Revisions to Using dynamic methods to build SQL queries in CodeIgniter

added 603 characters in body

Source Link

edited May 25, 2020 at 22:46

8.8k
1
17
31

In accordance with PSR-1, your method names should be in camelCase. To avoid function name conflicts (native count() with custom count()), it may be best to prefix the method names' functionality with easy or simple, ci, or ar for Active Record.

"Embrace the curly brace." Always use curly braces to encapsulate your language construct and function bodies -- even if they only have one line of code inside them. Not using { and } may lead to developer confusion or unintended/incorrect code logic.

For versatility, I recommend passing an array of arrays to your Crud methods. This will allow you to separate column names from values, enable you to turn off CI's automatic quoting (protect_identifiers flag) when necessary (3rd element in a respective subarray), and effortlessly pass multiple where conditions when required. There is a multitude of reasons for this utility -- here is just one: https://stackoverflow.com/q/2489453/2943403.

I meanGranted, your Read() method _could_be as simple as passing the table name and an associative array of conditions to get_where(), but that approach doesn't permit the flexibility of turning off the auto-quoting.

Using $_GET data is perfectly fine when calling your Read() or Count() methods, but it is not recommended when you are writing to the database. For Insert(), Update(), and Delete(), you need to be collecting user-supplied data via $_POST data only.

Note, IDon't give your users any more access/privilege than absolutely necessary. I wouldn't be letting people know what my table or column names are called. I wouldn't want to offer them the flexibility to nominate the table/column that they want to access as a means-- purely on the grounds of security.

Perhaps provide some kind of alias/whitelist to convert the user data to model entity identifiers (translate the table/column names with in the model) or ideally make all of the table/column names static/hardcoded (provided by you, the developer).

public function changeStatus() {
    $tableName = $this->input->post('tableName');  // I don't like it
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->ciUpdate($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

In accordance with PSR-1, your method names should be in camelCase. To avoid function name conflicts (native count() with custom count(), it may be best to prefix the method names' functionality with easy or simple, ci, or ar for Active Record.

For versatility, I recommend passing an array of arrays to your Crud methods. This will allow you to separate column names from values, enable you to turn off CI's automatic quoting (protect_identifiers flag) when necessary (3rd element in a respective subarray), and effortlessly pass multiple where conditions when required.

I mean your Read() method _could_be as simple as passing the table name and an associative array of conditions to get_where(), but that approach doesn't permit the flexibility of turning off the auto-quoting.

Using $_GET data is perfectly fine when calling your Read() or Count() methods, but it is not recommended when you are writing to the database. For Insert(), Update(), and Delete(), you need to be collecting $_POST data only.

Note, I wouldn't be letting people know what my table or column names are called. I wouldn't want to offer them the flexibility to nominate the table/column that they want to access as a means of security.

Perhaps provide some kind of alias/whitelist to convert the user data to model entity identifiers (translate the table/column names with in the model).

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->ciUpdate($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

In accordance with PSR-1, your method names should be in camelCase. To avoid function name conflicts (native count() with custom count()), it may be best to prefix the method names' functionality with easy or simple, ci, or ar for Active Record.

"Embrace the curly brace." Always use curly braces to encapsulate your language construct and function bodies -- even if they only have one line of code inside them. Not using { and } may lead to developer confusion or unintended/incorrect code logic.

For versatility, I recommend passing an array of arrays to your Crud methods. This will allow you to separate column names from values, enable you to turn off CI's automatic quoting (protect_identifiers flag) when necessary (3rd element in a respective subarray), and effortlessly pass multiple where conditions when required. There is a multitude of reasons for this utility -- here is just one: https://stackoverflow.com/q/2489453/2943403.

Granted, your Read() method _could_be as simple as passing the table name and an associative array of conditions to get_where(), but that approach doesn't permit the flexibility of turning off the auto-quoting.

Using $_GET data is perfectly fine when calling your Read() or Count() methods, but it is not recommended when you are writing to the database. For Insert(), Update(), and Delete(), you need to be collecting user-supplied data via $_POST data only.

Don't give your users any more access/privilege than absolutely necessary. I wouldn't be letting people know what my table or column names are called. I wouldn't want to offer them the flexibility to nominate the table/column that they want to access -- purely on the grounds of security.

Perhaps provide some kind of alias/whitelist to convert the user data to model entity identifiers (translate the table/column names with in the model) or ideally make all of the table/column names static/hardcoded (provided by you, the developer).

public function changeStatus() {
    $tableName = $this->input->post('tableName');  // I don't like it
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->ciUpdate($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

added 2 characters in body

Source Link

edited May 25, 2020 at 21:44

mickmackusa

8.8k
1
17
31

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->Update>ciUpdate($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->Update($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->ciUpdate($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

added 691 characters in body

Source Link

edited May 25, 2020 at 21:32

mickmackusa

8.8k
1
17
31

Note, I wouldn't be letting people know what my table or column names are called. I wouldn't want to offer them the flexibility to nominate the table/column that they want to access as a means of security.

Perhaps provide some kind of alias/whitelist to convert the user data to model entity identifiers (translate the table/column names with in the model).

public function changeStatusfetch($tableName, $status$conditionId) {
    $result = $this->Crud->ciRead($tableName, $conditionId[['id', $conditionId]]));
    ...
}

or when writing to the db use post().

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->Update($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

public function changeStatus($tableName, $status, $conditionId) {
    if ($this->Crud->Update($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

Note, I wouldn't be letting people know what my table or column names are called. I wouldn't want to offer them the flexibility to nominate the table/column that they want to access as a means of security.

Perhaps provide some kind of alias/whitelist to convert the user data to model entity identifiers (translate the table/column names with in the model).

public function fetch($tableName, $conditionId) {
    $result = $this->Crud->ciRead($tableName, [['id', $conditionId]]));
    ...
}

or when writing to the db use post().

public function changeStatus() {
    $tableName = $this->input->post('tableName');
    $status = $this->input->post('status');
    $conditionId $this->input->post('conditionId');
    if ($this->Crud->Update($tableName, ['is_active' => $status], [['id', $conditionId]])) {
       $this->session->set_flashdata('success', "Success! Changes saved");
    } else {
       $this->session->set_flashdata('danger', "Something went wrong");
    }
    redirect('admin/seller/' . basename($_SERVER['HTTP_REFERER']));
}

Source Link

answered May 25, 2020 at 21:07

mickmackusa

8.8k
1
17
31

Loading

Stack Exchange Network

Return to Answer