security - php - right GET handling -


i have file users.php , want display user's information when set example users.php?id=5

my "users.php" file is:

<?php   $page_title = "administrace - uživatelé"; require_once($_server['document_root']."/core/main.php");  if(!admin::is_admin() or !user::is_logged()) // check if user logged , admin {     redirect($url."index.php"); //get out of here }  $user = new user();  if(isset($_get["id"])) {     $id = test_input($_get["id"]); // = htmlspecialchars() & trim() & stripslashes()     $is_valid = ctype_digit($id);     if($is_valid && $user->check_user_available($id)) // check if $id number , if user $id in database     {         // show user's information     } else {         // out of here         redirect($url."admin/");     } } else {  ?>          <i>...toto je random text...</i>          <section>             <div class="content">                 <h1>administrace -> uživatelé</h1>                 <p>                     <?php                      echo ($user->get_all_users()); // users (<a href="users.php?id=x">user</a>)                     ?>                 </p>               </div>         </section>             <aside>             <?php             $login = new panel("login");             $partneri = new panel("partners");             ?>             </aside>   <?php  } require_once($_server['document_root']."/template/footer.php");?> 

my check_user_availabe() function:

<?php public function check_user_available($id) {     $id = trim($id);     $id = stripslashes($id);     $id = htmlspecialchars($id);     if(ctype_digit($id))     {         $query = database::dotaz('select * `users` `id`=?', array($id));         if($query > 0)         {             return true;         } else {             return false;         }     } } ?> 

i'm using pdo prepared statements.. here class database , function dotaz() (dotaz = query)

<?php class database {      // databázové spojení     private static $connection;      // výchozí nastavení ovladače     private static $nastaveni = array(         pdo::attr_errmode => pdo::errmode_exception,         pdo::mysql_attr_init_command => "set names utf8",         pdo::attr_emulate_prepares => false,     );      // připojí se k databázi pomocí daných údajů     public static function connect($host, $username, $password, $dbname) {         if (!isset(self::$connection)) {             self::$connection = @new pdo(                 "mysql:host=$host;dbname=$dbname",                 $username,                 $password,                 self::$nastaveni             );         }     }     public static function dotaz($dotaz, $parametry = array()) {         $navrat = self::$connection->prepare($dotaz);         $navrat->execute($parametry);         return $navrat->rowcount();     }?> 

could me if $_get part well-secured or me secure better ? thank all


Comments

Popular posts from this blog

java - Custom OutputStreamAppender not run: LOGBACK: No context given for <MYAPPENDER> -

java - UML - How would you draw a try catch in a sequence diagram? -

c++ - No viable overloaded operator for references a map -