1 files changed, 8 insertions, 5 deletions
diff --git a/comic.php b/comic.php
index 1e94abc..e8333bb 100755
--- a/comic.php
+++ b/comic.php

@@ -8,11 +8,14 @@ if (!isset($_GET['id']))
        exit;
 }
-$getcomic = "SELECT * FROM comics WHERE filename = \"" . mysqli_real_escape_string($mysql_conn, $_GET['id']) . ".png\"";
+$getcomic = $mysql_conn->prepare("SELECT * FROM comics WHERE filename = ?");
-$getcomic2 = mysql_query($getcomic);
+$real_filename = $_GET['id'] . ".png";
-$getcomic3 = mysql_fetch_array($getcomic2);
+$getcomic->bind_param("s", $real_filename);
+$getcomic->execute();
-if ($getcomic3['filename'] != ($_GET['id'] . '.png'))
+$getcomic2 = $getcomic->get_result();
+$getcomic3 = $getcomic2->fetch_assoc();
+if ($getcomic3['filename'] != $real_filename)
 {
        header('Location: /');
        exit;

diff --git a/comic.php b/comic.php index 1e94abc..e8333bb 100755 --- a/comic.php +++ b/comic.php
@@ -8,11 +8,14 @@ if (!isset($_GET['id']))
8	exit;	8	exit;
9	}	9	}
10		10
11	$getcomic = "SELECT * FROM comics WHERE filename = \"" . mysqli_real_escape_string($mysql_conn, $_GET['id']) . ".png\"";	11	$getcomic = $mysql_conn->prepare("SELECT * FROM comics WHERE filename = ?");
12	$getcomic2 = mysql_query($getcomic);	12	$real_filename = $_GET['id'] . ".png";
13	$getcomic3 = mysql_fetch_array($getcomic2);	13	$getcomic->bind_param("s", $real_filename);
14		14	$getcomic->execute();
15	if ($getcomic3['filename'] != ($_GET['id'] . '.png'))	15	$getcomic2 = $getcomic->get_result();
		16	$getcomic3 = $getcomic2->fetch_assoc();
		17
		18	if ($getcomic3['filename'] != $real_filename)
16	{	19	{
17	header('Location: /');	20	header('Location: /');
18	exit;	21	exit;