adoralaura/shopping-list
1
0
Fork 0
mirror of https://github.com/tim-krehan/shopping-list.git synced 2024-11-23 22:30:41 +01:00
Code Issues Projects Releases Packages Wiki Activity

sql inject for add listitem

Browse source
This commit is contained in:
Tim Krehan 2019-05-22 08:42:36 +02:00
parent eacd172218
commit 8515304423
1 changed files with 4 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
php/classes.list.php
View file

@ -30,23 +30,17 @@
include $_SESSION["docroot"].'/config/config.php';
include $_SESSION["docroot"].'/php/connect.php';
if(!is_int($einheit)){
$unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
// $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit");
// $unit_query->bind_param(":einheit", $einheit);
$result = $mysqli->query($unit_query);
$unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
$unit_query->bind_param("s", $einheit);
$unit_query->execute();
$result = $unit_query->get_result();
while($row = $result->fetch_assoc()){
$einheit = $row["ID"];
}
}
// $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
$insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
$insertQuery->bind_param("sss", $anzahl, $einheit, $name);
$result = $insertQuery->execute();
var_dump($result);
// $insertQuery->bind_param(":einheit", $einheit);
// $insertQuery->bind_param(":itemname", $name);
// $insertQuery->execute();
// $mysqli->query($insertQuery);
$mysqli->close();
}