Prepare SQL to prevent SQL injection attacks.

2023-09-26 09:42:30 -04:00 · 2023-09-26 09:42:30 -04:00 · 6fb915786d
parent 8e6b85588b
commit 6fb915786d
1 changed files with 10 additions and 7 deletions
--- a/input_ddd_scoreboard.php
+++ b/input_ddd_scoreboard.php
@ -1,6 +1,6 @@
 <?php
 echo file_get_contents("ddd_source.html");
-include('config.php');
+include('/var/config/mysqlconnect.php');

 $b64 = $_POST["gamePass"]; 
 $decode = base64_decode($b64, true);
@ -18,16 +18,19 @@ $bossNames = implode(", ", $bosses);
 echo $name . "<br>" . $score . "<br>" . $mode . "<br>";
 echo "Bosses: " . $bossNames . "<br>";

-// Insert the data into the database
-$sql = "INSERT INTO ddd_db.scores (Name, Score, Mode, Bosses) VALUES ('$name', $score, '$mode', '$bossNames')"; 
+// Prepare an SQL statement
+$stmt = $conn->prepare("INSERT INTO ddd_db.scores (Name, Score, Mode, Bosses) VALUES (?, ?, ?, ?)");
+$stmt->bind_param("siss", $name, $score, $mode, $bossNames);

-if (mysqli_query($conn, $sql)) {
-  echo "New record created successfully";
+// Execute the statement
+if ($stmt->execute()) {
+    echo "New record created successfully";
 } else {
-  echo "Error: " . $sql . "<br>" . mysqli_error($conn);
+    echo "Error: " . $stmt->error;
 }

-mysqli_close($conn);
+$stmt->close();
+$conn->close();
 ?>
 <br>
 <a class='ddd' href='/ddd_index.php'>Back</a>