ENGO150/FabrikaHradekTour
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
FabrikaHradekTour/res/forum/api/user_info.php
ENGO150 bf9df61909
preventing from sql injection in APIs 
whoopsie
2024-05-25 15:49:49 +02:00

33 lines
913 B
PHP
Raw Blame History

<?php
include("../../global.php");
session_start();
if (!isset($_SESSION["username"])) goto fail;
$out = $database -> query("SELECT username, admin FROM user WHERE BINARY username=\"" . $_SESSION["username"] . "\" AND admin=\"1\"");
if (!isset($_GET["username"])) return;
if ($out -> num_rows != 1 && $_GET["username"] != $_SESSION["username"])
{
fail:
echo "nope";
header("Location: ../../../index.php");
return;
}
$safe_username = mysqli_real_escape_string($database, $_GET["username"]);
$out = $database -> query("SELECT user.username, user.admin, user_info.bio, user_info.nickname, user_info.sex FROM user INNER JOIN user_info ON user.user_info=user_info.id AND username=\"" . $safe_username . "\"");
$output = array();
$res = $out -> fetch_assoc();
foreach ($res as $key => $value)
{
$output[$key] = $value;
}
header('Content-type: application/json');
echo json_encode($output);
Reference in New Issue View Git Blame Copy Permalink