Jump to content

First Database Class, Critique Request

mdvaldosta

By mdvaldosta
in PHP Coding Help

 Share

Recommended Posts

mdvaldosta Newbie

mdvaldosta

Posted
Posted

I'm starting to work with objects and using prepared statements for database interaction, and wrote a class to use in a current project. Wanted to get input on how I could improve it and if it's efficient, for example making sure doing it this way closes the db connection as expected and I'm binding everything properly. I'm also concerned about security, as binding variables is supposed to be safe but I'm still really uneasy about not sanitizing POST and GET before using them.

 

class DatabaseFunctions
{
protected $_dbc;
protected $_stmt;
protected $_result;

// Sets the database connection when object is initiated
public function __construct()
{
	$this->_dbc = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME) or die('Could not connect to the database.');
}

// (add.php) Build the category list so we can populate the add form's dropdown box
public function getCategoryListDropDown()
{	
	// Prepare the statement and execute it
	if ($this->_stmt = $this->_dbc->prepare("SELECT feed_id, title FROM feeds")) {
		$this->_stmt->execute();

		// Bind results to variables
		$this->_stmt->bind_result($feed_id, $title);

		// Loop through the results and print them out
		while ($this->_stmt->fetch()) {
			$format = '<option value="%d">%s</option>';
			$this->_result = printf($format, $feed_id, $title); 
		}

		// We're done, close the statement to free the resources
		$this->_stmt->close();
	}
	return $this->_result;
}

// (add.php) Submit the form results from the add.php page
public function submitAddData()
{	
	// Prepare statement and bind variables
	if ($this->_stmt = $this->_dbc->prepare("INSERT INTO items (id, url, title, description, time, feed_id) VALUES (NULL, ?, ?, ?, NOW(), ?)")) { 
		$this->_stmt->bind_param('sssd', $url, $title, $description, $feed_id); 

		// Grab the variables we'll be executing
		$url = $_GET['url'];
		$title = $_POST['title'];
		$description = $_POST['description'];
		$feed_id = $_POST['category'];

		// Execute and close prepared statement
		$this->_stmt->execute();
		$this->_stmt->close();
	}
}

// Close the database connection when the object is done with it
public function __destruct()
{
	$this->_dbc->close();
}
}

Link to comment
Share on other sites
ignace Advanced Member

ignace

Posted
Posted

Don't wrap an object around an object either use it or extend it.

 

class FeedManager extends MySQLi {
     public function getCategoryList() { /* logic, return $categoryList; */ }
}

class ItemManager extends MySQLi {
    public function add($config) { /* logic */ }
}

class DropDownWidget {
    public function __construct($config = array()) { /* logic */ }
    public function render() { /* logic, renders the dropdown */ }
    public function __toString() { return $this->render(); }
}

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.