I have a file users.php and I want to display a user's information when an id is set, for example users.php?id=5.

My "users.php" file is:
    <?php
    $page_title = "Administrace - Uživatelé";
    require_once($_SERVER['DOCUMENT_ROOT']."/core/main.php");

    if(!Admin::is_admin() or !User::is_logged()) // check if user is logged in and is admin
    {
        redirect($url."index.php"); // get out of here
    }

    $user = new User();

    if(isset($_GET["id"]))
    {
        $id = test_input($_GET["id"]); // = htmlspecialchars() & trim() & stripslashes()
        $is_valid = ctype_digit($id);

        if($is_valid && $user->check_user_available($id)) // check if $id is a number AND if a user with that $id is in the database
        {
            // show user's information
        } else {
            // get out of here
            redirect($url."admin/");
        }
    } else {
    ?>
        <i>...toto je random text...</i>
        <section>
            <div class="content">
                <h1>Administrace -> Uživatelé</h1>
                <p>
                <?php
                echo ($user->get_all_users()); // get all users (<a href="users.php?id=X">User</a>)
                ?>
                </p>
            </div>
        </section>
        <aside>
            <?php
            $login = new Panel("login");
            $partneri = new Panel("partners");
            ?>
        </aside>
    <?php
    }
    require_once($_SERVER['DOCUMENT_ROOT']."/template/footer.php");
    ?>
My check_user_available() function:
    <?php
    public function check_user_available($id)
    {
        $id = trim($id);
        $id = stripslashes($id);
        $id = htmlspecialchars($id);

        if(ctype_digit($id))
        {
            $query = Database::dotaz('SELECT * FROM `users` WHERE `id`=?', array($id));
            if($query > 0)
            {
                return true;
            } else {
                return false;
            }
        }

        return false; // non-numeric id: previously fell through and returned null
    }
    ?>
I'm also using PDO prepared statements. Here is my Database class and the dotaz() function (dotaz = query):
    <?php
    class Database {
        // Database connection
        private static $connection;

        // Default driver settings
        private static $nastaveni = array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8",
            PDO::ATTR_EMULATE_PREPARES => false,
        );

        // Connects to the database with the given credentials
        public static function connect($host, $username, $password, $dbname) {
            if (!isset(self::$connection)) {
                self::$connection = @new PDO(
                    "mysql:host=$host;dbname=$dbname",
                    $username,
                    $password,
                    self::$nastaveni
                );
            }
        }

        // Runs a prepared statement and returns the affected/returned row count
        public static function dotaz($dotaz, $parametry = array()) {
            $navrat = self::$connection->prepare($dotaz);
            $navrat->execute($parametry);
            return $navrat->rowCount();
        }
    }
    ?>
Could you tell me if the $_GET part is well secured, or help me secure it better? Thank you all.
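As an added example (not the asker's code), a stricter version of the two pieces above: filter_var() instead of ctype_digit() for the id, and COUNT(*) via fetchColumn() instead of rowCount() for the existence check. It assumes the pdo_sqlite extension; the in-memory database and the sample rows are constructed here so the file runs stand-alone.

```php
<?php
// Added example, not the asker's code. Sample data is constructed here
// (SQLite in-memory) so the file runs stand-alone: php this_file.php

/**
 * Read ?id= from the query array and return it as a positive int, or
 * null if absent or invalid. FILTER_VALIDATE_INT rejects "", "5abc",
 * "05", anything overflowing PHP_INT_MAX, and with min_range also 0
 * and negatives. ctype_digit() alone accepts "99999999999999999999".
 * The is_string() check covers ?id[]=5, which makes $_GET['id'] an array.
 */
function read_id(array $get): ?int
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Does a users row with this id exist? COUNT(*) + fetchColumn() is used
 * because PDOStatement::rowCount() is not guaranteed to be meaningful
 * for SELECT on every driver. The id is bound as an integer; HTML
 * escaping (htmlspecialchars) is for output, not for SQL parameters.
 */
function user_exists(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// --- constructed test data -------------------------------------------
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (5, 'alice'), (7, 'bob')");

foreach (['5', '6', '05', '5abc', '-5', '99999999999999999999', ['5']] as $raw) {
    $id = read_id(['id' => $raw]);
    $ok = $id !== null && user_exists($pdo, $id);
    printf("%-22s -> %s\n", json_encode($raw), $ok ? 'show user' : 'redirect');
}
// In users.php the failing branch would be:
//   redirect($url . 'admin/');
//   exit; // a Location header alone does not stop the rest of the page running
```

Only the "5" input reaches the user page; "6" is well formed but has no row, and every other input is rejected before any query is run.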