Merge pull request #12 from conqeror/fix-sql-injections

Fix sql injections.
conqeror · Apr 26, 2018 · e9c39bf · e9c39bf
2 parents 4c0a394 + cce7af9
commit e9c39bf
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 84 deletions.
diff --git a/edit.php b/edit.php
@@ -15,23 +15,21 @@
     <?php
 
     include "db_config.php";
-    $link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-    mysqli_set_charset($link, "utf8");
-    mysqli_select_db($link,"nodla");
+    $pdo = new PDO($db_host, $db_user, $db_password);
     $accessstring = $_GET['as'];
-    $query = "SELECT * FROM teams WHERE accessstring = \"" . $accessstring . "\"";
-    $result = mysqli_query($link, $query);
-    if (!$result) {
+    $stmt = $pdo->prepare("SELECT * FROM teams WHERE accessstring = ?");
+    $stmt->execute(array($accessstring));
+    if (!$stmt) {
       die("Neplatný link!");
     }
-    $team = mysqli_fetch_assoc($result);
+    $team = $stmt->fetchObject();
     echo '<div class="first"></div>';
     if(isset($_GET['edited'])){
       echo '<div class="alert alert-success container" role="alert"><span class="glyphicon glyphicon-ok-sign" aria-hidden="true"></span> Úspešne si editoval údaje o tíme!</div>';
     }
 
     $checked = "";
-    if($team['attend'] == 1){
+    if($team->attend == 1){
       $checked = "checked";
     }
 
@@ -42,25 +40,25 @@
     </div>
     <div class="container">
     <form class="form-horizontal" id="form_update" role="form" action="update_teamdata.php" method="POST">
-    <input type="hidden" name="id" value="$team[id]">
+    <input type="hidden" name="id" value="$team->id">
     <input type="hidden" name="as" value="$accessstring">
     <legend>Info o tíme</legend>
 
     <div class="form-group">
     <label for="teamname" class="col-sm-2">Názov tímu</label>
     <div class="col-sm-7">
-      <input type="text" class="form-control" name="teamname" id="teamname" required value="$team[teamname]">
+      <input type="text" class="form-control" name="teamname" id="teamname" required value="$team->teamname">
     </div>
     </div>
 
     <div class="form-group">
         <label for="email" class="col-sm-2">e-mail</label>
         <div class="col-sm-4">
-        	<input type="email" class="form-control" name="email" id="email" required value="$team[email]">
+        	<input type="email" class="form-control" name="email" id="email" required value="$team->email">
         </div>
         <label for="phone" class="col-sm-1">tel. číslo</label>
         <div class="col-sm-2">
-        	<input type="tel" class="form-control" name="phone" id="phone" required value="$team[phone]">
+        	<input type="tel" class="form-control" name="phone" id="phone" required value="$team->phone">
         </div>
     </div>
 
@@ -69,11 +67,11 @@
     <div class="form-group">
         <label for="player1" class="col-sm-2">Meno</label>
         <div class="col-sm-4">
-        	<input type="text" class="form-control" name="player1" id="player1" required value="$team[name1]">
+        	<input type="text" class="form-control" name="player1" id="player1" required value="$team->name1">
         </div>
         <label for="age1" class="col-sm-1">Vek</label>
         <div class="col-sm-2">
-        	<input type="number" class="form-control" name="age1" id="age1" value="$team[age1]">
+        	<input type="number" class="form-control" name="age1" id="age1" value="$team->age1">
         </div>
     </div>
 
@@ -82,11 +80,11 @@
     <div class="form-group">
         <label for="player2" class="col-sm-2">Meno</label>
         <div class="col-sm-4">
-        	<input type="text" class="form-control" name="player2" id="player2" required value="$team[name2]">
+        	<input type="text" class="form-control" name="player2" id="player2" required value="$team->name2">
         </div>
         <label for="age2" class="col-sm-1">Vek</label>
         <div class="col-sm-2">
-        	<input type="number" class="form-control" name="age2" id="age2" value="$team[age2]">
+        	<input type="number" class="form-control" name="age2" id="age2" value="$team->age2">
         </div>
     </div>
 
@@ -95,11 +93,11 @@
     <div class="form-group">
         <label for="player3" class="col-sm-2">Meno</label>
         <div class="col-sm-4">
-        	<input type="text" class="form-control" name="player3" id="player3" required value="$team[name3]">
+        	<input type="text" class="form-control" name="player3" id="player3" required value="$team->name3">
         </div>
         <label for="age3" class="col-sm-1">Vek</label>
         <div class="col-sm-2">
-        	<input type="number" class="form-control" name="age3" id="age3" value="$team[age3]">
+        	<input type="number" class="form-control" name="age3" id="age3" value="$team->age3">
         </div>
     </div>
 
@@ -108,19 +106,19 @@
     <div class="form-group">
         <label for="player4" class="col-sm-2">Meno</label>
         <div class="col-sm-4">
-        	<input type="text" class="form-control" name="player4" id="player4" required value="$team[name4]">
+        	<input type="text" class="form-control" name="player4" id="player4" required value="$team->name4">
         </div>
         <label for="age4" class="col-sm-1">Vek</label>
         <div class="col-sm-2">
-        	<input type="number" class="form-control" name="age4" id="age4" value="$team[age4]">
+        	<input type="number" class="form-control" name="age4" id="age4" value="$team->age4">
         </div>
     </div>
 
     <hr>
     <div class="form-group">
       <label for="special" class="col-sm-2">Máte nejaké špeciálne požiadavky na stravu?</label>
       <div class="col-sm-6">
-        <textarea class="form-control custom-control" name="special" id="special" rows="4" style="resize:none">$team[special]</textarea>
+        <textarea class="form-control custom-control" name="special" id="special" rows="4" style="resize:none">$team->special</textarea>
       </div>
     </div>
     <div class="form-group">

diff --git a/forum.php b/forum.php
@@ -60,15 +60,12 @@
 EOT;
       $date_format = "d. m. Y H:i";
       include "db_config.php";
-      $link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-      mysqli_select_db($link,"nodla");
-      mysqli_set_charset($link, "utf8");
-
-      $result = mysqli_query($link, "SELECT * FROM forum ORDER BY id DESC");
+      $pdo = new PDO($db_host, $db_user, $db_password);
+      $result = $pdo->query("SELECT * FROM forum ORDER BY id DESC");
       if (!$result) {
         die("Query to show fields from table failed");
       }
-      while($row = mysqli_fetch_assoc($result))
+      foreach ($result as $row)
       {
         $org = "";
         if($row["org"] == 1){

diff --git a/news.php b/news.php
@@ -24,13 +24,9 @@
       <hr>
       <?php
         include "db_config.php";
-        $link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-        mysqli_set_charset($link, "utf8");
-        mysqli_select_db($link,"nodla");
+        $pdo = new PDO($db_host, $db_user, $db_password);
+        $num_teams = $pdo->query("SELECT COUNT(*) AS id FROM teams WHERE attend=1")->fetchColumn();
 
-        $counter = mysqli_query($link, "SELECT COUNT(*) AS id FROM teams WHERE attend=1");
-        $num = mysqli_fetch_array($counter);
-        $num_teams = $num["id"];
         include "competition_vars.php";
         $days_to_start = floor(($competition_start - time())/86400);
         $days_to_register = floor(($registration_end - time())/86400);
@@ -66,11 +62,11 @@
         $date_format = "d. m. Y H:i";
         echo '<div class="col-md-9"><h2>Novinky</h2>';
 
-        $result = mysqli_query($link, "SELECT * FROM news ORDER BY id DESC");
+        $result = $pdo->query("SELECT * FROM news ORDER BY id DESC");
         if (!$result) {
           die("Query to show fields from table failed");
         }
-        while($row = mysqli_fetch_assoc($result))
+        foreach($result as $row)
         {
 
           $fdate = date($date_format, strtotime($row["timestamp"]));
@@ -89,11 +85,11 @@
         }
 
         echo '<hr><h2>Najnovšie príspevky vo <a href="forum.php">fóre</a></h2>';
-        $result = mysqli_query($link, "SELECT * FROM forum ORDER BY id DESC LIMIT 3");
+        $result = $pdo->query("SELECT * FROM forum ORDER BY id DESC LIMIT 3");
         if (!$result) {
           die("Query to show fields from table failed");
         }
-        while($row = mysqli_fetch_assoc($result))
+        foreach($result as $row)
         {
           $org = "";
           if($row["org"] == 1){

diff --git a/register.php b/register.php
@@ -15,11 +15,8 @@
     <!-- let the content begin -->
     <?php
     include "db_config.php";
-    $link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-    mysqli_select_db($link,"nodla");
-    $counter = mysqli_query($link, "SELECT COUNT(*) AS id FROM teams WHERE attend=1");
-    $num = mysqli_fetch_array($counter);
-    $num_teams = $num["id"];
+    $pdo = new PDO($db_host, $db_user, $db_password);
+    $num_teams = $pdo->query("SELECT COUNT(*) AS id FROM teams WHERE attend=1")->fetchColumn();
     $full_capacity_message = "";
     $disabled = "";
     if($num_teams >= $capacity){

diff --git a/send_forummessage.php b/send_forummessage.php
@@ -1,7 +1,6 @@
 <?php
 include "db_config.php";
-$link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-mysqli_select_db($link,"nodla");
+$pdo = new PDO($db_host, $db_user, $db_password);
 if(isset($_REQUEST['submit']))
 {
 $errorMessage = "";
@@ -33,10 +32,14 @@
 echo "<p class='message'>" .$errorMessage. "</p>" ;
 }
 else{
-//Inserting record in table using INSERT query
-$insqDbtb="INSERT INTO `nodla`.`forum`
-(`name`, `message`, `org`) VALUES (_utf8'$name', _utf8'$message', '$org')";
-mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
+$sql = "INSERT INTO forum
+(name, message, org) VALUES (:name, :message, :org)";
+
+$stmt = $pdo->prepare($sql);
+$stmt->bindValue(":name", $name);
+$stmt->bindValue(":message", $message);
+$stmt->bindValue(":org", $org);
+$stmt->execute();
 
 header("Location: forum.php");
 }

diff --git a/send_teamdata.php b/send_teamdata.php
@@ -1,7 +1,6 @@
 <?php
 include "db_config.php";
-$link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-mysqli_select_db($link,"nodla");
+$pdo = new PDO($db_host, $db_user, $db_password);
 if(isset($_REQUEST['submit']))
 {
 $errorMessage = "";
@@ -38,13 +37,31 @@
 echo "<p class='message'>" .$errorMessage. "</p>" ;
 }
 else{
-//Inserting record in table using INSERT query
-$insqDbtb="INSERT INTO `nodla`.`teams`
-(`accessstring`, `teamname`, `email`, `phone`, `name1`, `age1`,
-`name2`, `age2`,`name3`, `age3`,`name4`, `age4`) VALUES ('$accessstring', _utf8'$teamname',
- '$email', '$phone', _utf8'$name1', '$age1', _utf8'$name2',
-  '$age2', _utf8'$name3', '$age3', _utf8'$name4', '$age4')";
-mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
+$sql = "
+INSERT INTO teams
+(accessstring, teamname, email, phone, name1, age1,
+name2, age2, name3, age3, name4, age4, special)
+VALUES
+(:accessstring, :teamname,
+:email, :phone, :name1, :age1, :name2,
+  :age2, :name3, :age3, :name4, :age4, :special)";
+
+$stmt = $pdo->prepare($sql);
+$stmt->bindValue(":accessstring", $accessstring);
+$stmt->bindValue(":teamname", $teamname);
+$stmt->bindValue(":email", $email);
+$stmt->bindValue(":phone", $phone);
+$stmt->bindValue(":name1", $name1);
+$stmt->bindValue(":age1", $age1);
+$stmt->bindValue(":name2", $name2);
+$stmt->bindValue(":age2", $age2);
+$stmt->bindValue(":name3", $name3);
+$stmt->bindValue(":age3", $age3);
+$stmt->bindValue(":name4", $name4);
+$stmt->bindValue(":age4", $age4);
+$stmt->bindValue(":special", $special);
+$stmt->execute();
+
 
 $subject = 'Nôdľa ťa víta!';
 $message = 'Ahoj!
@@ -53,8 +70,8 @@
 Ak by si chcel editovať údaje o tíme, navštív tento link http://nodla.sk/edit.php?as='
 . $accessstring . '
 
-Taktiež je potrebné uhradiť poplatok 15 eur na tím najneskôr do 24. 4. Platí sa na účet SK28 8360 5207 0042 0394 6590.
-Variabilné číslo pre platbu (rovnaké ako ID) je '.mysqli_insert_id($link).'.
+Taktiež je potrebné uhradiť poplatok 15 eur na tím najneskôr do 30. 4. Platí sa na účet SK28 8360 5207 0042 0394 6590.
+Variabilné číslo pre platbu (rovnaké ako ID) je '.$pdo->lastInsertId().'.
 
 Tešíme sa na Vás!';
 $headers = 'From: samo@fks.sk' . "\r\n" .

diff --git a/teams.php b/teams.php
@@ -39,15 +39,14 @@
 
     <?php
     include "db_config.php";
-    $link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-    mysqli_set_charset($link, "utf8");
-    mysqli_select_db($link,"nodla");
 
-    $result = mysqli_query($link, "SELECT * FROM teams");
+    $pdo = new PDO($db_host, $db_user, $db_password);
+    $result = $pdo->query("SELECT * FROM teams");
+
     if (!$result) {
       die("Query to show fields from table failed");
     }
-    while($row = mysqli_fetch_row($result))
+    foreach ($result as $row)
     {
       if($row[14] == 1){
       echo "<tr>";

diff --git a/update_teamdata.php b/update_teamdata.php
@@ -1,7 +1,6 @@
 <?php
 include "db_config.php";
-$link = mysqli_connect($db_host,$db_user,$db_password)  or die("failed to connect to server !!");
-mysqli_select_db($link,"nodla");
+$pdo = new PDO($db_host, $db_user, $db_password);
 if(isset($_REQUEST['submit']))
 {
 $errorMessage = "";
@@ -27,25 +26,40 @@
 echo "<p class='message'>" .$errorMessage. "</p>" ;
 }
 else{
-//Inserting record in table using INSERT query
-$insqDbtb="
-UPDATE `nodla`.`teams`
-SET `teamname` = _utf8'$teamname',
-`email` = '$email',
-`phone` = '$phone',
-`name1` = _utf8'$name1',
-`age1` = '$age1',
-`name2` = _utf8'$name2',
-`age2` = '$age2',
-`name3` = _utf8'$name3',
-`age3` = '$age3',
-`name4` = _utf8'$name4',
-`age4` = '$age4',
-`special` = '$special',
-`attend` = '$attend'
-WHERE `id` = '$id'
+$sql = "
+UPDATE `teams`
+SET `teamname` = :teamname,
+`email` = :email,
+`phone` = :phone,
+`name1` = :name1,
+`age1` = :age1,
+`name2` = :name2,
+`age2` = :age2,
+`name3` = :name3,
+`age3` = :age3,
+`name4` = :name4,
+`age4` = :age4,
+`special` = :special,
+`attend` = :attend
+WHERE `accessstring` = :as
 ";
-mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
+$stmt = $pdo->prepare($sql);
+$stmt->bindValue(":teamname", $teamname);
+$stmt->bindValue(":email", $email);
+$stmt->bindValue(":phone", $phone);
+$stmt->bindValue(":name1", $name1);
+$stmt->bindValue(":age1", $age1);
+$stmt->bindValue(":name2", $name2);
+$stmt->bindValue(":age2", $age2);
+$stmt->bindValue(":name3", $name3);
+$stmt->bindValue(":age3", $age3);
+$stmt->bindValue(":name4", $name4);
+$stmt->bindValue(":age4", $age4);
+$stmt->bindValue(":special", $special);
+$stmt->bindValue(":attend", $attend);
+$stmt->bindValue(":as", $as);
+$stmt->execute();
+
 header("Location: edit.php?as=$as&edited=1");
 }
 }