CREATE TABLE products (
Id INTEGER PRIMARY KEY AUTO_INCREMENT,
name TEXT NOT NULL,
description TEXT NOT NULL,
price REAL NOT NULL
);
INSERT INTO products (name, description, price) VALUES ('Prueba','Prueba',1000);
DELETE FROM products WHERE (1=1);
INSERT INTO products (name, description, price) VALUES ('NAME','Description',1000);
SELECT table_name FROM information_schema.tables where table_name <> 'products' LIMIT 1;
SELECT * FROM information_schema.tables
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
// Retrieve the product information from the form
$name = mysqli_real_escape_string($mysqli, "SELECT table_name FROM information_schema.tables where table_name <> 'products' LIMIT 1");
$description = mysqli_real_escape_string($mysqli, "Description");
//$price = mysqli_real_escape_string($mysqli, "1000); SELECT * FROM products WHERE (1=1");
//$price = mysqli_real_escape_string($mysqli, "@VERSION");
$price = "1000";
echo $name;
//"INSERT INTO products (name, description, price) VALUES ('NAME','Description',1000); SELECT table_name FROM information_schema.tables where (1=1);
$sql = "INSERT INTO products (name, description, price) VALUES ('".$name."','".$description."',".$price.");";
// Use a prepared statement to prevent SQL injection attacks
echo $sql;
$query = mysqli_prepare($mysqli, $sql);
// mysqli_stmt_bind_param($query, "ssd", $name, $description, $price);
mysqli_stmt_execute($query);
// Use a prepared statement to prevent SQL injection attacks
$query = mysqli_prepare($mysqli, "SELECT * FROM products");
mysqli_stmt_execute($query);
// Store the result of the query
$result = mysqli_stmt_get_result($query);
// Loop through the rows of the result
while ($row = mysqli_fetch_assoc($result)) {
// Display the product information
echo "<h2>" . $row['name'] . "</h2>";
echo "<p>" . $row['description'] . "</p>";
echo "<p>Price: $" . $row['price'] . "</p>";
echo "<hr>";
}
?>