From b3d5f68c3fc53c4e9bcd0cf7e51b271af74f2d9e Mon Sep 17 00:00:00 2001 From: Complementary Date: Fri, 31 Oct 2025 08:45:01 -0500 Subject: [PATCH 1/6] Fix critical SQL injection vulnerabilities in 10 files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace all string concatenation in SQL queries with prepared statements to prevent SQL injection attacks. Changes include: - actions/set_language.php: Fix critical $_GET['lng'] injection - actions/switch_profile.php: Fix 5 SQL injections with POST/session data - admin_connect.php: Fix search_id injections from GET/POST - actions/set_location.php: Fix 5 UPDATE queries with session variables - include/functions.php: Fix set_locale() and default_distance() with table name whitelist - include/db_mad.php: Fix gym ID injections in get_gym_by_id() and get_gym_url() - include/db_rdm.php: Fix gym ID injections in get_gym_by_id() and get_gym_url() - header.php: Fix 11 session-based queries throughout - admin_sync.php: Fix 3 queries with session IDs - actions/channel_sync.php: Add database name whitelist validation All queries now use mysqli prepared statements with bind_param() for user and session data. Table and database names use whitelist validation since they cannot be parameterized. Added explanatory comments for security patterns. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- actions/channel_sync.php | 9 ++- actions/set_language.php | 6 +- actions/set_location.php | 30 ++++++---- actions/switch_profile.php | 73 +++++++++++++---------- admin_connect.php | 14 +++-- admin_sync.php | 18 ++++-- header.php | 116 +++++++++++++++++++++++++------------ include/db_mad.php | 14 +++-- include/db_rdm.php | 14 +++-- include/functions.php | 24 +++++--- 10 files changed, 212 insertions(+), 106 deletions(-) diff --git a/actions/channel_sync.php b/actions/channel_sync.php index d14dd9d4..2f11e655 100644 --- a/actions/channel_sync.php 
+++ b/actions/channel_sync.php @@ -5,7 +5,7 @@ if (isset($_POST['sync'])) { - foreach ($_POST as $key => $value) { + foreach ($_POST as $key => $value) { if (substr($key, 0, 7) == "target_") { $target = ltrim($key, 'target_'); $target_fields = explode("|", $target); @@ -13,6 +13,13 @@ $target_id=$target_fields[1]; $target_id=str_replace("_com", ".com", $target_id); + // Database names cannot be parameterized in prepared statements (they are identifiers, not values) + // so we use a whitelist to validate the database name before using string interpolation + $allowed_dbs = explode(",", $dbname); + if (!in_array($target_db, $allowed_dbs)) { + die("Invalid database"); + } + // Delete All Previous Trackings $stmt = $conn->prepare("DELETE FROM ".$target_db.".monsters WHERE id = ?"); $rs = $stmt->bind_param("s", $target_id); diff --git a/actions/set_language.php b/actions/set_language.php index 492b43bb..335230b4 100644 --- a/actions/set_language.php +++ b/actions/set_language.php @@ -11,8 +11,10 @@ // Update Language in DB -$sql = "UPDATE humans set language = '".$_GET['lng']."' WHERE id = '" . $_SESSION['id'] . "'"; -$result = $conn->query($sql) or die(mysqli_error($conn)); +$stmt = $conn->prepare("UPDATE humans SET language = ? WHERE id = ?"); +$stmt->bind_param("ss", $_GET['lng'], $_SESSION['id']); +$stmt->execute() or die(mysqli_error($conn)); +$stmt->close(); header("Location: $redirect_url"); diff --git a/actions/set_location.php b/actions/set_location.php index 9b8cd47a..ed8f32a5 100644 --- a/actions/set_location.php +++ b/actions/set_location.php 
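Review bot: The database-name whitelist added in the @@ -13 hunk of channel_sync.php uses a loose `in_array`, and the list it checks against is `explode(",", $dbname)` with no trimming, so a configured value like `db1, db2` rejects `db2` while the comparison itself still coerces types; `if (!in_array($target_db, array_map('trim', $allowed_dbs), true)) { die("Invalid database"); }` makes both explicit. Because `$target_db` originates from a `$_POST` key and is then interpolated as an identifier, wrapping it in backticks in the DELETE keeps the statement well-formed for any name the whitelist admits. Note also that the context line `ltrim($key, 'target_')` strips a character set rather than a prefix, so the fields `$target_db` is split from may be mangled for keys whose payload begins with one of those characters — worth confirming against the form that posts them. The enclosing `foreach`/`if` body continues past the end of the hunk.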
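Review bot: In set_language.php the result of `$conn->prepare(...)` is used unchecked; `prepare()` returns `false` on a malformed query or a lost connection, and the following `bind_param()` then throws a fatal `Error` instead of the `die(mysqli_error($conn))` the replaced code produced. `$stmt = $conn->prepare("UPDATE humans SET language = ? WHERE id = ?") or die(mysqli_error($conn));` keeps the old failure mode, and the same unchecked `prepare()` recurs in every other hunk of this series (set_location, switch_profile, admin_connect, admin_sync, header, db_mad, db_rdm, functions, the modal and pages/display files). Separately, `$_GET['lng']` is now stored verbatim: parameter binding stops it from altering the query, but since set_locale() in functions.php copies the stored `language` into `$_SESSION['locale']`, validating it against the supported language list before the UPDATE is the cheaper place to reject unexpected values.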
@@ -10,16 +10,26 @@ $lat = "0.0000000000"; $lon = "0.0000000000"; - $sql = "UPDATE monsters set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE raid set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE egg set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE quest set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE invasion set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE monsters set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE raid set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE egg set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE quest set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE invasion set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); } else if ( isset($_GET['lat']) && isset($_GET['lon']) ) { diff --git a/actions/switch_profile.php b/actions/switch_profile.php index c99b9d40..8fa6d2e5 100644 
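Review bot: The five prepare/bind/execute/close blocks in set_location.php differ only in the table name, which is fixed in source, so a loop over the table list expresses the same five updates once and leaves a single place to add a table or an error check; the seven `min(clean)` blocks in the header.php @@ -58 hunk have the same shape. Since the table name never comes from the request, interpolating it from the literal array is not an injection path. The `if` body shown here ends with the `} else if (...)` at the bottom of the hunk; that branch continues outside.

```php
// Table names are identifiers and cannot be bound; this list is fixed in source, not taken from the request.
foreach (['monsters', 'raid', 'egg', 'quest', 'invasion'] as $table) {
    $stmt = $conn->prepare("UPDATE {$table} set distance = 0 WHERE id = ? AND profile_no = ?");
    $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
    $stmt->execute();
    $stmt->close();
}
```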
--- a/actions/switch_profile.php +++ b/actions/switch_profile.php @@ -11,23 +11,23 @@ $_SESSION['profile'] = $_POST['profile']; } - if ( isset($_POST['activate']) ) { - - $sql = "SELECT area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_POST['profile']."'"; - $result = $conn->query($sql); - while ($row = $result->fetch_assoc()) { - $area = $row['area']; - $latitude = $row['latitude']; - $longitude = $row['longitude']; + if ( isset($_POST['activate']) ) { + + $stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_POST['profile']); + $stmt->execute(); + $result = $stmt->get_result(); + while ($row = $result->fetch_assoc()) { + $area = $row['area']; + $latitude = $row['latitude']; + $longitude = $row['longitude']; } + $stmt->close(); - $sql = "UPDATE humans - SET area = '".$area."', - latitude = '".$latitude."', - longitude = '".$longitude."', - current_profile_no = '".$_POST['profile']."' - WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE humans SET area = ?, latitude = ?, longitude = ?, current_profile_no = ? WHERE id = ?"); + $stmt->bind_param("ssdis", $area, $latitude, $longitude, $_POST['profile'], $_SESSION['id']); + $stmt->execute(); + $stmt->close(); header("Location: $redirect_url?type=display&page=profiles&return=success_switch_profile_activate"); 
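Review bot: In the activate branch of switch_profile.php the UPDATE binds `$latitude` as `s` but `$longitude` as `d` (`"ssdis"`), although both values come from the same SELECT and presumably share a column type; binding them alike, e.g. `$stmt->bind_param("sddis", $area, $latitude, $longitude, $_POST['profile'], $_SESSION['id']);` if the columns are numeric, avoids a silent cast on only one of them. `$area`, `$latitude` and `$longitude` are assigned only inside the SELECT's `while` loop, so a `$_POST['profile']` that does not belong to the session user yields zero rows and the UPDATE then writes nulls into `humans`; checking `$result->num_rows` before the UPDATE and redirecting on zero closes that. `$stmt->get_result()`, used here and in every later hunk, is available only with the mysqlnd driver — worth confirming for the deployment. The `if ( isset($_POST['activate']) )` block continues past the end of the hunk.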
@@ -41,27 +41,32 @@ // Get Next Profile Number #$sql = "SELECT IFNULL(max(profile_no),0)+1 next_profile from profiles WHERE id = '" . $_SESSION['id'] . "'"; - $sql = "SELECT MIN(t1.profile_no + 1) AS nextID - FROM (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t1 - LEFT JOIN (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t2 + $stmt = $conn->prepare("SELECT MIN(t1.profile_no + 1) AS nextID + FROM (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t1 + LEFT JOIN (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t2 ON t1.profile_no + 1 = t2.profile_no - WHERE t2.profile_no IS NULL"; - - $result = $conn->query($sql); + WHERE t2.profile_no IS NULL"); + $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $next_profile = $row['nextID']; } + $stmt->close(); if ( $next_profile == 1 ) { // Get Info on currently active Profile - $sql = "SELECT area, latitude, longitude from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $area = $row['area']; $latitude = $row['latitude']; $longitude = $row['longitude']; $_SESSION['profile_name'] = $_POST['profile_name']; } + $stmt->close(); } else { $area = "[]"; $latitude = "0.0000000000"; 
@@ -153,26 +158,32 @@ // Change Active Profile if Deleting Active one - $sql = "select current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $current_profile = $row['current_profile_no']; } + $stmt->close(); if ( $current_profile == $_SESSION['profile']) { - $sql = "UPDATE humans set current_profile_no = - (select IFNULL(min(profile_no),1) from profiles where id = '".$_SESSION['id']."') - WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE humans set current_profile_no = (select IFNULL(min(profile_no),1) from profiles where id = ?) WHERE id = ?"); + $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']); + $stmt->execute(); + $stmt->close(); } // Check for smaller Profiles and redirect - $sql = "select IFNULL(min(profile_no),1) min from profiles WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT IFNULL(min(profile_no),1) min from profiles WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['min']; } + $stmt->close(); header("Location: $redirect_url?type=display&page=profiles&return=success_delete_profile"); diff --git a/admin_connect.php b/admin_connect.php index 9bdf2874..74fd96ea 100644 --- a/admin_connect.php +++ b/admin_connect.php 
@@ -46,8 +46,10 @@ } $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $_SESSION['dbname']); -$sql = "select id, name, type, notes FROM humans WHERE id = '".$search_id."'"; -$result = $conn->query($sql); +$stmt = $conn->prepare("SELECT id, name, type, notes FROM humans WHERE id = ?"); +$stmt->bind_param("s", $search_id); +$stmt->execute(); +$result = $stmt->get_result(); if ($result->num_rows == 0) { header("Location: $redirect_url?return=user_not_found"); @@ -60,6 +62,7 @@ $_SESSION['type']=$row['type']; $_SESSION['notes']=$row['notes']; } +$stmt->close(); // Get Config Items from API and Store in Session Variables @@ -108,11 +111,14 @@ // Switch to active Profile -$sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; -$result = $conn->query($sql); +$stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); +$stmt->bind_param("s", $_SESSION['id']); +$stmt->execute(); +$result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['current_profile_no']; } +$stmt->close(); header("Location: $redirect_url"); diff --git a/admin_sync.php b/admin_sync.php index c6176cab..2b5a0a53 100644 --- a/admin_sync.php +++ b/admin_sync.php @@ -94,8 +94,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type like 'discord:channel' AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'discord:channel' AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> 
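Review bot: In admin_connect.php the first hunk ends right after `header("Location: $redirect_url?return=user_not_found");`, so whether execution stops there is not visible; if no `exit()` follows, the rest of the page (which fills `$_SESSION` from the result and later switches the active profile) keeps running for a `$search_id` that matched nothing. Adding `exit();` directly after that `header()` makes the redirect unconditional. The `if ($result->num_rows == 0)` block continues outside the hunk.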
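Review bot: The three admin_sync.php hunks (this one and the two at @@ -145 and @@ -196) prepare a statement but never call `$stmt->close()`, unlike every other hunk in this series; since each iteration of `foreach ($dbnames as &$db)` also opens a fresh `new mysqli(...)` that is never closed, adding `$stmt->close();` once the result is consumed (and `$conn->close();` at the end of the iteration) stops connections from accumulating across the loop. The three queries differ only in the `type` filter, so one prepared statement with `type` as a third bound parameter would also remove the repetition. The template block that reads `$result->num_rows` continues past the end of the hunk.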
@@ -145,8 +147,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> @@ -196,8 +200,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type like 'webhook' AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'webhook' AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> diff --git a/header.php b/header.php index dcc8b8d0..0de7fa95 100644 --- a/header.php +++ b/header.php 
@@ -31,26 +31,34 @@ // Set Profile to current if not yet set if (!isset($_SESSION['profile']) && isset($_SESSION['id'])) { - $sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['current_profile_no']; } + $stmt->close(); } // Check if user has Multiple Profiles if (isset($_SESSION['id'])) { - $sql = "SELECT name FROM profiles WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT name FROM profiles WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); $_SESSION['number_of_profiles'] = $result->num_rows; + $stmt->close(); } // Get Profile Name if (isset($_SESSION['id'])) { - $sql = "SELECT name FROM profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT name FROM profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows > 0) { while ($row = $result->fetch_assoc()) { $_SESSION['profile_name'] = $row['name']; 
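Review bot: In the `// Get Profile Name` block of this hunk, `$stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile'])` runs whenever `$_SESSION['id']` is set, but `$_SESSION['profile']` is assigned only inside the `while` loop of the first block, so when the `humans` row is missing it is still undefined here and is bound as null with an undefined-index notice. Guarding that block with `if (isset($_SESSION['id']) && isset($_SESSION['profile'])) {`, or assigning a default after the first block, keeps the lookup well-defined. The `// Check if user has Multiple Profiles` block runs `SELECT name FROM profiles` only to read `num_rows`; `SELECT COUNT(*)` gives the same count without transferring every name. The third block's `if` body continues past the end of the hunk.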
@@ -58,68 +66,95 @@ } else { $_SESSION['profile_name'] = i8ln("Default"); } + $stmt->close(); } // Get Active Profile if (isset($_SESSION['id'])) { - $sql = "SELECT current_profile_no from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['current_profile'] = $row['current_profile_no']; } + $stmt->close(); } // Check for Cleaned if (isset($_SESSION['id'])) { - $sql = "select min(clean) clean FROM monsters WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM monsters WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_mon_cleaned = $row['clean']; } - - $sql = "select min(clean) clean FROM (select id, clean from raid UNION select id, clean from egg) raidegg WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt->close(); + + $stmt = $conn->prepare("SELECT min(clean) clean FROM (select id, clean from raid UNION select id, clean from egg) raidegg WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_raid_cleaned = $row['clean']; } - - $sql = "select min(clean) clean FROM quest WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt->close(); + + $stmt = $conn->prepare("SELECT min(clean) clean FROM quest WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_quest_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM invasion WHERE id = '" . $_SESSION['id'] . 
"'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM invasion WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_invasion_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM lures WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM lures WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_lures_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM nests WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM nests WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_nests_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM gym WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM gym WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_gyms_cleaned = $row['clean']; } + $stmt->close(); // Get Areas, Lat, long and Enabled from Humans Table - $sql = "select area, latitude, longitude, enabled, admin_disable, disabled_date from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude, enabled, admin_disable, disabled_date from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $area_set = $row['area']; $latitude = $row['latitude']; 
@@ -128,11 +163,14 @@ $admin_disable = $row['admin_disable']; $disabled_date = $row['disabled_date']; } + $stmt->close(); // Overwrite with Profile info if a profile is available - $sql = "select area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '". $_SESSION['profile'] ."'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows > 0) { while ($row = $result->fetch_assoc()) { @@ -141,6 +179,7 @@ $longitude = $row['longitude']; } } + $stmt->close(); } @@ -159,17 +198,20 @@ if (isset($enable_admin_dis) && $enable_admin_dis == "False" && isset($_SESSION['admin_id']) && $_SESSION['id'] <> $_SESSION['admin_id']) { - $subs_clause .= " AND admin_disable = 0"; + $stmt = $conn->prepare("SELECT * from humans WHERE id = ? AND admin_disable = 0"); + } else { + $stmt = $conn->prepare("SELECT * from humans WHERE id = ?"); } - - $sql = "SELECT * from humans WHERE id = '" . $_SESSION['id'] . "' ".@$subs_clause; - $result = $conn->query($sql); - if ($result->num_rows == 0) { - if (strpos($_SERVER['REQUEST_URI'],$redirect_page) == false) { - header("Location: $redirect_url/$redirect_page"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); + if ($result->num_rows == 0) { + if (strpos($_SERVER['REQUEST_URI'],$redirect_page) == false) { + header("Location: $redirect_url/$redirect_page"); exit(); - } - } + } + } + $stmt->close(); } else { // If not logged in import login page diff --git a/include/db_mad.php b/include/db_mad.php index 51d6873a..4f902fc6 100644 --- a/include/db_mad.php +++ b/include/db_mad.php 
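Review bot: In the @@ -159 hunk the re-indented redirect guard keeps `strpos($_SERVER['REQUEST_URI'],$redirect_page) == false`, a loose comparison that treats a match at offset 0 the same as no match; `if (strpos($_SERVER['REQUEST_URI'], $redirect_page) === false) {` (or `!str_contains(...)` on PHP 8) states the intent exactly. Both new prepared queries use `SELECT *` although only `num_rows` is read; `SELECT 1 FROM humans WHERE id = ? AND admin_disable = 0` and its counterpart perform the same check without pulling the whole row. The logged-in `if` branch this hunk belongs to starts before it, and the `else` body at the bottom continues outside.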
@@ -116,12 +116,15 @@ function get_raid_bosses() {
 function get_gym_by_id($id) {
 global $scan_conn;
- $sql = "SELECT name from gymdetails where gym_id = '".$id."'";
- $result = $scan_conn->query($sql);
+ $stmt = $scan_conn->prepare("SELECT name from gymdetails where gym_id = ?");
+ $stmt->bind_param("s", $id);
+ $stmt->execute();
+ $result = $stmt->get_result();
 while($row = $result->fetch_assoc()) {
 $gym_name = $row['name'];
 }
+ $stmt->close();
 return $gym_name;
@@ -130,12 +133,15 @@ function get_gym_by_id($id) {
 function get_gym_url($id) {
 global $scan_conn;
- $sql = "SELECT url from gymdetails where gym_id = '".$id."'";
- $result = $scan_conn->query($sql);
+ $stmt = $scan_conn->prepare("SELECT url from gymdetails where gym_id = ?");
+ $stmt->bind_param("s", $id);
+ $stmt->execute();
+ $result = $stmt->get_result();
 while($row = $result->fetch_assoc()) {
 $gym_url = $row['url'];
 }
+ $stmt->close();
 return $gym_url;
diff --git a/include/db_rdm.php b/include/db_rdm.php
index 2180734d..4a9f6441 100644
--- a/include/db_rdm.php
+++ b/include/db_rdm.php
@@ -119,12 +119,15 @@ function get_raid_bosses() {
 function get_gym_by_id($id) {
 global $scan_conn;
- $sql = "SELECT name from gym where id = '".$id."'";
- $result = $scan_conn->query($sql);
+ $stmt = $scan_conn->prepare("SELECT name from gym where id = ?");
+ $stmt->bind_param("s", $id);
+ $stmt->execute();
+ $result = $stmt->get_result();
 while($row = $result->fetch_assoc()) {
 $gym_name = $row['name'];
 }
+ $stmt->close();
 return $gym_name;
@@ -133,12 +136,15 @@ function get_gym_by_id($id) {
 function get_gym_url($id) {
 global $scan_conn;
- $sql = "SELECT url from gym where id = '".$id."'";
- $result = $scan_conn->query($sql);
+ $stmt = $scan_conn->prepare("SELECT url from gym where id = ?");
+ $stmt->bind_param("s", $id);
+ $stmt->execute();
+ $result = $stmt->get_result();
 while($row = $result->fetch_assoc()) {
 $gym_url = $row['url'];
 }
+ $stmt->close();
 return $gym_url;
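Review bot: In get_gym_by_id() and get_gym_url() — all four hunks here, in both db_mad.php and db_rdm.php — `$gym_name` / `$gym_url` is assigned only inside the `while` loop, so an `$id` with no matching row reaches `return $gym_name;` with the variable undefined and emits a notice; initialising `$gym_name = null;` (and `$gym_url = null;`) before the loop makes the empty result explicit while returning the same value callers already receive. The functions take `$id` untyped and carry no docblock; a one-line comment stating that the return is the name or URL, or null when the id is unknown, would tell callers what to check. Each function's closing brace lies outside the hunks shown.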
diff --git a/include/functions.php b/include/functions.php index ce895a2b..d979bf88 100644 --- a/include/functions.php +++ b/include/functions.php @@ -396,13 +396,16 @@ function set_locale() { if (isset($_SESSION['id'])) { include_once "./config.php"; include_once "./include/db_connect.php"; - $sql = "select language FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql) or die(mysqli_error($conn)); - while ($row = $result->fetch_assoc()) { - if ( $row['language'] <> "" ) { + $stmt = $conn->prepare("SELECT language FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute() or die(mysqli_error($conn)); + $result = $stmt->get_result(); + while ($row = $result->fetch_assoc()) { + if ( $row['language'] <> "" ) { $_SESSION['locale'] = $row['language']; } } + $stmt->close(); } } 
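Review bot: `$stmt->execute() or die(mysqli_error($conn))` in set_locale() (and likewise in default_distance() in the next hunk and in set_language.php) writes the raw driver error text into the HTTP response, exposing table and column names to the client on any failure; `error_log(mysqli_error($conn))` followed by `die("Database error")` keeps the fail-stop behaviour without the disclosure. Separately, `$conn` reaches this function only through `include_once "./include/db_connect.php"` executed inside the function body, so if set_locale() is invoked twice in one request the second call will not re-run the include and `$conn` is undefined there — worth confirming how db_connect.php exposes the connection. The `if (isset($_SESSION['id']))` body is fully inside the hunk; the function itself starts before it.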
@@ -581,10 +584,17 @@ function default_distance($table) { if (isset($_SESSION['id'])) { include_once "./config.php"; include_once "./include/db_connect.php"; - $sql = "select max(distance) distance FROM $table WHERE id = '" . $_SESSION['id'] . "'"; - $sql = "SELECT distance, count(*) FROM $table WHERE id = '" . $_SESSION['id'] . "' GROUP BY distance ORDER BY count(*) DESC LIMIT 1"; - $result = $conn->query($sql) or die(mysqli_error($conn)); + // Table names cannot be parameterized in prepared statements (they are identifiers, not values) + // so we use a whitelist to validate the table name before using string interpolation + $allowed_tables = array('monsters', 'raid', 'egg', 'quest', 'invasion', 'lures', 'gym'); + if (!in_array($table, $allowed_tables)) { die("Invalid table"); } + $sql = "SELECT distance, count(*) FROM $table WHERE id = ? GROUP BY distance ORDER BY count(*) DESC LIMIT 1"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute() or die(mysqli_error($conn)); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $default_distance = $row['distance']; } + $stmt->close(); } if ( !isset($default_distance) ) { $default_distance = 0; } From fe019433e5b5a6f87ca782097167a426f5a5a76e Mon Sep 17 00:00:00 2001 
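Review bot: The table whitelist added to default_distance() compares with a loose `in_array` and omits `nests`, although modal/distance_nests_modal.php in the second patch reads `distance from nests` with the same `id` filter, so any caller that passes `'nests'` now terminates with `die("Invalid table")` — confirm the callers before merging. `if (!in_array($table, $allowed_tables, true)) { die("Invalid table"); }` makes the check exact, with `'nests'` added if such a caller exists. As this is a library function, falling through to the existing `$default_distance = 0;` fallback a few lines below (or throwing) would be friendlier than ending the page. The tail of default_distance() continues after the hunk.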
From: Complementary Date: Fri, 31 Oct 2025 08:53:10 -0500 Subject: [PATCH 2/6] Fix secondary SQL injection vulnerabilities in session and modal files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace string concatenation in SQL queries with prepared statements to prevent SQL injection attacks. These vulnerabilities are lower priority than the previous commit since they use $_SESSION['id'] rather than direct user input. However, a fault in authentication logic or a compromised identity provider could allow malicious values in $_SESSION['id'], leading to SQL injection. Changes include: - session.php: Fix $_SESSION['id'] injection when checking user database - modal/areas_modal.php: Fix 2 SQL injections with session data - modal/edit_profile_modal.php: Fix 3 SQL injections with session data - modal/distance_*_modal.php: Fix 7 distance query injections (pokemons, raids, gyms, invasions, lures, nests, quests) All queries now use mysqli prepared statements with bind_param() for defense in depth. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- modal/areas_modal.php | 10 +++++++--- modal/distance_gyms_modal.php | 7 +++++-- modal/distance_invasions_modal.php | 7 +++++-- modal/distance_lures_modal.php | 7 +++++-- modal/distance_nests_modal.php | 7 +++++-- modal/distance_pokemons_modal.php | 7 +++++-- modal/distance_quests_modal.php | 7 +++++-- modal/distance_raids_modal.php | 8 +++++--- modal/edit_profile_modal.php | 21 +++++++++++++++------ session.php | 7 +++++-- 10 files changed, 62 insertions(+), 26 deletions(-) diff --git a/modal/areas_modal.php b/modal/areas_modal.php index 4a31abea..f3ad4e21 100644 --- a/modal/areas_modal.php +++ b/modal/areas_modal.php 
@@ -3,18 +3,22 @@ // Check Current Selection if ($_SESSION['profile'] == $_SESSION['current_profile'] ) { - $sql = "select area FROM humans WHERE id = '" . $_SESSION['id'] . "'"; + $stmt = $conn->prepare("SELECT area FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); } else { - $sql = "select area FROM profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; + $stmt = $conn->prepare("SELECT area FROM profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); } -$result = $conn->query($sql); +$stmt->execute(); +$result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $existing_area = $row['area']; $existing_area = json_decode($row['area']); } +$stmt->close(); echo "
diff --git a/modal/distance_gyms_modal.php b/modal/distance_gyms_modal.php index 42698846..fde084ae 100644 --- a/modal/distance_gyms_modal.php +++ b/modal/distance_gyms_modal.php @@ -8,8 +8,10 @@
query($sql); + $stmt = $conn->prepare("SELECT distance from gym WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?>
query($sql); + $stmt = $conn->prepare("SELECT distance from invasion WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from lures WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from nests WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from monsters WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from quest WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; 
@@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from (SELECT distance,id from raid UNION SELECT distance,id from egg) raidegg WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -18,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> - + close(); + ?> diff --git a/pages/display/invasion.php b/pages/display/invasion.php index 8b25f5d6..0f3178b9 100644 --- a/pages/display/invasion.php +++ b/pages/display/invasion.php @@ -99,9 +99,11 @@ class="btn btn-danger"> // Show Invasions - $sql = "SELECT * FROM invasion WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - ORDER BY grunt_type"; - $result = $conn->query($sql); + $sql = "SELECT * FROM invasion WHERE id = ? AND profile_no = ? ORDER BY grunt_type"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo " - + close(); + ?> diff --git a/pages/display/lure.php b/pages/display/lure.php index b7ba389b..1f7fd7c7 100644 --- a/pages/display/lure.php +++ b/pages/display/lure.php @@ -99,9 +99,11 @@ class="btn btn-danger"> // Show Lures - $sql = "SELECT * FROM lures WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - ORDER BY lure_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM lures WHERE id = ? AND profile_no = ? ORDER BY lure_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo " - + close(); + ?> diff --git a/pages/display/nest.php b/pages/display/nest.php index 84ae8000..7b4b7ef5 100644 
--- a/pages/display/nest.php +++ b/pages/display/nest.php @@ -99,9 +99,11 @@ class="btn btn-danger"> // Show Nests - $sql = "SELECT * FROM nests WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - ORDER BY pokemon_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM nests WHERE id = ? AND profile_no = ? ORDER BY pokemon_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo " - + close(); + ?> diff --git a/pages/display/quest.php b/pages/display/quest.php index 900b4bc7..5486a989 100644 --- a/pages/display/quest.php +++ b/pages/display/quest.php @@ -100,18 +100,24 @@ class="btn btn-danger"> // Show Quests - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo ""; } + $stmt->close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 7 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 7 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { 
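Review bot: In quest.php the first statement (`SELECT * FROM quest WHERE id = ? AND profile_no = ?`) is executed only to test `num_rows == 0`, so `SELECT 1 FROM quest WHERE id = ? AND profile_no = ?` does the same check without materialising every row. The reward_type queries in this hunk and the ones at @@ -272, @@ -418 and @@ -565 are the same statement with a different literal, so preparing it once with `reward_type` as a third bound parameter and re-executing it per section removes four prepare/close cycles; `bind_param` binds by reference, so reassigning the variable before each `execute()` is enough. The rendering that consumes each `$result` continues outside the hunks.

```php
// One statement for every reward_type section; bind_param binds by reference, so
// reassigning $reward_type before each execute() re-runs it with the new value.
$stmt = $conn->prepare("SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = ? ORDER BY reward");
$stmt->bind_param("sii", $_SESSION['id'], $_SESSION['profile'], $reward_type);
$reward_type = 7;
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: rendering of the reward_type 7 section …
$reward_type = 2;
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: the 12 and 4 sections repeat the same three lines; $stmt->close() once after the last …
```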
@@ -272,10 +278,13 @@ class="badge badge-pill badge-info w-100">close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 2 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 2 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -418,10 +427,13 @@ class="badge badge-pill badge-info w-100">close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 12 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 12 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -565,12 +577,15 @@ class="badge badge-pill badge-info w-100"> - close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 4 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 4 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -716,7 +731,9 @@ class="badge badge-pill badge-info w-100"> - + close(); + ?> diff --git a/pages/display/quick_pick.php b/pages/display/quick_pick.php index 3eb18c51..83aa33b9 100644 --- a/pages/display/quick_pick.php +++ b/pages/display/quick_pick.php 
@@ -1,17 +1,25 @@ query($sql); + $sql = "SELECT min(clean) clean FROM monsters WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $mon_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(distance) distance FROM monsters WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $sql = "SELECT min(distance) distance FROM monsters WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $mon_distance = $row['distance']; } + $stmt->close(); ?> diff --git a/pages/display/raid.php b/pages/display/raid.php index 6f9a17e4..7eefb52e 100644 --- a/pages/display/raid.php +++ b/pages/display/raid.php @@ -102,8 +102,11 @@ class="btn btn-danger"> // Show Eggs & Raids - $sql = "select * FROM egg WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "' ORDER BY level"; - $result = $conn->query($sql); + $sql = "SELECT * FROM egg WHERE id = ? AND profile_no = ? ORDER BY level"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { 
@@ -286,10 +289,13 @@ class="badge badge-pill badge-info w-100">close(); - $sql = "select * FROM raid WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "' - AND pokemon_id = 9000 ORDER BY level"; - $result = $conn->query($sql); + $sql = "SELECT * FROM raid WHERE id = ? AND profile_no = ? AND pokemon_id = 9000 ORDER BY level"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -462,10 +468,13 @@ class="badge badge-pill badge-info w-100"> close(); - $sql = "select * FROM raid WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND pokemon_id <> 9000 ORDER BY pokemon_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM raid WHERE id = ? AND profile_no = ? AND pokemon_id <> 9000 ORDER BY pokemon_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -649,6 +658,7 @@ class="badge badge-pill badge-info w-100"> close(); ?> From a0b8b92db463647b06bc7a104a4c818aa46ff9fe Mon Sep 17 00:00:00 2001 From: Complementary Date: Fri, 31 Oct 2025 10:02:30 -0500 Subject: [PATCH 6/6] Fix SQL injection vulnerabilities in poracle_api.php and quick_pick.php MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Convert all session variable queries to prepared statements: - poracle_api.php: 1 query (admin list from $_SESSION['poracle_admins']) - quick_pick.php: 9 queries (100% IV, 0% IV, PvP rankings, Magikarp/Rattata weights, XXS/XXL sizes) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- pages/display/poracle_api.php | 10 +++-- pages/display/quick_pick.php | 80 +++++++++++++++++++++++++---------- 2 files changed, 65 insertions(+), 25 deletions(-) 
diff --git a/pages/display/poracle_api.php b/pages/display/poracle_api.php index 69151680..5bcbcb0b 100644 --- a/pages/display/poracle_api.php +++ b/pages/display/poracle_api.php @@ -233,15 +233,19 @@ $padmin) { + foreach($_SESSION['poracle_admins'] as $key => $padmin) { - $sql = "select type, name FROM humans where id = '$padmin'"; - $result = $conn->query($sql); + $sql = "SELECT type, name FROM humans WHERE id = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("s", $padmin); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { if ($row['type'] == "discord:user") { $color="primary"; } else if ($row['type'] == "telegram:user") { $color="info"; } echo "".$row['type']." | ".$padmin." | ".$row['name']."
"; } + $stmt->close(); } diff --git a/pages/display/quick_pick.php b/pages/display/quick_pick.php index 83aa33b9..1c5b76f7 100644 --- a/pages/display/quick_pick.php +++ b/pages/display/quick_pick.php @@ -52,15 +52,19 @@
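Review bot: The values interpolated into the echo just below the loop head — `$row['type']`, `$padmin` and `$row['name']` — still reach the HTML unescaped, so the injection fix leaves a stored-XSS path if the humans.name column holds user-chosen display names (likely, but not visible here); wrapping each in `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` closes it. That echo is a context line, so it is outside what this commit set out to change, but it sits on the same trust boundary as the query it follows. Separately, the statement is prepared and closed once per admin inside the foreach; hoisting `$stmt = $conn->prepare($sql);` above the loop, keeping bind_param/execute/get_result per iteration, and calling `$stmt->close();` once after the loop avoids re-parsing the same SQL for every entry. The enclosing PHP block starts before the hunk.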
query($sql); + + $sql = "SELECT uid FROM monsters WHERE min_iv = 100 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } - + while ($row = $result->fetch_assoc()) { $uid = $row['uid']; - } - + } + $stmt->close(); + ?> @@ -90,13 +94,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE min_iv = 0 AND max_iv = 0 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -127,13 +135,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
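Review bot: The quick_pick.php hunks (@@ -52 through @@ -397) repeat the same prepare/bind_param/execute/get_result/fetch/close sequence nine times, differing only in the WHERE clause, so any later change to error handling or to how `$found`/`$uid` are derived has to be made in nine places. A small helper that takes the SQL and returns the matched uid (or null) reduces each block to `$uid = quick_pick_uid($conn, $sql, $_SESSION['id'], (int) $_SESSION['profile']); $found = $uid === null ? "" : 1;`, with `$style` derived from `$found` as today. It also gives one place to check what prepare() and get_result() return. The surrounding markup blocks start and end outside each hunk.
```php
// Runs one quick-pick lookup for the current user/profile and returns the
// last matching uid, or null when the query matched nothing.
// NOTE(review): uid's column type is not visible here; widen the return type if it is numeric.
function quick_pick_uid(mysqli $conn, string $sql, string $id, int $profile): ?string
{
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("si", $id, $profile);
    $stmt->execute();
    $uid = null;
    foreach ($stmt->get_result() as $row) {
        $uid = $row['uid'];
    }
    $stmt->close();
    return $uid;
}

// … unchanged: surrounding markup …
$sql = "SELECT uid FROM monsters WHERE min_iv = 100 AND pokemon_id = 0 AND id = ? AND profile_no = ?";
$uid = quick_pick_uid($conn, $sql, $_SESSION['id'], (int) $_SESSION['profile']);
$found = $uid === null ? "" : 1;
$style = $found === 1 ? "background:#1cc88a; color:white;" : "";
```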
@@ -163,13 +175,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 1500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -199,13 +215,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 2500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -258,13 +278,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 129 AND min_weight = 13130 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -297,13 +321,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 19 AND max_weight = 2410 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -357,13 +385,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE size = 1 AND max_size = 1 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -397,13 +429,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE size = 5 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>