From 56b307dcf8ef44917e1bb6aef7a407368d13971f Mon Sep 17 00:00:00 2001
From: Cflip <36554078+cflip@users.noreply.github.com>
Date: Sat, 23 Jan 2021 17:33:59 -0700
Subject: Resolve #2 by filtering out HTML code from replies

---
 includes/reply_inc.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/reply_inc.php b/includes/reply_inc.php
index d20c4ed..cf7a839 100644
--- a/includes/reply_inc.php
+++ b/includes/reply_inc.php
@@ -13,6 +13,10 @@ if (!isset($_SESSION['signed_in'])) {
 die('You must be signed in to reply to a thread.');
 }
 
+$reply_content = filter_var($_POST['reply_content'], FILTER_SANITIZE_STRING);
+$reply_to = $_GET['reply_to'];
+$post_author = $_SESSION['user_id'];
+
 $sql = "INSERT INTO posts(post_content, post_date, post_thread, post_author) VALUES(?, NOW(), ?, ?)";
 $stmt = mysqli_stmt_init($dbc);
 
@@ -20,7 +24,7 @@ if (!mysqli_stmt_prepare($stmt, $sql)) {
 die('Failed to process statement: ' . mysqli_error($dbc));
 }
 
-mysqli_stmt_bind_param($stmt, "sii", $_POST['reply_content'], $_GET['reply_to'], $_SESSION['user_id']);
+mysqli_stmt_bind_param($stmt, "sii", $reply_content, $reply_to, $post_author);
 mysqli_stmt_execute($stmt);
 mysqli_stmt_close($stmt);
-- 
cgit v1.2.3
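Review bot: `FILTER_SANITIZE_STRING` on the new `$reply_content` line is deprecated as of PHP 8.1 and is lossy: it strips anything that looks like a tag and encodes quotes, so a legitimate reply such as `a < b` is mangled on write while the stored text is still not guaranteed safe for every output context. The more robust pattern is to store the submitted text as-is (`$reply_content = $_POST['reply_content'] ?? '';`) and escape at render time with `htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` wherever post_content is printed; if tag stripping is still wanted for issue #2, `strip_tags()` is the non-deprecated equivalent, but it does not replace output escaping. The new `$reply_to = $_GET['reply_to'];` line binds an unvalidated query parameter as `i`, so a non-numeric value is silently coerced to 0 rather than rejected; `$reply_to = filter_input(INPUT_GET, 'reply_to', FILTER_VALIDATE_INT) ?? die('Invalid thread.');` (or an explicit `=== false` check) would fail closed. Neither `$_POST['reply_content']` nor `$_GET['reply_to']` is checked for presence, so a missing field raises a warning and inserts an empty post; the same applies to the rebinding in the second hunk, which inherits whatever these assignments produce.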