Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix critical SQL injection vulnerabilities #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bbdoc merged 6 commits into from
Nov 4, 2025
Merged

Fix critical SQL injection vulnerabilities #160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b3d5f68
Fix critical SQL injection vulnerabilities in 10 files
ComplementaryPogo Oct 31, 2025
fe01943
Fix secondary SQL injection vulnerabilities in session and modal files
ComplementaryPogo Oct 31, 2025
d1405f5
Fix SQL injection vulnerabilities in pokemon.php
ComplementaryPogo Oct 31, 2025
2e0843d
Fix remaining SQL injection vulnerabilities
ComplementaryPogo Oct 31, 2025
94dfc7f
Fix SQL injection vulnerabilities in all display pages
ComplementaryPogo Oct 31, 2025
a0b8b92
Fix SQL injection vulnerabilities in poracle_api.php and quick_pick.php
ComplementaryPogo Oct 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion actions/channel_sync.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,21 @@

if (isset($_POST['sync'])) {

foreach ($_POST as $key => $value) {
foreach ($_POST as $key => $value) {
if (substr($key, 0, 7) == "target_") {
$target = ltrim($key, 'target_');
$target_fields = explode("|", $target);
$target_db=$target_fields[0];
$target_id=$target_fields[1];
$target_id=str_replace("_com", ".com", $target_id);

// Database names cannot be parameterized in prepared statements (they are identifiers, not values)
// so we use a whitelist to validate the database name before using string interpolation
$allowed_dbs = explode(",", $dbname);
if (!in_array($target_db, $allowed_dbs)) {
die("Invalid database");
}

// Delete All Previous Trackings
$stmt = $conn->prepare("DELETE FROM ".$target_db.".monsters WHERE id = ?");
$rs = $stmt->bind_param("s", $target_id);
Expand Down
6 changes: 4 additions & 2 deletions actions/set_language.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,10 @@

// Update Language in DB

$sql = "UPDATE humans set language = '".$_GET['lng']."' WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql) or die(mysqli_error($conn));
$stmt = $conn->prepare("UPDATE humans SET language = ? WHERE id = ?");
$stmt->bind_param("ss", $_GET['lng'], $_SESSION['id']);
$stmt->execute() or die(mysqli_error($conn));
$stmt->close();

header("Location: $redirect_url");

Expand Down
30 changes: 20 additions & 10 deletions actions/set_location.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,16 +10,26 @@
$lat = "0.0000000000";
$lon = "0.0000000000";

$sql = "UPDATE monsters set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
$result = $conn->query($sql);
$sql = "UPDATE raid set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
$result = $conn->query($sql);
$sql = "UPDATE egg set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
$result = $conn->query($sql);
$sql = "UPDATE quest set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
$result = $conn->query($sql);
$sql = "UPDATE invasion set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'";
$result = $conn->query($sql);
$stmt = $conn->prepare("UPDATE monsters set distance = 0 WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
$stmt->execute();
$stmt->close();
$stmt = $conn->prepare("UPDATE raid set distance = 0 WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
$stmt->execute();
$stmt->close();
$stmt = $conn->prepare("UPDATE egg set distance = 0 WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
$stmt->execute();
$stmt->close();
$stmt = $conn->prepare("UPDATE quest set distance = 0 WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
$stmt->execute();
$stmt->close();
$stmt = $conn->prepare("UPDATE invasion set distance = 0 WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
$stmt->execute();
$stmt->close();

} else if ( isset($_GET['lat']) && isset($_GET['lon']) ) {

Expand Down
73 changes: 42 additions & 31 deletions actions/switch_profile.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,23 +11,23 @@
$_SESSION['profile'] = $_POST['profile'];
}

if ( isset($_POST['activate']) ) {

$sql = "SELECT area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_POST['profile']."'";
$result = $conn->query($sql);
while ($row = $result->fetch_assoc()) {
$area = $row['area'];
$latitude = $row['latitude'];
$longitude = $row['longitude'];
if ( isset($_POST['activate']) ) {

$stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?");
$stmt->bind_param("si", $_SESSION['id'], $_POST['profile']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$area = $row['area'];
$latitude = $row['latitude'];
$longitude = $row['longitude'];
}
$stmt->close();

$sql = "UPDATE humans
SET area = '".$area."',
latitude = '".$latitude."',
longitude = '".$longitude."',
current_profile_no = '".$_POST['profile']."'
WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("UPDATE humans SET area = ?, latitude = ?, longitude = ?, current_profile_no = ? WHERE id = ?");
$stmt->bind_param("ssdis", $area, $latitude, $longitude, $_POST['profile'], $_SESSION['id']);
$stmt->execute();
$stmt->close();
header("Location: $redirect_url?type=display&page=profiles&return=success_switch_profile_activate");


Expand All @@ -41,27 +41,32 @@

// Get Next Profile Number
#$sql = "SELECT IFNULL(max(profile_no),0)+1 next_profile from profiles WHERE id = '" . $_SESSION['id'] . "'";
$sql = "SELECT MIN(t1.profile_no + 1) AS nextID
FROM (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t1
LEFT JOIN (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t2
$stmt = $conn->prepare("SELECT MIN(t1.profile_no + 1) AS nextID
FROM (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t1
LEFT JOIN (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t2
ON t1.profile_no + 1 = t2.profile_no
WHERE t2.profile_no IS NULL";

$result = $conn->query($sql);
WHERE t2.profile_no IS NULL");
$stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$next_profile = $row['nextID'];
}
$stmt->close();

if ( $next_profile == 1 ) {
// Get Info on currently active Profile
$sql = "SELECT area, latitude, longitude from humans WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT area, latitude, longitude from humans WHERE id = ?");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$area = $row['area'];
$latitude = $row['latitude'];
$longitude = $row['longitude'];
$_SESSION['profile_name'] = $_POST['profile_name'];
}
$stmt->close();
} else {
$area = "[]";
$latitude = "0.0000000000";
Expand Down Expand Up @@ -153,26 +158,32 @@

// Change Active Profile if Deleting Active one

$sql = "select current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$current_profile = $row['current_profile_no'];
}
$stmt->close();

if ( $current_profile == $_SESSION['profile']) {
$sql = "UPDATE humans set current_profile_no =
(select IFNULL(min(profile_no),1) from profiles where id = '".$_SESSION['id']."')
WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("UPDATE humans set current_profile_no = (select IFNULL(min(profile_no),1) from profiles where id = ?) WHERE id = ?");
$stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']);
$stmt->execute();
$stmt->close();
}

// Check for smaller Profiles and redirect

$sql = "select IFNULL(min(profile_no),1) min from profiles WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT IFNULL(min(profile_no),1) min from profiles WHERE id = ?");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$_SESSION['profile'] = $row['min'];
}
$stmt->close();

header("Location: $redirect_url?type=display&page=profiles&return=success_delete_profile");

Expand Down
14 changes: 10 additions & 4 deletions admin_connect.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,10 @@
}

$conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $_SESSION['dbname']);
$sql = "select id, name, type, notes FROM humans WHERE id = '".$search_id."'";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT id, name, type, notes FROM humans WHERE id = ?");
$stmt->bind_param("s", $search_id);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows == 0) {
header("Location: $redirect_url?return=user_not_found");
Expand All @@ -60,6 +62,7 @@
$_SESSION['type']=$row['type'];
$_SESSION['notes']=$row['notes'];
}
$stmt->close();

// Get Config Items from API and Store in Session Variables

Expand Down Expand Up @@ -108,11 +111,14 @@

// Switch to active Profile

$sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$_SESSION['profile'] = $row['current_profile_no'];
}
$stmt->close();

header("Location: $redirect_url");

Expand Down
18 changes: 12 additions & 6 deletions admin_sync.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,8 +94,10 @@
foreach ($dbnames as &$db) {

$conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
$sql = "select id, name, type FROM humans WHERE type like 'discord:channel' AND id <> '".$_SESSION['id']."' ORDER by name";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'discord:channel' AND id <> ? ORDER by name");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
?>

<?php if ($result->num_rows <> 0) { ?>
Expand Down Expand Up @@ -145,8 +147,10 @@
foreach ($dbnames as &$db) {

$conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
$sql = "select id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> '".$_SESSION['id']."' ORDER by name";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> ? ORDER by name");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
?>

<?php if ($result->num_rows <> 0) { ?>
Expand Down Expand Up @@ -196,8 +200,10 @@
foreach ($dbnames as &$db) {

$conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db);
$sql = "select id, name, type FROM humans WHERE type like 'webhook' AND id <> '".$_SESSION['id']."' ORDER by name";
$result = $conn->query($sql);
$stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'webhook' AND id <> ? ORDER by name");
$stmt->bind_param("s", $_SESSION['id']);
$stmt->execute();
$result = $stmt->get_result();
?>

<?php if ($result->num_rows <> 0) { ?>
Expand Down
Loading