Commit 4eb2c674 authored by BuildTools's avatar BuildTools

fixed sql injection possibilities

parent 63c7c14e
......@@ -4,15 +4,16 @@
$db = new PDO('mysql:host=localhost;dbname=reservation', $user, $pass);
// todo prevent sql injection
$query = 'SELECT tables, opentime, closetime, event FROM opening WHERE date="' . $_GET["date"] . '"';
$result = $db->query($query)->fetch();
$statement = $db -> prepare("SELECT tables, opentime, closetime, event FROM opening WHERE date= ?");
$statement->execute(array($_GET["date"]));
$result = $statement->fetch();
$data = array("tables" => $result[0], "open" => $result[1], "close" => $result[2], "event" => $result[3]);
$query = 'SELECT start, end, tisch FROM reservations WHERE date="' . $_GET["date"] . '" AND ended = 0';
$result = $db->query($query);
$statement = $db -> prepare("SELECT start, end, tisch FROM reservations WHERE date = ? AND ended = 0");
$statement->execute(array($_GET["date"]));
$reservations = array();
foreach( $result as $row ){
foreach( $statement->fetchAll() as $row ){
if (!array_key_exists("T".$row["tisch"], $reservations)) {
$reservations["T".$row["tisch"]] = array();
}
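Review bot: The `// todo prevent sql injection` comment above the first prepared statement survives as context on the new side even though both queries are now parameterised; it should be deleted in the same change so the file does not advertise a hole that no longer exists. Separately, `$statement->fetch()` returns `false` when no `opening` row matches the requested date, and the following line then does `$result[0]` on `false`, so `$data` is silently built from nulls; guard it, e.g. `if ($result === false) { http_response_code(404); exit; }` before building `$data`, and consider `$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` so a failed `execute()` is not ignored. `$_GET["date"]` is also read without checking it is present or a valid date, which this page cannot confirm is validated elsewhere. The `foreach` over `$statement->fetchAll()` is opened in the hunk but its body continues outside it.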
......