Call bindValue for $this->... or direct for $_SESSION?

Viewed 32 times

0

The code where my doubt is:

    public function queryFixClayTime($data) {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // Nothing to do while the stored time is still ahead of the current hour
        if ($_SESSION['claytime'] >= $_SESSION['clayhour']->format('Y-m-d H:i:s')) {
            // no update needed
        } else {
            try {
                $this->iduser = $data['iduser'];
                $this->timeplus = $_SESSION['claytimeplus']->format('Y-m-d H:i:s');
                $cst = $this->con->connect()->prepare("UPDATE resources SET claytime = :claytime WHERE iduser = :iduser");
                $cst->bindValue(":claytime", $this->timeplus);
                $cst->bindValue(":iduser", $this->iduser);
                $cst->execute();
                $id['iduser'] = $_SESSION['iduser'];
                $objupdate = new Resources();
                $objupdate->querySelectResource($id);
            } catch (PDOException $ex) {
                // log the failure instead of silently discarding it
                error_log($ex->getMessage());
            }
        }
    }

The focus is here:

$cst->bindValue(":claytime", $this->timeplus);
$cst->bindValue(":iduser", $this->iduser);

Doing it the way above works perfectly.

And so does this:

$cst->bindValue(":claytime", $_SESSION['claytimeplus']->format('Y-m-d H:i:s'));
$cst->bindValue(":iduser", $_SESSION['iduser']);

What's the difference between using $this->iduser or $_SESSION['iduser']?

Is using $_SESSION directly a bad programming practice? And can it somehow make the code more insecure?

  • 1

    How are the values of $this defined? Aren't they from $_SESSION?

  • Yes, hence the question: what is the difference between using $this or $_SESSION directly in bindValue? ;-;

1 answer

2


It depends on how it was done. If, when the variables in $this were defined, they did not go through any sanitization, validation, etc., then from a security point of view it is the same; after all, you only stored the value at another point in memory and accessed it from there.

As for good practices, it also depends. If the values are received in the constructor (or in some function/method that returns an object of the class), your code would be less coupled: changes in the data source (for example, starting to use $_GET instead of $_SESSION) do not change the class. Decoupling also helps to unit test the code. But it also implies more complexity; if your class doesn't need to keep state, you don't need it, and plain functions would make the code simpler.
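As an added example (not code from the question or the answer), the same UPDATE written the decoupled way the answer describes: the method receives a PDO connection and already-validated values, and one small function is the only place that reads $_SESSION. The class and function names are hypothetical, and the stand-alone run assumes PHP 8 with pdo_sqlite.

```php
<?php
// Added example, not the asker's code: bound parameters protect against SQL
// injection whichever way the values arrive; what changes with decoupling is
// where validation happens and how easily the class can be tested.
declare(strict_types=1);

final class ClayTimeUpdater   // hypothetical name
{
    public function __construct(private PDO $con) {}

    // Receives validated values; knows nothing about sessions or requests.
    public function update(int $iduser, DateTimeInterface $timePlus): int
    {
        if ($iduser <= 0) {
            throw new InvalidArgumentException('iduser must be a positive integer');
        }
        $cst = $this->con->prepare(
            'UPDATE resources SET claytime = :claytime WHERE iduser = :iduser'
        );
        $cst->bindValue(':claytime', $timePlus->format('Y-m-d H:i:s'), PDO::PARAM_STR);
        $cst->bindValue(':iduser', $iduser, PDO::PARAM_INT);
        $cst->execute();
        return $cst->rowCount(); // 0 when no row matched
    }
}

// The only place that touches session data: pull it, validate it, hand it over.
function updateFromSession(ClayTimeUpdater $updater, array $session): int
{
    if (!isset($session['iduser'], $session['claytimeplus'])
        || !$session['claytimeplus'] instanceof DateTimeInterface) {
        throw new RuntimeException('session is missing iduser or claytimeplus');
    }
    $iduser = filter_var($session['iduser'], FILTER_VALIDATE_INT);
    if ($iduser === false) {
        throw new RuntimeException('session iduser is not an integer');
    }
    return $updater->update($iduser, $session['claytimeplus']);
}

// Stand-alone run against an in-memory SQLite table with constructed data:
// no real session and no real MySQL needed, which is what decoupling buys you.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE resources (iduser INTEGER PRIMARY KEY, claytime TEXT)');
$pdo->exec("INSERT INTO resources VALUES (7, '2024-01-01 00:00:00')");

$fakeSession = ['iduser' => '7', 'claytimeplus' => new DateTimeImmutable('2024-01-01 01:30:00')];
$rows = updateFromSession(new ClayTimeUpdater($pdo), $fakeSession);
echo "rows updated: $rows\n";
```

In production, pass the real $_SESSION array to updateFromSession(); in a unit test, pass any array and any PDO, as above.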
