sanitize sql to prepare for sql injection
This commit is contained in:
parent
973cb0fdec
commit
eacd172218
1 changed files with 11 additions and 2 deletions
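--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -31,13 +31,22 @@
 include $_SESSION["docroot"].'/php/connect.php';
 if(!is_int($einheit)){
 $unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
+// $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit");
+// $unit_query->bind_param(":einheit", $einheit);
 $result = $mysqli->query($unit_query);
 while($row = $result->fetch_assoc()){
 $einheit = $row["ID"];
 }
 }
-$insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
-$mysqli->query($insertQuery);
+// $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
+$insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
+$insertQuery->bind_param("sss", $anzahl, $einheit, $name);
+$result = $insertQuery->execute();
+var_dump($result);
+// $insertQuery->bind_param(":einheit", $einheit);
+// $insertQuery->bind_param(":itemname", $name);
+// $insertQuery->execute();
+// $mysqli->query($insertQuery);
 $mysqli->close();
 }
 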
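Review bot: The lookup `$unit_query = "SELECT * FROM \`Einheit\` WHERE \`Name\` = \"$einheit\"";` at the top of the hunk still interpolates `$einheit` into the SQL string, so the injection path the commit title describes is only closed for the INSERT; the commented-out `prepare`/`bind_param(":einheit", ...)` lines directly below it use PDO-style named placeholders, which mysqli does not support, which is presumably why they were left disabled. Rewriting the lookup with a positional `?` placeholder and `bind_param("s", $einheit)` closes it (see below); `get_result()` needs the mysqlnd driver, otherwise use `bind_result()` and adjust the while loop. On the new side `var_dump($result);` writes the execute() result into the response and should be removed before merge. The return values of `prepare()` and `execute()` are also unchecked — both return `false` on failure, so a failed prepare would surface as a fatal call on `false` rather than a handled error. The enclosing function starts outside the hunk.
```php
if(!is_int($einheit)){
    $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?");
    $unit_query->bind_param("s", $einheit);
    $unit_query->execute();
    $result = $unit_query->get_result();
    // … unchanged: while loop assigning $einheit = $row["ID"] …
}
```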