prevent SQL injection : use statements & bindvalues

public/index.php

@@ -17,6 +17,7 @@ class MyDB extends SQLite3
 }
 
 $db = new MyDB();
+ini_set('display_errors', 'Off');
 
 
 function addNavbar($response)
@@ -70,8 +71,12 @@ $app->map(['GET', 'POST'], '/blog/create', function (Request $request, Response
     if (isset($_SESSION['username'])) {
         if ($request->getMethod() == 'GET') {
             addNavbar($response);
-            $response->getBody()->write($_SESSION['error']);
-            $response->getBody()->write('<hr/>');
+            if (isset($_SESSION['error'])) {
+                $response->getBody()->write($_SESSION['error']);
+                $response->getBody()->write('<hr/>');
+                unset($_SESSION['error']);
+            }
+
             $response->getBody()->write('<form action="/blog/create" method="POST">');
             $response->getBody()->write('<label for="slug">slug:</label>');
             $response->getBody()->write('<input type="text" name="slug"/><br/>');
@@ -81,15 +86,20 @@ $app->map(['GET', 'POST'], '/blog/create', function (Request $request, Response
             $response->getBody()->write('<textarea type="textarea" name="content"></textarea><br/>');
             $response->getBody()->write('<input type="submit"/>');
             addFooter($response);
-            unset($_SESSION['error']);
         } else {
             $data = $request->getParsedBody();
             global $db;
-            $sql = "INSERT INTO blogs (slug, title, content) VALUES ('" . $data['slug'] . "', '" . $data['title'] . "', '" . $data['content'] . "')";
-            $ret = $db->exec($sql);
+            $db->enableExceptions(false);
+            //$sql = "INSERT INTO blogs (slug, title, content) VALUES ('" . $data['slug'] . "', '" . $data['title'] . "', '" . $data['content'] . "')";
+            $stmt = $db->prepare("INSERT INTO blogs (slug, title, content) VALUES (:slug, :title, :content)");
+            $stmt->bindValue(':slug', $data['slug'], SQLITE3_TEXT);
+            $stmt->bindValue(':title', $data['title'], SQLITE3_TEXT);
+            $stmt->bindValue(':content', $data['content'], SQLITE3_TEXT);
+            $res = $stmt->execute();
+            //$ret = $db->exec($sql);
             //$_SESSION['blogs'][] = ["slug" => $data['slug'], "title" => $data['title'], "content" => "Lorem ipsum 4"];
 
-            if ($ret) {
+            if ($res) {
                 return $response->withHeader('Location', '/')->withStatus(302);
             } else {
                 $err = $db->lastErrorMsg();