change mysqli -> PDO, prepared statements

2022-08-24 13:04:16 +00:00 · 2022-08-24 13:04:16 +00:00 · c58ab04d1b
parent 258edc97f7
commit c58ab04d1b
1 changed files with 37 additions and 21 deletions
--- a/index.php
+++ b/index.php
@ -3,7 +3,7 @@ require_once './conf.php';

 define("SHORTER_NAME", "shortr");
 define("SHORTER_VERSION", "v0.1");
-define("HASH_LENGTH", 4);
+define("HASH_LENGTH", 8);
 define("CHARSET", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");

 $url = "";
@ -11,19 +11,17 @@ $link = "";
 $callback = "NO";

 function db_connect() {
-	if (!$mysqli = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME)) {
-		return false;
-	}
-	return $mysqli;
+	$dbh = new PDO('mysql:host='. DB_HOST . ';dbname='. DB_NAME , DB_USER, DB_PASS);
+	return $dbh;
 }

-function count_urls($mysqli) {
-	$count = mysqli_num_rows(mysqli_query($mysqli, "SELECT * FROM ". DB_TABLE));
-	return $count;
+function count_urls($dbh) {
+	$sth = $dbh->query("SELECT id FROM ". DB_TABLE);
+	return $sth->fetchColumn();
 }

-function generate_short($url, $mysqli) {
-	$url = mysqli_real_escape_string($mysqli, $url);
+function generate_short($url, $dbh) {
+
 	if(!preg_match("/^((https?|ftp)[:\/\/].*\/{2,})/i",$url)) {
 		return false;
 	}
@ -35,30 +33,48 @@ function generate_short($url, $mysqli) {
 	} else {
 		$clientip = $_SERVER['REMOTE_ADDR'];
 	}
-	$result = mysqli_query($mysqli, "SELECT id FROM " . DB_TABLE . " WHERE url='$url'");
-	if ($row = mysqli_fetch_assoc($result)) {
+
+
+	$sth = $dbh->prepare("SELECT id FROM " . DB_TABLE . " WHERE url=?");
+	$sth->bindParam(1, $url, PDO::PARAM_STR);
+	$sth->execute();
+	if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
 		$hash = $row['id'];
 	} else {
+
 		$charset = str_shuffle(CHARSET);
 		$hash = substr($charset, 0, HASH_LENGTH);
-		while (mysqli_num_rows(mysqli_query($mysqli, "SELECT * FROM " . DB_TABLE . " WHERE id='$hash'")) > 0) {
+
+		$sth = $dbh->prepare("SELECT COUNT(*) FROM " . DB_TABLE . " WHERE id=?");
+		$sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+		$sth->execute();
+
+		while ($sth->fetchColumn() > 0) {
 			$hash = substr($charset, 0, HASH_LENGTH);
+			$sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+			$sth->execute();
 		}
-		$result = mysqli_query($mysqli, "INSERT INTO " . DB_TABLE . " (id, url, ip, count) VALUES ('$hash', '$url', '$clientip', '0')");
-		if (!mysqli_affected_rows($mysqli)) {
+
+		$sth = $dbh->prepare("INSERT INTO " . DB_TABLE . " (id, url, ip, count) VALUES (?, ?, ?, '0')");
+		$sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+		$sth->bindParam(2, $url, PDO::PARAM_STR);
+		$sth->bindParam(3, $clientip, PDO::PARAM_STR, 255);
+		if (!$sth->execute()) {
 			print "FAILURE INSERTING\n";
 		}
 	}
 	return $hash;
 }

-function find_short($hash, $mysqli) {
-	$hash = mysqli_real_escape_string($mysqli, $hash);
-	$result = mysqli_query($mysqli, "SELECT * FROM " . DB_TABLE . " WHERE id='$hash'");
-	if ($row = mysqli_fetch_assoc($result)) {
+function find_short($hash, $dbh) {
+	$sth = $dbh->prepare("SELECT * FROM " . DB_TABLE . " WHERE id=?");
+	$sth->bindParam(1, $hash, PDO::PARAM_STR, HASH_LENGTH);
+	$sth->execute();
+	if ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
 		$link = $row['url'];
-		mysqli_query($mysqli, "UPDATE " . DB_TABLE . " SET count='" . ($row['count'] + 1) . "' WHERE id='" . $row['id'] . "'");
-
+		$sth = $dbh->prepare("UPDATE " . DB_TABLE . " SET count = count + 1 WHERE id=?");
+		$sth->bindParam(1, $row['id'], PDO::PARAM_STR, HASH_LENGTH);
+		$sth->execute();	
 	} else {
 		$link = false;
 	}