sanitize all input against xss and fixed bug with time encoding when adding result

This commit is contained in:
2022-06-21 23:35:06 +02:00
parent b0478a7dd4
commit 6d74360d1d
10 changed files with 68 additions and 41 deletions


@@ -5,17 +5,21 @@
$user_data = check_login($con); $user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
$points = $_POST['points']; $points = sanitize_input($_POST['points']);
$minutes = $_POST['minutes']; $minutes = sanitize_input($_POST['minutes']);
$seconds = $_POST['seconds']; $seconds = sanitize_input($_POST['seconds']);
$miliseconds = $_POST['miliseconds']; $miliseconds = sanitize_input($_POST['miliseconds']);
$s_id = sanitize_input($_GET['station']);
$m_id = sanitize_input($_POST['team']);
if($minutes == 0 && $seconds == 0 && $miliseconds == 0){ if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
$time = null; $time = null;
} else if ($miliseconds < 10) {
$time = "00:" . $minutes . ":" . $seconds . ".0" . $miliseconds;
} else { } else {
$time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds; $time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds;
} }
write_points($con, $_GET['station'], $_POST['team'], $points, $time); write_points($con, $s_id, $m_id, $points, $time);
header("Location: statistik.php"); header("Location: statistik.php");
die; die;
} }
@@ -33,7 +37,7 @@
<div id="team-div" class="dropdown"> <div id="team-div" class="dropdown">
<label for="team">Mannschaft</label> <label for="team">Mannschaft</label>
<select name="team" id="team"> <select name="team" id="team">
<?php load_teams_no_points($con, $_GET['station'])?> <?php load_teams_no_points($con, sanitize_input($_GET['station']))?>
</select> </select>
</div> </div>
<div class="number_field"> <div class="number_field">
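Review bot: The `sanitize_input()` calls added to the `$points` … `$m_id` assignments HTML-encode values that are then stored through `write_points()`, which puts output encoding at the input layer: the stored text is already escaped, so whatever later echoes it must not escape again, and the encoding does nothing for the database write itself (whether `write_points()` uses prepared statements is not visible here); the same holds for every hunk in this commit that stores a sanitized value. For these purely numeric fields a type check is the stronger control, e.g. `$minutes = filter_var($_POST['minutes'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 59]]);` with a `false` result rejected before the write, which also removes the undefined-array-key warning when a field is missing. The new `.0` branch pads only `$miliseconds`, so `$minutes` and `$seconds` below 10 still produce strings like `00:5:3.05`; if the value is meant to be fixed-width, `sprintf('00:%02d:%02d.%02d', $minutes, $seconds, $miliseconds)` (adjusting the last width if the field holds true milliseconds rather than hundredths, which is not visible here) gives one consistent format and makes the extra branch unnecessary. The surrounding script continues outside the hunk.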


@@ -5,7 +5,9 @@
$user_data = check_login($con); $user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
write_station($con, $_POST['station_name'], $_POST['station_pos']); $station_name = sanitize_input($_POST['station_name']);
$station_pos = sanitize_input($_POST['station_pos']);
write_station($con, $station_name, $station_pos);
header("Location: stationen.php"); header("Location: stationen.php");
die; die;
} }
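Review bot: `$_POST['station_name']` and `$_POST['station_pos']` are read without an `isset`/`??` guard, so a request missing either field raises an undefined-array-key warning on PHP 8 and hands `null` to `sanitize_input()`, where `strip_tags(null)` is deprecated since 8.1; write `$station_name = sanitize_input($_POST['station_name'] ?? '');` (and the same for `station_pos`), or reject the request when a field is absent. The same pattern appears in the team-creation hunk and the other hunks of this commit. `sanitize_input()` only HTML-encodes, so it adds no protection for the database write; `write_station()` (defined outside this diff) still needs parameterised queries.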


@@ -5,7 +5,9 @@
$user_data = check_login($con); $user_data = check_login($con);
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
write_team($con, $_POST['team_name'], $_POST['fire_department']); $team_name = sanitize_input($_POST['team_name']);
$fire_department = sanitize_input($_POST['fire_department']);
write_team($con, $team_name, $fire_department);
header("Location: mannschaft.php"); header("Location: mannschaft.php");
die; die;
} }


@@ -6,14 +6,14 @@
$error = null; $error = null;
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
$user_name = $_POST['user_name']; $user_name = sanitize_input($_POST['user_name']);
$password = $_POST['password']; $password = sanitize_input($_POST['password']);
$user_group = $_POST['user_group']; $user_group = sanitize_input($_POST['user_group']);
$bind_station = $_POST['bind_station']; $bind_station = sanitize_input($_POST['bind_station']);
if(!empty($user_name) && !empty($password)) { if(!empty($user_name) && !empty($password)) {
$salt = generate_salt(); $salt = generate_salt();
$user_id = generate_user_id($_POST['user_name'], $salt); $user_id = generate_user_id($user_name, $salt);
$phash = generate_password_hash($_POST['password'], $salt); $phash = generate_password_hash($password, $salt);
if($user_group == "station") { if($user_group == "station") {
write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station); write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station);
} else { } else {
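Review bot: Running `sanitize_input()` over `$password` before hashing changes the secret: `strip_tags` removes anything between `<` and `>` and `htmlspecialchars` rewrites `&`, `"`, `'`, `<` and `>`, so distinct passwords can collapse onto the same hash and part of what the user typed is silently discarded. The login hunk now does the same to `$_POST['password']`, which means an existing account whose password contains one of those characters can no longer sign in after this commit, because its hash was computed from the raw string. Hash the raw input instead, `$password = $_POST['password'] ?? '';`, here and in the edit-user and login hunks, which must all agree. If `generate_password_hash()` (defined outside this diff) is not a wrapper around `password_hash()`, that would be the next thing to review. The enclosing `if` continues past the end of the hunk.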


@@ -5,21 +5,25 @@
$user_data = check_admin($con); $user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") { if($_SERVER['REQUEST_METHOD'] == "GET") {
$s_id = sanitize_input($_GET['s_id']);
$row = get_station_all($con, $_GET['s_id'])->fetch(); $row = get_station_all($con, $_GET['s_id'])->fetch();
include("header_footer/header.php"); include("header_footer/header.php");
} }
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
$station = get_station_all($con, $_POST['station_id'])->fetch(); $station_id = sanitize_input($_POST['station_id']);
$station_name = sanitize_input($_POST['station_name']);
$station_pos = sanitize_input($_POST['station_pos']);
$station = get_station_all($con, $station_id)->fetch();
$s_id = intval($station['s_id']); $s_id = intval($station['s_id']);
$name = strval($station['name']); $name = strval($station['name']);
$standort = strval($station['standort']); $standort = strval($station['standort']);
if($name != $_POST['station_name']) { if($name != $station_name) {
update_station_name($con, $s_id, $_POST['station_name']); update_station_name($con, $s_id, $station_name);
} }
if($standort != $_POST['station_pos']) { if($standort != $station_pos) {
update_station_pos($con, $s_id, $_POST['station_pos']); update_station_pos($con, $s_id, $station_pos);
} }
header("Location: stationen.php"); header("Location: stationen.php");
die; die;
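Review bot: In the GET branch the new `$s_id = sanitize_input($_GET['s_id']);` is never used — the next line still passes the raw `$_GET['s_id']` to `get_station_all()`, unlike the POST branch, which consistently uses its sanitized locals. Change it to `$row = get_station_all($con, $s_id)->fetch();`. Since the id is numeric, `intval()` or `FILTER_VALIDATE_INT` would be a more precise check than HTML encoding, and if `$row` is read later (outside this hunk) a `false` result for an unknown id is not handled here.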


@@ -10,12 +10,12 @@
} }
if($_SERVER['REQUEST_METHOD'] == 'POST') { if($_SERVER['REQUEST_METHOD'] == 'POST') {
$m_id = intval($_POST['m_id']); $m_id = intval(sanitize_input($_POST['m_id']));
$s_id = intval($_POST['s_id']); $s_id = intval(sanitize_input($_POST['s_id']));
$points = intval($_POST['points']); $points = intval(sanitize_input($_POST['points']));
$minutes = intval($_POST['minutes']); $minutes = intval(sanitize_input($_POST['minutes']));
$seconds = intval($_POST['seconds']); $seconds = intval(sanitize_input($_POST['seconds']));
$millis = intval($_POST['millis']); $millis = intval(sanitize_input($_POST['millis']));
if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) { if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) {
change_points($con, $m_id, $s_id, $points); change_points($con, $m_id, $s_id, $points);
} }
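Review bot: Wrapping `sanitize_input()` inside `intval()` on the six assignments adds nothing for the numeric conversion and can change it — `strip_tags` turns an input such as `<b>5` into `5`, which `intval()` alone would read as `0` — so the inner call should be dropped. The larger gap is that `intval()` maps any non-numeric submission to `0`, and the comparison below (`... != $points`) would then store `0` as the new points; `filter_var($_POST['points'] ?? null, FILTER_VALIDATE_INT)` with a `false` result rejected distinguishes a bad submission from a genuine zero. The enclosing `if` continues past the end of the hunk.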


@@ -5,18 +5,22 @@
$user_data = check_admin($con); $user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") { if($_SERVER['REQUEST_METHOD'] == "GET") {
$row = get_team($con, $_GET['m_id'])->fetch(); $m_id = $_GET['m_id'];
$row = get_team($con, $m_id)->fetch();
} }
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
$row = get_team($con, $_POST['m_id'])->fetch(); $m_id = sanitize_input($_POST['m_id']);
$team_name = sanitize_input($_POST['team_name']);
$fire_department = sanitize_input($_POST['fire_department']);
$row = get_team($con, $m_id)->fetch();
if($_POST['team_name'] != $row['name']) { if($_POST['team_name'] != $row['name']) {
update_team_name($con, $_POST['m_id'], $_POST['team_name']); update_team_name($con, $m_id, $team_name);
} }
if($_POST['fire_department'] != $row['feuerwehr']) { if($_POST['fire_department'] != $row['feuerwehr']) {
update_team_fire_department($con, $_POST['m_id'], $_POST['fire_department']); update_team_fire_department($con, $m_id, $fire_department);
} }
header("Location: mannschaft.php"); header("Location: mannschaft.php");
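Review bot: The two comparisons still read the raw `$_POST['team_name']` and `$_POST['fire_department']`, while the values written are the sanitized `$team_name` and `$fire_department`; once a stored name contains `&`, `"`, `'`, `<` or `>` it is kept in encoded form, so the raw comparison is unequal on every submit and the update runs each time. Compare what you store: `if($team_name != $row['name'])` and `if($fire_department != $row['feuerwehr'])`. The GET branch also assigns `$m_id = $_GET['m_id'];` without `sanitize_input()`, unlike the corresponding GET branches of the station and user edit pages; for an id, `intval()` would be the fitting check in both branches. The script continues past the end of the hunk.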


@@ -5,28 +5,34 @@
$user_data = check_admin($con); $user_data = check_admin($con);
if($_SERVER['REQUEST_METHOD'] == "GET") { if($_SERVER['REQUEST_METHOD'] == "GET") {
$row = get_user($con, $_GET['id'])->fetch(); $id = sanitize_input($_GET['id']);
$row = get_user($con, $id)->fetch();
include("header_footer/header.php"); include("header_footer/header.php");
} }
if($_SERVER['REQUEST_METHOD'] == "POST") { if($_SERVER['REQUEST_METHOD'] == "POST") {
$user = get_user($con, $_POST['id'])->fetch(); $id = sanitize_input($_POST['id']);
$user = get_user($con, $id)->fetch();
$user_group = sanitize_input($_POST['user_group']);
$user_name = sanitize_input($_POST['user_name']);
$bind_station = sanitize_input($_POST['bind_station']);
$password = sanitize_input($_POST['password']);
if($user['user_name'] != $_POST['user_name']) { if($user['user_name'] != $user_name) {
change_user_name($con, $_POST['id'], $_POST['user_name']); change_user_name($con, $id, $user_name);
} }
if($user['user_group'] != $_POST['user_group']) { if($user['user_group'] != $user_group) {
if($_POST['user_group'] == "station") { if($_POST['user_group'] == "station") {
change_user_group($con, $_POST['id'], $_POST['user_group'], $_POST['bind_station']); change_user_group($con, $id, $user_group, $bind_station);
} else { } else {
change_user_group($con, $_POST['id'], $_POST['user_group'], NULL); change_user_group($con, $id, $user_group, NULL);
} }
} }
if(!empty($_POST['password'])) { if(!empty($password)) {
$phash = generate_password_hash($_POST['password'], $user['salt']); $phash = generate_password_hash($password, $user['salt']);
change_password($con, $_POST['id'], $phash); change_password($con, $id, $phash);
} }
header("Location: manage_user.php"); header("Location: manage_user.php");
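Review bot: The inner check `if($_POST['user_group'] == "station")` still reads the raw request value while the line above compares the local `$user_group`; use the same variable for both, `if($user_group == "station") {`, so the two conditions cannot diverge. `get_user(...)->fetch()` can return `false` for an unknown id, and `$user['user_name']` and `$user['salt']` are read without checking for that (this predates the change, but the new `$id` assignment is the natural place to add the check). The script continues past the end of the hunk.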


@@ -4,8 +4,8 @@
include("../scripts/functions.php"); include("../scripts/functions.php");
if($_SERVER['REQUEST_METHOD'] == "POST"){ if($_SERVER['REQUEST_METHOD'] == "POST"){
$user_name = $_POST['user_name']; $user_name = sanitize_input($_POST['user_name']);
$password = $_POST['password']; $password = sanitize_input($_POST['password']);
if(!empty($user_name) && !empty($password)) { if(!empty($user_name) && !empty($password)) {
$user_data = get_user_data_name($con, $user_name); $user_data = get_user_data_name($con, $user_name);


@@ -196,3 +196,8 @@ function get_time_str($con, $m_id, $s_id) {
} }
return $time; return $time;
} }
function sanitize_input ($input) {
$return = strip_tags($input);
return htmlspecialchars($return, ENT_QUOTES);
}
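Review bot: `sanitize_input()` is an HTML-output encoder (`htmlspecialchars` with `ENT_QUOTES`) that this commit applies to values on their way into the database; the place for it is where a value is echoed into HTML, and a value stored through it will be double-encoded if the output path escapes as well. `strip_tags()` is lossy rather than a security control — it silently drops legitimate text such as `a < b` and is blind to attribute, JavaScript and URL contexts — so it should go; a typed version would be `function sanitize_input(?string $input): string { return htmlspecialchars((string) $input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }`, with a docblock stating that it encodes for HTML element and attribute context only and offers no protection for SQL, JavaScript or URL contexts. Renaming it to something like `escape_html` would stop callers mistaking it for input validation; the numeric ids and times in this commit belong with `FILTER_VALIDATE_INT` instead.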