sql injection problems solved
ada-l0velace committed Dec 3, 2014
1 parent 741c3f6 commit abd7114
Showing 3 changed files with 41 additions and 23 deletions.
6 changes: 4 additions & 2 deletions js/ajax_forms.js
@@ -42,12 +42,14 @@ $(document).ready(function(){
data: values,
success: function(data){
try {
//alert(data);
var error = $(data).filter("#erro");
//var error = $(data).find('#erro'); use this if div is nested
alert(error.html());
if(error.html() != undefined)
alert(error.html());
}
catch(err) {
//console.log("Error not found");
console.log("Error not found");
}
populateDivTable("leilaoinscritos.php","leiloesincritos");
populateDivTable("leilaotop.php","leiloestop");
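Review bot: The guard added at `if(error.html() != undefined)` tests the content of the match rather than whether a `#erro` element exists, and the loose `!=` also treats `null` as "absent"; the usual jQuery idiom is `if (error.length) { alert(error.html()); }`. As the existing comment already says, `$(data).filter("#erro")` only finds the element when it is a top-level node of the response, so a nested `#erro` will be silently ignored. The `success` callback and the enclosing `$(document).ready` block start before and end after this hunk.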
32 changes: 21 additions & 11 deletions lance.php
@@ -21,11 +21,18 @@ function test_input($data) {
$lance = test_input($_POST["lance"]);
}

$ultimolance_query="SELECT MAX(lance.valor) AS max_valor
/*$ultimolance_query="SELECT MAX(lance.valor) AS max_valor
FROM lance
WHERE lance.leilao = $lid";
$ultimolance = $connection->query($ultimolance_query);
$ultimolance = $connection->query($ultimolance_query);*/
$ultimolance = $connection->prepare("SELECT MAX(lance.valor) AS max_valor
FROM lance
WHERE lance.leilao = :lid");
$ultimolance->bindParam(':lid', $lid);
$ultimolance->setFetchMode(PDO::FETCH_ASSOC);
$ultimolance->execute();
$teste = false;
$ultimolance = $ultimolance->fetchAll();
foreach($ultimolance as $row){
if($row['max_valor'] == ""){
$teste = true;
@@ -35,16 +42,19 @@ function test_input($data) {
}

}
$ultimolance = $connection->query($ultimolance_query);


//$ultimolance = $connection->query($ultimolance_query);

if($teste == true){
$valorbase_query="SELECT valorbase AS min_valor
FROM leilaor, leilao
WHERE leilaor.lid = $lid
WHERE leilaor.lid = :lid
AND leilaor.dia = leilao.dia
AND leilaor.nrleilaonodia = leilao.nrleilaonodia
AND leilaor.nif = leilao.nif";
$valorbase = $connection->query($valorbase_query);
$valorbase = $connection->prepare($valorbase_query);
$valorbase->bindParam(':lid', $lid);
$valorbase->execute();
foreach($valorbase as $row){
$valor_min = $row["min_valor"];
}
@@ -59,12 +69,12 @@ function test_input($data) {
if($valor_max < $lance and $valor_min <= $lance){
$lance_query="INSERT INTO lance(pessoa,leilao,valor)
VALUES ($nif,$lid,$lance)";
$result = $connection->query($lance_query);

echo($lance_query);
$result = $connection->prepare($lance_query);
$error = $result->execute();
//echo($lance_query);

if (!$result) {
echo("<div id='erro'> Não houve lance:($sql) </div>");
if (!$error) {
echo("<div id='erro'> Não houve lance:($error) </div>");
}
}else{
echo("<div id='erro'> O valor do lance é inválido </div>");
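Review bot: The INSERT in the last hunk still builds its SQL by interpolating `$nif`, `$lid` and `$lance` into `$lance_query` and only then calls `prepare()`, so the statement is prepared from an already-assembled string and none of the values are bound as parameters; this is the one query the commit leaves open to injection, unlike the two SELECTs above it, which were moved to `:lid` placeholders with `bindParam`. The same rewrite applies here: placeholders in the statement and one `bindParam` per value. Separately, `execute()` returns a bool, so `Não houve lance:($error)` prints an empty string on failure; if diagnostic detail is wanted it should come from `$result->errorInfo()` and go to a server-side log rather than into the page. `test_input` and the assignments of `$nif` and `$lid` are outside these hunks, so whether those values are validated before this point cannot be seen here.
```php
$lance_query="INSERT INTO lance(pessoa,leilao,valor)
              VALUES (:nif,:lid,:lance)";
$result = $connection->prepare($lance_query);
$result->bindParam(':nif', $nif);
$result->bindParam(':lid', $lid);
$result->bindParam(':lance', $lance);
$error = $result->execute();
// … unchanged: error div and else branch …
```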
26 changes: 16 additions & 10 deletions leilao.php
@@ -24,9 +24,7 @@ function test_input($data) {
exit();
}

//regista a pessoa no leilão. Exemplificativo apenas.....
$inscreve_query = "INSERT INTO concorrente (pessoa,leilao)
VALUES ($nif,$lid)";

$data_now = date("y-m-d");

/*
@@ -37,18 +35,19 @@ function test_input($data) {

/* PREPARED STATEMENTS */
$sqlDataLeilao = "SELECT * FROM leilaor
WHERE lid =" . $lid;
$resultado = $connection->query($sqlDataLeilao);

WHERE lid =:lid";
$resultado = $connection->prepare($sqlDataLeilao);
$resultado->bindParam(':lid', $lid);
$error = $resultado->execute();
/*
echo("<p>");
echo($sqlDataLeilao);
echo("</p>");
*/


if (!$resultado) {
echo("<p> Erro na Query:($sql) </p>");
if (!$error) {
echo("<div id='erro'> Erro na Query:($sql) </div>");
exit();
}

@@ -71,10 +70,17 @@ function test_input($data) {
echo("</p>");
*/
$datediff = strtotime($new_dia) - strtotime($data_now);

//regista a pessoa no leilão. Exemplificativo apenas.....
$inscreve_query = "INSERT INTO concorrente (pessoa,leilao)
VALUES (:nif,:lid)";
if($data_now <= $new_dia){
if($dia_abertura <= $data_now){
$inscreve = $connection->query($inscreve_query);
if (!$inscreve) {
$inscreve = $connection->prepare($inscreve_query);
$inscreve->bindParam(':nif', $nif);
$inscreve->bindParam(':lid', $lid);
$error = $inscreve->execute();
if (!$error) {
echo("<div id='erro'> Pessoa já se encontra registada neste leilão! </div>");
exit();
}
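Review bot: The failure branch at `echo("<div id='erro'> Erro na Query:($sql) </div>");` interpolates `$sql`, which is not assigned anywhere in these hunks (the statement text lives in `$sqlDataLeilao`), so the message carries either an empty string or, if `$sql` is set earlier in the file, raw query text sent straight to the browser. Either way SQL text should not reach the client; `echo("<div id='erro'> Erro na Query </div>");` with the driver's `errorInfo()` written to a server-side log is enough. In the third hunk, every false return from `$inscreve->execute()` is reported as "Pessoa já se encontra registada", which presumably relies on a uniqueness constraint on `concorrente`; any other failure would be misreported as a duplicate registration. `$nif` and `$lid` are assigned outside these hunks, so their origin cannot be checked here.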
