From eacd1722186e959e0528e9bda94bf5e4a2842a52 Mon Sep 17 00:00:00 2001
From: Tim Krehan
Date: Wed, 22 May 2019 08:37:37 +0200
Subject: [PATCH] sanitize sql to prepare for sql injection

---
 php/classes.list.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/php/classes.list.php b/php/classes.list.php
index e8fdf32..226bd04 100644
--- a/php/classes.list.php
+++ b/php/classes.list.php
@@ -31,13 +31,22 @@ include $_SESSION["docroot"].'/php/connect.php';
 if(!is_int($einheit)){
 $unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
+ // $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit");
+ // $unit_query->bind_param(":einheit", $einheit);
 $result = $mysqli->query($unit_query);
 while($row = $result->fetch_assoc()){
 $einheit = $row["ID"];
 }
 }
- $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
- $mysqli->query($insertQuery);
+ // $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
+ $insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
+ $insertQuery->bind_param("sss", $anzahl, $einheit, $name);
+ $result = $insertQuery->execute();
+ var_dump($result);
+ // $insertQuery->bind_param(":einheit", $einheit);
+ // $insertQuery->bind_param(":itemname", $name);
+ // $insertQuery->execute();
+ // $mysqli->query($insertQuery);
 $mysqli->close();
 }
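Review bot: The `Einheit` lookup on the second context line still interpolates `$einheit` directly into the SQL string (`WHERE \`Name\` = \"$einheit\"`), so the injection the commit sets out to close remains open for that statement, and the commented-out prepared version beneath it would not work as written because mysqli supports only positional `?` placeholders, not `:einheit`. The rewrite below binds it the same way the new INSERT does and reads the row through `get_result()` (needs the mysqlnd driver; otherwise use `bind_result()`). In the new INSERT block `$mysqli->prepare()` returns `false` on failure and that unchecked result is passed straight to `bind_param()`, so a syntax or schema error becomes a fatal error rather than a handled one, and `var_dump($result)` is debug output that should not reach the response. The `"sss"` type string binds `$anzahl` and `$einheit` as strings although the removed line inlined both unquoted as numbers; if those columns are integer, `"iis"` matches the schema, and the commented-out old query and `:named` bind lines should be deleted rather than kept. The enclosing function starts before the hunk.
```php
// … unchanged: opening of the is_int($einheit) branch …
$unit_stmt = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
if ($unit_stmt === false) {
    throw new RuntimeException('prepare failed: ' . $mysqli->error);
}
$unit_stmt->bind_param("s", $einheit);
$unit_stmt->execute();
$result = $unit_stmt->get_result();
// … unchanged: while loop reading $row["ID"] …
```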