To improve security and code readability, I have refactored the database classes `Database`, `Database\Query` and `Sql`. Some minor features have been added along the way. Full changelog:

- Quote identifiers (tables and columns) to allow using reserved names and strange characters in identifiers
- Validate table and column names using a whitelist
- Use bindings instead of quoting internally
- Bind all parameters that can be bound (everything except SQL string parameters)
- Validate SQL keywords, predicates and operators like `<=`, `IN` and `PRIMARY KEY`
- Split up SQL class into MySQL and SQLite specific methods where necessary to improve code readability
- `$query->having()`: Support for the `where()` syntax
- Use TIMESTAMP type for timestamps in MySQL instead of INT
- Disable prepare emulation to use native prepared statements where possible
- Improvements and fixes for SQLite databases
- Comment and naming improvements
Because of the added validations, some existing code may break (that's good!). Also, maybe there are some edge cases that will currently not work. So this definitely needs to be included in a Kirby beta before release.
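The changelog items above (identifier whitelisting and quoting, operator validation, bindings instead of inline quoting, native prepared statements) combine into one pattern. The following is an added illustration of that pattern against PDO, not Kirby's own code: the class name `SafeQuery`, its methods and the operator whitelist are hypothetical, and the sample table is constructed in an in-memory SQLite database.

```php
<?php
// Added illustration (not Kirby's code): whitelist identifiers, quote them with
// the driver's quote character, whitelist operators, and bind every value.
// The class, its method names and the whitelist are hypothetical.

class SafeQuery
{
    private PDO $pdo;
    private string $driver;

    // Hypothetical whitelist of allowed comparison predicates
    private const OPERATORS = ['=', '<>', '<', '<=', '>', '>=', 'LIKE', 'IN'];

    public function __construct(PDO $pdo)
    {
        // Native prepared statements: the server/driver receives SQL and data
        // separately. SQLite's PDO driver ignores this attribute; MySQL honours it.
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo    = $pdo;
        $this->driver = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
    }

    // Whitelist: only letters, digits and underscores, not starting with a digit.
    public function validateIdentifier(string $name): string
    {
        if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) !== 1) {
            throw new InvalidArgumentException('Invalid identifier: ' . $name);
        }
        return $name;
    }

    // Quote a validated identifier so reserved words such as "order" work as names.
    public function quoteIdentifier(string $name): string
    {
        $name = $this->validateIdentifier($name);
        return $this->driver === 'mysql' ? '`' . $name . '`' : '"' . $name . '"';
    }

    public function validateOperator(string $op): string
    {
        $op = strtoupper(trim($op));
        if (!in_array($op, self::OPERATORS, true)) {
            throw new InvalidArgumentException('Invalid operator: ' . $op);
        }
        return $op;
    }

    // SELECT <columns> FROM <table> WHERE <column> <op> :value
    // The value only ever travels through a binding, never through the SQL string.
    public function selectWhere(string $table, array $columns, string $column, string $op, $value): array
    {
        $op   = $this->validateOperator($op);
        $cols = implode(', ', array_map([$this, 'quoteIdentifier'], $columns));
        $sql  = 'SELECT ' . $cols . ' FROM ' . $this->quoteIdentifier($table)
              . ' WHERE ' . $this->quoteIdentifier($column) . ' ' . $op;

        $bindings = [];
        if ($op === 'IN') {
            // One named placeholder per element; each element is still bound
            $placeholders = [];
            foreach (array_values((array) $value) as $i => $v) {
                $placeholders[]      = ':v' . $i;
                $bindings[':v' . $i] = $v;
            }
            $sql .= ' (' . implode(', ', $placeholders) . ')';
        } else {
            $sql .= ' :v0';
            $bindings[':v0'] = $value;
        }

        $stmt = $this->pdo->prepare($sql);
        foreach ($bindings as $key => $v) {
            $stmt->bindValue($key, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample data; "order" is a reserved word and only works because it is quoted
$pdo = new PDO('sqlite::memory:');
$q   = new SafeQuery($pdo);
$pdo->exec('CREATE TABLE "order" ("id" INTEGER PRIMARY KEY, "status" TEXT)');
$pdo->exec("INSERT INTO \"order\" (\"status\") VALUES ('open'), ('closed')");

var_dump($q->selectWhere('order', ['id', 'status'], 'status', '=', 'open'));     // one row
var_dump($q->selectWhere('order', ['id'], 'status', 'IN', ['open', 'closed'])); // two rows
var_dump($q->selectWhere('order', ['id'], 'status', '=', "open' OR 'a'='a"));   // no rows: stays data

// An identifier outside the whitelist is rejected before any SQL is built
try {
    $q->selectWhere('order; DROP TABLE "order"', ['id'], 'status', '=', 'open');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Two design points worth noting: identifier validation happens before quoting, so the quote character itself can never appear inside a quoted name, and the `IN` branch shows why "everything except SQL string parameters" can be bound, since a list of values expands into a list of placeholders rather than into concatenated text.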