Every single SQL request can be logged, but is also stored inside the Table
object.
    Model::first(1);
    echo Model::table()->last_sql; // outputs SQL
find_by_sql is safe too.
    Model::find_by_sql('SELECT * FROM `models` WHERE `name` = ?', array('John'));
But might not be if you're very dumb.
    // Do *not* do this, *ever*!
    Model::find_by_sql("SELECT * FROM `models` WHERE `name` = '$name'");
Except find_by_pk, no methods are safe because you'll always be able to build some kind of SQL from variables. Be smart and don't mess with PDO.
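The difference between the two find_by_sql calls above comes down to what reaches the database driver: a template with `?` placeholders plus a separate values array, or one string with the variable already spliced in. The following is an added example, not code from the forum posters or from php-activerecord itself. It reproduces that difference with plain PDO against an in-memory SQLite table (so it runs offline with only the pdo_sqlite extension), stands in for find_by_sql's prepare/execute with direct PDO calls, and uses a hypothetical FileLogger class shaped like the object set_logger() expects (a class with a log($sql) method). The table contents and the injection payload are constructed for the demonstration.

```php
<?php
// Added example, not from php-activerecord or the thread's posters.
// Shows why a bound value cannot change the query while an interpolated
// one can, and what a logger sees in each case. Requires pdo_sqlite.

// Stand-in for the logger wired up with Config::set_logger(): the only
// contract is a log($sql) method. Writing to a file rather than back into
// the database avoids the "AR inside AR" loop the poster ran into.
class FileLogger
{
    private $path;

    public function __construct($path)
    {
        $this->path = $path;
    }

    public function log($sql)
    {
        file_put_contents($this->path, date('c') . ' ' . $sql . "\n", FILE_APPEND);
    }
}

$logger = new FileLogger(sys_get_temp_dir() . '/sql.log');

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. SQLite accepts MySQL-style backtick identifiers,
// so the queries can keep the same shape as the ones in the thread.
$pdo->exec("CREATE TABLE `models` (`id` INTEGER PRIMARY KEY, `name` TEXT, `secret` TEXT)");
$pdo->exec("INSERT INTO `models` (`name`, `secret`) VALUES ('John', 'john-secret'), ('Jane', 'jane-secret')");

// Attacker-controlled input: a constructed injection payload.
$name = "x' OR '1'='1";

// 1. String interpolation, the pattern the thread says never to use.
//    The quote in the payload closes the literal and the rest becomes SQL,
//    so the WHERE clause is true for every row.
$unsafeSql = "SELECT * FROM `models` WHERE `name` = '$name'";
$logger->log($unsafeSql);   // the log records the payload as part of the statement
$unsafeRows = $pdo->query($unsafeSql)->fetchAll(PDO::FETCH_ASSOC);
printf("interpolated: %d row(s) returned\n", count($unsafeRows)); // 2: both records leak

// 2. Placeholder plus values array, the mechanism behind find_by_sql($sql, $values).
//    The template is prepared first; the value is handed over separately and is
//    only ever compared as data, never parsed as SQL.
$safeSql = 'SELECT * FROM `models` WHERE `name` = ?';
$logger->log($safeSql);     // the log shows the template with its ?, not the value
$stmt = $pdo->prepare($safeSql);
$stmt->execute(array($name));
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("bound:        %d row(s) returned\n", count($safeRows));   // 0: nothing is named "x' OR '1'='1"
```

The same split applies to the logging question later in the thread: with bound parameters the logged statement is the template, so a log line like `SELECT * FROM `models` WHERE `name` = ?` is exactly what you want to see, whereas a logged statement that already contains user input is the signal that something was interpolated on the way in.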
Ah, good, very informative. Thank you, Yoan. I've searched around the wiki and the forum and I haven't found sufficient documentation on using set_logger. Reading config.php and connection.php, it looks as if I have to pass in my own class that has a method log with an argument $sql. How do I pass a class into set_logger?
p.s. you can pass a string into set_logger just fine until AR tries to call a method of the non-object. Interesting tidbit.
update: ok, so I figured out how to pass a class into the initialize config. Is this the best way to do so?

    class logger {
        public function log($sql) {
            echo $sql."<br>";
        }
    }

    $theLogger = new logger();
    ActiveRecord\Config::initialize(function($cfg) use($theLogger)
    {
        $cfg->set_model_directory('model');
        $cfg->set_connections(array('development' => 'mysql://***:***@***/***'));
        $cfg->set_logger($theLogger);
        $cfg->set_logging(true);
    });
I would say no, because the first thing I want to do in my class logger is to throw my results into a DB which would require me to use AR which would require AR to be inside of AR. Inception!
Use PEAR::Log to avoid inception:
- http://pear.php.net/package/Log
- http://www.indelible.org/php/Log/guide.html#the-sql-db-handler
Was I using the correct way of passing the logger into set_logger? If so, maybe you can copy my example, or an example using PEAR::Log, into the Wiki; I bet others would benefit from this knowledge as well :)
The tests have an example:
https://github.com/kla/php-activerecord/blob/master/test/helpers/config.php#L49
The Wiki is by definition open, I'd say feel free to enrich it.
Subject: SQL Injection
I know that using find_by_sql will not protect against SQLI, but if I was to search with something basic like:

    model::first($id);
does that have SQLI protections?
Basically what does and what doesn't?