Get parameter sanitized, added prepared statement (Fixes #1 and #8)

web/search_result/controller.php

 <?php
-require_once ('view.php');
+require_once('view.php');
 
-class resultController {
-    public static function showResultController(array $params) {
-        if (isset($_COOKIE["login"])){
+class resultController
+{
+    public static function showResultController(array $params)
+    {
+        if (isset($_COOKIE["login"])) {
             $token = $_COOKIE["login"];
             $username = getUsername($token);
-        } else{
+        } else {
             $username = "NONE";
         }
-        $text = $params["search_text"];
+        $text = filter_var($params["search_text"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK);
         $result_data = self::getResultData($text);
 
         $params = ['username' => $username];
         $params["item"] = $result_data;
         searchResultView::viewResult($params);
     }
-    private static function getResultData($search_text){
+    private static function getResultData($search_text)
+    {
         $conn = connect_to_mysql();
-        if ($conn !== NULL){
-            $sql_query = 'SELECT T1.ID as ID, Judul, Pengarang, Deskripsi, avg(rating) as avg_rating, count(book_id) as count
-                          from ((SELECT * FROM books where Judul LIKE "%'.$search_text.'%") as T1 left join book_order on (T1.ID = book_order.book_id))
-                                left join review on (review.order_id = book_order.Nomor_Order) group by T1.ID';
-            $result = $conn->query($sql_query);
+        if ($conn !== NULL) {
+            $sql_query = "SELECT T1.ID as ID, Judul, Pengarang, Deskripsi, avg(rating) as avg_rating, count(book_id) as count
+                          from ((SELECT * FROM books where Judul LIKE CONCAT('%',?,'%')) as T1 left join book_order on (T1.ID = book_order.book_id))
+                                left join review on (review.order_id = book_order.Nomor_Order) group by T1.ID";
+
+            if ($stmt = $conn->prepare($sql_query)) {
+                $stmt->bind_param("s", $search_text);
+                $stmt->execute();
+                $result = $stmt->get_result();
+                $stmt->close();
+            }
+
             $conn->close();
-            if ($result != NULL){
+            if ($result != NULL) {
                 return $result;
-            } else{
+            } else {
                 return 0;
             }
-        } else{
+        } else {
             return 0;
         }
     }
 }
-
-?>
\ No newline at end of file