Commit 90f92e50 authored by Sorrel Harriet's avatar Sorrel Harriet

minor correction to insecure version

parent 33758618
......@@ -4,8 +4,7 @@ $content = "<h1>Add a record</h1>";
// define a variable with path to the script which will process form
// -> $_SERVER["PHP_SELF"] is a path to the current script (index.php)
// -> htmlspecialchars() is used to replace special characters with HTML entities */
$action = htmlspecialchars($_SERVER["PHP_SELF"]."?page=add-record");
$action = $_SERVER["PHP_SELF"]."?page=add-record";
// fetch the artists so that we have access to their names and IDs
$sql = "SELECT id, first_name, last_name
......@@ -79,8 +78,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
$price = $_POST["price"];
// define the insertion query
$sql = sprintf("INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES (%d, %d, %d, %d, %d, %d)", $ean, $title, $artist_id, $genre, $year, $price);
$sql = "INSERT INTO record (ean, title, artist_id, genre, year, price)
VALUES ('$ean', '$title', '$artist_id', '$genre', '$year', '$price')";
// run the query to insert the data
$result = mysqli_query($link, $sql);
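Review bot: The INSERT in the second hunk now builds the query by interpolating `$ean`, `$title`, `$artist_id`, `$genre`, `$year` and `$price` — values read from `$_POST` a few lines earlier — straight into the SQL string, and the single quotes around each placeholder do not prevent a value containing a quote from changing the statement, so `mysqli_query($link, $sql)` executes whatever the request supplied. If this is the deliberately insecure teaching variant, a comment such as `// INSECURE: form input is concatenated into the SQL string — compare with the prepared-statement version` above `$sql` would make the intent explicit for readers; otherwise the values should be bound through a prepared statement as below. The first hunk has the same flavour of problem: dropping `htmlspecialchars()` from `$action` means the request path is written unescaped into the form's action attribute, so it is worth the same kind of marker comment there. The enclosing `if ($_SERVER["REQUEST_METHOD"] == "POST")` block starts before the hunk, so I cannot see whether any validation of the fields happens earlier in it.
```php
// … unchanged: reading the form fields from $_POST …
$stmt = mysqli_prepare($link, "INSERT INTO record (ean, title, artist_id, genre, year, price)
    VALUES (?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, "ssssss", $ean, $title, $artist_id, $genre, $year, $price);
$result = mysqli_stmt_execute($stmt);
```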
......