From 6fb915786d93ca75348ce531655020a0ef935d6b Mon Sep 17 00:00:00 2001
From: Dylan
Date: Tue, 26 Sep 2023 09:42:30 -0400
Subject: [PATCH] Prepare SQL to prevent SQL injection attacks.
---
input_ddd_scoreboard.php | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/input_ddd_scoreboard.php b/input_ddd_scoreboard.php
index 7ff917d..b9a5f5b 100755
--- a/input_ddd_scoreboard.php
+++ b/input_ddd_scoreboard.php
@@ -1,6 +1,6 @@ " . $score . "
" . $mode . "
"; echo "Bosses: " . $bossNames . "
";
-// Insert the data into the database
-$sql = "INSERT INTO ddd_db.scores (Name, Score, Mode, Bosses) VALUES ('$name', $score, '$mode', '$bossNames')";
+// Prepare an SQL statement
+$stmt = $conn->prepare("INSERT INTO ddd_db.scores (Name, Score, Mode, Bosses) VALUES (?, ?, ?, ?)");
+$stmt->bind_param("siss", $name, $score, $mode, $bossNames);
-if (mysqli_query($conn, $sql)) {
- echo "New record created successfully";
+// Execute the statement
+if ($stmt->execute()) {
+ echo "New record created successfully";
 } else {
- echo "Error: " . $sql . "
" . mysqli_error($conn);
+ echo "Error: " . $stmt->error;
 }
-mysqli_close($conn);
+$stmt->close();
+$conn->close();
 ?>
Back
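Review bot: The return value of `$conn->prepare(...)` is passed straight to `$stmt->bind_param(...)` on the next line, so if prepare fails while mysqli is not in exception mode it returns false and the script dies with a fatal error; add a guard such as `if ($stmt === false) { error_log($conn->error); exit("Could not save the score."); }`. The failure branch still sends `$stmt->error` to the browser, which can disclose table and column details; write it to the server log with `error_log($stmt->error);` and echo a generic message instead. The context lines above the change also echo `$score`, `$mode` and `$bossNames` into the page unescaped, and their assignment is outside this hunk, so if they come from the request each should be wrapped as `htmlspecialchars($mode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` to close the remaining injection path into HTML.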