php - Passing $_POST to Db Class Without any Processing


I am trying to pass the $_POST global variable directly to the database through mysqli_real_escape_string without any processing...

Here is the code; it is working fine.

  1. What possible problems arise due to this type of coding?
  2. What are the security risks?
  3. Is this a shortcut, or is there still more...???
class db{
    ... more ...

    public function insert($args=array()){
        if(!isset($args['table']) || !isset($args['values'])){
            return false;
        }
        $table=$args['table'];
        $values=$this->process_insert($args['values']);
        $query="insert {$table} {$values}";
        $result=$this->query2db($query); // method returns mysqli_query()
        if($result){
            return true;
        }else{
            return false;
        }
    }

    protected function process_insert($data=array()){
        $values="";
        $fields="";
        $glue=", ";
        if(isset($data)){
            foreach($data as $key=>$value){
                $key=$this->escape($key);     // method returns mysqli_real_escape_string
                $value=$this->escape($value); // method returns mysqli_real_escape_string
                $fields .="{$key}".$glue;     // keys become column names, inserted unquoted
                $values .="'{$value}'".$glue; // values are quoted as string literals
            }
            $fields=rtrim($fields, $glue);
            $values=rtrim($values, $glue);
            return "({$fields}) values ({$values})";
        }else{
            return false;
        }
    }

    ... more ...
}

if(!empty($_POST)){
    $query=array(
        'table'=>'users',
        'values'=> $_POST // <=== problem here
    );
    $dbobj=new db;
    $dbobj->insert($query);
}

Update:

  • I can use it with Android interactions...
  • auto-generate a form having values in array format
  • and validate using the array

Instead of using mysql_real_escape_string, I suggest using prepared statements. As they say, never trust user input. Escaped data still gets into the database, and don't forget the performance boost of using prepared statements!

Read this post: mysql_real_escape_string vs prepared statements
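The following is an added example, not code from the question or the answer above. It keeps the same `$args` shape (`'table'` and `'values' => $_POST`) but shows what "use prepared statements" looks like in practice for this insert method, and it also addresses the part a prepared statement cannot cover: the array keys in the original code become column names and are concatenated unquoted, and identifiers cannot be bound as parameters, so they are checked against a per-table whitelist instead. The class name `SafeDb`, the `ALLOWED` map, the column names and the connection credentials are all assumptions for illustration; adjust them to your schema. Requires PHP 7.4 or later with mysqli.

```php
<?php
// Added example (not from the question or answer). Assumed names: SafeDb, ALLOWED.
// Two changes versus the original db class:
//   1. table and column names are taken from a whitelist, not from the request,
//      because mysqli_real_escape_string() does not protect an unquoted identifier;
//   2. every value is bound via a prepared statement instead of being escaped.

class SafeDb
{
    private mysqli $conn;

    // Hypothetical schema: allowed tables and the columns a client may set in each.
    // Any other key in the submitted array (e.g. a constructed 'is_admin') is dropped.
    private const ALLOWED = [
        'users' => ['username', 'email', 'display_name'],
    ];

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function insert(array $args): bool
    {
        if (!isset($args['table'], $args['values']) || !is_array($args['values'])) {
            return false;
        }
        $table = $args['table'];
        if (!isset(self::ALLOWED[$table])) {
            return false; // unknown table: refuse rather than escape
        }

        // Keep only whitelisted columns, in whitelist order.
        $columns = [];
        $values  = [];
        foreach (self::ALLOWED[$table] as $col) {
            if (array_key_exists($col, $args['values'])) {
                $columns[] = $col;
                $values[]  = (string) $args['values'][$col];
            }
        }
        if ($columns === []) {
            return false;
        }

        // Identifiers come from the whitelist, so backtick-quoting them is safe;
        // values are bound, so no escaping is needed.
        $sql = sprintf(
            'INSERT INTO `%s` (%s) VALUES (%s)',
            $table,
            implode(', ', array_map(fn($c) => "`{$c}`", $columns)),
            implode(', ', array_fill(0, count($columns), '?'))
        );

        $stmt = $this->conn->prepare($sql);
        if ($stmt === false) {
            return false;
        }
        $stmt->bind_param(str_repeat('s', count($values)), ...$values);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }
}

// Usage with constructed request data standing in for $_POST
// (placeholder connection credentials):
$post = ['username' => "o'brien", 'email' => 'o@example.com', 'is_admin' => '1'];
$conn = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
$db   = new SafeDb($conn);
var_dump($db->insert(['table' => 'users', 'values' => $post]));
// Sends: INSERT INTO `users` (`username`, `email`) VALUES (?, ?) with two bound
// strings; the apostrophe needs no escaping and the 'is_admin' key never reaches
// the query.
```

The whitelist does double duty: it closes the identifier injection that escaping alone leaves open in the original `process_insert()`, and it stops a client from setting columns the form never exposed. If you need the table name or column list to vary, derive them from server-side configuration, never from the request.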
