use prepared statements to protect against SQL injection

Tim Krehan 2019-05-22 08:37:37 +02:00
parent 973cb0fdec
commit eacd172218


@ -31,13 +31,22 @@
include $_SESSION["docroot"].'/php/connect.php'; include $_SESSION["docroot"].'/php/connect.php';
if(!is_int($einheit)){ if(!is_int($einheit)){
$unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\""; $unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
// $unit_query = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = :einheit");
// $unit_query->bind_param(":einheit", $einheit);
$result = $mysqli->query($unit_query); $result = $mysqli->query($unit_query);
while($row = $result->fetch_assoc()){ while($row = $result->fetch_assoc()){
$einheit = $row["ID"]; $einheit = $row["ID"];
} }
} }
$insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)"; // $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
$mysqli->query($insertQuery); $insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0)");
$insertQuery->bind_param("sss", $anzahl, $einheit, $name);
$result = $insertQuery->execute();
var_dump($result);
// $insertQuery->bind_param(":einheit", $einheit);
// $insertQuery->bind_param(":itemname", $name);
// $insertQuery->execute();
// $mysqli->query($insertQuery);
$mysqli->close(); $mysqli->close();
} }
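Review bot: The `Einheit` lookup still interpolates `$einheit` straight into the SQL string on the new side (`WHERE \`Name\` = \"$einheit\"`), so that branch stays injectable whenever `$einheit` is request-supplied, and the prepared version left commented out above it would not have worked anyway because mysqli only accepts positional `?` placeholders, not `:einheit`. The lookup should be a prepared statement like the INSERT now is, and both `prepare()` calls should be checked for `false` before `bind_param`, which is a fatal TypeError on `false` in PHP 8; `get_result()` in the sketch below needs mysqlnd, otherwise use `bind_result`. The `var_dump($result)` after the INSERT is debugging output that reaches the HTTP response and should be removed along with the commented-out query strings. The `bind_param("sss", …)` type string could be `"iis"` if `Anzahl` and `Einheit` are integer columns, but the schema is not visible here. The enclosing function begins before this hunk.
```php
if(!is_int($einheit)){
    $unit_query = $mysqli->prepare("SELECT `ID` FROM `Einheit` WHERE `Name` = ?");
    if($unit_query === false){
        throw new RuntimeException("prepare failed: " . $mysqli->error);
    }
    $unit_query->bind_param("s", $einheit);
    $unit_query->execute();
    $result = $unit_query->get_result();
    while($row = $result->fetch_assoc()){
        $einheit = $row["ID"];
    }
    $unit_query->close();
}
// … unchanged: INSERT prepared statement and bind_param …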