Update paidmails.php

-secured PDO query with bindParam

Update paidmails.php
-secured PDO query with bindParam
2c37c154 · Henoch Einbier · 9e5caba2 · 2c37c154
Commit 2c37c154 authored 5 years ago by Henoch Einbier
--- a/content/verdienen/paidmails.php
+++ b/content/verdienen/paidmails.php
@@ -2,12 +2,14 @@
 userstatus();
 head("Paidmailhistory");

-$paidmails = sql::$db->query("SELECT
+$paidmails = sql::$db->prepare("SELECT
                e.gueltig, e.tan, v.verdienst, v.beschreibung, v.mailtext, v.aufendhalt
                FROM " . _VMS_ . "_paidmails_empfaenger e
                LEFT JOIN " . _VMS_ . "_paidmails_versendet v ON v.tan = e.tan
-                WHERE e.uid=" . $_SESSION['uid'] . " && e.gueltig > " . time() . " && e.status=0
+                WHERE e.uid=:session_uid && e.gueltig > " . time() . " && e.status=0
                LIMIT 10");
+$paidmails -> bindParam(':session_uid', $_SESSION['uid'], PDO::PARAM_INT);
+$paidmails -> execute();
 while ($mail = $paidmails->fetch() ) {
    echo '
    <table border="1" id="mail_' . $mail['tan'] . '" width="100%">