From 8ce7eef62050c5ba889cc263627461b36bafa6bd Mon Sep 17 00:00:00 2001
From: Caleb Mazalevskis
Date: Tue, 28 May 2019 20:40:58 +0800
Subject: [PATCH 1/2] Rewrite process.php using PDO instead of mysqli.

Uses parameter binding to help reduce the risk of SQL injection.
---
 process.php | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/process.php b/process.php
index 2086f05..11dac63 100644
--- a/process.php
+++ b/process.php
@@ -1,19 +1,18 @@ getMessage();
+ die;
+}

-//Fetching Values from URL
-$name =$_POST['Name'];
-$msg =$_POST['Message'];
+$Prepared = $PDO->prepare('INSERT INTO `formsub` (`name`, `msg`) values (:name, :msg)');
+if ($Prepared !== false) {
+ $Query = $Prepared->execute([
+ 'name' => $_POST['Name'],
+ 'msg' => $_POST['Message']
+ ]);
+}

-//Insert query
- $sql = "insert into formsub (name,msg) values ('$name','$msg')";
- $query = mysqli_query( $conn,$sql);
- if($query){
- echo "Working good";
- }else echo "error";
-
-// clossing connection
-mysqli_close($conn);
-?>
+echo $Query ? 'Working good' : 'Error';

From ae354ab5dcb61b8f2194e7fa207164732c3411d2 Mon Sep 17 00:00:00 2001
From: Caleb Mazalevskis
Date: Tue, 28 May 2019 20:43:52 +0800
Subject: [PATCH 2/2] Improvement on previous commit.

---
 process.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/process.php b/process.php
index 11dac63..c63a490 100644
--- a/process.php
+++ b/process.php
@@ -13,6 +13,8 @@
 'name' => $_POST['Name'],
 'msg' => $_POST['Message']
 ]);
+} else {
+ $Query = false;
 }

 echo $Query ? 'Working good' : 'Error';
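Review bot: The catch block at the top of the first hunk echoes `$e->getMessage()` into the HTTP response before `die;`, which hands the PDOException text (driver error, SQLSTATE, and typically the host or database name from the DSN) to whoever submitted the form; the lines that open the `try`/`catch` and construct the PDO object are not visible in this hunk, so this is read from the `getMessage();` remnant. Log it server-side and return a generic message instead, e.g. `error_log($e->getMessage()); http_response_code(500); exit('Error');`. The `execute()` call also reads `$_POST['Name']` and `$_POST['Message']` without checking they exist, so a request missing either key emits a PHP warning/notice and binds null; use `$_POST['Name'] ?? ''` and `$_POST['Message'] ?? ''`, or reject the request when a field is absent.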
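Review bot: The added `else` branch in the second patch is only reached when `prepare()` returns `false`, which depends on the error mode set where the PDO object is constructed, outside this hunk: since PHP 8.0 PDO defaults to `PDO::ERRMODE_EXCEPTION`, so a failing `prepare()` or `execute()` throws a PDOException from outside the `try` block added in the first patch and the request ends in an uncaught exception rather than the `'Error'` echo below this hunk. Consider moving the prepare/execute calls into that `try` and setting `$Query = false` in its `catch` (after logging), so both failure paths produce the same generic response. Either way the failure response should not be a 200; an `http_response_code(500);` before echoing `'Error'` lets the caller tell the two outcomes apart.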