From 2dca5edfc41cf62e966ebef57d6a5c7e289e62c2 Mon Sep 17 00:00:00 2001 From: "barraux.a" Date: Sat, 20 Nov 2021 15:29:38 +0100 Subject: [PATCH] =?UTF-8?q?fin=20du=20passage=20=C3=A0=20sqlite=20et=20pre?= =?UTF-8?q?otection=20des=20injections?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- database/ticket_panne.db | Bin 16384 -> 16384 bytes referant/cible/export.php | 6 ++---- referant/cible/search.php | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/database/ticket_panne.db b/database/ticket_panne.db index c5d7b10ea354bb09a8b4747ddef54ca0b674f75c..6f599103798e435300a0a8ce1d36260459d9c029 100755 GIT binary patch delta 69 zcmZo@U~Fh$oFL7pF;T{uQDbAmGJdujO#GkuZ)_G6IKwX~&crOMT9lfWT9lYqlABTh WWFB4#VsHK^-^#n@A diff --git a/referant/cible/export.php b/referant/cible/export.php index 5babe53..67f38af 100644 --- a/referant/cible/export.php +++ b/referant/cible/export.php @@ -1,9 +1,7 @@ prepare('SELECT * FROM :base'); -$stmt->bindParam(':base', $_POST['bdd']); -$res = $stmt->execute(); +$res = $bdd->query('SELECT * FROM ' .$_POST['bdd']); $title = array_keys($res->fetchArray(SQLITE3_ASSOC)); header('Content-Type: text/csv; charset=utf-8'); @@ -11,7 +9,7 @@ header('Content-Disposition: attachment; filename=' .$_POST['bdd'] .'.csv'); $output = fopen("php://output", "w"); fputcsv($output, $title); -while($row = $stmt->fetchArray(SQLITE3_ASSOC)) { +while($row = $res->fetchArray(SQLITE3_ASSOC)) { fputcsv($output, $row); } fclose($output); diff --git a/referant/cible/search.php b/referant/cible/search.php index 1df4c9b..b36b1fd 100755 --- a/referant/cible/search.php +++ b/referant/cible/search.php 
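Review bot: The new `$res = $bdd->query('SELECT * FROM ' .$_POST['bdd']);` concatenates a request parameter straight into the statement, so this hunk reintroduces the SQL injection the commit subject says it protects against, and the search.php hunk does the same with `$_POST['champ']` as the column name. The bound form it replaces could not have worked — SQLite binds values, not identifiers, so `FROM :base` never names a table — but the remedy for an identifier is to compare it against a fixed list of names, not to interpolate it. Something like `$allowed = ['pannes'];` / `if (!in_array($_POST['bdd'] ?? '', $allowed, true)) { http_response_code(400); exit; }` / `$res = $bdd->query('SELECT * FROM "' . $_POST['bdd'] . '"');` keeps the name under the application's control (the list is a guess from the table search.php uses; fill in the tables export is meant to serve, and apply the same list check to the column name in search.php). The checked value should then also be the one echoed into the Content-Disposition filename in the second hunk, which currently reuses the raw parameter. The first removed line is truncated in this view, presumably `$stmt = $bdd->prepare(...)`, so the hunk's opening cannot be fully read here.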
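Review bot: The loop `while($row = $res->fetchArray(SQLITE3_ASSOC))` starts from wherever the result cursor already is, and the context line `$title = array_keys($res->fetchArray(SQLITE3_ASSOC));` in the first hunk has already consumed the first row to read the column names, so the CSV is written without its first record. Add `$res->reset();` after the header row is computed so the loop starts again at row one, or keep that first row and write it before the loop. Note also that on an empty table `fetchArray` returns `false` there, which `array_keys` does not accept, so the header computation needs a guard before it.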
@@ -3,8 +3,7 @@ $bdd = new SQLite3('../../database/ticket_panne.db', SQLITE3_OPEN_READWRITE);
 try {
 // $reponse = $bdd->query("SELECT * FROM pannes WHERE `" .$_POST['champ'] ."`='" .$_POST['value'] ."'");
- $reponse = $bdd->prepare("SELECT * FROM pannes WHERE :champ=:value");
- $reponse->bindParam(':champ', $_POST['champ']);
+ $reponse = $bdd->prepare("SELECT * FROM pannes WHERE ".$_POST['champ'] ."=:value");
 $reponse->bindValue(':value', $_POST['value']);
 $fetch = $reponse->execute();
 $result = [];