HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpMinor

Database layer class

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
databaselayerclass

Problem

I'm trying to get familiar with database handling. Can you point out my errors and what I should change?

I want to learn new methods, but just don't want to learn it the wrong way.

I do realize these things below, yet I wanted to make the code more clear:

  • I need to bind values for insert()



  • Use try/catch for error handling



  • Password hashing (did not use it to make example simpler)



_db = new PDO('mysql:host=localhost;dbname=mvc;', 'root', '');
        $this->_db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->_db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    }

    public function select($arg)
    {
        $this->_sql .= "SELECT {$arg}";
        return $this;
    }

    public function from($arg)
    {
        $this->_sql .= " FROM {$arg}";
        return $this;
    } 

    public function insert($arg)
    {
        $this->_sql .= "INSERT INTO {$arg}";
        return $this;        
    }

    public function columns($arg)
    {
        $this->_sql .= " ({$arg})";
        return $this;            
    }

    public function values($arg)
    {
        $this->_sql .= " VALUES ({$arg})";
        return $this;            
    }

    public function execute($data = null)
    {
        $this->_sth = $this->_db->prepare($this->_sql);
        $this->_sth->execute($data);
        $this->_sql = null;
        return $this;
    }

    public function fetch()
    {
        return $this->_sth->fetchAll();
    }

    public function getSql()
    {
        return $this->_sql;
    }
}

$query = new Query;

// inserts into database
$query->insert('users')
        ->columns('`username`,`password`')
        ->values('"test","tester"')
        ->execute();

// returns array of users
$query->select('username')
        ->from('users')
        ->execute()
        ->fetch()

?>

Solution

Passwords as plain text!?

If I were using an application or website that stored my password as plain text where anyone with access to the DB seeing this would make me feel very scared:

// inserts into database
$query->insert('users')
        ->columns('`username`,`password`')
        ->values('"test","tester"')
        ->execute();


For the love of your users, please consider password hashing!

Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords.

Redundancy

This:

public function insert($arg)
{
    $this->_sql .= "INSERT INTO {$arg}";
    return $this;        
}

public function columns($arg)
{
    $this->_sql .= " ({$arg})";
    return $this;            
}

public function values($arg)
{
    $this->_sql .= " VALUES ({$arg})";
    return $this;            
}


And this:

// inserts into database
$query->insert('users')
        ->columns('`username`,`password`')
        ->values('"test","tester"')
        ->execute();


That seems redundant, unless you plan on inserting user names and passwords in different tables/columns. Why not shorten it like this:

public function insert($arg)
{
    $this->_sql .= "INSERT INTO users (`username`, `password`) VALUES ({$arg})";
    return $this;        
}

Code Snippets

// inserts into database
$query->insert('users')
        ->columns('`username`,`password`')
        ->values('"test","tester"')
        ->execute();
public function insert($arg)
{
    $this->_sql .= "INSERT INTO {$arg}";
    return $this;        
}

public function columns($arg)
{
    $this->_sql .= " ({$arg})";
    return $this;            
}

public function values($arg)
{
    $this->_sql .= " VALUES ({$arg})";
    return $this;            
}
// inserts into database
$query->insert('users')
        ->columns('`username`,`password`')
        ->values('"test","tester"')
        ->execute();
public function insert($arg)
{
    $this->_sql .= "INSERT INTO users (`username`, `password`) VALUES ({$arg})";
    return $this;        
}

Context

StackExchange Code Review Q#58366, answer score: 5

Revisions (0)

No revisions yet.