[Typo3-dev] DBAL: Call for sponsors

Kasper Skårhøj kasper at typo3.com
Thu Mar 4 11:40:42 CET 2004


I think we can settle for a good "compromise" here and if you knew more
about the thoughts that I have had about how to do the DBAL
implementations you would probably agree.

I'll explain my flow of thoughts:

- Before 3.6.0 I want to bring security as high as possible - reasonable
idea I suppose you agree...
- For SQL injection it turns out that centralized calls for creating
queries are a good idea; safer, cleaner.
- This is NOT a DBAL step as such - just a search-replace operation for
the around 100 UPDATE/INSERT statements in TYPO3 and doesn't impose high
risk of breakage.
- So, eventually we might create a class for these "createInsertQuery"
and "createUpdateQuery" functions, say "t3lib_queries"
- Thinking a little ahead, knowing that we plan DBAL for 3.7.0, this
class might become "t3lib_db" instead, paving the way for the DBAL
efforts!
- Then you think, "Why not direct all mysql*() calls into wrapper
functions of this class" ... and another search/replace operation does
just that - again a small step for man, but a giant step for the DBAL
team working on the DBAL for 3.7.0...

At this point we can now stop and release 3.6.0. DBAL would not be a
reality really, but the foundation for the work (t3lib_db or whatever we
might call it) would be there.

So IN GENERAL it makes sense to take these steps now since it can easily
be defended as clean-up operations, enhancing security which is all
within the goals of 3.6.0. BUT before we do this - which after all will
take some time - we want to get the funding in place for the DBAL
efforts which will go on after the release of 3.6.0. That's why we are in
a hurry; because this initial "clean-up operation" benefits the DBAL
project and we believe that is interesting enough to raise some money.

My proposal is:
- For TYPO3 3.6.0: Add the class "t3lib_db" in TYPO3 3.6.0, containing
simple wrapper functions (necessary for DBAL efforts after 3.6.0) plus
security-enhancing query building functions. Do the search/replace.
- For TYPO3 3.7.0: a group will work on DBAL implementations taking
offset in the wrapper functions from 3.6.0. You are right that this will
take a LOONG time and require a lot of testing and basically be marked
"unstable".

As I see this it perfectly matches your arguments about "waiting for
3.7.0" but with the little twist that it really DOES reflect back on
3.6.0 as Daniel has so argued. The result: We are not talking about a
complete DBAL implementation for TYPO3 3.6.0 release; only that initial
work has been done so the DBAL workgroup can proceed - BUT we still want
to take the opportunity to raise money for this!

- kasper
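The centralized query-building idea in the post, as an added example that is not TYPO3's own t3lib_db code: a hypothetical class with a single quoting function that every INSERT/UPDATE goes through, plus identifier validation, shown beside a hand-built query for comparison.

```php
<?php
// Added example, not TYPO3's own t3lib_db: a minimal centralized query
// builder in the spirit of the "createInsertQuery"/"createUpdateQuery"
// idea. addslashes() stands in for a driver escape function (such as
// mysqli_real_escape_string) only so this runs with no database connected.
class hypothetical_t3lib_db {
    // The one place where values are quoted; every call site goes through it.
    public function fullQuoteStr($value) {
        return "'" . addslashes((string)$value) . "'";
    }
    // Table and column names are not data and cannot be escaped, so they
    // are validated against a strict identifier pattern instead.
    private function assertIdentifier($name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Bad SQL identifier: $name");
        }
    }
    public function INSERTquery($table, array $fields) {
        $this->assertIdentifier($table);
        $cols = array();
        $vals = array();
        foreach ($fields as $col => $val) {
            $this->assertIdentifier($col);
            $cols[] = $col;
            $vals[] = $this->fullQuoteStr($val);
        }
        return "INSERT INTO $table (" . implode(',', $cols) . ") VALUES (" . implode(',', $vals) . ")";
    }
    public function UPDATEquery($table, array $where, array $fields) {
        $this->assertIdentifier($table);
        $set = array();
        foreach ($fields as $col => $val) {
            $this->assertIdentifier($col);
            $set[] = $col . '=' . $this->fullQuoteStr($val);
        }
        $cond = array();
        foreach ($where as $col => $val) {
            $this->assertIdentifier($col);
            $cond[] = $col . '=' . $this->fullQuoteStr($val);
        }
        return "UPDATE $table SET " . implode(',', $set) . ' WHERE ' . implode(' AND ', $cond);
    }
}

$db = new hypothetical_t3lib_db();
$title = "O'Reilly";  // constructed input: one quote breaks hand-built SQL
$adHoc = "INSERT INTO pages (title) VALUES ('" . $title . "')";           // before: broken query
$safe  = $db->INSERTquery('pages', array('title' => $title, 'pid' => 1)); // after: always quoted
echo $adHoc, "\n", $safe, "\n";
echo $db->UPDATEquery('pages', array('uid' => 5), array('title' => $title)), "\n";
```

Routing the roughly 100 call sites through one class is what makes the quoting rule auditable: a missed escape is a missing method call, not a subtle string-concatenation bug scattered across the code base.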