sdbs/sermon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix SQL injection

Browse source
This commit is contained in:
Tomáš Mládek 2018-10-17 14:08:18 +02:00
parent b19ed3cade
commit 8283f4a769
1 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
api.php
View file

@ -8,7 +8,9 @@ if ($action === 'getMessages') {
$timestamp = $database->escapeString(htmlspecialchars($_GET['timestamp'])); $timestamp = $database->escapeString(htmlspecialchars($_GET['timestamp']));
$timestamp = ($timestamp == 0) ? strtotime('-6 hours') : $timestamp; $timestamp = ($timestamp == 0) ? strtotime('-6 hours') : $timestamp;
$results = $database->query('SELECT * FROM messages WHERE timestamp > ' . $timestamp); $statement = $database->prepare('SELECT * FROM messages WHERE timestamp > :timestamp');
$statement->bindValue('timestamp', $timestamp);
$results = $statement->execute();
$messageArray = []; $messageArray = [];
while ($row = $results->fetchArray(SQLITE3_ASSOC)) { while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
@ -31,13 +33,11 @@ if ($action === 'createMessage') {
$timestamp = time(); $timestamp = time();
$name = $database->escapeString(htmlspecialchars($_POST['name'])); $name = $database->escapeString(htmlspecialchars($_POST['name']));
$text = $database->escapeString(htmlspecialchars($_POST['text'])); $text = $database->escapeString(htmlspecialchars($_POST['text']));
/*
$payload = file_get_contents('php://input');
$data = json_decode($payload);
var_dump($data);
*/
$database->query('INSERT INTO messages (name, text, timestamp) VALUES ("' . $name . '", "' . $text . '", "' . $timestamp . '")'); $statement = $database->prepare('INSERT INTO messages (name, text, timestamp) VALUES (:name, :text, :timestamp)');
$statement->bindValue(':name', $name, SQLITE3_TEXT);
$statement->bindValue(':text', $text, SQLITE3_TEXT);
$statement->bindValue(':timestamp', $timestamp, SQLITE3_INTEGER);
$statement->execute();
} }
?> ?>