phpClickHouse
How to prevent SQL injection with this lib
Is there a solution like PDO::setParameter(..)?
I have investigated that for https://github.com/simPod/PhpClickHouseClient and I recommend subscribing https://github.com/ClickHouse/ClickHouse/issues/8842
I'm trying to implement
curl -X POST -F 'query=select {p1:UInt8} + {p2:UInt8}' -F "param_p1=3" -F "param_p2=4" 'http://default:default@localhost:8123/'
7
Was this implemented? While I can use {x} within a query, it doesn't appear to get escaped - and just a dumb string replacement happens, leading to sqli vulns
I'm doing
$db->select('select * from test where ID={ID}', ['ID' => 1]);
I would also like to know if there are plans to implement it.
If someone is ready to test the implementation in dev23
https://github.com/smi2/phpClickHouse/blob/dev23/tests/BindingsPostTest.php#L18
If the request contains {\w+:\w+} it will be passed to the POST.
The code supports old binds without typeCast and the new ones:
$db->select('select * from test where ID={ID}', ['ID' => 1]);
$db->select('select * from test where ID={ID:UInt8}', ['ID' => 1]);
I will not be able to conduct full tests before publishing to the master branch. All PHPUnit tests - OK
I can try push master "as it is now" and see what happens -)))
After some testing, I found an issue with the expression {\w+:\w+}. It will fail with an array type:
select {numbers_array:Array(UInt64)};
Otherwise, it seems to be working just fine.
Added support for arrays.
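An added example, not code from phpClickHouse, contrasting the client-side string replacement of {ID} discussed above with the server-side {name:Type} parameters from the curl command earlier in the thread, using a placeholder pattern that also accepts the Array(UInt64) case. It assumes ClickHouse accepts array parameter values in literal syntax such as [1,2,3]; function names are mine.

```python
import re
from typing import Any, Dict

# Matches ClickHouse server-side placeholders such as {ID:UInt8} and
# {numbers_array:Array(UInt64)}. The type part may contain parentheses,
# commas and spaces, which the thread's original {\w+:\w+} pattern rejected.
TYPED_PLACEHOLDER = re.compile(r"\{(\w+):([\w\s(),]+)\}")

# Matches legacy untyped placeholders such as {ID}, which the older
# client-side binding replaced directly in the query text.
UNTYPED_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def naive_bind(query: str, bindings: Dict[str, Any]) -> str:
    """Client-side replacement of {name}: the bound value becomes SQL text.

    Nothing separates data from query syntax here, which is the weakness
    the thread describes.
    """
    return UNTYPED_PLACEHOLDER.sub(lambda m: str(bindings[m.group(1)]), query)


def build_http_form(query: str, bindings: Dict[str, Any]) -> Dict[str, str]:
    """Return the POST form fields for the ClickHouse HTTP interface.

    The query text keeps its {name:Type} placeholders untouched; each bound
    value travels in its own param_<name> field, so the server parses it as
    a value of the declared type rather than as part of the SQL.
    """
    names = [m.group(1) for m in TYPED_PLACEHOLDER.finditer(query)]
    missing = set(names) - set(bindings)
    if missing:
        raise ValueError(f"no binding for placeholder(s): {sorted(missing)}")
    form = {"query": query}
    for name in names:
        value = bindings[name]
        # Assumed: arrays are sent in ClickHouse literal syntax, e.g. [1,2,3].
        if isinstance(value, (list, tuple)):
            value = "[" + ",".join(str(v) for v in value) + "]"
        form[f"param_{name}"] = str(value)
    return form
```

With the typed form, a value such as "1 or 1=1" is rejected by the server as an invalid UInt8 instead of widening the WHERE clause.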
@isublimity Can we get a new release regarding this?
pub 1.5.1