WebDesignWorx
commented
1 year ago We had a small exchange about this subject the other day in the internal forum. Generally I find this an interesting objective, but there is no one who is really interested in implementing this feature. What we would need is something that would work simultaneously with our current Database class, so we can use both, prepared statements and the old style queries as we do right now. This, because we are not able to change all queries all at once + there are just too many WBCE modules to take care of right away.
I am closing this issue for the time being. However, if someone has a great implementation and wants to share it with us, feel free to open this issue again. Best case scenario would be if you can provide code we can look at.
Atlasfreak
webbird
To mitigate issues like this https://huntr.dev/bounties/c330dc0d-220a-4b15-b785-5face4cf6ef7/ in the future. I think we should rewrite the whole database class to use prepared statements. We would of course also need to rewrite all queries to also use them but over all this would greatly improve security and prevent sql injections. In my opinion it would also simplify interactions with the database as you do not need to worry about escaping the values yourself. Personally I would suggest using PDO but there are also other libriaries that support this.
If I understand this forum post correctly it was already planned 6 years ago and was actually finished. It was published as a module. Although I would not make the distinction between query and prepared query, just have an optional parameter "values" that is passed as prepared values when given.