{"id":15960547,"url":"https://github.com/seb35/sqltrees-php","last_synced_at":"2025-11-11T02:30:12.863Z","repository":{"id":77920461,"uuid":"437501281","full_name":"Seb35/sqltrees-php","owner":"Seb35","description":"Developer-proof prevention of SQL injection (PHP library), spiritual fork of the Java version https://github.com/Orange-Cyberdefense/sqltrees","archived":false,"fork":false,"pushed_at":"2021-12-12T19:51:43.000Z","size":29,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-12-28T11:43:38.331Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Seb35.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-12T09:22:03.000Z","updated_at":"2021-12-12T19:51:45.000Z","dependencies_parsed_at":"2023-02-27T22:00:48.192Z","dependency_job_id":null,"html_url":"https://github.com/Seb35/sqltrees-php","commit_stats":{"total_commits":8,"total_committers":1,"mean_commits":8.0,"dds":0.0,"last_synced_commit":"5aeccfebc90837a1bffc9b06c7d04a3d4fced4ad"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Seb35%2Fsqltrees-php","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Seb35%2Fsqltrees-php/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Seb35%2Fsqltrees-php/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/Seb35%2Fsqltrees-php/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Seb35","download_url":"https://codeload.github.com/Seb35/sqltrees-php/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239587264,"owners_count":19663892,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-07T15:20:28.067Z","updated_at":"2025-11-11T02:30:12.652Z","avatar_url":"https://github.com/Seb35.png","language":"PHP","readme":"SQLTrees (php)\n==============\n\nThis is a PHP version of the Java library [SQLTrees](https://github.com/Orange-Cyberdefense/sqltrees). It aims at eliminating the possibility of SQL injection while keeping the whole expressiveness of SQL. 
You can read (in French) [this introductory article](https://connect.ed-diamond.com/MISC/misc-111/zero-sqli-malgre-les-developpeurs), check out [the example](https://github.com/Seb35/sqltrees-php/tree/main/examples), or read the summary below.\n\n\nExample\n=======\n\nIn the MySQL system database `information_schema`, take the following SQL query, whose WHERE clause contains a parameter supplied by the application to let the user jump to some point in the list:\n```sql\nSELECT table_schema, table_name, engine, table_rows, create_time FROM tables WHERE table_name \u003e= 'parameter' ORDER BY table_name, create_time LIMIT 0,10;\n```\n\nIn a trivial example like this one, the query can be rewritten as a parametrised query:\n```sql\nSELECT table_schema, table_name, engine, table_rows, create_time FROM tables WHERE table_name \u003e= ? ORDER BY table_name, create_time LIMIT 0,10;\n-- with the parameters: ('parameter')\n```\n\nBut if we now want to let the user choose the requested columns, we write in PHP:\n```php\nfunction getParametrisedSQL( $columns, $parameter ) {\n\treturn [\n\t\t'sql' =\u003e 'SELECT ' . implode( ', ', $columns ) . ' FROM tables WHERE table_name \u003e= ? 
ORDER BY table_name, create_time LIMIT 0,10;',\n\t\t'parameters' =\u003e [ $parameter ],\n\t];\n}\n```\nNow the column names can introduce an SQL injection if they are not sufficiently sanitised beforehand, even though the query is parametrised: placeholders only stand for values, never for identifiers, so a column name is concatenated straight into the statement text.\n\nDuring an audit, every function that assembles part of an SQL query must be examined carefully to make sure none of them has an escaping issue.\n\n**With this library**, the previous parametrised function would be rewritten like this:\n```php\nuse SQLTrees;\n\nfunction getCompiledSQL( $columns, $parameter ) : CompiledStatement {\n\treturn select( tupleArray( array_map( function( $column ) { return id( $column ); }, $columns ) ),\n\t\tfrom( id( 'tables' ) ),\n\t\twhere( operator( id( 'table_name' ), '\u003e=', str( $parameter ) ) ),\n\t\torder_by( tuple( id( 'table_name' ), id( 'create_time' ) ) ),\n\t\tlimit( tuple( num( 0 ), num( 10 ) ) )\n\t)-\u003ecompile();\n}\n\n$conn = new mysqli( 'localhost', 'manager', 'password', 'information_schema' );\n$stmt = getCompiledSQL( $columns, $parameter )-\u003erun_mysqli( $conn );\n```\nEvery user-controlled piece is wrapped in a typed node (`id` for identifiers, `str` and `num` for literals), and the tree, not string concatenation, decides how each one is rendered into the prepared statement.\n\nDifferences with Java library\n=============================\n\n1. SQL library: for this POC, this PHP library uses the standard `mysqli` and `mysqli_stmt` classes in `CompiledStatement`: methods `getPreparedStatement_mysqli` and `run_mysqli`. To avoid being library-specific, there is also the library-independent method `CompiledStatement::getPreparedStatement`.\n\n2. Types of arguments: `CompiledStatement` has an additional method `addParam` to append a non-string parameter (integer, double, blob), see [`mysqli_stmt_bind_param`](https://www.php.net/manual/en/mysqli-stmt.bind-param.php).\n\n3. 
Added a class `NumLit` to add a number-typed parameter.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseb35%2Fsqltrees-php","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseb35%2Fsqltrees-php","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseb35%2Fsqltrees-php/lists"}
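The README's `getCompiledSQL` shows the library's API but not why a query tree cannot be injected into. The following is an added example, not code from sqltrees-php or from the Java SQLTrees library: a deliberately small re-implementation of the same idea, in which every piece of a query is a typed node and compilation decides how each node is rendered. The class names `Id`, `Lit`, `Op`, `Select` and the functions `buildTableListing` and `runMysqli` are invented for this illustration, as are the hostile inputs at the bottom. It runs stand-alone on PHP 8.0+; the `mysqli` part is only exercised if you hand `runMysqli` a live connection.

```php
<?php
// Added example, not the SQLTrees library's code: a minimal SQL tree that
// compiles to a prepared statement. Identifiers are quoted, literals become
// bind parameters, so neither can change the shape of the statement. PHP 8.0+.

abstract class Node {
    /** Emit SQL text; literal values are appended to $params, never inlined. */
    abstract public function compile(array &$params): string;
}

/** A column or table name. Quoted, never parametrised: placeholders cannot stand for identifiers. */
final class Id extends Node {
    public function __construct(private string $name) {}
    public function compile(array &$params): string {
        // MySQL identifier quoting: backticks, with embedded backticks doubled.
        return '`' . str_replace('`', '``', $this->name) . '`';
    }
}

/** A string or integer literal. Always travels out of band as a bind parameter. */
final class Lit extends Node {
    public function __construct(private int|string $value) {}
    public function compile(array &$params): string {
        $params[] = $this->value;
        return '?';
    }
}

/** A binary comparison. The operator is statement text, so it comes from a fixed list. */
final class Op extends Node {
    private const ALLOWED = ['=', '<>', '<', '<=', '>', '>=', 'LIKE'];
    public function __construct(private Node $lhs, private string $op, private Node $rhs) {
        if (!in_array($op, self::ALLOWED, true)) {
            throw new InvalidArgumentException("unsupported operator: $op");
        }
    }
    public function compile(array &$params): string {
        return $this->lhs->compile($params) . ' ' . $this->op . ' ' . $this->rhs->compile($params);
    }
}

final class Select {
    /** @param Id[] $columns  @param Id[] $orderBy  @param ?Lit[] $limit  [offset, count] */
    public function __construct(
        private array $columns, private Id $from, private ?Op $where = null,
        private array $orderBy = [], private ?array $limit = null,
    ) {}

    /** @return array{sql: string, params: list<int|string>} */
    public function compile(): array {
        $params = [];
        // Renders a list of nodes; shares $params by reference so literals land in order.
        $emit = function (array $nodes) use (&$params): string {
            $parts = [];
            foreach ($nodes as $n) { $parts[] = $n->compile($params); }
            return implode(', ', $parts);
        };
        $sql = 'SELECT ' . $emit($this->columns) . ' FROM ' . $this->from->compile($params);
        if ($this->where !== null) { $sql .= ' WHERE ' . $this->where->compile($params); }
        if ($this->orderBy !== []) { $sql .= ' ORDER BY ' . $emit($this->orderBy); }
        if ($this->limit !== null) { $sql .= ' LIMIT ' . $emit($this->limit); }  // MySQL accepts ? in LIMIT when bound as integers
        return ['sql' => $sql, 'params' => $params];
    }
}

/** The README's table listing: user-chosen columns plus a user-supplied start value. */
function buildTableListing(array $columns, string $jumpTo): array {
    return (new Select(
        array_map(fn(string $c) => new Id($c), $columns),
        new Id('tables'),
        new Op(new Id('table_name'), '>=', new Lit($jumpTo)),
        [new Id('table_name'), new Id('create_time')],
        [new Lit(0), new Lit(10)],
    ))->compile();
}

/** Bind and execute on mysqli; the type string follows the PHP type of each parameter. */
function runMysqli(mysqli $conn, array $stmt): mysqli_result|false {
    $prep = $conn->prepare($stmt['sql']);
    if ($stmt['params'] !== []) {
        $types = implode('', array_map(fn($p) => is_int($p) ? 'i' : 's', $stmt['params']));
        $prep->bind_param($types, ...$stmt['params']);
    }
    $prep->execute();
    return $prep->get_result();  // requires the mysqlnd driver
}

// Constructed hostile inputs: a column name that tries to append a second query
// and a WHERE value that tries a tautology. Both end up inert in the output.
$stmt = buildTableListing(['table_name', 'engine FROM mysql.user; -- '], "x' OR '1'='1");
echo $stmt['sql'], PHP_EOL;
print_r($stmt['params']);
```

Running it prints a statement in which the second "column" has become the single quoted identifier `` `engine FROM mysql.user; -- ` `` (MySQL will answer "Unknown column", not run a second query), the comparison value appears only as a `?` with `x' OR '1'='1` in the parameter list, and the LIMIT bounds are bound as integers. Two caveats a reviewer should still raise: the tree removes injection but not authorization, so a caller can still name any existing column of `tables` and you may want an allow-list on top; and the operator list is the one place where text from the caller reaches the statement verbatim, which is why `Op` refuses anything outside its fixed set.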