b.BuchID = $ID durch Prepared Statement ersetzt

2023-06-11 21:52:53 +02:00 · 2023-06-11 21:52:53 +02:00 · c9ddb8c3e8
parent 27432e2f56
commit c9ddb8c3e8
1 changed files with 28 additions and 19 deletions
--- a/buch_details.php
+++ b/buch_details.php
@ -18,15 +18,22 @@

    <div class="hauptcontainer">
        <?php
-            /* Übergebene ID des angeklickten Container speichern */
-            $containerID = $_GET['bookID'];
+            $servername = "localhost";
+            $username = "web_b-3";
+            $password = "een7Ao6s";
+            $dbname = "bibliothek_candle";

-            /* Buch ID abtrennen */
-            $ID = str_replace('book_container', '', $containerID);
+            $connection = 
+                mysqli_connect($servername, $username, $password, $dbname);

-            /* SQL-Befehl zusammenstellen */
-            $sql = "SELECT b.BuchID, b.Titel, b.Erscheinungsjahr, b.Bild, 
-            b.Verlag, GROUP_CONCAT(DISTINCT CONCAT(a.VorName, ' ', a.NachName) 
+            if (!$connection) {
+                die("Verbindung fehlgeschlagen: " . mysqli_connect_error());
+            }
+
+            /* SQL-Befehl vorbereiten */
+            $sql = $connection->prepare("SELECT b.BuchID, b.Titel, 
+            b.Erscheinungsjahr, b.Bild, b.Verlag, 
+            GROUP_CONCAT(DISTINCT CONCAT(a.VorName, ' ', a.NachName) 
            SEPARATOR ', ') AS 'Autor',
            GROUP_CONCAT(DISTINCT k.Name SEPARATOR ', ') AS 'Kategorie',
            b.ISBN, b.Klappentext AS 'Inhalt', sp.Bezeichnung AS 'Sprache',
@ -45,22 +52,24 @@
            INNER JOIN `sprache` AS sp ON sp.SprachenID = b.SprachenID
            INNER JOIN `buch_hat_stichwort` AS bhs ON bhs.BuchID = b.BuchID
            INNER JOIN `stichwort` AS st ON st.StichwortID = bhs.StichwortID
-            WHERE b.BuchID = $ID
-            GROUP BY b.BuchID;";
+            WHERE b.BuchID = ?
+            GROUP BY b.BuchID;");

-            $servername = "localhost";
-            $username = "web_b-3";
-            $password = "een7Ao6s";
-            $dbname = "bibliothek_candle";
+            // Parameter binden
+            $sql->bind_param("i", $ID);

-            $connection = 
-                mysqli_connect($servername, $username, $password, $dbname);
+            // Übergebene ID des angeklickten Container speichern
+            $containerID = $_GET['bookID'];

-            if (!$connection) {
-                die("Verbindung fehlgeschlagen: " . mysqli_connect_error());
-            }
+            // Buch ID abtrennen
+            $ID = str_replace('book_container', '', $containerID);
+
+            // SQL-Befehl ausführen
+            $sql->execute();
+
+            // Ergebnis speichern
+            $result = $sql->get_result();

-            $result = mysqli_query($connection, $sql);
            if (mysqli_num_rows($result) > 0) {
                while($row = mysqli_fetch_assoc($result)) {
                    $bookID = $row['BuchID'];