security - php - right GET handling


I have a file users.php and want to display a user's information when, for example, users.php?id=5 is set.

My "users.php" file is:

<?php
$page_title = "administrace - uživatelé";
require_once($_SERVER['DOCUMENT_ROOT']."/core/main.php");

if(!admin::is_admin() or !user::is_logged()) // check that the user is logged in and is an admin
{
    redirect($url."index.php"); // get out of here
}

$user = new user();

if(isset($_GET["id"]))
{
    $id = test_input($_GET["id"]); // = htmlspecialchars() & trim() & stripslashes()
    $is_valid = ctype_digit($id);
    if($is_valid && $user->check_user_available($id)) // check that $id is a number and that user $id is in the database
    {
        // show user's information
    } else {
        // out of here
        redirect($url."admin/");
    }
} else {
?>
        <i>...toto je random text...</i>
        <section>
            <div class="content">
                <h1>administrace -> uživatelé</h1>
                <p>
                    <?php
                    echo ($user->get_all_users()); // users (<a href="users.php?id=x">user</a>)
                    ?>
                </p>
            </div>
        </section>
        <aside>
            <?php
            $login = new panel("login");
            $partneri = new panel("partners");
            ?>
        </aside>
<?php
}
require_once($_SERVER['DOCUMENT_ROOT']."/template/footer.php");
?>

My check_user_available() function:

<?php
public function check_user_available($id)
{
    $id = trim($id);
    $id = stripslashes($id);
    $id = htmlspecialchars($id);
    if(ctype_digit($id))
    {
        // dotaz() returns the row count of the prepared query
        $query = database::dotaz('SELECT * FROM `users` WHERE `id` = ?', array($id));
        if($query > 0)
        {
            return true;
        } else {
            return false;
        }
    }
    return false; // non-numeric id: treat as not available instead of returning null
}
?>

I'm using PDO prepared statements. Here is the class database and the function dotaz() (dotaz = query):

<?php
class database {

    // database connection
    private static $connection;

    // default driver settings
    private static $nastaveni = array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",
        PDO::ATTR_EMULATE_PREPARES => false,
    );

    // connects to the database with the given credentials
    public static function connect($host, $username, $password, $dbname) {
        if (!isset(self::$connection)) {
            self::$connection = @new PDO(
                "mysql:host=$host;dbname=$dbname",
                $username,
                $password,
                self::$nastaveni
            );
        }
    }

    // prepares and executes $dotaz with the bound $parametry, returns the row count
    public static function dotaz($dotaz, $parametry = array()) {
        $navrat = self::$connection->prepare($dotaz);
        $navrat->execute($parametry);
        return $navrat->rowCount();
    }
}
?>

Could you tell me if the $_GET part is well secured, or how I can secure it better? Thanks all.
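As an added example (not the asker's code), here is a narrower way to do the same id check: validate the raw GET value as an integer with filter_var, bind it as a typed parameter, and fetch a row instead of trusting rowCount() on a SELECT. The helper name lookupUserId is hypothetical, and it uses a constructed in-memory SQLite table instead of the question's MySQL connection so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the asker's code): validate the raw GET value and look it up.
function lookupUserId(PDO $pdo, $raw): ?int
{
    // Validate as an integer before the value goes anywhere. FILTER_VALIDATE_INT
    // rejects "5abc", "5.0", "" and arrays (id[]=5); min_range rejects 0 and negatives.
    // No trim/stripslashes/htmlspecialchars here: HTML escaping belongs at output time,
    // and a bound integer parameter cannot alter the SQL.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Prepared statement with an explicitly typed integer parameter.
    $stmt = $pdo->prepare('SELECT `id` FROM `users` WHERE `id` = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    // Fetch instead of relying on rowCount(): for SELECT statements rowCount()
    // is driver-dependent and is not guaranteed to reflect the matched rows.
    $found = $stmt->fetchColumn();
    return $found === false ? null : (int) $found;
}

// Constructed sample data (in-memory SQLite instead of the question's MySQL) so it runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (5, 'alice'), (7, 'bob')");

// Typical values that can arrive in $_GET["id"], including malformed ones.
foreach (['5', '7', '9', '5 OR 1=1', '-1', '5abc', '', ['5']] as $raw) {
    $id = lookupUserId($pdo, $raw);
    printf("%-12s => %s\n", json_encode($raw), $id === null ? 'redirect' : "show user $id");
}
```

In users.php the same helper would be called with $_GET["id"] and a null result would trigger the redirect; the escaping for HTML output stays in the view where the value is echoed.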

