Replace db->execute() with prepared statements
Description
Prepared statements like `insertOrUpdate()`, `update()` or `fetchAllValues()` help us to write more readable code and help to prevent SQL injections. We want to avoid using `$this->db->execute()` in general. Often `execute()` just got used because it was the fastest way to move models to gateways in #9 (closed).
Solution
- Search for `$this->db->execute(` (at issue creation there were 23x after !1207 (merged))
- For some statements there is no prepared statement yet. Try to evaluate if they are safe if you can't find a replacement
- Use prepared statements wherever you can (linked below)
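The two triage steps above (search for `$this->db->execute(` calls, then judge whether each remaining one is safe) as an added Python helper. This is example code, not foodsharing's own code, and it does not assume anything about the `Database` class signatures: it only looks at the SQL argument of each call. The `DemoGateway` PHP source is constructed for the demo, the "constant" / "needs-review" verdicts are a heuristic (a plain string literal with no interpolation or concatenation is treated as safe, everything else as something a reviewer must look at), and `injection_demo()` shows on an in-memory SQLite table why the flagged string-built query is the dangerous one and a bound parameter is not.

```python
"""Triage helper: find $this->db->execute( calls in PHP source and flag the
ones whose SQL is assembled from variables. Added example, not project code;
the classification is a heuristic, not a PHP parser."""
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass

CALL = "$this->db->execute("

# Constructed PHP gateway used only for this demo (not a real project file).
SAMPLE_PHP = r"""<?php
class DemoGateway
{
    public function countAll(): int
    {
        return $this->db->execute('SELECT COUNT(*) FROM fs_demo');
    }
    public function byName(string $name)
    {
        return $this->db->execute("SELECT * FROM fs_demo WHERE name = '$name'");
    }
    public function byId(int $id)
    {
        return $this->db->execute('SELECT * FROM fs_demo WHERE id = ' . $id);
    }
    public function byStatus(string $status)
    {
        return $this->db->execute("SELECT * FROM fs_demo WHERE status = 'active'");
    }
}
"""


@dataclass
class ExecuteCall:
    line: int       # 1-based line of the call in the source
    argument: str   # raw text of the first argument (the SQL expression)
    verdict: str    # "constant" or "needs-review"


def _first_argument(src: str, start: int) -> str:
    """Return the first argument of the call whose '(' is at src[start],
    skipping over nested parentheses and quoted strings."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":          # skip escaped character inside a string
                i += 2
                continue
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i].strip()
        elif ch == "," and depth == 1:
            return src[start + 1:i].strip()
        i += 1
    return src[start + 1:].strip()


def classify(argument: str) -> str:
    """A single-quoted literal, or a double-quoted literal without any '$'
    interpolation, cannot carry user data; anything else needs a human look."""
    if re.fullmatch(r"'(?:[^'\\]|\\.)*'", argument):
        return "constant"
    if re.fullmatch(r'"(?:[^"\\$]|\\.)*"', argument):
        return "constant"
    return "needs-review"


def find_execute_calls(src: str) -> list[ExecuteCall]:
    calls, pos = [], 0
    while (idx := src.find(CALL, pos)) != -1:
        paren = idx + len(CALL) - 1
        arg = _first_argument(src, paren)
        calls.append(ExecuteCall(src.count("\n", 0, idx) + 1, arg, classify(arg)))
        pos = paren + 1
    return calls


def report(src: str) -> dict[str, int]:
    counts = {"constant": 0, "needs-review": 0}
    for call in find_execute_calls(src):
        counts[call.verdict] += 1
        print(f"line {call.line}: {call.verdict:12} {call.argument}")
    return counts


def injection_demo(payload: str = "x' OR '1'='1") -> tuple[int, int]:
    """Same lookup as DemoGateway::byName, once with the value spliced into
    the SQL and once bound as a parameter. Returns (rows_unsafe, rows_safe)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fs_demo (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO fs_demo VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    unsafe = con.execute(f"SELECT * FROM fs_demo WHERE name = '{payload}'").fetchall()
    safe = con.execute("SELECT * FROM fs_demo WHERE name = ?", (payload,)).fetchall()
    con.close()
    return len(unsafe), len(safe)


if __name__ == "__main__":
    print(report(SAMPLE_PHP))
    print("rows returned (string-built, parameterised):", injection_demo())
```

Running it lists the four calls in the sample, marks lines 10 and 14 as needing review, and shows the string-built query returning every row for the `' OR '1'='1` payload while the bound parameter matches nothing. Treat a "constant" verdict as a hint only; a call that passes a variable holding a literal is still flagged, and a call that builds SQL in a helper before passing it is not seen at all, so the grep results still have to be read.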
Still left and not yet supported by `Database` class:

- GroupGateway
- ForumFollowerGateway
- FoodsaverGateway
- FoodSharePointGateway (!1267 (merged))
- WorkGroupGateway
- EmailGateway (!1267 (merged))
- MailboxGateway (!1267 (merged))
- StatsmanGateway
- RegionGateway
- MigrateGateway
Links / references
Edited by Alex