Feature: QueryBuilder prepared statements #323

Closed
opened 2025-03-07 21:51:34 +00:00 by jamie · 5 comments
jamie commented 2025-03-07 21:51:34 +00:00 (Migrated from git.hazaar.io)

Problem Statement

The Hazaar DBI query builder currently does not utilize PHP's prepared statement queries, which can lead to potential security risks (e.g., SQL injection) and performance inefficiencies due to repeated query parsing. Implementing prepared statements will improve security and efficiency in query execution.

Who will benefit?

  • Developers using Hazaar DBI for database interactions.
  • Applications that require secure and efficient database queries.
  • Systems handling user input, reducing the risk of SQL injection.

Benefits and risks

Benefits

  • Security: Protects against SQL injection by properly binding query parameters.
  • Performance: Reduces query parsing overhead by allowing query reuse.
  • Maintainability: Simplifies query building by enforcing parameterized inputs.

Risks

  • Backward Compatibility: Existing queries may require refactoring.
  • Implementation Complexity: The query builder needs to be redesigned to support prepared statements properly.

Proposed Solution

  1. Modify the Hazaar DBI query builder to generate prepared statements instead of raw SQL queries.
  2. Implement parameter binding to replace direct variable interpolation.
  3. Ensure compatibility with different database drivers.
  4. Provide a migration guide for developers to update existing queries.
  5. Implement testing to verify query execution and security improvements.

Priority/Severity

  • [x] High (This will bring a huge increase in performance/productivity/usability/legislative cover)
  • [ ] Medium (This will bring a good increase in performance/productivity/usability)
  • [ ] Low (anything else e.g., trivial, minor improvements)
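The two points of the issue body, the interpolation problem described in the Problem Statement and the placeholder-plus-binding design called for in steps 1 and 2 of the Proposed Solution, as an added example that is not Hazaar's code: a minimal builder that emits SQL containing only `?` placeholders together with a parameter array, and runs it through `PDO::prepare()`. It assumes PHP 8 with the pdo_sqlite extension; the `SelectBuilder` class, the `users` table, its rows and the sample input are all constructed for this example.

```php
<?php
// Added example, not Hazaar DBI code. Assumes PHP 8 with pdo_sqlite.
declare(strict_types=1);

final class SelectBuilder
{
    private string $table;
    /** @var string[] compiled "column op ?" fragments */
    private array $conditions = [];
    /** @var array<int, mixed> values bound positionally at execute time */
    private array $params = [];

    public function __construct(string $table)
    {
        // Identifiers cannot be bound as parameters, so they are checked
        // against an allow-list pattern and quoted instead of interpolated raw.
        $this->table = self::quoteIdentifier($table);
    }

    public function where(string $column, string $operator, mixed $value): static
    {
        $allowed = ['=', '<>', '<', '<=', '>', '>=', 'LIKE'];
        if (!in_array($operator, $allowed, true)) {
            throw new InvalidArgumentException("Unsupported operator: $operator");
        }
        // The value never enters the SQL text; only a positional "?" is emitted.
        $this->conditions[] = self::quoteIdentifier($column) . " $operator ?";
        $this->params[] = $value;
        return $this;
    }

    /** @return array{0: string, 1: array} SQL with placeholders, and the bound values */
    public function compile(): array
    {
        $sql = "SELECT * FROM {$this->table}";
        if ($this->conditions !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $this->conditions);
        }
        return [$sql, $this->params];
    }

    public function fetchAll(PDO $pdo): array
    {
        [$sql, $params] = $this->compile();
        $stmt = $pdo->prepare($sql);   // parsed once; the statement can be re-executed
        $stmt->execute($params);       // values are sent as data, not as SQL
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    private static function quoteIdentifier(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        return '"' . $name . '"';
    }
}

// Constructed fixture: an in-memory SQLite database with two users.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed untrusted input containing a quote and an OR clause.
$input = "' OR '1'='1";

// Before (what the issue describes): interpolation lets the input alter the
// query's structure, so the filter no longer filters.
$raw = "SELECT * FROM users WHERE name = '$input'";
$rowsRaw = $pdo->query($raw)->fetchAll(PDO::FETCH_ASSOC);

// After (what the issue proposes): the same input is bound as a literal value,
// and no user has that exact name.
$rowsBound = (new SelectBuilder('users'))->where('name', '=', $input)->fetchAll($pdo);

printf("interpolated: %d rows, bound: %d rows\n", count($rowsRaw), count($rowsBound));
```

Two design points worth carrying into the real builder: only values can be bound, so table and column names still need an allow-list or driver-specific quoting (the regex above is the simplest form of that); and for step 3 of the proposal, drivers differ on placeholder syntax and on whether prepares are emulated client-side, so the compile step should produce driver-neutral positional placeholders and leave any translation to the driver layer.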
jamie commented 2025-03-07 21:59:44 +00:00 (Migrated from git.hazaar.io)

assigned to @jamie
jamie commented 2025-03-07 22:39:25 +00:00 (Migrated from git.hazaar.io)

changed title from Feature: Query builder prepared statements to Feature: QueryBuilder prepared statements
jamie commented 2025-03-14 04:59:13 +00:00 (Migrated from git.hazaar.io)

created branch [`323-feature-querybuilder-prepared-statements`](/hazaar/framework/-/compare/master...323-feature-querybuilder-prepared-statements) to address this issue
jamie commented 2025-03-14 04:59:18 +00:00 (Migrated from git.hazaar.io)

mentioned in merge request !215
jamie commented 2025-03-17 10:06:58 +00:00 (Migrated from git.hazaar.io)

mentioned in commit dc36239813600b2efff46b0cf96285ab6f48591d
jamie (Migrated from git.hazaar.io) closed this issue 2025-03-17 10:06:58 +00:00
jamie self-assigned this 2025-09-04 01:14:39 +00:00
Reference: hazaar/framework#323