<?php
// ==================DATABASE BOILERPLATE==================
//NOTE: similar structure to https://www.binpress.com/using-php-with-mysql/
//NOTE: this class performs no escaping or validation of its own. Any SQL that carries external data (request parameters, cookies, file contents) must go through preparedQuery() with "?" placeholders; query() runs its argument verbatim and becomes an SQL-injection sink if such data is concatenated into it.
//TODO: improve code by consulting https://www.acunetix.com/blog/articles/prevent-sql-injection-vulnerabilities-in-php-applications/
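class Database {
    /** @var mysqli|null live connection; NULL until the constructor succeeds (and NULL again if connecting fails) */
    private $connection = NULL;

    /**
     * Reads private/config.ini (expected keys: host, username, password, dbname) and opens the mysqli connection.
     *
     * Fatal (die) on a missing or unparseable config, a missing key, or a failed connection. The detailed reason
     * (which may include the DB host/user) is written to the PHP error log only; the client sees a generic
     * message so connection details are not disclosed to it.
     *
     * NOTE: the config path is relative to the current working directory, not to this file -- confirm callers' cwd.
     * NOTE(review): if private/ lives under the web root, make sure the web server denies requests for *.ini,
     * otherwise the credentials are downloadable as plain text (PHP does not execute .ini files).
     * NOTE(review): on PHP 8.1+ mysqli's default error mode throws mysqli_sql_exception on connect failure
     * instead of setting connect_error; that exception is not caught here -- confirm display_errors is off in production.
     */
    public function __construct() {
        $configFilePath = "private/config.ini";
        if (!file_exists($configFilePath)) die("ADMIN ERROR: MISSING/WRONG CONFIG FILE!!!");
        $config = parse_ini_file($configFilePath);
        // parse_ini_file() returns false on a syntax error; previously this fell through to mysqli with nulls.
        if ($config === false) {
            error_log("Database: could not parse " . $configFilePath);
            die("ADMIN ERROR: MISSING/WRONG CONFIG FILE!!!");
        }
        foreach (["host", "username", "password", "dbname"] as $requiredKey) {
            if (!array_key_exists($requiredKey, $config)) {
                error_log("Database: config key '" . $requiredKey . "' missing from " . $configFilePath);
                die("ADMIN ERROR: MISSING/WRONG CONFIG FILE!!!");
            }
        }
        $this->connection = new mysqli($config["host"], $config["username"], $config["password"], $config["dbname"]);
        if ($this->connection->connect_error) {
            // Log the real reason; never echo connect_error to the client (it can contain host/user details).
            error_log("Database connection error: " . $this->connection->connect_error);
            // Drop the dead handle so __destruct() (which also runs after die) does not call close() on it.
            $this->connection = NULL;
            die("Database connection error.");
        }
    }

    /** Closes the connection when the object goes away (this also runs after die()). */
    public function __destruct() {
        if (!is_null($this->connection)) {
            $this->connection->close();
        }
    }

    /**
     * Runs $query verbatim -- an SQL-injection sink. Only pass fully static SQL here; any statement that
     * includes caller-supplied data must go through preparedQuery(). This class escapes nothing.
     *
     * Returns whatever mysqli::query() returns: a mysqli_result for statements producing a result set,
     * true/false otherwise.
     */
    public function query($query) {
        return $this->connection->query($query);
    }

    /**
     * Runs a parameterised statement.
     *
     * $preparedQuery: SQL with "?" placeholders, e.g. "INSERT INTO myTable (name, age) VALUES (?, ?)"
     * $types:         mysqli bind_param type string, e.g. "si" (one character per placeholder)
     * $params:        values for the placeholders, in order; count must equal strlen($types)
     *
     * Returns the mysqli_result from get_result() (requires the mysqlnd driver), false for statements that
     * produce no result set (INSERT/UPDATE/DELETE), and false when prepare() or execute() fail -- the failure
     * details go to the error log, not to the caller or the client.
     * Throws InvalidArgumentException when $types and $params disagree in length (a programming error,
     * detected before anything is sent to the server).
     * NOTE(review): on PHP 8.1+ mysqli's default error mode raises mysqli_sql_exception on prepare/execute
     * failures instead of returning false; those exceptions propagate to the caller.
     */
    public function preparedQuery($preparedQuery, $types, $params = []) {
        if (strlen($types) !== count($params)) {
            throw new InvalidArgumentException("preparedQuery: type string length does not match parameter count");
        }
        $stmt = $this->connection->prepare($preparedQuery);
        // prepare() returns false on a bad statement; previously this was dereferenced unconditionally.
        if ($stmt === false) {
            error_log("Database prepare error: " . $this->connection->error);
            return false;
        }
        // bind_param() with an empty type string is an error, so skip it for placeholder-free statements.
        if (count($params) > 0) {
            $stmt->bind_param($types, ...$params);
        }
        if (!$stmt->execute()) {
            error_log("Database execute error: " . $stmt->error);
            $stmt->close();
            return false;
        }
        $result = $stmt->get_result();
        $stmt->close();
        return $result;
    }

    /** ID generated by the most recent INSERT on this connection (mysqli::$insert_id; 0 when there is none). */
    public function getLastInsertID() {
        return $this->connection->insert_id;
    }
    //TODO: could add more specific methods like select(...), insert(...), delete(...), etc. built on preparedQuery()
}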
?>