

trying to remove SQL injection attack vulunerablities
dr-matt-smith committed Mar 24, 2019
1 parent dfef72d commit e09a4f4
Showing 6 changed files with 135 additions and 8 deletions.
3 changes: 2 additions & 1 deletion composer.json
Expand Up @@ -31,7 +31,8 @@
},
"autoload-dev": {
"psr-4": {
"Mattsmithdev\\PdoCrudRepoTest\\": "tests"
"Mattsmithdev\\PdoCrudRepoTest\\": "tests",
"Tudublin\\":"src"
}
},
"scripts": {
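Review bot: `"Tudublin\\":"src"` is registered under `autoload-dev`, so the `Tudublin\` classes that `public/index.php` loads through `vendor/autoload.php` are only available when dependencies are installed with dev packages; after `composer install --no-dev` the autoloader will not find `Tudublin\MovieRepository`. If `src` holds application code rather than test fixtures the mapping belongs in the `autoload` section, which is outside this hunk. Minor style: the other PSR-4 entries use `": "` with a space, so `"Tudublin\\": "src"` would match.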
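--- a/config/db.php
+++ b/config/db.php
@@ -0,0 +1,6 @@
+<?php
+
+define('DB_HOST', 'localhost:3306');
+define('DB_USER', 'root');
+define('DB_PASS', 'passpass');
+define('DB_NAME', 'evote');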
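Review bot: Working database credentials (`DB_USER` `root`, `DB_PASS` `passpass`) are committed in `config/db.php`, and once pushed they stay in every clone's history even after the file is changed. Read them from the environment instead, e.g. `define('DB_PASS', getenv('DB_PASS') ?: '');`, or from a git-ignored local file, and commit only a template such as `config/db.php.dist` with placeholder values. A dedicated MySQL account with rights limited to the `evote` schema, rather than `root`, also bounds what a leaked credential can reach. Where these constants are consumed (presumably `DatabaseManager`) is not part of this diff.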
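--- a/public/index.php
+++ b/public/index.php
@@ -0,0 +1,26 @@
+<?php
+require_once __DIR__ . '/../config/db.php';
+require_once __DIR__ . '/../vendor/autoload.php';
+
+use Tudublin\MovieRepository;
+
+// for Car DB actions
+$movieRepository = new MovieRepository();
+
+//$movieRepository->delete(2);
+//$movies = $movieRepository->searchByColumn('title', 'jaws');
+//
+//
+//$movie = $movieRepository->getOneById(3);
+//$movie->setTitle('lskdjflksdjflds');
+//$movieRepository->update($movie);
+
+$m = new \Tudublin\Movie();
+$m->setTitle('pop');
+$m->setPrice(8.01);
+$movieRepository->create($m);
+
+$movies = $movieRepository->getAll();
+
+var_dump($movies);
+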
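Review bot: `var_dump($movies)` at the end of a script under `public/` writes every row of the table, with class and property names, straight into the HTTP response; a web-reachable entry point should render a view, or at least not dump raw records. Each request also creates a new `Movie` (`'pop'`, `8.01`) before reading the table back, so every reload grows the table — if this is a scratch script it is safer kept out of `public/`. The comment `// for Car DB actions` describes a different entity than `MovieRepository` (`// for Movie DB actions`), and the commented-out `delete`/`searchByColumn`/`update` calls are dead code that should be removed rather than shipped.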

38 changes: 31 additions & 7 deletions src/DatabaseTableRepository.php
Expand Up @@ -113,7 +113,8 @@ public function getAll()
$db = new DatabaseManager();
$connection = $db->getDbh();

$sql = 'SELECT * from ' . $this->tableName;
$sql = 'SELECT * from :table';
$sql = str_replace(':table', $this->tableName, $sql);

$statement = $connection->prepare($sql);
$statement->setFetchMode(\PDO::FETCH_CLASS, $this->classNameForDbRecords);
Expand All @@ -128,7 +129,10 @@ public function getOneById($id)
$db = new DatabaseManager();
$connection = $db->getDbh();

$statement = $connection->prepare('SELECT * from ' . $this->tableName . ' WHERE id=:id');
$sql = 'SELECT * from :table WHERE id=:id';
$sql = str_replace(':table', $this->tableName, $sql);

$statement = $connection->prepare($sql);
$statement->bindParam(':id', $id, \PDO::PARAM_INT);
$statement->setFetchMode(\PDO::FETCH_CLASS, $this->classNameForDbRecords);
$statement->execute();
Expand All @@ -153,22 +157,34 @@ public function delete($id)
$db = new DatabaseManager();
$connection = $db->getDbh();

$statement = $connection->prepare('DELETE from ' . $this->tableName . ' WHERE id=:id');
$sql = 'DELETE from :table WHERE id=:id';
$sql = str_replace(':table', $this->tableName, $sql);

$statement = $connection->prepare($sql);
// $statement->bindParam(':table', $this->tableName);
$statement->bindParam(':id', $id, \PDO::PARAM_INT);

$queryWasSuccessful = $statement->execute();
return $queryWasSuccessful;
}


public function searchByColumn($columnName, $searchText)
{
$columnName = filter_var($columnName, FILTER_SANITIZE_STRING);

$db = new DatabaseManager();
$connection = $db->getDbh();

// wrap wildcard '%' around the serach text for the SQL query
$searchText = '%' . $searchText . '%';

$statement = $connection->prepare('SELECT * from ' . $this->tableName . ' WHERE ' . $columnName . ' LIKE :searchText');
$sql = 'SELECT * from :table WHERE :column LIKE :searchText';
$sql = str_replace(':table', $this->tableName, $sql);
$sql = str_replace(':column', $columnName, $sql);

$statement = $connection->prepare($sql);
// $statement->bindParam(':column', $columnName, \PDO::PARAM_STR);
$statement->bindParam(':searchText', $searchText, \PDO::PARAM_STR);
$statement->setFetchMode(\PDO::FETCH_CLASS, $this->classNameForDbRecords);
$statement->execute();
Expand All @@ -195,7 +211,12 @@ public function create($object)
$insertFieldList = DatatbaseUtility::fieldListToInsertString($fields);
$valuesFieldList = DatatbaseUtility::fieldListToValuesString($fields);

$statement = $connection->prepare('INSERT into '. $this->tableName . ' ' . $insertFieldList . $valuesFieldList);
$sql = 'INSERT into :table :insertFieldList :valuesFieldList';
$sql = str_replace(':table', $this->tableName, $sql);
$sql = str_replace(':insertFieldList', $insertFieldList, $sql);
$sql = str_replace(':valuesFieldList', $valuesFieldList, $sql);

$statement = $connection->prepare($sql);
$statement->execute($objectAsArrayForSqlInsert);

$queryWasSuccessful = ($statement->rowCount() > 0);
Expand All @@ -209,7 +230,7 @@ public function create($object)

/**
* insert new record into the DB table
* returns new record ID if insertation was successful, otherwise -1
* returns new record ID if insertion was successful, otherwise -1
*
* @param $object
*
Expand All @@ -226,7 +247,10 @@ public function update($object)
$fields = array_keys($objectAsArrayForSqlInsert);
$updateFieldList = DatatbaseUtility::fieldListToUpdateString($fields);

$sql = 'UPDATE '. $this->tableName . ' SET ' . $updateFieldList . ' WHERE id=:id';
$sql = 'UPDATE :table SET :updateFieldList WHERE id=:id';
$sql = str_replace(':table', $this->tableName, $sql);
$sql = str_replace(':updateFieldList', $updateFieldList, $sql);

$statement = $connection->prepare($sql);

// add 'id' to parameters array
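Review bot: The `str_replace(':table', $this->tableName, $sql)` lines in getAll, getOneById, delete, searchByColumn, create and update (and `str_replace(':column', $columnName, $sql)` in searchByColumn) still splice the identifier into the SQL text before `prepare()` runs, so the driver receives exactly the statement the old concatenation produced and nothing about table- or column-name injection has changed; a PDO placeholder can only carry a value, never an identifier, which is also why the commented-out `bindParam(':table', …)` and `bindParam(':column', …)` lines cannot work and should be deleted rather than left as a hint. `filter_var($columnName, FILTER_SANITIZE_STRING)` does not close the gap either: it strips tags and encodes quotes but leaves spaces, `;`, `--` and SQL keywords intact, and the filter is deprecated as of PHP 8.1. The effective mitigation is to accept only identifiers that match a strict pattern (or an allowlist of the entity's known property names), backtick-quote them, and throw on anything else; a helper and its use in searchByColumn are sketched below. `$insertFieldList`/`$updateFieldList` come from `DatatbaseUtility::fieldList…` over the object's own property names, which presumably are not caller-controlled, but they are spliced the same way and would benefit from the same check. searchByColumn continues past the end of its hunk.
```php
/**
 * Reject anything that is not a plain SQL identifier, then backtick-quote it.
 * Identifiers cannot be bound as PDO parameters, so this check is the only guard.
 */
private function quoteIdentifier($identifier)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $identifier)) {
        throw new \InvalidArgumentException('invalid SQL identifier: ' . $identifier);
    }
    return '`' . $identifier . '`';
}

public function searchByColumn($columnName, $searchText)
{
    // … unchanged: connection setup and '%' wrapping of $searchText …
    $sql = 'SELECT * from ' . $this->quoteIdentifier($this->tableName)
        . ' WHERE ' . $this->quoteIdentifier($columnName) . ' LIKE :searchText';

    $statement = $connection->prepare($sql);
    // … unchanged: :searchText binding, fetch mode, execute and result handling …
```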
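--- a/src/Movie.php
+++ b/src/Movie.php
@@ -0,0 +1,61 @@
+<?php
+namespace Tudublin;
+
+
+class Movie
+{
+private $id;
+private $title;
+private $price;
+
+/**
+* @return mixed
+*/
+public function getId()
+{
+return $this->id;
+}
+
+/**
+* @param mixed $id
+*/
+public function setId($id)
+{
+$this->id = $id;
+}
+
+/**
+* @return mixed
+*/
+public function getTitle()
+{
+return $this->title;
+}
+
+/**
+* @param mixed $title
+*/
+public function setTitle($title)
+{
+$this->title = $title;
+}
+
+/**
+* @return mixed
+*/
+public function getPrice()
+{
+return $this->price;
+}
+
+/**
+* @param mixed $price
+*/
+public function setPrice($price)
+{
+$this->price = $price;
+}
+
+
+
+}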
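Review bot: The accessors are untyped and documented only as `@param mixed`/`@return mixed`, so `setPrice('abc')` or `setId([])` passes straight through to the repository's `execute()` before anything rejects it. Declaring the types on the signatures, e.g. `public function setPrice(float $price): void` and `public function getPrice(): ?float`, with `?int` for `id` and `?string` for `title` and the three properties typed to match, makes the contract visible and moves the failure to the boundary; the `mixed` docblocks then only restate the native type and can go. Rows are hydrated with `PDO::FETCH_CLASS` in `DatabaseTableRepository`, which writes the properties directly, so confirm the column types coerce into typed properties before tightening them. The three blank lines before the closing brace are stray.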
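--- a/src/MovieRepository.php
+++ b/src/MovieRepository.php
@@ -0,0 +1,9 @@
+<?php
+namespace Tudublin;
+
+use Mattsmithdev\PdoCrudRepo\DatabaseTableRepository;
+
+class MovieRepository extends DatabaseTableRepository
+{
+
+}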
