TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove: Deprecated MySQLi functions - convert to OOP prepared statements

Browse Source 
- create_bar_tab.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_num_rows/mysqli_error with OOP prepared statements
- submit_order.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_error with OOP prepared statements
- fetch_drinks.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_fetch_assoc with OOP prepared statements
- comment_box.php: Removed mysqli_real_escape_string(), added CSRF token validation for comment submission

All files now use consistent OOP MySQLi approach with proper parameter binding. Fixes PHP 8.1+ compatibility and improves security against multi-byte character injection.
This commit is contained in:
twotalesanimation
2025-12-03 19:52:54 +02:00
parent 4c839d02c0
commit 45523720ea
4 changed files with 43 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
submit_order.php
View File

@@ -19,14 +19,16 @@ if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
foreach ($drinks as $drink) {
$drink_id = (int) $drink['item_id']; // Ensure drink ID is an integer
$drink_name = mysqli_real_escape_string($conn, $drink['item_name']);
$drink_name = $drink['item_name']; // No escaping needed with prepared statements
$drink_price = (float) $drink['item_price']; // Ensure price is a float
$user_id = (float) $drink['user_id']; // Ensure price is a float
$user_id = (int) $drink['user_id']; // Convert to integer
// Insert each drink into the bar_transactions table
$sql = "INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES ('$user_id', '$tab_id', '$drink_id', '$drink_name', '$drink_price')";
if (!mysqli_query($conn, $sql)) {
$errors[] = "Error inserting drink ID $drink_id: " . mysqli_error($conn);
// Insert each drink into the bar_transactions table using prepared statement
$stmt = $conn->prepare("INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param("iiisi", $user_id, $tab_id, $drink_id, $drink_name, $drink_price);
if (!$stmt->execute()) {
$errors[] = "Error inserting drink ID $drink_id: " . $conn->error;
}
}