| Subject: | I appreciate the ability to build... |
|---|
| Summary: | Package rating comment |
|---|
| Messages: | 4 |
|---|
| Author: | per |
|---|
| Date: | 2014-02-21 22:34:42 |
|---|
| Update: | 2014-02-24 19:08:02 |
|---|
| |
|
|
per rated this package as follows:
| Utility: | Good |
|---|
| Consistency: | Good |
|---|
| Examples: | Good |
|---|
|
|
 per - 2014-02-21 22:34:42 I appreciate the ability to build queries in code, you code is very usefull, but lacking. This code is currently unsuitable for exposure to an internet facing server. Even though you excape your string, I could still give your the variable like... $safe_escaped = '1 UNION SELECT password FROM users. Or use crazy combinations of concat, char, hex, and undex to manually write out my command without your escaped slashes.
 Carlo Pietrobattista - 2014-02-22 11:32:09 - In reply to message 1 from perHi there, thank you for your feedback.
I am not sure what you mean when you say that I am escaping the string?
Place holders with PDO are been used to escape values.
If you are feeding a custom stetement to the run method, well that is up to the programmer to secure the query then.
Make sure that you have read the manual also.
Please explain more in details what you mean, so that I can actually address the issue and improve the interface, thank you.
per - 2014-02-24 19:05:25 - In reply to message 2 from Carlo PietrobattistaYour right, I missed the line: $this->_query->bindValue( $pos , $value , $type );
and got thrown off by the line: $query = 'INSERT INTO ' . $this->_table . ' (' . $fields . ') VALUES (' . $values . ')';
This be because i belive the variable $values contained the values, but rather it contains to bound variable name ie.. (:1, :2, :3).
I will re-rate this code. For I believe it to be secure.
per - 2014-02-24 19:08:02 - In reply to message 1 from perAuthor provides an excelent PDO solution. I plan to give this code a try.
|
