Re: repute.php mysql->mysqli

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Fri, 18 Jul 2014 08:32:32 +1000

On 09/07/14 22:13, Christian Rößner wrote:
> Hi,
>
> I have rewritten mysql stuff in repute.php, because ext/mysql is deprecated as of php-5.5
>
> As I am not that great PHP programmer, please review it and if it is okay, feel free to include it.
>
> Best wishes
>
> -Christian Rößner
>

$query1 = "SELECT ratio_high,
                        UNIX_TIMESTAMP(updated),
                        rate_samples
           FROM predictions
           WHERE name = '$subject'
           AND reporter = 0";

$query2 = "SELECT daily_limit_low
           FROM predictions
           WHERE name = '$subject'
           AND reporter = $reporter";





This is classic sql injection. Replace variables and quotes with ?

and then

if (!($result = $connection->query($query1)))


if ($stmt = $mysqli->prepare($query1)) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $subject);

    /* execute query */
    $stmt->execute();

    if (!($result = $stmt->get_result())).....

Received on Thu Jul 17 2014 - 22:32:55 PST

This archive was generated by hypermail 2.3.0 : Thu Jul 17 2014 - 22:36:01 PST
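The change Daniel is asking for, written out as an added example (this is not code from Daniel's reply or from the repute.php patch under review): both queries from the patch with their interpolated variables replaced by `?` markers and bound through mysqli prepared statements. The table and column names (predictions, ratio_high, updated, rate_samples, daily_limit_low, name, reporter) are the ones in the patch; the connection credentials are placeholders, the two helper functions and the sample subject value are constructed for illustration.

```php
<?php
// Added example: the two repute.php queries as mysqli prepared statements.
// Credentials are placeholders; helper names are hypothetical.

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() cannot be mistaken for "no rows found".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$connection->set_charset('utf8mb4');

// BEFORE (as in the patch): the value is spliced into the SQL text, so a
// name containing a quote character changes the statement itself.
// $query1 = "SELECT ... FROM predictions WHERE name = '$subject' AND reporter = 0";

// AFTER: one `?` marker per value and no quotes around the marker. The
// server receives the SQL and the values separately.
$query1 = "SELECT ratio_high, UNIX_TIMESTAMP(updated) AS updated_ts, rate_samples
           FROM predictions
           WHERE name = ? AND reporter = 0";

$query2 = "SELECT daily_limit_low
           FROM predictions
           WHERE name = ? AND reporter = ?";

/**
 * Fetch the reporter = 0 prediction row for a subject.
 * Returns the row as an associative array, or null when nothing matches.
 */
function fetch_global_prediction(mysqli $connection, string $query1, string $subject): ?array
{
    $stmt = $connection->prepare($query1);
    $stmt->bind_param('s', $subject);   // "s": sent as a string value, never parsed as SQL
    $stmt->execute();
    $result = $stmt->get_result();       // needs the mysqlnd driver (see note below)
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Fetch the per-reporter daily limit. The reporter id is bound with "i",
 * so it is transmitted as an integer rather than interpolated as text.
 */
function fetch_daily_limit(mysqli $connection, string $query2, string $subject, int $reporter): ?int
{
    $stmt = $connection->prepare($query2);
    $stmt->bind_param('si', $subject, $reporter);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ? (int) $row['daily_limit_low'] : null;
}

// Constructed input: a subject containing an apostrophe. The string-built
// query in the patch would have produced a syntax error (or worse) here;
// with a bound parameter it is simply compared against the name column.
$subject  = "o'reilly.example";
$reporter = 42;

var_dump(fetch_global_prediction($connection, $query1, $subject));
var_dump(fetch_daily_limit($connection, $query2, $subject, $reporter));
```

Two practical notes. `mysqli_stmt::get_result()` only exists when PHP is built with the mysqlnd driver; on a libmysqlclient build the equivalent is `bind_result()` followed by `fetch()`. And with `MYSQLI_REPORT_STRICT` enabled, the `if (!($result = ...))` checks in the original become unnecessary, because every failure surfaces as a `mysqli_sql_exception` instead of a `false` return that is easy to forget to test.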