Use PDO and parameterised queries

[Simon-Davies]

In the light of the recent SQL Injection vulnerability in Joomla 3.7 would it not be a good idea to rewrite Joomla's code to use PDO and parameterised queries?

I know this would be a lot of work but I'm willing to help.

[mbabker]

It's not possible during 3.x, ext/mysql doesn't support prepared statements and it's not worth it to emulate this, especially as we're dropping it in 4.0.

As for the rest of the package, the bulk of the work is already done but the implementations are more reliant on each driver's configuration so right now I'm not sure even with all the work ported over we could write SQL and handle parameterized queries all that well without having an extra layer of string processing in our query processing code.

This is the stuff that needs to be ported over:

• joomla-framework/database@66035e4 - Adds bound variables to the PDO MySQL query object (note the abstract PDO driver already supports prepared statements)
• Add PDO PostgreSQL driver joomla-framework/database#40 - PDO implementation of PostgreSQL, usable in parallel with the native ext/pgsql support
• Prepared Statement Support for MySQLi Driver joomla-framework/database#38 - MySQLi prepared statement support
• Add prepared statement support for PostgreSQL driver joomla-framework/database#39 - PostgreSQL prepared statement support
• Prepared statement support for SQL Server joomla-framework/database#78 - SQL Server prepared statement support

[SniperSister]

Count me in here too, would love to see that happen!

[mbabker]

#16402 would make use of the Framework database package in 4.0. Includes making prepared statement support available and PDO PostgreSQL connections.

[brianteeman]

closed as this work is in progress as mentioned above.