From 34749e89409afee5a5c4bb565f142266492c0870 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?D=C4=83nil=C4=83=20Daniel?= <68745788+danieldanila@users.noreply.github.com>
Date: Tue, 14 Jan 2025 16:53:13 +0200
Subject: [PATCH] Modified DashboardController.php's actionAccomplishment function to prevent potential SQL injection attacks

Added parameterized query by replacing direct inclusion of variables ($thisyear, $user, $category_id) in the SQL query with placeholders (:thisyear, :user, :category_id) and used bindValue to bind PHP variables to the query's placeholders.
---
 controllers/DashboardController.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/controllers/DashboardController.php b/controllers/DashboardController.php
index dfc56b6..f8f3764 100644
--- a/controllers/DashboardController.php
+++ b/controllers/DashboardController.php
@@ -193,10 +193,15 @@ public function actionAccomplishment()
 desc_category as n, MONTHNAME(date) as m, SUM(value) as v
 FROM cashbook INNER JOIN category
- on category.id_category = cashbook.category_id
- WHERE YEAR(date) = $thisyear AND cashbook.user_id = $user AND category_id = $category_id
+ ON category.id_category = cashbook.category_id
+ WHERE YEAR(date) = :thisyear AND cashbook.user_id = :user AND category_id = :category_id
 GROUP BY desc_category, MONTHNAME(date)
- ORDER BY desc_category ASC, MONTHNAME(date) asc;");
+ ORDER BY desc_category ASC, MONTHNAME(date) ASC;");
+
+ $command->bindValue(':thisyear', $thisyear);
+ $command->bindValue(':user', $user);
+ $command->bindValue(':category_id', $category_id);
+
 $accomplishment = $command->queryAll();
 $m = array();
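Review bot: The three new bindValue() calls bind $thisyear, $user and $category_id with no explicit parameter type, so each value is sent with whatever type the driver infers from the PHP variable; if $category_id or $thisyear arrives as a request string, it is bound as a string and only the database's implicit conversion makes the integer comparison work. The parameterization already closes the injection path the commit describes; the remaining gap is that a non-numeric value is silently coerced rather than rejected, which is worth making explicit at the binding site, e.g. `$command->bindValue(':category_id', (int) $category_id, PDO::PARAM_INT);` and likewise for `:thisyear` and `:user` (the bindValue type argument exists in Yii 1's CDbCommand, which the queryAll() call suggests this is — confirm against the framework version in use). Where these variables are assigned, and whether they are validated before this point, lies outside the hunk, so the cast may already be redundant; actionAccomplishment() begins and ends outside the hunk.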