Is my database access function secure?

2

I have a file that has CRUD operations with PDO and MySQL. My question is about leaving my functions like the function below:

    function delete($tabela, $id) {
        global $con;
        // The table name is concatenated into the SQL; only the id is a bound parameter.
        $sql = "DELETE FROM " . $tabela . " WHERE id=:id";
        if (is_array($id)) {
            // Array of ids: delete one by one and collect the driver error messages.
            $errors = array();
            for ($i = 0; $i < count($id); $i++) {
                $delete = $con->prepare($sql);
                $delete->bindValue(":id", filter_var($id[$i], FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
                if (!($delete->execute())) {
                    $error = $delete->errorInfo();
                    array_push($errors, $error[2]);
                }
            }

            // true when every delete succeeded, otherwise the list of error messages.
            if (count($errors) == 0) {
                return true;
            } else {
                return $errors;
            }
        } else {
            // Single id: same statement, executed once.
            $delete = $con->prepare($sql);
            $delete->bindValue(":id", filter_var($id, FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
            if ($delete->execute()) {
                return true;
            } else {
                $error = $delete->errorInfo();
                return $error[2];
            }
        }
    }

If I just leave it that way, do I run the risk of some malicious user using that file to delete random data from my DB?

I know it is possible to pass parameters externally, via POST for example, but my function does not directly receive anything via POST or GET.

1 answer

3


I always respond that security is multidisciplinary and extraordinarily complicated. If you really want security, call an expert. My inference is that the vast majority of websites and applications have security issues. Just taking care of the code doesn’t mean anything. Even if you follow certain rules you don’t guarantee you’re safe, just that you’re not so wide open.

That being said, it seems to be OK, as long as the variable $tabela does not have its value defined outside the scripts and there are no other vulnerability factors.

Just don’t think you’re free of any other problems. The other day someone asked how to avoid accepting wrong information that someone sends, such as a different id, and the answer is simple: there is nothing to do but validate the information before using it and only allow authorized users to do so. If you fail at this, it’s no use this code being safe.

  • I know this, @Maniero; after all, not even NASA and bank sites, which have experts in charge of nothing but security, escape a little hack every now and then, haha. But I want to know specifically about the function, and when you say "as long as the $tabela variable does not have its value defined externally", you are referring to passing the table name by GET or POST, for example, right?

  • 1

    I have my doubts about whether they have real security experts :) I see wrong things on big corporation websites that even I, who am not an expert, know are wrong :) I’m talking about it coming from any external source, mainly by GET and POST.
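
An added example, not part of the original question or answer: one way to make the condition discussed above (the table name never coming from an external source) something the function enforces itself, together with strict id validation. The name `safeDelete`, the `DELETABLE_TABLES` list, the table names and the in-memory SQLite connection are assumptions made for the demonstration; authorization of the caller is still a separate check.

```php
<?php
// Hypothetical allow-list: the only tables this helper may delete from.
const DELETABLE_TABLES = ['posts', 'comments'];

function safeDelete(PDO $con, string $tabela, $ids): int
{
    // Identifiers cannot be bound as parameters, so compare against the allow-list.
    if (!in_array($tabela, DELETABLE_TABLES, true)) {
        throw new InvalidArgumentException('Table not allowed');
    }
    $clean = [];
    foreach ((array) $ids as $id) {
        // Reject malformed ids outright; FILTER_SANITIZE_NUMBER_INT would
        // silently turn "1abc2" into 12 and delete a different row.
        $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($int === false) {
            throw new InvalidArgumentException('Invalid id');
        }
        $clean[] = $int;
    }
    // Prepare once, execute per id, all-or-nothing inside a transaction.
    $stmt = $con->prepare("DELETE FROM `$tabela` WHERE id = :id");
    $con->beginTransaction();
    try {
        $deleted = 0;
        foreach ($clean as $int) {
            $stmt->bindValue(':id', $int, PDO::PARAM_INT);
            $stmt->execute();
            $deleted += $stmt->rowCount();
        }
        $con->commit();
        return $deleted;
    } catch (PDOException $e) {
        $con->rollBack();
        throw $e;
    }
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$con->exec("INSERT INTO posts (id, title) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

var_dump(safeDelete($con, 'posts', [1, '3'])); // ids as int or numeric string
foreach ([['users', 2], ['posts', '2 OR 1=1']] as [$t, $id]) {
    // Unlisted table, then a malformed id: both are refused before any SQL runs.
    try { safeDelete($con, $t, $id); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
```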
