Reputation: 1705
I am trying to create my own class to work/play with database with PDO. I am having the following method in my class:
    private function connect(){
        try{
            $this->con = new PDO("mysql:host={$this->host};dbname={$this->db_name};charset=utf8", $this->db_user, $this->db_pass);
            $this->con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $this->con->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
            $this->con->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }catch(PDOException $ex){
            $this->catchError($ex);
        }
    }
Is there anything vulnerable in my connection? Meanwhile, I am providing other CRUD methods in my class like this:
    public function getRecordSet($sql,$bindVars=array()){
        $ary = array();
        try{
            $this->connect();
            $obj = $this->con->prepare($sql);
            if(count($bindVars) > 0){
                $obj->execute($bindVars);
            }
            else{
                $obj->execute();
            }
            $ary = $obj->fetchAll();
        }catch(PDOException $ex){
            $this->catchError($ex); //Production Server: send exception through email
            //echo($ex->getMessage()); //Developer Machine: Display Exceptions in browser
        }
        $this->con = null;
        return $ary;
    }//getRecordSet()
In this query, users will retrieve the recordset as an array() in the following way, for example:
    $sno = 1;
    $user_name = '%hussain%';
    $aray = array(':sno'=>$sno,':user_name'=>$user_name);
    foreach($crud->getRecordSet("SELECT * FROM users WHERE sno = :sno AND user_name LIKE :user_name",$aray) as $row){
        echo('<br>'.$row['user_name']);
        echo('<br>'.$row['user_password']);
        echo('<br>'.$row['date_reg']);
    }
Please let me know if there is anything that goes wrong and makes my class vulnerable.
Thanks in advance.
Shah
Upvotes: 0
Views: 194
Reputation: 157880
Change the function to
    public function getRecordSet($sql, $bindVars=array()){
        $obj = $this->con->prepare($sql);
        $obj->execute($bindVars);
        return $obj->fetchAll();
    }
However, it's rather a matter of sanity, not security.
Upvotes: 1
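The answer's shape as a small runnable wrapper, added here as an example that is neither the asker's class nor the answer's code: it keeps the three connection attributes from the question and adds a LIKE-escaping helper, since the caller in the question builds the %...% pattern itself. It assumes an in-memory SQLite database standing in for MySQL, with a constructed users table.

```php
<?php
// Added example, not the asker's class or the answer's code. It applies the answer's shape
// (connect once, prepare/execute/fetchAll) with the question's attributes, on in-memory SQLite.
final class Crud
{
    private PDO $con;
    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->con = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        // Native (server-side) prepares are a MySQL-driver setting; SQLite never emulates.
        if ($this->con->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            $this->con->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }
    // As in the answer: the SQL text holds only placeholders, values travel separately.
    public function getRecordSet(string $sql, array $bindVars = []): array
    {
        $stmt = $this->con->prepare($sql);
        $stmt->execute($bindVars);
        return $stmt->fetchAll();
    }
    // Same binding for INSERT/UPDATE/DELETE/DDL; returns the affected row count.
    public function exec(string $sql, array $bindVars = []): int
    {
        $stmt = $this->con->prepare($sql);
        $stmt->execute($bindVars);
        return $stmt->rowCount();
    }
    // Binding protects the statement, but % and _ inside a bound LIKE value are still
    // wildcards. Escape user text before wrapping it in %...%; '!' is the escape character
    // so the matching ESCAPE clause reads the same on MySQL and SQLite.
    public static function escapeLike(string $value): string
    {
        return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
    }
}

// Constructed demo data (the asker's table is MySQL; SQLite stands in so this runs offline).
$crud = new Crud('sqlite::memory:');
$crud->exec('CREATE TABLE users (sno INTEGER, user_name TEXT, date_reg TEXT)');
$crud->exec('INSERT INTO users VALUES (1, :n, :d)', [':n' => 'hussain', ':d' => '2013-05-01']);
$crud->exec('INSERT INTO users VALUES (2, :n, :d)', [':n' => 'h_ssain', ':d' => '2013-05-02']);
// A search term built from user text: escaped, the underscore is matched literally.
$rows = $crud->getRecordSet(
    "SELECT user_name FROM users WHERE user_name LIKE :user_name ESCAPE '!'",
    [':user_name' => '%' . Crud::escapeLike('h_ss') . '%']
);
var_dump(array_column($rows, 'user_name'));
```

Run with `php` (pdo_sqlite enabled); the dump lists only "h_ssain", whereas without escapeLike the unescaped `_` would also match "hussain".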