sql sanitizing
This commit is contained in:
parent
04c9776a65
commit
543b9aafef
5 changed files with 92 additions and 2013 deletions
|
@ -1,7 +1,6 @@
|
|||
<script src="/bin/recipe.js" charset="utf-8"></script>
|
||||
<?php
|
||||
include $_SESSION["docroot"].'/php/classes.recipe.php';
|
||||
include $_SESSION["docroot"].'/php/classes.parsedown.php';
|
||||
$book = new cookbook;
|
||||
$book->getRecipe($_GET["number"]);
|
||||
$recipe = $book->sites[0];
|
||||
|
|
|
@ -13,7 +13,10 @@
|
|||
$token = "-1";
|
||||
}
|
||||
|
||||
$result = $mysqli->query('SELECT * FROM `sessions` WHERE `session_id` = \''.$token.'\';');
|
||||
$selectQuery = $mysqli->prepare('SELECT * FROM `sessions` WHERE `session_id` = ?;');
|
||||
$selectQuery->bind_param("s", $token);
|
||||
$selectQuery->execute();
|
||||
$result = $selectQuery->get_result();
|
||||
|
||||
if(($result->num_rows) == 0 && (!(in_array("site", array_keys($_GET))) || $_GET["site"]!="login"))
|
||||
{
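Review bot: The session lookup does not check the value returned by `$mysqli->prepare()`; it is `false` when the statement cannot be prepared (lost connection, missing table), and the following `$selectQuery->bind_param(...)` on `false` then aborts the request with an uncaught Error, so the login gate below fails closed only by crashing rather than by a deliberate decision. Consider testing the result and treating a failed prepare as "no session", e.g. `if ($selectQuery === false) { $token = "-1"; }` before binding, or enabling exceptions once at connection time with `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` and catching `mysqli_sql_exception` at this gate. The same unchecked `prepare()` pattern appears in every other hunk of this commit. The `if` body that opens on the last hunk line continues outside the hunk.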
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
function shopping(){
|
||||
include $_SESSION["docroot"].'/config/config.php';
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$result = $mysqli->query("SELECT * FROM `ViewEinkauf` ORDER BY `ViewEinkauf`.`Name` ASC");
|
||||
$result = $mysqli->query("SELECT * FROM `ViewEinkauf` ORDER BY `ViewEinkauf`.`Name` ASC;");
|
||||
while($item = $result->fetch_assoc()){
|
||||
$this->addItem($item["ID"], $item["Anzahl"], $item["Einheit"], $item["Name"], $item["Erledigt"]);
|
||||
}
|
||||
|
@ -30,15 +30,15 @@
|
|||
include $_SESSION["docroot"].'/config/config.php';
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
if(!is_int($einheit)){
|
||||
$unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
|
||||
$unit_query->bind_param("s", $einheit);
|
||||
$unit_query->execute();
|
||||
$result = $unit_query->get_result();
|
||||
$selectQuery = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?;");
|
||||
$selectQuery->bind_param("s", $einheit);
|
||||
$selectQuery->execute();
|
||||
$result = $selectQuery->get_result();
|
||||
while($row = $result->fetch_assoc()){
|
||||
$einheit = $row["ID"];
|
||||
}
|
||||
}
|
||||
$insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
|
||||
$insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0);");
|
||||
$insertQuery->bind_param("sss", $anzahl, $einheit, $name);
|
||||
$result = $insertQuery->execute();
|
||||
$mysqli->close();
|
||||
|
@ -53,14 +53,14 @@
|
|||
function removeChecked(){
|
||||
include $_SESSION["docroot"].'/config/config.php';
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$mysqli->query("DELETE FROM `Einkauf` WHERE `Erledigt`=1");
|
||||
$mysqli->query("DELETE FROM `Einkauf` WHERE `Erledigt`=1;");
|
||||
$mysqli->close();
|
||||
}
|
||||
|
||||
function check($id, $status){
|
||||
include $_SESSION["docroot"].'/config/config.php';
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$updateQuery = $mysqli->prepare("UPDATE `Einkauf` SET `Erledigt` = $status WHERE `Einkauf`.`ID` = ?");
|
||||
$updateQuery = $mysqli->prepare("UPDATE `Einkauf` SET `Erledigt` = $status WHERE `Einkauf`.`ID` = ?;");
|
||||
$updateQuery->bind_param("s", $id);
|
||||
$updateQuery->execute();
|
||||
$mysqli->close();
|
||||
|
@ -94,7 +94,7 @@
|
|||
function units(){
|
||||
include $_SESSION["docroot"].'/config/config.php';
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$result = $mysqli->query("SELECT * FROM `Einheit`");
|
||||
$result = $mysqli->query("SELECT * FROM `Einheit`;");
|
||||
while($item = $result->fetch_assoc()){
|
||||
$this->addItem($item["ID"], $item["Name"], $item["Standard"]);
|
||||
}
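Review bot: `check()` in the -53 hunk still interpolates `$status` into the UPDATE text (`SET \`Erledigt\` = $status`), so that parameter is not covered by this sanitizing pass; if it originates from the request it remains an injection vector. Replace `$status` in the statement text with a `?` placeholder and bind both values, `$updateQuery->bind_param("is", $status, $id);`, the same way `$id` is already bound on the following line. The closing brace of `check()` lies outside the hunk.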
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
}
|
||||
function unitList(){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$result = $mysqli->query("SELECT * FROM `Einheit`");
|
||||
$result = $mysqli->query("SELECT * FROM `Einheit`;");
|
||||
while($item = $result->fetch_assoc()){
|
||||
$this->addItem($item["ID"], $item["Name"], $item["Standard"]);
|
||||
}
|
||||
|
@ -22,7 +22,10 @@
|
|||
}
|
||||
function getID($Name){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$result = $mysqli->query("SELECT `ID` FROM `Einheit` WHERE `Name` = '$Name'");
|
||||
$selectQuery = $mysqli->prepare("SELECT `ID` FROM `Einheit` WHERE `Name` = ?;");
|
||||
$selectQuery->bind_param("s", "$Name");
|
||||
$selectQuery->execute();
|
||||
$result = $selectQuery->get_result();
|
||||
$ID = $result->fetch_assoc();
|
||||
return $ID["ID"];
|
||||
}
|
||||
|
@ -57,16 +60,28 @@
|
|||
public $sites = array();
|
||||
function getRecipe($ID){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$recipes = $mysqli->query("SELECT * FROM `Rezept` WHERE `ID` = $ID ORDER BY Name ASC");
|
||||
$selectQuery = $mysqli->prepare("SELECT * FROM `Rezept` WHERE `ID` = ? ORDER BY Name ASC;");
|
||||
$selectQuery->bind_param("s", $ID);
|
||||
$selectQuery->execute();
|
||||
$recipes = $selectQuery->get_result();
|
||||
while($recipe = $recipes->fetch_assoc()){
|
||||
$current = new recipe($RID = $recipe["ID"], $RName = $recipe["Name"], $RDuration = $recipe["Dauer"], $RDescription = $recipe["Beschreibung"]);
|
||||
$recepieIngredients = $mysqli->query("SELECT * FROM `RezeptZutat` WHERE `Rezept` = $RID");
|
||||
$selectIngredientsQuery = $mysqli->prepare("SELECT * FROM `RezeptZutat` WHERE `Rezept` = ?;");
|
||||
$selectIngredientsQuery->bind_param("s", $RID);
|
||||
$selectIngredientsQuery->execute();
|
||||
$recepieIngredients = $selectIngredientsQuery->get_result();
|
||||
while($recepieIngredient = $recepieIngredients->fetch_assoc()){
|
||||
$IID = $recepieIngredient["Zutat"];
|
||||
$IAmount = $recepieIngredient["Menge"];
|
||||
$units = $mysqli->query("SELECT `Name` FROM `Einheit` WHERE `ID` = ".$recepieIngredient["Einheit"]);
|
||||
$selectUnitQuery = $mysqli->prepare("SELECT `Name` FROM `Einheit` WHERE `ID` = ?;");
|
||||
$selectUnitQuery->bind_param("s", $recepieIngredient["Einheit"]);
|
||||
$selectUnitQuery->execute();
|
||||
$units = $selectUnitQuery->get_result();
|
||||
while($unit = $units->fetch_assoc()){$IUnit = $unit["Name"];}
|
||||
$names = $mysqli->query("SELECT `Name` FROM `Zutat` WHERE `ID` = ".$recepieIngredient["Zutat"]);
|
||||
$selectNamesQuery = $mysqli->prepare("SELECT `Name` FROM `Zutat` WHERE `ID` = ?;");
|
||||
$selectNamesQuery->bind_param("s", $recepieIngredient["Zutat"]);
|
||||
$selectNamesQuery->execute();
|
||||
$names = $selectNamesQuery->get_result();
|
||||
while($name = $names->fetch_assoc()){$IName = $name["Name"];}
|
||||
$current->addIngredient($IID, $IAmount, $IUnit, $IName);
|
||||
}
|
||||
|
@ -80,13 +95,22 @@
|
|||
$recipes = $mysqli->query("SELECT * FROM `Rezept` ORDER BY Name ASC");
|
||||
while($recipe = $recipes->fetch_assoc()){
|
||||
$current = new recipe($RID = $recipe["ID"], $RName = $recipe["Name"], $RDuration = $recipe["Dauer"], $RDescription = $recipe["Beschreibung"]);
|
||||
$recepieIngredients = $mysqli->query("SELECT * FROM `RezeptZutat` WHERE `Rezept` = $RID");
|
||||
$selectIngredientsQuery = $mysqli->prepare("SELECT * FROM `RezeptZutat` WHERE `Rezept` = ?;");
|
||||
$selectIngredientsQuery->bind_param("s", $RID);
|
||||
$selectIngredientsQuery->execute();
|
||||
$recepieIngredients = $selectIngredientsQuery->get_result();
|
||||
while($recepieIngredient = $recepieIngredients->fetch_assoc()){
|
||||
$IID = $recepieIngredient["Zutat"];
|
||||
$IAmount = $recepieIngredient["Menge"];
|
||||
$units = $mysqli->query("SELECT `Name` FROM `Einheit` WHERE `ID` = ".$recepieIngredient["Einheit"]);
|
||||
$selectUnitQuery = $mysqli->prepare("SELECT `Name` FROM `Einheit` WHERE `ID` = ?;");
|
||||
$selectUnitQuery->bind_param("s", $recepieIngredient["Einheit"]);
|
||||
$selectUnitQuery->execute();
|
||||
$units = $selectUnitQuery->get_result();
|
||||
while($unit = $units->fetch_assoc()){$IUnit = $unit["Name"];}
|
||||
$names = $mysqli->query("SELECT `Name` FROM `Zutat` WHERE `ID` = ".$recepieIngredient["Zutat"]);
|
||||
$selectNamesQuery = $mysqli->prepare("SELECT `Name` FROM `Zutat` WHERE `ID` = ?;");
|
||||
$selectNamesQuery->bind_param("s", $recepieIngredient["Zutat"]);
|
||||
$selectNamesQuery->execute();
|
||||
$names = $selectNamesQuery->get_result();
|
||||
while($name = $names->fetch_assoc()){$IName = $name["Name"];}
|
||||
$current->addIngredient($IID, $IAmount, $IUnit, $IName);
|
||||
}
|
||||
|
@ -103,7 +127,10 @@
|
|||
$import = json_decode($_POST["content"]);
|
||||
if($import->sites!=null){
|
||||
foreach ($import->sites as $site) {
|
||||
$result = $mysqli->query("SELECT * FROM `Rezept` WHERE `Name`='$site->Name'");
|
||||
$selectQuery = $mysqli->prepare("SELECT * FROM `Rezept` WHERE `Name`=?;");
|
||||
$selectQuery->bind_param("s", $site->Name);
|
||||
$selectQuery->execute();
|
||||
$result = $selectQuery->get_result();
|
||||
if($result->num_rows>0){
|
||||
array_push($failed_sites, $site);
|
||||
}
|
||||
|
@ -132,53 +159,83 @@
|
|||
|
||||
function newRecipe($Name, $Dauer, $Beschreibung, $Zutaten){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$mysqli->query("INSERT INTO `Rezept` (`Name`, `Dauer`, `Beschreibung`) VALUES ('$Name', '$Dauer', '$Beschreibung')");
|
||||
$insertQuery = $mysqli->prepare("INSERT INTO `Rezept` (`Name`, `Dauer`, `Beschreibung`) VALUES (?, ?, ?);");
|
||||
$insertQuery->bind_param("sss", $Name, $Dauer, $Beschreibung);
|
||||
$insertQuery->execute();
|
||||
$RezeptID = $mysqli->insert_id;
|
||||
foreach ($Zutaten as $Zutat) {
|
||||
$ZutatID = null;
|
||||
$result = $mysqli->query("SELECT ID FROM `Zutat` WHERE `Name` LIKE '".$Zutat["Name"]."'");
|
||||
$selectIngredientsQuery = $mysqli->prepare("SELECT ID FROM `Zutat` WHERE `Name` LIKE ?;");
|
||||
$selectIngredientsQuery->bind_param("s", $Zutat["Name"]);
|
||||
$selectIngredientsQuery->execute();
|
||||
$result = $selectIngredientsQuery->get_result();
|
||||
if($result->num_rows>0){
|
||||
$item = $result->fetch_assoc();
|
||||
$ZutatID = $item["ID"];
|
||||
}
|
||||
else{
|
||||
$mysqli->query("INSERT INTO `Zutat` (`Name`) VALUES ('".ucwords($Zutat["Name"])."')");
|
||||
$UppercaseName = ucwords($Zutat["Name"]);
|
||||
$insertIngredientsQuery = $mysqli->prepare("INSERT INTO `Zutat` (`Name`) VALUES (?);");
|
||||
$insertIngredientsQuery->bind_param("s", $UppercaseName);
|
||||
$insertIngredientsQuery->execute();
|
||||
$ZutatID = $mysqli->insert_id;
|
||||
}
|
||||
$mysqli->query("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES ('{$RezeptID}','{$Zutat["Amount"]}','{$Zutat["Unit"]}','{$ZutatID}');");
|
||||
$inserRecipeQuery = $mysqli->prepare("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES (?,?,?,?);");
|
||||
$inserRecipeQuery->bind_param("ssss", $RezeptID, $Zutat["Amount"], $Zutat["Unit"], $ZutatID);
|
||||
$inserRecipeQuery->execute();
|
||||
}
|
||||
$mysqli->close();
|
||||
}
|
||||
|
||||
function updateRecipe($ID, $Name, $Dauer, $Beschreibung, $Zutaten){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$mysqli->query("UPDATE `Rezept` SET `Name` = '$Name', `Dauer` = '$Dauer', `Beschreibung` = '$Beschreibung' WHERE `Rezept`.`ID` = $ID;");
|
||||
$mysqli->query("DELETE FROM RezeptZutat WHERE Rezept = $ID");
|
||||
$updateQuery = $mysqli->prepare("UPDATE `Rezept` SET `Name` = ?, `Dauer` = ?, `Beschreibung` = ? WHERE `Rezept`.`ID` = ?;");
|
||||
$updateQuery->bind_param("ssss", $Name, $Dauer, $Beschreibung, $ID);
|
||||
$updateQuery->execute();
|
||||
$deleteQuery = $mysqli->prepare("DELETE FROM RezeptZutat WHERE Rezept = ?;");
|
||||
$deleteQuery->bind_param("s", $ID);
|
||||
$deleteQuery->execute();
|
||||
foreach ($Zutaten as $Zutat) {
|
||||
$ZutatID = null;
|
||||
$result = $mysqli->query("SELECT ID FROM `Zutat` WHERE `Name` LIKE '".$Zutat["Name"]."'");
|
||||
$selectIngredientsQuery = $mysqli->prepare("SELECT ID FROM `Zutat` WHERE `Name` LIKE ?;");
|
||||
$selectIngredientsQuery->bind_param("s", $Zutat["Name"]);
|
||||
$selectIngredientsQuery->execute();
|
||||
$result = $selectIngredientsQuery->get_result();
|
||||
if($result->num_rows>0){
|
||||
while($item = $result->fetch_assoc()){ $ZutatID = $item["ID"];}
|
||||
}
|
||||
else{
|
||||
$mysqli->query("INSERT INTO `Zutat` (`Name`) VALUES ('".ucwords($Zutat["Name"])."')");
|
||||
$uppercaseName = ucwords($Zutat["Name"]);
|
||||
$insertIngredientsQuery = $mysqli->prepare("INSERT INTO `Zutat` (`Name`) VALUES (?);");
|
||||
$insertIngredientsQuery->bind_param("s", $uppercaseName);
|
||||
$insertIngredientsQuery->execute();
|
||||
$ZutatID = $mysqli->insert_id;
|
||||
}
|
||||
$mysqli->query("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES ('{$ID}','{$Zutat["Amount"]}','{$Zutat["Unit"]}','{$ZutatID}');");
|
||||
$insertRecipeIngredientsQuery = $mysqli->prepare("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES (?,?,?,?);");
|
||||
$insertRecipeIngredientsQuery->bind_param("ssss", $ID, $Zutat["Amount"], $Zutat["Unit"], $ZutatID);
|
||||
$insertRecipeIngredientsQuery->execute();
|
||||
}
|
||||
}
|
||||
|
||||
function removeRecipe($ID){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$mysqli->query("DELETE FROM `RezeptZutat` WHERE `Rezept`=$ID");
|
||||
$mysqli->query("DELETE FROM Rezept WHERE ID=$ID");
|
||||
$deleteQuery = $mysqli->prepare("DELETE FROM `RezeptZutat` WHERE `Rezept`=?;");
|
||||
$deleteQuery->bind_param("s", $ID);
|
||||
$deleteQuery->execute();
|
||||
$deleteQuery = $mysqli->prepare("DELETE FROM Rezept WHERE ID=?;");
|
||||
$deleteQuery->bind_param("s", $ID);
|
||||
$deleteQuery->execute();
|
||||
$mysqli->close();
|
||||
}
|
||||
|
||||
function getAllIngredientsContaining($q){
|
||||
include $_SESSION["docroot"].'/php/connect.php';
|
||||
$values = array();
|
||||
$result = $mysqli->query("SELECT Name FROM Zutat WHERE Name LIKE '%$q%' ORDER BY Name ASC");
|
||||
$filterValue = "%$q%";
|
||||
$selectQuery = $mysqli->prepare("SELECT Name FROM Zutat WHERE Name LIKE ? ORDER BY Name ASC");
|
||||
$selectQuery->bind_param("s", $filterValue);
|
||||
$selectQuery->execute();
|
||||
$result = $selectQuery->get_result();
|
||||
while($item = $result->fetch_assoc()){
|
||||
array_push($values, $item["Name"]);
|
||||
}
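Review bot: `getID()` in the -22 hunk passes the interpolated string `"$Name"` to `bind_param()`, whose value arguments are taken by reference; PHP rejects a non-variable there as a fatal Error, so this function now fails on every call. It should bind the variable itself: `$selectQuery->bind_param("s", $Name);`. Separately, the ingredient lookups in `newRecipe()` and `updateRecipe()` keep `LIKE ?` for what is an exact-name existence check, so `%` and `_` in a submitted name still act as wildcards and can match a different existing ingredient; `WHERE \`Name\` = ?` matches the intent. `getAllIngredientsContaining()` continues past the end of the hunk.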
|
||||
|
|