Monday 27 May 2019

mysql - Correct and efficient php form handling

Good afternoon.



I'm a beginner in PHP programming, followed some courses and have a theoretical knowledge about it. I've been hired now and been given some 'basic' tasks. Coworkers here tell me that 'real world' code differs a bit from what it is taught at University, in books and the like. I've been reading about security and found out about SQL-injection. I also learned that the best way to avoid them is using prepared statements and parameters bounding.



So, I'd be very thankful if you could give me your opinions or suggestions about the code below. Please, anything you have to say will be very useful. Opinions about the logic of the code, about the structure, about performance, about security... anything. 




if (isset($_POST['username']) && isset($_POST['password']))
{
    $dbaddress = 'myhost';
    $dbuname = "database_user";
    $dbpass = "database_password";
    $dbname = 'customers_db';

    $r = new mysqli($dbaddress, $dbuname, $dbpass, $dbname);


    $q = $r->prepare("SELECT * FROM users WHERE uAccessName = ? AND uAccessPass = ?");
    $q->bind_param("ss", $user, $pass);

    $user = $_POST['username'];
    $pass = $_POST['password'];
    $q->execute();
    $q->store_result();

    if ($q->num_rows === 1)
        // Do many many other things here

        echo "
Access granted
";
    else
        echo "
Access denied
";

    $q->close();
    $r->close();
} else {
    // Handle the case where the form sent no data
}



Thanks a lot.

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print &q...