by _lce0 4191 days ago
I just want to raise my concern about the security issues the current implementation provides. At a glance the update method provides a simple way to execute arbitrary SQL.

Please be aware


Are you referring to a condition where if you let attackers control the array indices or table name, it's merely sanitized for meta characters?

https://github.com/resonantcore/lib/blob/7b719907e8954241ff9...

Developer abuse ought to be sufficiently mitigated now. Thanks for saying something :)

No matter how hard you try, if queries are dynamically created, you (or your lib's user) will most certainly miss a spot where an attacker could sneak in an offensive query.

You fixed the $i, but what about $table? What about $conditions' keys?

See the problem? And we are just talking about a single method ;-)
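The objection above is that escaping meta characters only protects the values; the table name and the array keys used as column names are still spliced into the SQL text. The usual mitigation is to treat identifiers as a separate class from values: whitelist the table, validate column names against a strict identifier grammar and quote them, and bind every value as a parameter. The following is an added example written for this thread, not code from the resonantcore library (which is PHP); it is in Python with sqlite3 so it can run stand-alone. The table whitelist, the `users` schema and the sample rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed whitelist of tables the application is allowed to update (assumption).
ALLOWED_TABLES = {"users", "sessions"}

# Identifiers (table and column names) must be plain SQL identifiers.
# Anything else is rejected outright rather than "sanitized" for meta characters.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_ident(name) -> str:
    """Validate an identifier and return it double-quoted. Raises ValueError otherwise."""
    if not isinstance(name, str) or _IDENT_RE.fullmatch(name) is None:
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return f'"{name}"'


def build_update(table: str, changes: dict, conditions: dict):
    """Return (sql, params) for an UPDATE.

    Identifiers come from the whitelist / identifier grammar only; every value
    (including the WHERE values) is a bound parameter, never part of the SQL text.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not in whitelist: {table!r}")
    if not changes or not conditions:
        raise ValueError("UPDATE needs at least one SET column and one WHERE condition")

    set_clause = ", ".join(f"{quote_ident(col)} = ?" for col in changes)
    where_clause = " AND ".join(f"{quote_ident(col)} = ?" for col in conditions)
    sql = f"UPDATE {quote_ident(table)} SET {set_clause} WHERE {where_clause}"
    params = list(changes.values()) + list(conditions.values())
    return sql, params


def run_update(conn: sqlite3.Connection, table: str, changes: dict, conditions: dict) -> int:
    """Build and execute the UPDATE; return the number of affected rows."""
    sql, params = build_update(table, changes, conditions)
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def demo():
    """Exercise the builder against an in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user")],
    )

    # Legitimate use: identifiers pass validation, values are bound.
    changed = run_update(conn, "users", {"role": "admin"}, {"id": 1})

    # A key that is not a bare identifier (the $conditions-keys case from the
    # thread) is rejected before any SQL text is assembled.
    try:
        build_update("users", {"role": "admin"}, {'id" OR 1=1 --': 0})
        rejected = False
    except ValueError:
        rejected = True

    roles = [row[0] for row in conn.execute("SELECT role FROM users ORDER BY id")]
    return changed, rejected, roles


if __name__ == "__main__":
    print(demo())
```

The point of `quote_ident` is that it never tries to escape a bad name into a good one: a key that is not a plain identifier is a bug or an attack either way, so the builder raises and the caller has to supply a column name it actually knows. The table whitelist does the same job one level up, since a table name cannot be bound as a parameter.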

Valid points, but regrettably they were ones I had already addressed in subsequent changes.

I linked to a single commit.

I probably should have linked to the master branch instead. (Also, I just pushed another update as I wrote this.)

https://github.com/resonantcore/lib/blob/master/src/DB.php