The PDO connection is:

  public function __construct() {
      $this->conn = new PDO("mysql:host=localhost;dbname=dms", "root", "");
      $this->conn->exec("SET CHARACTER SET utf8");
  }

Now here is the function that fetches the required rows.

  public function getAny() {
      $stmt9 = $this->conn->prepare("SELECT * FROM " . self::$table_name);
      $stmt9->execute();
      return $stmt9 = $stmt9->fetchAll();
  }

After this, in the view we fetch the rows returned by that function. This is view.php:

  $doc = $organ->getAny();
  if (count($doc)) {
      foreach ($doc as $data) {
          echo $data['id'] . "<br />";
          echo $data['nameARABIC'] . "<br />";
      }
  }

Is this view.php secure, and what else should I do to secure it further? Regards,

SAR

1 Answer


What you're doing is pretty safe, though I suggest you use "SET NAMES UTF8" instead of "set character set". Or better, if you're on PHP >= 5.3.6 you can use the "charset" parameter INSIDE the DSN. Further information.

Also, to avoid SQL injection, you should ALWAYS avoid putting user input inside a string and then using it for SQL. E.g. if self::$table_name were user input (though it's not), you should be careful and do one of two things:

In the end:

return $stmt9 = $stmt9->fetchAll();

This will return whether or not the assignment was completed (either true or false, not the content of $stmt9->fetchAll()).

As pointed out by YourCommonSense, the behaviour described in the last part is not correct.

Kei
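The points raised above (charset in the DSN, never splicing untrusted input into the SQL string, and escaping what view.php echoes) put together, as an added example that is not the asker's or the answerer's code. It assumes the same local "dms" database and a table with id and nameARABIC columns; the table whitelist and the table names in it are constructed placeholders, and PHP 7.1 or newer is assumed.

```php
<?php
// Added example: hardened versions of the connection, getAny() and the
// view.php loop from this page. Table names below are constructed placeholders.

class Organ
{
    // Identifiers cannot be bound as PDO parameters, so only names listed
    // here may ever reach the SQL string (whitelist, not escaping).
    private const ALLOWED_TABLES = ['organs', 'documents'];
    private $conn;

    public function __construct()
    {
        // charset in the DSN (PHP >= 5.3.6) replaces SET CHARACTER SET /
        // SET NAMES and keeps the connection charset consistent with PDO.
        $dsn = 'mysql:host=localhost;dbname=dms;charset=utf8';
        $this->conn = new PDO($dsn, 'root', '', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function getAny(string $table): array
    {
        if (!in_array($table, self::ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException('Unknown table');
        }
        $stmt = $this->conn->prepare('SELECT id, nameARABIC FROM `' . $table . '`');
        $stmt->execute();
        return $stmt->fetchAll(); // the rows themselves, no assignment in the return
    }
}

// view.php: escape every value before echoing it into HTML, so a stored
// string such as "<script>" is rendered as text rather than executed.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$organ = new Organ();
foreach ($organ->getAny('organs') as $data) {
    echo e($data['id']) . "<br />";
    echo e($data['nameARABIC']) . "<br />";
}
```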