Is this live site fairly secure?

I wanted to know if something like the following would be fairly secure and okay to use in a production setting. I am retrieving data from a database and using the response data in a graph using Chart.js.

My html file

<div class="canvas-holder">
    <canvas id="chart-area2" width="200" height="200"></canvas>
</div>

<div class="canvas-holder">
    <canvas id="chart-area" width="200" height="200"></canvas>
</div>

<div id="chartjs-tooltip"></div>


<script>
$.ajax({
   url: 'chartpi.php',
   success: function (response) { // response is the JSON string returned by chartpi.php
        var datachart = JSON.parse(response);
        var ctx2 = document.getElementById("chart-area2").getContext("2d");
        window.myPie = new Chart(ctx2).Pie(datachart);
   }
});

$.ajax({
   url: 'chartpi2.php',
   success: function (response) { // response is the JSON string returned by chartpi2.php
        var datachart = JSON.parse(response);
        var ctx = document.getElementById("chart-area").getContext("2d");
        // keep a separate global so the doughnut does not overwrite the pie reference
        window.myDoughnut = new Chart(ctx).Doughnut(datachart);
   }
});
</script>

My PHP file

<?php

        // set up the connection variables (placeholders; fill in the real values)
        $db_name  = 'your_database';
        $hostname = 'localhost';
        $username = 'your_user';
        $password = 'your_password';

        // connect to the database; throw exceptions so failures are not silently ignored
        $dbh = new PDO("mysql:host=$hostname;dbname=$db_name;charset=utf8mb4", $username, $password, array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ));

        // a query to get all the records from the pichart2 table
        $sql = 'SELECT * FROM pichart2';

        // use prepared statements; even when not strictly required it is good practice
        $stmt = $dbh->prepare( $sql );

        // execute the query
        $stmt->execute();

        // fetch the results into an array
        $result = $stmt->fetchAll( PDO::FETCH_ASSOC );

        // convert to json
        $json = json_encode( $result );

        // tell the browser this is JSON and echo the json string
        header('Content-Type: application/json');
        echo $json;
?>

Your question of

would be fairly secure and okay to use in a production setting

The two obvious areas you have covered:

  • parameterized queries on the backend
  • the data being retrieved is not based on user input from this site page

However, I will caution that if any of the data being retrieved from the piechart table(s) retains any user-provided data from some other source, you should consider/implement the proper output encoding even if proper input sanitation was performed.

If that isn't the case, then no worry there.
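As an added example (not code from the question or the answer), one way to act on that caution on the client side: escape each label and validate each value and colour in the decoded JSON before handing the records to Chart.js, so a stored string containing markup is shown as text wherever Chart.js or a custom HTML tooltip inserts it. The record shape `{label, value, color}` and the `escapeHtml` / `sanitizeChartData` names are assumptions, and the sample payload is constructed.

```javascript
// Added example, not the question's or the answer's code.
// Assumed record shape returned by chartpi.php: { label: string, value: number|string, color: string }

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Only accept CSS hex colours; anything else falls back to a neutral grey so a
// stored value cannot carry arbitrary text into a style context.
const HEX_COLOR = /^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/;

function sanitizeChartData(records) {
  if (!Array.isArray(records)) throw new TypeError('chart payload must be an array');
  return records.map(r => {
    // PDO returns numeric columns as strings; coerce and reject anything non-numeric
    const value = Number(r.value);
    if (!Number.isFinite(value) || value < 0) throw new RangeError(`bad value: ${r.value}`);
    return {
      value,
      label: escapeHtml(r.label),
      color: HEX_COLOR.test(r.color) ? r.color : '#999999',
    };
  });
}

// Constructed sample standing in for the JSON string returned by chartpi.php.
const sample = JSON.parse('[{"label":"Red","value":"30","color":"#F7464A"},' +
  '{"label":"<b>Not a label</b>","value":50,"color":"red; background:url(x)"}]');

// In the page this would sit in the $.ajax success callback:
//   window.myPie = new Chart(ctx2).Pie(sanitizeChartData(JSON.parse(response)));
```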