Escape texts before writing to database.

2023-12-30 10:36:23 +01:00
parent 7cd0ed9f58
commit 66af0a2bb7
4 changed files with 8 additions and 8 deletions


@@ -28,8 +28,8 @@ if (!isset($_POST['Speichern'])) {
<?php
} else {
$Autor = $_POST['Autor'];
$Text = $_POST['Text'];
$Autor = $db->real_escape_string($_POST['Autor']);
$Text = $db->real_escape_string($_POST['Text']);
$Datum = $_POST['Datum'];
$sql2 = 'UPDATE gb SET Autor = "' . $Autor . '", Text = "' . $Text . '", Datum = "' . $Datum . '" WHERE ID = "' . $_POST['id'] . '";';
$stmt2 = $db->prepare($sql2);
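Review bot: `$Datum` and `$_POST['id']` are still concatenated into the UPDATE string unescaped on the lines after the two new `real_escape_string()` calls, so the statement stays injectable through those fields; the INSERT in the second file section has the same gap for `$Datum`. Since the string is already handed to `$db->prepare()`, placeholders would cover every value at once: `$sql2 = 'UPDATE gb SET Autor = ?, Text = ?, Datum = ? WHERE ID = ?';` followed by `$stmt2->bind_param('ssss', $_POST['Autor'], $_POST['Text'], $_POST['Datum'], $_POST['id']);` (assuming `$db` is a mysqli connection, which the method names suggest). With bound parameters the `real_escape_string()` calls should be dropped, otherwise the stored text would contain the escape backslashes. The enclosing `else` branch continues outside the hunk, so the execute call is not visible here.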


@@ -24,8 +24,8 @@ if (!isset($_POST['Speichern'])) {
<?php
} else {
if ('' != $_FILES['Foto']['name']) {
$Autor = $_POST['Autor'];
$Text = $_POST['Text'];
$Autor = $db->real_escape_string($_POST['Autor']);
$Text = $db->real_escape_string($_POST['Text']);
$Datum = $_POST['Datum'];
$sql1 = 'INSERT INTO gb (ID, Autor, Text, Datum) VALUES (NULL, "' . $Autor . '", "' . $Text . '", "' . $Datum . '");';
$stmt1 = $db->prepare($sql1);