Escape texts before writing to database.

2023-12-30 10:36:23 +01:00
parent 7cd0ed9f58
commit 66af0a2bb7
4 changed files with 8 additions and 8 deletions
--- a/admin/inhalte/gb/edit.php
+++ b/admin/inhalte/gb/edit.php
@@ -28,8 +28,8 @@ if (!isset($_POST['Speichern'])) {

    <?php
 } else {
-    $Autor = $_POST['Autor'];
-    $Text = $_POST['Text'];
+    $Autor = $db->real_escape_string($_POST['Autor']);
+    $Text = $db->real_escape_string($_POST['Text']);
    $Datum = $_POST['Datum'];
    $sql2 = 'UPDATE gb SET Autor = "' . $Autor . '", Text = "' . $Text . '", Datum = "' . $Datum . '" WHERE ID = "' . $_POST['id'] . '";';
    $stmt2 = $db->prepare($sql2);