开发者

How can i improve this code [closed]

问答 作者:
Closed. This question needs to be more focused. It is not currently accepting answers.

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 5 years ago.

开发者_如何转开发 Improve this question

I have added this function in my user class.

  • Is this function Place in the User Class is right.
  • How should i handle the database query error in this function.
  • Or I can Use any Database class for executing the queries that will helpful.
  • What should it return to the call of the function.

Please Help. Thanks 

    function adduser() {

        // Storing data in database
         $sql = "INSERT INTO users  (   alias,  firstname,  lastname,   PASSWORD,email  )
            VALUES  (   '$this->alias',     '$this->firstname',     '$this->lastname',  AES_ENCRYPT('$this->password','text'),'$this->email'    );";
        $result = mysql_query($sql);

        $this->userid=mysql_insert_id();

        //make profile card in cards table...
        $sql="INSERT INTO cards ( userid_from,  userid_to,  eventid,    gibid, 
            card_type,  message ,status,isDeck) VALUES  (   '$this->userid',    '$this->userid',    'eventid',  '$spaceid',     'V', '','A','Y' )"  ;   
        @mysql_query($sql);     
        $id_card=mysql_insert_id(); 

        $systemgibid=systemgibid();
        //make system gib card in cards table...
        $sql="INSERT INTO cards ( userid_from,  userid_to,  eventid,    gibid, 
            card_type,  message ,status,isDeck) VALUES  (   '',     '$this->userid',    'eventid',  '$systemgibid',     'A', '','A','N' )"  ;   
        @mysql_query($sql);     


        $this->firstname=$this->firstname."\'s Gib";
        //create gibs define in connection.php type D for default gib
        creategib($this->firstname,'D',$this->userid);


    }

The biggest thing you can do is protect your SQL by using prepared statements. Right now you are vulnerable to the classic SQL injection vulnerability.

More on prepared statements: http://php.net/manual/en/pdo.prepared-statements.php

If you do not want to use PDO, at the very least use mysql_real_escape_string

Is this function Place in the User Class is right. Yes

How should i handle the database query error in this function. Use try {} catch () {} , throw an exception if anything was wrong

Or I can Use any Database class for executing the queries that will helpful. Use PDO for db queryes

What should it return to the call of the function. boolean true on success , throw exception on failure log the exception and return false

Three things:

  1. STOP, please STOP using '@' to suppress errors. Use exception handling.
  2. Try to use PDO or escape the query parameters using mysql_real_escape_string
  3. Let all the querying be done form a single class. It will keep your exception handling cases (As mentioned in point 1) in a single place.

HI USE try{}catch things ans set error message whenever you get. and than catch it in exception. and than display it all.

继续阅读:error-handlingoopphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9