Jump to content

Recommended Posts

Hello,

          I'm trying to create a Content Management System (CMS) however, I always feel that my code is insecure and unprofessional. For example, here is some context from my core file:

       

       

 public function getSiteData() {
  $q = "SELECT * FROM siteSettings ORDER BY id DESC LIMIT 1";
  $r = mysql_query($q);
  
  while ( $a = mysql_fetch_assoc($r) ) {
  global $siteName, $siteMotto, $siteIco;
  $siteName = $a['site_name'];
  $siteMotto = $a['site_motto'];
  $siteIco = $a['site_ico'];
        }
  }

public function adminGet() {
    $q = "SELECT * FROM testDB ORDER BY created DESC LIMIT 4";
    $r = mysql_query($q);

    if ( $r !== false && mysql_num_rows($r) > 0 ) {
      while ( $a = mysql_fetch_assoc($r) ) {
        $title = stripslashes($a['title']);
        $bodytext = stripslashes(substr($a['bodytext'],0,100));

 

I seem to feel that the solutions that I approach towards my content management system are insecure, and could lead to easy hacks and injections. Now, when I compare my code to other content management systems, I seem to  see a huge difference in there professional layout, and the way they go about their coding.  I'm only 14, and have been studying PHP for around a year and a half now, I'm wanting to become a little more advanced in PHP, but I can't feel like I can due to my insecure coding. Would anybody be able to point me in the right direction, or tell me where I'm going wrong please?

 

I have MSN and Yahoo, if you'd prefer to contact me that way. MSN: jarrod@tichiegaming.com : Yahoo: Ptsface12.

 

Many thanks,

Jarrod

Link to comment
https://forums.phpfreaks.com/topic/259086-insecure-php/
Share on other sites

1) The while is unnecessary.

 

while ( $a = mysql_fetch_assoc($r) ) {
  global $siteName, $siteMotto, $siteIco;
  $siteName = $a['site_name'];
  $siteMotto = $a['site_motto'];
  $siteIco = $a['site_ico'];
        }

 

Instead just write:

 

$a = mysql_fetch_assoc($r);
global $siteName, $siteMotto, $siteIco;
$siteName = $a['site_name'];
$siteMotto = $a['site_motto'];
$siteIco = $a['site_ico'];

 

2) PHP has a built-in data-access layer called PHP Data Objects (PDO), use it! There are plans to ditch the mysql extension in favor of mysqli, so avoid it, if possible or use PDO. That said use PDO using the mysqli driver.

 

3) Create classes to group related functionality.

 

abstract class DataStoreService {
    private $pdo;
    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }
    protected function query($sql) {
        $stmt = $this->pdo->query($sql);
        if (false === $stmt) {
            throw new ErrorException($this->pdo->errorInfo(), $this->pdo->errorCode());
        }
        return $stmt;
    }
}
class Site {/*represents the site*/}
class SiteSettings extends DataStoreService {
    public function getSiteData() {
        $stmt = $this->query('SELECT * FROM siteSettings ORDER BY id DESC LIMIT 1');
        if ($stmt->rowCount()) {
            return $stmt->fetchObject( 'Site' );
        }
        return null; // no site data available! bad? throw an exception if it is.
    }
}
class Article {/*represents an article*/}
class Articles extends DataStoreService {
    public function getLatest() {
        $stmt = $this->query('SELECT * FROM testDB ORDER BY created DESC LIMIT 4');
        if ($stmt->rowCount()) {
            return $stmt->fetchAll( PDO::FETCH_CLASS, 'Article' );
        }
        return array(); // nothing here!
}

 

4) Avoid the use of the global keyword. You don't need it! Read up on Depedency Injection and Service Containers

Link to comment
https://forums.phpfreaks.com/topic/259086-insecure-php/#findComment-1328362
Share on other sites

Hello!

        Woah thanks, but I don't get ANY of that. So, I'm guessing, that I'd then call the function by $stmt something like this?

 

new SiteSettings;
$stmt;

 

I'm guessing that is TERRIBLY wrong, I'll try and do some research on it, but from what I can gather, I can't understand hardly anything. I'm really only used to basic PHP

Link to comment
https://forums.phpfreaks.com/topic/259086-insecure-php/#findComment-1328384
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.