2021-01-07, 12:37 AM
In addition to Issue #4206, with the 1.9 series we should really do some updates to the $db->query function. Right now it can execute DROP TABLE, DELETE, and TRUNCATE without calling an explicit method to do so. This can present security risks when SQL Injection points are discovered. I believe that DROP TABLE, DELETE, TRUNCATE, and possibly UPDATE should be forced to use the helper function. This would mean a truncate_table function would need to be created, but it would not be difficult to make.
Another benefit to doing this is that it forces good programming practices. Developers would not be able to get away with using $db->query for everything when there might be better ways to do so. This also makes sure write_query gets used when it should as well for those who have separate reading and writing databases.
I do not believe it would be feasible for the 1.8 series due to the fact that the entire codebase would have to be analyzed to implement such a change.
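As an added illustration of the guard the post proposes (not MyBB's own code), the wrapper below rejects destructive statement types at the generic query()/write_query entry point and exposes them only through explicit helpers; it assumes PHP 8 with PDO, and the helper names other than query, write_query and truncate_table (which the post names) are hypothetical stand-ins.

```php
<?php
// Added example of the proposed guard; not MyBB's code. Assumes PHP 8 + PDO.
// Helper names other than query/write_query/truncate_table are hypothetical.
final class GuardedDB
{
    // Statement types the generic query() entry point refuses to run.
    private const RESTRICTED = ['DROP', 'DELETE', 'TRUNCATE', 'UPDATE'];
    public function __construct(private \PDO $pdo) {}
    // Leading keyword of the statement, skipping whitespace and SQL comments.
    private static function leadingKeyword(string $sql): string
    {
        $sql = preg_replace('~^(\s|--[^\n]*\n|#[^\n]*\n|/\*.*?\*/)+~s', '', $sql);
        return strtoupper((string) strtok($sql, " \t\r\n(;"));
    }
    // Generic entry point: destructive statement types are rejected outright,
    // so an injection point that reaches query() cannot run a whole DROP/DELETE.
    public function query(string $sql): \PDOStatement
    {
        $kw = self::leadingKeyword($sql);
        if (in_array($kw, self::RESTRICTED, true)) {
            throw new \LogicException("$kw must go through its helper method, not query()");
        }
        return $this->pdo->query($sql);
    }
    // write_query keeps the same guard; only read/write routing would differ.
    public function write_query(string $sql): \PDOStatement
    {
        return $this->query($sql);
    }
    // Table names must be plain identifiers before they are quoted.
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new \InvalidArgumentException("bad identifier: $name");
        }
        return "`$name`";
    }
    // The only paths to DELETE/TRUNCATE: explicit helpers with bound values.
    public function delete_query(string $table, string $where, array $params = []): int
    {
        $stmt = $this->pdo->prepare('DELETE FROM ' . self::ident($table) . " WHERE $where");
        $stmt->execute($params);
        return $stmt->rowCount();
    }
    public function truncate_table(string $table): void
    {
        $this->pdo->exec('TRUNCATE TABLE ' . self::ident($table));
    }
}
```

The keyword check covers only the case the post raises (a complete destructive statement handed to query()); it does not make an injectable SELECT safe, so parameter binding in the helpers remains the primary control.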