
Bug Fix for #49 (#50)
* Changed all MySQLi statements to PDO objects + Minor Fixes
* Added database error page for public
* Added field verification when creating forms and converted MySQLi statements to PDO objects
Co-authored-by: Mahalakshumi <mahav2000@gmail.com>
bearlike committed Dec 19, 2020
1 parent 6a51d6e commit 4e7b099
Showing 22 changed files with 816 additions and 513 deletions.
2 changes: 1 addition & 1 deletion docs/files/Sample_REMS_Database.sql
Expand Up @@ -79,7 +79,7 @@ CREATE TABLE `certificates` (
`id` int(255) NOT NULL,
`name` varchar(255) NOT NULL,
`regno` varchar(255) DEFAULT NULL,
`dept` varchar(40) DEFAULT NULL,
`dept` varchar(255) DEFAULT NULL,
`year` int(10) DEFAULT NULL,
`section` varchar(10) DEFAULT NULL,
`position` varchar(255) NOT NULL,
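Review bot: Widening `dept` to `varchar(255)` changes only the sample schema file; a database already created from the old file keeps the 40-character column, and no migration statement appears in the visible part of this commit. A one-line `ALTER TABLE certificates MODIFY dept varchar(255) DEFAULT NULL;` next to the sample (or a sentence in the description) would let existing installs catch up instead of silently truncating longer department names.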
64 changes: 37 additions & 27 deletions members/activity-log.php
@@ -1,32 +1,42 @@
<?php
include("header.php");
$page = 1;
$perPage = 10;;
$totalPages = 1;
if (empty($_GET['page'])) {
include("header.php");
$page = 1;
} else {
$page = $_GET['page'];
}
if (empty($_GET['perPage'])) {
$perPage = 10;
} else {
$perPage = $_GET['perPage'];
}
$conn = new mysqli($servername, $username, $password, $MainDB);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$resultc = $conn->query('select count(*) from logging where userid="' . $_SESSION['uname'] . '";');
$rowc = $resultc->fetch_row();
$countr = $rowc[0]; // Count total responses
// calculate number of pages needed
$totalPages = ceil($countr / $perPage);
// Find the starting element for the current $page
$startPage = $perPage * ($page - 1);
$sql = "select timestamp, log from logging where userid=\"" . $_SESSION['uname'] . "\" order by id desc limit " . $startPage . "," . $perPage . ";";
$logResults = $conn->query($sql);
$perPage = 10;;
$totalPages = 1;
if (empty($_GET['page'])) {
$page = 1;
} else {
$page = $_GET['page'];
}
if (empty($_GET['perPage'])) {
$perPage = 10;
} else {
$perPage = $_GET['perPage'];
}
try{
$conn = new PDO('mysql:dbname='.$MainDB.';host='.$servername.';charset=utf8', $username, $password);
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e){
$message = $e->getMessage() ;
header('pages/error.php?error='.$e->getMessage());
die();
}
$resultc = $conn->prepare('select count(*) from logging where userid=:currentUser');
$resultc->bindValue(':currentUser', $_SESSION['uname']);
$resultc->execute();
$rowc = $resultc->fetch();
$countr = $rowc[0]; // Count total responses
// calculate number of pages needed
$totalPages = ceil($countr / $perPage);
// Find the starting element for the current $page
$startPage = $perPage * ($page - 1);
$sql = $conn->prepare("select timestamp, log from logging where userid=:currentUser order by id desc limit :startpage , :perpage");
$sql->bindValue(':currentUser', $_SESSION['uname']);
$sql->bindValue(':startpage', (int) $startPage, PDO::PARAM_INT);
$sql->bindValue(':perpage', (int) $perPage, PDO::PARAM_INT);
$sql->execute();
$logResults = $sql->fetchAll(PDO::FETCH_ASSOC);
?>

<html>
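Review bot: The catch block's `header('pages/error.php?error='.$e->getMessage());` never redirects, because the string lacks the `Location: ` prefix, and it places the raw PDOException text (which can carry host, user and database names) into a URL; dashboard.php repeats the same two lines in both of its catch blocks, and db-manage.php redirects correctly but still forwards the message. Log the detail server-side and send a fixed text instead: `error_log($e->getMessage());` followed by `header('Location: pages/error.php?error=' . urlencode('Database connection failed'));` before `die();`. If header.php has already emitted HTML at this point no header() call can take effect at all, which is worth confirming before relying on the redirect. `$page` and `$perPage` are still taken from `$_GET` as-is, so a non-numeric or zero `perPage` reaches `ceil($countr / $perPage)` before the `(int)` casts on the bind lines; `$page = max(1, (int) ($_GET['page'] ?? 1));` and `$perPage = max(1, (int) ($_GET['perPage'] ?? 10));` would replace the two if/else blocks and also drop the stray `;;` that survives on the `$perPage = 10;;` line.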
44 changes: 28 additions & 16 deletions members/change-password.php
Expand Up @@ -2,29 +2,38 @@
include('mainFunction.php');
include("secrets_.php");

$conn = new mysqli($servername, $username, $password, $MainDB);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
try{
$conn = new PDO('mysql:dbname='.$MainDB.';host='.$servername.';charset=utf8', $username, $password);

$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e){
$message = $e->getMessage() ;
header('Location:../public/error.html');
die();
}
$gen = null;
if(isset($_GET['gen'])){
$gen = $_GET['gen'];
$check_if_done = 'SELECT count(PasswordLinkVerification("'.$gen.'"))as ifExists';
$list = $conn->query($check_if_done);
foreach ($list as $row) {
$check_if_done = $conn->prepare('SELECT count(PasswordLinkVerification(:gen)) as ifExists');
$check_if_done->bindValue(":gen",$gen);
$check_if_done->execute();
foreach ($check_if_done as $row) {
$exists = $row['ifExists'];
}
if($exists==1){
$check_validity_query = 'SELECT PasswordLinkVerification("'.$gen.'") as time_diff';
$list_time = $conn->query($check_validity_query);
foreach ($list_time as $row_time) {
$check_validity_query = $conn->prepare('SELECT PasswordLinkVerification(:gen) as time_diff');
$check_validity_query->bindValue(":gen",$gen);
$check_validity_query->execute();
foreach ($check_validity_query as $row_time) {
$key = $row_time['time_diff'];
}
if($key<1800){
}
else{
$check_validity_query = 'DELETE FROM forgot_password WHERE gen_key="'.$gen.'"';
$list = $conn->query($check_validity_query);
$check_validity_query = 'DELETE FROM forgot_password WHERE gen_key=:gen';
$check_validity_query->bindValue(":gen",$gen);
$check_validity_query->execute();
header('Location:link-expired.html');
}
}else{
Expand Down Expand Up @@ -83,14 +92,17 @@

if (isset($_POST["submit"])){
$gen = $_POST["gen"];
$get_uname_sql = 'SELECT GetUserName("'.$gen.'") as uname';
$user_name_list = $conn->query($get_uname_sql);
foreach ($user_name_list as $user_name) {
$get_uname_sql = $conn->prepare('SELECT GetUserName(:gen) as uname');
$get_uname_sql->bindValue(":gen",$gen);
$get_uname_sql->execute();
foreach ($get_uname_sql as $user_name) {
$uname = $user_name['uname'];
}
$password = $_POST['pwd_confirm'];
$update_sql = 'CALL SetPassword("'.$gen.'","'.$password.'")';
$list = $conn->query($update_sql);
$update_sql = $conn->prepare('CALL SetPassword(:gen,:password)');
$update_sql->bindValue(":gen",$gen);
$update_sql->bindValue(":password",$password);
$update_sql->execute();
echo('<div class="alert alert-success" role="alert" style="width:80%;margin-left:10%;margin-right:10%">
Password updated successfuly!
</div>');
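Review bot: The expired-link branch in the first hunk assigns a plain string to `$check_validity_query` (`'DELETE FROM forgot_password WHERE gen_key=:gen'`) and then calls `bindValue` and `execute` on it, which is a fatal "call to a member function on string" — the `$conn->prepare(...)` wrapper used by the other statements is missing, so expired keys are never removed. The line should read `$check_validity_query = $conn->prepare('DELETE FROM forgot_password WHERE gen_key=:gen');`, and the `header('Location:link-expired.html');` that follows needs an `exit;` so the rest of the page is not rendered for an expired link. In the second hunk `$_POST['pwd_confirm']` is bound straight into `CALL SetPassword(:gen,:password)`; whether the procedure hashes it cannot be seen here, and if it stores the value as given then `password_hash($password, PASSWORD_DEFAULT)` belongs on this side before binding. The enclosing `if(isset($_GET['gen']))` block continues past the end of the first hunk.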
59 changes: 40 additions & 19 deletions members/dashboard.php
@@ -1,28 +1,49 @@
<?php
include("header.php");
$conn1 = new mysqli($servername, $username, $password, $MainDB);
// Check connection
if ($conn1->connect_error) {
die("Connection failed: " . $conn->connect_error);
try{
$conn1 = new PDO('mysql:dbname='.$MainDB.';host='.$servername.';charset=utf8', $username, $password);
$conn1->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e){
$message = $e->getMessage() ;
header('pages/error.php?error='.$e->getMessage());
die();
}
$conn2 = new mysqli($servername, $username, $password, $formDB);
// Check connection
if ($conn2->connect_error) {
die("Connection failed: " . $conn->connect_error);

try{
$conn2 = new PDO('mysql:dbname='.$formDB.';host='.$servername.';charset=utf8', $username, $password);
$conn2->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn2->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e){
$message = $e->getMessage() ;
header('pages/error.php?error='.$e->getMessage());
die();
}
$resultc = $conn1->query('SELECT CONCAT("event_",LOWER(REPLACE((SELECT `event_name` FROM `events` order by `date` desc limit 1)," ","_"))) as code');
$rowc = $resultc->fetch_row();
$eventsCount = $rowc[0]; // Count total responses
$resultc = $conn2->query('SELECT COUNT(*) as code FROM '.$eventsCount);
if($resultc){
$rowc = $resultc->fetch_row();
$registrationCount = $rowc[0]; // Count total responses

$resultc = $conn1->prepare('SELECT CONCAT("event_",LOWER(REPLACE((SELECT `event_name` FROM `events` order by `date` desc limit 1)," ","_"))) as code');
$resultc->execute();
$rowc = $resultc->fetch();
$eventTable = $rowc[0]; // Return Latest Event Name
//echo $eventTable;
$ifTableExistSQL = $conn2->prepare('SELECT count(1) FROM information_schema.TABLES WHERE (TABLE_SCHEMA = :formDB) AND (TABLE_NAME = :eventTable)');
$ifTableExistSQL->bindValue(':formDB', $formDB);
$ifTableExistSQL->bindValue(':eventTable', $eventTable);
$ifTableExistSQL->execute();
$ifTableExist = $ifTableExistSQL->fetch();

if($ifTableExist[0]==1){
$evCountStmt = $conn2->prepare('SELECT count(*) from '.$eventTable);
$evCountStmt->execute();
$resultc = $evCountStmt->fetch();
$registrationCount = $resultc[0]; // Count total responses
}
else{
$registrationCount = 0;
$registrationCount = "Form not Generated";
}
$resultc = $conn1->query('SELECT COUNT(*) as code FROM events;');
$rowc = $resultc->fetch_row();
$conn2=null;
$resultc = $conn1->prepare('SELECT COUNT(*) as code FROM events;');
$resultc->execute();
$rowc = $resultc->fetch();
$eventsCount = $rowc[0]; // Count total responses

?>
Expand Down Expand Up @@ -52,7 +73,7 @@ class="row">
<div class="card-body">
<div class="row align-items-center no-gutters">
<div class="col mr-2">
<div class="text-uppercase text-primary font-weight-bold text-xs mb-1"><span>Registrations (Latest)</span></div>
<div class="text-uppercase text-primary font-weight-bold text-xs mb-1"><span>Registrations for <?php echo ucwords(str_replace("event ","",(str_replace("_"," ",$eventTable)))); ?> (Latest)</span></div>
<div class="text-dark font-weight-bold h5 mb-0"><span><?php echo $registrationCount; ?></span></div>
</div>
<div class="col-auto"><i class="fas fa-user-friends fa-2x text-gray-300"></i></div>
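Review bot: The new heading in the last hunk echoes `$eventTable`, a value derived from the `event_name` column, into HTML without escaping, and `$registrationCount` on the next line is echoed the same way, so an event name containing markup would render as-is. Wrap both in `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, e.g. `<?php echo htmlspecialchars(ucwords(str_replace("event ","",(str_replace("_"," ",$eventTable)))), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. The information_schema existence check ahead of `'SELECT count(*) from '.$eventTable` is the right guard for an identifier that cannot be bound; quoting the name in backticks (doubling any backtick inside it) would additionally cover event names that map to a valid but unusual table name. When `events` is empty the CONCAT subquery yields NULL, so `$eventTable` is null and the heading shows an empty name — probably acceptable, but a one-line comment on the `$eventTable = $rowc[0];` line would make that intentional.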
74 changes: 50 additions & 24 deletions members/db-manage.php
Expand Up @@ -41,33 +41,57 @@
else{
$perPage=$_GET['perPage'];
}
$conn = new mysqli($servername, $username, $password, $db);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
try{
$conn = new PDO('mysql:dbname='.$db.';host='.$servername.';charset=utf8', $username, $password);

$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $e){
$message = $e->getMessage() ;
header('Location:pages/error.php?error='.$e->getMessage());
die();
}
$sql = "show TABLES from ".$db;
$tableNames = $conn->query($sql);

$sql = $conn->prepare("show TABLES from ".$db);
$sql->execute();
$tableNames = $sql->fetchAll(PDO::FETCH_ASSOC);

if(!(empty($_GET['table']))){
$table = $_GET['table'];
$sql = "SELECT `COLUMN_NAME` FROM `INFORMATION_SCHEMA`.`COLUMNS` WHERE `TABLE_SCHEMA`='".$db."' AND `TABLE_NAME`='".$table."'";
// echo $sql; // For testing
$columns = $conn->query($sql); // COLUMN_NAME
$i=0;
foreach ($columns as $row) {
$colArr[$i]=$row['COLUMN_NAME'];
$i++;
$table_list=[];

foreach ($tableNames as $row) {
$table_list[]=$row["Tables_in_".$db];
}
$resultc = $conn->query("select count(*) from ".$table.";");
$rowc = $resultc->fetch_row();
$countr = $rowc[0]; // Count total responses
// calculate number of pages needed
$totalPages = ceil($countr/$perPage);
// Find the starting element for the current $page
$startPage = $perPage*($page-1);
$sql = "select * from ".$table." order by id limit ".$startPage.",".$perPage.";";
// echo "<br>".$sql; // For testing
$registrants = $conn->query($sql);

if(in_array($table,$table_list)){
$sql = $conn->prepare("SELECT `COLUMN_NAME` FROM `INFORMATION_SCHEMA`.`COLUMNS` WHERE `TABLE_SCHEMA`=:db AND `TABLE_NAME`=:table");
$sql->bindValue(":db",$db);
$sql->bindValue(":table",$table);
$sql->execute();
$columns = $sql->fetchAll(PDO::FETCH_ASSOC); // COLUMN_NAME
$i=0;
foreach ($columns as $row) {
$colArr[$i]=$row['COLUMN_NAME'];
$i++;
}
$sql = $conn->prepare("select count(*) from ".$table.";");
$sql->execute();
$rowc = $sql->fetch();
$countr = $rowc[0]; // Count total responses
// calculate number of pages needed
$totalPages = ceil($countr/$perPage);
// Find the starting element for the current $page
$startPage = $perPage*($page-1);
$sql = $conn->prepare("select * from ".$table." order by id limit :startpage,:perpage;");
$sql->bindValue(":startpage",$startPage);
$sql->bindValue(":perpage",$perPage);
$sql->execute();
$registrants = $sql->fetchAll(PDO::FETCH_ASSOC);
}else{
header('Location: ../public/bad-request.html');
}

}
?>
<html>
Expand Down Expand Up @@ -103,8 +127,10 @@
<select onchange="this.form.submit()" class="form-control border-1 small" style="width: 68%;max-width:15em;" name ="table" required>
<option value = "">Select an table</option>
<?php
$table_list=[];
foreach ($tableNames as $row) {
echo "<option value = ".$row["Tables_in_".$db].">".$row["Tables_in_".$db]."</option>";
$table_list[]=$row["Tables_in_".$db];
}
?>
</select><br>
Expand Down Expand Up @@ -137,7 +163,7 @@
<!-- Form weirdly starts here, don't ask me why :3 !-->
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="GET">
<input type="hidden" name="table" value="<?php echo $table; ?>"/>
<input type="hidden" name="page" value="<?php echo $page; ?>"/>
<input type="hidden" name="page" value="1"/>
<select onchange="this.form.submit()" name="perPage" class="form-control form-control-sm custom-select custom-select-sm">
<option value="10" <?php if($perPage==10){echo 'selected=""';} ?>>10</option>
<option value="25" <?php if($perPage==25){echo 'selected=""';} ?>>25</option>
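Review bot: The pagination binds in the first hunk, `$sql->bindValue(":startpage",$startPage);` and `$sql->bindValue(":perpage",$perPage);`, pass their values without `PDO::PARAM_INT`; `$perPage` arrives from `$_GET['perPage']` as a string, and with `ATTR_EMULATE_PREPARES` off a string-typed `LIMIT` argument is rejected by MySQL on at least some versions rather than coerced. activity-log.php in this same commit does it correctly — `bindValue(':perpage', (int) $perPage, PDO::PARAM_INT)` — so the two lines here should match that form. The `header('Location: ../public/bad-request.html');` in the else branch needs an `exit;`, otherwise the page continues with `$colArr` and `$registrants` undefined. The whitelist `in_array($table,$table_list)` is the right approach for an identifier that cannot be bound; pass `true` as the third argument so the comparison is strict. The second hunk rebuilds `$table_list` a second time, which is now redundant with the loop added above the check.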
25 changes: 17 additions & 8 deletions members/db-ops/delete.php
@@ -1,23 +1,32 @@
<?php
include("../header.php");
$conn = new mysqli($servername, $username, $password, $_GET['db']);
// Check connection
if ($conn->connect_error) {
header('Location: ../pages/error.php?error=Cannot connect to the server/database');
include("../header.php");
if(retIsAdmin($_SESSION['uname'])==0){
header('Location: pages/error.php?error=noAccess');
}
try{
$conn = new PDO('mysql:dbname='.$_GET['db'].';host='.$servername.';charset=utf8', $username, $password);
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e){
$message = $e->getMessage() ;
header('Location: ../pages/error.php?error=Cannot connect to the server/database');
die();
}

$tablename = $_GET["table"];
$id = $_GET["id"];

$delete_query = "DELETE FROM ".$tablename." WHERE id='".$id."';";
$delete_query = "DELETE FROM ".$tablename." WHERE id=:id";
$submit_stmt = $conn->prepare($delete_query);
$submit_stmt->bindValue(':id', $id);
if (!$submit_stmt) {
header('Location: ../pages/error.php?error=Error while executing the query');
}
$submit_stmt->execute();
if($_POST['db']==$MainDB)
if($_GET['db']==$MainDB)
$dbc=1;
else if($_POST['db']==$formDB)
else if($_GET['db']==$formDB)
$dbc=2;
else
$dbc=3;
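Review bot: The new admin check `if(retIsAdmin($_SESSION['uname'])==0)` only calls `header()` and does not stop the script, so a non-admin request still reaches `$submit_stmt->execute()` and the row is deleted; every `header('Location: ...')` in this file needs an `exit` after it. The DSN is still built from `$_GET['db']` and the table name from `$_GET["table"]` is concatenated into the DELETE with only `id` bound, although the `$dbc` block below already knows the two legitimate database names and db-manage.php in this commit whitelists table names against `SHOW TABLES`. The `if (!$submit_stmt)` test is dead: with `ERRMODE_EXCEPTION` a failed prepare throws, and the `bindValue` on the line above would already have failed on a false value. The redirect target `pages/error.php` in the admin branch also differs from the `../pages/error.php` used in the catch block; from `members/db-ops/` the latter looks like the intended path.

```php
include("../header.php");
if (retIsAdmin($_SESSION['uname']) == 0) {
    header('Location: ../pages/error.php?error=noAccess');
    exit; // header() alone does not stop execution; the DELETE below would still run
}
// Only the two known schemas may be opened; never build the DSN from raw input.
$db = $_GET['db'] ?? '';
if ($db !== $MainDB && $db !== $formDB) {
    header('Location: ../pages/error.php?error=Bad request');
    exit;
}
// … unchanged: try/catch, with the DSN now built from $db instead of $_GET['db'] …
$tablename = $_GET["table"];
$id = $_GET["id"];
// A table name cannot be a bound parameter; accept only names the schema actually reports.
$knownTables = $conn->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN);
if (!in_array($tablename, $knownTables, true)) {
    header('Location: ../pages/error.php?error=Bad request');
    exit;
}
$submit_stmt = $conn->prepare('DELETE FROM `' . str_replace('`', '``', $tablename) . '` WHERE id=:id');
$submit_stmt->bindValue(':id', $id);
$submit_stmt->execute();
// … unchanged: $dbc selection …
```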