this commit is important: it has prevented all sql injection attacks in location_history by either using prepared statements or using mysqli::real_escape_string
kylebebak committed Dec 15, 2015
1 parent c126ec3 commit 87405b7
Showing 8 changed files with 24 additions and 29 deletions.
7 changes: 3 additions & 4 deletions location_history/controllers/__build_query.php
Expand Up @@ -3,20 +3,19 @@
include_once '../models/Location_History.php';



// range of dates
if ($dateFilter[0]) {
$query .= " AND start_date >= STR_TO_DATE('" . htmlspecialchars($dateFilter[0]) . "', '%m/%d/%Y')";
$query .= " AND start_date >= STR_TO_DATE('" . $db->mysqli()->real_escape_string($dateFilter[0]) . "', '%m/%d/%Y')";
}

if ($dateFilter[1]) {
$query .= " AND start_date <= STR_TO_DATE('" . htmlspecialchars($dateFilter[1]) . "', '%m/%d/%Y')";
$query .= " AND start_date <= STR_TO_DATE('" . $db->mysqli()->real_escape_string($dateFilter[1]) . "', '%m/%d/%Y')";
}


// filtered-out days
if (isset($dayFilter)) {
$query .= " AND DAYOFWEEK(start_date) NOT IN (" . htmlspecialchars($dayFilter) . ")";
$query .= " AND DAYOFWEEK(start_date) NOT IN (" . $dayFilter . ")";
}


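Review bot: `$dayFilter` on the `NOT IN (` line is interpolated without surrounding quotes, so the `real_escape_string` applied to it in __parse_query.php does not constrain it — escaping only neutralises quote and backslash characters, and an element such as `1) OR SLEEP(5) OR (1` contains none. Since DAYOFWEEK values are small integers, validate the shape at the point of use rather than trusting the caller: `if (isset($dayFilter) && preg_match('/^\d+(,\d+)*$/', $dayFilter)) {`. The two date branches are in better shape because the escaped value sits inside single quotes, but that still depends on the connection charset having been set with `mysqli::set_charset` (not visible here); given that `rawQuery` accepts bound parameters in graph.php and visits.php in this same commit, accumulating these values into a `$params` array and using `?` would remove that dependency. The initialisation of `$query` lies outside the hunk.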
6 changes: 3 additions & 3 deletions location_history/controllers/__parse_query.php
Expand Up @@ -6,18 +6,18 @@
// limit number of results
$limit = null;
if ($_POST['limit']) {
$limit = $_POST['limit'];
$limit = $db->mysqli()->real_escape_string($_POST['limit']);
}


// select only a certain range of dates
$dayFilter = null;
if (isset($_POST['dayFilter'])) {
$dayFilter = implode(',', $_POST['dayFilter']);
$dayFilter = $db->mysqli()->real_escape_string(implode(',', $_POST['dayFilter']));
}


// filter out certain days of the week
// filter out certain days of the week. the elements of this array are escaped in __build_query.php
$dateFilter = array('', '');
if (isset($_POST['dateFilter'])) {
$dateFilter = $_POST['dateFilter'];
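Review bot: `$limit` and `$dayFilter` are both consumed in unquoted numeric SQL positions (`LIMIT …` in main.php, `NOT IN (…)` in __build_query.php), so `real_escape_string` is the wrong tool on these two lines — it escapes quotes and backslashes, which a payload injected into an unquoted position does not need. Casting is the simple and complete fix: `$limit = (int) $_POST['limit'];` and `$dayFilter = implode(',', array_map('intval', (array) $_POST['dayFilter']));`. The unchanged `if ($_POST['limit'])` test also raises a notice when the key is absent; `if (!empty($_POST['limit']))` keeps the same truthiness semantics without it. The new comment on the `dateFilter` block correctly points to __build_query.php for escaping, but `$_POST['dateFilter']` is still passed through without checking that it is a two-element array, which is what `$dateFilter[0]` / `$dateFilter[1]` there assume.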
4 changes: 2 additions & 2 deletions location_history/controllers/global.php
Expand Up @@ -15,7 +15,7 @@
// CONSTRUCT WHERE CLAUSE
include '__build_query.php';

$visits = $db->rawQuery($query, null, false);
$visits = $db->rawQuery($query, null);



Expand All @@ -29,7 +29,7 @@
// CONSTRUCT WHERE CLAUSE
include '__build_query.php';

$trips = $db->rawQuery($query, null, false);
$trips = $db->rawQuery($query, null);


echo json_encode(array("visits" => $visits, "trips" => $trips));
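Review bot: The third argument to `rawQuery` is dropped in both calls without the commit recording what it controlled, so the library default now applies to every query in this file. If the database wrapper is the MysqliDb library, that parameter is presumably its `$sanitize` flag, which passes the whole SQL text through `filter_var(…, FILTER_SANITIZE_STRING)`; that is not an injection defence, and because it strips anything resembling a tag it can mangle operators such as the `<=` that __build_query.php appends — please confirm against the library version actually in use. Whichever way it resolves, a one-line comment on the first call, e.g. `// rawQuery default args are intentional; injection is prevented by escaping/binding in __parse_query.php and __build_query.php`, would record the decision for the next reader.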
7 changes: 2 additions & 5 deletions location_history/controllers/graph.php
Expand Up @@ -9,15 +9,12 @@
return;
}

$location_id = $_POST['location_id'];



// visits for location
$query = "SELECT
DATE(start_date) AS date, SUM(duration) AS duration
FROM grouped_point gp
WHERE location_id = " . htmlspecialchars($location_id);
WHERE location_id = ?";


// CONSTRUCT WHERE CLAUSE
Expand All @@ -26,7 +23,7 @@
// group by comes after where clause
$query .= " GROUP BY DATE(start_date)";

$results = $db->rawQuery($query, null, false);
$results = $db->rawQuery($query, Array($_POST['location_id']));


// convert seconds to hours, and make sure that no day is longer than 24 hours, by rolling extra hours over to the next record
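Review bot: The `?` placeholder for `location_id` is the right fix, but the value handed to `rawQuery` comes straight from `$_POST['location_id']`; the guard above the hunk (its start is outside the visible lines) appears only to short-circuit on absence, so a non-numeric string is still bound and compared with what is presumably an integer column via MySQL's implicit conversion. Casting at the call site states the expected type and avoids relying on the driver's type inference: `$results = $db->rawQuery($query, array((int) $_POST['location_id']));` (lowercase `array`, matching the rest of the file). A short comment is also warranted that __build_query.php appends further string-escaped conditions after this placeholder, so the single bound value must remain the only `?` in the query.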
4 changes: 2 additions & 2 deletions location_history/controllers/main.php
Expand Up @@ -24,12 +24,12 @@

// limit clause comes last
if (isset($limit)) {
$query .= " LIMIT " . htmlspecialchars($limit);
$query .= " LIMIT " . $limit;
}



echo json_encode($db->rawQuery($query, null, false));
echo json_encode($db->rawQuery($query, null));



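Review bot: `" LIMIT " . $limit` interpolates the value unquoted, so the `real_escape_string` applied in __parse_query.php does not constrain it — escaping only affects quote and backslash characters, which an attacker appending clauses after `LIMIT 1` does not need. Cast at the point of use so this file is safe regardless of what the parser did: `$query .= " LIMIT " . (int) $limit;` — a non-numeric value then degrades to `LIMIT 0`, which is harmless. The `rawQuery` call on the last changed line drops its third argument; if that is the wrapper's `$sanitize` flag, a comment stating that the default is intentional would help. `$query` itself is built outside the hunk.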
12 changes: 6 additions & 6 deletions location_history/controllers/trips.php
Expand Up @@ -9,7 +9,7 @@
return;
}

$location_id = htmlspecialchars($_POST['location_id']);
$location_id = $db->mysqli()->real_escape_string($_POST['location_id']);



Expand All @@ -28,7 +28,7 @@

include '__build_query.php';
$query .= " GROUP BY t.end_location_id HAVING count_lid > 1 ORDER BY count_lid DESC";
$start_aggregate = $db->rawQuery($query, null, false);
$start_aggregate = $db->rawQuery($query, null);



Expand All @@ -50,7 +50,7 @@

include '__build_query.php';
$query .= " ORDER BY c.count_lid DESC, t.end_location_id, t.start_date ASC";
$start_all = $db->rawQuery($query, null, false);
$start_all = $db->rawQuery($query, null);



Expand All @@ -67,7 +67,7 @@

include '__build_query.php';
$query .= " GROUP BY t.start_location_id HAVING count_lid > 1 ORDER BY count_lid DESC";
$end_aggregate = $db->rawQuery($query, null, false);
$end_aggregate = $db->rawQuery($query, null);



Expand All @@ -89,7 +89,7 @@

include '__build_query.php';
$query .= " ORDER BY c.count_lid DESC, t.start_location_id, t.end_date ASC";
$end_all = $db->rawQuery($query, null, false);
$end_all = $db->rawQuery($query, null);



Expand All @@ -109,7 +109,7 @@
$query .= " ORDER BY t.start_date ASC) SQ, location ls, location le
WHERE ls.id = SQ.start_location_id AND le.id = SQ.end_location_id";

$start_end_all = $db->rawQuery($query, null, false);
$start_end_all = $db->rawQuery($query, null);



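Review bot: `$location_id` is run through `real_escape_string` in the first hunk, but the query that consumes it starts outside the visible hunks; if it is interpolated unquoted (`WHERE location_id = " . $location_id`, as graph.php and visits.php did before this commit), the escaping gives no protection, because a payload injected there needs no quote characters. graph.php and visits.php switch the same value to a `?` placeholder in this commit; trips.php should do the same, or at minimum cast it: `$location_id = (int) $_POST['location_id'];`. The remaining hunks only drop `rawQuery`'s third argument and raise nothing further.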
9 changes: 2 additions & 7 deletions location_history/controllers/visits.php
Expand Up @@ -9,22 +9,19 @@
return;
}

$location_id = $_POST['location_id'];


// visits for location
$query = "SELECT
DATE(gp.start_date) as start_date, TIME(gp.start_date) as start_time, TIME_TO_SEC(gp.start_date) as start_time_sec, TIME_TO_SEC(gp.end_date) as end_time_sec, duration
FROM grouped_point gp
WHERE location_id = " . htmlspecialchars($location_id);
WHERE location_id = ?";



// CONSTRUCT WHERE CLAUSE
include '__build_query.php';
include_once '../models/Circular.php';

$results = $db->rawQuery($query, null, false);
$results = $db->rawQuery($query, Array($_POST['location_id']));


$start_times = array();
Expand All @@ -43,6 +40,4 @@
"results" => $results));




?>
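Review bot: `Array($_POST['location_id'])` binds the raw POST value, and with the guard above the hunk (cut off here) presumably checking only presence, the bound type is whatever the driver infers; a cast makes the intent explicit and independent of that inference: `$results = $db->rawQuery($query, array((int) $_POST['location_id']));`. Separately, the closing `?>` kept at the end of this file is a trailing-output hazard in a script that echoes JSON — any whitespace after it is sent to the client ahead of or after the payload — and should simply be removed.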
4 changes: 4 additions & 0 deletions location_history/css/style.css
Expand Up @@ -208,6 +208,10 @@ li#weekdays-container {
margin-top: 8px;
}

label.checkbox {
color: black !important;
}

li#search-container {
margin-top: 11px;
margin-right: 10px;
