From 9c236bba83d434a082a7510536b2a4c758b0b7c6 Mon Sep 17 00:00:00 2001
From: Jonas Leder <jonas@jonasled.de>
Date: Wed, 16 Mar 2022 10:18:46 +0100
Subject: [PATCH] fix two times sql injection possible

---
 public/API/queries/blogPost.php | 3 ++-
 public/API/queries/comments.php | 1 +
 public/API/queries/skills.php   | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/public/API/queries/blogPost.php b/public/API/queries/blogPost.php
index 6f3d732..117ecf0 100644
--- a/public/API/queries/blogPost.php
+++ b/public/API/queries/blogPost.php
@@ -39,6 +39,7 @@ function blogPost($id, $conn)
 function blogPosts($count, $contentLength, $conn)
 {
     $response = [];
+    $count = $conn->real_escape_string($count);
     $result = $conn->query("SELECT * FROM posts order by id desc limit $count");
     if ($result->num_rows > 0) {
         while ($row = $result->fetch_assoc()) {
@@ -62,4 +63,4 @@ function blogPosts($count, $contentLength, $conn)
     }
     
     return $response;
-}
\ No newline at end of file
+}
diff --git a/public/API/queries/comments.php b/public/API/queries/comments.php
index 3b3d46b..de1f3c4 100644
--- a/public/API/queries/comments.php
+++ b/public/API/queries/comments.php
@@ -18,6 +18,7 @@ $commentField = new ObjectType([
 function comments($article, $conn)
 {
     $response = [];
+    $article = $conn->real_escape_string($article);
     $result = $conn->query("SELECT * FROM comments WHERE article='$article'");
     while ($row = $result->fetch_assoc()) {
         $commentElement = [
diff --git a/public/API/queries/skills.php b/public/API/queries/skills.php
index 3167065..5bd97da 100644
--- a/public/API/queries/skills.php
+++ b/public/API/queries/skills.php
@@ -20,4 +20,4 @@ function getSkills() {
                 array_push($response, $skill["Key"]);
         }
         return $response;
-}
\ No newline at end of file
+}
-- 
GitLab