From 85153044230ee90495551b02b69ce2bd27114d8a Mon Sep 17 00:00:00 2001
From: Tim Krehan
Date: Wed, 22 May 2019 08:42:36 +0200
Subject: [PATCH] sql inject for add listitem
---
 php/classes.list.php | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/php/classes.list.php b/php/classes.list.php
index 226bd04..f2bd435 100644
--- a/php/classes.list.php
+++ b/php/classes.list.php
@@ -30,23 +30,17 @@
 include $_SESSION["docroot"].'/config/config.php';
 include $_SESSION["docroot"].'/php/connect.php';
 if(!is_int($einheit)){
- $unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
- // $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit");
- // $unit_query->bind_param(":einheit", $einheit);
- $result = $mysqli->query($unit_query);
+ $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
+ $unit_query->bind_param("s", $einheit);
+ $unit_query->execute();
+ $result = $unit_query->get_result();
 while($row = $result->fetch_assoc()){
 $einheit = $row["ID"];
 }
 }
- // $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
 $insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
 $insertQuery->bind_param("sss", $anzahl, $einheit, $name);
 $result = $insertQuery->execute();
- var_dump($result);
- // $insertQuery->bind_param(":einheit", $einheit);
- // $insertQuery->bind_param(":itemname", $name);
- // $insertQuery->execute();
- // $mysqli->query($insertQuery);
 $mysqli->close();
 }
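Review bot: In the new unit lookup, the `while` loop silently leaves `$einheit` as the original name string when no `Einheit` row matches, and the insert that follows then binds that string into the `Einheit` column; replace the loop with `$row = $result->fetch_assoc(); if ($row === null) { throw new RuntimeException("unknown unit: $einheit"); } $einheit = $row["ID"];` so an unknown unit fails before anything is written. Both `$mysqli->prepare()` calls and `$insertQuery->execute()` return false on failure and nothing checks them — calling `bind_param` on a false `prepare()` result is a fatal error, and the insert's `$result` is now assigned but never read — so guard them, e.g. `if ($result === false) { throw new RuntimeException($insertQuery->error); }`, or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` where the connection is opened in connect.php. `get_result()` additionally requires the mysqlnd driver; without it the call returns false and `fetch_assoc()` is invoked on a bool. The enclosing function's signature lies outside the hunk, so whether `$einheit` can ever be an int cannot be confirmed here — if it comes straight from request input it is always a string, which would make `is_int()` false even for numeric IDs and send them through the name lookup.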