From d533911d7b9a62e6f9132005d8818cc1241bc752 Mon Sep 17 00:00:00 2001
From: tegarajipangestu <13512061@std.stei.itb.ac.id>
Date: Thu, 25 Feb 2016 19:15:51 +0700
Subject: [PATCH] Using prepared statement
---
 code/deffiehelman.php | 20 ++++++++++++++++----
 code/delete_post_action.php | 2 +-
 code/edit_post_action.php | 16 ++++++++++++----
 code/login.php | 8 +++++++-
 code/new_post_action.php | 13 ++++++++++---
 code/posthandling.php | 27 +++++++++++++++++++++++----
 code/signup_action.php | 8 +++++++-
 7 files changed, 76 insertions(+), 18 deletions(-)
diff --git a/code/deffiehelman.php b/code/deffiehelman.php
index e80c856..62d45fd 100644
--- a/code/deffiehelman.php
+++ b/code/deffiehelman.php
@@ -45,8 +45,14 @@ $sharedPublicServer = computePublic($number1,$randomPrivate,$number2); //masukin ke database
- $sql = "UPDATE user SET base2=".$number2.", random=".$randomPrivate." WHERE User_Id=".$_SESSION["myId"];
- mysqli_query($con,$sql);
+ $stmt = $con->prepare("UPDATE user SET base2=?, random=? WHERE User_Id=?");
+ $stmt->bind_param("iii", $number2, $randomPrivate, $_SESSION["myId"]);
+
+ $stmt->execute();
+ $stmt->close();
+
+ // $sql = "UPDATE user SET base2=".$number2.", random=".$randomPrivate." WHERE User_Id=".$_SESSION["myId"];
+ // mysqli_query($con,$sql);
 // echo "Sini"; // echo "number1 = "+$number1; echo " ";
@@ -68,8 +74,14 @@ $random = $row['random']; $sharedKey = sharedPrivate($sharedPublicClient,$random,$base2); // echo $shared_key; echo " ";
- $sql = "UPDATE user SET shared_key=".$sharedKey." WHERE User_Id=".$_SESSION["myId"];
- mysqli_query($con,$sql);
+ $stmt = $con->prepare("UPDATE user SET shared_key=? WHERE User_Id=?");
+ $stmt->bind_param("ii", $sharedKey, $_SESSION["myId"]);
+
+ $stmt->execute();
+ $stmt->close();
+
+ // $sql = "UPDATE user SET shared_key=".$sharedKey." WHERE User_Id=".$_SESSION["myId"];
+ // mysqli_query($con,$sql);
 echo $sharedKey; } die();
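Review bot: `$con->prepare()` and `$stmt->execute()` are both unchecked in the new block, so a failed prepare turns the following `bind_param` into a fatal call on `false`, and a failed execute leaves `base2`/`random` stale while the handshake continues as if they had been stored. A guard such as `if ($stmt === false || !$stmt->execute()) { die('could not store DH parameters'); }` keeps the stored values and the key computed later from them in step. The commented-out string-concatenated query should be deleted rather than left beside its replacement, since it is the injectable form this commit is removing. The enclosing branch starts outside the hunk.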
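Review bot: `$sharedKey` is bound with type `"i"` on the `bind_param` line, so if `sharedPrivate()` ever returns a value outside PHP's integer range (modular exponentiation with large DH parameters can overflow to a float; the function is not visible here) the value may be truncated on the way into `shared_key` and no longer match what the client computes. Binding it as a string, `$stmt->bind_param("si", $sharedKey, $_SESSION["myId"]);`, avoids that conversion if the column type allows it; otherwise the range of `sharedPrivate()` should be confirmed and documented. As in the first hunk, the execute result is discarded, so the context line `echo $sharedKey;` runs even when the key was not persisted.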
diff --git a/code/delete_post_action.php b/code/delete_post_action.php
index 0685d7c..a3716a3 100644
--- a/code/delete_post_action.php
+++ b/code/delete_post_action.php
@@ -6,7 +6,7 @@ if (isset($_SESSION["isLogin"])){ $postid = $_GET['postid']; $getpostresult = getspecificpost($con,$postid);
- $row = mysqli_fetch_array($getpostresult);
+ $row = mysqli_fetch_array($getpostresult);
 if ($row['Nama'] != $_SESSION['myNama']) { header("Location: index.php"); /* Redirect browser */ exit();
diff --git a/code/edit_post_action.php b/code/edit_post_action.php
index ea788d5..106f872 100644
--- a/code/edit_post_action.php
+++ b/code/edit_post_action.php
@@ -61,12 +61,20 @@ if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_ echo "Maaf Anda bukan pemilik post ini!"; } else { if (isset($_FILES["image"])) {
- mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid);
- echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid;
+ $stmt = $con->prepare("UPDATE post SET Title=?,Date=?, Contents=?, Image=? WHERE Post_Id=?");
+ $stmt->bind_param('ssssi', $Judul, $Tanggal, $Konten, $target_file, $postid);
+ $stmt->execute();
+
+ // mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid);
+ // echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'".", Image='".$target_file."' WHERE Post_Id=".$postid;
 } else {
- mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid);
- echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid;
+ $stmt = $con->prepare("UPDATE post SET Title=?,Date=?, Contents=? WHERE Post_Id=?");
+ $stmt->bind_param('sssi', $Judul, $Tanggal, $Konten, $postid);
+ $stmt->execute();
+
+ // mysqli_query($con,"UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid);
+ // echo "UPDATE post SET Title='".$Judul."'".","."Date='".$Tanggal."'".","."Contents='".$Konten."'"."WHERE Post_Id=".$postid;
 } header("Location: index.php"); }
diff --git a/code/login.php b/code/login.php
index b462a0d..1949fba 100644
--- a/code/login.php
+++ b/code/login.php
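Review bot: In both branches the return value of `$stmt->execute()` is ignored and control falls through to the context line `header("Location: index.php");`, so a failed update (a `prepare()` that returned `false`, which makes the `bind_param` call fatal, or an execute error) is presented to the user as success. Checking both steps, `if ($stmt === false || !$stmt->execute()) { http_response_code(500); exit('update failed'); }`, and calling `$stmt->close()` before the redirect would match what `deffiehelman.php` does in this same commit. The commented-out lines that rebuild and `echo` the old concatenated query should be removed outright: they no longer run, but they preserve both the injectable form and the query-echo leak this commit is closing. The enclosing ownership check and `if/else` begin outside the hunk.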
@@ -4,7 +4,13 @@ // remember the user include 'mainviewer.php'; $con = phpsqlconnection();
- $result = mysqli_query($con,"SELECT * FROM user WHERE Identifier='".$_COOKIE['userSimpleBlog']."' LIMIT 1");
+ $stmt = $con->prepare(
+ "SELECT * FROM user WHERE Identifier=? LIMIT 1");
+ $stmt->bind_param('s', $_COOKIE['userSimpleBlog']);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
+ // $result = mysqli_query($con,"SELECT * FROM user WHERE Identifier='".$_COOKIE['userSimpleBlog']."' LIMIT 1");
 $row = mysqli_fetch_array($result); if (mysqli_num_rows($result) == 1){
diff --git a/code/new_post_action.php b/code/new_post_action.php
index 10f0b66..6c173d3 100644
--- a/code/new_post_action.php
+++ b/code/new_post_action.php
@@ -46,9 +46,16 @@ if (isset($_SESSION["isLogin"]) && (isset($_POST['csrf_token']) && $_POST['csrf_ } $con = phpsqlconnection();
- $sql = "INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image)
- VALUES (NULL".",".$creatorid.","."'".$Judul."'".","."'".$Tanggal."'".","."'".$Konten."'".","."'".$target_file."')";
- if (mysqli_multi_query($con, $sql)) {
+
+ $stmt = $con->prepare("INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image) VALUES (NULL,?,?,?,?,?)");
+ $stmt->bind_param('issss', $creatorid, $Judul, $Tanggal, $Konten, $target_file);
+ $stmt->execute();
+ // $result = $stmt->get_result();
+
+ // $sql = "INSERT INTO post (Post_Id, Creator_Id, Title, Date, Contents, Image)
+ // VALUES (NULL".",".$creatorid.","."'".$Judul."'".","."'".$Tanggal."'".","."'".$Konten."'".","."'".$target_file."')";
+ if ($stmt->execute()) {
 // echo "Huba"; header("Location: index.php"); } else {
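Review bot: `$_COOKIE['userSimpleBlog']` is passed straight into `bind_param` on the new line with no `isset()` check, so a request that carries no remember-me cookie binds `null` and still makes a database round trip before the `mysqli_num_rows` test on the context line. Wrapping the lookup in `if (isset($_COOKIE['userSimpleBlog'])) {` (or returning early when it is absent) avoids that. `$con->prepare()` can return `false` and `$stmt->get_result()` requires the mysqlnd driver; neither is checked, so a failure surfaces as a fatal call on `false` rather than as a declined login. The cookie value acts as a bearer credential here (inferred from the `Identifier` lookup that admits the user), and the block that consumes `$row` continues outside the hunk.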
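Review bot: `$stmt->execute();` is called unconditionally on the fourth added line and then again in `if ($stmt->execute()) {`, so every successful submission inserts the post twice with the same bound values. Drop the first call and keep only the conditional one, `if ($stmt->execute()) {`. `$con->prepare()` is also unchecked; an `if ($stmt === false) { ... }` before `bind_param` would turn a schema or syntax problem into a handled error instead of a fatal call on `false`. The commented-out `$sql` concatenation and the `// $result = $stmt->get_result();` line are dead and should be removed. The `if/else` continues outside the hunk.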
@@ -1,18 +1,37 @@
 <?php if (isset($_SESSION["isLogin"])){ function getpost($con)
- { $sql = "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC";
- $result = mysqli_query($con,$sql);
+ {
+ $stmt = $con->prepare(
+ "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC");
+ // $stmt->bind_param('ss', $value, $value2);
+ $stmt->execute();
+ $result = $stmt->get_result();
+ // $row = $result->fetch_array(MYSQLI_NUM);
+ // $sql = "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id ORDER BY Date DESC";
+ // $result = mysqli_query($con,$sql);
 return $result; } function getspecificpost($con,$postid) {
- $result = mysqli_query($con,"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ".$postid);
+ $stmt = $con->prepare(
+ "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ?");
+ $stmt->bind_param('i', $postid);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
+ // $result = mysqli_query($con,"SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ".$postid);
 return $result; } function getspecificcomments($con,$postid) {
- $result = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");
+ $stmt = $con->prepare(
+ "SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ? ORDER BY Time DESC");
+ $stmt->bind_param('i', $postid);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
+ // $result = mysqli_query($con,"SELECT user.Nama , comments.* FROM comments INNER join user ON comments.Creator_Id = user.User_Id WHERE Post_Id = ".$postid." ORDER BY Time DESC");
 return $result; } }else{
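Review bot: None of the three new `$con->prepare()` calls checks for `false`, and no statement is ever closed, unlike the `$stmt->close()` added to `deffiehelman.php` in this same commit; a prepare failure becomes a fatal `bind_param`/`execute` call on a boolean, and a `get_result()` that returns `false` (it requires the mysqlnd driver) is handed to callers that pass it to `mysqli_fetch_array`. The three functions now repeat the same prepare/bind/execute/get_result sequence, so a helper that performs the check once removes the duplication; a sketch is below. Placeholder and dead lines such as `// $stmt->bind_param('ss', $value, $value2);` and `// $row = $result->fetch_array(MYSQLI_NUM);` should be deleted. Binding `$postid` with `'i'` is the right choice given that callers pass `$_GET['postid']`. The `if (isset($_SESSION["isLogin"]))` that wraps these function definitions continues past the hunk.

```php
// Prepare, bind (when $types is non-empty), execute and return the buffered
// result set; false when the statement could not be prepared or executed.
function runquery($con, $sql, $types = '', ...$params)
{
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    if ($types !== '') {
        $stmt->bind_param($types, ...$params);
    }
    $result = $stmt->execute() ? $stmt->get_result() : false;
    $stmt->close();
    return $result;
}

function getspecificpost($con,$postid)
{
    return runquery($con,
        "SELECT user.Nama , post.* FROM post INNER join user ON post.Creator_Id = user.User_Id WHERE Post_Id = ?",
        'i', $postid);
}
// … unchanged: getpost and getspecificcomments follow the same shape …
```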
diff --git a/code/signup_action.php b/code/signup_action.php
index eae8817..a33b03a 100644
--- a/code/signup_action.php
+++ b/code/signup_action.php
@@ -5,7 +5,13 @@ session_start(); $email = $_POST['email']; $password = $_POST['password']; $con = phpsqlconnection();
- $result = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' LIMIT 1");
+ $stmt = $con->prepare(
+ "SELECT * FROM user WHERE Email='$email' LIMIT 1");
+ $stmt->bind_param('s', $email);
+ $stmt->execute();
+ $result = $stmt->get_result();
+
+ // $result = mysqli_query($con,"SELECT * FROM user WHERE Email='$email' LIMIT 1");
 if ($result->num_rows == 0) { // insert token too $token = hash("sha256",(time()."".(rand(1000,1000000))));
-- GitLab
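Review bot: The new prepared query on the second added line still interpolates the request value, `"SELECT * FROM user WHERE Email='$email' LIMIT 1"`, so `$_POST['email']` enters the SQL text exactly as before and the injection this commit is meant to remove is still present; the `bind_param('s', $email)` that follows has no `?` to bind to and fails with a parameter-count mismatch, which is also unchecked. The text should be `"SELECT * FROM user WHERE Email=? LIMIT 1"` with the existing `bind_param` left as is, mirroring the `login.php` hunk in this same commit. Separately, the `$token` built on the context line from `time()` and `rand()` is predictable; if it is the value later matched against the `userSimpleBlog` cookie in `login.php` (inferred from the `Identifier` lookup there), it should come from a CSPRNG, e.g. `bin2hex(random_bytes(32))`. The surrounding `if` body continues outside the hunk.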