Merge pull request #52 from EyesOfNetworkCommunity/issue51

issue #51 injection SQL in Cookie
EyesOfNetworkCommunity · Feb 28, 2020 · ba82675 · ba82675
2 parents 78ce6ec + effaf43
commit ba82675
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/include/classes/Translator.class.php b/include/classes/Translator.class.php
@@ -46,7 +46,15 @@ public function __construct()
 
 		// Check if user default lang is defined
 		if(isset($_COOKIE['user_id'])){
-			$lang = mysqli_result(sqlrequest($database_eonweb,"select user_language from users where user_id='".$_COOKIE['user_id']."'"),0);
+			$idUser =$_COOKIE['user_id'];
+			$conn = connexionDB($database_eonweb);
+			$stmt = $conn->prepare("SELECT user_language from users where user_id= :idUser");
+			$stmt->bindParam(':idUser', $idUser);
+			$stmt->execute();
+			$result = $stmt->fetch(); 
+			$lang=$result["user_language"];
+			$stmt=null;
+			$conn=null;
 		}
 
 		// Check if isset browser lang

diff --git a/include/function.php b/include/function.php
@@ -113,6 +113,19 @@ function sqlrequest($database,$sql,$id=false,$prepare=false){
 	return $result;
 }
 
+function connexionDB($database){
+    global $database_host;
+    global $database_username;
+    global $database_password;
+    try {
+        $dbh = new PDO("mysql:host=$database_host;dbname=$database", $database_username, $database_password);
+        return $dbh;
+    } catch (PDOException $e) {
+        print "Erreur !: " . $e->getMessage() . "<br/>";
+        die();
+    }
+}
+
 // Display array value
 function display_value($value, $key){
 	echo "$value\n";