From 8283f4a769f0e5a1cb33ca2cfedb9a0708c9df97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Ml=C3=A1dek?=
Date: Wed, 17 Oct 2018 14:08:18 +0200
Subject: [PATCH] fix SQL injection

---
 api.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/api.php b/api.php
index c6990b3..5a02cb8 100644
--- a/api.php
+++ b/api.php
@@ -8,7 +8,9 @@ if ($action === 'getMessages') {
 $timestamp = $database->escapeString(htmlspecialchars($_GET['timestamp']));
 $timestamp = ($timestamp == 0) ? strtotime('-6 hours') : $timestamp;
- $results = $database->query('SELECT * FROM messages WHERE timestamp > ' . $timestamp);
+ $statement = $database->prepare('SELECT * FROM messages WHERE timestamp > :timestamp');
+ $statement->bindValue('timestamp', $timestamp);
+ $results = $statement->execute();
 $messageArray = [];
 while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
@@ -31,13 +33,11 @@ if ($action === 'createMessage') {
 $timestamp = time();
 $name = $database->escapeString(htmlspecialchars($_POST['name']));
 $text = $database->escapeString(htmlspecialchars($_POST['text']));
- /*
- $payload = file_get_contents('php://input');
- $data = json_decode($payload);
- var_dump($data);
- */
- $database->query('INSERT INTO messages (name, text, timestamp) VALUES ("' . $name . '", "' . $text . '", "' . $timestamp . '")');
+ $statement = $database->prepare('INSERT INTO messages (name, text, timestamp) VALUES (:name, :text, :timestamp)');
+ $statement->bindValue(':name', $name, SQLITE3_TEXT);
+ $statement->bindValue(':text', $text, SQLITE3_TEXT);
+ $statement->bindValue(':timestamp', $timestamp, SQLITE3_INTEGER);
+ $statement->execute();
 }
-
 ?>
\ No newline at end of file
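Review bot: The `bindValue('timestamp', $timestamp)` line in the getMessages hunk omits the type, so the value produced by `escapeString(htmlspecialchars($_GET['timestamp']))` is bound as TEXT while the `strtotime('-6 hours')` fallback binds an integer; whether `timestamp > :timestamp` then compares numerically depends on the column's affinity, and a text-versus-integer comparison would silently return the wrong rows. Bind it the way the createMessage hunk does, with the `:` prefix and an explicit type: `$statement->bindValue(':timestamp', (int) $timestamp, SQLITE3_INTEGER);`. Now that the value is a parameter, `escapeString` on the line above no longer has a purpose (it only doubled quotes for string interpolation), and `execute()` can return false, which the `$results->fetchArray(...)` loop below would not survive, so a `=== false` check before the loop is worth adding. The `if ($action === 'getMessages')` block starts before this hunk.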
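Review bot: The new `bindValue(':name', $name, SQLITE3_TEXT)` and `bindValue(':text', $text, SQLITE3_TEXT)` lines bind values that the unchanged lines above have already run through `$database->escapeString(...)`, so a name such as `O'Brien` is now stored with its quote doubled (`O''Brien`); with parameters the quoting step should go, leaving `$name = htmlspecialchars($_POST['name']);` and the same for `$text`. Applying `htmlspecialchars` before storage also ties the stored text to the HTML output context; escaping at render time is the usual place for it, though that is a wider change than this commit. Neither `prepare()` nor `execute()` has its return value checked: `prepare()` returns false on an SQL error and the following `bindValue` call would then fail hard, so a guard or enabling exceptions on the SQLite3 handle is worth adding. The retained closing `?>` at end of file (with no trailing newline) is unnecessary in a PHP-only file.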