0

   <?php
 
$mysqli = new mysqli("localhost", "root", "", "aspire"); or die ('Error connecting to MySQL!');
 
$earnedpoints = false;
$account = $_POST['name'];
$account = mysqli_real_escape_string($account);
 
if ($account == "") {
    echo 'Enter an account name!';
    exit();
}
 
$ip = $_SERVER['REMOTE_ADDR'];
$time = time();
 
$stmt = $mysqli_prepare("SELECT *, SUM(`times`) as amount FROM votingrecords WHERE account='$account' OR ip='$ip'");
$lasttime = mysqli_fetch_array($stmt);
$amount = $lasttime['amount'];
$insertnew = false;    
if ($amount == "") {
    $insertnew = true;
}
$timecalc = $time - $lasttime['date'];
if (!$insertnew) {
    if ($timecalc < 21600) {  
        echo ' Hello '. $account .' you have already voted with this account ('. $account .') or IP ('. $ip .') in the last 6 hours!';
        echo ' Last voted on: '. date('M d\, h:i:s A', $lasttime['date']) .'';
        echo '<html>';
        echo '<head>';
        echo '<meta HTTP-EQUIV="REFRESH" content="10; url=http://www.">';
        echo '</head>';
        echo '<body>';
        echo '<br><br>You will be redirected to the main website in 10 seconds.';
        echo '</body>';
        echo '</html>';
        exit();
    } else {                
        $update = $mysqli_prepare("UPDATE votingrecords SET account='$account', date='$time', times=times+1 WHERE ip='$ip'");
            if (!$update) {
                $message  = 'Invalid query: ' . mysql_error() . "\n";
                $message .= 'Whole query: ' . $update;
                die($message);
            } else {
                $earnedpoints = true;
            }
        }
} else {
    $success = $mysqli_prepare("INSERT INTO votingrecords (`account`, `ip`, `date`, `times`) VALUES ('$account', '$ip', '$time', 1)");
    if (!$success) {
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $success;
            die($message);
    } else {
        $earnedpoints = true;
    }
}
 
 
 
 
if ($earnedpoints) {
    $points = $mysqli_prepare("UPDATE accounts SET votepoints = votepoints + 2 WHERE name='$account'");                
    if (!$points) {
 
            $message  = 'Invalid query: ' . mysql_error() . "\n";
            $message .= 'Whole query: ' . $stmt;
            die($message);
    }
 $stmt->execute();
    $stmt->close();
    echo '<html>';
    echo '<head>';
    echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.gtop100.com/">';
    echo '</head>';
    echo '</html>';
} else {
    echo 'There was an error processing your request.';
    exit();
}
?>

Hello everyone,

This is a follow up post from my previous PHP script. I'm still very inexperienced and almost have no idea what I'm doing and all tutorials that I've seen weren't very helpful much.

I'm wondering if this new script is better and is actually SQL Injection Proof. Thank you in advance.

John Smith
  • 1
  • 1
  • No it is not. `mysqli_real_escape_string` does nothing with out a connection string. You should parameterize though. Prepared statements without placeholders are just as susceptible to injections. – chris85 Jun 19 '17 at 15:10
  • I hope this question belongs to https://codereview.stackexchange.com/ – manian Jun 19 '17 at 15:13
  • I'm really curious about why so many developers are reluctant to use prepared statements. Is it because incoherent APIs or poor documentation? I don't think nobody picks the most verbose syntax on purpose. – Álvaro González Jun 19 '17 at 15:24

0 Answers0