Get parameter sanitized, added prepared statement (Fixes #1 and #8)

88f35b48 · Shevalda Gracielira · be10106f · 88f35b48
Commit 88f35b48 authored Feb 02, 2020 by Shevalda Gracielira
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 17 deletions

web/search_result/controller.php web/search_result/controller.php +25 -17

No files found.
--- a/web/search_result/controller.php
+++ b/web/search_result/controller.php
 <?php
-require_once ('view.php');
+require_once('view.php');

-class resultController {
-    public static function showResultController(array $params) {
-        if (isset($_COOKIE["login"])){
+class resultController
+{
+    public static function showResultController(array $params)
+    {
+        if (isset($_COOKIE["login"])) {
            $token = $_COOKIE["login"];
            $username = getUsername($token);
-        } else{
+        } else {
            $username = "NONE";
        }
-        $text = $params["search_text"];
+        $text = filter_var($params["search_text"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK);
        $result_data = self::getResultData($text);

        $params = ['username' => $username];
        $params["item"] = $result_data;
        searchResultView::viewResult($params);
    }
-    private static function getResultData($search_text){
+    private static function getResultData($search_text)
+    {
        $conn = connect_to_mysql();
-        if ($conn !== NULL){
-            $sql_query = 'SELECT T1.ID as ID, Judul, Pengarang, Deskripsi, avg(rating) as avg_rating, count(book_id) as count
-                          from ((SELECT * FROM books where Judul LIKE "%'.$search_text.'%") as T1 left join book_order on (T1.ID = book_order.book_id))
-                                left join review on (review.order_id = book_order.Nomor_Order) group by T1.ID';
-            $result = $conn->query($sql_query);
+        if ($conn !== NULL) {
+            $sql_query = "SELECT T1.ID as ID, Judul, Pengarang, Deskripsi, avg(rating) as avg_rating, count(book_id) as count
+                          from ((SELECT * FROM books where Judul LIKE CONCAT('%',?,'%')) as T1 left join book_order on (T1.ID = book_order.book_id))
+                                left join review on (review.order_id = book_order.Nomor_Order) group by T1.ID";
+
+            if ($stmt = $conn->prepare($sql_query)) {
+                $stmt->bind_param("s", $search_text);
+                $stmt->execute();
+                $result = $stmt->get_result();
+                $stmt->close();
+            }
+
            $conn->close();
-            if ($result != NULL){
+            if ($result != NULL) {
                return $result;
-            } else{
+            } else {
                return 0;
            }
-        } else{
+        } else {
            return 0;
        }
    }
 }
-
-?>
\ No newline at end of file