I have a file with CRUD operations using PDO and MySQL. My question is about leaving my functions like the one below:
function delete($tabela, $id) {
    global $con;
    // The table name is concatenated straight into the SQL text;
    // only :id is a bound parameter.
    $sql = "DELETE FROM " . $tabela . " WHERE id=:id";
    if (is_array($id)) {
        $errors = array();
        for ($i = 0; $i < count($id); $i++) {
            $delete = $con->prepare($sql);
            $delete->bindValue(":id", filter_var($id[$i], FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
            if (!($delete->execute())) {
                $error = $delete->errorInfo();
                array_push($errors, $error[2]); // driver-specific error message
            }
        }
        if (count($errors) == 0) {
            return true;
        } else {
            return $errors;
        }
    } else {
        $delete = $con->prepare($sql);
        $delete->bindValue(":id", filter_var($id, FILTER_SANITIZE_NUMBER_INT), PDO::PARAM_INT);
        if ($delete->execute()) {
            return true;
        } else {
            $error = $delete->errorInfo();
            return $error[2];
        }
    }
}
If I just leave it that way, am I at risk of a malicious user deleting arbitrary records from my DB?
I know how to pass parameters via POST, e.g. externally, but my function does not directly receive anything via POST or GET.
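The bound `:id` is the part a prepared statement protects; the `$tabela` argument is pasted into the statement text as-is, so the query is only as trustworthy as whoever chooses that argument. The following is an added example, not the asker's code: the same delete() with the table name checked against a fixed allowlist before it is concatenated, ids validated rather than sanitized, and a self-contained run against an in-memory SQLite database via PDO (the table names in the allowlist and the sample rows are assumptions for the demo; the same code runs against MySQL with a different DSN).

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Identifiers (table and column names)
// cannot be bound with PDO, so the table name is checked against a fixed
// list instead of being trusted. The names here are assumed for the demo.
const DELETABLE_TABLES = ['users', 'orders'];

function quoteIdentifier(string $name): string
{
    // Backtick-quote and escape embedded backticks (MySQL and SQLite syntax).
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Delete one or more rows by id.
 * Returns true, or an array of error strings (one per failed id).
 * $tabela must be in DELETABLE_TABLES; $id may be a scalar or an array.
 */
function delete(PDO $con, string $tabela, $id)
{
    if (!in_array($tabela, DELETABLE_TABLES, true)) {
        // Refuse anything not on the list; do not try to "clean" it.
        throw new InvalidArgumentException("table not allowed: $tabela");
    }

    $sql    = 'DELETE FROM ' . quoteIdentifier($tabela) . ' WHERE id = :id';
    $stmt   = $con->prepare($sql);   // prepare once, execute per id
    $errors = [];

    foreach (is_array($id) ? $id : [$id] as $one) {
        // Validate instead of sanitize: reject "12abc" rather than turning it into 12.
        $int = filter_var($one, FILTER_VALIDATE_INT);
        if ($int === false) {
            $errors[] = 'invalid id: ' . var_export($one, true);
            continue;
        }
        $stmt->bindValue(':id', $int, PDO::PARAM_INT);
        try {
            $stmt->execute();
        } catch (PDOException $e) {
            $errors[] = $e->getMessage();
        }
    }
    return $errors === [] ? true : $errors;
}

// Self-contained demo with constructed sample data in an in-memory SQLite DB.
$con = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$con->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$con->exec("INSERT INTO users (id, name) VALUES (1, 'ana'), (2, 'bo'), (3, 'cy')");

var_dump(delete($con, 'users', '2'));        // single id from a request string
var_dump(delete($con, 'users', [1, '3x']));  // one valid id, one rejected
echo 'rows left: ', $con->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;

// What the allowlist stops: a table argument that carries SQL of its own.
try {
    delete($con, 'users WHERE 1=1 -- ', 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it as-is with the pdo_sqlite extension: the first call deletes row 2, the second deletes row 1 and returns an error entry for `'3x'`, leaving one row, and the last call never reaches the database because the table name fails the allowlist check. The important part is the `in_array` check: whether the table name is hard-coded in your own calls or arrives from a request, the function itself no longer trusts it.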