From 00c7a59b9d509e4244dda56245f9d8c07808cfae Mon Sep 17 00:00:00 2001
From: Benjamin Kraft
Date: Tue, 4 Apr 2023 22:20:08 +0200
Subject: [PATCH] more secure sql statements
---
 public/php/mysql_connect.php | 4 ++++
 public/php/post_feedback.php | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/public/php/mysql_connect.php b/public/php/mysql_connect.php
index d0dcf8e..600cb67 100644
--- a/public/php/mysql_connect.php
+++ b/public/php/mysql_connect.php
@@ -27,6 +27,10 @@ class MySQLConnection {
 return $this->mysqli->query($sql);
 }
 
+ public function prepare($sql): bool|mysqli_stmt {
+ return $this->mysqli->prepare($sql);
+ }
+
 public function changeDB($dbName): void {
 $this->dbName = $dbName;
 $this->mysqli->select_db($dbName);
diff --git a/public/php/post_feedback.php b/public/php/post_feedback.php
index 88b6f1a..b6189a4 100644
--- a/public/php/post_feedback.php
+++ b/public/php/post_feedback.php
@@ -1,15 +1,16 @@ query($sql);
+ VALUES (?, ?)";
+$stmt = $conn->prepare($sql);
+$result = $stmt->execute([$content, $projectName]);
 $response_array['result'] = json_encode($result);
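Review bot: The return type `bool|mysqli_stmt` on the new `prepare()` is wider than what `mysqli::prepare()` can yield, which is a statement object or `false`. Declaring it as `public function prepare(string $sql): mysqli_stmt|false` states the real contract and makes it plain to callers that the failure case must be handled before `execute()`. The string-based `query($sql)` wrapper in the context lines above stays public, so callers can still interpolate values into SQL. A short docblock on both methods, saying that `query()` is for constant statements only and that values go through `prepare()` placeholders, would record the intent of this commit. The class body starts and ends outside the hunk.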
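Review bot: `$stmt->execute([...])` is called directly on the return value of `$conn->prepare($sql)`, which the wrapper declares as `bool|mysqli_stmt`. If mysqli is not in exception mode, a failed prepare therefore ends in a fatal error on `false` rather than a defined error response. An `if ($stmt === false)` branch that sets `$response_array['result']` to the encoded failure before the execute would keep that path defined; so would calling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` where the connection is opened, which is not visible here. Passing the parameter array to `execute()` needs PHP 8.1 or later; on older runtimes the values have to be bound with `bind_param('ss', $content, $projectName)`. The upper part of this hunk is not visible on the page, so the origin of `$content` and `$projectName` cannot be checked; placeholders stop injection but do not validate length or allowed values.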