sql inject for add listitem

This commit is contained in:
Tim Krehan 2019-05-22 08:42:36 +02:00
parent eacd172218
commit 8515304423


@ -30,23 +30,17 @@
include $_SESSION["docroot"].'/config/config.php'; include $_SESSION["docroot"].'/config/config.php';
include $_SESSION["docroot"].'/php/connect.php'; include $_SESSION["docroot"].'/php/connect.php';
if(!is_int($einheit)){ if(!is_int($einheit)){
$unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\""; $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
// $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit"); $unit_query->bind_param("s", $einheit);
// $unit_query->bind_param(":einheit", $einheit); $unit_query->execute();
$result = $mysqli->query($unit_query); $result = $unit_query->get_result();
while($row = $result->fetch_assoc()){ while($row = $result->fetch_assoc()){
$einheit = $row["ID"]; $einheit = $row["ID"];
} }
} }
// $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
$insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)"); $insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
$insertQuery->bind_param("sss", $anzahl, $einheit, $name); $insertQuery->bind_param("sss", $anzahl, $einheit, $name);
$result = $insertQuery->execute(); $result = $insertQuery->execute();
var_dump($result);
// $insertQuery->bind_param(":einheit", $einheit);
// $insertQuery->bind_param(":itemname", $name);
// $insertQuery->execute();
// $mysqli->query($insertQuery);
$mysqli->close(); $mysqli->close();
} }
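Review bot: The unit lookup's outcome is never checked on the new side, so when no `Einheit` row matches, `$einheit` keeps the caller-supplied string and that string is bound straight into the `Einheit` column by `bind_param("sss", ...)`; the fetch loop should be followed by a guard such as `if ($result->num_rows === 0) { $mysqli->close(); throw new \RuntimeException('unknown unit'); }`. The `is_int($einheit)` test is also false for a numeric string like "3", so any value arriving as a string always goes through the name lookup, which is probably not intended if callers pass IDs. Neither `prepare()` nor `execute()` has its return value checked, and `$result` from the insert is silently dropped at the end, so a failed insert is indistinguishable from success unless mysqli exception reporting is enabled elsewhere — consider `if ($insertQuery->execute() === false) { throw new \RuntimeException($insertQuery->error); }`. If `Anzahl` and `Einheit` are integer columns, binding them as `"iis"` rather than `"sss"` would document that and let the driver reject non-numeric input. The enclosing function starts outside the hunk.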