the code too, because at its present state, it doesnt accept parameters that are not table fields. The __set function checks wheter what the user is trying to set is a table field.
Sometimes it could be useful to set some parameters that do not need to be saved.
For example, one could be calculating something and the intermediate results could be set as parameters, although they don't get saved at the end. They are just sent to the view.
This can be achieved through labels, saving the specific ones, but I didnt get why the need for sequenced labels instead of labeling after fields names.
The field names are unique and they come from the database, not from user input. Why worry with them in the query?