Class WPDA_Dictionary_Exist
WP Data Access provides interactive database access. Users might follow the interaction provided by the plugin, but might as well influence its behaviour through plugin arguments (hacking query strings and post values). The dynamic nature of WP Data Access allows users to change table and column names that are communicated from one page to another, which clearly leads to a SQL injection risk. This class deals with this issue by checking the existence of database objects, like tables, columns, etc.
author | Peter Schulz |
---|---|
since | 1.0.0 |
package | WPDataAccess\Data_Dictionary |
__construct(string $schema_name, string $table_name)
For table and column checks this class should be used by instantiating it. The table name must be provided as an argument. The schema name might be part of the table name provided, in which case the schema name and table name should be separated by a '.' (dot) as in MySQL notation. If no schema name is provided, the WordPress schema is used as the default.
since | 1.0.0 |
---|
string
Database schema name.
string
Database table name.
column_exists(string $column_name) : boolean
Checks whether a column name exists in the WordPress database. Used to prevent SQL injection. Also read \WPDataAccess\Data_Dictionary\WPDA_Dictionary_Exist::table_exists().
Works with tables as well as views.
since | 1.0.0 |
---|
string
Database column name.
boolean
TRUE = column exists.
function_exists(string $schema_name, string $function_name) : boolean
since | 1.0.0 |
---|
string
Database schema name.
string
Database function name.
boolean
TRUE = function exists, FALSE = function does not exist.
is_view() : boolean
boolean
TRUE = $this->table_name is a view, FALSE = $this->table_name is a table
plain_table_exists() : boolean
No access control, back-end or front-end checks are taken into account. This method only checks the existence of the table.
boolean
procedure_exists(string $schema_name, string $procedure_name) : boolean
since | 1.0.0 |
---|
string
Database schema name.
string
Database procedure name.
boolean
TRUE = procedure exists, FALSE = procedure does not exist.
schema_exists($schema_name)
table_exists(boolean $use_table_access_settings = true, boolean $check_back_end = true) : boolean
A dynamic SQL statement might use a table or view name which can be supplied as argument on the url. This is a source of a possible SQL injection attack. In cases where users have the possibility to change a table or view name argument, we must check if the table or view name exists in the WordPress database to protect ourselves against SQL injection attacks.
Before the existence of a table is checked against the MySQL data dictionary, an access check is performed. If the access check returns FALSE, a query for existence is no longer needed. The access check is performed prior to the existence check as it is quicker and might save us a more expensive action.
Works with tables as well as views.
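The order of checks described above (access first, then a dictionary lookup with the requested name passed as a bound value) as an added example; it is not the plugin's own code. SQLite in memory stands in for MySQL so the script runs offline, and `ACCESSIBLE_TABLES`, `dict_table_exists()`, `dict_column_exists()` and `fetch_column()` are hypothetical names.

```php
<?php
// Added example, not plugin code. SQLite in memory stands in for MySQL;
// on MySQL the lookups would go to information_schema.tables / .columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)');
$pdo->exec("INSERT INTO orders (customer) VALUES ('alice'), ('bob')");
$pdo->exec('CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT)');

// Hypothetical stand-in for the plugin's table access settings.
const ACCESSIBLE_TABLES = ['orders'];

function dict_table_exists(PDO $pdo, string $table): bool {
    // Cheap access check first; the dictionary query is skipped if it fails.
    if (!in_array($table, ACCESSIBLE_TABLES, true)) {
        return false;
    }
    // The requested name is a bound value here, never SQL text.
    $stmt = $pdo->prepare("SELECT 1 FROM sqlite_master WHERE type IN ('table', 'view') AND name = ?");
    $stmt->execute([$table]);
    return $stmt->fetchColumn() !== false;
}

function dict_column_exists(PDO $pdo, string $table, string $column): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM pragma_table_info(?) WHERE name = ?');
    $stmt->execute([$table, $column]);
    return $stmt->fetchColumn() !== false;
}

function fetch_column(PDO $pdo, string $table, string $column): array {
    if (!dict_table_exists($pdo, $table) || !dict_column_exists($pdo, $table, $column)) {
        throw new InvalidArgumentException('unknown or inaccessible table/column');
    }
    // Names matched dictionary entries exactly; still quote them as identifiers.
    $q = fn(string $id): string => '"' . str_replace('"', '""', $id) . '"';
    return $pdo->query('SELECT ' . $q($column) . ' FROM ' . $q($table))->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values, as they might arrive in a query string.
$requests = [['orders', 'customer'], ['secrets', 'token'],
             ['orders, secrets', 'customer'], ['orders', 'nosuchcol']];
foreach ($requests as [$table, $column]) {
    try {
        echo json_encode(fetch_column($pdo, $table, $column)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode([$table, $column]), PHP_EOL;
    }
}
```

Only the first request reaches the dynamic `SELECT`; the other three are rejected before any SQL text is built from them.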
since | 1.0.0 |
---|
boolean
Indicator whether settings should be checked (default = true).
boolean
TRUE = back-end check, FALSE = front-end check.
boolean
TRUE means table name is valid.
trigger_exists(string $schema_name, string $trigger_name) : boolean
since | 1.0.0 |
---|
string
Database schema name.
string
Database trigger name.
boolean
TRUE = trigger exists, FALSE = trigger does not exist.
load_plugin_tables()
Loads the plugin tables into a named array to be cached for fast access by table name.
since | 2.0.11 |
---|
routine_exists(string $schema_name, string $routine_name, string $routine_type) : boolean
since | 1.0.0 |
---|
string
Database schema name.
string
Database routine name.
string
Database routine type.
boolean
TRUE = routine exists, FALSE = routine does not exist.
$plugin_schema_and_tables_loaded : boolean
false
$schema_name : string
''
$schema_name_cache : array
array()
$table_name : string
''
$table_name_cache : array
array()