diff --git a/app/public/add_entry.php b/app/public/add_entry.php
index 5c1f212..c3028fe 100644
--- a/app/public/add_entry.php
+++ b/app/public/add_entry.php
@@ -5,17 +5,21 @@
$user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") {
- $points = $_POST['points'];
- $minutes = $_POST['minutes'];
- $seconds = $_POST['seconds'];
- $miliseconds = $_POST['miliseconds'];
+ $points = sanitize_input($_POST['points']);
+ $minutes = sanitize_input($_POST['minutes']);
+ $seconds = sanitize_input($_POST['seconds']);
+ $miliseconds = sanitize_input($_POST['miliseconds']);
+ $s_id = sanitize_input($_GET['station']);
+ $m_id = sanitize_input($_POST['team']);
if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
$time = null;
+ } else if ($miliseconds < 10) {
+ $time = "00:" . $minutes . ":" . $seconds . ".0" . $miliseconds;
} else {
$time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds;
}
- write_points($con, $_GET['station'], $_POST['team'], $points, $time);
+ write_points($con, $s_id, $m_id, $points, $time);
header("Location: statistik.php");
die;
}
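Review bot: The new zero-padding branch (`} else if ($miliseconds < 10) {`) compares an unvalidated string numerically and pads by concatenation, so a value with a leading zero such as `05` satisfies the comparison and produces `.005` instead of `.05`, and a non-numeric value is concatenated into `$time` unchanged. Converting the field with `intval()` as edit_statistics.php already does and padding with `sprintf` removes both the extra branch and the ambiguity: `$time = "00:" . $minutes . ":" . $seconds . "." . sprintf('%02d', intval($miliseconds));`. The new `$s_id = sanitize_input($_GET['station']);` line reads a query parameter inside the POST handler; unless the form action always carries it, a missing key passes `null` into `sanitize_input` and on to `strip_tags`, which is deprecated on PHP 8.1+. The second hunk of this file (`@@ -33,7 +37,7 @@`) has no visible lines here.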
@@ -33,7 +37,7 @@
diff --git a/app/public/add_station.php b/app/public/add_station.php
index 73ebccc..a2cd326 100644
--- a/app/public/add_station.php
+++ b/app/public/add_station.php
@@ -5,7 +5,9 @@
$user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") {
- write_station($con, $_POST['station_name'], $_POST['station_pos']);
+ $station_name = sanitize_input($_POST['station_name']);
+ $station_pos = sanitize_input($_POST['station_pos']);
+ write_station($con, $station_name, $station_pos);
header("Location: stationen.php");
die;
}
diff --git a/app/public/add_team.php b/app/public/add_team.php
index f2f00f8..97a9484 100644
--- a/app/public/add_team.php
+++ b/app/public/add_team.php
@@ -5,7 +5,9 @@
$user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") {
- write_team($con, $_POST['team_name'], $_POST['fire_department']);
+ $team_name = sanitize_input($_POST['team_name']);
+ $fire_department = sanitize_input($_POST['fire_department']);
+ write_team($con, $team_name, $fire_department);
header("Location: mannschaft.php");
die;
}
diff --git a/app/public/add_user.php b/app/public/add_user.php
index 96d6988..2231ac8 100644
--- a/app/public/add_user.php
+++ b/app/public/add_user.php
@@ -6,14 +6,14 @@
$error = null;
if($_SERVER['REQUEST_METHOD'] == "POST") {
- $user_name = $_POST['user_name'];
- $password = $_POST['password'];
- $user_group = $_POST['user_group'];
- $bind_station = $_POST['bind_station'];
+ $user_name = sanitize_input($_POST['user_name']);
+ $password = sanitize_input($_POST['password']);
+ $user_group = sanitize_input($_POST['user_group']);
+ $bind_station = sanitize_input($_POST['bind_station']);
if(!empty($user_name) && !empty($password)) {
$salt = generate_salt();
- $user_id = generate_user_id($_POST['user_name'], $salt);
- $phash = generate_password_hash($_POST['password'], $salt);
+ $user_id = generate_user_id($user_name, $salt);
+ $phash = generate_password_hash($password, $salt);
if($user_group == "station") {
write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station);
} else {
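Review bot: The `$password = sanitize_input($_POST['password']);` line transforms the secret before `generate_password_hash` sees it: `htmlspecialchars` rewrites `&`, `<`, `>`, `"` and `'` into entities and `strip_tags` drops everything from a `<` onward, so the stored hash is of a different string than the user typed. login.php applies the same transformation, so accounts created after this commit still authenticate, but any existing account whose password contains such characters can no longer log in, and the password space is silently narrowed; the `change_password` path in edit_user.php has the same problem. A password is never rendered, so it needs no HTML escaping — in all three places keep it raw: `$password = $_POST['password'] ?? '';`. The rest of the POST handler continues past the hunk.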
diff --git a/app/public/edit_station.php b/app/public/edit_station.php
index 3e51735..f14cd47 100644
--- a/app/public/edit_station.php
+++ b/app/public/edit_station.php
@@ -5,21 +5,25 @@
$user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") {
+ $s_id = sanitize_input($_GET['s_id']);
$row = get_station_all($con, $_GET['s_id'])->fetch();
include("header_footer/header.php");
}
if($_SERVER['REQUEST_METHOD'] == "POST") {
- $station = get_station_all($con, $_POST['station_id'])->fetch();
+ $station_id = sanitize_input($_POST['station_id']);
+ $station_name = sanitize_input($_POST['station_name']);
+ $station_pos = sanitize_input($_POST['station_pos']);
+ $station = get_station_all($con, $station_id)->fetch();
$s_id = intval($station['s_id']);
$name = strval($station['name']);
$standort = strval($station['standort']);
- if($name != $_POST['station_name']) {
- update_station_name($con, $s_id, $_POST['station_name']);
+ if($name != $station_name) {
+ update_station_name($con, $s_id, $station_name);
}
- if($standort != $_POST['station_pos']) {
- update_station_pos($con, $s_id, $_POST['station_pos']);
+ if($standort != $station_pos) {
+ update_station_pos($con, $s_id, $station_pos);
}
header("Location: stationen.php");
die;
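Review bot: The sanitized `$s_id` assigned on the new GET-branch line is never used — the following `get_station_all($con, $_GET['s_id'])` still reads the raw query parameter, so the addition has no effect there. Change the lookup to `$row = get_station_all($con, $s_id)->fetch();`, matching what the POST branch does with `$station_id`. Note that the POST branch reuses the name `$s_id` for the integer read back from the row, so the two branches carry different values under one name; a distinct name in the GET branch would make that clearer. Whether `get_station_all` binds its parameter is outside this hunk.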
diff --git a/app/public/edit_statistics.php b/app/public/edit_statistics.php
index 6a18d38..e4eb4f0 100644
--- a/app/public/edit_statistics.php
+++ b/app/public/edit_statistics.php
@@ -10,12 +10,12 @@
}
if($_SERVER['REQUEST_METHOD'] == 'POST') {
- $m_id = intval($_POST['m_id']);
- $s_id = intval($_POST['s_id']);
- $points = intval($_POST['points']);
- $minutes = intval($_POST['minutes']);
- $seconds = intval($_POST['seconds']);
- $millis = intval($_POST['millis']);
+ $m_id = intval(sanitize_input($_POST['m_id']));
+ $s_id = intval(sanitize_input($_POST['s_id']));
+ $points = intval(sanitize_input($_POST['points']));
+ $minutes = intval(sanitize_input($_POST['minutes']));
+ $seconds = intval(sanitize_input($_POST['seconds']));
+ $millis = intval(sanitize_input($_POST['millis']));
if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) {
change_points($con, $m_id, $s_id, $points);
}
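Review bot: Wrapping each `$_POST` value in `sanitize_input()` only to pass the result straight into `intval()` is redundant: `intval` already reduces the input to an integer, so the HTML escaping changes nothing except that a missing key now routes `null` through `strip_tags`, which is deprecated on PHP 8.1+. `$m_id = intval($_POST['m_id'] ?? 0);` states the intent directly and covers the absent-key case; the same applies to the other five assignments in this hunk.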
diff --git a/app/public/edit_team.php b/app/public/edit_team.php
index 00fc84b..05fabf4 100644
--- a/app/public/edit_team.php
+++ b/app/public/edit_team.php
@@ -5,18 +5,22 @@
$user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") {
- $row = get_team($con, $_GET['m_id'])->fetch();
+ $m_id = $_GET['m_id'];
+ $row = get_team($con, $m_id)->fetch();
}
if($_SERVER['REQUEST_METHOD'] == "POST") {
- $row = get_team($con, $_POST['m_id'])->fetch();
+ $m_id = sanitize_input($_POST['m_id']);
+ $team_name = sanitize_input($_POST['team_name']);
+ $fire_department = sanitize_input($_POST['fire_department']);
+ $row = get_team($con, $m_id)->fetch();
if($_POST['team_name'] != $row['name']) {
- update_team_name($con, $_POST['m_id'], $_POST['team_name']);
+ update_team_name($con, $m_id, $team_name);
}
if($_POST['fire_department'] != $row['feuerwehr']) {
- update_team_fire_department($con, $_POST['m_id'], $_POST['fire_department']);
+ update_team_fire_department($con, $m_id, $fire_department);
}
header("Location: mannschaft.php");
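Review bot: The GET branch assigns `$m_id = $_GET['m_id'];` without `sanitize_input()`, unlike the GET handlers in edit_station.php and edit_user.php touched by the same commit, so the identifier is treated differently between the two branches of this file. In the POST branch the change checks still compare the raw `$_POST['team_name']` and `$_POST['fire_department']` against the row while the updates write the sanitized `$team_name` / `$fire_department`; if the stored values were written through `sanitize_input` (as add_team.php now does), a name containing `&` or a quote compares unequal on every submit and triggers a needless update. Use the same variables in the comparisons: `if($team_name != $row['name'])` and `if($fire_department != $row['feuerwehr'])`. The POST block continues past the hunk.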
diff --git a/app/public/edit_user.php b/app/public/edit_user.php
index c594828..db3d8e4 100644
--- a/app/public/edit_user.php
+++ b/app/public/edit_user.php
@@ -5,28 +5,34 @@
$user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") {
- $row = get_user($con, $_GET['id'])->fetch();
+ $id = sanitize_input($_GET['id']);
+ $row = get_user($con, $id)->fetch();
include("header_footer/header.php");
}
if($_SERVER['REQUEST_METHOD'] == "POST") {
- $user = get_user($con, $_POST['id'])->fetch();
+ $id = sanitize_input($_POST['id']);
+ $user = get_user($con, $id)->fetch();
+ $user_group = sanitize_input($_POST['user_group']);
+ $user_name = sanitize_input($_POST['user_name']);
+ $bind_station = sanitize_input($_POST['bind_station']);
+ $password = sanitize_input($_POST['password']);
- if($user['user_name'] != $_POST['user_name']) {
- change_user_name($con, $_POST['id'], $_POST['user_name']);
+ if($user['user_name'] != $user_name) {
+ change_user_name($con, $id, $user_name);
}
- if($user['user_group'] != $_POST['user_group']) {
+ if($user['user_group'] != $user_group) {
if($_POST['user_group'] == "station") {
- change_user_group($con, $_POST['id'], $_POST['user_group'], $_POST['bind_station']);
+ change_user_group($con, $id, $user_group, $bind_station);
} else {
- change_user_group($con, $_POST['id'], $_POST['user_group'], NULL);
+ change_user_group($con, $id, $user_group, NULL);
}
}
- if(!empty($_POST['password'])) {
- $phash = generate_password_hash($_POST['password'], $user['salt']);
- change_password($con, $_POST['id'], $phash);
+ if(!empty($password)) {
+ $phash = generate_password_hash($password, $user['salt']);
+ change_password($con, $id, $phash);
}
header("Location: manage_user.php");
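Review bot: The inner check `if($_POST['user_group'] == "station")` still reads the raw request value while the enclosing comparison and the `change_user_group` call use the sanitized `$user_group`, so the branch decision and the written value can disagree. Use one value for both: `if($user_group == "station") {`. The `!empty($password)` guard is fine for "no password change requested", but note that `empty("0")` is also true, so a single-character password of `0` is silently ignored; `$password !== ''` is the precise test. The handler's tail after the redirect lies outside the hunk.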
diff --git a/app/public/login.php b/app/public/login.php
index 64f9afa..029d059 100644
--- a/app/public/login.php
+++ b/app/public/login.php
@@ -4,8 +4,8 @@
include("../scripts/functions.php");
if($_SERVER['REQUEST_METHOD'] == "POST"){
- $user_name = $_POST['user_name'];
- $password = $_POST['password'];
+ $user_name = sanitize_input($_POST['user_name']);
+ $password = sanitize_input($_POST['password']);
if(!empty($user_name) && !empty($password)) {
$user_data = get_user_data_name($con, $user_name);
diff --git a/app/scripts/functions.php b/app/scripts/functions.php
index ebc6782..839e775 100644
--- a/app/scripts/functions.php
+++ b/app/scripts/functions.php
@@ -195,4 +195,9 @@ function get_time_str($con, $m_id, $s_id) {
$time .= "." . $millis;
}
return $time;
+}
+
+function sanitize_input ($input) {
+ $return = strip_tags($input);
+ return htmlspecialchars($return, ENT_QUOTES);
}
\ No newline at end of file
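Review bot: `sanitize_input` is HTML output encoding (`strip_tags` followed by `htmlspecialchars`) applied at the input boundary, and every caller in this commit stores or compares the encoded result, so the database ends up holding `&amp;` / `&#039;` forms and any template that escapes on output will double-encode them; it also gives no protection at the SQL layer, which rests on the `write_*` / `update_*` helpers using bound parameters (not visible here). If the function is kept, state its actual contract in a docblock — that it returns an HTML-escaped copy of `$input` intended for direct echo, is not an SQL or password filter, and must not be applied to secrets or to values that are stored and escaped again on output. Harden the signature as well: `function sanitize_input(?string $input): string {` / `$return = strip_tags($input ?? '');` / `return htmlspecialchars($return, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` — a missing form key currently feeds `null` to `strip_tags` (deprecated on PHP 8.1+), and without `ENT_SUBSTITUTE` malformed UTF-8 makes `htmlspecialchars` return an empty string. The file also loses its trailing newline in this hunk.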