fix SQL injection

This commit is contained in:
Tomáš Mládek 2018-10-17 14:08:18 +02:00
parent b19ed3cade
commit 8283f4a769

16
api.php

@ -8,7 +8,9 @@ if ($action === 'getMessages') {
$timestamp = $database->escapeString(htmlspecialchars($_GET['timestamp']));
$timestamp = ($timestamp == 0) ? strtotime('-6 hours') : $timestamp;
$results = $database->query('SELECT * FROM messages WHERE timestamp > ' . $timestamp);
$statement = $database->prepare('SELECT * FROM messages WHERE timestamp > :timestamp');
$statement->bindValue('timestamp', $timestamp);
$results = $statement->execute();
$messageArray = [];
while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
@ -31,13 +33,11 @@ if ($action === 'createMessage') {
$timestamp = time();
$name = $database->escapeString(htmlspecialchars($_POST['name']));
$text = $database->escapeString(htmlspecialchars($_POST['text']));
/*
$payload = file_get_contents('php://input');
$data = json_decode($payload);
var_dump($data);
*/
$database->query('INSERT INTO messages (name, text, timestamp) VALUES ("' . $name . '", "' . $text . '", "' . $timestamp . '")');
$statement = $database->prepare('INSERT INTO messages (name, text, timestamp) VALUES (:name, :text, :timestamp)');
$statement->bindValue(':name', $name, SQLITE3_TEXT);
$statement->bindValue(':text', $text, SQLITE3_TEXT);
$statement->bindValue(':timestamp', $timestamp, SQLITE3_INTEGER);
$statement->execute();
}
?>
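Review bot: `escapeString()` on L13, L23 and L24 is now harmful rather than merely redundant: once the values are bound as parameters (L17, L32–L33) SQLite stores and compares them verbatim, so the `'` → `''` doubling that `escapeString` performs ends up inside the stored name/text and inside the timestamp comparison. Drop `escapeString` on those three lines and treat the timestamp as an integer instead — `$timestamp = (int) ($_GET['timestamp'] ?? 0);` — bound with `SQLITE3_INTEGER` as the createMessage hunk already does, which also replaces the loose `$timestamp == 0` on L14 (a non-numeric string compares differently across PHP versions) with an exact test. L17 names the parameter `'timestamp'` while L32–L34 use the `:name` form; SQLite3 prepends the missing colon so both work, but the two hunks should agree. `execute()` on L18 returns false on failure, which would make the `fetchArray` loop on L20 fatal; a `=== false` check before the loop turns that into a handled error. Applying `htmlspecialchars` at input time stores HTML-encoded text in the database instead of escaping at output, but that predates this commit.
```php
// getMessages
$timestamp = (int) ($_GET['timestamp'] ?? 0);
$timestamp = $timestamp === 0 ? strtotime('-6 hours') : $timestamp;
// … unchanged: prepare() …
$statement->bindValue(':timestamp', $timestamp, SQLITE3_INTEGER);
$results = $statement->execute();
if ($results === false) {
    // … report the failed query here instead of reaching fetchArray() …
}
// … unchanged: fetchArray() loop …

// createMessage
$name = htmlspecialchars($_POST['name'] ?? '');
$text = htmlspecialchars($_POST['text'] ?? '');
// … unchanged: prepare() and bindValue() calls …
```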