[Typo3-dev] DBAL: Call for sponsors

Martin T. Kutschker Martin.T.Kutschker at blackbox.net
Thu Mar 4 18:06:35 CET 2004


Kasper Skårhøj wrote:
> I think we can settle for a good "compromise" here and if you knew more
> about the thoughts that I have had about how to do the DBAL
> implementations you would probably agree.
> 
> I'll explain my flow of thoughts:
> 
> - Before 3.6.0 I want to bring security as high as possible - reasonable
> idea I suppose you agree...

Of course.

> - For SQL injection it turns out that centralized calls for creating
> queries is a good idea; More safe, more clean.

Probably.

> - This is NOT a DBAL step as such - just a search-replace operation for
> the around 100 UPDATE/INSERT statements in TYPO3 and doesn't impose high
> risk of breakage.

A kind of lightweight DBL then (missing A for abstraction intended).

> - So, eventually we might create a class for these "createInsertQuery"
> and "createUpdateQuery" functions, say "t3lib_queries"
> - Thinking a little ahead, knowing that we plan DBAL for 3.7.0, this
> class might become "t3lib_db" instead, paving the way for the DBAL
> efforts!
> - Then you think, "Why not direct all mysql*() calls into wrapper
> functions of this class" ... and another search/replace operation does
> just that - again a small step for man, but a giant step for the DBAL
> team working on the DBAL for 3.7.0...
> 
> At this point we can now stop and release 3.6.0. DBAL would not be a
> reality really, but the foundation for the work (t3lib_db or whatever we
> might call it) would be there.

Might work. I mean to do some abstraction now with the intention to
address most of the real abstraction issues. At least to such a degree
that all changes are in the right direction.

Anyway I'm glad to see "mysql(); echo mysql_error()" go away ;-)

> So IN GENERAL it makes sense to take these steps now since it can easily
> be defended as clean-up operations, enhancing security which is all
> within the goals of 3.6.0. BUT before we do this - which after all will
> take some time - we want to get the funding in place for the DBAL
> efforts which will go on after the release of 3.6.0. That's why we are in
> a hurry; because this initial "clean-up operation" benefits the DBAL
> project and we believe that is interesting enough to raise some money.

I see.

> My proposal is:
> - For TYPO3 3.6.0: Add the class "t3lib_db" in TYPO3 3.6.0, containing
> simple wrapper functions (necessary for DBAL efforts after 3.6.0) plus
> security-enhancing query building functions. Do the search/replace.
> - For TYPO3 3.7.0: a group will work on DBAL implementations taking
> offset in the wrapper functions from 3.6.0. You are right that this will
> take a LOONG time and require a lot of test and basically be marked
> "unstable"

Sounds good to me.

May I ask if there will be another RC before anything will be done in
that direction? An RC2 won't hurt, the lightweight DBAL deserves its own
RC anyway.

> As I see this it perfectly matches your arguments about "waiting for
> 3.7.0" but with the little twist that it really DOES reflect back on
> 3.6.0 as Daniel has so argued. The result: We are not talking about a
> complete DBAL implementation for TYPO3 3.6.0 release; only that initial
> work has been done so the DBAL workgroup can proceed - BUT we still want
> to take the opportunity to raise money for this!

Things are clear now. Sorry for kind of panicking.

Masi
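The "centralized calls for creating queries" idea discussed above, as an added example that is not TYPO3 code or part of this thread. The class and method names are hypothetical; rather than escaping values into the SQL string, the builder returns placeholders plus bound parameters so callers never concatenate untrusted data into a query.

```php
<?php
// Added example (not TYPO3 code): a minimal centralized query builder in the
// spirit of the createInsertQuery/createUpdateQuery idea from the thread.
// Class and method names are hypothetical. Values become bound parameters,
// so the caller never concatenates untrusted data into the SQL text.

final class QueryBuilder
{
    // Table and column names cannot be bound as parameters, so they are
    // validated against a strict pattern and backtick-quoted instead.
    private static function identifier(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        return '`' . $name . '`';
    }

    /** @return array{0: string, 1: array} SQL with '?' placeholders, then the values */
    public static function insertQuery(string $table, array $fields): array
    {
        if ($fields === []) {
            throw new InvalidArgumentException('No fields to insert');
        }
        $cols  = implode(', ', array_map([self::class, 'identifier'], array_keys($fields)));
        $marks = implode(', ', array_fill(0, count($fields), '?'));
        $sql   = 'INSERT INTO ' . self::identifier($table) . " ($cols) VALUES ($marks)";
        return [$sql, array_values($fields)];
    }

    // $where is a developer-written fragment using '?' placeholders; its values
    // arrive in $whereParams and are appended after the SET values.
    public static function updateQuery(string $table, array $fields, string $where, array $whereParams = []): array
    {
        if ($fields === []) {
            throw new InvalidArgumentException('No fields to update');
        }
        $set = implode(', ', array_map(fn ($c) => self::identifier($c) . ' = ?', array_keys($fields)));
        $sql = 'UPDATE ' . self::identifier($table) . " SET $set WHERE $where";
        return [$sql, array_merge(array_values($fields), array_values($whereParams))];
    }
}

// Constructed input: a value containing a quote stays a parameter, never SQL.
$title = "O'Reilly";
[$sql, $params] = QueryBuilder::insertQuery('pages', ['pid' => 1, 'title' => $title]);
echo $sql, PHP_EOL, json_encode($params), PHP_EOL;   // run with $pdo->prepare($sql)->execute($params)
[$sql, $params] = QueryBuilder::updateQuery('pages', ['title' => $title], 'uid = ?', [42]);
echo $sql, PHP_EOL, json_encode($params), PHP_EOL;
```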
