FabrikaHradekTour/res/forum/api/update_user.php

<?php

include("../../global.php");
session_start();

if (!isset($_SESSION["username"])) goto fail;

$out = $database -> query("SELECT username, admin, user_info FROM user WHERE BINARY username=\"" . $_SESSION["username"] . "\" AND admin=\"1\"");

if (!isset($_GET["old_username"])) return;

$user = false;

if ($out -> num_rows != 1 && $_GET["old_username"] != $_SESSION["username"])
{
    fail:
    echo "nope";
    header("Location: ../../../index.php");
    return;
} else if ($out -> num_rows != 1)
{
    $user = true;
}

$safe_old_username = mysqli_real_escape_string($database, $_GET["old_username"]);
$safe_username = mysqli_real_escape_string($database, $_GET["username"]);
$safe_admin = mysqli_real_escape_string($database, $_GET["admin"]);
$safe_sex = mysqli_real_escape_string($database, $_GET["sex"]); //fr
$safe_bio = mysqli_real_escape_string($database, $_GET["bio"]);
$safe_nickname = mysqli_real_escape_string($database, $_GET["nickname"]);

$user_info_id = (($database -> query("SELECT user_info FROM user WHERE username=\"" . $safe_old_username . "\"")) -> fetch_assoc())["user_info"];

if (!$user) $database -> query("UPDATE user SET username=\"" . $safe_username . "\", admin=" . $safe_admin . " WHERE user_info=" . $user_info_id);
$database -> query("UPDATE user_info SET sex=" . $safe_sex . ", bio=\"" . $safe_bio . "\", nickname=\"" . $safe_nickname . "\" WHERE id=" . $user_info_id);
created api for user update 2024-05-22 17:20:11 +02:00			`<?php`

			`include("../../global.php");`
			`session_start();`

			`if (!isset($_SESSION["username"])) goto fail;`

			`$out = $database -> query("SELECT username, admin, user_info FROM user WHERE BINARY username=\"" . $_SESSION["username"] . "\" AND admin=\"1\"");`

			`if (!isset($_GET["old_username"])) return;`

preventing user from setting admin to himself lol 2024-05-22 21:01:02 +02:00			`$user = false;`

created api for user update 2024-05-22 17:20:11 +02:00			`if ($out -> num_rows != 1 && $_GET["old_username"] != $_SESSION["username"])`
			`{`
			`fail:`
			`echo "nope";`
			`header("Location: ../../../index.php");`
			`return;`
preventing user from setting admin to himself lol 2024-05-22 21:01:02 +02:00			`} else if ($out -> num_rows != 1)`
			`{`
			`$user = true;`
created api for user update 2024-05-22 17:20:11 +02:00			`}`

preventing from sql injection in APIs whoopsie 2024-05-25 15:49:49 +02:00			`$safe_old_username = mysqli_real_escape_string($database, $_GET["old_username"]);`
			`$safe_username = mysqli_real_escape_string($database, $_GET["username"]);`
			`$safe_admin = mysqli_real_escape_string($database, $_GET["admin"]);`
			`$safe_sex = mysqli_real_escape_string($database, $_GET["sex"]); //fr`
			`$safe_bio = mysqli_real_escape_string($database, $_GET["bio"]);`
			`$safe_nickname = mysqli_real_escape_string($database, $_GET["nickname"]);`
created api for user update 2024-05-22 17:20:11 +02:00
preventing from sql injection in APIs whoopsie 2024-05-25 15:49:49 +02:00			`$user_info_id = (($database -> query("SELECT user_info FROM user WHERE username=\"" . $safe_old_username . "\"")) -> fetch_assoc())["user_info"];`

			`if (!$user) $database -> query("UPDATE user SET username=\"" . $safe_username . "\", admin=" . $safe_admin . " WHERE user_info=" . $user_info_id);`
			`$database -> query("UPDATE user_info SET sex=" . $safe_sex . ", bio=\"" . $safe_bio . "\", nickname=\"" . $safe_nickname . "\" WHERE id=" . $user_info_id);`