
I read a lot about MySQL security and PHP script security and was just wondering if this would suit to prevent intrusions. I made the scripts config.php and register.php, which are stored in a folder that is above the root folder (for example ../project/script/ and ../project/www/).

register.php looks like this:

<?php

// db_config.php is assumed to define $host, $username and $password for the
// MySQL admin account used below (it is not shown in the question).
require_once 'db_config.php';

// Values taken straight from the query string; they are interpolated into SQL
// below without validation or binding (see the comments on this question).
$user = $_GET['username'];
$pass = $_GET['password'];
$db   = $_GET['company'];

try {
    // Connect to the server without selecting a database
    $dbh = new PDO("mysql:host=$host", $username, $password);

    // Check whether the database already exists
    $stmt = $dbh->query("SELECT COUNT(*) FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$db'");
    if ($stmt->fetchColumn() == 1) {
        //some code
    } else {
        // Create the database and a user limited to it, as one multi-statement string
        $dbh->exec("CREATE DATABASE `$db`;
                    CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
                    GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `$db`.* TO '$user'@'localhost';
                    FLUSH PRIVILEGES;") or die(print_r($dbh->errorInfo(), true));
        echo 'DB created';
    }
} catch (PDOException $e) {
    die("DB ERROR: " . $e->getMessage());
}
?>

and test.php looks like this:

<?php
include ('../scripts/db_connect.php');
include ('../scripts/register.php');
?>

My question would be: is this good coding practice, will it be secure from someone messing up my database, and what in general do you have to point out to have better-looking code? Also, any materials on how code should look so others can read it, and on PHP/SQL safety, would be appreciated.

  • I'm voting to close this question as off-topic because it belongs on codereview.stackexchange.com – e4c5 Sep 30 '16 at 13:08
  • it is open to an SQL injection; use a prepared statement – Funk Forty Niner Sep 30 '16 at 13:09
  • You might also want to reconsider this `$pass=$_GET['password'];` you're URL-passing the password which would virtually negate the whole purpose of putting the thing under HTTPS - which it should be with any login script. – CD001 Sep 30 '16 at 13:14
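The two problems the comments point out (string-interpolated SQL and the password in the query string) can be addressed together. The following is an added hardened rewrite of register.php, not the asker's code; it assumes db_config.php defines `$host`, `$username` and `$password` for the admin account, as the original does. Database and account names are identifiers, which cannot be bound as prepared-statement parameters, so they are validated against a strict pattern instead; the password is bound where the driver allows it or escaped with `PDO::quote()`.

```php
<?php
// Added hardening example (not the asker's code). Assumes db_config.php defines
// $host, $username and $password for an admin account, as register.php does.
require_once 'db_config.php';

// Identifiers (database and account names) cannot be bound as prepared-statement
// parameters, so they are validated against a strict allow-list pattern instead.
function validIdentifier(string $s): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,32}$/', $s);
}

// Read credentials from the POST body rather than the query string, so they do
// not end up in server logs, browser history or Referer headers.
$db   = $_POST['company']  ?? '';
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (!validIdentifier($db) || !validIdentifier($user) || strlen($pass) < 12) {
    http_response_code(400);
    exit('invalid input');
}

try {
    $dbh = new PDO("mysql:host=$host", $username, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // no silent failures, no "or die"
    ]);

    // Existence check as a prepared statement: $db is bound, never interpolated.
    $stmt = $dbh->prepare('SELECT COUNT(*) FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = ?');
    $stmt->execute([$db]);
    if ((int) $stmt->fetchColumn() === 1) {
        exit('DB already exists');
    }

    // One statement per exec() call; identifiers are validated and backtick-quoted,
    // the password string is escaped with PDO::quote(). FLUSH PRIVILEGES is not
    // needed after CREATE USER / GRANT, which take effect immediately.
    $qPass = $dbh->quote($pass);
    $dbh->exec("CREATE DATABASE `$db`");
    $dbh->exec("CREATE USER '$user'@'localhost' IDENTIFIED BY $qPass");
    $dbh->exec("GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `$db`.* TO '$user'@'localhost'");
    echo 'DB created';
} catch (PDOException $e) {
    // Log the detail server-side; do not echo driver messages to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('DB error');
}
```

The admin account in db_config.php must hold CREATE USER and GRANT privileges, which makes that file the most sensitive part of the setup; keeping it outside the web root, as the question already does, is the right call.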

0 Answers