From bf9df619098ee8dfcf31c35344832c6304021605 Mon Sep 17 00:00:00 2001
From: ENGO150
Date: Sat, 25 May 2024 15:49:49 +0200
Subject: [PATCH] preventing from sql injection in APIs whoopsie
---
 res/forum/api/remove_user.php | 4 +++-
 res/forum/api/update_user.php | 13 ++++++++++---
 res/forum/api/user_info.php | 4 +++-
 3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/res/forum/api/remove_user.php b/res/forum/api/remove_user.php
index e182014..c5996fa 100644
--- a/res/forum/api/remove_user.php
+++ b/res/forum/api/remove_user.php
@@ -17,7 +17,9 @@ if ($out -> num_rows != 1)
 if (!isset($_GET["username"])) return;
-$user_info_id = (($database -> query("SELECT user_info FROM user WHERE BINARY username=\"" . $_GET["username"] . "\"")) -> fetch_assoc())["user_info"];
+$safe_username = mysqli_real_escape_string($database, $_GET["username"]);
+
+$user_info_id = (($database -> query("SELECT user_info FROM user WHERE BINARY username=\"" . $safe_username . "\"")) -> fetch_assoc())["user_info"];
 $database -> query("DELETE FROM user WHERE user_info=" . $user_info_id);
 $database -> query("DELETE FROM user_info WHERE id=" . $user_info_id);
\ No newline at end of file
diff --git a/res/forum/api/update_user.php b/res/forum/api/update_user.php
index 750fd2c..3fb18e1 100644
--- a/res/forum/api/update_user.php
+++ b/res/forum/api/update_user.php
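Review bot: `$user_info_id`, taken from the `fetch_assoc()` result, is still concatenated unquoted into both DELETE statements, and when no row matches `fetch_assoc()` returns null, so the statements are sent as `WHERE user_info=` with nothing after the `=`; bail out on a missing row and cast the id before use, e.g. `$row = $database -> query(...) -> fetch_assoc(); if ($row === null) return; $user_info_id = (int) $row["user_info"];`. The escape on the new `$safe_username` line is correct only because the value sits inside double quotes in the SQL text; a prepared statement (`$database->prepare("SELECT user_info FROM user WHERE BINARY username=?")` followed by `bind_param("s", $_GET["username"])`) removes that coupling and is the fix to prefer here and in update_user.php and user_info.php. Separately, this endpoint deletes an account on a plain `$_GET` request, so if it is authorised by the session cookie alone it is exposed to cross-site request forgery; state-changing APIs should require POST plus a per-session token. The rest of the file, including the `$out` check named in the hunk header, is outside the hunk.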
@@ -22,7 +22,14 @@ if ($out -> num_rows != 1 && $_GET["old_username"] != $_SESSION["username"])
 $user = true;
 }
-$user_info_id = (($database -> query("SELECT user_info FROM user WHERE username=\"" . $_GET["old_username"] . "\"")) -> fetch_assoc())["user_info"];
+$safe_old_username = mysqli_real_escape_string($database, $_GET["old_username"]);
+$safe_username = mysqli_real_escape_string($database, $_GET["username"]);
+$safe_admin = mysqli_real_escape_string($database, $_GET["admin"]);
+$safe_sex = mysqli_real_escape_string($database, $_GET["sex"]); //fr
+$safe_bio = mysqli_real_escape_string($database, $_GET["bio"]);
+$safe_nickname = mysqli_real_escape_string($database, $_GET["nickname"]);
-if (!$user) $database -> query("UPDATE user SET username=\"" . $_GET["username"] . "\", admin=" . $_GET["admin"] . " WHERE user_info=" . $user_info_id);
-$database -> query("UPDATE user_info SET sex=" . $_GET["sex"] . ", bio=\"" . $_GET["bio"] . "\", nickname=\"" . $_GET["nickname"] . "\" WHERE id=" . $user_info_id);
\ No newline at end of file
+$user_info_id = (($database -> query("SELECT user_info FROM user WHERE username=\"" . $safe_old_username . "\"")) -> fetch_assoc())["user_info"];
+
+if (!$user) $database -> query("UPDATE user SET username=\"" . $safe_username . "\", admin=" . $safe_admin . " WHERE user_info=" . $user_info_id);
+$database -> query("UPDATE user_info SET sex=" . $safe_sex . ", bio=\"" . $safe_bio . "\", nickname=\"" . $safe_nickname . "\" WHERE id=" . $user_info_id);
\ No newline at end of file
diff --git a/res/forum/api/user_info.php b/res/forum/api/user_info.php
index 757ad8b..c8ae307 100644
--- a/res/forum/api/user_info.php
+++ b/res/forum/api/user_info.php
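Review bot: The new `$safe_admin` and `$safe_sex` values are concatenated into unquoted numeric positions (`admin=" . $safe_admin` and `sex=" . $safe_sex`), where `mysqli_real_escape_string` gives no protection: it only escapes quote, backslash, NUL and line-break characters, so any other text in `$_GET["admin"]` or `$_GET["sex"]` still reaches the parser as SQL. Escaping is the right tool only for a value placed inside quotes; for these two fields either cast with `(int)` before concatenation or, better, move all three statements to prepared statements with `bind_param`, which also covers the string fields and `$user_info_id` uniformly — sketched below, assuming `admin` and `sex` are integer columns as the unquoted usage implies and that `mysqli_stmt::get_result()` is available. The new lines also read the five `$_GET` keys without an `isset` check, so a request missing any of them produces warnings and an empty value inside the statement. The `//fr` comment on the `$safe_sex` line carries no information and should be dropped. The `if` block whose closing brace opens the hunk begins outside it.
```php
// … unchanged: admin check that sets $user …
if (!isset($_GET["old_username"], $_GET["username"], $_GET["admin"], $_GET["sex"], $_GET["bio"], $_GET["nickname"])) return;

$stmt = $database->prepare("SELECT user_info FROM user WHERE username=?");
$stmt->bind_param("s", $_GET["old_username"]);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row === null) return;
$user_info_id = (int) $row["user_info"];

if (!$user) {
    $admin = (int) $_GET["admin"];
    $stmt = $database->prepare("UPDATE user SET username=?, admin=? WHERE user_info=?");
    $stmt->bind_param("sii", $_GET["username"], $admin, $user_info_id);
    $stmt->execute();
}

$sex = (int) $_GET["sex"];
$stmt = $database->prepare("UPDATE user_info SET sex=?, bio=?, nickname=? WHERE id=?");
$stmt->bind_param("issi", $sex, $_GET["bio"], $_GET["nickname"], $user_info_id);
$stmt->execute();
```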
@@ -17,7 +17,9 @@ if ($out -> num_rows != 1 && $_GET["username"] != $_SESSION["username"])
 return;
 }
-$out = $database -> query("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=\"" . $_GET["username"] . "\"");
+$safe_username = mysqli_real_escape_string($database, $_GET["username"]);
+
+$out = $database -> query("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=\"" . $safe_username . "\"");
 $output = array();
 $res = $out -> fetch_assoc();
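Review bot: The escape on the new `$safe_username` line is correct for its position inside the double-quoted literal, but the query is still assembled as a string, and `$res = $out -> fetch_assoc();` on the last context line runs on whatever `query()` returned, so a failed query ends in an uncaught error rather than an empty response. A prepared statement removes the string assembly and keeps the result handling unchanged, as sketched below (assumes `mysqli_stmt::get_result()` is available). This lookup, like the one in update_user.php, matches `username` without `BINARY` while remove_user.php uses `BINARY username`, so depending on the column collation the three endpoints may not agree on which row a given username denotes; the comparison mode should be the same in all three. The block closed by the `}` at the top of the hunk starts outside it.
```php
// … unchanged: authorisation check on the session user …
$stmt = $database->prepare("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=?");
$stmt->bind_param("s", $_GET["username"]);
$stmt->execute();
$out = $stmt->get_result();
// … unchanged: $output = array(); $res = $out -> fetch_assoc(); …
```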