Pulling Data from database using PDO

I was asking about this bit in terms of the security risk of putting the values (0, 8) directly in the query string, without looking at the columns they actually use or knowing if there are others unused.

I’ve corrected the code and escaped the output:

$sql = $connection->prepare("SELECT p_cat_id, p_cat_title FROM product_categories");
$sql->execute();

while ($row = $sql->fetch(PDO::FETCH_ASSOC)) {
    // The id goes into a URL, so force it to an integer instead of echoing it raw.
    $p_cat_id = (int) $row['p_cat_id'];

    // ENT_QUOTES is needed because the attributes below are single-quoted;
    // the default flags on PHP versions before 8.1 leave ' unescaped.
    $p_cat_title = htmlspecialchars($row['p_cat_title'], ENT_QUOTES, 'UTF-8');

    echo "<li> <a href='shop_pdo.php?p_cat=$p_cat_id' class='nav-link'> $p_cat_title </a> </li>";
}

I have also escaped this one.

$sql = $pdo->prepare("SELECT product_id, product_title, product_price, product_img1 FROM products ORDER BY 1 DESC LIMIT 0, 8");
$sql->execute();

// rowCount() on a SELECT is driver-dependent; it is reliable with MySQL's buffered queries.
$result = $sql->rowCount();
if ($result === 0) exit('No rows');

while ($row = $sql->fetch(PDO::FETCH_ASSOC)) {
    // The id is used in URLs: cast to int instead of echoing it raw.
    $pro_id = (int) $row['product_id'];

    // ENT_QUOTES because the markup uses single-quoted attributes;
    // PHP versions before 8.1 do not escape ' by default.
    $pro_title = htmlspecialchars($row['product_title'], ENT_QUOTES, 'UTF-8');

    // intval() keeps the price numeric but discards any fractional part.
    $pro_price = intval($row['product_price']);

    // The filename comes from the database and lands in a src attribute, so escape it too.
    $pro_img1 = htmlspecialchars($row['product_img1'], ENT_QUOTES, 'UTF-8');

    echo "
        <div class='col-md-4 col-sm-6 single'>
            <div class='product'>
                <a href='details.php?pro_id=$pro_id'>
                <img
                    src='admin_area/product_images/$pro_img1'
                    class='img-fluid'
                />
                </a>

                <div class='text'>
                <h3><a href='details.php?pro_id=$pro_id'>$pro_title</a></h3>

                <p class='price'>$$pro_price</p>

                <p class='buttons'>
                    <a href='details.php?pro_id=$pro_id' class='btn btn-outline-primary'>View details</a>

                    <a href='details.php?pro_id=$pro_id' class='btn btn-primary'>
                    <i class='fa fa-shopping-cart'></i> Add to cart
                    </a>
                </p>
                </div>
            </div>
        </div>
    ";
}
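A version of the same product listing, added here as an example rather than code from the thread, that binds the LIMIT values as integer parameters instead of writing `0, 8` into the SQL string, and escapes every value (including the ids used in the hrefs) with ENT_QUOTES because the markup uses single-quoted attributes. The `$pdo` connection, table and column names are the ones used in the posts above; the page-number handling and the `e()` helper are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes $pdo is an existing PDO
// connection created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and
// PDO::ATTR_EMULATE_PREPARES => false.

// Escape for HTML text and attribute values. ENT_QUOTES matters here because
// the markup below uses single-quoted attributes, which the default flags of
// PHP versions before 8.1 do not escape.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Page size is a server-side constant; the page number comes from the request
// and is validated as an integer >= 1 before it is used anywhere.
$perPage = 8;
$page = filter_var($_GET['page'] ?? 1, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'default' => 1]]);
$offset = ($page - 1) * $perPage;

// LIMIT/OFFSET are bound as integers rather than interpolated into the SQL.
// PDO::PARAM_INT keeps them unquoted even if prepare emulation is turned on.
$stmt = $pdo->prepare(
    'SELECT product_id, product_title, product_price, product_img1
       FROM products
   ORDER BY product_id DESC
      LIMIT :limit OFFSET :offset'
);
$stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
$stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
$stmt->execute();

// fetchAll() returns an empty array when there are no rows, so the
// driver-dependent rowCount() check is not needed for a SELECT.
$products = $stmt->fetchAll(PDO::FETCH_ASSOC);
if ($products === []) {
    exit('No rows');
}

foreach ($products as $row) {
    $id    = (int) $row['product_id'];                       // ids are integers: cast, never echo raw
    $title = e($row['product_title']);
    $price = number_format((float) $row['product_price'], 2); // keeps cents, unlike intval()
    $img   = e($row['product_img1']);                         // stored filename is still untrusted data
    $link  = 'details.php?pro_id=' . $id;
    echo "<div class='product'>
            <a href='$link'><img src='admin_area/product_images/$img' class='img-fluid' /></a>
            <h3><a href='$link'>$title</a></h3>
            <p class='price'>\$$price</p>
          </div>";
}
```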
