Good afternoon.
I'm a beginner in PHP programming; I've followed some courses and have theoretical knowledge of it. I've now been hired and been given some 'basic' tasks. Coworkers here tell me that 'real world' code differs a bit from what is taught at university, in books and the like. I've been reading about security and found out about SQL injection. I also learned that the best way to avoid it is using prepared statements and parameter binding.
So I'd be very thankful if you could give me your opinions or suggestions about the code below. Anything you have to say will be very useful: opinions about the logic of the code, about the structure, about performance, about security... anything.
if (isset($_POST['username']) && isset($_POST['password']))
{
    // Database connection settings
    $dbaddress = 'myhost';
    $dbuname = "database_user";
    $dbpass = "database_password";
    $dbname = 'customers_db';
    $r = new mysqli($dbaddress, $dbuname, $dbpass, $dbname);

    // Read the submitted values before binding them, so the bound variables are set
    $user = $_POST['username'];
    $pass = $_POST['password'];

    // Prepared statement: the two placeholders are bound as strings, so the input
    // is sent as data and cannot change the query text.
    // Note: this compares the submitted password directly against the stored column value.
    $q = $r->prepare("SELECT * FROM users WHERE uAccessName = ? AND uAccessPass = ?");
    $q->bind_param("ss", $user, $pass);
    $q->execute();
    $q->store_result();

    if ($q->num_rows === 1) {
        // Do many many other things here
        echo "Access granted\n";
    } else {
        echo "Access denied\n";
    }

    $q->close();
    $r->close();
} else {
    // Handle the case where the form sent no data
}
Thanks a lot.
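An added example (not the poster's code) of the same login check with the stored password replaced by a hash, so the prepared statement still stops injection and a leaked users table no longer exposes passwords. It assumes PDO with an in-memory SQLite database in place of mysqli/MySQL so it runs without a server, and reuses the post's table and column names; the sample user and the checkLogin() function are constructed for the example.

```php
<?php
// Added example, not the poster's code. Keeps the prepared-statement approach
// from the post but compares against a password_hash() value instead of the
// plaintext password. PDO + SQLite is used only so the example runs stand-alone;
// the same query and binding apply to mysqli/MySQL.
declare(strict_types=1);

// Constructed sample schema mirroring the post's column names. uAccessPass now
// stores a password hash, never the plaintext password.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (uAccessName TEXT PRIMARY KEY, uAccessPass TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (uAccessName, uAccessPass) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only when the username exists and the submitted
 * password matches the stored hash. The query selects by username alone; the
 * password is checked in PHP with password_verify(), not in SQL.
 */
function checkLogin(PDO $pdo, string $user, string $pass): bool
{
    // Dummy hash so an unknown username still costs one hash comparison and
    // the response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused-dummy-password', PASSWORD_DEFAULT);

    // The placeholder is bound as data, so the username can never alter the query.
    $stmt = $pdo->prepare('SELECT uAccessPass FROM users WHERE uAccessName = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($pass, $dummyHash);
        return false;
    }
    // password_verify() performs the comparison against the stored hash.
    return password_verify($pass, (string) $hash);
}

// Constructed inputs: a correct login, a wrong password, and a username that
// contains SQL syntax (treated as an ordinary string because it is bound as data).
var_dump(checkLogin($pdo, 'alice', 'correct horse'));
var_dump(checkLogin($pdo, 'alice', 'wrong'));
var_dump(checkLogin($pdo, "' OR '1'='1", 'anything'));
```

With this structure the SQL compares only the username, so the old `AND uAccessPass = ?` clause and the plaintext column are no longer needed.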