Adding input validation before saving to the db (#105)

This commit is contained in:
lslschr 2024-02-10 13:58:31 +01:00 committed by GitHub
parent 05f9332fb8
commit 048bf2d0aa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 60 additions and 16 deletions


@ -1,6 +1,13 @@
<?php <?php
require_once '../../includes/connect_endpoint.php'; require_once '../../includes/connect_endpoint.php';
session_start(); session_start();
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) { if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
if (isset($_GET['action']) && $_GET['action'] == "add") { if (isset($_GET['action']) && $_GET['action'] == "add") {
$categoryName = "Category"; $categoryName = "Category";
@ -26,7 +33,7 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
} else if (isset($_GET['action']) && $_GET['action'] == "edit") { } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
if (isset($_GET['categoryId']) && $_GET['categoryId'] != "" && isset($_GET['name']) && $_GET['name'] != "") { if (isset($_GET['categoryId']) && $_GET['categoryId'] != "" && isset($_GET['name']) && $_GET['name'] != "") {
$categoryId = $_GET['categoryId']; $categoryId = $_GET['categoryId'];
$name = $_GET['name']; $name = validate($_GET['name']);
$sql = "UPDATE categories SET name = :name WHERE id = :categoryId"; $sql = "UPDATE categories SET name = :name WHERE id = :categoryId";
$stmt = $db->prepare($sql); $stmt = $db->prepare($sql);
$stmt->bindParam(':name', $name, SQLITE3_TEXT); $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -102,4 +109,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
echo translate('error', $i18n); echo translate('error', $i18n);
} }
?> ?>
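Review bot: `validate()` is output encoding rather than input validation — `htmlspecialchars()` followed by `htmlentities()` double-encodes (`&` becomes `&amp;amp;`), and because the result is bound into the `UPDATE categories` statement at `bindParam(':name', $name, SQLITE3_TEXT)` the encoded form is what gets stored, so every non-HTML consumer of `name` (JSON responses, exports) receives entity-escaped text; the same pasted function and the same call pattern appear in the five file sections below. SQL injection was already covered by `prepare()`/`bindParam()`, and HTML escaping belongs at the point of output, so the store-side check should instead be an emptiness/length check on the trimmed value plus an integer check on the id, e.g. `$categoryId = filter_var($_GET['categoryId'], FILTER_VALIDATE_INT);` with a rejected request on `false`. `stripslashes()` is a magic_quotes-era leftover that silently mangles legitimate backslashes in stored values. Declaring the identical seven-line function in six scripts also risks a "Cannot redeclare" fatal if two of them are ever included together; defining it once in `includes/connect_endpoint.php`, which the endpoint files shown here already require, would avoid that. The `if` blocks around the edited lines start and end outside the hunk.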


@ -1,6 +1,13 @@
<?php <?php
require_once '../../includes/connect_endpoint.php'; require_once '../../includes/connect_endpoint.php';
session_start(); session_start();
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) { if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
if (isset($_GET['action']) && $_GET['action'] == "add") { if (isset($_GET['action']) && $_GET['action'] == "add") {
$currencyName = "Currency"; $currencyName = "Currency";
@ -24,9 +31,9 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
} else if (isset($_GET['action']) && $_GET['action'] == "edit") { } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
if (isset($_GET['currencyId']) && $_GET['currencyId'] != "" && isset($_GET['name']) && $_GET['name'] != "" && isset($_GET['symbol']) && $_GET['symbol'] != "") { if (isset($_GET['currencyId']) && $_GET['currencyId'] != "" && isset($_GET['name']) && $_GET['name'] != "" && isset($_GET['symbol']) && $_GET['symbol'] != "") {
$currencyId = $_GET['currencyId']; $currencyId = $_GET['currencyId'];
$name = $_GET['name']; $name = validate($_GET['name']);
$symbol = $_GET['symbol']; $symbol = validate($_GET['symbol']);
$code = $_GET['code']; $code = validate($_GET['code']);
$sql = "UPDATE currencies SET name = :name, symbol = :symbol, code = :code WHERE id = :currencyId"; $sql = "UPDATE currencies SET name = :name, symbol = :symbol, code = :code WHERE id = :currencyId";
$stmt = $db->prepare($sql); $stmt = $db->prepare($sql);
$stmt->bindParam(':name', $name, SQLITE3_TEXT); $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -120,4 +127,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
echo json_encode($response); echo json_encode($response);
} }
?> ?>


@ -1,6 +1,13 @@
<?php <?php
require_once '../../includes/connect_endpoint.php'; require_once '../../includes/connect_endpoint.php';
session_start(); session_start();
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) { if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
if (isset($_GET['action']) && $_GET['action'] == "add") { if (isset($_GET['action']) && $_GET['action'] == "add") {
$householdName = "Member"; $householdName = "Member";
@ -26,7 +33,7 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
} else if (isset($_GET['action']) && $_GET['action'] == "edit") { } else if (isset($_GET['action']) && $_GET['action'] == "edit") {
if (isset($_GET['memberId']) && $_GET['memberId'] != "" && isset($_GET['name']) && $_GET['name'] != "") { if (isset($_GET['memberId']) && $_GET['memberId'] != "" && isset($_GET['name']) && $_GET['name'] != "") {
$memberId = $_GET['memberId']; $memberId = $_GET['memberId'];
$name = $_GET['name']; $name = validate($_GET['name']);
$sql = "UPDATE household SET name = :name WHERE id = :memberId"; $sql = "UPDATE household SET name = :name WHERE id = :memberId";
$stmt = $db->prepare($sql); $stmt = $db->prepare($sql);
$stmt->bindParam(':name', $name, SQLITE3_TEXT); $stmt->bindParam(':name', $name, SQLITE3_TEXT);
@ -102,4 +109,4 @@ if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
echo translate('error', $i18n); echo translate('error', $i18n);
} }
?> ?>


@ -9,6 +9,13 @@
return $filename; return $filename;
} }
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
function getLogoFromUrl($url, $uploadDir, $name) { function getLogoFromUrl($url, $uploadDir, $name) {
$ch = curl_init($url); $ch = curl_init($url);
@ -134,7 +141,7 @@
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) { if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
if ($_SERVER["REQUEST_METHOD"] === "POST") { if ($_SERVER["REQUEST_METHOD"] === "POST") {
$isEdit = isset($_POST['id']) && $_POST['id'] != ""; $isEdit = isset($_POST['id']) && $_POST['id'] != "";
$name = $_POST["name"]; $name = validate($_POST["name"]);
$price = $_POST['price']; $price = $_POST['price'];
$currencyId = $_POST["currency_id"]; $currencyId = $_POST["currency_id"];
$frequency = $_POST["frequency"]; $frequency = $_POST["frequency"];
@ -143,9 +150,9 @@
$paymentMethodId = $_POST["payment_method_id"]; $paymentMethodId = $_POST["payment_method_id"];
$payerUserId = $_POST["payer_user_id"]; $payerUserId = $_POST["payer_user_id"];
$categoryId = $_POST['category_id']; $categoryId = $_POST['category_id'];
$notes = $_POST["notes"]; $notes = validate($_POST["notes"]);
$url = $_POST['url']; $url = validate($_POST['url']);
$logoUrl = $_POST['logo-url']; $logoUrl = validate($_POST['logo-url']);
$logo = ""; $logo = "";
$notify = isset($_POST['notifications']) ? true : false; $notify = isset($_POST['notifications']) ? true : false;
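Review bot: Passing `$url` and `$logoUrl` through `validate()` corrupts them before use — a query string such as `?a=1&b=2` becomes `?a=1&amp;b=2`, so if `$logoUrl` is what ends up in `getLogoFromUrl()`'s `curl_init($url)` (presumably, from the names) the server fetches a different resource, and the stored URL is HTML-encoded as well. For these two fields the appropriate check is `filter_var($value, FILTER_VALIDATE_URL)` plus restricting the scheme to `http`/`https` before any server-side fetch, rejecting on failure instead of encoding; that also bounds what the curl call can be pointed at. Meanwhile `$price`, `$currencyId`, `$frequency`, `$paymentMethodId`, `$payerUserId` and `$categoryId` stay unchecked while only the free-text fields are encoded, so `FILTER_VALIDATE_INT`/`FILTER_VALIDATE_FLOAT` on those would be the actual input validation the commit title promises. The enclosing POST handler starts before the hunk and continues after it.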


@ -2,6 +2,14 @@
require_once '../../includes/connect_endpoint.php'; require_once '../../includes/connect_endpoint.php';
session_start(); session_start();
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
function update_exchange_rate($db) { function update_exchange_rate($db) {
$query = "SELECT api_key FROM fixer"; $query = "SELECT api_key FROM fixer";
$result = $db->query($query); $result = $db->query($query);
@ -72,8 +80,8 @@
if (isset($_SESSION['username']) && isset($_POST['username']) && isset($_POST['email']) && isset($_POST['avatar'])) { if (isset($_SESSION['username']) && isset($_POST['username']) && isset($_POST['email']) && isset($_POST['avatar'])) {
$oldUsername = $_SESSION['username']; $oldUsername = $_SESSION['username'];
$username = $_POST['username']; $username = validate($_POST['username']);
$email = $_POST['email']; $email = validate($_POST['email']);
$avatar = $_POST['avatar']; $avatar = $_POST['avatar'];
$main_currency = $_POST['main_currency']; $main_currency = $_POST['main_currency'];
$language = $_POST['language']; $language = $_POST['language'];
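Review bot: `$email = validate($_POST['email']);` HTML-encodes the address instead of validating it, and the registration file's hunk below does the same; an address containing `&` or `'` (both legal in the local part) is stored as an entity string and will no longer match or deliver. Replace the encoding with `$email = filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL);` and treat `false` as a failed request, and give `$username` a length and character-set check rather than entity encoding, since the encoded form is what later comparisons against `$_SESSION['username']` would see. `$avatar`, `$main_currency` and `$language` remain unchecked; if `$language` ever feeds the `$lang` used in `require_once 'includes/i18n/' . $lang . '.php'` (visible only in the last file's hunk header, so this is inferred), an allow-list check against the known language codes is the check that matters most. The enclosing `if` starts before the hunk and ends after it.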


@ -8,6 +8,14 @@ require_once 'includes/i18n/' . $lang . '.php';
require_once 'includes/version.php'; require_once 'includes/version.php';
function validate($value) {
$value = trim($value);
$value = stripslashes($value);
$value = htmlspecialchars($value);
$value = htmlentities($value);
return $value;
}
if ($userCount > 0) { if ($userCount > 0) {
header("Location: login.php"); header("Location: login.php");
exit(); exit();
@ -29,8 +37,8 @@ while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
$passwordMismatch = false; $passwordMismatch = false;
$registrationFailed = false; $registrationFailed = false;
if (isset($_POST['username'])) { if (isset($_POST['username'])) {
$username = $_POST['username']; $username = validate($_POST['username']);
$email = $_POST['email']; $email = validate($_POST['email']);
$password = $_POST['password']; $password = $_POST['password'];
$confirm_password = $_POST['confirm_password']; $confirm_password = $_POST['confirm_password'];
$main_currency = $_POST['main_currency']; $main_currency = $_POST['main_currency'];