Sql injection

2025-10-17 09:49:00 +02:00 · 2025-10-17 09:49:00 +02:00 · 68c043f777
commit 68c043f777
parent 5dc2ac7922
3 changed files with 17 additions and 4 deletions
--- a/.idea/vcs.xml
+++ b/.idea/vcs.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>
--- a/services/Access.php
+++ b/services/Access.php
@ -7,6 +7,7 @@ class Access
 {
    static function login($username, $password)
    {
+        // ADORO L'SQL INJECTION ' OR '1'='1
        global $conn;
        $query = "SELECT * FROM users WHERE DESCRIZIONE = '$username' AND PASSWORD = '$password'";
        return $conn->query($query);
--- a/services/Search.php
+++ b/services/Search.php
@ -8,10 +8,16 @@ class Search
    static function searchByUsername($username)
    {
        global $conn;
-        $query = "SELECT persone.* FROM users
-                    RIGHT JOIN persone ON persone.ID = users.ID_PERSONA
-                    WHERE users.DESCRIZIONE = '$username'";
-        return $conn->query($query);
+        $query = "SELECT persone.* 
+          FROM users 
+          RIGHT JOIN persone ON persone.ID = users.ID_PERSONA 
+          WHERE users.DESCRIZIONE = ?";
+
+        $stmt = $conn->prepare($query);
+        $stmt->bind_param("s", $username);
+        $stmt->execute();
+        $result = $stmt->get_result();
+        return $result;
    }

 }