Member Avatar for Marco_4

Hello, simple information. I was creating the connection to the database files with various functions, such as: "Get One, getAll".

I wondered if their syntax was safe against sql attacks, though in fact could be improved with the inclusion of the bind, but do not know how to make them better.

However, the code is this:

class db {
    private $conn;
    private $host;
    private $user;
    private $password;
    private $baseName;
    private $port;
    private $Debug;

    function __construct($params=array()) {
        $this->conn = false;
        $this->host = 'localhost'; //hostname
        $this->user = 'gallery'; //username
        $this->password = 'Macchinona321654987'; //password
        $this->baseName = 'gallery'; //name of your database
        $this->port = '3306';
        $this->debug = true;
        $this->connect();
    }

    function __destruct() {
        $this->disconnect();
    }

    function connect() {
        if (!$this->conn) {
            try {
                $this->conn = new PDO('mysql:host='.$this->host.';dbname='.$this->baseName.'', $this->user, $this->password, array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'));  
            }
            catch (Exception $e) {
                die('Erreur : ' . $e->getMessage());
            }

            if (!$this->conn) {
                $this->status_fatal = true;
                echo 'Connection BDD failed';
                die();
            } 
            else {
                $this->status_fatal = false;
            }
        }

        return $this->conn;
    }

    function disconnect() {
        if ($this->conn) {
            $this->conn = null;
        }
    }

    function getOne($query) {
        $result = $this->conn->prepare($query);
        $ret = $result->execute();
        if (!$ret) {
           echo 'PDO::errorInfo():';
           echo '<br />';
           echo 'error SQL: '.$query;
           die();
        }
        $result->setFetchMode(PDO::FETCH_ASSOC);
        $reponse = $result->fetch();

        return $reponse;
    }

    function getAll($query) {
        $result = $this->conn->prepare($query);
        $ret = $result->execute();
        if (!$ret) {
           echo 'PDO::errorInfo():';
           echo '<br />';
           echo 'error SQL: '.$query;
           die();
        }
        $result->setFetchMode(PDO::FETCH_ASSOC);
        $reponse = $result->fetchAll();

        return $reponse;
    }

        function Count($query) {
                $result = $this->conn->prepare($query);
                $ret = $result->execute();
        if (!$ret) {
           echo 'PDO::errorInfo():';
           echo '<br />';
           echo 'error SQL: '.$query;
           die();
        }
        $result->fetchAll(PDO::FETCH_ASSOC);
        $reponse = $result->rowCount();

        return $reponse;
    }


    function execute($query) {
        if (!$response = $this->conn->exec($query)) {
            echo 'PDO::errorInfo():';
           echo '<br />';
           echo 'error SQL: '.$query;
           die();
        }
        return $response;
    }
}
  • 2 Contributors
  • 1 Reply
  • 180 Views
  • 3 Hours Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

I wondered if their syntax was safe against sql attacks, though in fact could be improved with the inclusion of the bind, but do not know how to make them better.

Use prepared statements, add a second parameter to the getOne() and getAll() methods and send an array, for example:

function getOne($query, $input) {
    $result = $this->conn->prepare($query);
    $ret = $result->execute($input);
    if (!$ret) {
       echo 'PDO::errorInfo():';
       echo '<br />';
       echo 'error SQL: '.$query;
       die();
    }
    $result->setFetchMode(PDO::FETCH_ASSOC);
    $reponse = $result->fetch();

    return $reponse;
}

function getAll($query, $input) {
    $result = $this->conn->prepare($query);
    $ret = $result->execute($input);
    if (!$ret) {
       echo 'PDO::errorInfo():';
       echo '<br />';
       echo 'error SQL: '.$query;
       die();
    }
    $result->setFetchMode(PDO::FETCH_ASSOC);
    $reponse = $result->fetchAll();

    return $reponse;
}

Then when you execute the query you do:

$input = [1, 2, 3];

$db = new db;
$result = $db->getAll("select * from users where id IN(?, ?, ?)", $input);
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.