diff --git a/src/api/statistics.php b/src/api/statistics.php
index c1d1ef54..03585a76 100644
--- a/src/api/statistics.php
+++ b/src/api/statistics.php
@@ -36,10 +36,12 @@ switch ($_SERVER['REQUEST_METHOD']) {
$response['data'][$table] = $count->get();
}
} else {
+ $table = Sanitiser::getTable($_GET['table']);
+
$count = $database
->query(
'SELECT COUNT(`id`) AS "count"
- FROM `' . $_GET['table'] . '`;'
+ FROM `' . $table . '`;'
)
->fetch();
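Review bot: `$table` is still spliced into the query as an identifier on the FROM line, and an identifier cannot be bound as a prepared-statement parameter, so the safety of this line rests entirely on what `Sanitiser::getTable` does, which this diff does not show. For an identifier the robust check is an allowlist of the tables this endpoint is meant to count, e.g. `if (!in_array($table, ['wishes', 'wishlists', 'users'], true)) { /* reject request */ }` before the query, using the project's real table list. `$_GET['table']` is also read without `isset`, so a request lacking it raises an undefined-key warning before the sanitiser runs. The enclosing `switch` begins before this hunk.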
diff --git a/src/api/wishes.php b/src/api/wishes.php
index 9f529b75..c42d4c60 100644
--- a/src/api/wishes.php
+++ b/src/api/wishes.php
@@ -59,11 +59,11 @@ switch ($_SERVER['REQUEST_METHOD']) {
break;
}
- $wish_title = trim($_POST['wish_title']);
- $wish_description = trim($_POST['wish_description']);
- $wish_image = trim($_POST['wish_image']);
- $wish_url = trim($_POST['wish_url']);
- $wish_priority = isset($_POST['wish_priority']) && $_POST['wish_priority'] ? $_POST['wish_priority'] : 'NULL';
+ $wish_title = Sanitiser::getTitle($_POST['wish_title']);
+ $wish_description = Sanitiser::getText($_POST['wish_description']);
+ $wish_image = Sanitiser::getURL($_POST['wish_image']);
+ $wish_url = Sanitiser::getURL($_POST['wish_url']);
+ $wish_priority = !empty(Sanitiser::getNumber($_POST['wish_priority'])) ? Sanitiser::getNumber($_POST['wish_priority']) : 'NULL';
$wish_is_purchasable = isset($_POST['wish_is_purchasable']) ? 'true' : 'false';
if (Wish::NO_IMAGE === $wish_image) {
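Review bot: The new `$wish_priority` line reads `$_POST['wish_priority']` unconditionally, dropping the `isset` guard the removed line had, so a POST without that field now emits an undefined-array-key warning, and it calls `Sanitiser::getNumber` twice on the same value. Split it so the sanitiser runs once on a guarded value: `$wish_priority = isset($_POST['wish_priority']) ? Sanitiser::getNumber($_POST['wish_priority']) : null;` followed by `$wish_priority = empty($wish_priority) ? 'NULL' : $wish_priority;`. The enclosing `switch` case starts before and continues after this hunk.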
@@ -127,7 +127,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/
$wish_price = empty($_POST['wish_price']) || 'false' === $wish_is_purchasable
? 'NULL'
- : $_POST['wish_price'];
+ : Sanitiser::getNumber($_POST['wish_price']);
$database
->query(
@@ -207,7 +207,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
* Product
*/
$wish_id = $database->lastInsertId();
- $wish_price = floatval($_POST['wish_price']);
+ $wish_price = Sanitiser::getNumber($_POST['wish_price']);
if ($wish_price > 0) {
$database
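Review bot: `$wish_price` was previously forced to a float by `floatval()`, but the replacement line relies on whatever type `Sanitiser::getNumber` returns, which is not visible in this diff; the `if ($wish_price > 0)` guard on the next line then depends on PHP 8 comparison rules, and for a non-numeric string that falls back to a string comparison against `'0'`. If the sanitiser does not already return a float, keep the cast explicit: `$wish_price = (float) Sanitiser::getNumber($_POST['wish_price']);`. The `$database` call this feeds continues past the end of the hunk.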
@@ -235,7 +235,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Update Wish Status
*/
- $status = $_PUT['wish_status'];
+ $status = Sanitiser::getStatus($_PUT['wish_status']);
+ $wish_id = Sanitiser::getNumber($_PUT['wish_id']);
if (Wish::STATUS_TEMPORARY === $status) {
$status = time();
@@ -243,8 +244,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database->query(
'UPDATE `wishes`
- SET `status` = "' . $status . '"
- WHERE `id` = ' . $_PUT['wish_id'] . ';'
+ SET `status` = "' . $status . '"
+ WHERE `id` = ' . $wish_id . ';'
);
$response['success'] = true;
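Review bot: The WHERE id line, like the other rewritten statements in this commit (the URL update below, the DELETE in this file, and the hunks in wishlists-saved.php, wishlists.php, options.php, profile.php, login.php and register.php), still builds SQL by string concatenation, so correctness now rests on every `Sanitiser` method being a complete escape for the SQL context its result lands in — something the diff does not let a reviewer verify, since the class body is not shown. Bound parameters remove that dependency; if `$database` wraps PDO, the statement becomes `$stmt = $database->prepare('UPDATE wishes SET status = ? WHERE id = ?'); $stmt->execute([$status, $wish_id]);`. Where the wrapper has no prepare/execute path, adding one would let every hunk in this commit drop the concatenation. The enclosing `switch` case starts before this hunk.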
@@ -254,8 +255,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
*/
$database->query(
'UPDATE `wishes`
- SET `url` = "' . $_PUT['wish_url_proposed'] . '"
- WHERE `url` = "' . $_PUT['wish_url_current'] . '";'
+ SET `url` = "' . Sanitiser::getURL($_PUT['wish_url_proposed']) . '"
+ WHERE `url` = "' . Sanitiser::getURL($_PUT['wish_url_current']) . '";'
);
$response['success'] = true;
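Review bot: Both `Sanitiser::getURL` results are dropped into double-quoted SQL string literals on the SET and WHERE lines, and a URL sanitiser (for example one built on `filter_var` with `FILTER_SANITIZE_URL`) keeps `"` and `'` because they are legal URL characters, so unless `getURL` additionally escapes for SQL — not visible here — the quoting on these two lines is not guaranteed. Binding the two values as parameters sidesteps the question; if the wrapper cannot bind, pass them through the driver's string escaping (e.g. `$database->quote(...)` if it wraps PDO) rather than relying on the URL filter. The enclosing `switch` case starts before this hunk.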
@@ -268,7 +269,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
if (isset($_DELETE['wish_id'])) {
$database->query(
'DELETE FROM `wishes`
- WHERE `id` = ' . $_DELETE['wish_id'] . ';'
+ WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wish_id']) . ';'
);
}
diff --git a/src/api/wishlists-saved.php b/src/api/wishlists-saved.php
index 46170098..4d5778d1 100644
--- a/src/api/wishlists-saved.php
+++ b/src/api/wishlists-saved.php
@@ -26,7 +26,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
$wishlist = $database
->query('SELECT *
FROM `wishlists_saved`
- WHERE `wishlist` = ' . $_POST['wishlist'] . '
+ WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;')
->fetch();
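Review bot: `Sanitiser::getNumber($_POST['wishlist'])` is evaluated on the WHERE line here and again in the two hunks below (the DELETE and the INSERT) within the same request; computing it once above this SELECT, `$wishlist_id = Sanitiser::getNumber($_POST['wishlist']);`, and using `$wishlist_id` in all three statements guarantees the three queries address the same row and gives the value a name. This is a style point; the enclosing `switch` case starts before this hunk.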
@@ -34,7 +34,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/** Delete */
$database
->query('DELETE FROM `wishlists_saved`
- WHERE `wishlist` = ' . $_POST['wishlist'] . '
+ WHERE `wishlist` = ' . Sanitiser::getNumber($_POST['wishlist']) . '
;');
$response['action'] = 'deleted';
@@ -46,7 +46,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
`wishlist`
) VALUES (
' . $user->id . ',
- ' . $_POST['wishlist'] . '
+ ' . Sanitiser::getNumber($_POST['wishlist']) . '
)
;');
diff --git a/src/api/wishlists.php b/src/api/wishlists.php
index b0d344ff..a67c1a8e 100644
--- a/src/api/wishlists.php
+++ b/src/api/wishlists.php
@@ -21,15 +21,18 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Create
*/
+ $user_id = Sanitiser::getNumber($_SESSION['user']['id']);
+ $wish_name = Sanitiser::getTitle($_POST['wishlist-name']);
+
$database->query('INSERT INTO `wishlists`
(
`user`,
`name`,
`hash`
) VALUES (
- ' . $_SESSION['user']['id'] . ',
- "' . $_POST['wishlist-name'] . '",
- "' . sha1(time() . $_SESSION['user']['id'] . $_POST['wishlist-name']) . '"
+ ' . $user_id . ',
+ "' . $wish_name . '",
+ "' . sha1(time() . $user_id . $wish_name) . '"
)
;');
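Review bot: The `hash` column is populated on the new line with `sha1(time() . $user_id . $wish_name)`, whose inputs are the current second, the user's id and a user-chosen name, so the value is reconstructible by anyone who knows roughly when the list was created; the diff does not show how `hash` is used, but if it serves as an unguessable share or access identifier it should come from the CSPRNG, e.g. `"' . bin2hex(random_bytes(20)) . '"`, which yields the same 40-hex-character width. If `hash` is only a non-secret dedupe key this is fine as is. The enclosing `switch` case starts before this hunk.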
@@ -40,7 +43,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
/**
* Request more wishes
*/
- $wishlistID = $_POST['wishlist-id'];
+ $wishlistID = Sanitiser::getNumber($_POST['wishlist-id']);
/** Get last notification time */
$wishlistQuery = $database
@@ -148,8 +151,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
$database
->query('UPDATE `wishlists`
- SET `name` = "' . $_PUT['wishlist_title'] . '"
- WHERE `id` = ' . $_PUT['wishlist_id'] . '
+ SET `name` = "' . Sanitiser::getTitle($_PUT['wishlist_title']) . '"
+ WHERE `id` = ' . Sanitiser::getNumber($_PUT['wishlist_id']) . '
;');
$response['success'] = true;
@@ -159,7 +162,7 @@ switch ($_SERVER['REQUEST_METHOD']) {
parse_str(file_get_contents("php://input"), $_DELETE);
$database->query('DELETE FROM `wishlists`
- WHERE `id` = ' . $_DELETE['wishlistID'] . '
+ WHERE `id` = ' . Sanitiser::getNumber($_DELETE['wishlistID']) . '
;');
$response['success'] = true;
diff --git a/src/classes/options.php b/src/classes/options.php
index b8883f56..2185b4ec 100644
--- a/src/classes/options.php
+++ b/src/classes/options.php
@@ -28,12 +28,12 @@ class Options
try {
$option = $this->database->query(
'SELECT * FROM `options`
- WHERE `key` = "' . $key . '";'
+ WHERE `key` = "' . Sanitiser::getOption($key) . '";'
)->fetch();
$value = $option['value'] ?? '';
} catch (\Throwable $th) {
- //throw $th;
+ throw $th;
}
return $value;
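Review bot: With the rethrow restored on the `throw $th;` line the surrounding `try`/`catch (\Throwable $th)` does nothing but re-raise, so the block can be reduced to the query and the `??` default with no behavioural change; if the intent was instead to return `''` when the lookup fails (the previously commented-out state), that should be an explicit `return '';` in the catch rather than a bare rethrow. Separately, naming the sanitiser method `Sanitiser::getOption` alongside `Options::getOption` makes the two easy to confuse at call sites; a name that says what is validated (e.g. `getOptionKey`) would read better. The method's signature is above this hunk.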
@@ -41,6 +41,9 @@ class Options
public function setOption(string $key, string $value): void
{
+ $key = Sanitiser::getOption($key);
+ $value = Sanitiser::getText($value);
+
$optionExists = 0 !== $this->database
->query('SELECT *
FROM `options`
diff --git a/src/classes/sanitiser.php b/src/classes/sanitiser.php
new file mode 100644
index 00000000..2e088c1e
--- /dev/null
+++ b/src/classes/sanitiser.php
@@ -0,0 +1,70 @@
+query(
diff --git a/src/pages/login.php b/src/pages/login.php
index 99672c5e..80c8f080 100644
--- a/src/pages/login.php
+++ b/src/pages/login.php
@@ -14,7 +14,7 @@ $page = new Page(__FILE__, __('Login'));
* Login
*/
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
- $email = $_POST['email'];
+ $email = Sanitiser::getEmail($_POST['email']);
$password = User::generatePassword($_POST['password']);
$database->query('UPDATE `users`
@@ -54,7 +54,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
$user = $database
->query('SELECT *
FROM `users`
- WHERE `email` = "' . $_POST['email'] . '";')
+ WHERE `email` = "' . Sanitiser::getEmail($_POST['email']) . '";')
->fetch();
if ($user) {
@@ -68,7 +68,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
WHERE `id` = ' . $user['id'] . '
;');
- $emailReset = new Email($_POST['email'], __('Password reset link'), 'default', 'password-reset');
+ $emailReset = new Email($user['email'], __('Password reset link'), 'default', 'password-reset');
$emailReset->setPlaceholder('TEXT_HELLO', __('Hello,'));
$emailReset->setPlaceholder(
'TEXT_PASSWORD_RESET',
@@ -84,7 +84,7 @@ if (isset($_POST['reset'], $_POST['email'])) {
'password-reset-link',
$_SERVER['REQUEST_SCHEME'] . '://' .
$_SERVER['HTTP_HOST'] .
- Page::PAGE_REGISTER . '&password-reset=' . $_POST['email'] . '&token=' . $token
+ Page::PAGE_REGISTER . '&password-reset=' . $user['email'] . '&token=' . $token
);
$emailReset->send();
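Review bot: `$user['email']` is concatenated into the query string of the reset link without encoding, so an address containing `+` (common for aliases) arrives at register.php with the plus decoded to a space and the `password-reset` lookup fails; wrap it as `rawurlencode($user['email'])`, and apply the same to `$token` if it can ever contain characters outside the URL-safe set. This hunk is the tail of the reset block that starts earlier in the file.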
diff --git a/src/pages/profile.php b/src/pages/profile.php
index 2cd3ad0d..242573cd 100644
--- a/src/pages/profile.php
+++ b/src/pages/profile.php
@@ -108,7 +108,7 @@ if (isset($_POST['user-id'], $_POST['section'])) {
$database
->query('UPDATE `users`
SET ' . implode(',', $set) . '
- WHERE `id` = ' . $_POST['user-id']);
+ WHERE `id` = ' . Sanitiser::getNumber($_POST['user-id']));
}
if ($loginRequired) {
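Review bot: The row updated on the WHERE id line is chosen by `$_POST['user-id']`, a client-controlled value, and nothing in this hunk ties it to the logged-in session; if the code above the hunk does not already confirm the id equals the session user's id (or that the caller has an admin power level), any authenticated user could update another account's fields. If that check exists, a comment on this line saying so would help the next reader; if it does not, take the id from `$_SESSION['user']['id']` unless an explicit admin branch applies. The enclosing `if (isset($_POST['user-id'], $_POST['section']))` starts before this hunk.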
diff --git a/src/pages/register.php b/src/pages/register.php
index 47a31523..692e8f98 100644
--- a/src/pages/register.php
+++ b/src/pages/register.php
@@ -16,16 +16,17 @@ $buttonSubmit = $passwordReset ? __('Reset') : __('Register');
$page = new Page(__FILE__, $pageTitle);
if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
- $users = $database->query('SELECT * FROM `users`;')->fetchAll();
- $emails = array_map(
+ $users = $database->query('SELECT * FROM `users`;')->fetchAll();
+ $emails = array_map(
function ($user) {
return $user['email'];
},
$users
);
+ $user_email = Sanitiser::getEmail($_POST['email']);
$isHuman = false;
- $planet = strtolower($_POST['planet']);
+ $planet = Sanitiser::getTitle($_POST['planet']);
$planetName = strtoupper($planet[0]) . substr($planet, 1);
$planets = array(
strtolower(__('Mercury')),
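Review bot: The `$planet` line drops the `strtolower()` the removed line applied, but `$planets` (starting on the last line of the hunk) is still built from `strtolower(__('Mercury'))` and friends, so unless `Sanitiser::getTitle` lowercases its input — not visible here — an answer typed with a capital letter no longer matches the lowercase list; keep the fold: `$planet = strtolower(Sanitiser::getTitle($_POST['planet']));`. The `$planet[0]` access on the next line would also warn if the sanitiser returns an empty string for a non-empty raw value, so a guard such as `if ('' === $planet)` before it is worth considering. The enclosing `if` continues past this hunk.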
@@ -57,14 +58,17 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
$userRegistered = false;
if (isset($_GET['password-reset'], $_GET['token'])) {
+ $user_email = Sanitiser::getEmail($_GET['password-reset']);
+ $user_token = Sanitiser::getSHA1($_GET['token']);
+
/**
* Password reset
*/
$user = $database
->query(
'SELECT * FROM `users`
- WHERE `email` = "' . $_GET['password-reset'] . '"
- AND `password_reset_token` = "' . $_GET['token'] . '";'
+ WHERE `email` = "' . $user_email . '"
+ AND `password_reset_token` = "' . $user_token . '";'
)
->fetch();
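Review bot: `$user_email` is reassigned from `$_GET['password-reset']` on the first added line, shadowing the value derived from `$_POST['email']` earlier in the same `if` block, so any later use of `$user_email` in this request (the INSERTs and the `in_array` check further down, which previously read `$_POST['email']`) now sees the GET value whenever both are present. If that is intended, the two sources should still be named apart, e.g. `$reset_email = Sanitiser::getEmail($_GET['password-reset']);` used in this SELECT and the success message; if not, it changes which address gets registered. The enclosing `if` starts before and continues after this hunk.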
@@ -80,7 +84,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
);
$page->messages[] = Page::success(
- 'Password has been successfully reset for ' . $_GET['password-reset'] . '.',
+ 'Password has been successfully reset for ' . $user_email . '.',
'Success'
);
} else {
@@ -101,7 +105,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`password`,
`power`
) VALUES (
- "' . $_POST['email'] . '",
+ "' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '",
100
)
@@ -109,7 +113,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
);
$userRegistered = true;
} else {
- if (in_array($_POST['email'], $emails)) {
+ if (in_array($user_email, $emails)) {
$page->messages[] = Page::error(
__('An account with this email address already exists.'),
__('Invalid email address')
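Review bot: `in_array($user_email, $emails)` should pass the strict flag, `in_array($user_email, $emails, true)`; `$emails` is built from column values so it holds strings today, but strict mode costs nothing and avoids loose-comparison surprises if the column type ever changes. The duplicate check is also byte-exact, so two addresses differing only in letter case would both register — whether that matters depends on how login compares emails, which is not in this hunk. The enclosing `if`/`else` starts before this hunk.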
@@ -121,7 +125,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
`email`,
`password`
) VALUES (
- "' . $_POST['email'] . '",
+ "' . $user_email . '",
"' . User::generatePassword($_POST['password']) . '"
)
;'
@@ -138,7 +142,7 @@ if (isset($_POST['email'], $_POST['password']) && !empty($_POST['planet'])) {
*/
if ($userRegistered) {
$userID = $database->lastInsertID();
- $wishlistName = __('My hopes and dreams');
+ $wishlistName = Sanitiser::getTitle(__('My hopes and dreams'));
$database
->query(
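Review bot: Wrapping the translated default `__('My hopes and dreams')` in `Sanitiser::getTitle` applies an input sanitiser to a value that comes from the translation catalogue rather than from the request; if `getTitle` strips or rewrites characters (not visible in this diff), translations with accented or non-Latin letters could be mangled on insert. Keep the previous line, `$wishlistName = __('My hopes and dreams');`, and if the name must be escaped for the SQL literal, do that at the query rather than by sanitising the translation. The INSERT this feeds continues past the end of the hunk.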