Commit d533911d authored by Tegar Aji Pangestu's avatar Tegar Aji Pangestu

Use prepared statements

parent 7671a9ac
......@@ -45,8 +45,14 @@
$sharedPublicServer = computePublic($number1,$randomPrivate,$number2);
//masukin ke database
$sql = "UPDATE user SET base2=".$number2.", random=".$randomPrivate." WHERE User_Id=".$_SESSION["myId"];
mysqli_query($con,$sql);
$stmt = $con->prepare("UPDATE user SET base2=?, random=? WHERE User_Id=?");
$stmt->bind_param("iii", $number2, $randomPrivate, $_SESSION["myId"]);
$stmt->execute();
$stmt->close();
// $sql = "UPDATE user SET base2=".$number2.", random=".$randomPrivate." WHERE User_Id=".$_SESSION["myId"];
// mysqli_query($con,$sql);
// echo "Sini";
// echo "number1 = "+$number1; echo " ";
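Review bot: `$con->prepare()` returns `false` when the statement cannot be compiled (schema mismatch, lost connection), and the next line then calls `bind_param` on a boolean, so a database error surfaces as a fatal "call to a member function on bool" with no diagnostics; `execute()`'s return value is discarded as well. Guard both, e.g. `if ($stmt === false || !$stmt->execute()) { error_log($con->error ?: $stmt->error); }`, or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` once at connection setup so failures throw. The commented-out concatenated queries that the prepared statement replaces should be deleted rather than kept. The enclosing block starts before this hunk, so the origin of `$randomPrivate` is not visible; if it comes from `rand()` it is not suitable as a key-exchange private value and `random_int()` should be used.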
......@@ -68,8 +74,14 @@
$random = $row['random'];
$sharedKey = sharedPrivate($sharedPublicClient,$random,$base2);
// echo $shared_key; echo " ";
$sql = "UPDATE user SET shared_key=".$sharedKey." WHERE User_Id=".$_SESSION["myId"];
mysqli_query($con,$sql);
$stmt = $con->prepare("UPDATE user SET shared_key=? WHERE User_Id=?");
$stmt->bind_param("ii", $sharedKey, $_SESSION["myId"]);
$stmt->execute();
$stmt->close();
// $sql = "UPDATE user SET shared_key=".$sharedKey." WHERE User_Id=".$_SESSION["myId"];
// mysqli_query($con,$sql);
echo $sharedKey;
}
die();
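Review bot: `echo $sharedKey;` at the end of the hunk writes the server-derived shared secret into the HTTP response, so the value the prepared statement now stores safely still travels in the clear to the client; if this is the server side of a key agreement the client should derive the key itself and the line (like the commented `// echo $shared_key;` above it) should go, and if it is debug output it should go as well. Whether that line is new or pre-existing cannot be recovered from the rendered page. `prepare()` is also not checked for `false` and `execute()`'s result is ignored, so a failed UPDATE still reports the key as stored. The enclosing block starts before this hunk.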
......
......@@ -6,7 +6,7 @@ if (isset($_SESSION["isLogin"])){
$postid = $_GET['postid'];
$getpostresult = getspecificpost($con,$postid);
$row = mysqli_fetch_array($getpostresult);
$row = mysqli_fetch_array($getpostresult);
if ($row['Nama'] != $_SESSION['myNama']) {
header("Location: index.php"); /* Redirect browser */
exit();
......
......@@ -61,12 +61,20 @@ if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_
echo "Maaf Anda bukan pemilik post ini!";
} else {
if (isset($_FILES["image"])) {
mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid);
echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid;
$stmt = $con->prepare("UPDATE post SET Title=?,Date=?, Contents=?, Image=? WHERE Post_Id=?");
$stmt->bind_param('ssssi', $Judul, $Tanggal, $Konten, $target_file, $postid);
$stmt->execute();
// mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid);
// echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid;
}
else {
mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid);
echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid;
$stmt = $con->prepare("UPDATE post SET Title=?,Date=?, Contents=? WHERE Post_Id=?");
$stmt->bind_param('sssi', $Judul, $Tanggal, $Konten, $postid);
$stmt->execute();
// mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid);
// echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid;
}
header("Location: index.php");
}
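Review bot: `isset($_FILES["image"])` is true whenever the submitted form contained a file input, even when the user chose no file (`$_FILES['image']['error'] === UPLOAD_ERR_NO_FILE`), so the first branch runs and overwrites `Image` with whatever `$target_file` holds at that point (its validation is outside this hunk). Test the upload status instead: `if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {`. In both branches `execute()`'s return value is discarded before `header("Location: index.php")`, so a failed update redirects as if it had succeeded; use `if (!$stmt->execute()) { /* report $stmt->error */ }` and close the statement. The commented-out concatenated queries and the old debug `echo` lines should be deleted. The enclosing if-block starts before this hunk.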
......
......@@ -4,7 +4,13 @@
// remember the user
include 'mainviewer.php';
$con = phpsqlconnection();
$result = mysqli_query($con,"SELECT * FROM user WHERE Identifier='".$_COOKIE['userSimpleBlog']."' LIMIT 1");
$stmt = $con->prepare(
"SELECT * FROM user WHERE Identifier=? LIMIT 1");
$stmt->bind_param('s', $_COOKIE['userSimpleBlog']);
$stmt->execute();
$result = $stmt->get_result();
// $result = mysqli_query($con,"SELECT * FROM user WHERE Identifier='".$_COOKIE['userSimpleBlog']."' LIMIT 1");
$row = mysqli_fetch_array($result);
if (mysqli_num_rows($result) == 1){
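Review bot: `$_COOKIE['userSimpleBlog']` is bound without an `isset()` check, so a request without the remember-me cookie raises an undefined-index warning and binds `null`; skip the lookup entirely when the cookie is absent, e.g. `if (!isset($_COOKIE['userSimpleBlog'])) { return; }` (or the equivalent guard for this script) before `prepare()`. `prepare()` can also return `false`, which the code does not handle before calling `bind_param`. The cookie value is compared against the stored `Identifier` as-is; if it is a persistent login token, storing only a hash of it and comparing hashes limits the damage of a database leak — this cannot be confirmed from the hunk, and the surrounding code continues past it.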
......
......@@ -46,9 +46,16 @@ if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_
}
$con = phpsqlconnection();
$sql = "INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image)
VALUES (NULL".",".$creatorid.","."'".$Judul."'".","."'".$Tanggal."'".","."'".$Konten."'".","."'".$target_file."')";
if (mysqli_multi_query($con, $sql)) {
$stmt = $con->prepare("INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image)
VALUES (NULL,?,?,?,?,?)");
$stmt->bind_param('issss', $creatorid, $Judul, $Tanggal, $Konten, $target_file);
$stmt->execute();
// $result = $stmt->get_result();
// $sql = "INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image)
// VALUES (NULL".",".$creatorid.","."'".$Judul."'".","."'".$Tanggal."'".","."'".$Konten."'".","."'".$target_file."')";
if ($stmt->execute()) {
// echo "Huba";
header("Location: index.php");
} else {
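Review bot: The INSERT runs twice: `$stmt->execute();` at the top of the new code, then `if ($stmt->execute()) {` a few lines later, so every successful submission creates two rows in `post`. Delete the first bare `$stmt->execute();` and keep only the checked one, or store the result once: `$ok = $stmt->execute(); if ($ok) {`. `prepare()` is not checked for `false` either, and the commented-out concatenated query and stray `// $result = $stmt->get_result();` should be removed. The enclosing if-block starts before this hunk and the else branch continues past it.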
......
<?php
if (isset($_SESSION["isLogin"])){
function getpost($con)
{ $sql = "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC";
$result = mysqli_query($con,$sql);
{
$stmt = $con->prepare(
"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC");
// $stmt->bind_param('ss', $value, $value2);
$stmt->execute();
$result = $stmt->get_result();
// $row = $result->fetch_array(MYSQLI_NUM);
// $sql = "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC";
// $result = mysqli_query($con,$sql);
return $result;
}
function getspecificpost($con,$postid)
{
$result = mysqli_query($con,"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ".$postid);
$stmt = $con->prepare(
"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ?");
$stmt->bind_param('i', $postid);
$stmt->execute();
$result = $stmt->get_result();
// $result = mysqli_query($con,"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ".$postid);
return $result;
}
function getspecificcomments($con,$postid)
{
$result = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");
$stmt = $con->prepare(
"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ? ORDER BY Time DESC");
$stmt->bind_param('i', $postid);
$stmt->execute();
$result = $stmt->get_result();
// $result = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");
return $result;
}
}else{
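Review bot: In all three helpers `$con->prepare()` is used without a `false` check, so a schema mismatch or a dropped connection becomes a fatal "call to a member function on bool" instead of a reportable error; add `if ($stmt === false) { throw new \RuntimeException($con->error); }` after each `prepare()`, or enable `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` at connection setup. `get_result()` is only available with the mysqlnd driver, so callers that pass the result to `mysqli_fetch_array` will break on a libmysqlclient build — worth stating as a requirement in a comment above `getpost`. The commented-out originals and the placeholder `// $stmt->bind_param('ss', $value, $value2);` should be removed. The `if (isset($_SESSION["isLogin"]))` wrapper leaves these functions undefined for anonymous requests; its else branch continues past the hunk.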
......
......@@ -5,7 +5,13 @@ session_start();
$email = $_POST['email'];
$password = $_POST['password'];
$con = phpsqlconnection();
$result = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' LIMIT 1");
$stmt = $con->prepare(
"SELECT * FROM user WHERE Email='$email' LIMIT 1");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
// $result = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' LIMIT 1");
if ($result->num_rows == 0) {
// insert token too
$token = hash("sha256",(time()."".(rand(1000,1000000))));
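Review bot: The query still interpolates `$email` — `"SELECT * FROM user WHERE Email='$email' LIMIT 1"` has no `?` placeholder — so the SQL injection this commit sets out to remove is still present; `bind_param('s', $email)` against a statement with zero parameters fails with a warning and returns `false`, and `execute()` then runs the interpolated query anyway. Change the statement to `"SELECT * FROM user WHERE Email=? LIMIT 1"`. Separately, the token on the last line, `hash("sha256", time()."".rand(1000,1000000))`, is derived from the current time and a non-cryptographic `rand()`, so it is guessable from the registration timestamp; use `bin2hex(random_bytes(32))`. `$_POST['email']` and `$_POST['password']` are read without `isset()` guards, and `prepare()` is not checked for `false`. The enclosing code continues past the hunk.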
......