Release status: experimental
|Description||Dynamically adds a new hook to intercept the database fetchObject and fetchRow methods|
|Latest version||2.0.0 (2007-10-11)|
|Translate the DatabaseFetchHook extension if it is available at translatewiki.net|
|Check usage and version matrix.|
Note: This extension is only recommended for use by developers interested in experimenting with a novel approach for handling security in MediaWiki
This hook was created for the Simple Security extension so that it may overcome all the flaws listed in security issues with authorization extensions in a generic way. To address these flaws, a hook is needed which intercepts the requests for each row of a query result, but no such hook exists as of MediaWiki version 1.11. However, it is possible for such a hook to be added by directly manipulating the classes at runtime thereby not requiring any patching of include files. The hook could also be used by other security extensions to overcome the listed issues. The new hook called DatabaseFetchHook.
How it worksEdit
All database interactions are done on an object of a DatabaseXXX class (the actual name of the class depends on the kind of database, which the hook code can determine at runtime) and a reference to that object is returned by the wfGetDB() global function which in turn asks the global LoadBalancer for a connection. The LoadBalancer is a global variable called $wgLoadBalancer which never changes after it's created, and that means we can exchange it for a new one based on an extended LoadBlancer class which has its reallyOpenConnection() method overridden so that all the objects returned are of the new overridden database classes which have the hook added into their fetchObject and fetchRow methods in the same way as the LoadBalancer class was extended.
- The current version only works for MediaWiki 1.10 and above, but the code can be upgraded to work for all versions