php - Avoiding SQL injection in delete API function

I'm trying to build an Android app, and part of the app involves CRUD operations on a database that needs to be synced with a server. I have the CRU bits sorted, and am trying to do the deletes in such a way as to avoid SQL injection.

I have used prepared statements for the other queries, and am wondering whether the following method is safe:

I have defined a list of tables on which the delete query is valid, along with a list of the primary keys on those tables that can be passed in the tablekey field. I then use a prepared statement with the value provided in the tablekeyvalue field, along with restricting the operation to act only on the individual user's id.

Is this methodology safe from an SQL injection point of view, or should I set up specific API endpoints for each of the tables to be deleted from, and pass through the id value to be used in a traditional prepared statement?

```php
$j = 0; // count of rows actually submitted for deletion
for ($i = 0; $i < count($deletearray); $i++) {
    // Only proceed when both the table name and the key column are on the predefined lists
    if (in_array($deletearray[$i]['tablename'], $this->table_array)
        && in_array($deletearray[$i]['tablekey'], $this->key_array)) {
        // Identifiers come from the whitelisted arrays; the key value and user id are bound
        $deletestmtsql = "DELETE FROM " . $deletearray[$i]['tablename']
            . " WHERE " . $deletearray[$i]['tablekey'] . " = ? AND userid = ?";
        $deletestmtsth = $this->dbh->prepare($deletestmtsql);
        $deletestmtdata = array(
            $deletearray[$i]['tablekeyvalue'],
            $userid
        );
        $deletestmtsth->execute($deletestmtdata);
        $j++;
    }
}
```

Based on the comments from lxg and David, the solution I have come up with is:

I pass tablename, tablekey and tablekeyvalue in to a generic method, which, after confirming that tablename and tablekey match up, passes tablekeyvalue to a private method (e.g. deleteFromTableXByKey($tablekeyvalue)) that uses a prepared statement, taking the key value.

If the values passed to the parent function for tablename and tablekey do not match the predefined list, they pass through to no further interaction, and an error message is returned.

php mysql sql security mysqli
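The following is an added example, not the asker's code or the accepted solution, showing the allowlist-plus-bound-parameters pattern that both the original loop and the revised design rely on. It assumes a PDO connection, hypothetical tables `notes` and `contacts` with the listed key columns, and that every deletable table has a `userid` column. It goes one step beyond the question by allowlisting the (table, key column) pair rather than two independent lists, so a key name that is valid for one table cannot be used against another; identifiers are only ever interpolated after they have been matched against that constant allowlist, and the key value and user id are always bound.

```php
<?php
// Added example (not the asker's code): allowlisted DELETE with bound parameters.
// Assumes a PDO connection and that every deletable table has a `userid` column.

final class DeleteService
{
    // Allowlist: each deletable table maps to the key columns accepted for it.
    // Validating the pair (not two independent lists) stops a key column from one
    // table being used in a DELETE against a different table. Table and column
    // names here are hypothetical.
    private const ALLOWED = [
        'notes'    => ['note_id', 'client_uuid'],
        'contacts' => ['contact_id'],
    ];

    public function __construct(private PDO $dbh) {}

    /**
     * Delete the row identified by $keyValue in $table, restricted to $userId.
     * Returns the number of rows deleted; throws InvalidArgumentException when
     * the table or key column is not on the allowlist.
     */
    public function deleteByKey(string $table, string $keyColumn, string $keyValue, int $userId): int
    {
        if (!isset(self::ALLOWED[$table]) || !in_array($keyColumn, self::ALLOWED[$table], true)) {
            // Reject before touching the database; do not echo the untrusted names back.
            throw new InvalidArgumentException('Unsupported table or key');
        }
        // $table and $keyColumn now equal constants from ALLOWED, so interpolating
        // them is safe. Backticks guard against a future entry that is a reserved word.
        $sql = sprintf('DELETE FROM `%s` WHERE `%s` = ? AND `userid` = ? LIMIT 1', $table, $keyColumn);
        $stmt = $this->dbh->prepare($sql);
        // The key value and the user id are bound parameters, never concatenated.
        $stmt->execute([$keyValue, $userId]);
        return $stmt->rowCount();
    }
}

// Usage with a constructed batch shaped like the question's $deletearray.
$dbh = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$service = new DeleteService($dbh);
$userId  = 42; // taken from the authenticated session, never from the request body

$deletearray = [
    ['tablename' => 'notes',    'tablekey' => 'note_id',    'tablekeyvalue' => '17'], // allowed
    ['tablename' => 'users',    'tablekey' => 'id',         'tablekeyvalue' => '1'],  // rejected: table not allowlisted
    ['tablename' => 'notes',    'tablekey' => 'contact_id', 'tablekeyvalue' => '3'],  // rejected: key belongs to another table
];

$deleted = 0;
$errors  = [];
foreach ($deletearray as $i => $row) {
    try {
        $deleted += $service->deleteByKey(
            (string) $row['tablename'],
            (string) $row['tablekey'],
            (string) $row['tablekeyvalue'],
            $userId
        );
    } catch (InvalidArgumentException $e) {
        // Report the item index only; the rejected identifiers stay out of the response.
        $errors[] = "item $i: " . $e->getMessage();
    }
}
echo "deleted={$deleted} rejected=" . count($errors) . "\n";
```

Two details worth keeping from this shape: the `userid` predicate is what ties the delete to the caller's own rows, so `$userId` must come from the server-side session rather than the request; and `PDO::ATTR_EMULATE_PREPARES => false` makes the `?` placeholders genuine server-side parameters instead of strings quoted by the client library.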
