Skip to main content

Evil Access

I was thinking today about database APIs when inspiration struck. I ended up hacking out the following class, which I think demonstrates a rather interesting approach to interfacing with a database (interesting enough at least to post here).
class DBQuery implements Iterator
{
protected $_db;
protected $_query;
protected $_result;
protected $_index;
protected $_num_rows;

public function __construct($host, $dbname, $username,
$password) {
$this->_db = new PDO("mysql:dbname=$dbname;host=$host",
$username, $password);
}

public function __get($query) {
$this->_query = $query;
$this->_result = $this->_db->query($query);
return $this->_num_rows = $this->_result->rowCount();
}

public function quote($value) {
return PDO::quote($value);
}

public function __call($query, $values) {
$this->_query = $query;
$this->_result = $this->_db->prepare($this->_query);
$this->_result->execute($values[0]);
return $this->_num_rows = $this->_result->rowCount();
}

public function clear() {
$this->_index = 0;
$this->_num_rows = 0;
$this->_query = '';
$this->_result->closeCursor();
}

public function rewind() {
$this->_index = 0;
}

public function current() {
return $this->_result->fetch(PDO::FETCH_ASSOC,
PDO::FETCH_ORI_ABS, $this->_index);
}

public function key() {
return $this->_index;
}

public function next() {
$this->_index++;
}

public function valid() {
return ($this->_index < $this->_num_rows);
}

public function __toString() {
return $this->_query;
}
}
DBQuery isn't your typical database access class. In fact, I would suggest it's slightly evil since it distorts traditional PHP syntax by abusing taking advantage of three specific PHP features.
  1. PHP allows special characters in an identifier if the string is quoted and is enclosed by {}. So, $myValue and ${"my value"} are both equally valid variable identifiers.

  2. The magic overloading methods allow you handle undefined properties and methods in your class. Specifically, I've made use of __get() and __call().

  3. A class that implements the Iterator interface can be traversed using a foreach loop.
Here's a look at how DBQuery would be used:
// connect to the database
$dbq = new DBQuery("localhost", "test", "dbuser",
"dbpassword");

// query the database if the user is authorized
$username = "administrator";
$password = sha1("password");
if (!$dbq->{"SELECT * FROM admin_user WHERE username=? " .
"AND password=?"}(array($username, $password))) {
die("Unauthorized.");
}

// query the database and display some records
$dbq->{"SELECT id, first_name, last_name FROM employee"};
foreach ($dbq as $result) {
print_r($result);
}

// casting the object as a string yields the query string
echo "Query: $dbq";
Don't try this at home, though, my friends. Just because you can write code like this doesn't mean you should.

Comments

  1. Amazing concept, but I'm afraid if I ever see ANY of this code in production in the future I will be forced to strangle you... Consider yourself warned :)

    ReplyDelete
  2. You could make it even hackier by using func_get_args() in __call so the usage would turn out as

    $dbq->{"SELECT * FROM admin_user WHERE username=? AND password=?"}($username, $password)

    ReplyDelete
  3. Yep this is a pretty cool idea. Wouldn't go as far as Commenter #1, but I think it may be a good idea to not bend the rules this much ;)

    ps: why do I have to log in to comment? I don't want to - please make it possible to comment by just leaving your name =)

    ReplyDelete
  4. this looks pretty neat.
    but I don't understand why you shouldn't use something like this ?
    what rules it bends ?

    ReplyDelete

Post a Comment

Popular posts from this blog

Writing a Minimal PSR-0 Autoloader

An excellent overview of autoloading in PHP and the PSR-0 standard was written by Hari K T over at PHPMaster.com , and it's definitely worth the read. But maybe you don't like some of the bloated, heavier autoloader offerings provided by various PHP frameworks, or maybe you just like to roll your own solutions. Is it possible to roll your own minimal loader and still be compliant? First, let's look at what PSR-0 mandates, taken directly from the standards document on GitHub : A fully-qualified namespace and class must have the following structure \<Vendor Name>\(<Namespace>\)*<Class Name> Each namespace must have a top-level namespace ("Vendor Name"). Each namespace can have as many sub-namespaces as it wishes. Each namespace separator is converted to a DIRECTORY_SEPARATOR when loading from the file system. Each "_" character in the CLASS NAME is converted to a DIRECTORY_SEPARATOR . The "_" character has no special ...

Safely Identify Dependencies for Chrooting

The most difficult part of setting up a chroot environment is identifying dependencies for the programs you want to copy to the jail. For example, to make cp available, not only do you need to copy its binary from /bin and any shared libraries it depends on, but the dependencies can have their own dependencies too that need to be copied. The internet suggests using ldd to list a binary’s dependencies, but that has its own problems. The man page for ldd warns not to use the script for untrusted programs because it works by setting a special environment variable and then executes the program. What’s a security-conscious systems administrator to do? The ldd man page recommends objdump as a safe alternative. objdump outputs information about an object file, including what shared libraries it links against. It doesn’t identify the dependencies’ dependencies, but it’s still a good start because it doesn’t try to execute the target file. We can overcome the dependencies of depende...

A Unicode fgetc() in PHP

In preparation for a presentation I’m giving at this month’s Syracuse PHP Users Group meeting, I found the need to read in Unicode characters in PHP one at a time. Unicode is still second-class in PHP; PHP6 failed and we have to fallback to extensions like the mbstring extension and/or libraries like Portable UTF-8 . And even with those, I didn’t see a unicode-capable fgetc() so I wrote my own. Years ago, I wrote a post describing how to read Unicode characters in C , so the logic was already familiar. As a refresher, UTF-8 is a multi-byte encoding scheme capable of representing over 2 million characters using 4 bytes or less. The first 128 characters are encoded the same as 7-bit ASCII with 0 as the most-significant bit. The other characters are encoded using multiple bytes, each byte with 1 as the most-significant bit. The bit pattern in the first byte of a multi-byte sequence tells us how many bytes are needed to represent the character. Here’s what the function looks like: f...