Sanitize all input against XSS and fix a bug with time encoding when adding a result
@@ -5,17 +5,21 @@
|
|||||||
$user_data = check_login($con);
|
$user_data = check_login($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
$points = $_POST['points'];
|
$points = sanitize_input($_POST['points']);
|
||||||
$minutes = $_POST['minutes'];
|
$minutes = sanitize_input($_POST['minutes']);
|
||||||
$seconds = $_POST['seconds'];
|
$seconds = sanitize_input($_POST['seconds']);
|
||||||
$miliseconds = $_POST['miliseconds'];
|
$miliseconds = sanitize_input($_POST['miliseconds']);
|
||||||
|
$s_id = sanitize_input($_GET['station']);
|
||||||
|
$m_id = sanitize_input($_POST['team']);
|
||||||
|
|
||||||
if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
|
if($minutes == 0 && $seconds == 0 && $miliseconds == 0){
|
||||||
$time = null;
|
$time = null;
|
||||||
|
} else if ($miliseconds < 10) {
|
||||||
|
$time = "00:" . $minutes . ":" . $seconds . ".0" . $miliseconds;
|
||||||
} else {
|
} else {
|
||||||
$time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds;
|
$time = "00:" . $minutes . ":" . $seconds . "." . $miliseconds;
|
||||||
}
|
}
|
||||||
write_points($con, $_GET['station'], $_POST['team'], $points, $time);
|
write_points($con, $s_id, $m_id, $points, $time);
|
||||||
header("Location: statistik.php");
|
header("Location: statistik.php");
|
||||||
die;
|
die;
|
||||||
}
|
}
|
||||||
@@ -33,7 +37,7 @@
|
|||||||
<div id="team-div" class="dropdown">
|
<div id="team-div" class="dropdown">
|
||||||
<label for="team">Mannschaft</label>
|
<label for="team">Mannschaft</label>
|
||||||
<select name="team" id="team">
|
<select name="team" id="team">
|
||||||
<?php load_teams_no_points($con, $_GET['station'])?>
|
<?php load_teams_no_points($con, sanitize_input($_GET['station']))?>
|
||||||
</select>
|
</select>
|
||||||
</div>
|
</div>
|
||||||
<div class="number_field">
|
<div class="number_field">
|
||||||
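Review bot: The numeric fields `$points`, `$minutes`, `$seconds` and `$miliseconds` are only passed through `sanitize_input`, which HTML-encodes but never checks that the value is a number, so a non-numeric value still reaches `write_points` and the `$time` string. Validate them as integers at the top of the POST branch and stop the request otherwise, e.g. `$minutes = filter_var($_POST['minutes'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);` followed by an `=== false` check; the same applies to `$_GET['station']` here and in the second hunk of this section (`load_teams_no_points`), where a missing parameter also raises an undefined-index warning before `sanitize_input` is even called. The time fix pads only `$miliseconds`; if the form can submit single-digit minutes or seconds, `"00:" . $minutes . ":" . $seconds` yields e.g. `00:5:7.05`, so building the string as `sprintf('00:%02d:%02d.%02d', $minutes, $seconds, $miliseconds)` would cover all three fields — confirm the expected column format first.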
|
|||||||
@@ -5,7 +5,9 @@
|
|||||||
$user_data = check_login($con);
|
$user_data = check_login($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
write_station($con, $_POST['station_name'], $_POST['station_pos']);
|
$station_name = sanitize_input($_POST['station_name']);
|
||||||
|
$station_pos = sanitize_input($_POST['station_pos']);
|
||||||
|
write_station($con, $station_name, $station_pos);
|
||||||
header("Location: stationen.php");
|
header("Location: stationen.php");
|
||||||
die;
|
die;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,7 +5,9 @@
|
|||||||
$user_data = check_login($con);
|
$user_data = check_login($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
write_team($con, $_POST['team_name'], $_POST['fire_department']);
|
$team_name = sanitize_input($_POST['team_name']);
|
||||||
|
$fire_department = sanitize_input($_POST['fire_department']);
|
||||||
|
write_team($con, $team_name, $fire_department);
|
||||||
header("Location: mannschaft.php");
|
header("Location: mannschaft.php");
|
||||||
die;
|
die;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -6,14 +6,14 @@
|
|||||||
$error = null;
|
$error = null;
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
$user_name = $_POST['user_name'];
|
$user_name = sanitize_input($_POST['user_name']);
|
||||||
$password = $_POST['password'];
|
$password = sanitize_input($_POST['password']);
|
||||||
$user_group = $_POST['user_group'];
|
$user_group = sanitize_input($_POST['user_group']);
|
||||||
$bind_station = $_POST['bind_station'];
|
$bind_station = sanitize_input($_POST['bind_station']);
|
||||||
if(!empty($user_name) && !empty($password)) {
|
if(!empty($user_name) && !empty($password)) {
|
||||||
$salt = generate_salt();
|
$salt = generate_salt();
|
||||||
$user_id = generate_user_id($_POST['user_name'], $salt);
|
$user_id = generate_user_id($user_name, $salt);
|
||||||
$phash = generate_password_hash($_POST['password'], $salt);
|
$phash = generate_password_hash($password, $salt);
|
||||||
if($user_group == "station") {
|
if($user_group == "station") {
|
||||||
write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station);
|
write_user($con, $user_name, $user_id, $phash, $salt, $user_group, $bind_station);
|
||||||
} else {
|
} else {
|
||||||
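Review bot: `$password = sanitize_input($_POST['password']);` rewrites the secret before it is hashed: `strip_tags` and `htmlspecialchars` turn e.g. `a&b` into `a&amp;b` and drop anything after a `<`, so distinct passwords collapse and the stored hash depends on the encoder's rules, meaning any later change to `sanitize_input` silently invalidates existing logins. Hash the raw value instead, `$password = $_POST['password'] ?? '';`, and keep `generate_password_hash($password, $salt)` — the password is never rendered, so HTML encoding gains nothing here. The same line appears in the edit-user section (`@@ -5,28 +5,34 @@`) and the login section (`@@ -4,8 +4,8 @@`); all three must agree or logins break, and accounts created with special characters under the encoded scheme would need a reset when switching. If `generate_password_hash` is not a wrapper around `password_hash()`, that deserves a follow-up, though it is outside this diff.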
|
|||||||
@@ -5,21 +5,25 @@
|
|||||||
$user_data = check_admin($con);
|
$user_data = check_admin($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||||
|
$s_id = sanitize_input($_GET['s_id']);
|
||||||
$row = get_station_all($con, $_GET['s_id'])->fetch();
|
$row = get_station_all($con, $_GET['s_id'])->fetch();
|
||||||
include("header_footer/header.php");
|
include("header_footer/header.php");
|
||||||
}
|
}
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
$station = get_station_all($con, $_POST['station_id'])->fetch();
|
$station_id = sanitize_input($_POST['station_id']);
|
||||||
|
$station_name = sanitize_input($_POST['station_name']);
|
||||||
|
$station_pos = sanitize_input($_POST['station_pos']);
|
||||||
|
$station = get_station_all($con, $station_id)->fetch();
|
||||||
$s_id = intval($station['s_id']);
|
$s_id = intval($station['s_id']);
|
||||||
$name = strval($station['name']);
|
$name = strval($station['name']);
|
||||||
$standort = strval($station['standort']);
|
$standort = strval($station['standort']);
|
||||||
if($name != $_POST['station_name']) {
|
if($name != $station_name) {
|
||||||
update_station_name($con, $s_id, $_POST['station_name']);
|
update_station_name($con, $s_id, $station_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if($standort != $_POST['station_pos']) {
|
if($standort != $station_pos) {
|
||||||
update_station_pos($con, $s_id, $_POST['station_pos']);
|
update_station_pos($con, $s_id, $station_pos);
|
||||||
}
|
}
|
||||||
header("Location: stationen.php");
|
header("Location: stationen.php");
|
||||||
die;
|
die;
|
||||||
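Review bot: The GET branch assigns `$s_id = sanitize_input($_GET['s_id']);` but the next line still calls `get_station_all($con, $_GET['s_id'])`, so the new variable is unused and the raw parameter still reaches the query. Change it to `$row = get_station_all($con, $s_id)->fetch();`. Since `s_id` is an identifier that `intval($station['s_id'])` treats as an integer further down, validating it with `filter_var($_GET['s_id'] ?? null, FILTER_VALIDATE_INT)` and rejecting `false` would be the more precise check than HTML encoding.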
|
|||||||
@@ -10,12 +10,12 @@
|
|||||||
}
|
}
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == 'POST') {
|
if($_SERVER['REQUEST_METHOD'] == 'POST') {
|
||||||
$m_id = intval($_POST['m_id']);
|
$m_id = intval(sanitize_input($_POST['m_id']));
|
||||||
$s_id = intval($_POST['s_id']);
|
$s_id = intval(sanitize_input($_POST['s_id']));
|
||||||
$points = intval($_POST['points']);
|
$points = intval(sanitize_input($_POST['points']));
|
||||||
$minutes = intval($_POST['minutes']);
|
$minutes = intval(sanitize_input($_POST['minutes']));
|
||||||
$seconds = intval($_POST['seconds']);
|
$seconds = intval(sanitize_input($_POST['seconds']));
|
||||||
$millis = intval($_POST['millis']);
|
$millis = intval(sanitize_input($_POST['millis']));
|
||||||
if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) {
|
if (get_points($con, $m_id, $s_id)->fetch()['punkte'] != $points) {
|
||||||
change_points($con, $m_id, $s_id, $points);
|
change_points($con, $m_id, $s_id, $points);
|
||||||
}
|
}
|
||||||
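Review bot: `intval(sanitize_input($_POST['m_id']))` and the five lines that follow it apply HTML encoding to values that are immediately cast to int, which adds nothing and hides bad input: `intval` maps anything non-numeric to `0`, so a malformed `m_id` or `s_id` silently addresses team/station 0 instead of being rejected. Prefer `$m_id = filter_var($_POST['m_id'] ?? null, FILTER_VALIDATE_INT);` with an `=== false` check that stops the request, and drop the `sanitize_input` wrapper on these six lines. The `if` block containing these lines continues outside the hunk.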
|
|||||||
@@ -5,18 +5,22 @@
|
|||||||
$user_data = check_admin($con);
|
$user_data = check_admin($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||||
$row = get_team($con, $_GET['m_id'])->fetch();
|
$m_id = $_GET['m_id'];
|
||||||
|
$row = get_team($con, $m_id)->fetch();
|
||||||
}
|
}
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
$row = get_team($con, $_POST['m_id'])->fetch();
|
$m_id = sanitize_input($_POST['m_id']);
|
||||||
|
$team_name = sanitize_input($_POST['team_name']);
|
||||||
|
$fire_department = sanitize_input($_POST['fire_department']);
|
||||||
|
$row = get_team($con, $m_id)->fetch();
|
||||||
|
|
||||||
if($_POST['team_name'] != $row['name']) {
|
if($_POST['team_name'] != $row['name']) {
|
||||||
update_team_name($con, $_POST['m_id'], $_POST['team_name']);
|
update_team_name($con, $m_id, $team_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if($_POST['fire_department'] != $row['feuerwehr']) {
|
if($_POST['fire_department'] != $row['feuerwehr']) {
|
||||||
update_team_fire_department($con, $_POST['m_id'], $_POST['fire_department']);
|
update_team_fire_department($con, $m_id, $fire_department);
|
||||||
}
|
}
|
||||||
|
|
||||||
header("Location: mannschaft.php");
|
header("Location: mannschaft.php");
|
||||||
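Review bot: The GET branch reads `$m_id = $_GET['m_id'];` without `sanitize_input`, unlike every other handler in this commit, and the raw value goes straight to `get_team`; in the POST branch the conditions `if($_POST['team_name'] != $row['name'])` and `if($_POST['fire_department'] != $row['feuerwehr'])` still test the raw input while the updates beneath them write the encoded `$team_name`/`$fire_department`, so a value containing `&`, `<` or quotes is compared in one form and stored in another. Use the sanitized variables in both conditions, `if($team_name != $row['name']) {` and `if($fire_department != $row['feuerwehr']) {`, and `$m_id = sanitize_input($_GET['m_id']);` in the GET branch (an integer check via `FILTER_VALIDATE_INT` would be more precise for an id).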
|
|||||||
@@ -5,28 +5,34 @@
|
|||||||
$user_data = check_admin($con);
|
$user_data = check_admin($con);
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
if($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||||
$row = get_user($con, $_GET['id'])->fetch();
|
$id = sanitize_input($_GET['id']);
|
||||||
|
$row = get_user($con, $id)->fetch();
|
||||||
include("header_footer/header.php");
|
include("header_footer/header.php");
|
||||||
}
|
}
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
if($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||||
$user = get_user($con, $_POST['id'])->fetch();
|
$id = sanitize_input($_POST['id']);
|
||||||
|
$user = get_user($con, $id)->fetch();
|
||||||
|
$user_group = sanitize_input($_POST['user_group']);
|
||||||
|
$user_name = sanitize_input($_POST['user_name']);
|
||||||
|
$bind_station = sanitize_input($_POST['bind_station']);
|
||||||
|
$password = sanitize_input($_POST['password']);
|
||||||
|
|
||||||
if($user['user_name'] != $_POST['user_name']) {
|
if($user['user_name'] != $user_name) {
|
||||||
change_user_name($con, $_POST['id'], $_POST['user_name']);
|
change_user_name($con, $id, $user_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if($user['user_group'] != $_POST['user_group']) {
|
if($user['user_group'] != $user_group) {
|
||||||
if($_POST['user_group'] == "station") {
|
if($_POST['user_group'] == "station") {
|
||||||
change_user_group($con, $_POST['id'], $_POST['user_group'], $_POST['bind_station']);
|
change_user_group($con, $id, $user_group, $bind_station);
|
||||||
} else {
|
} else {
|
||||||
change_user_group($con, $_POST['id'], $_POST['user_group'], NULL);
|
change_user_group($con, $id, $user_group, NULL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!empty($_POST['password'])) {
|
if(!empty($password)) {
|
||||||
$phash = generate_password_hash($_POST['password'], $user['salt']);
|
$phash = generate_password_hash($password, $user['salt']);
|
||||||
change_password($con, $_POST['id'], $phash);
|
change_password($con, $id, $phash);
|
||||||
}
|
}
|
||||||
|
|
||||||
header("Location: manage_user.php");
|
header("Location: manage_user.php");
|
||||||
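Review bot: `if($_POST['user_group'] == "station")` still reads the raw parameter although `$user_group` is assigned earlier in the branch and is what `change_user_group` receives; use `if($user_group == "station") {` so the branch cannot diverge from the stored value. `$user_group` also decides whether `$bind_station` is written without being checked against the set of known groups, so an explicit allow-list test such as `in_array($user_group, [/* valid group names */], true)` before `change_user_group` would be a stronger guard than HTML encoding — the valid group names are not visible in this diff.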
|
|||||||
@@ -4,8 +4,8 @@
|
|||||||
include("../scripts/functions.php");
|
include("../scripts/functions.php");
|
||||||
|
|
||||||
if($_SERVER['REQUEST_METHOD'] == "POST"){
|
if($_SERVER['REQUEST_METHOD'] == "POST"){
|
||||||
$user_name = $_POST['user_name'];
|
$user_name = sanitize_input($_POST['user_name']);
|
||||||
$password = $_POST['password'];
|
$password = sanitize_input($_POST['password']);
|
||||||
|
|
||||||
if(!empty($user_name) && !empty($password)) {
|
if(!empty($user_name) && !empty($password)) {
|
||||||
$user_data = get_user_data_name($con, $user_name);
|
$user_data = get_user_data_name($con, $user_name);
|
||||||
|
|||||||
@@ -195,4 +195,9 @@ function get_time_str($con, $m_id, $s_id) {
|
|||||||
$time .= "." . $millis;
|
$time .= "." . $millis;
|
||||||
}
|
}
|
||||||
return $time;
|
return $time;
|
||||||
|
}
|
||||||
|
|
||||||
|
function sanitize_input ($input) {
|
||||||
|
$return = strip_tags($input);
|
||||||
|
return htmlspecialchars($return, ENT_QUOTES);
|
||||||
}
|
}
|
||||||
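Review bot: `sanitize_input` applies HTML output encoding at the input boundary: every caller in this commit stores the result of `htmlspecialchars` in the database, so any template that already escapes on output will double-encode (`&` becomes `&amp;amp;`), and `strip_tags` discards everything after an unmatched `<`, silently altering names. It also does nothing against SQL injection — that protection has to come from prepared statements inside the `write_*`/`get_*`/`update_*` helpers, which are not in this diff and are worth verifying. A docblock should say exactly that: the function HTML-encodes for rendering, is not a substitute for parameterized queries, and its result must not be escaped again on output. The function also lacks types and receives `null` whenever a `$_GET`/`$_POST` key is missing (`strip_tags(null)` is deprecated since 8.1); `function sanitize_input(?string $input): string {` with `$return = strip_tags((string) $input);` and `return htmlspecialchars($return, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` closes both gaps.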