MyBB Community Forums

In addition to Issue #4206, with 1.9 series we should really do some updates to the $db->query function.  Right now it can currently execute DROP TABLE, DELETE, and TRUNCATE without calling an explicit method to do so.  This can present security risks when SQL Injection points are discovered.  I believe that DROP TABLE, DELETE, TRUNCATE, and possibly UPDATE should be forced to use the helper function.  This would mean a truncate_table function would need to be created, but it would not be difficult to make.

Another benefit to doing this is that it forces good programming practices.  Developers would not be able to get away with using $db->query for everything when there might be better ways to do so.  This also makes sure write_query gets used when it should as well for those who have separate reading and writing databases.

I do not believe it would be feasible for 1.8 series due to the fact the entire codebase would have to be analyzed to implement such a change.

I'm not sure about forcing such changes on to third-party developers, specially because of compatibility (upgrading 1.8 could be done by regular users easily or not) and flexibility issues.

Maybe Euantor has a better insight into this as I recall is has been discussed several times and work is being prepared for improving the DB classes in future versions (unsure if for 1.9).

When 1.9 comes out, plugins will have to be rewritten anyway since we are switching to Twig for that. That is part of why I think it should be for 1.9.

As I understand it the template system won't be as different for plugin developers as to say they will have to be rewritten, some may require minimal changes, if any, and based on their use of the template system forcing DB changes might force rewrites more than the changes to the template system itself will do.

Anyways, I'm in to implement complex changes in 1.9, just not so sure about forcing some of the stuff I understand in your suggestion. Do other projects follow the approach you suggest?

I haven't really looked at how other projects handle the database. I haven't had a VB licence for years and I've never used Xenforo as an Admin. This might not even be a trend yet, but this way we can set the precedent instead of being one of the later projects to adopt it.