patate/patate.dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: SQL injection :clown:

Browse Source
This commit is contained in:
ALittlePatate
2024-04-25 16:22:56 +02:00
parent e15b6a10bf
commit 686058d025
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
php/guestbook.php
View File

@@ -11,8 +11,10 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = $_POST['name'];
$message = $_POST['message'];
$sql = "INSERT INTO " . $config['DB_NAME'] . " (name, message) VALUES ('$name', '$message')";
mysqli_query($conn, $sql);
$sql = "INSERT INTO " . $config['DB_NAME'] . " (name, message) VALUES (?, ?)";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "ss", $name, $message);
mysqli_stmt_execute($stmt);
header("Location: " . $_SERVER['PHP_SELF']);
exit;