Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Functions SQL in ?u #41

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Functions SQL in ?u #41

wants to merge 1 commit into from

Conversation

jahimluk
Copy link

@jahimluk jahimluk commented Apr 8, 2017
edited
Loading

Example:

$data = [
    'status' => 'value', 
    '#time' => 'NOW()'
];

print $DB->parse('UPDATE `table` SET ?u', $data);

Result:

UPDATE `table` SET `status`='value',`time`=NOW()

@jahimluk
Functions MySQL in ?u
8532131 
Example:

$data = [
    'status' => 'value', 
    '#time' => 'NOW()'
];

print $DB->parse('UPDATE `table` SET ?u', $data);

Result:

UPDATE `table` SET `status`='value',`time`=NOW()
@jahimluk jahimluk changed the title Functions MySQL in ?u Functions SQL in ?u Apr 8, 2017
@alexprey
Copy link

But in this case you introduce a new security issue. For solve your problem you can use the next code

$data = [
    'status' => 'value',
    'time' => time()
];

@jahimluk
Copy link
Author

jahimluk commented Apr 11, 2017
edited
Loading

Yes, this code would be dangerous (like ?p):

$data = [
    'status' => 'value', 
    '#time' => $_POST['input']
    // OR $_POST['input'] => 'value'
];

But where is the danger in first code? I remind you time() and NOW() in sql its different. In your way, I would have to reprogram the entire site

@alexprey
Copy link

This library oriented to safe execution of SQL code and all placeholders applies the specified filter which makes all input data is safe.

@colshrapnel
Copy link
Owner

@pietuchowski
Thank you for this PR. I appreciate its simplicity, but in general it contradicts with the lib's ideology.
For now the rules are plain and simple: MySQL functions are written in the SQL, while only literal values are added via ?u placeholder:

$data = [
    'status' => 'value', 
];
print $DB->parse('UPDATE `table` SET time => NOW(), ?u', $data);

Remember, there are functions that require a parameter, like INET_ATON() for example:

$data = [
    'field1' => $value,
    'field2' => $value,
];
$sql  = "INSERT INTO table SET dt=NOW(), ip=INET_ATON(?s), ?u";
$db->query($sql, $ip, $data);

With this approach all use cases are consistent, whenever we have a function with a parameter or not.
I prefer to keep the tool as simple and consistent as possible, and if I can avoid adding another exceptional rule, I would prefer to avoid it.

Yes, I understand that sometimes array fields could be conditional, and in this case one couldn't put NOW() directly in the query. But I consider this issue rather odd, and for it I would use the condition with parse().

But also I understand that you most likely would prefer your own way.
Recently I committed a change that made the class extensible. May be you could just create your own class extending safemysql, changing only this method's implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jahimluk @alexprey @colshrapnel