Escape the string in order to prevent injections...

This commit is contained in:
Klaus-Uwe Mitterer 2016-08-09 20:22:52 +02:00
parent bf93fcd148
commit f93a6eba03

View file

@ -12,7 +12,7 @@ if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . $_GET["device"] . "' ORDER BY ts ASC;";
$sql = "SELECT ts, lat, lon FROM tracker WHERE device='" . mysqli_real_escape_string($conn, $_GET["device"]) . "' ORDER BY ts ASC;";
$result = $conn->query($sql);
if ($result->num_rows > 0) {