I have added this function in my user class.
- Is this function Place in the User Class is right.
- How should i handle the database query error in this function.
- Or I can Use any Database class for executing the queries that will helpful.
- What should it return to the call of the function.
Please Help. Thanks
function adduser() {
// Storing data in database
$sql = "INSERT INTO users ( alias, firstname, lastname, PASSWORD,email )
VALUES ( '$this->alias', '$this->firstname', '$this->lastname', AES_ENCRYPT('$this->password','text'),'$this->email' );";
$result = mysql_query($sql);
$this->userid=mysql_insert_id();
//make profile card in cards table...
$sql="INSERT INTO cards ( userid_from, userid_to, eventid, gibid,
card_type, message ,status,isDeck) VALUES ( '$this->userid', '$this->userid', 'eventid', '$spaceid', 'V', '','A','Y' )" ;
@mysql_query($sql);
$id_card=mysql_insert_id();
$systemgibid=systemgibid();
//make system gib card in cards table...
$sql="INSERT INTO cards ( userid_from, userid_to, eventid, gibid,
card_type, message ,status,isDeck) VALUES ( '', '$this->userid', 'eventid', '$systemgibid', 'A', '','A','N' )" ;
@mysql_query($sql);
$this->firstname=$this->firstname."\'s Gib";
//create gibs define in connection.php type D for default gib
creategib($this->firstname,'D',$this->userid);
}
The biggest thing you can do is protect your SQL by using prepared statements. Right now you are vulnerable to the classic SQL injection vulnerability.
More on prepared statements:
http://php.net/manual/en/pdo.prepared-statements.php
If you do not want to use PDO, at the very least use
mysql_real_escape_string