Hi all,
just had a question about the PDO database connection class and queries,
Why doesn't it use prepared statements? Isn't there a security risk? Unless I'm missing something?
thanks
You can find the current state of development on github, http://github.com/fuel. Currently we're on 1.1/develop. There you can also find the issues and feature requests, in the issue tracker of the core (or orm/auth/docs) repository.
You'll find the roadmap via the link in the header of this website.
There is no roadmap towards releases, so I can't give you a time on the release of 2.0. As you can see on the roadmap, the new Query Builder is still in proposal stage. I don't expect anything before the end of the year, spring of next year.
But it's definitely going to be part of 2.0, and one of the reasons for rewriting it is to be able to support a much wider range of RDBMSs (or perhaps even NoSQL backends), and different SQL dialects.
It doesn't use prepared statements because the query builder needs to maintain compatibility with other drivers, which do not support this (notably the old PHP function based drivers).
There is no security risk, the query builder takes care of proper escaping (unless you use DB::expr() to bypass it).
We've already officially deprecated the (procedural) mysql driver in 1.1. For 2.0 the entire database layer is going to be rewritten, and introduce new features, like for example prepared statements and full stored procedure support.
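As an added illustration of the distinction drawn in this reply (not code from the thread or from FuelPHP), here is the same lookup written three ways with PHP's PDO against a constructed in-memory SQLite table: raw interpolation (what wrapping untrusted input in DB::expr() amounts to), driver escaping (what the query builder does for plain values), and a prepared statement with a bound parameter. The sample value is a legitimate name containing a quote, which is enough to show why the raw form is fragile.

```php
<?php
// Added example; assumes the pdo_sqlite extension is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien')");

$name = "O'Brien"; // constructed input: an ordinary value that happens to contain a quote

// 1. Raw interpolation, the equivalent of passing user input through DB::expr().
//    Nothing is escaped, so the quote inside the value breaks the SQL.
$raw = "SELECT id FROM users WHERE name = '$name'";
try {
    $pdo->query($raw);
    echo "raw query ran (unexpected)\n";
} catch (PDOException $e) {
    echo "raw query failed: ", $e->getMessage(), "\n";
}

// 2. Escaping, which is what the query builder does for plain values.
//    PDO::quote() returns a quoted literal escaped for this driver's dialect,
//    which is why escaping has to be driver-aware.
$escaped = "SELECT id FROM users WHERE name = " . $pdo->quote($name);
$id = $pdo->query($escaped)->fetchColumn();
echo "escaped query found id $id\n";

// 3. Prepared statement with a bound parameter. The value is sent separately
//    from the SQL text, so no escaping decision is made in application code.
$stmt = $pdo->prepare("SELECT id FROM users WHERE name = :name");
$stmt->execute([':name' => $name]);
$id = $stmt->fetchColumn();
echo "prepared query found id $id\n";
```

Both the escaped and the prepared form find the row; only the raw form fails, and a value chosen by a third party rather than this harmless one is exactly the case the escaping exists to cover.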
@WanWizard, where can I find information about 2.0 progress?
Also, is there going to be native postgres support? I see someone has done a non-package hack and was thinking of creating a package for it. However, if it is all going to be replaced in 2.0 I won't bother.