fixed update.php to prevent sql injections because people are douchebags
alpertmd committed Mar 11, 2015
1 parent e53baf5 commit a812a5e
Showing 1 changed file with 24 additions and 19 deletions.
43 changes: 24 additions & 19 deletions update.php
@@ -1,28 +1,33 @@
<?php
$name = $_GET["name"];
$score = $_GET["score"];

$username = "alpertmd";
$password = "yofer`";
$hostname = "repos.insttech.washington.edu";
if ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'){
$username = "alpertmd";
$password = "yofer`";
$hostname = "repos.insttech.washington.edu";

$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");

$selected = mysql_select_db("alpertmd", $dbhandle) or die("Could not select high score db");
$dbhandle = mysqli_connect($hostname, $username, $password) or die("Unable to connect to MySQL");

$result = mysql_query("SELECT MAX(idHighscores) FROM Highscores");
$id = mysql_result($result, 0) + 1;
$selected = mysqli_select_db($dbhandle,$username) or die("Could not select high score db");

$query = "INSERT INTO Highscores VALUES ($id, '$name', $score)";
$result = mysql_query($query);

$query = "SELECT idHighscores FROM Highscores WHERE score = (SELECT Min(score) FROM Highscores)";
$result = mysql_query($query);
$minID = mysql_result($result, 0);
$result = mysqli_query($dbhandle, "SELECT MAX(idHighscores) FROM Highscores");

$id = mysqli_fetch_row($result)[0] + 1;
$name = $_POST["name"];
$score = $_POST["score"];

$query = mysqli_prepare($dbhandle, "INSERT INTO Highscores Values (?, ?, ?)");

mysqli_stmt_bind_param($query, 'isi', $id, $name, $score);
mysqli_stmt_execute($query);
mysqli_stmt_close($query);

$query = "SELECT idHighscores FROM Highscores WHERE score = (SELECT Min(score) FROM Highscores)";
$result = mysqli_query($dbhandle, $query);
$minID = mysqli_fetch_row($result)[0];

$query = "DELETE FROM Highscores WHERE idHighscores = $minID";
$result = mysql_query($query);
$query = "DELETE FROM Highscores WHERE idHighscores = $minID";
$result = mysqli_query($dbhandle, $query);

mysql_close($dbhandle);
mysqli_close($dbhandle);
}
?>
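Review bot: The database password is still committed in plain text on the `$password = ...` line inside the `if` block, and once this commit is pushed the value is part of public history, so the credential should be treated as exposed — rotate it and load the connection settings from a file outside the web root or from environment variables instead of the script. The `HTTP_X_REQUESTED_WITH == 'XMLHttpRequest'` check only distinguishes browser XHR from direct navigation; the header is supplied by the client, so it does not authenticate the caller and any client can still submit scores — a session or token check is needed if that is the intent. `$_POST["name"]` and `$_POST["score"]` are read without `isset` or validation, so a missing field produces a notice and a non-numeric score relies on `bind_param`'s `i` coercion; something like `$score = filter_var($_POST['score'] ?? null, FILTER_VALIDATE_INT); if ($score === false) { http_response_code(400); exit; }` plus a length cap on `$name` before binding would reject malformed input explicitly. `MAX(idHighscores) + 1` is computed in a separate statement from the INSERT, so two concurrent requests can pick the same id; an AUTO_INCREMENT column avoids that. `mysqli_prepare` and the `mysqli_query` calls are also unchecked — a failed prepare returns `false` and the following `mysqli_stmt_bind_param` would error rather than fail cleanly.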
