
I am pretty new to PHP, and furthermore PDO, so I am not fully aware of what to avoid (and include) when accessing databases apart from SQL injection. (FYI, in the example below the table "users" also includes passwords.) However, would accessing the database using a function like the one below to get information be safe? Is it prone to attacks?

And if you don't understand why I've done this, it's because I find it quicker and it will make it easier when linking tables :)

```php
<?php
    require("access/common.php");   // assumed to define $db as a PDO connection

    function getval($username, $column, $table, $datab){
        // NOTE: $table is concatenated straight into the SQL text;
        // only the $username value goes through a bound placeholder.
        $query = "
            SELECT
                id,
                username,
                email
            FROM " . $table . "
            WHERE
                username = :username
        ";
        $query_params = array(
            ':username' => $username,
        );
        try
        {
            $stmt = $datab->prepare($query);
            $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            die();
        }
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Only return a column the SELECT actually fetched; otherwise
        // $row[$column] would be an undefined index.
        if($row && array_key_exists($column, $row))
        {
            return $row[$column];
        }
        return null;   // no matching row, or a column not in the SELECT list
    }

    echo getval("USERNAME", "email", "users", $db);
?>
```
Yusaf Khaliq
  • It looks like you're writing some kind of database access layer. Have you considered using one [that's already written](http://stackoverflow.com/questions/108699/good-php-orm-library)? – tadman Oct 22 '12 at 17:54

2 Answers

1

The question you ask is very open-ended. Your biggest vector for attack is always what you do with user input (anything that a user can submit to your application/website through $_GET or $_POST variables). Certainly there are no security threats with the PHP language constructs, e.g. functions.

In your example I can see that you are binding the ":username" parameter but not the ":table" parameter, which might be a vector for injection if you accept unsanitized user input and use it as the "$table" value.

Always be careful how you use $_GET and $_POST values... and when this becomes tedious, look for a framework to make some of this automatic.

stephenfrank
  • `$table` cannot be escaped with placeholders or it would end up a literal string, and as such, would render the query invalid. In general practice you should be certain that `$table` cannot contain hostile values, for instance, by vetting it against a known white-list of acceptable values if it's provided by a user, or by ensuring it's only supplied internally, never from `$_GET`, `$_POST` or `$_SESSION`. – tadman Oct 22 '12 at 17:56
0

A function is no safer or less safe than code outside of a function. If it's something you're going to be using more than once or twice, definitely put it in a function. As long as you're using PDO properly you'll be fine.

That said, you might want to put all your database functions in a class, then instantiate a $db object of that class, from which you can then call any database functions you need. There's lots of ways to organize your code to make things easier to work with.

user428517
  • Thank you :) I've only just thought of this, but wouldn't it also be a bit extensive if the statement will be executed repeatedly? – Yusaf Khaliq Oct 22 '12 at 16:23
  • Extensive how? Functions are meant to be called more than once. However, if you're going to be running certain queries over and over, you might want to look into stored procedures in MySQL. – user428517 Oct 22 '12 at 16:25
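The two answers together make one practical point: bind the user-supplied value as a placeholder, and since a table or column name cannot be a placeholder (tadman's comment), vet those identifiers against a fixed allow-list before they reach the SQL text; the second answer adds that such helpers belong in a class. The following is an added example that does both and is not code from the question or either answer. The class name, the allow-list contents and the in-memory SQLite schema are assumptions made for the demo:

```php
<?php
// Added example: a hardened version of getval() wrapped in a class.
// Table and column names cannot be bound as PDO placeholders, so they are
// checked against a fixed allow-list before being interpolated; the WHERE
// value is still bound. Class name, allow-list and schema are assumptions.

final class UserLookup
{
    // Every table and column this helper is permitted to touch.
    private const ALLOWED = [
        'users' => ['id', 'username', 'email'],
    ];

    /** @var PDO */
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // Surface driver errors as exceptions instead of silently returning false.
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    /** Return one column of the row whose username matches, or null if there is none. */
    public function getval(string $username, string $column, string $table): ?string
    {
        if (!isset(self::ALLOWED[$table]) || !in_array($column, self::ALLOWED[$table], true)) {
            // Refuse anything not on the allow-list rather than building SQL from it.
            throw new InvalidArgumentException("Unknown table/column: $table.$column");
        }
        // The identifiers are known-good now; the user value is bound, never concatenated.
        $sql  = sprintf('SELECT `%s` FROM `%s` WHERE username = :username', $column, $table);
        $stmt = $this->db->prepare($sql);
        $stmt->execute([':username' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : (string) $row[$column];
    }
}

// Constructed demo data in an in-memory SQLite database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, email, password) VALUES ('alice', 'alice@example.com', 'not-a-real-hash')");

$lookup = new UserLookup($db);
var_dump($lookup->getval('alice', 'email', 'users'));   // string "alice@example.com"
var_dump($lookup->getval('nobody', 'email', 'users'));  // NULL: no such row

try {
    // "password" is deliberately absent from the allow-list, so this is refused
    // before any SQL is built, even though the column exists in the table.
    $lookup->getval('alice', 'password', 'users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allow-list is the part that matters: a placeholder protects the `:username` value, but `$table` and `$column` only become safe because the code refuses any value it did not put on the list itself, which also keeps columns such as the password hash out of reach of a caller that merely passes a different string.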