Re: repute.php mysql->mysqli
On 09/07/14 22:13, Christian Rößner wrote:
> Hi,
>
> I have rewritten mysql stuff in repute.php, because ext/mysql is deprecated as of php-5.5
>
> As I am not that great PHP programmer, please review it and if it is okay, feel free to include it.
>
> Best wishes
>
> -Christian Rößner
>
>
>
$query1 = "SELECT ratio_high,
UNIX_TIMESTAMP(updated),
rate_samples
FROM predictions
WHERE name = '$subject'
AND reporter = 0";
$query2 = "SELECT daily_limit_low
FROM predictions
WHERE name = '$subject'
AND reporter = $reporter";
This is classic SQL injection. Replace variables and quotes with ?
and then
if (!($result = $connection->query($query1)))
becomes
if ($stmt = $mysqli->prepare($query1)) {
    /* bind parameters for markers */
    $stmt->bind_param("s", $subject);
    /* execute query */
    $stmt->execute();
    if (!($result = $stmt->get_result())).....
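The rewrite sketched in the reply, carried through for both quoted queries as an added example (this is not the repute.php code from the thread, nor code from the project; the connection parameters, the function names and the `AS updated_ts` alias are assumptions). The point is that the SQL text no longer contains any caller-supplied data: each `?` marker is bound separately with a declared type, so neither `$subject` nor `$reporter` can change the shape of the statement.

```php
<?php
// Added example, not the repute.php code from the thread or the project.
// Shows the two queries quoted above rewritten as mysqli prepared statements.
// Connection parameters and the function names are assumptions.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare()/execute() cannot be mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Before (the pattern from the original repute.php), kept as a comment only:
//   "SELECT daily_limit_low FROM predictions
//    WHERE name = '$subject' AND reporter = $reporter"
// Interpolating $subject and $reporter into the SQL text lets a crafted
// value alter the statement. The functions below replace that pattern.

function fetch_prediction(mysqli $connection, string $subject): ?array
{
    // No user data in the SQL text; the ? marker is filled in by the driver.
    $sql = "SELECT ratio_high, UNIX_TIMESTAMP(updated) AS updated_ts, rate_samples
            FROM predictions
            WHERE name = ? AND reporter = 0";
    $stmt = $connection->prepare($sql);
    $stmt->bind_param("s", $subject);   // "s": bind $subject as a string
    $stmt->execute();
    // get_result() requires the mysqlnd driver (the default since PHP 5.4);
    // with the older libmysql client use bind_result()/fetch() instead.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? $row : null;         // null when no row matched
}

function fetch_daily_limit(mysqli $connection, string $subject, int $reporter): ?int
{
    $sql = "SELECT daily_limit_low FROM predictions WHERE name = ? AND reporter = ?";
    $stmt = $connection->prepare($sql);
    // "si": first marker is a string, second an integer. Binding $reporter as
    // an integer means it can never carry SQL, whatever the caller passed.
    $stmt->bind_param("si", $subject, $reporter);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    $stmt->close();
    return $row ? (int) $row[0] : null;
}

// Usage (connection parameters are placeholders, not the project's settings):
$connection = new mysqli("db-host.example", "repute", "REPLACE_ME", "repute_db");
$subject    = $_GET['subject'] ?? '';
$prediction = fetch_prediction($connection, $subject);
$limit      = fetch_daily_limit($connection, $subject, 0);
var_dump($prediction, $limit);
```

Two caveats worth keeping in mind when applying this across the rest of the file: markers can only stand in for values, not for table or column names, so any query that builds identifiers dynamically needs a whitelist rather than `bind_param`; and with `MYSQLI_REPORT_STRICT` enabled the `if ($stmt = ...)` checks in the reply become exception handling, so wrap the calls in `try`/`catch` where the script currently expects a `false` return.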
Received on Thu Jul 17 2014 - 22:32:55 PST
This archive was generated by hypermail 2.3.0: Thu Jul 17 2014 - 22:36:01 PST