Ocena sktyptu i wskazanie błędów.

octonapewno

octonapewno

Użytkownik
Dołączył
Maj 22, 2008
Posty
110
Chciałbym abyście ocenili klasy które utworzyłem i chciałbym wykorzystać na moim blogu:
PHP: 
<?php
    include('bbcode.php');
    
    class user{
    function connectAndSelect(){
        mysql_connect("localhost", "user", "password") or die("Nie można połączyć z serwerem!");        
        mysql_select_db("db_blog") or die("Nie wybrano bazy danych!");
        mysql_set_charset('utf8');
    }
        
        
        function showArticles(){
            $query = "SELECT id_articles, title, description FROM tbl_articles ORDER BY id_articles DESC";
            $results = mysql_query($query) or die(mysql_error());
            
            function numberComm($id){
            $query = "SELECT count(id_comments) as number ,id_articles FROM tbl_comments WHERE id_articles = '".$id."' GROUP BY id_articles";
            $result = mysql_query($query);
            $num = mysql_fetch_assoc($result);
            
            if($num['number'] == 0)
            {
                return "0";
            } else {
            return $num['number'];
            }
            }
            
            while($art = mysql_fetch_assoc($results))
            {
                include('art_style.php');
            }
            
        }
        
        function showArticlesToId($id){
            $query = "SELECT id_articles, title, content FROM tbl_articles WHERE id_articles='".$id."'";
            $results = mysql_query($query) or die(mysql_error());
            
            while($art = mysql_fetch_assoc($results))
            {
                include('art_id_style.php');
            }
        }
        
        function showComments($id) {
            $query = "SELECT id_comments, who_add, content, date FROM tbl_comments WHERE id_articles='".$id."' ORDER BY id_articles DESC";
            $results = mysql_query($query) or die(mysql_error());
            
            while($art = mysql_fetch_assoc($results))
            {
                include('dark_comments_id_style.php');              
            }
        }
        
        function topArticle(){
            $query = "SELECT art.id_articles, art.title, com.id_articles, count( com.id_articles ) as count_id 
                        FROM tbl_articles AS art, tbl_comments AS com
                        WHERE art.id_articles = com.id_articles
                        GROUP BY com.id_articles ORDER BY count_id DESC
                        LIMIT 0 , 5 ";
            $result = mysql_query($query);
            
            while($art = mysql_fetch_assoc($result))
            {
                include("topArticles.php");
            }
        }
        
        function allArticles(){
            $query = "SELECT id_articles, title FROM tbl_articles WHERE id_articles >= 0 ORDER BY id_articles";
            $result = mysql_query($query);
            
            while($art = mysql_fetch_assoc($result))
            {
                include("topArticles.php");
            }
        }
        
        function programsList(){
            $query = "SELECT name, description, link FROM tbl_programs ";
            $result = mysql_query($query);
            $yes = mysql_num_rows($result);
            if($yes === 0){
                print "Nie ma żadnych programów!";
            } else {
                while($prog = mysql_fetch_assoc($result))
                {
                    include("programs.php");
                }
            }
        }
        
        function sendComm($id, $whoAdd, $email, $content){
        
            if(empty($email)){
                $query = "INSERT INTO tbl_comments VALUES (null, '".$id."','".$whoAdd."', NULL, '".$content."', NOW())";
                mysql_query($query) or die(mysql_error());
            } else {
                $query = "INSERT INTO tbl_comments VALUES (null, '".$id."','".$whoAdd."','".$email."', '".$content."', NOW())";
                mysql_query($query) or die(mysql_error());
            }
        }
        
        
    }

    class admin {
        
        function connectAndSelect(){
            mysql_connect("localhost", "admin", "password") or die(mysql_error());
            
            mysql_select_db("db_blog") or die(mysql_error());
            mysql_set_charset('utf8');
        }
    
        function addArticle($title, $content, $description, $additional){
            if(empty($additional)){
                $query = "INSERT INTO tbl_articles VALUES (null,'".$title."','".$description."','".$content."', NOW(), null)";
                    mysql_query($query) or die(mysql_error());
            } else {
                $query = "INSERT INTO tbl_articles VALUES (null,'".$title."','".$description."','".$content."', NOW(), '".$additional."')";
                    mysql_query($query) or die(mysql_error());
            }
        }
        
        function showAllArticles(){        
            $query = "SELECT id_articles, title FROM tbl_articles";
            $result = mysql_query($query);
            
            while($tab = mysql_fetch_assoc($result)){
                include('all_admin.php');
            }
        }
    
        function updateArticle($id, $title, $description, $content, $additional) {
            if(empty($additional)){
                $query = "UPDATE tbl_articles SET title = '".$title."', description = '".$description."', content = '".$content."', additional = null WHERE id_articles = '".$id."'";
                    mysql_query($query) or die(mysql_error());
            } else {
                $query = "UPDATE tbl_articles SET title = '".$title."', description = '".$description."', content = '".$content."', additional = '".$additional."' WHERE id_articles = '".$id."'";
                    mysql_query($query) or die(mysql_error());
            }
        } 
        
        function editArticles($id){
            $query = "SELECT id_articles, title, content, description, additional FROM tbl_articles WHERE id_articles = '".$id."'";
            $result =    mysql_query($query);
            global $edit;
                $edit = mysql_fetch_assoc($result);    
        }
    }
?>

tzn. wszystko jest ok i działa tak jak należy, ale to jest mój pierwszy taki projekt i chciałbym zobaczyć swoje błędy, które popełniłem.
 
Ostatnia edycja:
L

loganek

Były Moderator
Dołączył
Listopad 11, 2006
Posty
563
nie dbasz w ogóle o bezpieczeństwo. Poczytaj o SQL Injection. Wartość merytoryczną sprawdzę wieczorem:)
 
A

Atomic_Eater`

Użytkownik
Dołączył
Styczeń 11, 2011
Posty
5
PHP: 
function sendComm($id, $whoAdd, $email, $content){
        
            if(empty($email)){
                $query = "INSERT INTO tbl_comments VALUES (null, '".$id."','".$whoAdd."', NULL, '".$content."', NOW())";
                mysql_query($query) or die(mysql_error());
            } else {
                $query = "INSERT INTO tbl_comments VALUES (null, '".$id."','".$whoAdd."','".$email."', '".$content."', NOW())";
                mysql_query($query) or die(mysql_error());
            }
XSS. Usuwaj tagi html (strip_tags), oraz mysql_real_escape_string również by się przydało :).
PHP: 
function numberComm($id){
Manual: ctype_digit.
W ogóle brak walidacji :p
 
You must log in or register to reply here.
Do góry Bottom