Is this PDO code secure for letting the public look up information in a database?

I'm trying to make a very simple lookup page for the members at my studyspace. Every member has a personal ID number, their registered name (and other information) and the number of points/credits they have left on their account.

I wanted to make a public page with two search fields where the user can lookup how many points/credits are remaining on their account if they input their user ID and some bit of personal information like their last name.

This would query a database and show their credits.

My main concern is security of course, since it will be a public website available to anyone. I got the sample code from a tutorial because I am very much a beginner and just know enough to change the code from the tutorial to suit my database.

Here's the search form page code:

<form action="search.php" method="post">
ID: <input type="text" name="searchid" placeholder=" Search here ... "/><br>
Name: <input type="text" name="searchname" placeholder=" Search here ... "/>
<input type="submit" value="Submit" />
</form>

And then the code to query and display results:

<?php 
//load database connection
$host = "localhost";
$user = "root";
$password = "passwordhere";
$database_name = "test";
$pdo = new PDO("mysql:host=$host;dbname=$database_name", $user, $password, array(
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
));
// Search from MySQL database table
$searchid=$_POST['searchid'];
$searchname=$_POST['searchname'];
$query = $pdo->prepare("select * from members where name LIKE '$searchname' && id LIKE '$searchid'  LIMIT 0 , 10");
$query->bindValue(1, "%$searchid%", PDO::PARAM_STR);
$query->execute();
// Display search result
if (!$query->rowCount() == 0) {
    echo "Search found :<br/>";
    echo "<table style=\"font-family:arial;color:#333333;\">";
    echo "<tr><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">name</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">id</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;background:#98bf21;\">last visit</td></tr>";
    while ($results = $query->fetch()) {
        echo "<tr><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
        echo $results['name'];
        echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
        echo $results['id'];
        echo "</td><td style=\"border-style:solid;border-width:1px;border-color:#98bf21;\">";
        echo $results['lastvisit'];
        echo "</td></tr>";
    }
    echo "</table>";
} else {
    echo 'Nothing found';
}
?>

The column named last visit is just for testing, this will be the part with the point information.

The code seems to work fairly well with some dummy data and simple testing. I changed the code to require both fields to match, otherwise it returns no result, so people cannot just enter easy-to-guess data to try to get results. If one field is empty it returns nothing; if the data is slightly wrong it also returns nothing. However, entering the user ID together with the exact name returns all the information for that row.

So naturally the first question is whether this code is safe from MySQL attacks, or if there are any other glaring problems with it.

Also, is it common to actually connect to a database with the user root and the password in plain text like that? That doesn't seem so secure to me but every example I have seen with using PHP to access databases has that code.

Another question I had, for my own learning experience, is the purpose of this code:

$query->bindValue(1, "%$searchid%", PDO::PARAM_STR);

I couldn't quite figure it out, yet.

Thanks for any help.
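The following is an added example, not code from the question or from the tutorial it came from. It rewrites the lookup twice: first in the question's style, with the two form fields interpolated straight into the SQL text, and then with bound placeholders, and runs both against a constructed payload so the difference is visible. It uses an in-memory SQLite database as a stand-in for the MySQL `test` database (an assumption made so the script runs offline); the `members` columns and the three sample rows are likewise constructed, and the function names are hypothetical.

```php
<?php
// Added example (not from the original question): the member lookup written
// with string interpolation (as in the question) and with bound parameters,
// exercised against an in-memory SQLite table so the script is self-contained.
// Table layout, sample rows and function names are assumptions for the demo.
declare(strict_types=1);

function makeSampleDb(): PDO
{
    // SQLite in memory stands in for the MySQL "test" database in the question.
    // For MySQL you would also pass PDO::ATTR_EMULATE_PREPARES => false so the
    // server, not the client library, handles the placeholders.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, points INTEGER NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO members (id, name, points) VALUES (:id, :name, :points)');
    // Constructed sample data.
    foreach ([[1001, 'Jensen', 12], [1002, 'Larsen', 3], [1003, 'Nguyen', 40]] as [$id, $name, $points]) {
        $insert->execute(['id' => $id, 'name' => $name, 'points' => $points]);
    }
    return $pdo;
}

// The pattern from the question: user input is interpolated into the SQL text,
// so the statement is already assembled by the time prepare() sees it and
// there are no placeholders left for PDO to protect.
function vulnerableLookup(PDO $pdo, string $searchId, string $searchName): array
{
    $stmt = $pdo->prepare("SELECT id, name, points FROM members WHERE name LIKE '$searchName' AND id LIKE '$searchId' LIMIT 10");
    $stmt->execute();
    return $stmt->fetchAll();
}

// Hardened form: both fields required, numeric id, exact match, and the values
// travel to the database through placeholders rather than through the SQL string.
function safeLookup(PDO $pdo, string $searchId, string $searchName): array
{
    if ($searchName === '' || preg_match('/^\d{1,10}$/', $searchId) !== 1) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name, points FROM members WHERE id = :id AND name = :name LIMIT 1');
    $stmt->execute(['id' => (int) $searchId, 'name' => $searchName]);
    return $stmt->fetchAll();
}

// Escape database values before echoing them into HTML: a stored name that
// contains markup would otherwise be rendered as markup on the results page.
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . htmlspecialchars((string) $row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
               . '</td><td>' . (int) $row['id']
               . '</td><td>' . (int) $row['points'] . "</td></tr>\n";
    }
    return $html;
}

$pdo = makeSampleDb();

// Legitimate use: both versions return exactly the one matching member.
$honest = vulnerableLookup($pdo, '1002', 'Larsen');
assert(count($honest) === 1 && $honest[0]['name'] === 'Larsen');
assert(count(safeLookup($pdo, '1002', 'Larsen')) === 1);

// Injection: the quote in the id field closes the string literal, and the
// resulting "... AND id LIKE '' OR '1'='1'" is true for every row, so the
// "both fields must match" rule is bypassed and the whole table comes back.
$payload = "' OR '1'='1";
$leaked = vulnerableLookup($pdo, $payload, 'anything');
assert(count($leaked) === 3);

// Against the hardened version the payload is rejected by the id check, and
// even in the name field it is only ever compared as data, so nothing matches.
assert(safeLookup($pdo, $payload, 'anything') === []);
assert(safeLookup($pdo, '1002', $payload) === []);

echo 'interpolated query with payload: ' . count($leaked) . " rows\n";
echo 'parameterised query with payload: ' . count(safeLookup($pdo, '1002', $payload)) . " rows\n";
echo renderRows($honest);
```

Two points this illustrates for the questions above. `bindValue(1, ...)` supplies a value for the first `?` placeholder of a prepared statement; the query in the question has no placeholders because the values were already interpolated, so that line has nothing to attach to, and PDO only prevents injection when the user-supplied values reach the database through placeholders as in `safeLookup`. The tutorial habit of connecting as `root` with the password in the script is not what a deployed site should do: create a dedicated MySQL user that has only `SELECT` on the one table, and keep its credentials in a configuration file outside the web root that the script reads at startup.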