HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpMinor

Database output function

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
codereviewphpstackoverflowmysqlsecurity
databasefunctionoutput

Problem

Please review the following code and list all the coding errors and poor coding practices that you can see in this code.

function output()
{
    // Check authorization
    if(is_authorized())
    {
        $authorized = true;
        include('/path/to/' . $_REQUEST['module'] . '.php');
    }
    echo ""
    $conn = mysql_connect( "dbserver.com:6789", "dbyuser", "dbpassWd" );
    mysql_select_db( "kum", $conn ); // selects a database
    $q = " SELECT * FROM main WHERE id > " . $_GET["id"]. ";";
    $res = mysql_query( $q, $conn);
    while( $row = mysql_fetch_assoc( $res ) )
    {
        echo "".$row['description']."";
    }
    echo "";
    $q = " SELECT * FROM main WHERE id ".$row['description']. "(" .
        $authorized ? $row['status'] : "N/A" . ")";
    }
    echo "";
}

Solution


  • magic strings,



  • DB connection not closed,



  • DB errors not handled,



  • no prepared statements with safe query parameters,



  • injectable request and query parameters,



  • mix of UI and logic code,



  • no HTML encoding,



  • 2 of the 3 comments are very redundant with the line they comment.

Context

StackExchange Code Review Q#12680, answer score: 5

Revisions (0)

No revisions yet.