How to do a search in an app using AngularJS with parameter passing correctly?

0

How do I do a search in an app using AngularJS with parameter passing correctly? By correctly I mean avoiding SQL injection.

For example, the parameters variable (var parameters = "joao";) in the query below.

self.searchAll = function(nameSearch){
  var parameters = "joao";

  // '?' is a placeholder: the value is handed to the driver separately and
  // bound as data instead of being concatenated into the SQL text
  // (DBA is the app's own database wrapper)
  return DBA.query('SELECT id, name FROM users WHERE name = ?', parameters)
    .then(function(result){
      return DBA.getAll(result);
    });
}
    
asked by anonymous 26.08.2016 / 20:18

1 answer

1

It is not safe, and it is much less advisable, to leave the query exposed in this way.

I advise you to work with RESTful. If you work with PHP, you can use a microframework for this. I use and quite like Slim Framework.

In my projects, I usually follow this structure:

In the example below, I make a Controller (usuario.controller.js), which sends the request to a Service (service.js), which in turn returns the data that was requested from the application backend (/app/usuarios/index.php).

# usuario.controller.js
...
// 'app' is an assumed module name: controllers are registered on a module,
// not on the global angular object
angular.module('app').controller('UsuarioCtrl', Usuario);
...
function Usuario($scope, $stateParams, api) {

    // The id comes from the route and is only used to build the API URL;
    // the SQL itself lives on the server
    api.getUsuario($stateParams.id).then(function(response){
        $scope.usuario = response.data.usuario;
    });

}
...


# service.js
...
// 'app' is an assumed module name (same module as the controller)
angular.module('app').service('api', Api);
...
function Api($http, $rootScope) {

    this.getUsuario = function (id) {
        // $http.get returns a promise, so the old "|| []" fallback was dead code;
        // the id is URL-encoded so it cannot alter the request path
        return $http.get("/app/api/usuarios/" + encodeURIComponent(id));
    };
}
...


# /app/usuarios/index.php
...
function getUsuario($id){

    $sql = "
        SELECT id,nome,email
        FROM usuarios
        WHERE id = :id
    ";
    try {
        $con = getConnection();
        // Prepared statement: :id is bound as a value, never interpolated into $sql
        $stmt = $con->prepare($sql);
        $stmt->execute(array('id' => $id));
        // fetch() instead of fetchAll()[0]: avoids an undefined index when there is no row
        $usuario = $stmt->fetch(PDO::FETCH_OBJ);

        header('Content-Type: application/json');
        if ($usuario === false) {
            http_response_code(404);
            echo json_encode(array("error" => "user not found"));
            return;
        }
        echo json_encode(array("usuario" => $usuario));
    } catch (Exception $e) {
        // json_encode escapes the message; hand-built JSON would break on quotes in it
        http_response_code(500);
        echo json_encode(array("error" => $e->getMessage()));
    }
}
...
    
02.09.2016 / 18:20
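The question's searchAll() rewritten so the search term reaches the database only as a bound parameter, as an added example that is not code from the question or the answer. "DBA" in the question is the app's own SQLite wrapper; fakeDBA below is a constructed stand-in that mimics one property of a real driver: a bound value is compared as data, never parsed as SQL.

```javascript
// Added example, not code from the question or the answer. It rewrites the
// question's searchAll() so the search term reaches the database only as a
// bound parameter. "DBA" in the question is the app's own SQLite wrapper;
// fakeDBA below is a constructed stand-in that mimics one property of a real
// driver: a bound value is compared as data, never parsed as SQL.

// Constructed sample rows standing in for the users table.
const USERS = [
  { id: 1, name: 'joao' },
  { id: 2, name: 'maria' },
];

// Stand-in for DBA.query(sql, params) that understands only the statement
// shape used in the question.
const fakeDBA = {
  query(sql, params) {
    if (sql !== 'SELECT id, name FROM users WHERE name = ?') {
      throw new Error('unsupported SQL: ' + sql);
    }
    return USERS.filter((u) => u.name === params[0]);
  },
};

// Number of '?' placeholders in a statement.
function placeholderCount(sql) {
  return (sql.match(/\?/g) || []).length;
}

// Guard in front of the driver: every placeholder must have a parameter and
// vice versa, so a value cannot silently be concatenated into the SQL text.
function runQuery(dba, sql, params) {
  const n = placeholderCount(sql);
  if (n !== params.length) {
    throw new Error('expected ' + n + ' parameter(s), got ' + params.length);
  }
  return dba.query(sql, params);
}

// Corrected searchAll(): the SQL text is a constant, the name is a parameter.
function searchAll(dba, nameSearch) {
  return runQuery(dba, 'SELECT id, name FROM users WHERE name = ?', [String(nameSearch)]);
}

// Vulnerable pattern, for contrast only: the value becomes part of the SQL,
// so quotes inside it change the statement instead of being matched as text.
function buildUnsafeSql(nameSearch) {
  return "SELECT id, name FROM users WHERE name = '" + nameSearch + "'";
}
```

With a real driver the same separation holds: searchAll(DBA, input) sends the statement and the value over two different channels, so a quote in the input can only ever be part of the name being looked up.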