#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    37
    Rep Power
    2

    My PDO Wrapper Class


    I've made a PDO Wrapper Class.

    Features :
    CREATE TABLE
    SELECT
    INSERT
    UPDATE
    DELETE
    TRUNCATE
    DROP TABLE

    And ofcourse, you can also run free form queries.
    PDO prepared statements are used here, so.... We have an advantage


    Thanks to the original source : https://github.com/mikehenrty/thin-pdo-wrapper

    I modified it and added a lot more features.

    Here is the class source : http://www.scriptings.tk/paste/51e75be5656cb
    Here is the sample test : http://www.scriptings.tk/paste/51e758a96d3c4

    Any changes that are to be made?? Please suggest.
    You're welcome to criticize.
    I'll use it later on for a huge project.

    Thanks for reading. Enjoy PHP!!!
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    I think the biggest issue is the lack of security. The values for the WHERE clause are passed to bound parameters, but all other input is just dumped directly into the query string. This makes all identifiers and the LIMIT clause vulnerable to SQL injections. The wrapper also uses fake prepared statements and doesn't let the user specifiy the character encoding. This is a massive security risk.

    Apart from that:

    Since your code is basically just an extension of the original class, you should actually extend this class rather than modifying the source. This way the original class can be updated at any time without you going through your code and adding the changes manually.

    You have a lot of duplicate code, because you copied and pasted the logic for WHERE, ORDER BY, GROUP BY into every method that needs it. That obviously bloats the code unnecessarily and makes it hard to maintain. Define the logic once (in a private method) and then reuse it. That's the whole purpose of object orientation.

    In general, I don't really see the benefit of this class compared to mainstream libraries like Doctrine, which are much more mature and convenient.

    Just compare this:

    PHP Code:
    $qb
        
    ->select(array('id''name''email')) 
        ->
    from('testing'
        ->
    where('id = 1')
        ->
    andWhere('name LIKE "bob%"')
        ->
    andWhere('email LIKE "%3%"')
        ->
    orderBy('id')
        ->
    limit(20
    to this:
    PHP Code:
    $db->select('testing'
        array(
    "id""name""email"), 
        array(
    "id" => 1"name" => "bob%""email" => "%3%"), 
        array(
    ">""LIKE""LIKE"), 
        array(
    "AND","AND"), 
        
    20
        
    null
        array(
    'id'), 
        array(
    'id' => '')
    ); 

    Comments on this post

    • The Alchemist agrees
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2013
    Posts
    37
    Rep Power
    2
    Originally Posted by Jacques1
    Hi,

    I think the biggest issue is the lack of security. The values for the WHERE clause are passed to bound parameters, but all other input is just dumped directly into the query string. This makes all identifiers and the LIMIT clause vulnerable to SQL injections. The wrapper also uses fake prepared statements and doesn't let the user specifiy the character encoding. This is a massive security risk.

    Apart from that:

    Since your code is basically just an extension of the original class, you should actually extend this class rather than modifying the source. This way the original class can be updated at any time without you going through your code and adding the changes manually.

    You have a lot of duplicate code, because you copied and pasted the logic for WHERE, ORDER BY, GROUP BY into every method that needs it. That obviously bloats the code unnecessarily and makes it hard to maintain. Define the logic once (in a private method) and then reuse it. That's the whole purpose of object orientation.

    In general, I don't really see the benefit of this class compared to mainstream libraries like Doctrine, which are much more mature and convenient.

    Just compare this:

    PHP Code:
    $qb
        
    ->select(array('id''name''email')) 
        ->
    from('testing'
        ->
    where('id = 1')
        ->
    andWhere('name LIKE "bob%"')
        ->
    andWhere('email LIKE "%3%"')
        ->
    orderBy('id')
        ->
    limit(20
    to this:
    PHP Code:
    $db->select('testing'
        array(
    "id""name""email"), 
        array(
    "id" => 1"name" => "bob%""email" => "%3%"), 
        array(
    ">""LIKE""LIKE"), 
        array(
    "AND","AND"), 
        
    20
        
    null
        array(
    'id'), 
        array(
    'id' => '')
    ); 
    Okay. Thanks for the feedback...
    I'll be having a look at doctrine.

    Btw, do you think it'll be a good idea to use another ORM like Laravel's Eloquent if not Doctrine??

    Waiting for your reply.
    Thanks for reading, analysing and suggesting.
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by The Alchemist
    Btw, do you think it'll be a good idea to use another ORM like Laravel's Eloquent if not Doctrine??
    Sure! Use whatever you like best.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo