Monday, May 27, 2019

mysql - Correct and efficient php form handling

Good afternoon.

I'm a beginner in PHP programming; I followed some courses and have theoretical knowledge about it. I've been hired now and been given some 'basic' tasks. Coworkers here tell me that 'real world' code differs a bit from what is taught at university, in books and the like. I've been reading about security and found out about SQL injection. I also learned that the best way to avoid it is using prepared statements and parameter binding.

So, I'd be very thankful if you could give me your opinions or suggestions about the code below. Please, anything you have to say will be very useful. Opinions about the logic of the code, about the structure, about performance, about security... anything.

    <?php
    if (isset($_POST['username']) && isset($_POST['password']))
    {
        $dbaddress = 'myhost';
        $dbuname = "database_user";
        $dbpass = "database_password";
        $dbname = 'customers_db';

        $r = new mysqli($dbaddress, $dbuname, $dbpass, $dbname);

        $q = $r->prepare("SELECT * FROM users WHERE uAccessName = ? AND uAccessPass = ?");
        // bind_param() binds by reference, so the values assigned below are the ones sent at execute()
        $q->bind_param("ss", $user, $pass);

        $user = $_POST['username'];
        $pass = $_POST['password'];
        $q->execute();
        $q->store_result();

        if ($q->num_rows === 1)
            // Do many many other things here
            echo "Access granted";
        else
            echo "Access denied";

        $q->close();
        $r->close();
    } else {
        // Handle the case where the form sent no data
    }

Thanks a lot.
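A reworked version of the handler, added here as an example and not part of the poster's code. It keeps the bound-parameter query, which is what stops injection, but also stores password hashes and checks them with password_verify(), because the original compares uAccessPass as plaintext and that is the larger weakness once injection is ruled out. To run without a MySQL server it uses PDO against an in-memory SQLite table with one constructed user; the users table and column names come from the question, while the connect() and checkLogin() functions, the DSN and the sample credentials are assumptions for the example.

```php
<?php
// Added example (not the poster's code): login check with PDO prepared
// statements and hashed passwords. SQLite in memory stands in for the
// customers_db MySQL database; only the DSN would change for MySQL.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: in-memory SQLite instead of the question's MySQL host.
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false from prepare()/execute().
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares (matters for the MySQL driver, ignored by SQLite).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (uAccessName TEXT PRIMARY KEY, uAccessPass TEXT NOT NULL)');

    // Constructed sample row: the column holds a bcrypt hash, never the password itself.
    $ins = $pdo->prepare('INSERT INTO users (uAccessName, uAccessPass) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

/**
 * True only when the user exists and the password matches the stored hash.
 * The username is a bound parameter, so quotes or SQL keywords in it are
 * compared literally and cannot change the shape of the query.
 */
function checkLogin(PDO $pdo, string $user, string $pass): bool
{
    $q = $pdo->prepare('SELECT uAccessPass FROM users WHERE uAccessName = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();   // false when no row matched

    if ($hash === false) {
        // Unknown user: still do one hash comparison so the response time
        // does not reveal whether the username exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('unused', PASSWORD_DEFAULT);
        password_verify($pass, $dummyHash);
        return false;
    }
    return password_verify($pass, $hash);
}

$pdo = connect();

// Constructed inputs standing in for $_POST['username'] / $_POST['password'].
$attempts = [
    ['alice', 'correct horse battery staple'],   // valid credentials
    ['alice', 'wrong password'],                 // right user, wrong password
    ["o'brien", 'anything'],                     // a quote in the name is just data
    ["' OR '1'='1", "' OR '1'='1"],             // classic injection text, compared literally
];

foreach ($attempts as [$user, $pass]) {
    $result = checkLogin($pdo, $user, $pass) ? 'Access granted' : 'Access denied';
    echo str_pad($user, 14) . ' => ' . $result . PHP_EOL;
}
```

Run it with `php login.php`: only the first attempt prints "Access granted", and the last two are denied because the bound username never matches a row rather than because anything was escaped by hand. In a real handler the connection settings would live outside the web root and the "many other things" would happen only after checkLogin() returns true.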
