From 686058d0250275366da421e84a7829120abcf609 Mon Sep 17 00:00:00 2001
From: ALittlePatate
Date: Thu, 25 Apr 2024 16:22:56 +0200
Subject: [PATCH] fix: SQL injection :clown:
---
 php/guestbook.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/php/guestbook.php b/php/guestbook.php
index b021ad9..49f6106 100644
--- a/php/guestbook.php
+++ b/php/guestbook.php
@@ -11,8 +11,10 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 $name = $_POST['name'];
 $message = $_POST['message'];
- $sql = "INSERT INTO " . $config['DB_NAME'] . " (name, message) VALUES ('$name', '$message')";
- mysqli_query($conn, $sql);
+ $sql = "INSERT INTO " . $config['DB_NAME'] . " (name, message) VALUES (?, ?)";
+ $stmt = mysqli_prepare($conn, $sql);
+ mysqli_stmt_bind_param($stmt, "ss", $name, $message);
+ mysqli_stmt_execute($stmt);
 header("Location: " . $_SERVER['PHP_SELF']);
 exit;