PHP Classes

Just an idea

Recommend this page to a friend!

      Model  >  All threads  >  Just an idea  >  (Un) Subscribe thread alerts  
Subject:Just an idea
Summary:An idea to fix a possible security breach
Date:2012-11-27 18:50:53
Update:2012-11-28 14:36:12


  1. Just an idea   Reply   Report abuse  
Picture of CieNTi CieNTi - 2012-11-27 18:50:53
First of all, hello, and thanks for sharing this class, it's so useful, clean and smart.

I have a suggestion for you, the only lack of your class is that is not secure. You append values directly to query

I made a different model class, with helpers to insert, update, delete and search. I had the same problem you had: dynamic fields, dynamic value types and security issues. I did some research and, same as you, got the PDO concept, and it have the powerful security way to do things: bindParam and bindValue.

The new problem is you need labels, not based in field names because you can get duplicates and this will screw your query.

Why don't you try to loop the values, adding automatic labels (like :label1, :label2, ...) associated with their values, and when you need to execute the query, process all that labels with bindValue ?

You'll build a final security barrier plus the other security checks you do before this calls ...

Maybe this will help to you, it's just my idea :)


  2. Re: Just an idea   Reply   Report abuse  
Picture of João Mário Nedeff João Mário Nedeff - 2012-11-28 14:36:12 - In reply to message 1 from CieNTi

Thank you for your post.

I think the bindValue function is a great idea to improve the code.

The labeling could improve the code too, because at its present state, it doesnt accept parameters that are not table fields. The __set function checks wheter what the user is trying to set is a table field.

Sometimes it could be useful to set some parameters that do not need to be saved.

For example, one could be calculating something and the intermediate results could be set as parameters, although they don't get saved at the end. They are just sent to the view.

This can be achieved through labels, saving the specific ones, but I didnt get why the need for sequenced labels instead of labeling after fields names.

The field names are unique and they come from the database, not from user input. Why worry with them in the query?