Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>To answer your questions:</p> <ol> <li>On cursory inspection, it does look like your code will strip out malicious data. If you make sure that your code is broken into small functions that operate only on values passed into them as arguments, you can write yourself a command-line-driven test suite that lets you create lots and lots of test cases that you can re-run any time you make changes to the system so that you are confident that no vulnerabilities exist.</li> <li>In general, the slowest part of any web application is the database layer. Poorly crafted queries and/or too many queries will overwhelmingly overshadow PHP code execution in terms of performance issues. In other words, don't worry about over-optimizing your PHP code.</li> <li>Personally, I would improve your code by wrapping everything in a function(). I would also clean <code>$_POST</code> and <code>$_GET</code> values as needed rather than all at once. In other words, I would call <code>clean()</code> on <code>$str</code> in <code>val_rules()</code>. Also, I find it really confusing when using <code>include()</code> or <code>require()</code> to pull in a script and then realizing that that script executes and performs some function "behind the scenes". I think you'll find that using <code>include()</code> or <code>require()</code> works best when the files that are being pulled in are simply used to declare functions, constants, and classes. It is important to be able to clearly follow all execution "out in the open", that is, on the page that is actually doing some work. Similarly, I would not allow the <code>fn_register()</code> function to directly access the <code>$_POST</code> array without passing this in as an argument instead. It's important to be able to look at a function when reading some code and see immediately what data it is acting on without having to look at the function definition. In other words, all data that a function is acting on should ideally be passed in as a value. Finally, and this is a major issue, your name validation is too strict. It will not tolerate hyphens, apostrophes, accented characters, etc. I think you'll find that being liberal in name validation is the best policy. Some culture's naming conventions don't even have what we consider to be first and last names, for example. Another issue: instead of using 'required' and 'optional', use a boolean value for required. If it is set to <code>TRUE</code>, then the field is required.</li> </ol>
    singulars
    1. This table or related slice is empty.
    1. PO(PHP) Validation, Security and Speed - Does my app have these?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. This table or related slice is empty.
    1. USjkndrkn
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO(PHP) Validation, Security and Speed - Does my app have these?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. COHi, Thank you for your reply. Here's my response for your 3 points. 1. Are there any tools to write the command-line-driven test suite? Can you please list them out? 2. Got it. 3. a)I got the part where you mentioned about applying the functions on $str in val_rules() and the strict name validation part. I failed to understand the include() and require() part. Can you please cite an example?
      singulars
      1. PO
      1. USDevner
    2. CO3 b) I allowed fn_register() function to directly access the $_POST array as $_POST is 'superglobal' and my target was to keep my register.php page separated from validation code and instead include it in functions.php page. I only return the results of the validation. Can you please suggest an alternative way if I should not allow the function to access $_POST variables directly and still keep the validation in a different page? I might even have 100 fields(or more), so passing them as argument will not be an option. Look forward to your reply. Thanks again.
      singulars
      1. PO
      1. USDevner
    3. COYou are welcome :] Please understand that some of my suggestions are biased and informed by a personal style influenced by functional programming and test-driven design. 1. I've used phpunit and it has served me well. It does, however, require that your code be organized into classes. http://www.phpunit.de/
      singulars
      1. PO
      1. USjkndrkn
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload