How to do a search in an app using AngularJS with parameter passing correctly, when I speak correctly I mean to avoid SQL Injection.
For example; the var parameters = "joao"; parameter in the query below.
self.searchAll = function(nameSearch){
var parameters = "joao";
return DBA.query('SELECT id, name FROM users WHERE name ?', parameters)
.then(function(result){
return DBA.getAll(result);
});
}
It is not safe and it is much less advisable to leave the query exposed in this way.
I advise you to work with RESTful . If you work with PHP, you can use microframework for this. I use and quite like Slim Framework .
In my projects, I usually follow this structure:
In the example below, I make a Controller (user.controller.js), which sends the request to a Service (service.js), which in turn returns the data that was requested to the application backend (/ app / users /index.php).
# usuario.controller.js
...
angular.controller('UsuarioCtrl', Usuario);
...
function Usuario($scope,$stateParams,api) {
api.getUsuario($stateParams.id).success(function(data){
$scope.usuario = data.usuario;
});
}
...
# service.js
...
angular.service('api', Api);
...
function Api($http,$rootScope) {
this.getUsuario = function (id) {
return $http.get("/app/api/usuarios/"+ id) || [];
};
}
...
# /app/usuarios/index.php
...
function getUsuario($id){
$sql = "
SELECT id,nome,email
FROM usuarios
WHERE id = :id
";
try {
$con = getConnection();
$stmt = $con->prepare($sql);
$stmt->execute(array('id' => $id));
$usuario = $stmt->fetchAll(PDO::FETCH_OBJ);
echo json_encode(array("usuario"=>$usuario[0]));
} catch (Exception $e) {
echo '{"error":"' . $e->getMessage() . '"}';
}
}
...