author | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 17:33:59 -0700 |
---|---|---|
committer | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 17:33:59 -0700 |
commit | 56b307dcf8ef44917e1bb6aef7a407368d13971f (patch) | |
tree | a573e234e1b2284f949554e091fa7b48a103b685 | |
parent | 00ea4b13768ec70a0a48685ac19df97cc7e649bc (diff) |
Resolve #2 by filtering out HTML code from replies
-rw-r--r-- | includes/reply_inc.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/includes/reply_inc.php b/includes/reply_inc.php
index d20c4ed..cf7a839 100644
--- a/includes/reply_inc.php
+++ b/includes/reply_inc.php
@@ -13,6 +13,10 @@ if (!isset($_SESSION['signed_in'])) {
     die('You must be signed in to reply to a thread.');
 }
+$reply_content = filter_var($_POST['reply_content'], FILTER_SANITIZE_STRING);
+$reply_to = $_GET['reply_to'];
+$post_author = $_SESSION['user_id'];
+
 $sql = "INSERT INTO posts(post_content, post_date, post_thread, post_author) VALUES(?, NOW(), ?, ?)";
 $stmt = mysqli_stmt_init($dbc);
@@ -20,7 +24,7 @@ if (!mysqli_stmt_prepare($stmt, $sql)) {
     die('Failed to process statement: ' . mysqli_error($dbc));
 }
-mysqli_stmt_bind_param($stmt, "sii", $_POST['reply_content'], $_GET['reply_to'], $_SESSION['user_id']);
+mysqli_stmt_bind_param($stmt, "sii", $reply_content, $reply_to, $post_author);
 mysqli_stmt_execute($stmt);
 mysqli_stmt_close($stmt);
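Review bot: Sanitising `$reply_content` with `FILTER_SANITIZE_STRING` at input time in the first hunk is the wrong layer for an XSS fix: the filter is deprecated as of PHP 8.1, it silently destroys legitimate text (a reply like `a < b` loses everything after the `<`, and quotes are stored as entities), and it does not cover non-HTML-body output contexts, so the reply can still be unsafe where it is rendered. The robust fix is to store the raw text and escape at the point of output with `htmlspecialchars($post_content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in whichever template prints `post_content` (not visible in this diff). The new `$reply_to = $_GET['reply_to'];` line also takes the thread id unvalidated; binding it with type `i` only coerces it, so use `$reply_to = filter_input(INPUT_GET, 'reply_to', FILTER_VALIDATE_INT);` and bail out with `if ($reply_to === null || $reply_to === false || trim((string) ($_POST['reply_content'] ?? '')) === '') { die('Invalid reply.'); }` so a missing id or an empty body is not inserted. I cannot see from this hunk whether the form carries a CSRF token; if it does not, a state-changing POST keyed only on `$_SESSION['user_id']` should get one. The script's top (session start and `$dbc` setup) lies outside the hunk.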