I Have a class called ‘DBinterface’ and a class called ‘user’.
-
is it perfectly fine for the connect function to be public?
class dbinterface { private $_dbLink; private $dbHost = 'host'; private $dbUser = 'user'; private $dbName = 'name'; private $dbPass = 'pass'; private $dbUserTable = 'table'; public function connect () { $this->_dbLink = mysql_connect($this->_dbHost, $this->_dbUser, $this->_dbPass); if(!$this->_dbLink) throw new Exception ("Could not connect to database. " . mysql_error()); } -
I have a sql table that stores all my users information like userID and password. can i put the name of that table into a function like this without the risk of someone somwhat easily hacking it, or should i put it with my db class?
function registerUser($userName, $userPassword) { $db = new db(); $db->connect(); // Select database mysql_select_db($this->dbName); $query = "insert into usersExample values (NULL, \"$userName\", \"$userPassword\")"; $result = mysql_query($query); // Test to make sure query worked if(!$result) die("Query didn't work. " . mysql_error()); // Get the user ID $this->userID = mysql_insert_id(); // Close database connection mysql_close($dbLink); } // End registerUser()
PS: i have removed password encryption and escape string for legibility.
So you’re asking what the best way to escape data before insert is?
Did you look into mysql_real_escape_string()?
Or are you asking about web security in general? Like making sure nobody can somehow reveal your database info or call the script directly?
You can nest your DB credentials beneath root and include them in this class. You can also prevent directly calling any file by defining a constant elsewhere in a common file and including something like this in the header of every class file:
where obviously you would define IN_APP somewhere else:
If I missed the point feel free to comment and I will adjust as best I can.