From 6d74360d1d841fbce40d4bce6e9478fd192bc286 Mon Sep 17 00:00:00 2001
From: Grisu
Date: Tue, 21 Jun 2022 23:35:06 +0200
Subject: [PATCH] sanitize all input against xss and fixed bug with time encoding when adding result
---
 app/public/add_entry.php | 16 ++++++++++------
 app/public/add_station.php | 4 +++-
 app/public/add_team.php | 4 +++-
 app/public/add_user.php | 12 ++++++------
 app/public/edit_station.php | 14 +++++++++-----
 app/public/edit_statistics.php | 12 ++++++------
 app/public/edit_team.php | 12 ++++++++----
 app/public/edit_user.php | 26 ++++++++++++++++----------
 app/public/login.php | 4 ++--
 app/scripts/functions.php | 5 +++++
 10 files changed, 68 insertions(+), 41 deletions(-)
diff --git a/app/public/add_entry.php b/app/public/add_entry.php
index 5c1f212..c3028fe 100644
--- a/app/public/add_entry.php
+++ b/app/public/add_entry.php
@@ -5,17 +5,21 @@
 $user_data = check_login($con);
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- $points = $_POST['points'];
- $minutes = $_POST['minutes'];
- $seconds = $_POST['seconds'];
- $miliseconds = $_POST['miliseconds'];
+ $points = sanitize_input($_POST['points']);
+ $minutes = sanitize_input($_POST['minutes']);
+ $seconds = sanitize_input($_POST['seconds']);
+ $miliseconds = sanitize_input($_POST['miliseconds']);
+ $s_id = sanitize_input($_GET['station']);
+ $m_id = sanitize_input($_POST['team']);
 if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
 $time = null;
+ } else if ($miliseconds < 10) {
+ $time = "00:" . $minutes . ":" . $seconds . ".0" . $miliseconds;
 } else {
 $time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds;
 }
- write_points($con, $_GET['station'], $_POST['team'], $points, $time);
+ write_points($con, $s_id, $m_id, $points, $time);
 header("Location: statistik.php");
 die;
 }
@@ -33,7 +37,7 @@
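Review bot: The four time/points fields are HTML-escaped but never checked to be numbers, so a non-numeric `minutes` still passes the `== 0` test and is spliced straight into the `"00:" . $minutes . ":" . $seconds` string, and the added `< 10` branch pads only the milliseconds, not single-digit minutes or seconds. edit_statistics.php in this same commit already coerces the equivalent fields with `intval`; doing the same here and building the string with `sprintf` yields one well-formed value for every input (and makes an empty field count as 0 under PHP 8, where `"" == 0` is false). The width of the fractional part is an assumption (the `< 10` fix implies a two-digit field) and should be checked against the column `write_points` stores into, which is outside this hunk. Whether `sanitize_input` on `$s_id`/`$m_id` is any protection at all depends on `write_points` using prepared statements, which this hunk does not show.
```php
$points = intval($_POST['points']);
$minutes = intval($_POST['minutes']);
$seconds = intval($_POST['seconds']);
$miliseconds = intval($_POST['miliseconds']);
// … unchanged: $s_id / $m_id assignments …
if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
    $time = null;
} else {
    // pad every component; "%02d" for the fraction assumes a two-digit field — confirm against the column type
    $time = sprintf("00:%02d:%02d.%02d", $minutes, $seconds, $miliseconds);
}
// … unchanged: write_points call and redirect …
```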
diff --git a/app/public/add_station.php b/app/public/add_station.php
index 73ebccc..a2cd326 100644
--- a/app/public/add_station.php
+++ b/app/public/add_station.php
@@ -5,7 +5,9 @@
 $user_data = check_login($con);
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- write_station($con, $_POST['station_name'], $_POST['station_pos']);
+ $station_name = sanitize_input($_POST['station_name']);
+ $station_pos = sanitize_input($_POST['station_pos']);
+ write_station($con, $station_name, $station_pos);
 header("Location: stationen.php");
 die;
 }
diff --git a/app/public/add_team.php b/app/public/add_team.php
index f2f00f8..97a9484 100644
--- a/app/public/add_team.php
+++ b/app/public/add_team.php
@@ -5,7 +5,9 @@
 $user_data = check_login($con);
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- write_team($con, $_POST['team_name'], $_POST['fire_department']);
+ $team_name = sanitize_input($_POST['team_name']);
+ $fire_department = sanitize_input($_POST['fire_department']);
+ write_team($con, $team_name, $fire_department);
 header("Location: mannschaft.php");
 die;
 }
diff --git a/app/public/add_user.php b/app/public/add_user.php
index 96d6988..2231ac8 100644
--- a/app/public/add_user.php
+++ b/app/public/add_user.php
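Review bot: `sanitize_input` applies `htmlspecialchars`, so the value handed to `write_station` on the `+ write_station($con, $station_name, $station_pos);` line is already HTML-encoded when it is written; a name containing `&` or quotes is stored as `&amp;`/`&quot;`, and any view that escapes on output (the usual place) will show it double-encoded. XSS is prevented by escaping where the value is rendered, not where it is received, so the safer shape is to keep the raw value here, e.g. `$station_name = trim($_POST['station_name'] ?? '');`, and escape in the templates. This entity encoding is also no defense for the database: whether `write_station` uses prepared statements is not visible in this hunk. The add_team.php hunk below has the same shape.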
@@ -6,14 +6,14 @@
 $error = null;
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- $user_name = $_POST['user_name'];
- $password = $_POST['password'];
- $user_group = $_POST['user_group'];
- $bind_station = $_POST['bind_station'];
+ $user_name = sanitize_input($_POST['user_name']);
+ $password = sanitize_input($_POST['password']);
+ $user_group = sanitize_input($_POST['user_group']);
+ $bind_station = sanitize_input($_POST['bind_station']);
 if(!empty($user_name) && !empty($password)) {
 $salt = generate_salt();
- $user_id = generate_user_id($_POST['user_name'], $salt);
- $phash = generate_password_hash($_POST['password'], $salt);
+ $user_id = generate_user_id($user_name, $salt);
+ $phash = generate_password_hash($password, $salt);
 if($user_group == "station") {
 write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station);
 } else {
diff --git a/app/public/edit_station.php b/app/public/edit_station.php
index 3e51735..f14cd47 100644
--- a/app/public/edit_station.php
+++ b/app/public/edit_station.php
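Review bot: `$password = sanitize_input($_POST['password']);` transforms the secret before `generate_password_hash` sees it: `strip_tags` deletes everything between a `<` and the next `>`, and `htmlspecialchars` turns `&`, `"` and `'` into entities, so the stored hash is of a different string than the user typed, and distinct passwords such as `a<x>b` and `a<y>b` collapse to the same hash. A password is never rendered, so there is nothing to escape; hash the raw value with `$password = $_POST['password'] ?? '';` and keep the `!empty` check. login.php in this commit applies the same transform, so the pair still round-trips today, but only while both sides stay in lockstep. What `generate_password_hash` does with `$salt` is outside this hunk.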
@@ -5,21 +5,25 @@
 $user_data = check_admin($con);
 if($_SERVER['REQUEST_METHOD'] == "GET") {
+ $s_id = sanitize_input($_GET['s_id']);
 $row = get_station_all($con, $_GET['s_id'])->fetch();
 include("header_footer/header.php");
 }
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- $station = get_station_all($con, $_POST['station_id'])->fetch();
+ $station_id = sanitize_input($_POST['station_id']);
+ $station_name = sanitize_input($_POST['station_name']);
+ $station_pos = sanitize_input($_POST['station_pos']);
+ $station = get_station_all($con, $station_id)->fetch();
 $s_id = intval($station['s_id']);
 $name = strval($station['name']);
 $standort = strval($station['standort']);
- if($name != $_POST['station_name']) {
- update_station_name($con, $s_id, $_POST['station_name']);
+ if($name != $station_name) {
+ update_station_name($con, $s_id, $station_name);
 }
- if($standort != $_POST['station_pos']) {
- update_station_pos($con, $s_id, $_POST['station_pos']);
+ if($standort != $station_pos) {
+ update_station_pos($con, $s_id, $station_pos);
 }
 header("Location: stationen.php");
 die;
diff --git a/app/public/edit_statistics.php b/app/public/edit_statistics.php
index 6a18d38..e4eb4f0 100644
--- a/app/public/edit_statistics.php
+++ b/app/public/edit_statistics.php
@@ -10,12 +10,12 @@
 }
 if($_SERVER['REQUEST_METHOD'] == 'POST') {
- $m_id = intval($_POST['m_id']);
- $s_id = intval($_POST['s_id']);
- $points = intval($_POST['points']);
- $minutes = intval($_POST['minutes']);
- $seconds = intval($_POST['seconds']);
- $millis = intval($_POST['millis']);
+ $m_id = intval(sanitize_input($_POST['m_id']));
+ $s_id = intval(sanitize_input($_POST['s_id']));
+ $points = intval(sanitize_input($_POST['points']));
+ $minutes = intval(sanitize_input($_POST['minutes']));
+ $seconds = intval(sanitize_input($_POST['seconds']));
+ $millis = intval(sanitize_input($_POST['millis']));
 if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) {
 change_points($con, $m_id, $s_id, $points);
 }
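Review bot: In the GET branch the new `$s_id = sanitize_input($_GET['s_id']);` is never used: the following `$row = get_station_all($con, $_GET['s_id'])->fetch();` still reads the raw parameter, so the assignment is dead unless header.php, included on the next line and not visible here, reads `$s_id`. The POST branch derives `$s_id = intval($station['s_id'])`, so the GET branch should produce the same type and feed the lookup: `$s_id = intval($_GET['s_id']);` then `$row = get_station_all($con, $s_id)->fetch();`. Whether `get_station_all` parameterises its query is not visible in this hunk; an integer cast is the only meaningful check for an id either way.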
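Review bot: Wrapping the six fields in `sanitize_input` before `intval` adds nothing for valid input and changes the result for odd input: `intval('1<x>5')` is 1, but `intval(strip_tags('1<x>5'))` is 15 because the tag is spliced out first. Since every value is immediately cast to int, the HTML escaping is redundant; the pre-change `$m_id = intval($_POST['m_id']);` is clearer, or `filter_input(INPUT_POST, 'm_id', FILTER_VALIDATE_INT)` if non-numeric input should be rejected rather than coerced to 0.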
diff --git a/app/public/edit_team.php b/app/public/edit_team.php
index 00fc84b..05fabf4 100644
--- a/app/public/edit_team.php
+++ b/app/public/edit_team.php
@@ -5,18 +5,22 @@
 $user_data = check_admin($con);
 if($_SERVER['REQUEST_METHOD'] == "GET") {
- $row = get_team($con, $_GET['m_id'])->fetch();
+ $m_id = $_GET['m_id'];
+ $row = get_team($con, $m_id)->fetch();
 }
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- $row = get_team($con, $_POST['m_id'])->fetch();
+ $m_id = sanitize_input($_POST['m_id']);
+ $team_name = sanitize_input($_POST['team_name']);
+ $fire_department = sanitize_input($_POST['fire_department']);
+ $row = get_team($con, $m_id)->fetch();
 if($_POST['team_name'] != $row['name']) {
- update_team_name($con, $_POST['m_id'], $_POST['team_name']);
+ update_team_name($con, $m_id, $team_name);
 }
 if($_POST['fire_department'] != $row['feuerwehr']) {
- update_team_fire_department($con, $_POST['m_id'], $_POST['fire_department']);
+ update_team_fire_department($con, $m_id, $fire_department);
 }
 header("Location: mannschaft.php");
diff --git a/app/public/edit_user.php b/app/public/edit_user.php
index c594828..db3d8e4 100644
--- a/app/public/edit_user.php
+++ b/app/public/edit_user.php
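Review bot: In the POST branch the two comparisons still read the raw `$_POST['team_name']` and `$_POST['fire_department']`, while the updates on the `+ update_team_name(...)` and `+ update_team_fire_department(...)` lines write the escaped `$team_name`/`$fire_department`; for a name containing `&`, `<`, `"` or `'` the raw value never equals the escaped one that gets stored, so the update fires on every submit and the check no longer describes what is written. Compare the same values you write: `if($team_name != $row['name']) {` and `if($fire_department != $row['feuerwehr']) {`. The GET branch's `$m_id = $_GET['m_id'];` is also the one input in this commit left untouched; if `$m_id` reaches the page (the template is outside this hunk) it should at least be cast with `intval` like the ids elsewhere.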
@@ -5,28 +5,34 @@
 $user_data = check_admin($con);
 if($_SERVER['REQUEST_METHOD'] == "GET") {
- $row = get_user($con, $_GET['id'])->fetch();
+ $id = sanitize_input($_GET['id']);
+ $row = get_user($con, $id)->fetch();
 include("header_footer/header.php");
 }
 if($_SERVER['REQUEST_METHOD'] == "POST") {
- $user = get_user($con, $_POST['id'])->fetch();
+ $id = sanitize_input($_POST['id']);
+ $user = get_user($con, $id)->fetch();
+ $user_group = sanitize_input($_POST['user_group']);
+ $user_name = sanitize_input($_POST['user_name']);
+ $bind_station = sanitize_input($_POST['bind_station']);
+ $password = sanitize_input($_POST['password']);
- if($user['user_name'] != $_POST['user_name']) {
- change_user_name($con, $_POST['id'], $_POST['user_name']);
+ if($user['user_name'] != $user_name) {
+ change_user_name($con, $id, $user_name);
 }
- if($user['user_group'] != $_POST['user_group']) {
+ if($user['user_group'] != $user_group) {
 if($_POST['user_group'] == "station") {
- change_user_group($con, $_POST['id'], $_POST['user_group'], $_POST['bind_station']);
+ change_user_group($con, $id, $user_group, $bind_station);
 } else {
- change_user_group($con, $_POST['id'], $_POST['user_group'], NULL);
+ change_user_group($con, $id, $user_group, NULL);
 }
 }
- if(!empty($_POST['password'])) {
- $phash = generate_password_hash($_POST['password'], $user['salt']);
- change_password($con, $_POST['id'], $phash);
+ if(!empty($password)) {
+ $phash = generate_password_hash($password, $user['salt']);
+ change_password($con, $id, $phash);
 }
 header("Location: manage_user.php");
diff --git a/app/public/login.php b/app/public/login.php
index 64f9afa..029d059 100644
--- a/app/public/login.php
+++ b/app/public/login.php
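Review bot: `if($_POST['user_group'] == "station")` still reads the raw field while the enclosing `if($user['user_group'] != $user_group)` uses the escaped copy; they agree for plain input, but it is the one raw read left in this block and should be `if($user_group == "station") {`. Nothing restricts `$user_group` to the groups the application knows (only `"station"` is visible here), so an arbitrary string reaches `change_user_group`; an allowlist check before the update would close that, with the valid set to be confirmed from the code that reads `user_group`. `$password = sanitize_input($_POST['password']);` likewise feeds a `strip_tags`/`htmlspecialchars`-transformed string into `generate_password_hash`, so the hash is of a different string than the user typed; hash the raw value, since the field is never rendered.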
@@ -4,8 +4,8 @@
 include("../scripts/functions.php");
 if($_SERVER['REQUEST_METHOD'] == "POST"){
- $user_name = $_POST['user_name'];
- $password = $_POST['password'];
+ $user_name = sanitize_input($_POST['user_name']);
+ $password = sanitize_input($_POST['password']);
 if(!empty($user_name) && !empty($password)) {
 $user_data = get_user_data_name($con, $user_name);
diff --git a/app/scripts/functions.php b/app/scripts/functions.php
index ebc6782..839e775 100644
--- a/app/scripts/functions.php
+++ b/app/scripts/functions.php
@@ -195,4 +195,9 @@ function get_time_str($con, $m_id, $s_id) {
 $time .= "." . $millis;
 }
 return $time;
+}
+
+function sanitize_input ($input) {
+ $return = strip_tags($input);
+ return htmlspecialchars($return, ENT_QUOTES);
 }
\ No newline at end of file
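Review bot: `$password = sanitize_input($_POST['password']);` transforms the secret before it is verified, so any account whose password was set before this commit and contains `<`, `>`, `&`, `"` or `'` can no longer log in: its stored hash was computed on the raw value. The password is not rendered anywhere in this hunk, so the escaping buys nothing here; use `$password = $_POST['password'] ?? '';` and let the hash comparison, which is outside this hunk, do its job. The same applies to `$user_name`: `get_user_data_name($con, $user_name)` now receives an entity-encoded name, which only matches rows that were also written encoded.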
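Review bot: `htmlspecialchars($return, ENT_QUOTES)` passes the flags explicitly without `ENT_SUBSTITUTE` or a charset, so a value containing an invalid UTF-8 sequence escapes to the empty string instead of being reported, and the `strip_tags` before it is lossy (it also drops text after an unpaired `<`) while adding no safety once the output is entity-encoded. A missing form field also hands `null` to `strip_tags`, which PHP 8.1 deprecates. The body would be better as `$input = (string)($input ?? '');` followed by `return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, with a docblock above the function stating that this is HTML-context output escaping only, not validation, and not a defense for SQL, URLs or JavaScript. Dropping `strip_tags` changes what gets stored, so confirm nothing relies on tags being removed rather than escaped.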