commit 690dc40ac30fa277039fd54eee941ca7b3b9b7ee
from: Jeremy Jackson
date: Wed May 10 11:43:30 2023 UTC

Update search.php to use prepared statement.

commit - 7a8d3060c7b9cc65d45c82f630730bb668c4f878
commit + 690dc40ac30fa277039fd54eee941ca7b3b9b7ee
blob - e918ad510afdb241d08548712ea898120fd22f0d
blob + 612723cee776d69bbf8464745efe462c5506e30f
--- alexandria/search.php
+++ alexandria/search.php
@@ -110,14 +110,26 @@ function numremove($word)
 for ($i = 1; $i < sizeof($words); $i++) $query .= " AND (g.name LIKE \"%" . $words[$i] . "%\"" . numremove($words[$i]) . ')';
 $query .= ")";
 }
- else $query .= "(g.name LIKE \"%$search%\"" .numremove($search) . ")";
+ else $query .= "(g.name LIKE ?)";
- if ($system != "") $query .= " AND g.system='$system'";
+ $searchingBySystem = $system != "";
+ if ($searchingBySystem) $query .= " AND g.system=?";
+
 $query .= " ORDER BY g.name, g.system";
- $result = $mysqli->query($query) or die("Error fetching game information!");
+ $statement = $mysqli->prepare($query);
+ if ($mode == "" && $searchingBySystem) {
+ $searchString = "%$search%".numremove($search);
+ $statement->bind_param('ss', $searchString, $system);
+ } else if ($searchingBySystem) {
+ $statement->bind_param('s', $system);
+ }
+
+ $statement->execute();
+ $result = $statement->get_result() or die("Error fetching game information!");
+
 print "Search Results";
 include("main-header.txt");
 ?>
@@ -142,7 +154,7 @@ function numremove($word)
 print 'Game NameShrine Status';
 $i = 0;
- while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
+ while ($row = $result->fetch_assoc())
 {
 if ($i <= (($page - 1) * MAX_RESULTS) - 1) {$i++; continue;}
 if ($i > ($page * MAX_RESULTS) - 1) break;
 $gid = $row['gid'];
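Review bot: The bind block leaves the single-term, no-system case unbound: when `$mode == ""` and `$searchingBySystem` is false, `$query` still contains the `g.name LIKE ?` placeholder but neither branch calls `bind_param`, so `execute()` fails and the page dies at the `get_result()` check; the `$mode == ""` branch should bind `$searchString` whether or not a system filter is present, as below. Separately, `numremove($search)` is now concatenated into the bound value rather than into the SQL; from its use on the for-line in the context (between the closing quote of the LIKE literal and the `)`) it appears to return a SQL fragment (its definition is outside the hunk), in which case that text is now matched literally as part of the LIKE pattern and the original alternative match is lost — it should go into `$query` with its own placeholder, or be dropped from `$searchString` if it is meant to be part of the pattern. The multi-word branch in the context lines (`$query .= " AND (g.name LIKE \"%" . $words[$i] . "%\"" ...`) still interpolates the user-supplied terms into the query string, so the prepared statement only covers the single-term path; the enclosing code starts before the hunk. `prepare()` and `execute()` both return false on failure and neither result is checked before use, so the file's existing pattern applies: `$statement = $mysqli->prepare($query) or die("Error fetching game information!");` and `$statement->execute() or die("Error fetching game information!");`.
```php
$statement = $mysqli->prepare($query) or die("Error fetching game information!");
if ($mode == "") {
    // TODO(review): confirm what numremove() returns; if it is SQL it belongs in $query, not in the bound value
    $searchString = "%$search%" . numremove($search);
    if ($searchingBySystem) {
        $statement->bind_param('ss', $searchString, $system);
    } else {
        $statement->bind_param('s', $searchString);
    }
} else if ($searchingBySystem) {
    $statement->bind_param('s', $system);
}
$statement->execute() or die("Error fetching game information!");
// … unchanged: get_result(), header output …
```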