Pass Post method to function

Viewed 499 times

0

I need to enter the ID variable in the Client.php class and send it to the Server.php class, which will search for the product in the database and show it again in Client.php. The problem is that I'm having difficulty inserting the variable into the query of the function that will do the search in the database.

Here is the class I've written.

Client class.php

<form action="servidor.php" method="post">
Pesquisa: <input type="text" name="pesquisa" />
<input type="submit" />
</form>
<?php

include('servidor.php');
$connect = new servidor();
$connect->conectar();
$connect->selecionarDB();

?>

Server class.php

$pesquisa = $_REQUEST["pesquisa"];
$query = 'SELECT * FROM produtos where id = '.$pesquisa;

I want to pass this query to the executar() function, so that the result is returned to the Client class.

class servidor {

   // Configuration values: the bare words in the post were missing quotes,
   // which PHP would have treated as undefined constants.
   private $host = 'localhost';
   private $bd = 'banco';
   private $usuario = 'root';
   private $senha = 'senha';

   // Note: the mysql_* extension used below was removed in PHP 7,
   // so this class only runs on PHP 5.
   function conectar(){
      $conexao = mysql_connect($this->host,$this->usuario,$this->senha) or die($this->mensagem(mysql_error()));
      return $conexao;
   }

   function selecionarDB(){
      $banco = mysql_select_db($this->bd) or die($this->mensagem(mysql_error()));
      if($banco){
         return true;
      }else{
         return false;
      }
   }

   function executar(){
      // $this->sql is read here but is never declared or assigned anywhere in the class
      $query = mysql_query($this->sql) or die ($this->mensagem(mysql_error()));
      return $query;
   }

   // mensagem() is called above but was not included in the post
}
  • Where does the sql property used in executar come from? It isn't declared among the class's properties.

1 answer

2


From what I understand, your class has neither a magic method nor an ordinary method that sets the value of the sql variable.

Look: your executar method depends on this variable:

//...
$query = mysql_query($this->sql) or die ($this->mensagem(mysql_error()));

You need to define this variable in your class, or else pass the query to be processed into the executar method itself:

class servidor 
{
    //...

    function executar($sql){
        $query = mysql_query($sql) or die ($this->mensagem(mysql_error()));
        return $query;
    }
}

Now just pass the query as a parameter:

//...

include('servidor.php');
$connect = new servidor();
$connect->conectar();
$connect->selecionarDB();

$pesquisa = $_REQUEST["pesquisa"];
$resultado = $connect->executar("SELECT * FROM produtos where id =  $pesquisa");

Remarks:

Your system is vulnerable to SQL injection: the pesquisa variable is injected into the query without any treatment, which makes the attack easy.

Another drawback is that, although the system uses classes, that does not make it object-oriented. For example, if the project switched to SQL Server instead of MySQL, your entire class would have to be rewritten, some queries would probably stop working, and parts of your application would even have to be redone to support the new database.

Read up on design patterns, bearing in mind from the outset that a pattern is not ready-made code for a specific situation but a model for solving a specific problem.

The database is an external service consumed by your application, so the application should not depend on a specific database.

In your case, the Adapter pattern would help you decouple the application from the database without changing its implementation. It works like a plug adapter, which lets a device with one kind of plug use a socket that follows another standard: when you buy a device with a different plug, you don't need to break open your wall and do a new installation just for that device.
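The two remarks above (the injection through pesquisa, and hiding the database behind an adapter) in working code, as an added example that is not part of the question or the answer. It rewrites the "search a product by id" flow with PDO prepared statements and a small interface; the names BancoDeDados, AdaptadorPDO and buscarProduto are assumptions chosen here, and the rows are constructed sample data in an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not code from the original post or answer.
// Needs PHP 7.4+ with PDO and pdo_sqlite. For the original schema, swap the
// DSN for something like 'mysql:host=localhost;dbname=banco' plus user/password.

interface BancoDeDados {
    /** Run a query with bound parameters; returns rows as associative arrays. */
    public function executar(string $sql, array $parametros = []): array;
}

// The Adapter: callers depend only on BancoDeDados. Swapping the driver
// means writing another class that implements the same interface.
class AdaptadorPDO implements BancoDeDados {
    private PDO $pdo;

    public function __construct(string $dsn, ?string $usuario = null, ?string $senha = null) {
        $this->pdo = new PDO($dsn, $usuario, $senha, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent failures
            PDO::ATTR_EMULATE_PREPARES   => false,  // let the driver bind server-side
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function executar(string $sql, array $parametros = []): array {
        // Values travel separately from the SQL text, so they can only be
        // compared as values, never parsed as part of the statement.
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($parametros);
        return $stmt->columnCount() > 0 ? $stmt->fetchAll() : [];
    }
}

// Two layers: reject anything that is not a positive integer before it
// reaches the database, then bind the value instead of concatenating it.
function buscarProduto(BancoDeDados $db, string $pesquisa): array {
    if (!preg_match('/^[1-9][0-9]*$/', $pesquisa)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $db->executar('SELECT * FROM produtos WHERE id = :id', [':id' => (int) $pesquisa]);
}

// --- Demo with constructed sample data -----------------------------------
$db = new AdaptadorPDO('sqlite::memory:');
$db->executar('CREATE TABLE produtos (id INTEGER PRIMARY KEY, nome TEXT)');
$db->executar("INSERT INTO produtos (id, nome) VALUES (1, 'Teclado'), (2, 'Mouse')");

// What the original concatenation does with a hostile "id": the input becomes
// part of the statement and the WHERE clause is true for every row.
$hostil = '1 OR 1=1';
$vazado = $db->executar("SELECT * FROM produtos WHERE id = $hostil");
printf("concatenated: %d of 2 rows returned\n", count($vazado));

// Same hostile input, but bound: it is compared as a literal value, so the
// table is never dumped (SQLite matches nothing here; MySQL would at most
// coerce the string to id 1).
$ligado = $db->executar('SELECT * FROM produtos WHERE id = :id', [':id' => $hostil]);
printf("bound:        %d of 2 rows returned\n", count($ligado));

// With validation in front, the hostile request never reaches the database.
try {
    buscarProduto($db, $hostil);
} catch (InvalidArgumentException $e) {
    echo "validated:    rejected (" . $e->getMessage() . ")\n";
}
$um = buscarProduto($db, '2');
echo "legitimate:   " . $um[0]['nome'] . "\n";
```

Note that the interface alone does nothing against injection: the first query above goes through the adapter and still leaks the whole table, because the caller built the SQL by concatenation. What closes the hole is binding the value (and validating its shape first); what the adapter buys you is the ability to replace AdaptadorPDO with a class for another driver without touching buscarProduto or the pages that call it.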
