<?php

require_once '../db.php';

session_start();

// Check if user is logged in using the session variable
if( $_SESSION['logged_in'] != 1 ){

  $_SESSION['message'] = "";
  header("location: error.php"); 

} else {
    $username = $_SESSION['username'];
}

//here starts the code to insert data on DB, and to make a slug
$slug = '';

if(isset($_POST["create"])){ 

  $slug = preg_replace('/[^a-z0-9]+/i', '-', trim(strtolower($_POST["title"])));

  $query = "SELECT slug_url FROM bn_publicacao WHERE slug_url LIKE '$slug%'";

  $statement = $conn->prepare($query); 

  if($statement->execute()){

    $total_row = $statement->rowCount();

    if($total_row > 0){

      $result = $statement->fetchAll();

      foreach($result as $row){

      $data[] = $row['slug_url'];

      }

      if(in_array($slug, $data)){

        $count = 0;
        while( in_array( ($slug . '-' . ++$count ), $data) );
        $slug = $slug . '-' . $count;

      }

    }

  }

  $insert_data = array(

    ':title'         => $_POST['title'],
    ':data_hora'     => $_POST['data_hora'],
    ':datePublished' => $_POST['datePublished'],
    ':dateModified'  => $_POST['dateModified'],
    ':descricao'     => $_POST['descricao'],
    ':capa'          => $_POST['capa'],
    ':width'         => $_POST['width'],
    ':height'        => $_POST['height'],
    ':alt'           => $_POST['alt'],
    ':keywords'      => $_POST['keywords'],
    ':categoria'     => $_POST['categoria'],
    ':slug_url'      => $slug,
    ':slug_link'     => $slug,
    ':entry_type'    => $_POST['entry_type'],

  );

  $query = "INSERT INTO bn_publicacao (title, data_hora, datePublished, dateModified, descricao, capa, width, height, alt, keywords, categoria, slug_url, slug_link, entry_type) VALUES (:title, :data_hora, :datePublished, :dateModified, :descricao, :capa, :width, :height, :alt, :keywords, :categoria, :slug_url, :slug_link, :entry_type)";
  $statement = $conn->prepare($query);
  $statement->execute($insert_data);

}

$conn = NULL;

?>

<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <title>Gravar</title>
  <meta charset="UTF-8">
</head>

<body>

<form method="post" action="">

  <div>
    <input type="text" name="title" autocomplete="off" required>           
    <span data-placeholder="Title"></span>          
  </div>

  <div>
    <input type="text" name="datePublished" class="input100" autocomplete="on" required>
    <span data-placeholder="datePublished"></span>
  </div>

  <div>
    <input type="text" name="dateModified" autocomplete="on" required>
    <span data-placeholder="dateModified"></span>
  </div>

  <div>
    <input type="text" name="keywords" class="input100" autocomplete="off" required>
    <span data-placeholder="Keywords"></span>
  </div>

  <div>
    <input type="text" name="data_hora" class="input100" autocomplete="on" required>
    <span data-placeholder="Data e Hora"></span>
  </div>

  <div>
    <input type="text" name="descricao" autocomplete="off" required>
    <span data-placeholder="Descrição"></span>
  </div>

  <div>
    <input type="text" name="capa" autocomplete="off" required>
    <span data-placeholder="Capa Url - ratio 5:2 h/w"></span>
  </div>

  <div>
    <input type="text" name="alt" autocomplete="off" required>
    <span class="focus-input100" data-placeholder="Alt"></span>
  </div>         

  <div>
    <input type="text" name="categoria" required>
    <span data-placeholder="Categoria"></span>
  </div>

  <div>
    <input type="text" name="entry_type" required>
    <span data-placeholder="Entry_type"></span>
  </div>

  <div>
    <input type="text" name="width" autocomplete="off" required>
    <span class="focus-input100" data-placeholder="Width"></span>
  </div>

  <div>
    <input type="text" name="height" autocomplete="off" required>
    <span data-placeholder="Height"></span>
  </div>

  <div>
    <button type="submit" name="create">
      Enviar
    </button>
  </div>

</form>

<div>
  <a href="ir.php">
    <button name="logout">
      Log Out
    </button>
  </a>
</div>

</body>

</html>

This file is accessible through my login system that I posted here on Code Review earlier: Login System using PHP and PDO Prepared Statement

It's just some simple code that I made, using a prepared statement, to insert data into my database.

What do you think about my code? Any suggestions?

  • In your first SELECT query you don't bind the value of `$slug%` to a corresponding named placeholder in the SQL statement. I think you should, despite the filtering before, just to be sure. Commented Sep 28, 2018 at 7:24

1 Answer

  1. Just as I suspected, the authorization code doesn't protect anything. A header("Location: ...") is advisory for the browser, which may ignore it and continue to load the page you consider protected. Always have a die() call after the redirect header, to make sure that no further code will be executed.
  2. The SELECT query is a cargo-cult prepared statement. It should be rewritten to a real one:

    $query = "SELECT slug_url FROM bn_publicacao WHERE slug_url LIKE ?";
    $statement = $conn->prepare($query); 
    $statement->execute(["$slug%"]);
    
  3. There is a useless condition, if($statement->execute()){. Given that PDO is set to exception mode, the condition will never get a FALSE-like value and is thus essentially useless; you can get rid of it.
  4. And another useless condition, if($total_row > 0){. There is no point in checking the number of results. Just get your results right away:

    $result = $statement->fetchAll();
    
  5. The following loop is, well, useless too. PDO can give you a single-dimensional array right out of the statement:

    $data = $statement->fetchAll(PDO::FETCH_COLUMN);
    

On the other hand, your INSERT code is perfect.

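Putting the answer's five points together, here is the PHP side of the page rewritten as an added example. It is not the original poster's code and not the answer's; it assumes, like the original, that `../db.php` creates `$conn` as a PDO instance in exception mode (`PDO::ERRMODE_EXCEPTION`), and that `bn_publicacao.slug_url` is the column that must stay unique. Two small additions beyond the answer are assumptions of this example: surrounding hyphens are trimmed from the slug, and an empty slug falls back to the literal `post`.

```php
<?php
// Added example, not the original poster's code: the guard and the slug
// lookup rewritten along the lines of the answer above. Assumes ../db.php
// creates $conn as a PDO instance in exception mode (PDO::ERRMODE_EXCEPTION)
// and that bn_publicacao.slug_url is the column that must stay unique.
declare(strict_types=1);

require_once '../db.php';
session_start();

// 1. The redirect header is only advice to the client; stop the script right
//    after sending it so nothing below runs for an unauthenticated request.
if (($_SESSION['logged_in'] ?? 0) != 1) {
    $_SESSION['message'] = '';
    header('Location: error.php');
    exit;
}

/**
 * Lowercase the title and collapse every run of non-alphanumerics to one
 * hyphen. The result contains only [a-z0-9-], so it carries no LIKE
 * wildcards (% or _) when it is used as the pattern prefix below.
 */
function makeSlug(string $title): string
{
    $slug = preg_replace('/[^a-z0-9]+/i', '-', strtolower(trim($title)));
    $slug = trim($slug, '-');                 // assumption: drop edge hyphens
    return $slug === '' ? 'post' : $slug;     // assumption: fallback for empty titles
}

/**
 * Return $slug unchanged, or $slug-1, $slug-2, ... if it is already taken.
 * The LIKE pattern is a bound parameter: the slug never touches the SQL text.
 */
function uniqueSlug(PDO $conn, string $slug): string
{
    $stmt = $conn->prepare('SELECT slug_url FROM bn_publicacao WHERE slug_url LIKE ?');
    $stmt->execute([$slug . '%']);
    // Points 3 to 5: no execute()/rowCount() checks in exception mode, and
    // FETCH_COLUMN returns a flat array of slug_url strings directly.
    $taken = $stmt->fetchAll(PDO::FETCH_COLUMN);

    if (!in_array($slug, $taken, true)) {
        return $slug;
    }
    $count = 0;
    while (in_array($slug . '-' . ++$count, $taken, true)) {
        // keep counting until an unused suffix is found
    }
    return $slug . '-' . $count;
}

if (isset($_POST['create'])) {
    $slug = uniqueSlug($conn, makeSlug((string) ($_POST['title'] ?? '')));

    // Same bound INSERT as the original; every value is a parameter.
    $insertData = [
        ':title'         => $_POST['title'] ?? '',
        ':data_hora'     => $_POST['data_hora'] ?? '',
        ':datePublished' => $_POST['datePublished'] ?? '',
        ':dateModified'  => $_POST['dateModified'] ?? '',
        ':descricao'     => $_POST['descricao'] ?? '',
        ':capa'          => $_POST['capa'] ?? '',
        ':width'         => $_POST['width'] ?? '',
        ':height'        => $_POST['height'] ?? '',
        ':alt'           => $_POST['alt'] ?? '',
        ':keywords'      => $_POST['keywords'] ?? '',
        ':categoria'     => $_POST['categoria'] ?? '',
        ':slug_url'      => $slug,
        ':slug_link'     => $slug,
        ':entry_type'    => $_POST['entry_type'] ?? '',
    ];

    $stmt = $conn->prepare(
        'INSERT INTO bn_publicacao (title, data_hora, datePublished, dateModified, descricao, capa, width, height, alt, keywords, categoria, slug_url, slug_link, entry_type)
         VALUES (:title, :data_hora, :datePublished, :dateModified, :descricao, :capa, :width, :height, :alt, :keywords, :categoria, :slug_url, :slug_link, :entry_type)'
    );
    $stmt->execute($insertData);
}

$conn = null;
```

Two caveats a reviewer would still raise. The prefix pattern `foo%` also returns rows such as `foo-bar`; that is harmless here because `in_array()` compares exact strings, but the result set grows with every slug that shares the prefix. More importantly, select-then-insert is not atomic: two requests submitting the same title at the same moment can both see the same list and both insert `foo-1`. The only real guarantee is a UNIQUE index on `slug_url`, with the duplicate-key `PDOException` from `execute()` caught and the insert retried with the next suffix.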