Yes, your code is perfect to practice SQL injection.
Any basic example may be used. You picked the 100% procedural version and I can't see a single mysqli_real_escape_string()!
But, @tim already took care of that, with really good advice.
To add on to all the existing answers, there are plenty of things that are in need of an intervention:
You have some useless repeated code!
You currently have repeated these lines:
<?php ini_set('display_errors', 1);
error_reporting(E_ALL ^ E_NOTICE); ?>
You can throw those away by creating the following php.ini file:
display_errors = 1
error_reporting = E_ALL ^ E_NOTICE
There you go! And now all your pages will have these settings!
Stop die()ing on me!
Really, you can't handle a die()! The code simply ... dies...
You should throw some nice exception, and handle it like a champ instead of displaying a half-loaded page.
Basically, your page eats itself because the user doesn't exist?
Don't close the PHP tag in a page that will be used to only include classes/files!
This will prevent you from accidentally sending garbage to the browser, forcing the headers to be sent. PHP automatically tries to prevent this and deletes 1 and only 1 whitespace after the closing tag. If you have bad luck, and you have 2 newlines, you will see this:
Warning: Cannot modify header information - headers already sent by (output started at /some/file.php:12) in /some/file.php on line 23
If you run session_start();, besides displaying that information, the sessions won't work!
The way you load your database configurations is scary!
You have 4 variables inside the constructor of the class.
Every time you share this code, you may accidentally send your server's authentication data! And you may not notice it until someone messes with it!
This is my suggestion: create a separate file, like this:
<?php
//THE ELEMENTS MUST HAVE THE SAME ORDER AS THE ARGUMENTS
return array(
'host' => '127.0.0.1', //always prefer the IP
'username' => 'john_doe',
'password' => 'bla bla bla',
'bd' => 'database'
);
To connect, use this:
$con = call_user_func_array('mysqli_connect', array_values(require('bd-config.php')));
And now, you can send this to someone else without problems. And, in case you need to change something in the future, you only change it in that file, instead of sniffing around 200+ lines (in case the code increases).
And if someone tries to access it from http://localhost/bd-config.php, they will simply see a white screen!
I hope that this helped you.
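
Added example, not part of the answer above and not the asker's code: one way to combine the separate `bd-config.php` file with exceptions instead of `die()`, so a missing user or a database failure produces a complete error response rather than a half-rendered page. The `users` table, its columns, the `user` request parameter and the `UserNotFound` class are assumptions made for illustration, and the lookup uses a prepared statement rather than `mysqli_real_escape_string()`.

```php
<?php
// Added example. Assumes bd-config.php (as shown in the answer) sits next to this file.

// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical exception type for the "user does not exist" case.
class UserNotFound extends RuntimeException {}

function db_connect(string $configFile): mysqli
{
    // The config file returns an array ordered as host, username, password, database.
    $cfg = require $configFile;
    return mysqli_connect(...array_values($cfg));
}

function find_user(mysqli $con, string $name): array
{
    // Hypothetical table and column names. The value is bound, never concatenated.
    $stmt = mysqli_prepare($con, 'SELECT id, name FROM users WHERE name = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if (!$row) {
        throw new UserNotFound('No such user');
    }
    return $row;
}

try {
    $con  = db_connect(__DIR__ . '/bd-config.php');
    $user = find_user($con, $_GET['user'] ?? '');
    echo 'Hello, ' . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8');
} catch (UserNotFound $e) {
    // Expected condition: answer with a clean 404 instead of dying mid-page.
    http_response_code(404);
    echo 'User not found.';
} catch (mysqli_sql_exception $e) {
    // Keep connection details and SQL errors in the server log, not in the response.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Something went wrong, please try again later.';
}
```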