Secure Database Library

Introduction

This library is compatible with PHP PDO, but does not allow insecure operations (such as concatenation of values into query text in any form) through it. Prepared statements are enforced for all data sent to the database engine, and whitelisting (via taint tracking) is enforced for all SQL parameters (such as LIMIT and ORDER BY) where the back-end engine does not support prepared data. A base library provides all of these features abstracted from any particular database engine, and derived libraries add support for each common database engine.

Usage

1. Include the required database adapter wrapper class. For example, in case of PDO_MYSQL

2. Set up a database connection

3. In case you already have a connection made, you can pass the object directly to the constructor

4. Execute queries. Parameters can be passed as arrays or expanded lists.

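As an added example (not code from this library), a minimal PDO wrapper showing the two rules above: values go through prepared-statement placeholders, while the ORDER BY column, sort direction and LIMIT, which PDO cannot bind as values, are whitelisted or range-checked. It runs on an in-memory SQLite database; the SafeQuery class, the users table and its columns are assumptions.

```php
<?php
// Added example, not the library's own code. Every value is bound through a
// prepared statement; identifiers and clauses PDO cannot bind (ORDER BY column,
// direction, LIMIT) are whitelisted or type-checked instead of concatenated.
// Class name, table and columns are hypothetical; runs on in-memory SQLite.
final class SafeQuery
{
    private const COLUMNS = ['id', 'name', 'created_at'];   // the only identifiers allowed
    public function __construct(private PDO $pdo) {}
    public function selectUsers(array $filters, string $orderBy, string $dir, int $limit): array
    {
        // ORDER BY / LIMIT cannot be placeholders: whitelist and range-check them.
        if (!in_array($orderBy, self::COLUMNS, true)) {
            throw new InvalidArgumentException("ORDER BY column not allowed: $orderBy");
        }
        $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
        if ($limit < 1 || $limit > 1000) {
            throw new InvalidArgumentException("LIMIT out of range: $limit");
        }
        $where = [];
        foreach ($filters as $column => $value) {
            if (!in_array($column, self::COLUMNS, true)) {
                throw new InvalidArgumentException("Filter column not allowed: $column");
            }
            $where[] = "$column = :$column";   // identifier taken from the whitelist only
        }
        $sql = 'SELECT id, name FROM users'
             . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
             . " ORDER BY $orderBy $dir LIMIT :limit";
        $stmt = $this->pdo->prepare($sql);
        foreach ($filters as $column => $value) {
            $stmt->bindValue(":$column", $value);            // value is data, never SQL text
        }
        $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);  // integer, never interpolated
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users (name, created_at) VALUES ('alice', '2024-01-01'), ('o''brien', '2024-02-01')");
$q = new SafeQuery($pdo);
print_r($q->selectUsers(['name' => "o'brien"], 'created_at', 'desc', 10)); // quote in the value is harmless
try { $q->selectUsers([], 'password_hash', 'asc', 10); }                      // rejected: column not whitelisted
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

With a MySQL back end the same wrapper would additionally set PDO::ATTR_EMULATE_PREPARES to false so that statements are prepared server-side rather than by client-side quoting.
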
Files

adapter/base.php

DatabaseConfig class

A single wrapper object for all database configuration options. Easier to pass around a single object to functions than an expanded list.

DatabaseModel class

Parent class for all database wrapper classes. Provides most of the PDO compatible interface functions.

DatabaseStatementModel class

Parent class for all database prepared statements. Contains methods to actually perform queries and fetch data.

adapter/pdo_mysql.php

Database_pdo_mysql class

PDO_MySQL wrapper class. Extends the DatabaseModel class.

DatabaseStatement_pdo_mysql

PDO_MySQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

adapter/pdo_pgsql.php

Database_pdo_pgsql class

PDO_PostgreSQL wrapper class. Extends the DatabaseModel class.

DatabaseStatement_pdo_pgsql

PDO_PostgreSQL prepared statement wrapper class. Extends the DatabaseStatementModel class.

adapter/pdo_sqlite.php

Database_pdo_sqlite class

PDO_SQLite wrapper class. Extends the DatabaseModel class.

DatabaseStatement_pdo_sqlite class

PDO_SQLite prepared statement wrapper class. Extends the DatabaseStatementModel class.

dbmanager.php

DatabaseManager class

This is not used at the moment. It may be needed later if the set of libraries is incorporated into a framework. It is kept for legacy purposes.