From 4c6ede19a3fb6b84df07d9d4717589960b62eb28 Mon Sep 17 00:00:00 2001
From: BodgeMaster <>
Date: Thu, 12 Mar 2020 23:14:03 +0100
Subject: [PATCH] fixed html injection
---
 threadr/board/board.php | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/threadr/board/board.php b/threadr/board/board.php
index d29a57e..dee5fbc 100644
--- a/threadr/board/board.php
+++ b/threadr/board/board.php
@@ -5,20 +5,27 @@
 $statement->execute(array("bid"=>$id));
 foreach($statement->fetchAll() as $ROW) {
 $statement = $pdo->prepare("SELECT * FROM users WHERE id=:uid");
 $statement->execute(array("uid"=>$ROW[user_id]));
- $post_user = $statement->fetch();
- echo "
";
- echo "

$ROW[title]

";
- echo "
";
- echo "
";
- echo "
";
- echo "

$post_user[name]

";
- echo "
";
- echo "
";
- echo "
";
- echo "

$ROW[content]

";
- echo "
";
- echo "
";
- echo "
+
+ $post_creator = $statement->fetch();
+
+ $post_title = htmlspecialchars($ROW['title']);
+ $post_creator_name = htmlspecialchars($post_creator['name']);
+ $post_time = htmlspecialchars($ROW['post_time']);
+ $post_content = htmlspecialchars($ROW['content']);
+
+ echo "
+

$post_title

+
+
+
+

$post_creator_name

+
+
+
+

$post_content

+
+
+
";
 }
 ?>
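Review bot: The four `htmlspecialchars()` calls added before the `echo` rely on the default flags, which on the PHP versions current at this commit (pre-8.1) are `ENT_COMPAT`: double quotes are encoded but single quotes are not, so a value interpolated into a single-quoted attribute can still close it, and without `ENT_SUBSTITUTE` a string containing an invalid UTF-8 sequence is returned as an empty string instead of being rendered. Passing the flags explicitly closes both gaps, e.g. `$post_title = htmlspecialchars($ROW['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, with the same two extra arguments on the `$post_creator_name`, `$post_time` and `$post_content` lines. `$post_time` is escaped but does not appear in any of the echoed fragments visible in this hunk; if it is unused it can be dropped, and if it is interpolated inside an attribute the `ENT_QUOTES` flag above is what actually protects it. `$statement->fetch()` returns `false` when no user row matches `$ROW[user_id]`, in which case `$post_creator['name']` yields null (with a notice on 7.4+) and escapes to an empty creator name; a `$post_creator['name'] ?? ''` or an explicit check would make that case visible rather than silently rendering a blank.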