php - Avoiding SQL injection in delete API function -



php - Avoiding SQL injection in delete API function -

i'm trying build android app, , part of app involves crud options on database need synced server. have cru bits sorted, trying deletes in such way avoid sql injection.

i have used prepared statements other queries, wondering whether next method doesn't safe:

i have defined list of tables on delete query valid, along list of primary keys on tables can nowadays in tablekey field. utilize prepared statement using value provided in tablekeyvalue field, along restricting operations acting on individual user's id.

is methodology safe sql injection point of view, or should set specific api endpoints each of tables deleted from, , pass through id value used in traditional prepared statement?

($i = 0; $i < count($deletearray); $i++) { if (in_array($deletearray[$i]['tablename'], $this->table_array) && in_array($deletearray[$i]['tablekey'], $this->key_array)) { $deletestmtsql = "delete ".$deletearray[$i]['tablename']." ".$deletearray[$i]['tablekey']." = ? , userid = ?"; $deletestmtsth = $this->dbh->prepare($deletestmtsql); $deletestmtdata = array( $deletearray[$i]['tablekeyvalue'], $userid ); $deletestmtsth->execute($deletestmtdata); $j++; } }

based on comments lxg , david, solution have come with:

i pass in tablename, tablekey , tablekeyvalue generic method, which, after confirming tablename , tablekey match up, passes tablekeyvalue private method

(e.g. deletefromtablexbykey($tablekeyvalue) uses prepared statement, taking key value.

if values passed parent function tablename , tablekey not match predefined list, pass through no farther interaction, , error message returned.

php mysql sql security mysqli

Comments

Post a Comment

Popular posts from this blog

xslt - DocBook 5 to PDF transform failing with error: "fo:flow" is missing child elements. Required content model: marker* -

xslt - DocBook 5 to PDF transform failing with error: "fo:flow" is missing child elements. Required content model: marker* - i've inherited doc publishing process takes docbook , builds html , pdf output, using apache fop both. project had been started, never completed. lots of tweaking, i've able of doc sets build (20+), except handful, , fail severe code 1 of these 2 conditions: "fo:flow" missing kid elements. required content model: marker* "fo:block" not valid kid of "fo:root" the xml output comes out of docbook , docbook-fop checks out well-formed. the fop error in 1 book, "endecagloss", example, points end of string: <fo:flow flow-name="xsl-region-body" start-indent="4pc" end-indent="0pt"/> here’s log output in case: [java] severe: javax.xml.transform.transformerexception: file:/scratch/publishing/hudson/jobs/build-main-endeca-documentation/workspace/serverdoc/w...
Read more

mediawiki - How do I insert tables inside infoboxes on Wikia pages? -

mediawiki - How do I insert tables inside infoboxes on Wikia pages? - i want insert tables in infoboxes. example, have proteinbox i've developed using infobox template (http://health-and-medicine.wikia.com/wiki/template:proteinbox), , fasta field big fit comfortably in proteinbox. hence collapsible table within box. this tried: {{infobox | row 1 = {| class = "mw-collapsible mw-collapsed wikitable" |- | <!-- table content --> |} }} your problem is, putting nested table within template. pipe characters ( | ) in table syntax collides pipe usage in templates. the commonly used hack around create template called template:! , containing pipe character, , utilize when need set tables, parser functions or other stuff using pipe characters, within templates. table (with every | replaced {{!}} ): {{{!}} {{!}}- {{!}} a1 {{!}} b1 {{!}}- {{!}} a2 {{!}} b2 {{!}}} ...the equivalent of {| |- | a1 | b1 |- | a2 | b2 |} furthermore, hav...
Read more

Local Service User Logged into Windows -

Local Service User Logged into Windows - i created windows service tracks app server user connected through load balancer. it retrieves user logged windows on machine, cross references active directory (ad) business relationship homecoming first name, lastly name , e-mail (for notification through website created project) there 1 scheme on network users remote system, vista system, reason returning values "local service" logged machine, it's weird , security guys impossible "local service" business relationship logged windows. here how user logged windows managementscope ms = new managementscope("\\\\.\\root\\cimv2"); objectquery query = new objectquery("select * win32_computersystem"); managementobjectsearcher searcher = new managementobjectsearcher(ms, query); foreach (managementobject mo in searcher.get()) { _username = mo["username"].tostring(); } // remove domain part username string[] usernameparts = _...
Read more