From 587d0e6ac351787fe1d944b06c6a05b42e1952f1 Mon Sep 17 00:00:00 2001
From: Marijn Jansen <marijn@jansen.onl>
Date: Fri, 20 Jan 2017 15:41:13 +0100
Subject: [PATCH] fixed crosssitescripting on settings pagw

---
 website/queries/settings.php    | 8 ++++----
 website/views/settings-view.php | 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/website/queries/settings.php b/website/queries/settings.php
index b85cae8..7d3bf9c 100644
--- a/website/queries/settings.php
+++ b/website/queries/settings.php
@@ -87,11 +87,11 @@ function updateSettings() {
       `userID` = :userID
     ");
 
-    $stmt->bindParam(":fname", $_POST["fname"]);
-    $stmt->bindParam(":lname", $_POST["lname"]);
-    $stmt->bindParam(":location", $_POST["location"]);
+    $stmt->bindParam(":fname", test_input($_POST["fname"]));
+    $stmt->bindParam(":lname", test_input($_POST["lname"]));
+    $stmt->bindParam(":location", test_input($_POST["location"]));
     $stmt->bindParam(":bday", $_POST["bday"]);
-    $stmt->bindParam(":bio", $_POST["bio"]);
+    $stmt->bindParam(":bio", test_input($_POST["bio"]));
     $stmt->bindParam(":userID", $_SESSION["userID"]);
 
     $stmt->execute();
diff --git a/website/views/settings-view.php b/website/views/settings-view.php
index f6c4e07..1fa5278 100644
--- a/website/views/settings-view.php
+++ b/website/views/settings-view.php
@@ -1,6 +1,5 @@
 <?php
 $settings = getSettings();
-//phpinfo();
 ?>
 
 <div class="content">