Ruud makes some good points in his post.
To further enhance the security of your code, as well as to make it easier for you to write, you should try and use Contao's default behaviour and libraries wherever you can.
Your code has some big security holes. Using SQL injection, somebody could delete your entire database! For example, if we look at your code:
Code:
$sql="select * from tl_member where id=".$_GET['id'];
This is very bad practice for a few reasons:
- You aren't escaping the input
- You aren't checking that the ID actually contains an ID
- You're inserting user-provided values directly into your SQL code
- You're not 'preparing' the SQL
Here's a much safer version of your code:
Code:
// Clean up the input using Contao's Input class
$id = Input::get('id');

// Make sure you are indeed getting an id, or at least a numeric value, using Contao's Validator class
if (Validator::isNumeric($id))
{
    // Use Contao's Database class and a prepared statement
    $objPartner = Database::getInstance()->prepare('SELECT * FROM tl_member WHERE partnerCategory=?')->execute($id);
}
The best way to improve your code is to use Contao's libraries wherever you can. It's difficult at first, when you don't know which libraries are available, but you can pick this up by looking at the code of Contao's core modules. If you're unsure, just ask on the forums.
I hope this helps!
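The injection the post warns about, shown end to end as an added example that is not part of the original post and does not use Contao's classes: the concatenated query from the first snippet and a validated, prepared query side by side, run against an in-memory SQLite table standing in for tl_member through PHP's PDO (assumes the pdo_sqlite extension is loaded; the table contents and the attacker value are constructed for the example). The point it makes is that cleaning the input on its own does not stop this; the numeric check plus the placeholder does.

```php
<?php
// Added example, not code from the original post or from Contao.
// Assumes the pdo_sqlite extension is available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for tl_member.
$db->exec('CREATE TABLE tl_member (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO tl_member (id, username, email) VALUES
           (1, 'alice', 'alice@example.com'),
           (2, 'bob',   'bob@example.com'),
           (3, 'carol', 'carol@example.com')");

// The pattern from the first snippet: the raw request value is glued into
// the SQL string, so whatever it contains becomes part of the statement.
function unsafeLookup(PDO $db, string $id): array
{
    $sql = "SELECT * FROM tl_member WHERE id=" . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: refuse anything that is not a plain unsigned integer,
// then pass the value through a placeholder so the database receives it
// as data and never parses it as SQL.
function safeLookup(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM tl_member WHERE id=?');
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, i.e. what $_GET['id'] holds after PHP has
// URL-decoded a request such as ?id=1%20OR%201%3D1
$payload = '1 OR 1=1';

printf("unsafe lookup, id=%s -> %d row(s)\n", $payload, count(unsafeLookup($db, $payload)));
printf("safe lookup,   id=%s -> %d row(s)\n", $payload, count(safeLookup($db, $payload)));
printf("safe lookup,   id=2 -> %d row(s)\n", count(safeLookup($db, '2')));
```

With the payload above the concatenated query becomes `SELECT * FROM tl_member WHERE id=1 OR 1=1`, so the unsafe lookup returns every member row rather than one, which is exactly how an attacker walks a table they were only supposed to see one record of; a payload that closes the statement and starts a `DELETE` or `DROP` works the same way on a driver that runs stacked statements. The hardened lookup rejects the payload before any SQL is built and still answers `id=2` normally. `ctype_digit` plays the role of the `Validator::isNumeric` check in the post and the `?` placeholder the role of Contao's `prepare()->execute()`.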