

PUSH
-> Fix SQL INJECTIONS
NaysKutzu committed Nov 19, 2023
1 parent 0657c4d commit fb463ce
Showing 3 changed files with 41 additions and 18 deletions.
12 changes: 8 additions & 4 deletions view/tickets/list.php
@@ -1,12 +1,12 @@
<?php
<?php
use MythicalDash\SettingsManager;
include(__DIR__ . '/../requirements/page.php');

$ticketsPerPage = 20;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int) $_GET['page'] : 1;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int)$_GET['page'] : 1;
$offset = ($page - 1) * $ticketsPerPage;

$searchKeyword = isset($_GET['search']) ? $_GET['search'] : '';
$searchKeyword = isset($_GET['search']) ? mysqli_real_escape_string($conn, $_GET['search']) : '';
$searchCondition = '';
$ownerKeyCondition = " `ownerkey` = '" . mysqli_real_escape_string($conn, $_COOKIE['token']) . "'";
if (!empty($searchKeyword)) {
Expand All @@ -22,6 +22,8 @@
$totalTickets = $totalResult->fetch_assoc()['total_tickets'];
$totalPages = ceil($totalTickets / $ticketsPerPage);
?>


<!DOCTYPE html>
<html lang="en" class="dark-style layout-navbar-fixed layout-menu-fixed" dir="ltr" data-theme="theme-semi-dark"
data-assets-path="<?= $appURL ?>/assets/" data-template="vertical-menu-template">
Expand Down Expand Up @@ -60,7 +62,9 @@
<form class="mt-4">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Search tickets..." name="search"
value="<?= $searchKeyword ?>">
<?php $displaySearchKeyword = str_replace("%", "", $searchKeyword);?>

value="<?= $displaySearchKeyword ?>">
<button class="btn btn-outline-secondary" type="submit">Search</button>
</div>
</form>
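Review bot: The search string written back into the form on the new line `value="<?= $displaySearchKeyword ?>"` is still not escaped for the HTML attribute context, so whatever arrives in `?search=` is reflected into the page verbatim; the same applies to the corresponding new lines in view/user/list.php and view/user/payments.php. Because `$searchKeyword` now holds the output of `mysqli_real_escape_string`, the form also redisplays the SQL-escaped text (a quote comes back with a backslash in front of it) rather than what the user typed, and the `str_replace("%", "", …)` is only needed because the display shares its variable with the LIKE pattern, presumably built in the lines between the first two hunks. Keep the raw input in its own variable for display and escape it once for the attribute, e.g. `$displaySearchKeyword = htmlspecialchars($_GET['search'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, and leave the escaped copy for the query only. The `$ownerKeyCondition` line reads `$_COOKIE['token']` without checking it is set; `$_COOKIE['token'] ?? ''` avoids the notice when the cookie is missing.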
18 changes: 12 additions & 6 deletions view/user/list.php
@@ -1,22 +1,27 @@
<?php
use MythicalDash\SettingsManager;

include(__DIR__ . '/../requirements/page.php');

$usersPerPage = 20;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int) $_GET['page'] : 1;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int)$_GET['page'] : 1;
$offset = ($page - 1) * $usersPerPage;

$searchKeyword = isset($_GET['search']) ? $_GET['search'] : '';
$searchKeyword = isset($_GET['search']) ? mysqli_real_escape_string($conn, $_GET['search']) : '';
$searchCondition = '';

if (!empty($searchKeyword)) {
$searchCondition = " WHERE `username` LIKE '%$searchKeyword%' OR `email` LIKE '%$searchKeyword%'";
$searchKeyword = '%' . $searchKeyword . '%';
$searchCondition = " WHERE `username` LIKE '$searchKeyword' OR `email` LIKE '$searchKeyword'";
}

$user_query = "SELECT * FROM mythicaldash_users" . $searchCondition . " ORDER BY `id` LIMIT $offset, $usersPerPage";
$result = $conn->query($user_query);

$totalUsersQuery = "SELECT COUNT(*) AS total_users FROM mythicaldash_users" . $searchCondition;
$totalResult = $conn->query($totalUsersQuery);
$totalUsers = $totalResult->fetch_assoc()['total_users'];
$totalPages = ceil($totalUsers / $usersPerPage);

?>

<!DOCTYPE html>
Expand Down Expand Up @@ -66,8 +71,9 @@
<!-- Search Form -->
<form class="mt-4">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Search users..." name="search"
value="<?= $searchKeyword ?>">
<input type="text" class="form-control" placeholder="Search users..." <?php $displaySearchKeyword = str_replace("%", "", $searchKeyword);?>

name="search" value="<?= $displaySearchKeyword ?>">
<button class="btn btn-outline-secondary" type="submit">Search</button>
</div>
</form>
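Review bot: The new line `$searchKeyword = '%' . $searchKeyword . '%';` still lets `%` and `_` from the request act as LIKE wildcards, because `mysqli_real_escape_string` only escapes quote and backslash characters; the query therefore does not search for the literal keyword the user entered. If the interpolation is kept, escape the LIKE metacharacters before wrapping, `$likePattern = '%' . addcslashes($searchKeyword, '%_') . '%';`, and interpolate `$likePattern` so the display variable is not mutated. The more robust fix for a commit titled as a SQL-injection fix is `$conn->prepare()` with `?` placeholders for the two LIKE operands and the LIMIT values, which removes the dependence on the connection character set that `mysqli_real_escape_string` relies on (I cannot see from this diff whether `$conn->set_charset()` is called in requirements/page.php). `$conn->query($user_query)` and `$totalResult->fetch_assoc()` are used without checking for `false`, so a failed query surfaces as a fatal error on the following line rather than a handled condition.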
29 changes: 21 additions & 8 deletions view/user/payments.php
Expand Up @@ -2,30 +2,41 @@
use MythicalDash\SettingsManager;

include(__DIR__ . '/../requirements/page.php');

if (isset($_GET['unlink_discord'])) {
$conn->query("UPDATE `mythicaldash_users` SET `discord_linked` = 'false' WHERE `mythicaldash_users`.`api_key` = '" . mysqli_real_escape_string($conn, $_COOKIE['token']) . "';");
$token = mysqli_real_escape_string($conn, $_COOKIE['token']);
$unlinkQuery = "UPDATE `mythicaldash_users` SET `discord_linked` = 'false' WHERE `mythicaldash_users`.`api_key` = '$token';";
$conn->query($unlinkQuery);

$conn->close();
header('location: /user/connections');
}

$paymentsPerPage = 20;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int) $_GET['page'] : 1;
$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int)$_GET['page'] : 1;
$offset = ($page - 1) * $paymentsPerPage;

$searchKeyword = isset($_GET['search']) ? $_GET['search'] : '';
$searchKeyword = isset($_GET['search']) ? mysqli_real_escape_string($conn, $_GET['search']) : '';
$token = mysqli_real_escape_string($conn, $_COOKIE['token']);
$searchCondition = '';

if (!empty($searchKeyword)) {
$searchCondition = " WHERE (`code` LIKE '%$searchKeyword%' OR `getaway` LIKE '%$searchKeyword%') AND `ownerkey` = '" . mysqli_real_escape_string($conn, $_COOKIE['token']) . "'";
$searchKeyword = '%' . $searchKeyword . '%';
$searchCondition = " WHERE (`code` LIKE '$searchKeyword' OR `getaway` LIKE '$searchKeyword') AND `ownerkey` = '$token'";
} else {
$searchCondition = " WHERE `ownerkey` = '" . mysqli_real_escape_string($conn, $_COOKIE['token']) . "'";
$searchCondition = " WHERE `ownerkey` = '$token'";
}
$payments_query = 'SELECT * FROM mythicaldash_payments' . $searchCondition . " ORDER BY `id` LIMIT $offset, $paymentsPerPage";

$payments_query = "SELECT * FROM mythicaldash_payments" . $searchCondition . " ORDER BY `id` LIMIT $offset, $paymentsPerPage";
$result = $conn->query($payments_query);
$totalPaymentsQuery = 'SELECT COUNT(*) AS total_payments FROM mythicaldash_payments' . $searchCondition;

$totalPaymentsQuery = "SELECT COUNT(*) AS total_payments FROM mythicaldash_payments" . $searchCondition;
$totalResult = $conn->query($totalPaymentsQuery);
$totalPayments = $totalResult->fetch_assoc()['total_payments'];
$totalPages = ceil($totalPayments / $paymentsPerPage);
?>


<!DOCTYPE html>
<html lang="en" class="dark-style layout-navbar-fixed layout-menu-fixed" dir="ltr" data-theme="theme-semi-dark"
data-assets-path="<?= $appURL ?>/assets/" data-template="vertical-menu-template">
Expand Down Expand Up @@ -81,7 +92,9 @@ class="ti-xs ti ti-currency-euro me-1"></i> Payments</a>
<form class="mt-4">
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Search users..."
name="search" value="<?= $searchKeyword ?>">
<?php $displaySearchKeyword = str_replace("%", "", $searchKeyword);?>

name="search" value="<?= $displaySearchKeyword ?>">
<button class="btn btn-outline-secondary" type="submit">Search</button>
</div>
</form>
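Review bot: The rewritten unlink branch (`$unlinkQuery` / `$conn->query($unlinkQuery)`) still falls through after `header('location: /user/connections');`: there is no `exit;`, so execution continues past `$conn->close()` into `mysqli_real_escape_string($conn, …)` and `$conn->query(...)` on a connection that has just been closed. Add `exit;` directly after the `header(...)` line. The branch assigns `$token = mysqli_real_escape_string($conn, $_COOKIE['token']);` and the identical expression is repeated below in the search setup; assign it once above the `if`, reading `$_COOKIE['token'] ?? ''` so a missing cookie does not raise an undefined-index notice. Separately, this UPDATE is triggered by a GET parameter and authorised only by the cookie, which leaves it exposed to cross-site request forgery; it belongs behind a POST form carrying a CSRF token, though the form that triggers it is outside this diff.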
