Adding input validation before saving to the db (#105)

2024-02-10 13:58:31 +01:00 · 2024-02-10 13:58:31 +01:00 · 048bf2d0aa
commit 048bf2d0aa
parent 05f9332fb8
6 changed files with 60 additions and 16 deletions
--- a/endpoints/categories/category.php
+++ b/endpoints/categories/category.php
@ -1,6 +1,13 @@
 <?php
 require_once '../../includes/connect_endpoint.php';
 session_start();
+function validate($value) {
+    $value = trim($value);
+    $value = stripslashes($value);
+    $value = htmlspecialchars($value);
+    $value = htmlentities($value);
+    return $value;
+}
 if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    if (isset($_GET['action']) && $_GET['action'] == "add") {
        $categoryName = "Category";
@ -26,7 +33,7 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
        if (isset($_GET['categoryId']) && $_GET['categoryId'] != "" && isset($_GET['name']) && $_GET['name'] != "") {
            $categoryId = $_GET['categoryId'];
-            $name = $_GET['name'];
+            $name = validate($_GET['name']);
            $sql = "UPDATE categories SET name = :name WHERE id = :categoryId";
            $stmt = $db->prepare($sql);
            $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -102,4 +109,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    echo translate('error', $i18n);
 }

-?>
+?>
--- a/endpoints/currency/currency.php
+++ b/endpoints/currency/currency.php
@ -1,6 +1,13 @@
 <?php
 require_once '../../includes/connect_endpoint.php';
 session_start();
+function validate($value) {
+    $value = trim($value);
+    $value = stripslashes($value);
+    $value = htmlspecialchars($value);
+    $value = htmlentities($value);
+    return $value;
+}
 if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    if (isset($_GET['action']) && $_GET['action'] == "add") {
        $currencyName = "Currency";
@ -24,9 +31,9 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
        if (isset($_GET['currencyId']) && $_GET['currencyId'] != "" && isset($_GET['name']) && $_GET['name'] != "" && isset($_GET['symbol']) && $_GET['symbol'] != "") {
            $currencyId = $_GET['currencyId'];
-            $name = $_GET['name'];
-            $symbol = $_GET['symbol'];
-            $code = $_GET['code'];
+            $name = validate($_GET['name']);
+            $symbol = validate($_GET['symbol']);
+            $code = validate($_GET['code']);
            $sql = "UPDATE currencies SET name = :name, symbol = :symbol, code = :code WHERE id = :currencyId";
            $stmt = $db->prepare($sql);
            $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -120,4 +127,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    echo json_encode($response);
 }

-?>
+?>
--- a/endpoints/household/household.php
+++ b/endpoints/household/household.php
@ -1,6 +1,13 @@
 <?php
 require_once '../../includes/connect_endpoint.php';
 session_start();
+function validate($value) {
+    $value = trim($value);
+    $value = stripslashes($value);
+    $value = htmlspecialchars($value);
+    $value = htmlentities($value);
+    return $value;
+}
 if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    if (isset($_GET['action']) && $_GET['action'] == "add") {
        $householdName = "Member";
@ -26,7 +33,7 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
        if (isset($_GET['memberId']) && $_GET['memberId'] != "" && isset($_GET['name']) && $_GET['name'] != "") {
            $memberId = $_GET['memberId'];
-            $name = $_GET['name'];
+            $name = validate($_GET['name']);
            $sql = "UPDATE household SET name = :name WHERE id = :memberId";
            $stmt = $db->prepare($sql);
            $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -102,4 +109,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
    echo translate('error', $i18n);
 }

-?>
+?>
--- a/endpoints/subscription/add.php
+++ b/endpoints/subscription/add.php
@ -9,6 +9,13 @@
        return $filename;
    }

+    function validate($value) {
+        $value = trim($value);
+        $value = stripslashes($value);
+        $value = htmlspecialchars($value);
+        $value = htmlentities($value);
+        return $value;
+    }
    function getLogoFromUrl($url, $uploadDir, $name) {
        
        $ch = curl_init($url);
@ -134,7 +141,7 @@
    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
        if ($_SERVER["REQUEST_METHOD"] === "POST") {
            $isEdit = isset($_POST['id']) && $_POST['id'] != "";
-            $name = $_POST["name"];
+            $name = validate($_POST["name"]);
            $price = $_POST['price'];
            $currencyId = $_POST["currency_id"];
            $frequency = $_POST["frequency"];
@ -143,9 +150,9 @@
            $paymentMethodId = $_POST["payment_method_id"];
            $payerUserId = $_POST["payer_user_id"];
            $categoryId = $_POST['category_id'];
-            $notes = $_POST["notes"];
-            $url = $_POST['url'];
-            $logoUrl = $_POST['logo-url'];
+            $notes = validate($_POST["notes"]);
+            $url = validate($_POST['url']);
+            $logoUrl = validate($_POST['logo-url']);
            $logo = "";
            $notify = isset($_POST['notifications']) ? true : false;

--- a/endpoints/user/save_user.php
+++ b/endpoints/user/save_user.php
@ -2,6 +2,14 @@
    require_once '../../includes/connect_endpoint.php';
    session_start();

+    function validate($value) {
+        $value = trim($value);
+        $value = stripslashes($value);
+        $value = htmlspecialchars($value);
+        $value = htmlentities($value);
+        return $value;
+    }
+
    function update_exchange_rate($db) {
        $query = "SELECT api_key FROM fixer";
        $result = $db->query($query);
@ -72,8 +80,8 @@

    if (isset($_SESSION['username']) && isset($_POST['username']) && isset($_POST['email']) && isset($_POST['avatar'])) {
        $oldUsername = $_SESSION['username'];
-        $username = $_POST['username'];
-        $email = $_POST['email'];
+        $username = validate($_POST['username']);
+        $email = validate($_POST['email']);
        $avatar = $_POST['avatar'];
        $main_currency = $_POST['main_currency'];
        $language = $_POST['language'];
--- a/registration.php
+++ b/registration.php
@ -8,6 +8,14 @@ require_once 'includes/i18n/' . $lang . '.php';

 require_once 'includes/version.php';

+function validate($value) {
+    $value = trim($value);
+    $value = stripslashes($value);
+    $value = htmlspecialchars($value);
+    $value = htmlentities($value);
+    return $value;
+}
+
 if ($userCount > 0) {
    header("Location: login.php");
    exit();
@ -29,8 +37,8 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
 $passwordMismatch = false;
 $registrationFailed = false;
 if (isset($_POST['username'])) {
-    $username = $_POST['username'];
-    $email = $_POST['email'];
+    $username = validate($_POST['username']);
+    $email = validate($_POST['email']);
    $password = $_POST['password'];
    $confirm_password = $_POST['confirm_password'];
    $main_currency = $_POST['main_currency'];