Now without SQL injections!
Thraundil committed Jan 24, 2017
1 parent 9e466c2 commit f1644b1
Showing 7 changed files with 78 additions and 201 deletions.
7 changes: 5 additions & 2 deletions Turinfo.php
@@ -1,7 +1,10 @@
<html>
<?php
echo "<h1>" . $_GET['INFO'] . "</h1>";
$info = $_GET['INFO'];
$info = stripslashes($info);
$info = mysqli_real_escape_string($info);
echo "<h1>" . $info . "</h1>";

?>

<!-- Denne del står for information/descrpiton, venstre side af turnerings-informationssiden -->
Expand All @@ -15,7 +18,7 @@
echo ("<div id='turDesc'>
<table class='turneringTable' style='width:80%; '>
<tr>
<td>" . $_GET['INFO'] . " </br> " . $row['Dag'] . " kl." . $row['Tid'] . "</td>
<td>" . $info . " </br> " . $row['Dag'] . " kl." . $row['Tid'] . "</td>
</tr>
<tr>
<td> ");
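Review bot: `mysqli_real_escape_string($info)` on L18 omits the connection argument the function requires, so on PHP 5/7 it emits a warning and returns null (PHP 8 throws ArgumentCountError) — `$info` is blanked and nothing is actually escaped. Even once the handle is passed, SQL escaping is the wrong tool for L19 and L29, which write `$info` into HTML: a `?INFO=` value containing markup passes through untouched, so this is an XSS sink rather than a SQL one. Keep the raw value for display and escape per context, e.g. `echo "<h1>" . htmlspecialchars($_GET['INFO'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</h1>";`, and only build `$info = mysqli_real_escape_string($db, stripslashes($_GET['INFO']));` where it is interpolated into a query (assuming the same `$db` handle the other files open is in scope here — not visible in this hunk). The second hunk starts inside an `echo (...)` that opens before L25, and whether `$info` reaches a query in the elided lines cannot be seen from the diff.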
33 changes: 23 additions & 10 deletions Turtabel.php
@@ -1,14 +1,27 @@
<?php
if (isset($_GET['cmd'])) {
$tur = $_GET['Turnering'];
$navn = $_GET['Navn'];
$tag = $_GET['Gametag'];
$Bid = $_GET['BordID'];
$uni = $_GET['Turnering'] . " " . $_GET['Navn'] . " " . $_GET['Gametag'];

$turInput = $_GET['Turnering'];
$turInput = stripslashes($turInput);
$turInput = mysqli_real_escape_string($turInput);

$nameInput = $_GET['Navn'];
$nameInput = stripslashes($nameInput);
$nameInput = mysqli_real_escape_string($nameInput);

$gameInput = $_GET['Gametag'];
$gameInput = stripslashes($gameInput);
$gameInput = mysqli_real_escape_string($gameInput);

$bordInput = $_GET['BordID'];
$bordInput = stripslashes($bordInput);
$bordInput = mysqli_real_escape_string($bordInput);

$uni = $turInput . " " . $nameInput . " " . $gameInput;

if ($tur != '0') {
$sql = "INSERT INTO deltager (TurneringsID , Navn , Gamertag , BordID , Unik)"
. "VALUES ($tur , '$navn' , '$tag' , '$Bid' , '$uni' )";
. "VALUES ($tur , '$nameInput' , '$gameInput' , '$bordInput' , '$uni' )";
}
}
?>
Expand Down Expand Up @@ -44,10 +57,10 @@
<!-- Den følgende php står for fejlbeskeder/successbeskeder ved tilmelding til turnering-->
<?php
if (isset($_REQUEST['cmd'])) {
if ($navn > "%") {
if ($tag > "%") {
if ($Bid > 0 && $Bid < 88) {
if ($tur != '0') {
if ($nameInput > "%") {
if ($gameInput > "%") {
if ($bordInput > 0 && $bordInput < 88) {
if ($turInput != '0') {
mysqli_query($db, $sql);
echo "<h2 text align=\"center\">Succes</h2>";
} else {
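Review bot: The INSERT on L65 still interpolates the raw `$tur` from L38 (straight from `$_GET['Turnering']`) unquoted into the VALUES list, and escaping cannot protect a value that sits outside quotes, so the TurneringsID column remains injectable despite the commit message. The minimal fix is `$tur = (int) $_GET['Turnering'];` on L38 — the `!= '0'` checks on L62/L80 keep working and `$turInput` becomes unnecessary. Separately, all four `mysqli_real_escape_string($x)` calls on L46-L58 omit the required `$db` link argument, so on PHP 5/7 they warn and return null (PHP 8 throws ArgumentCountError) — none of the new variables are actually escaped and `$uni` on L60 collapses to two spaces. L81 already passes `$db` to `mysqli_query`, so the handle is available here; the `$db->prepare()`/`bind_param` form used in bordreservation.php is the better end state for this INSERT. The validation chain beginning at L77 continues past the end of the hunk.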
27 changes: 19 additions & 8 deletions adminindex.php
Expand Up @@ -14,50 +14,61 @@
// Dette sker når der klikkes "Opdater"
if(isset($_POST["submit"]))
{

$forside1stor2 = mysqli_real_escape_string(stripslashes($_POST['forside1stor2']));
$forside1 = mysqli_real_escape_string(stripslashes($_POST['forside1']));
$forside2stor = mysqli_real_escape_string(stripslashes($_POST['forside2stor']));
$forside2 = mysqli_real_escape_string(stripslashes($_POST['forside2']));
$forside3stor = mysqli_real_escape_string(stripslashes($_POST['forside3stor']));
$forside3 = mysqli_real_escape_string(stripslashes($_POST['forside3']));
$forside4stor = mysqli_real_escape_string(stripslashes($_POST['forside4stor']));
$forside4 = mysqli_real_escape_string(stripslashes($_POST['forside4']));


// Overskriften
$forside1stor3 = $_POST['forside1stor2'];
$forside1stor3 = $forside1stor2;
$forside1stor3 = mysqli_escape_string($db,$forside1stor3);
$q = "UPDATE forside SET `desc`='" . $forside1stor3 . "' WHERE num = 1;";
mysqli_query($db, $q);

// Undertekst til overskriften
$forside1 = $_POST['forside1'];
$forside1 = $forside1;
$forside1 = mysqli_escape_string($db,$forside1);
$q2 = "UPDATE forside SET `desc`='" . $forside1 . "' WHERE num = 2;";
mysqli_query($db, $q2);

// Overskrift lille vindue 1
$forside2stor = $_POST['forside2stor'];
$forside2stor = $forside2stor;
$forside2stor = mysqli_escape_string($db,$forside2stor);
$q2 = "UPDATE forside SET `desc`='" . $forside2stor . "' WHERE num = 3;";
mysqli_query($db, $q2);

// Undertekst til vindue 1
$forside2 = $_POST['forside2'];
$forside2 = $forside2;
$forside2 = mysqli_escape_string($db,$forside2);
$q3 = "UPDATE forside SET `desc`='" . $forside2 . "' WHERE num = 4;";
mysqli_query($db, $q3);

// Overskrift lille vindue 2
$forside3stor = $_POST['forside3stor'];
$forside3stor = $forside3stor;
$forside3stor = mysqli_escape_string($db,$forside3stor);
$q4 = "UPDATE forside SET `desc`='" . $forside3stor . "' WHERE num = 5;";
mysqli_query($db, $q4);

// Undertekst til vindue 2
$forside3 = $_POST['forside3'];
$forside3 = $forside3;
$forside3 = mysqli_escape_string($db,$forside3);
$q5 = "UPDATE forside SET `desc`='" . $forside3 . "' WHERE num = 6;";
mysqli_query($db, $q5);

// Overskrift lille vindue 3
$forside4stor = $_POST['forside4stor'];
$forside4stor = $forside4stor;
$forside4stor = mysqli_escape_string($db,$forside4stor);
$q6 = "UPDATE forside SET `desc`='" . $forside4stor . "' WHERE num = 7;";
mysqli_query($db, $q6);

// Undertekst til vindue 3
$forside4 = $_POST['forside4'];
$forside4 = $forside4;
$forside4 = mysqli_escape_string($db,$forside4);
$q7 = "UPDATE forside SET `desc`='" . $forside4 . "' WHERE num = 8;";
mysqli_query($db, $q7);
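Review bot: The new block on L91-L98 calls `mysqli_real_escape_string()` without the `$db` link, so on PHP 5/7 each call warns and returns null (PHP 8 throws ArgumentCountError); the values are then escaped a second time by the existing `mysqli_escape_string($db, ...)` calls on L104-L153, which turns every field into `''` — one admin "Opdater" click overwrites all eight `forside` rows with empty text, and on a PHP where the first call did work it would store doubled backslashes. The quickest repair is to delete L91-L98 and leave the single correctly-formed escape per field; the `$x = $x;` lines on L103/L110/L117/... are then no-ops that can go too. Since the eight updates differ only in field name and `num`, a prepared statement in a loop removes the escaping question entirely (sketch below, replacing L91-L155; the closing brace of the `if` is outside the hunk). `stripslashes()` only makes sense under magic_quotes_gpc, which PHP 5.4 removed, so confirm the target PHP version before keeping it.
```php
if(isset($_POST["submit"]))
{
    // POST fields map, in the original order, onto forside.num 1..8.
    $fields = ['forside1stor2', 'forside1', 'forside2stor', 'forside2',
               'forside3stor', 'forside3', 'forside4stor', 'forside4'];
    $stmt = $db->prepare("UPDATE forside SET `desc` = ? WHERE num = ?");
    foreach ($fields as $i => $field) {
        // stripslashes kept to match the commit; drop it unless magic_quotes_gpc is on.
        $desc = isset($_POST[$field]) ? stripslashes($_POST[$field]) : '';
        $num = $i + 1;
        $stmt->bind_param('si', $desc, $num);
        $stmt->execute();
    }
    $stmt->close();
    // … unchanged: rest of the submit handler …
```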
8 changes: 4 additions & 4 deletions adminturnering.php
Expand Up @@ -8,17 +8,17 @@
og sletter alle turneringer hvis der klikkes "slet alle turneringer" -->
<?php
if (isset($_GET['Opret'])) {
$Turnavn = $_GET['Turnavn'];
$Dag = $_GET['Dag'];
$Turnavn = mysqli_real_escape_string(stripslashes($_GET['Turnavn']));
$Dag = mysqli_real_escape_string(stripslashes($_GET['Dag']));
if ($Dag == '1') {
$DagB = "Fredag";
} else if ($Dag == '2') {
$DagB = "Lørdag";
} else if ($Dag == '3') {
$DagB = "Søndag";
}
$Tid = $_GET['Tid'];
$Desc = $_GET['Desc'];
$Tid = mysqli_real_escape_string(stripslashes($_GET['Tid']));
$Desc = mysqli_real_escape_string(stripslashes($_GET['Desc']));
$sql = "INSERT INTO `turtabel` (`TurneringsID`, `TurneringsNavn`, `Tid`, `Dag`, `Description`) "
. " VALUES (NULL, '$Turnavn', '$Tid', '$DagB', '$Desc')";
} else if (isset($_GET['slet'])) {
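Review bot: Every escaping call on L164-L176 omits the `$db` link that `mysqli_real_escape_string()` requires, so on PHP 5/7 they emit a warning and yield null (ArgumentCountError on PHP 8) — the INSERT built on L177-L178 would store empty strings rather than escaped ones. Write them as `$Turnavn = mysqli_real_escape_string($db, stripslashes($_GET['Turnavn']));` and likewise for `$Dag`, `$Tid` and `$Desc` (adminindex.php L104 shows the correct two-argument form), or better, prepare the INSERT and bind the four values. `$DagB` is still only assigned when `$Dag` is '1', '2' or '3', so any other value reaches the query as an undefined variable — pre-existing, but the new escaping does nothing for it; a final `else` that rejects the request would close that gap. The create action fires on a bare GET (`isset($_GET['Opret'])`), which is worth confirming against whatever CSRF/authentication the admin pages have elsewhere, since none is visible here. The `$sql` string is executed outside this hunk.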
42 changes: 27 additions & 15 deletions bordreservation.php
Expand Up @@ -11,7 +11,19 @@

<!-- Her følger en PHP kode der tager højde for de forskellige input man giver "navn, billet, plads", når man bestiller plads -->
<?php


$numInput = $_GET['pid'];
$numInput = stripslashes($numInput);
$numInput = mysqli_real_escape_string($numInput);

$ticketInput = $_POST[ticketID];
$ticketInput = stripcslashes($ticketInput);
$ticketInput = mysqli_real_escape_string($ticketInput);

$nameInput = $_POST[playernamee];
$nameInput = stripcslashes($nameInput);
$nameInput = mysqli_real_escape_string($nameInput);

/* Dette for loop checker, hvor den første ikke reserverede (hvide) plads er, og gør den til $currentTable */
for ($ii = 1; $ii <= 80; $ii++)
{
Expand All @@ -20,12 +32,12 @@
if ($color["Color"] == "White") {$currentTable = $ii; break;}
}

if (isset($_GET['pid']) && is_numeric($_GET['pid']) && $_GET['pid'] >= 1 && $_GET['pid'] <= 80 ) {
$id = $_GET['pid'];
if (isset($numInput) && is_numeric($numInput) && $numInput >= 1 && $numInput <= 80 ) {
$id = $numInput;


/* Her ses der om pladsen allerede er taget (kigges på farven) */
if (isset($_POST['ticketID'])) {
if (isset($ticketInput)) {

$stmt = $db->prepare("SELECT COUNT(SeatID)
FROM booking
Expand All @@ -48,32 +60,32 @@
if ($isFree > 0) {
$result = mysqli_query($db, "SELECT TicketID
FROM ticket
WHERE TicketID='$_POST[ticketID]'");
WHERE TicketID='$ticketInput'");

$numResults = mysqli_num_rows($result);

/* Her ses der om der allerede er blevet booket på den plads*/
if ($numResults > 0) {
$bookingRes = mysqli_query($db, "SELECT TicketID
FROM booking
WHERE TicketID='$_POST[ticketID]'");
WHERE TicketID='$ticketInput'");
$numBookRes = mysqli_num_rows($bookingRes);

/* SKAL ÆNDRES SÅ MAN RESERVERER EN NY + SLETTER DEN GAMLE */
if ($numBookRes > 0) {

if ($_POST['playername'] != '' AND $id != 'Choose a seat') {
if ($nameInput != '' AND $id != 'Choose a seat') {

mysqli_query($db, "UPDATE booking
SET PlayerName='',
TicketID='',
Color='White'
WHERE TicketID='$_POST[ticketID]'");
WHERE TicketID='$ticketInput'");


mysqli_query($db, "UPDATE booking
SET PlayerName='$_POST[playername]',
TicketID='$_POST[ticketID]',
SET PlayerName='$nameInput',
TicketID='$ticketInput',
Color='Red'
WHERE SeatID=$id");
echo "<script type='text/javascript'>alert('You have now booked seat " . $id . " ');</script>";
Expand All @@ -88,10 +100,10 @@
/* Her reserveres pladsen */
else {

if ($_POST['playername'] != '' AND $id != 'Choose a seat') {
if ($nameInput != '' AND $id != 'Choose a seat') {
mysqli_query($db, "UPDATE booking
SET PlayerName='$_POST[playername]',
TicketID='$_POST[ticketID]',
SET PlayerName='$nameInput',
TicketID='$ticketInput',
Color='Red'
WHERE SeatID=$id");
echo "<script type='text/javascript'>alert('You have now booked seat " . $id . " ');</script>";
Expand Down Expand Up @@ -174,9 +186,9 @@
}

/* Denne IF sætning sørger for at det sæde man er ved at vælge bliver farvet grønt */
if (isset($_GET['pid']))
if (isset($numInput))
{
$idd = $_GET['pid'];
$idd = $numInput;
echo ("<div id='" . $idd . "'");
echo ("style='");
echo ("height:16px;");
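Review bot: `$_POST[playernamee]` on L196 is misspelled (the replaced code read `playername`, L239/L251) and both it and `$_POST[ticketID]` on L192 use bare constants instead of quoted keys, so `$nameInput` is always empty and every `$nameInput != ''` test on L240/L263 fails — no seat can be booked after this change. The same lines also call `mysqli_real_escape_string()` without the `$db` link (L190/L194/L198), use `stripcslashes()` on L193/L197 where L189 uses `stripslashes()` (the C-escape variant rewrites sequences such as `\n` in a ticket ID), and read the keys unconditionally, so `isset($ticketInput)` on L215 no longer indicates whether the form was posted. Proposed shape: `$ticketInput = isset($_POST['ticketID']) ? mysqli_real_escape_string($db, stripslashes($_POST['ticketID'])) : null;` and the same for `$numInput` (`$_GET['pid']`) and `$nameInput` (`$_POST['playername']`). `$idd` is still echoed into an HTML attribute on L281 with only SQL escaping applied; either reuse the numeric 1..80 check from L209 before that `echo` or wrap it as `htmlspecialchars($idd, ENT_QUOTES, 'UTF-8')`. The `$db->prepare()` already used on L217 is the right model for the interpolated queries on L221-L270.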
68 changes: 0 additions & 68 deletions indexBackend.php
Expand Up @@ -67,74 +67,6 @@
</p>
</div>

<?php

/*
// Drops the Table "Persons"
$sql1="DROP TABLE Persons;";
mysqli_query($db,$sql1);
$sql="CREATE TABLE Persons(FirstName CHAR(30),LastName CHAR(30),Age INT)";
// Execute query
if (mysqli_query($db,$sql)) {
echo "";
}
else {
echo "Error creating table: " . mysqli_error($con);
}
// adds people to the tables
mysqli_query($db,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Peter', 'Griffin',35)");
mysqli_query($db,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Glenn', 'Quagmire',33)");
mysqli_query($db,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Darth', 'Vader',62)");
mysqli_query($db,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Luke', 'Skywalker',28)");
mysqli_query($db,"INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Han', 'Solo',32)");
// Kigger i databasen og hiver ud via SELECT
$result = mysqli_query($db,"SELECT * FROM Persons");
echo " <div class='phpTable'> <table border='1'>
<tr>
<th>Firstname</th>
<th>Lastname</th>
<th>Age</th>
</tr>";
while($row = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>" . $row['FirstName'] . "</td>";
echo "<td>" . $row['LastName'] . "</td>";
echo "<td>" . $row['Age'] . "</td>";
echo "</tr>";
}
echo "</table> </div>";
$result = mysqli_query($db,"SELECT * FROM Persons");
// Lukker Databasen
mysqli_close($db);
*/
?>



