
Unexpected behavior that can corrupt application data

Open teso opened this issue 6 years ago • 2 comments

https://github.com/vasa-c/go-db/blob/c65eecde33df27be9252999e74021886710e0ddb/goDB/Helpers/Templater.php#L474 I just had the following situation:

  1. Prepared a query like this: UPDATE ?t:tableName SET ?s:setValues WHERE ?w:whereCondition
  2. Gave data for the placeholders: 'tableName' => 'manager', 'setValues' => ['companyId' => '61eaf81b8a5b11e39ba6c436c32fa3a3'], 'whereCondition' => 'id = ?:id', 'id' => '61eaf81b8a5b11e39ba6c436c32fa3a3'

I expected that the templater would replace all placeholders recursively, but it did not happen. Okay, it's my fault, I was not attentive when reading the documentation. But, more interesting, what query I got: UPDATE manager SET companyId="61eaf81b8a5b11e39ba6c436c32fa3a3" WHERE 1=1 It means if you give something that is not an array or FALSE in the ?w placeholder you will update the ENTIRE TABLE. The code will not abort with an exception; it silently corrupts your data.

teso, Jul 31 '18 14:07

@teso Sorry to hear that, I hope you could recover your data. I agree, the WHERE placeholder should be more picky about the type of data provided to it.

The problem here is that if we start throwing exceptions on everything except, let's say, boolean or array, we might break backwards compatibility.

@vasa-c What do you think? Throwing an exception, at least for a string, sounds reasonable, to prevent those kinds of mistakes. I hope no one really uses strings there.

mkedo, Jul 31 '18 19:07

@mkedo Fortunately, it happened on the dev environment (but I have no dump for restoring). We can leave this ability only for SELECT queries (for backwards compatibility) and throw exceptions for other cases (if something other than an array is given).

teso, Aug 02 '18 07:08
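The behaviour discussed above (a WHERE placeholder that turns a string into `1=1`) and the fix teso proposes, sketched as an added example that is not go-db's code: a hypothetical `buildWhere()` helper that accepts only an array or `false`, keeps the "no condition" case for SELECT only, and returns bound parameters instead of interpolating values. MySQL-style backtick quoting of column names is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical replacement for a ?w-style placeholder (not go-db code).
 * Returns [sql, params]; values are bound by the driver, never inlined.
 */
function buildWhere($where, bool $isSelect): array
{
    // "No condition" is kept for SELECT only; an unconditional
    // UPDATE/DELETE is refused instead of silently becoming WHERE 1=1.
    if ($where === false || $where === []) {
        if (!$isSelect) {
            throw new InvalidArgumentException('Unconditional non-SELECT refused');
        }
        return ['1=1', []];
    }
    // The reported bug: a string ('id = ?:id') fell through to 1=1.
    // Anything that is not an array is now rejected up front.
    if (!is_array($where)) {
        throw new InvalidArgumentException(
            'WHERE placeholder expects array or false, got ' . gettype($where)
        );
    }
    $parts = $params = [];
    foreach ($where as $column => $value) {
        if (!is_string($column) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
            throw new InvalidArgumentException("Invalid column name: $column");
        }
        if ($value === null) {
            $parts[] = "`$column` IS NULL";
        } elseif (is_array($value)) {
            if ($value === []) {
                throw new InvalidArgumentException("Empty IN list for $column");
            }
            $parts[] = "`$column` IN (" . implode(', ', array_fill(0, count($value), '?')) . ')';
            array_push($params, ...array_values($value));
        } else {
            $parts[] = "`$column` = ?";
            $params[] = $value;
        }
    }
    return [implode(' AND ', $parts), $params];
}

// The reporter's UPDATE, with the condition passed as an array as documented.
[$sql, $params] = buildWhere(['id' => '61eaf81b8a5b11e39ba6c436c32fa3a3'], false);
echo "UPDATE manager SET companyId = ? WHERE $sql\n";   // WHERE `id` = ?

// The original mistake (a string) now fails loudly instead of updating every row.
try {
    buildWhere('id = ?:id', false);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```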