Is it safe to run this query on the page people will be on?
Sorry, this is probably a really stupid question, but is it safe to run this code on the page the people will be viewing, or should I wrap it in a function instead and call that?
$stmt = $db->prepare("select isbn, title, author, coef, bookid from .... where userid = ? and username = ?");
/* Binding 2 parameters: "i" for the integer userid, "s" for the string username. */
$stmt->bind_param("is", $userid, $username);
/* Binding the result columns: one variable per selected column, in order. */
$stmt->bind_result($isbn, $title, $author, $coef, $bookid);
/* Executing the statement */
$stmt->execute() or die("Could not execute statement");
/*
 * Making PHP buffer the whole result,
 * not recommended if there is a blob or
 * text field as PHP eats loads of memory
 */
$stmt->store_result();
while ($stmt->fetch()) {
    /*
     * Here you can use the variables $isbn, $title, $author, $coef, $bookid,
     * which contain the data for 1 row.
     * They are HTML-escaped on output so a value stored in the database
     * cannot inject markup or script into the page.
     */
    print "<tr>".
        "<td>".htmlspecialchars($isbn, ENT_QUOTES, 'UTF-8')."</td>".
        "<td>".htmlspecialchars($title, ENT_QUOTES, 'UTF-8')."</td>".
        "<td>".htmlspecialchars($author, ENT_QUOTES, 'UTF-8')."</td>".
        "</tr>";
}
They will be the same from a security point of view. It's a question of software design. However, you may want to consider better error handling (at least for production). Specifically, it's not really necessary to leak the cause of the error ("Could not execute statement"). Usually, you want a generic error page ("Sorry, the server's having problems! Try going to the home page.").
Correct me if I'm wrong, but you seem to be concerned that people can view your PHP code, and that if you put it in a different file and did
$dataAccessor = new MyDataAccessorObject();
$dataAccessor->checkUser($userId, $userName);
they wouldn't see anything meaningful, correct?
Whether or not that code is a function away doesn't matter. Even on PHP pages that people 'view', they don't get to see the code, just the HTML that gets rendered. Between the PHP tags, the only stuff that affects what the user can see if they were to hit 'view source' is whatever gets echoed or printed.
Try to view the PHP here, I dare you! http://lirr42.mta.info/schedules.php (this is just a random example, nothing special compared to anything else)
What you need to worry about security-wise is the input and SQL injection. It seems that your parameterization handles that. I would imagine that either the user name or the user id comes from a form, and you need to make sure that some jerk doesn't enter a username like blah' OR 1=1
and cheat. Your prepared statement and parameter binding should handle that. If you are unsure, you can sanitize with mysql_real_escape_string.
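The "blah' OR 1=1" cheat from the answer above, shown end to end as an added example (this is not code from the question or from either answer). It runs the same lookup twice against an in-memory SQLite table, once with the username pasted into the SQL text and once with bound parameters, which is the same mechanism as the question's mysqli bind_param("is", ...): the driver sends the SQL and the values separately, so a quote inside the value never changes the query. The table, its rows and the payload are all constructed for the demo.

```python
"""Added example (not code from the question or the answers above): the same
lookup written twice, once by pasting user input into the SQL text and once
with bound parameters, run against an in-memory SQLite table so it works
offline. The mechanism is the same as mysqli's bind_param: the driver sends
the SQL and the values separately, so a quote in the value never changes the
query. Table, rows and the payload are constructed for this demo."""
import sqlite3

# Constructed sample data: a small table shaped like the one in the question.
ROWS = [
    (1, "alice", "978-0-306-40615-7", "Applied Cryptography", "Schneier", 1.0, 10),
    (2, "bob",   "978-1-59327-290-6", "The Linux Programming Interface", "Kerrisk", 0.5, 11),
    (3, "carol", "978-0-321-35670-3", "Secure Coding in C and C++", "Seacord", 0.8, 12),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table books (userid integer, username text, isbn text,"
        " title text, author text, coef real, bookid integer)"
    )
    db.executemany("insert into books values (?, ?, ?, ?, ?, ?, ?)", ROWS)
    return db


def lookup_vulnerable(db, userid: int, username: str):
    """Builds the SQL by string concatenation: the 'before' picture.
    The quotes around username are part of the SQL text, so the value can
    close them and append its own condition."""
    sql = (
        "select isbn, title, author from books where userid = "
        + str(int(userid))
        + " and username = '" + username + "'"
    )
    return db.execute(sql).fetchall()


def lookup_bound(db, userid: int, username: str):
    """Parameterised form, the equivalent of the question's bind_param("is", ...).
    The SQL text is fixed; the ? placeholders are filled by the driver after
    parsing, so the value is only ever compared, never interpreted as SQL."""
    sql = "select isbn, title, author from books where userid = ? and username = ?"
    return db.execute(sql, (userid, username)).fetchall()


# The 'cheat' from the answer above. A bare "blah' OR 1=1" would leave the
# closing quote of the SQL text unbalanced and fail to parse, so the working
# form re-opens the string:
#   ... and username = 'blah' OR '1'='1'
# AND binds tighter than OR, so every row in the table matches.
PAYLOAD = "blah' OR '1'='1"


def demo():
    db = make_db()
    legit = lookup_bound(db, 1, "alice")
    injected = lookup_vulnerable(db, 1, PAYLOAD)
    bound = lookup_bound(db, 1, PAYLOAD)
    return {
        "legit_rows": len(legit),        # 1: alice's own book
        "injected_rows": len(injected),  # 3: the whole table leaks
        "bound_rows": len(bound),        # 0: no user is literally named that
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the bound version does not "sanitize" the payload: it looks it up literally, so a user whose name really is `blah' OR '1'='1` would be found and nobody else would. That is why the prepared statement alone is enough and no extra escaping of the bound values is needed.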