From d481234926de6a9434aaa7c014486d04d7b14fc6 Mon Sep 17 00:00:00 2001
From: bochard
Date: Mon, 22 Dec 2025 11:11:09 +0800
Subject: [PATCH] now using prepared statements for guestbook

---
 guestbook.php | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/guestbook.php b/guestbook.php
index 6ddd1e5..a5dfcb6 100644
--- a/guestbook.php
+++ b/guestbook.php
@@ -44,8 +44,22 @@
 // query
 $sql = "INSERT INTO entries (name, country, website, email, comment, ip_addr)
- VALUES ('$name', '$country', '$website', '$email', '$comment', '$ip_addr');";
- $conn->query($sql); // submit query
+ VALUES (?, ?, ?, ?, ?, ?);";
+
+ $stmt = $conn->prepare($sql);
+ if(!$stmt){
+ die("Prepare failed: {$conn->error}");
+ }
+
+ // s = string
+ $stmt->bind_param("ssssss", $name, $country, $website, $email, $comment, $ip_addr);
+ if(!$stmt->execute()){
+ die("Execute failed: {$stmt->error}");
+ }
+
+ $stmt->close();
+
+ //~ $conn->query($sql); // submit query
 header("Location: " . $_SERVER["PHP_SELF"]);
 die();
-- 
2.39.5
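Review bot: The two new failure branches, `die("Prepare failed: {$conn->error}")` and `die("Execute failed: {$stmt->error}")`, write the raw MySQL error text into the HTTP response, which can expose table and column names or server details to whoever submitted the form; log the driver message server-side and return a generic response instead, e.g. `error_log("guestbook insert failed: {$stmt->error}"); http_response_code(500); die('Unable to save your entry.');` (and the same shape for the prepare branch). The bound values presumably come from the submitted form, so the switch to `bind_param` is the right fix for the interpolation it replaces; the commented-out `//~ $conn->query($sql); // submit query` line is now dead code and should be deleted rather than kept. The enclosing block starts and ends outside the hunk.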