From 34feaae95705a35c877e6a27bd8e9c0255b3a639 Mon Sep 17 00:00:00 2001
From: Henoch Einbier <axcessor@hotmail.com>
Date: Fri, 25 Oct 2019 23:57:12 +0300
Subject: [PATCH] Update anmelden.php -secured PDO query with bindParam
---
 content/intern/anmelden.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/content/intern/anmelden.php b/content/intern/anmelden.php
index 62d0f52..dd45502 100644
--- a/content/intern/anmelden.php
+++ b/content/intern/anmelden.php
@@ -31,9 +31,12 @@ if ($_POST['anmelden'] == "Jetzt anmelden!") {
 if ($_POST['agb'] != "ja") $error .= 'Du musst die AGBs bestätigen!<br>';
 // User mit der Datenbank abgleichen
 if (!$error) {
- $sql = sql::$db->query("SELECT `nickname` FROM " ._VMS_. "_userdaten WHERE nickname='" . $_POST['nickname'] . "'");
+ $sql = sql::$db->prepare("SELECT `nickname` FROM " ._VMS_. "_userdaten WHERE nickname=:nickname");
+ $sql -> bindParam(':nickname', $_POST['nickname'], PDO::PARAM_STR);
+ $sql -> execute();
 $nickname_check = $sql -> fetch();
- $sql = sql::$db->query("SELECT `emailadresse` FROM " ._VMS_. "_emaildaten WHERE emailadresse='" . $_POST['emailadresse'] . "'");
+ $sql = sql::$db->prepare("SELECT `emailadresse` FROM " ._VMS_. "_emaildaten WHERE emailadresse=:mail");
+ $sql -> bindParam(':mail', $_POST['emailadresse'], PDO::PARAM_STR);
 $mail_check = $sql -> fetch();
 if ($mail_check) $error .= 'Diese Emailadresse ist schon im System!<br>';
--
GitLab
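Review bot: The second prepared statement (the `emailadresse` lookup on `:mail`) is bound but never executed, so the following `$mail_check = $sql -> fetch();` runs against an unexecuted statement and yields false; the "Diese Emailadresse ist schon im System!" duplicate check is therefore silently disabled, whereas the removed `query()` call did run it. Add `$sql -> execute();` directly after the `bindParam(':mail', ...)` line, mirroring the nickname branch above it. Neither `execute()` call has its return value checked; unless the PDO connection is configured to throw on error (not visible in this hunk), a failed query would also make `fetch()` return false and let a duplicate through, so consider `if (!$sql -> execute()) $error .= '...';` or confirming the error mode at the `sql::$db` setup. Since a literal value is being passed, `bindValue` expresses the intent better than the by-reference `bindParam`, though it makes no difference here because `execute()` follows immediately. The enclosing `if (!$error)` block and the outer `if ($_POST['anmelden'] ...)` block continue past the end of the hunk.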