Pass Post method to function

0

I need to type a variable ID in the class Client.php so that it is sent to the class Server.php, which will search for the product in the database and show it again in Client.php. I'm having difficulty inserting the variable into the query of the function that will search the database.

Here is the class I've written.

Class Cliente.php

<form action="servidor.php" method="post">
Pesquisa: <input type="text" name="pesquisa" />
<input type="submit" />
</form>
<?php

include('servidor.php');
$connect = new servidor();
$connect->conectar();
$connect->selecionarDB();

?>

Server.php class

$pesquisa = $_REQUEST["pesquisa"];
$query = 'SELECT * FROM produtos where id = ' . $pesquisa;

I want to pass this query to the executar() function so that it returns to the Client.php class.

class servidor {

   // connection settings (must be quoted strings, not bare words)
   private $host = 'localhost'; 
   private $bd = 'banco'; 
   private $usuario = 'root'; 
   private $senha = 'senha'; 

   function conectar(){
      $conexao = mysql_connect($this->host,$this->usuario,$this->senha) or die($this->mensagem(mysql_error()));
      return $conexao;
   }


   function selecionarDB(){

      $banco = mysql_select_db($this->bd) or die($this->mensagem(mysql_error()));
      if($banco){
         return true;
      }else{
         return false;
      }
   }

   function executar(){
      // $this->sql is read here but never assigned anywhere in the class
      $query = mysql_query($this->sql) or die ($this->mensagem(mysql_error()));
      return $query;
   }

   // mensagem() is called above but its definition is not shown in the post
}
asked by anonymous 14.03.2016 / 05:21

1 answer

2

As I understand it, your class has no magic method, nor any other method, that sets the value of the sql variable.

See, your executar method depends on this variable:

//...
$query = mysql_query($this->sql) or die ($this->mensagem(mysql_error()));

You must either define this variable in your class or pass the query to be processed to the executar method as a parameter:

class servidor 
{
    //...

    function executar($sql){
        $query = mysql_query($sql) or die ($this->mensagem(mysql_error()));
        return $query;
    }
}

Now just pass the query as a parameter:

//...

include('servidor.php');
$connect = new servidor();
$connect->conectar();
$connect->selecionarDB();

$pesquisa = $_REQUEST["pesquisa"];
$resultado = $connect->executar("SELECT * FROM produtos where id =  $pesquisa");

Notes:

Your system is vulnerable to SQL injection: the pesquisa variable is inserted into the query without any processing, which makes the attack easy.

Another negative point is that although the system uses classes, that does not mean it is object oriented. For example, if the project switched from MySQL to SQL Server, your entire class would have to be redone, some queries would probably stop working, and parts of your application would have to be rewritten to support the new database.

Look into design patterns, keeping in mind from the start that a pattern is not ready-made code for a specific situation, but rather a model for solving a specific problem.

The database is an external service that is consumed by your application, so it should not be dependent on a specific database.

In your case, the Adapter pattern would help your application decouple from the database without having to change its implementation. It is like a plug adapter, which lets a device built for one socket standard use a power source that follows another: when you buy a device with a different plug shape, you do not need to break open your wall and do a new installation just for that device.

    
14.03.2016 / 13:18
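The answer above makes two points: pass the query into executar as a parameter, but never by concatenating user input, and hide the concrete database behind an adapter. The following is an added example that is not part of the question or the answer; it puts both points together in PHP (7.4 or later) using PDO, which already speaks MySQL, SQLite and SQL Server. The names BancoAdapter, PdoAdapter, buscarProduto and buscarProdutoInseguro are assumptions, and the product rows are constructed sample data loaded into an in-memory SQLite database so the script runs offline.

```php
<?php
// Added example, not code from the original question or answer.
// Assumed names: BancoAdapter, PdoAdapter, buscarProduto, buscarProdutoInseguro.
// Uses an in-memory SQLite database through PDO so it runs offline; for MySQL
// the DSN would be "mysql:host=localhost;dbname=banco" plus user and password.
declare(strict_types=1);

// The application depends on this interface only (Adapter pattern).
interface BancoAdapter
{
    /** Run a query that returns rows (SELECT), with bound parameters. */
    public function consultar(string $sql, array $params = []): array;

    /** Run a statement that returns no rows (DDL, INSERT, UPDATE, DELETE). */
    public function executar(string $sql, array $params = []): int;
}

// One adapter per backend; swapping the database means swapping this class.
final class PdoAdapter implements BancoAdapter
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $usuario = null, ?string $senha = null)
    {
        $this->pdo = new PDO($dsn, $usuario, $senha, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of die()
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    public function consultar(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll();
    }

    public function executar(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// What the question's code does: the search text is pasted into the SQL.
function buscarProdutoInseguro(BancoAdapter $db, string $pesquisa): array
{
    return $db->consultar('SELECT * FROM produtos WHERE id = ' . $pesquisa);
}

// Hardened version: validate the type, then bind the value as a parameter
// so the database never parses it as SQL.
function buscarProduto(BancoAdapter $db, string $pesquisa): ?array
{
    if (filter_var($pesquisa, FILTER_VALIDATE_INT) === false) {
        return null; // id is numeric; anything else is rejected before reaching the DB
    }
    $rows = $db->consultar(
        'SELECT * FROM produtos WHERE id = :id',
        [':id' => (int) $pesquisa]
    );
    return $rows[0] ?? null;
}

// Constructed sample data so the script runs without a MySQL server.
$db = new PdoAdapter('sqlite::memory:');
$db->executar('CREATE TABLE produtos (id INTEGER PRIMARY KEY, nome TEXT)');
$db->executar("INSERT INTO produtos (id, nome) VALUES (1, 'Teclado'), (2, 'Mouse'), (3, 'Monitor')");

$entradaNormal = '2';
$entradaHostil = '2 OR 1=1'; // what an attacker types into the "pesquisa" box

foreach ([$entradaNormal, $entradaHostil] as $pesquisa) {
    $inseguro = buscarProdutoInseguro($db, $pesquisa);
    $seguro   = buscarProduto($db, $pesquisa);
    echo "pesquisa '$pesquisa': inseguro devolve ", count($inseguro), " linha(s); ",
         "seguro devolve ", $seguro === null ? 'nenhum produto' : $seguro['nome'], "\n";
}
```

With the normal input both functions find the single product with id 2. With the hostile input the concatenated query becomes `WHERE id = 2 OR 1=1`, so the insecure version returns all three rows, while the hardened version refuses the input before it reaches the database; even if the integer check were dropped, the bound parameter would be sent as a value and the query would simply match nothing. Client code written against BancoAdapter does not change when PdoAdapter is pointed at MySQL instead of SQLite, which is the decoupling the answer describes.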