<?php
// Open the connection with the mysqli extension.
$connection = mysqli_connect("localhost", "user", "pw", "user_db");
if (!$connection)
{
    // mysqli_connect_error() is the mysqli counterpart of the old mysql_error();
    // stop here instead of running a query against a failed connection.
    echo "Could not connect to the database: " . mysqli_connect_error();
    exit;
}
// Fetch every article, newest first.
$getData = mysqli_query($connection, "SELECT * FROM `Articles` ORDER BY ArticleID DESC;");
while ($getDataFetch = mysqli_fetch_array($getData))
{
    // First 250 characters of the content with HTML tags removed, used as the teaser.
    $shortened = strip_tags(substr($getDataFetch['ArticleContent'], 0, 250));
    echo "<div>
<header>
<a href=\"/blog/" . $getDataFetch['ArticleURL'] . "\">" . $getDataFetch['ArticleTitle'] . "</a>
</header>" . $shortened . "..." . $getDataFetch['ArticleDate'] . "</div>";
}
mysqli_close($connection);
?>
Redesigning my website and also implementing security (even though I’m the only one with access.)
I tried converting this to mysqli and surprisingly it worked on the first attempt. How do I go about making this secure? What functions should I do where? I’m a noobie at security.
Since you are not receiving user input for your query, SQL Injection is out of the question. If you ever implement paging, then you’ll want to gravitate to prepared statements.
Edit:
Should clarify a few things, how does your data get inputted into the database? Do other users get to submit data? If so, you probably want to utilize htmlentities for anything that does not need to have HTML parsed (title, author, date, etc). As for the article content, if it needs to parse HTML you may want to look at strip_tags and whitelist the HTML you want to support.
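As an added example (not code from the original poster or from this answer), here is what the listing looks like once paging is added the way the answer describes: the page number is user input, so it is validated and bound through a prepared statement rather than concatenated into the SQL, and every value read back from the database is escaped before it is printed. It assumes the same table and columns as the posted code (`Articles`, `ArticleID`, `ArticleTitle`, `ArticleURL`, `ArticleContent`, `ArticleDate`), the same credentials, a hypothetical `page` query parameter, and that the mysqlnd driver and the mbstring extension are available.

```php
<?php
// Added example, not the original poster's code: paginated article listing with a
// prepared statement for LIMIT/OFFSET and output escaping for every database field.
// Assumptions: same Articles table/columns as the thread, same credentials,
// a hypothetical ?page=N query parameter, mysqlnd (for mysqli_stmt_get_result)
// and mbstring (for mb_substr) installed.

// Throw exceptions on mysqli errors instead of silently carrying on with a bad handle.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = mysqli_connect("localhost", "user", "pw", "user_db");
// Keep the connection charset in agreement with the escaping done below.
mysqli_set_charset($connection, "utf8mb4");

const ARTICLES_PER_PAGE = 10;

// The page number is user input: validate it as a positive integer (default 1)
// and compute the offset. Neither value is ever interpolated into the SQL string.
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
    ['options' => ['default' => 1, 'min_range' => 1]]);
$offset = ($page - 1) * ARTICLES_PER_PAGE;
$limit = ARTICLES_PER_PAGE;

// Prepared statement: the placeholders are bound as integers by the driver.
$stmt = mysqli_prepare($connection,
    "SELECT ArticleTitle, ArticleURL, ArticleContent, ArticleDate
       FROM `Articles` ORDER BY ArticleID DESC LIMIT ? OFFSET ?");
mysqli_stmt_bind_param($stmt, "ii", $limit, $offset);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

// Escape helper for fields that should never be parsed as HTML (title, slug, date).
// Anything coming out of the database is treated as untrusted at render time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Teaser for the content field: strip everything except a small allowlist of tags,
// then shorten. Stripping before cutting avoids leaving half an open tag behind.
// Caveat: strip_tags keeps attributes on allowed tags, so for HTML submitted by
// other people a real HTML sanitizer is the safer choice.
function excerpt(string $html, int $length = 250): string
{
    $allowedTags = '<p><b><i><em><strong>';
    $clean = strip_tags($html, $allowedTags);
    return mb_substr($clean, 0, $length);
}

while ($row = mysqli_fetch_assoc($result)) {
    // Encode the slug as a URL path segment, then HTML-escape it for the attribute.
    $slug = rawurlencode($row['ArticleURL']);
    echo "<div>\n<header>\n"
        . "<a href=\"/blog/" . h($slug) . "\">" . h($row['ArticleTitle']) . "</a>\n"
        . "</header>" . excerpt($row['ArticleContent']) . "..."
        . h($row['ArticleDate']) . "</div>\n";
}

mysqli_stmt_close($stmt);
mysqli_close($connection);
?>
```

The two halves address the two points raised in the answer: the prepared statement covers the SQL side once paging introduces user-controlled values, and `h()` plus the allowlisted `strip_tags` cover the output side, so tainted rows in the table cannot turn into script in the page.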
So the only area I’ll need to implement security is my admin control panel where I submit articles? Gotcha - thanks. Pagination will be coming within a month or two. I’m at 7 articles now. Once I hit 11, then pagination will take effect and I’ll need that coded.
Just added a bit more clarification to my original post (as I’d hate to mislead you). As there are other vulnerabilities than SQL Injection, you could have XSS attacks if the data in your database is tainted.
The only interaction allowed in my database is through my panel. To even get there, you need to get through two passwords (both I need to get to - the site design isn’t done still.)
I’ll keep your comments in mind. Off topic, but do you have a good article handy about uploading images to databases? I am modifying my articles database to add a field for images (it will hold 1 image per article) and so far this is the best article I’ve found.