 
......@@ -34,14 +34,20 @@
private function fetchBookDetails() {
$conn = connect_to_mysql();
$sql_query = 'SELECT * FROM books WHERE id=' . $this->book_id;
$result = $conn->query($sql_query);
$sql_query = 'SELECT * FROM books WHERE id = ?';
if ($stmt = $conn->prepare($sql_query)) {
$stmt->bind_param("i", $this->book_id);
$stmt->execute();
$result = $stmt->get_result();
$this->book_detail = $result->fetch_assoc();
$stmt->close();
}
$conn->close();
$this->book_detail = $result->fetch_assoc();
if ($this->book_detail == NULL) {
$this->fetchsuccess = FALSE;
}
$conn->close();
}
private function fetchReviews() {
......@@ -52,11 +58,17 @@
FROM (
SELECT Nomor_Order, book_id, user_id
FROM books INNER JOIN book_order ON books.ID=book_id
WHERE books.id='. $this->book_id .') as T1
WHERE books.id = ?) as T1
INNER JOIN review ON Nomor_Order=order_id) as T2
INNER JOIN user ON user_id=user.id
';
$result = $conn->query($sql_query);
if ($stmt = $conn->prepare($sql_query)) {
$stmt->bind_param("i", $this->book_id);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
}
$conn->close();
if ($result != NULL) {
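Review bot: When `$conn->prepare()` returns false, neither hunk records the failure: in fetchBookDetails `$this->book_detail` is left untouched and `fetchsuccess` is never cleared, and in fetchReviews `$result` is never assigned, so the `if ($result != NULL)` check right after `$conn->close()` reads an undefined variable. Initialise the outputs before the `if` (`$this->book_detail = NULL;` in the first hunk, `$result = NULL;` in the second) or add `else { $this->fetchsuccess = FALSE; }` so a failed prepare is handled like an empty result instead of being silently skipped; logging `$conn->error` in that branch would make the failure visible. fetchReviews begins in the first hunk and its body continues past the end of the second.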
......@@ -6,7 +6,7 @@
$user = getUserInfo(getUserIDbyToken($user_token));
if (isset($_GET['id'])) {
$book_id = $_GET['id'];
$book_id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
$bookDetail = new bookDetailController($book_id, $user['username']);
$bookDetail->showBookDetail();
} else {
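Review bot: `FILTER_SANITIZE_NUMBER_INT` at the new `$book_id` assignment only strips characters rather than validating: `abc` becomes an empty string and `1;2` becomes `12`, and the empty string presumably ends up bound as integer 0 by the controller's `bind_param("i", ...)`. Validating gives the controller a known-good value: `$book_id = filter_var($_GET['id'], FILTER_VALIDATE_INT);` followed by `if ($book_id === false) { ... }` taking the same path as the missing-id `else` branch below.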
......@@ -6,11 +6,11 @@
public static function viewBookDetail($params) {
$book_detail = $params['book_detail'];
$reviews = $params['reviews'];
$book_rating = $params['book_rating'];
$book_rating = filter_var($params['book_rating'], FILTER_SANITIZE_NUMBER_INT);
echo Header::generateHead($book_detail['Judul'].' Book Detail', 'book_detail');
Body::outputInBody(
Header::headerLogin($params['username']).
Header::headerLogin(self::sanitizeString($params['username'])).
Header::headerMenu(Header::BROWSE).
self::generateBookDetail($book_detail, $reviews, $book_rating).
self::showScript().
......@@ -34,10 +34,10 @@
<div class="flex-container book-detail">
<div class="flex-1 book-desc">
<div class="title-author">
<div class="book-title orange-text" ><b>'.$book_detail['Judul'].'</b></div>
<div class="book-author">'.$book_detail['Pengarang'].'</div>
<div class="book-title orange-text" ><b>'.self::sanitizeString($book_detail['Judul']).'</b></div>
<div class="book-author">'.self::sanitizeString($book_detail['Pengarang']).'</div>
</div>
<div id="detail-paragraph">'.$book_detail['Deskripsi'].'</div>
<div id="detail-paragraph">'.self::sanitizeString($book_detail['Deskripsi']).'</div>
</div>
<div class="add-flex-direction-column" id="rightbar-pic" align="center">
<div class="flex-1">
......@@ -94,7 +94,7 @@
'</select>
</div>
<div align="right">
<button class="order-button c-button light-blue" type="button" onclick="orderBook('.$id.')">Order</button>
<button class="order-button c-button light-blue" type="button" onclick="orderBook('.self::sanitizeString($id).')">Order</button>
</div>
</div>';
return $str;
......@@ -118,11 +118,11 @@
<div class="flex-container align-items-flex-start">
<div class="flex-1 flex-review-tab">
<div class="reviewer-profile">
<img id="profile_pict" src="'.self::showPicture('user', $review['profile_picture']).'">
<img id="profile_pict" src="'.self::showPicture('user', filter_var($review['profile_picture'], FILTER_SANITIZE_URL)).'">
</div>
<div id="comment-user">
<div id="reviewer">@'.$review['username'].'</div>
<div id="detail-paragraph">'.filter_var($review['komentar'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK).'</div>
<div id="reviewer">@'.self::sanitizeString($review['username']).'</div>
<div id="detail-paragraph">'.self::sanitizeString($review['komentar']).'</div>
</div>
</div>
<div class="add-flex-direction-column">
......@@ -155,5 +155,9 @@
private function floatRating($rate) {
return number_format((float)$rate, 1, '.', '');
}
private function sanitizeString($input) {
return filter_var($input, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_STRIP_BACKTICK);
}
}
?>
\ No newline at end of file
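Review bot: `sanitizeString`, the new method at the end of the class, is declared as a non-static `private function` while every call site in this section invokes it as `self::sanitizeString(...)` from `public static function viewBookDetail`; under PHP 8 a non-static method called statically throws an Error, so it should read `private static function sanitizeString($input)` (`floatRating` above follows the same non-static pattern, and I cannot see whether its callers run in instance context). Its body relies on `FILTER_SANITIZE_STRING`, which is deprecated since PHP 8.1 and strips tags rather than encoding for the HTML context the values are emitted into; `return htmlspecialchars((string) $input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` is the context-appropriate escaper. Two call sites are in a different context: the `onclick="orderBook(...)"` argument in the @@ -94 hunk is a JavaScript literal and, if `$id` is the numeric book id, should be cast with `(int) $id`, and the `src` attribute in the @@ -118 hunk still needs attribute escaping after `FILTER_SANITIZE_URL`.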
<?php
require_once ("../database/accessDB.php");
$username = $_POST["username"];
$password = $_POST["password"];
$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
$password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
if (userExist($username, $password)){
login($username);
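Review bot: Running the submitted password through `FILTER_SANITIZE_STRING` at the second new assignment alters the credential before it reaches `userExist()`: tags are stripped and quotes are encoded, so a password containing `<`, `>`, `'` or `"` is silently changed, and the filter is deprecated since PHP 8.1. Injection protection belongs in the query (`userExist` is not visible here; if it uses a prepared statement like the other hunks in this commit, the filter adds nothing), and the password should reach whatever verification `userExist` performs unchanged, e.g. `$password = $_POST["password"] ?? '';`. The `??` default also avoids an undefined-index warning when the field is absent; the same applies to `$username`.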
......@@ -21,12 +21,14 @@
$conn = connect_to_mysql();
if ($conn !== NULL) {
$sql_query = 'INSERT INTO user (name, username, password, email, address, phone, profile_picture)
VALUES ("'. $name . '", "' . $username . '", "' . $password . '", "'
. $email . '", "' . $address . '", "' . $phonenumber . '", "null")';
$result = $conn->query($sql_query);
$conn->close();
VALUES (?, ?, ?, ?, ?, ?, "null")';
if ($stmt = $conn->prepare($sql_query)) {
$stmt->bind_param("ssssss", $name, $username, $password, $email, $address, $phonenumber);
$stmt->execute();
$stmt->close();
}
}
$conn->close();
}
function drawTick ($param, $listofaccounts) {
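Review bot: `$conn->close();` on the line after the `if ($conn !== NULL)` block runs unconditionally, so when `connect_to_mysql()` returns NULL the function fails with a method call on null instead of returning quietly; move the close inside the guarded block (where the removed `$conn->close();` was) or guard it with `if ($conn !== NULL) { $conn->close(); }`. A failed `prepare()` or `execute()` is also ignored in the new statement block, so a registration that never reached the table is indistinguishable to the caller from a successful one, and the registration handler then calls `login($username)` regardless. The values bound with `"ssssss"` include `$password` as received; the top of `insertNewUser` is outside this hunk, so if nothing there hashes it, `password_hash($password, PASSWORD_DEFAULT)` should be applied before binding.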
......@@ -7,7 +7,7 @@
$password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);
$email = filter_var($_POST["email"], FILTER_SANITIZE_EMAIL);
$address = filter_var($_POST["address"], FILTER_SANITIZE_STRING);
$phonenumber= filter_var($_POST["phonenumber"], FILTER_SANITIZE_NUMBER_INT);
$phonenumber = filter_var($_POST["phonenumber"], FILTER_SANITIZE_STRING);
insertNewUser($name, $username, $password, $email, $address, $phonenumber);
login($username);
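Review bot: Switching `$phonenumber` from `FILTER_SANITIZE_NUMBER_INT` to `FILTER_SANITIZE_STRING` widens what is accepted to any text with tags stripped, and `FILTER_SANITIZE_STRING` is deprecated since PHP 8.1. If the intent is to allow formatting characters such as `+`, spaces or dashes, validate against an explicit allow-list instead and reject `false`, e.g. `filter_var($_POST["phonenumber"] ?? '', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[0-9+() -]{1,20}$/']])` (the character set and length bound are illustrative). The `?? ''` default also avoids an undefined-index warning when the field is missing from the POST body.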