Merge branch 'master' of https://github.com/tegarajipangestu/secure-blog

h

Merge branch 'master' of https://github.com/tegarajipangestu/secure-blog
h
9e50a610 · daniarherikurniawan · 535f2101 · 8b342f34 · 9e50a610 · 9e50a610
Commit 9e50a610 authored 9 years ago by daniarherikurniawan
--- a/code/delete_post_action.php
+++ b/code/delete_post_action.php
@@ -12,7 +12,12 @@ if (isset($_SESSION["isLogin"])){
        exit();
    }else{
-		mysqli_query($con,"DELETE FROM post WHERE Post_Id=".$postid);
+        $stmt = $con->prepare(
+        "DELETE FROM post WHERE Post_Id=?");
+        $stmt->bind_param('i', $postid);
+        $stmt->execute();
+		// mysqli_query($con,"DELETE FROM post WHERE Post_Id=".$postid);
 		header("Location: index.php");
    }

--- a/code/getcomments.php
+++ b/code/getcomments.php
@@ -6,10 +6,21 @@ if (isset($_SESSION["isLogin"])){
    $contents = htmlspecialchars($_GET['contents'], ENT_QUOTES, 'UTF-8');
    $creatorid = $_SESSION["myId"];
    $con = phpsqlconnection();
-    $sql ="INSERT INTO comments (Comment_Id, Creator_Id, Post_Id, Contents) 
+    $stmt = $con->prepare(
-        VALUES (NULL".",".$creatorid.","."'".$postid."'".","."'".$contents."')";
+    "INSERT INTO comments (Comment_Id, Creator_Id, Post_Id, Contents) 
-    if (mysqli_multi_query($con, $sql)) {
+        VALUES (NULL,?,?,?)");
-        $getcommentsresult = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");    
+    $stmt->bind_param('iis', $creatorid, $postid, $contents);
+    // $stmt->execute();
+    // $sql ="INSERT INTO comments (Comment_Id, Creator_Id, Post_Id, Contents) 
+    //     VALUES (NULL".",".$creatorid.","."'".$postid."'".","."'".$contents."')";
+    if ($stmt->execute()) {
+        $stmt = $con->prepare("SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ? ORDER BY Time DESC");
+        $stmt->bind_param('i',$postid);
+        $stmt->execute();
+        $getcommentsresult = $stmt->get_result();
+        // $getcommentsresult = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");    
        while($comments = mysqli_fetch_array($getcommentsresult)) {                                
            echo
            "<li class=\"art-list-item\">
@@ -25,7 +36,7 @@ if (isset($_SESSION["isLogin"])){
            echo "</li>";
        }
    } else {
-        echo "Error: " . $sql . "<br>" . mysqli_error($con);
+        echo "Error: ". mysqli_error($con);
    }
 }else{
    header("Location: login.php"); /* Redirect browser */