Is my database access role secure?

2

I have a file that has CRUD operations with PDO and MySQL. My question is, if I leave my functions like the function below:

    function delete($tabela, $id) {
        global $con;
        // The table name is concatenated into the SQL; only :id is a bound parameter.
        $sql = "DELETE FROM " . $tabela . " WHERE id=:id";
        if (is_array($id)) {
            // Several ids: run one delete per id and collect the error messages.
            $errors = array();
            for ($i = 0; $i < count($id); $i++) {
                $delete = $con->prepare($sql);
                $delete->bindValue(":id", filter_var($id[$i], FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
                if (!($delete->execute())) {
                    $error = $delete->errorInfo();
                    array_push($errors, $error[2]);
                }
            }

            if (count($errors) == 0) {
                return true;
            } else {
                return $errors;
            }

        } else {
            // Single id: returns true on success or the driver error message.
            $delete = $con->prepare($sql);
            $delete->bindValue(":id", filter_var($id, FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
            if ($delete->execute()) {
                return true;
            } else {
                $error = $delete->errorInfo();
                return $error[2];
            }

        }

    }

If I just leave it that way, do I run the risk of a malicious user deleting a random file from my DB?

I know how to pass parameters via POST, e.g. externally, but my function does not directly receive anything via POST or GET.

    
asked by anonymous 25.09.2017 / 00:36

1 answer

3

I always answer that security is multidisciplinary and extra complicated. If you really want safety, call a specialist. My inference is that the vast majority of websites and applications have security issues. Just looking after the code does not mean anything. Even if you follow certain rules, it does not guarantee that you are safe, just that it is not so wide open.

That said, it seems okay, as long as the variable $tabela does not have its value set externally to scripts and has no other vulnerability factors.

Just do not think you're free of other problems. The other day someone asked how to not accept someone sending badly formed information that sends a different id, and the answer is simple: you have nothing to do but validate the information before using it and only allow authorized users to do this. If this fails, this code is not safe.

    
25.09.2017 / 00:46
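
The two conditions the answer names, a table name that cannot be set from outside the scripts and ids that are validated before use, shown as an added example (not the asker's or the answerer's code). The function name `safeDelete`, the allowlist contents and the in-memory SQLite connection standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example. DELETABLE_TABLES is a hypothetical allowlist; adapt it to the real schema.
const DELETABLE_TABLES = ['products', 'comments'];

function safeDelete(PDO $con, string $table, $ids): int
{
    // Identifiers cannot be bound as parameters, so the table name must
    // match the fixed allowlist exactly before it is concatenated.
    if (!in_array($table, DELETABLE_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    $clean = [];
    foreach ((array) $ids as $id) {
        // Validate instead of sanitize: "3abc" is rejected, not reduced to 3.
        $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($int === false) {
            throw new InvalidArgumentException('invalid id');
        }
        $clean[] = $int;
    }
    // Prepare once, execute per id; all deletes succeed or none do.
    $stmt = $con->prepare("DELETE FROM {$table} WHERE id = :id");
    $deleted = 0;
    $con->beginTransaction();
    try {
        foreach ($clean as $int) {
            $stmt->bindValue(':id', $int, PDO::PARAM_INT);
            $stmt->execute();
            $deleted += $stmt->rowCount();
        }
        $con->commit();
    } catch (Throwable $e) {
        $con->rollBack();
        throw $e;
    }
    return $deleted;
}

// Constructed demo data (assumption: the pdo_sqlite extension is available).
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$con->exec("INSERT INTO products (name) VALUES ('a'), ('b'), ('c')");

echo safeDelete($con, 'products', [1, '2']), " rows deleted\n";
foreach ([['users', 3], ['products', '3abc']] as [$table, $id]) {
    try {
        safeDelete($con, $table, $id);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Checking that the current user is allowed to delete the given rows, which the answer also requires, has to happen before this function is called.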