diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index f32a7f7..93c94ea 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml @@ -16,11 +16,12 @@ jobs: - "7.3" - "7.4" - "8.0" + - "8.1" name: PHP ${{ matrix.php-versions }} test steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@v2 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2215d08..722c0f3 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -14,22 +14,22 @@ jobs: packages: write steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Log in to the Container registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} diff --git a/actions/channel_sync.php b/actions/channel_sync.php index d14dd9d..2f11e65 100644 --- a/actions/channel_sync.php +++ b/actions/channel_sync.php @@ -5,7 +5,7 @@ if (isset($_POST['sync'])) { - foreach ($_POST as $key => $value) { + foreach ($_POST as $key => $value) { if (substr($key, 0, 7) == "target_") { $target = ltrim($key, 'target_'); $target_fields = explode("|", $target); 
@@ -13,6 +13,13 @@ $target_id=$target_fields[1]; $target_id=str_replace("_com", ".com", $target_id); + // Database names cannot be parameterized in prepared statements (they are identifiers, not values) + // so we use a whitelist to validate the database name before using string interpolation + $allowed_dbs = explode(",", $dbname); + if (!in_array($target_db, $allowed_dbs)) { + die("Invalid database"); + } + // Delete All Previous Trackings $stmt = $conn->prepare("DELETE FROM ".$target_db.".monsters WHERE id = ?"); $rs = $stmt->bind_param("s", $target_id); diff --git a/actions/raids.php b/actions/raids.php index 8ea0399..3d30988 100644 --- a/actions/raids.php +++ b/actions/raids.php @@ -184,13 +184,14 @@ $level = ltrim($key, 'egg_'); $gym_id = ($_POST['gym_id'] != 'ALL') ? $_POST['gym_id'] : NULL; - $stmt = $conn->prepare("INSERT INTO egg ( id, ping, clean, template, distance, team, level, profile_no, gym_id) - VALUES ( ?, ?, ? , ?, ?, 4, ?, ?, ?)"); + $stmt = $conn->prepare("INSERT INTO egg ( id, ping, clean, template, distance, team, level, profile_no, gym_id, rsvp_changes) + VALUES ( ?, ?, ?, ?, ?, 4, ?, ?, ?, ?)"); if (false === $stmt) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=AE1&sql=$stmt->error"); exit(); - } - $rs = $stmt->bind_param("ssisiiis", $_SESSION['id'], $_POST['content'], $clean, $template, $_POST['distance'], $level, $_SESSION['profile'], $gym_id); + } + + $rs = $stmt->bind_param("ssisiiisi", $_SESSION['id'], $_POST['content'], $clean, $template, $_POST['distance'], $level, $_SESSION['profile'], $gym_id, $_POST['rsvp']); if (false === $rs) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=AE2&sql=$stmt->error"); exit(); 
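Review bot: The allowlist check in the added block compares loosely and against unstripped entries: `in_array($target_db, $allowed_dbs)` should pass `true`, and `explode(",", $dbname)` keeps any whitespace around the names, so a configured value like `db1, db2` would never match its second entry. I would write `$allowed_dbs = array_map('trim', explode(",", $dbname));` and `if (!in_array($target_db, $allowed_dbs, true)) {`. `$target_db` is assigned above the hunk, so its origin is not visible here; the new comment should also state that `$dbname` is the configured, trusted list, since that is the whole basis for interpolating the identifier on the next line.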
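Review bot: `$_POST['rsvp']` is bound directly in the new `bind_param` call with no fallback, so a form that does not post the field raises an undefined-index notice and binds NULL into `rsvp_changes`; whether the insert then fails with phase AE2 depends on the column definition, which is not visible here. I would read it once above the prepare as `$rsvp = isset($_POST['rsvp']) ? (int)$_POST['rsvp'] : 0;` and bind `$rsvp`, which also makes the `i` type honest. The same applies to the two raid inserts in the following hunks (phases AR and ARM). The enclosing handler starts above the hunk.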
@@ -213,13 +214,13 @@ $level = ltrim($key, 'raid_'); $gym_id = ($_POST['gym_id'] != 'ALL') ? $_POST['gym_id'] : NULL; - $stmt = $conn->prepare("INSERT INTO raid ( id, ping, clean, template, pokemon_id, distance, team, level, form, profile_no, gym_id) - VALUES ( ?, ?, ? , ?, 9000, ?, 4, ?, 0, ?, ?)"); + $stmt = $conn->prepare("INSERT INTO raid ( id, ping, clean, template, pokemon_id, distance, team, level, form, profile_no, gym_id, rsvp_changes) + VALUES ( ?, ?, ? , ?, 9000, ?, 4, ?, 0, ?, ?, ?)"); if (false === $stmt) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=AR1&sql=$stmt->error"); exit(); } - $rs = $stmt->bind_param("ssisiiis", $_SESSION['id'], $_POST['content'], $clean, $template, $_POST['distance'], $level, $_SESSION['profile'], $gym_id); + $rs = $stmt->bind_param("ssisiiisi", $_SESSION['id'], $_POST['content'], $clean, $template, $_POST['distance'], $level, $_SESSION['profile'], $gym_id, $_POST['rsvp']); if (false === $rs) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=AR2&sql=$stmt->error"); exit(); 
@@ -245,13 +246,13 @@ if (isset($arr[3])) { $boss_mega = $arr[3];} $gym_id = ($_POST['gym_id'] != 'ALL') ? $_POST['gym_id'] : NULL; - $stmt = $conn->prepare("INSERT INTO raid ( id, ping, clean, template, pokemon_id, distance, team, level, form, profile_no, gym_id) - VALUES ( ?, '', ? , ?, ? , ?, 4, 9000, ?, ?, ?)"); + $stmt = $conn->prepare("INSERT INTO raid ( id, ping, clean, template, pokemon_id, distance, team, level, form, profile_no, gym_id, rsvp_changes) + VALUES ( ?, '', ? , ?, ? , ?, 4, 9000, ?, ?, ?, ?)"); if (false === $stmt) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=ARM1&sql=$stmt->error"); exit(); } - $rs = $stmt->bind_param("sisiiiis", $_SESSION['id'], $clean, $template, $boss_id, $_POST['distance'], $boss_form, $_SESSION['profile'], $gym_id); + $rs = $stmt->bind_param("sisiiiisi", $_SESSION['id'], $clean, $template, $boss_id, $_POST['distance'], $boss_form, $_SESSION['profile'], $gym_id, $_POST['rsvp']); if (false === $rs) { header("Location: $redirect_url?type=display&page=raid&return=sql_error&phase=ARM2&sql=$stmt->error"); exit(); diff --git a/actions/set_language.php b/actions/set_language.php index 492b43b..335230b 100644 --- a/actions/set_language.php +++ b/actions/set_language.php @@ -11,8 +11,10 @@ // Update Language in DB -$sql = "UPDATE humans set language = '".$_GET['lng']."' WHERE id = '" . $_SESSION['id'] . "'"; -$result = $conn->query($sql) or die(mysqli_error($conn)); +$stmt = $conn->prepare("UPDATE humans SET language = ? WHERE id = ?"); +$stmt->bind_param("ss", $_GET['lng'], $_SESSION['id']); +$stmt->execute() or die(mysqli_error($conn)); +$stmt->close(); header("Location: $redirect_url"); diff --git a/actions/set_location.php b/actions/set_location.php index 9b8cd47..ed8f32a 100644 --- a/actions/set_location.php +++ b/actions/set_location.php 
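Review bot: `$_GET['lng']` goes into the new prepared statement without any check that it names a locale the application ships, and the `prepare()` result is not tested before `bind_param`, so a failed prepare becomes a fatal call on `false`; the same unchecked `prepare()` pattern recurs in set_location, switch_profile, admin_connect, header.php and include/toplinks.php in this commit. Parameterisation stops the injection, but the stored value is later loaded back into `$_SESSION['locale']` by set_locale(), so I would validate it here, e.g. `if (!in_array($_GET['lng'], $supported_locales, true)) { header("Location: $redirect_url"); exit(); }` (`$supported_locales` is a constructed name — use whatever list of shipped locales the project keeps). `die(mysqli_error($conn))` on the new execute line also prints driver error text to the browser; logging it and redirecting would be the safer failure path.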
@@ -10,16 +10,26 @@ $lat = "0.0000000000"; $lon = "0.0000000000"; - $sql = "UPDATE monsters set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE raid set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE egg set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE quest set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); - $sql = "UPDATE invasion set distance = 0 WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE monsters set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE raid set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE egg set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE quest set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); + $stmt = $conn->prepare("UPDATE invasion set distance = 0 WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $stmt->close(); } else if ( isset($_GET['lat']) && isset($_GET['lon']) ) { diff --git a/actions/switch_profile.php b/actions/switch_profile.php index c99b9d4..8fa6d2e 100644 
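Review bot: The five new UPDATE blocks are the same four lines with only the table name changed, and none of them checks the `prepare()` return before calling `bind_param` on it. Since the table names are a fixed list in the code (the same reasoning this commit applies in `default_distance()`), a loop over that list keeps the parameterised statement, adds the check once, and leaves one place to extend — `lures`, `nests` and `gym` get no distance reset in this hunk, which may or may not be intended. The enclosing `if` starts above the hunk.
```php
// Reset the stored distance on every subscription table for the active profile.
// The table name comes from this fixed list, never from the request, so interpolating it is safe.
$distance_tables = array('monsters', 'raid', 'egg', 'quest', 'invasion');
foreach ($distance_tables as $table) {
    $stmt = $conn->prepare("UPDATE $table set distance = 0 WHERE id = ? AND profile_no = ?");
    if (false === $stmt) { error_log(mysqli_error($conn)); continue; }
    $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']);
    $stmt->execute();
    $stmt->close();
}
// … unchanged: else-if branch reading $_GET['lat'] / $_GET['lon'] …
```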
--- a/actions/switch_profile.php +++ b/actions/switch_profile.php @@ -11,23 +11,23 @@ $_SESSION['profile'] = $_POST['profile']; } - if ( isset($_POST['activate']) ) { - - $sql = "SELECT area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_POST['profile']."'"; - $result = $conn->query($sql); - while ($row = $result->fetch_assoc()) { - $area = $row['area']; - $latitude = $row['latitude']; - $longitude = $row['longitude']; + if ( isset($_POST['activate']) ) { + + $stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_POST['profile']); + $stmt->execute(); + $result = $stmt->get_result(); + while ($row = $result->fetch_assoc()) { + $area = $row['area']; + $latitude = $row['latitude']; + $longitude = $row['longitude']; } + $stmt->close(); - $sql = "UPDATE humans - SET area = '".$area."', - latitude = '".$latitude."', - longitude = '".$longitude."', - current_profile_no = '".$_POST['profile']."' - WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE humans SET area = ?, latitude = ?, longitude = ?, current_profile_no = ? WHERE id = ?"); + $stmt->bind_param("ssdis", $area, $latitude, $longitude, $_POST['profile'], $_SESSION['id']); + $stmt->execute(); + $stmt->close(); header("Location: $redirect_url?type=display&page=profiles&return=success_switch_profile_activate"); 
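Review bot: The new `bind_param("ssdis", ...)` types latitude as a string but longitude as a double, so two values read from the same `profiles` row are sent with different types; `"sssis"` (or `"sddis"` for both coordinates) would be consistent. The SELECT's result is also never checked: if no profile row matches, `$area`, `$latitude` and `$longitude` are undefined and the UPDATE overwrites the user's row with NULLs — that predates the change, but the new statement makes it easy to guard with `if ($result->num_rows == 0) { $stmt->close(); header("Location: $redirect_url?type=display&page=profiles"); exit(); }` before the loop. The profile handler starts above the hunk.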
@@ -41,27 +41,32 @@ // Get Next Profile Number #$sql = "SELECT IFNULL(max(profile_no),0)+1 next_profile from profiles WHERE id = '" . $_SESSION['id'] . "'"; - $sql = "SELECT MIN(t1.profile_no + 1) AS nextID - FROM (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t1 - LEFT JOIN (select profile_no from profiles WHERE id = '".$_SESSION['id']."' UNION select 0 profile_no) t2 + $stmt = $conn->prepare("SELECT MIN(t1.profile_no + 1) AS nextID + FROM (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t1 + LEFT JOIN (select profile_no from profiles WHERE id = ? UNION select 0 profile_no) t2 ON t1.profile_no + 1 = t2.profile_no - WHERE t2.profile_no IS NULL"; - - $result = $conn->query($sql); + WHERE t2.profile_no IS NULL"); + $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $next_profile = $row['nextID']; } + $stmt->close(); if ( $next_profile == 1 ) { // Get Info on currently active Profile - $sql = "SELECT area, latitude, longitude from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $area = $row['area']; $latitude = $row['latitude']; $longitude = $row['longitude']; $_SESSION['profile_name'] = $_POST['profile_name']; } + $stmt->close(); } else { $area = "[]"; $latitude = "0.0000000000"; 
@@ -153,26 +158,32 @@ // Change Active Profile if Deleting Active one - $sql = "select current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $current_profile = $row['current_profile_no']; } + $stmt->close(); if ( $current_profile == $_SESSION['profile']) { - $sql = "UPDATE humans set current_profile_no = - (select IFNULL(min(profile_no),1) from profiles where id = '".$_SESSION['id']."') - WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("UPDATE humans set current_profile_no = (select IFNULL(min(profile_no),1) from profiles where id = ?) WHERE id = ?"); + $stmt->bind_param("ss", $_SESSION['id'], $_SESSION['id']); + $stmt->execute(); + $stmt->close(); } // Check for smaller Profiles and redirect - $sql = "select IFNULL(min(profile_no),1) min from profiles WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT IFNULL(min(profile_no),1) min from profiles WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['min']; } + $stmt->close(); header("Location: $redirect_url?type=display&page=profiles&return=success_delete_profile"); diff --git a/admin_connect.php b/admin_connect.php index 9bdf287..74fd96e 100644 --- a/admin_connect.php +++ b/admin_connect.php 
@@ -46,8 +46,10 @@ } $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $_SESSION['dbname']); -$sql = "select id, name, type, notes FROM humans WHERE id = '".$search_id."'"; -$result = $conn->query($sql); +$stmt = $conn->prepare("SELECT id, name, type, notes FROM humans WHERE id = ?"); +$stmt->bind_param("s", $search_id); +$stmt->execute(); +$result = $stmt->get_result(); if ($result->num_rows == 0) { header("Location: $redirect_url?return=user_not_found"); @@ -60,6 +62,7 @@ $_SESSION['type']=$row['type']; $_SESSION['notes']=$row['notes']; } +$stmt->close(); // Get Config Items from API and Store in Session Variables @@ -108,11 +111,14 @@ // Switch to active Profile -$sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; -$result = $conn->query($sql); +$stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); +$stmt->bind_param("s", $_SESSION['id']); +$stmt->execute(); +$result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['current_profile_no']; } +$stmt->close(); header("Location: $redirect_url"); diff --git a/admin_sync.php b/admin_sync.php index c6176ca..2b5a0a5 100644 --- a/admin_sync.php +++ b/admin_sync.php @@ -94,8 +94,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type like 'discord:channel' AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'discord:channel' AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> 
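Review bot: No `$stmt->close()` appears for the new statement in this admin_sync loop, unlike every other prepared statement in this commit; each iteration also opens a fresh `mysqli` connection, so both are left to the garbage collector unless the loop body (which continues past the hunk) closes them. The same applies to the two following admin_sync hunks (`@@ -145` and `@@ -196`). Add `$stmt->close();` once the result has been consumed, and check that the `foreach ($dbnames as &$db)` reference is followed by `unset($db);` somewhere after the loop.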
@@ -145,8 +147,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type in ('telegram:channel','telegram:group') AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> @@ -196,8 +200,10 @@ foreach ($dbnames as &$db) { $conn = new mysqli($dbhost.":".$dbport, $dbuser, $dbpass, $db); - $sql = "select id, name, type FROM humans WHERE type like 'webhook' AND id <> '".$_SESSION['id']."' ORDER by name"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT id, name, type FROM humans WHERE type like 'webhook' AND id <> ? ORDER by name"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); ?> num_rows <> 0) { ?> diff --git a/header.php b/header.php index 5ac44c0..b6e407a 100644 --- a/header.php +++ b/header.php @@ -20,6 +20,8 @@ $title = "PoracleWeb"; } +ini_set('default_socket_timeout', 1); + if (!isset($_SESSION['avatar']) || false === @file_get_contents($_SESSION['avatar'], 0, null, 0, 1)) { $avatar = "$redirect_url/img/no_avatar.png"; } else { 
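Review bot: `ini_set('default_socket_timeout', 1)` applies to the rest of the request, not just to the avatar probe that follows it, so any later stream fetch in the page (the remote locale downloads in include/cache_handler.php use the same default, if they run after header.php) is now capped at one second. Scope it to the one call instead: `$ctx = stream_context_create(array('http' => array('timeout' => 1)));` and pass `$ctx` as the third argument, `file_get_contents($_SESSION['avatar'], false, $ctx, 0, 1)`. A one-line comment saying why the avatar fetch is time-boxed would also help the next reader.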
@@ -29,27 +31,34 @@ // Set Profile to current if not yet set if (!isset($_SESSION['profile']) && isset($_SESSION['id'])) { - $sql = "SELECT current_profile_no FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['profile'] = $row['current_profile_no']; } + $stmt->close(); } // Check if user has Multiple Profiles if (isset($_SESSION['id'])) { - $sql = "SELECT name FROM profiles WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT name FROM profiles WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); $_SESSION['number_of_profiles'] = $result->num_rows; + $stmt->close(); } // Get Profile Name - if (isset($_SESSION['id'])) { - $sql = "SELECT name FROM profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT name FROM profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows > 0) { while ($row = $result->fetch_assoc()) { $_SESSION['profile_name'] = $row['name']; 
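Review bot: At `// Get Profile Name` the `if (isset($_SESSION['id'])) {` line is removed but no closing brace is removed with it, while the block's `}` (after the new `$stmt->close();` at the start of the next hunk) stays as context; as printed, that either leaves an unbalanced brace or, if the preceding block's brace now closes this one, runs the profile-name query without a session id bound. The hunk is collapsed here, so the exact line layout is uncertain — please confirm header.php still passes `php -l` and that the guard is still in place. The "Multiple Profiles" query just above keeps its guard, so the removal looks unintended.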
@@ -57,68 +66,95 @@ } else { $_SESSION['profile_name'] = i8ln("Default"); } + $stmt->close(); } // Get Active Profile if (isset($_SESSION['id'])) { - $sql = "SELECT current_profile_no from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT current_profile_no from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $_SESSION['current_profile'] = $row['current_profile_no']; } + $stmt->close(); } // Check for Cleaned if (isset($_SESSION['id'])) { - $sql = "select min(clean) clean FROM monsters WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM monsters WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_mon_cleaned = $row['clean']; } - - $sql = "select min(clean) clean FROM (select id, clean from raid UNION select id, clean from egg) raidegg WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt->close(); + + $stmt = $conn->prepare("SELECT min(clean) clean FROM (select id, clean from raid UNION select id, clean from egg) raidegg WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_raid_cleaned = $row['clean']; } - - $sql = "select min(clean) clean FROM quest WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt->close(); + + $stmt = $conn->prepare("SELECT min(clean) clean FROM quest WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_quest_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM invasion WHERE id = '" . $_SESSION['id'] . 
"'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM invasion WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_invasion_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM lures WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM lures WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_lures_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM nests WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM nests WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_nests_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(clean) clean FROM gym WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT min(clean) clean FROM gym WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $all_gyms_cleaned = $row['clean']; } + $stmt->close(); // Get Areas, Lat, long and Enabled from Humans Table - $sql = "select area, latitude, longitude, enabled, admin_disable, disabled_date from humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude, enabled, admin_disable, disabled_date from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $area_set = $row['area']; $latitude = $row['latitude']; 
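Review bot: The seven `min(clean)` lookups (monsters, raid/egg, quest, invasion, lures, nests, gym) and the humans read in this hunk repeat the same prepare/bind/execute/get_result/close sequence verbatim, and none checks the `prepare()` return before `bind_param`. A small helper in include/functions.php that takes the SQL and a column name, binds `$_SESSION['id']`, and returns the last row's value would shrink the block to one line per table and put the prepare check in one place; sketch below. The variables keep their names, but they become NULL rather than unset when no row matches — callers that use `isset()` on them see no difference, others should be checked.
```php
// include/functions.php — run a one-parameter SELECT bound to the session id and return $column of the last row.
function session_scalar($conn, $sql, $column) {
    $stmt = $conn->prepare($sql);
    if (false === $stmt) { error_log(mysqli_error($conn)); return null; }
    $stmt->bind_param("s", $_SESSION['id']);
    $stmt->execute();
    $result = $stmt->get_result();
    $value = null;
    while ($row = $result->fetch_assoc()) { $value = $row[$column]; }
    $stmt->close();
    return $value;
}

// header.php — "Check for Cleaned"
$all_mon_cleaned  = session_scalar($conn, "SELECT min(clean) clean FROM monsters WHERE id = ?", 'clean');
$all_raid_cleaned = session_scalar($conn, "SELECT min(clean) clean FROM (select id, clean from raid UNION select id, clean from egg) raidegg WHERE id = ?", 'clean');
// … quest, invasion, lures, nests, gym the same way …
// … unchanged: area / latitude / longitude read from humans …
```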
@@ -127,11 +163,14 @@ $admin_disable = $row['admin_disable']; $disabled_date = $row['disabled_date']; } + $stmt->close(); // Overwrite with Profile info if a profile is available - $sql = "select area, latitude, longitude from profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '". $_SESSION['profile'] ."'"; - $result = $conn->query($sql); + $stmt = $conn->prepare("SELECT area, latitude, longitude from profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows > 0) { while ($row = $result->fetch_assoc()) { @@ -140,10 +179,10 @@ $longitude = $row['longitude']; } } + $stmt->close(); } - if (isset($_SESSION['username'])) { // Exit if user not registered to Poracle @@ -155,19 +194,24 @@ $redirect_page = "unregistered.php"; } - if (isset($enable_admin_dis) && $enable_admin_dis == "False" && $_SESSION['id'] <> $_SESSION['admin_id']) + if (!isset($subs_clause)) { $subs_clause = ""; } + + if (isset($enable_admin_dis) && $enable_admin_dis == "False" && isset($_SESSION['admin_id']) && $_SESSION['id'] <> $_SESSION['admin_id']) { - $subs_clause .= " AND admin_disable = 0"; + $stmt = $conn->prepare("SELECT * from humans WHERE id = ? AND admin_disable = 0"); + } else { + $stmt = $conn->prepare("SELECT * from humans WHERE id = ?"); } - - $sql = "SELECT * from humans WHERE id = '" . $_SESSION['id'] . "' ".@$subs_clause; - $result = $conn->query($sql); - if ($result->num_rows == 0) { - if (strpos($_SERVER['REQUEST_URI'],$redirect_page) == false) { - header("Location: $redirect_url/$redirect_page"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); + if ($result->num_rows == 0) { + if (strpos($_SERVER['REQUEST_URI'],$redirect_page) == false) { + header("Location: $redirect_url/$redirect_page"); exit(); - } - } + } + } + $stmt->close(); } else { // If not logged in import login page 
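Review bot: The added `isset($_SESSION['admin_id'])` guard makes the admin-disable check fail open: when `admin_id` is not in the session the whole condition is false, the unfiltered `SELECT * from humans WHERE id = ?` runs, and a user with `admin_disable = 1` passes the registration check. The safer reading is that an absent `admin_id` means the current user is not the admin, i.e. `&& (!isset($_SESSION['admin_id']) || $_SESSION['id'] <> $_SESSION['admin_id'])`. `if (!isset($subs_clause)) { $subs_clause = ""; }` is now dead, since nothing in the new code appends the clause to a query, and can go. The surrounding `if (isset($_SESSION['username']))` block starts above the hunk.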
@@ -229,11 +273,14 @@ // Check if IV + PvP is used $sql = "SELECT * FROM monsters - WHERE (min_iv > 0 or max_iv < 100 or atk > 0 or def > 0 or sta > 0 or max_atk < 15 or max_def < 15 or max_sta < 15) + WHERE (min_iv > 0 or max_iv < 100 or atk > 0 or def > 0 or sta > 0 or max_atk < 15 or max_def < 15 or max_sta < 15) AND pvp_ranking_league <> 0 - AND id = '" . $_SESSION['id'] . "'"; + AND id = ?"; -$result = $conn->query($sql); +$stmt = $conn->prepare($sql); +$stmt->bind_param("s", $_SESSION['id']); +$stmt->execute(); +$result = $stmt->get_result(); if (!empty($result) && $result->num_rows > 0) { $config_alarm=""; } +$stmt->close(); // Check If Distance Map should be displayed diff --git a/include/cache_handler.php b/include/cache_handler.php index c089dbe..1e43be4 100644 --- a/include/cache_handler.php +++ b/include/cache_handler.php @@ -14,6 +14,8 @@ global $file_localePkmnData; $file_localePkmnData = "./.cache/localePkmnData_".$locale.".json"; +global $file_localeFormsData; +$file_localeFormsData = "./.cache/localeFormsData_".$locale.".json"; global $file_localeItemsData; $file_localeItemsData = "./.cache/localeItemsData_".$locale.".json"; @@ -129,6 +131,19 @@ $localePkmnData_json = file_get_contents($repo_locales."pokemon_en.json"); } +// Cache FormsNames locale file + +global $localeFormsData_json; +if (file_exists($file_localeFormsData) && (filemtime($file_localeFormsData) > (time() - 60 * 60 * $repo_locales_cache ))) { + $localeFormsData_json = file_get_contents($file_localeFormsData); +} else if ( @fopen($repo_locales."/forms_".$locale.".json", 'r') ) { + $localeFormsData_json = file_get_contents($repo_locales."/forms_".$locale.".json"); + file_put_contents($file_localeFormsData, $localeFormsData_json); +} else if (isset($locale)) { + $localeFormsData_json = file_get_contents($repo_locales."forms_en.json"); +} + + // Cache itemNames locale file global $localeItemsData_json; diff --git a/include/db_mad.php b/include/db_mad.php index 51d6873..4f902fc 100644 
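Review bot: The new forms-cache block builds both the download URL and the on-disk cache path from `$locale` (`"./.cache/localeFormsData_".$locale.".json"` in the first cache_handler hunk, `$repo_locales."/forms_".$locale.".json"` here) without validating it; `$locale` is assigned above the hunk, so its origin is not visible, but set_language.php in this commit stores a raw `$_GET['lng']` that set_locale() later loads into the session. Validate it against the shipped locale names (or at minimum `preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $locale)`) before any of the cache paths are built. Two smaller points in the new lines: `$repo_locales."/forms_"` has a leading slash that the `pokemon_` and `forms_en.json` lines do not, and the `@fopen(...)` probe leaks its handle and fetches the file twice — `false !== ($localeFormsData_json = @file_get_contents($repo_locales."forms_".$locale.".json"))` would do both in one request.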
--- a/include/db_mad.php +++ b/include/db_mad.php @@ -116,12 +116,15 @@ function get_raid_bosses() { function get_gym_by_id($id) { global $scan_conn; - $sql = "SELECT name from gymdetails where gym_id = '".$id."'"; - $result = $scan_conn->query($sql); + $stmt = $scan_conn->prepare("SELECT name from gymdetails where gym_id = ?"); + $stmt->bind_param("s", $id); + $stmt->execute(); + $result = $stmt->get_result(); while($row = $result->fetch_assoc()) { $gym_name = $row['name']; } + $stmt->close(); return $gym_name; @@ -130,12 +133,15 @@ function get_gym_by_id($id) { function get_gym_url($id) { global $scan_conn; - $sql = "SELECT url from gymdetails where gym_id = '".$id."'"; - $result = $scan_conn->query($sql); + $stmt = $scan_conn->prepare("SELECT url from gymdetails where gym_id = ?"); + $stmt->bind_param("s", $id); + $stmt->execute(); + $result = $stmt->get_result(); while($row = $result->fetch_assoc()) { $gym_url = $row['url']; } + $stmt->close(); return $gym_url; diff --git a/include/db_rdm.php b/include/db_rdm.php index 2180734..4a9f644 100644 --- a/include/db_rdm.php +++ b/include/db_rdm.php @@ -119,12 +119,15 @@ function get_raid_bosses() { function get_gym_by_id($id) { global $scan_conn; - $sql = "SELECT name from gym where id = '".$id."'"; - $result = $scan_conn->query($sql); + $stmt = $scan_conn->prepare("SELECT name from gym where id = ?"); + $stmt->bind_param("s", $id); + $stmt->execute(); + $result = $stmt->get_result(); while($row = $result->fetch_assoc()) { $gym_name = $row['name']; } + $stmt->close(); return $gym_name; @@ -133,12 +136,15 @@ function get_gym_by_id($id) { function get_gym_url($id) { global $scan_conn; - $sql = "SELECT url from gym where id = '".$id."'"; - $result = $scan_conn->query($sql); + $stmt = $scan_conn->prepare("SELECT url from gym where id = ?"); + $stmt->bind_param("s", $id); + $stmt->execute(); + $result = $stmt->get_result(); while($row = $result->fetch_assoc()) { $gym_url = $row['url']; } + $stmt->close(); return $gym_url; 
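Review bot: `get_gym_by_id` still returns an undefined `$gym_name` (a notice plus NULL) when no `gymdetails` row matches, and the new `prepare()` result is not checked before `bind_param`; the same holds for `get_gym_url` and for the two `gym`-table twins in include/db_rdm.php in this line's remaining hunks. Initialise the result up front, `$gym_name = null;` before the prepare, and bail out on a failed prepare with `if (false === $stmt) { return null; }` so callers see a consistent value. A `@return string|null` docblock on each would document that contract.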
diff --git a/include/defaults.php b/include/defaults.php index 47b1118..318fa20 100644 --- a/include/defaults.php +++ b/include/defaults.php @@ -10,7 +10,7 @@ "min_cp"=>0, "max_cp"=>9000, "min_level"=>0, - "max_level"=>40, + "max_level"=>55, "min_weight"=>0, "max_weight"=>9000000, "atk"=>0, @@ -24,7 +24,7 @@ "max_size"=>5 ); -$min_poracle_version = "4.6.2"; +$min_poracle_version = "4.8.3"; $max_pokemon="1008"; $other_grunt_types = array( diff --git a/include/functions.php b/include/functions.php index d7db67f..d979bf8 100644 --- a/include/functions.php +++ b/include/functions.php @@ -21,7 +21,7 @@ function get_form_name($pokemon_id, $form_id) { if ($pokemon['id'] == "$pokemon_id") { if ( $pokemon['form']['id'] == "$form_id" && $pokemon['form']['id'] <> 0) { - return $pokemon['form']['name']; + return translate_form($pokemon['form']['name']); } } } @@ -51,7 +51,7 @@ function get_all_forms($pokemon_id) { if ($pokemon['id'] == "$pokemon_id") { if ( $pokemon['form']['id'] <> "0" && !in_array( ucfirst($pokemon['form']['name']), $form_exclude ) ) { - $forms[$pokemon['form']['id']] = $pokemon['form']['name']; + $forms[$pokemon['form']['id']] = translate_form($pokemon['form']['name']); } } } @@ -161,6 +161,27 @@ function translate_mon($word) } } +function translate_form($word) +{ + $locale = @$_SESSION['locale']; + if ($locale == "en") { + return $word; exit(); + } + + global $localeFormsData; + global $localeFormsData_json; + + if ($localeFormsData == null) { + $localeFormsData = json_decode($localeFormsData_json, true); + } + + if (isset($localeFormsData[$word])) { + return $localeFormsData[$word]; + } else { + return $word; + } +} + function translate_item($word) { $locale = @$_SESSION['locale']; 
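Review bot: In the new `translate_form()` the `exit();` after `return $word;` is unreachable and should be dropped, and the lazy decode never settles when the JSON is missing or invalid: `json_decode` yields NULL, `$localeFormsData == null` stays true, and the decode reruns on every call. Decode once into an array, `$localeFormsData = json_decode((string)$localeFormsData_json, true) ?: array();` (PHP 7.3-compatible, matching the CI matrix), and test with `=== null`. `@$_SESSION['locale']` copies the suppression style of `translate_item`; `$_SESSION['locale'] ?? 'en'` says the same without hiding other errors.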
@@ -375,13 +396,16 @@ function set_locale() { if (isset($_SESSION['id'])) { include_once "./config.php"; include_once "./include/db_connect.php"; - $sql = "select language FROM humans WHERE id = '" . $_SESSION['id'] . "'"; - $result = $conn->query($sql) or die(mysqli_error($conn)); - while ($row = $result->fetch_assoc()) { - if ( $row['language'] <> "" ) { + $stmt = $conn->prepare("SELECT language FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute() or die(mysqli_error($conn)); + $result = $stmt->get_result(); + while ($row = $result->fetch_assoc()) { + if ( $row['language'] <> "" ) { $_SESSION['locale'] = $row['language']; } } + $stmt->close(); } } @@ -560,10 +584,17 @@ function default_distance($table) { if (isset($_SESSION['id'])) { include_once "./config.php"; include_once "./include/db_connect.php"; - $sql = "select max(distance) distance FROM $table WHERE id = '" . $_SESSION['id'] . "'"; - $sql = "SELECT distance, count(*) FROM $table WHERE id = '" . $_SESSION['id'] . "' GROUP BY distance ORDER BY count(*) DESC LIMIT 1"; - $result = $conn->query($sql) or die(mysqli_error($conn)); + // Table names cannot be parameterized in prepared statements (they are identifiers, not values) + // so we use a whitelist to validate the table name before using string interpolation + $allowed_tables = array('monsters', 'raid', 'egg', 'quest', 'invasion', 'lures', 'gym'); + if (!in_array($table, $allowed_tables)) { die("Invalid table"); } + $sql = "SELECT distance, count(*) FROM $table WHERE id = ? GROUP BY distance ORDER BY count(*) DESC LIMIT 1"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute() or die(mysqli_error($conn)); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $default_distance = $row['distance']; } + $stmt->close(); } if ( !isset($default_distance) ) { $default_distance = 0; } diff --git a/include/nav.php b/include/nav.php index eda8359..da48fed 100644 
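Review bot: The new `$allowed_tables` list in `default_distance()` omits `nests`, although header.php and include/toplinks.php in this same commit query a `nests` table; if any caller passes `'nests'` the page now stops with `die("Invalid table")` where it previously ran. Whether such a call exists is not visible here, so either add `'nests'` to the array or confirm no caller uses it. Also pass `true` to `in_array($table, $allowed_tables, true)`, and consider `error_log()` plus skipping the query instead of `die()`, since the function already falls back to `$default_distance = 0` when nothing is found.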
--- a/include/nav.php +++ b/include/nav.php @@ -72,7 +72,7 @@ "True" ) { ?> - +   diff --git a/include/toplinks.php b/include/toplinks.php index 8e1fc9f..689adb2 100644 --- a/include/toplinks.php +++ b/include/toplinks.php 
@@ -4,24 +4,27 @@ $user_id = $_SESSION['id']; $profile_id = $_SESSION['profile']; $sql = " - SELECT COUNT(*) AS 'Total', 'monsters' AS 'Type' FROM monsters WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'monsters' AS 'Type' FROM monsters WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'raid' AS 'Type' FROM raid WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'raid' AS 'Type' FROM raid WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'egg' AS 'Type' FROM egg WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'egg' AS 'Type' FROM egg WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'quest' AS 'Type' FROM quest WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'quest' AS 'Type' FROM quest WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'invasion' AS 'Type' FROM invasion WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'invasion' AS 'Type' FROM invasion WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'lures' AS 'Type' FROM lures WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'lures' AS 'Type' FROM lures WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'nests' AS 'Type' FROM nests WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'nests' AS 'Type' FROM nests WHERE id = ? AND profile_no = ? UNION - SELECT COUNT(*) AS 'Total', 'gym' AS 'Type' FROM gym WHERE id = '{$user_id}' AND profile_no = '{$profile_id}' + SELECT COUNT(*) AS 'Total', 'gym' AS 'Type' FROM gym WHERE id = ? AND profile_no = ? 
"; -$result = $conn->query($sql); +$stmt = $conn->prepare($sql); +$stmt->bind_param("sisisisisisisisi", $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id, $user_id, $profile_id); +$stmt->execute(); +$result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { switch ($row['Type']) { case 'monsters': @@ -50,6 +53,7 @@ break; }; } +$stmt->close(); ?> diff --git a/locales/fr.json b/locales/fr.json index 9cb6250..b046bd0 100644 --- a/locales/fr.json +++ b/locales/fr.json @@ -483,5 +483,9 @@ "Level 3 Shadow":"Obscurs Niveau 3", "Level 4 Shadow":"Obscurs Niveau 4", "Shadow Legendary":"Obscurs Légendaires", - "showcase":"Epreuve" + "showcase":"Epreuve", + "Alarm when raid matches":"Alarmes de raid uniquement", + "Alarm when raid matches + RSVP changes": "Alarmes de raid + RSVP", + "Alarm on RSVP changes only": "Alarmes RSVP uniquement", + "RSVP Only": "Uniquement RSVP" } diff --git a/modal/areas_modal.php b/modal/areas_modal.php index 4a31abe..f3ad4e2 100644 --- a/modal/areas_modal.php +++ b/modal/areas_modal.php @@ -3,18 +3,22 @@ // Check Current Selection if ($_SESSION['profile'] == $_SESSION['current_profile'] ) { - $sql = "select area FROM humans WHERE id = '" . $_SESSION['id'] . "'"; + $stmt = $conn->prepare("SELECT area FROM humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); } else { - $sql = "select area FROM profiles WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '".$_SESSION['profile']."'"; + $stmt = $conn->prepare("SELECT area FROM profiles WHERE id = ? AND profile_no = ?"); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); } -$result = $conn->query($sql); +$stmt->execute(); +$result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $existing_area = $row['area']; $existing_area = json_decode($row['area']); } +$stmt->close(); echo "
diff --git a/modal/distance_gyms_modal.php b/modal/distance_gyms_modal.php index 4269884..fde084a 100644 --- a/modal/distance_gyms_modal.php +++ b/modal/distance_gyms_modal.php @@ -8,8 +8,10 @@
query($sql); + $stmt = $conn->prepare("SELECT distance from gym WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?>
query($sql); + $stmt = $conn->prepare("SELECT distance from invasion WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from lures WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from nests WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if (!empty($result) && $result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from monsters WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from quest WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; 
@@ -17,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> query($sql); + $stmt = $conn->prepare("SELECT distance from (SELECT distance,id from raid UNION SELECT distance,id from egg) raidegg WHERE id = ? GROUP by distance"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 1) { while ($row = $result->fetch_assoc()) { $distance_set = $row['distance']; @@ -18,6 +19,7 @@ } else { $distance_set = 0; } + $stmt->close(); ?> - + close(); + ?> diff --git a/pages/display/lure.php b/pages/display/lure.php index b7ba389..1f7fd7c 100644 --- a/pages/display/lure.php +++ b/pages/display/lure.php @@ -99,9 +99,11 @@ class="btn btn-danger"> // Show Lures - $sql = "SELECT * FROM lures WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - ORDER BY lure_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM lures WHERE id = ? AND profile_no = ? ORDER BY lure_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo " - + close(); + ?> diff --git a/pages/display/nest.php b/pages/display/nest.php index 84ae800..7b4b7ef 100644 --- a/pages/display/nest.php +++ b/pages/display/nest.php @@ -99,9 +99,11 @@ class="btn btn-danger"> // Show Nests - $sql = "SELECT * FROM nests WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - ORDER BY pokemon_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM nests WHERE id = ? AND profile_no = ? ORDER BY pokemon_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo " - + close(); + ?> diff --git a/pages/display/pokemon.php b/pages/display/pokemon.php index 5feb85f..3aa289e 100644 --- a/pages/display/pokemon.php 
+++ b/pages/display/pokemon.php 
@@ -1,61 +1,48 @@ query($sql); -while ($row = $result->fetch_assoc()) { $genall = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 1 and 151"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen1 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 152 and 251"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen2 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 252 and 386"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen3 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 387 and 493"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen4 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 494 and 649"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen5 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 650 and 721"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen6 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 722 and 809"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen7 = $row['count']; } - -$sql = $sql_base."AND pokemon_id between 810 and 905"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen8 = $row['count']; } +// Helper function to execute count queries with prepared statements +function execute_count_query($conn, $session_id, $profile, $search_sql, $additional_condition) { + $sql = "SELECT count(*) count FROM monsters WHERE id = ? ".$search_sql." AND profile_no = ? 
".$additional_condition; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $session_id, $profile); + $stmt->execute(); + $result = $stmt->get_result(); + $count = 0; + while ($row = $result->fetch_assoc()) { $count = $row['count']; } + $stmt->close(); + return $count; +} -$sql = $sql_base."AND pokemon_id >= 906"; -$result = $conn->query($sql); -while ($row = $result->fetch_assoc()) { $gen9 = $row['count']; } +$genall = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id = 0"); +$gen1 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 1 AND 151"); +$gen2 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 152 AND 251"); +$gen3 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 252 AND 386"); +$gen4 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 387 AND 493"); +$gen5 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 494 AND 649"); +$gen6 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 650 AND 721"); +$gen7 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 722 AND 809"); +$gen8 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id BETWEEN 810 AND 905"); +$gen9 = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, "AND pokemon_id >= 906"); ?> 
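Review bot: `execute_count_query` binds only `id` and `profile_no`; `$search_sql` and `$additional_condition` are still concatenated into the statement text, so the helper is only as safe as what its callers pass in, and nothing in its signature says so. Since where `$search_sql` is built is not visible in the hunk, give the function a docblock stating that both fragments must be static, trusted SQL (never derived from request input), and add `if ($stmt === false) { die(mysqli_error($conn)); }` after prepare() instead of calling bind_param on false. Declaring a named function inside a page include also means a second include of this file would fatal with "cannot redeclare"; if the page can be included more than once, wrap the definition in `if (!function_exists('execute_count_query'))`.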
@@ -185,17 +172,18 @@ class="btn btn-danger"> ?> - query($sql); + $sql = "SELECT * FROM monsters WHERE id = ? ".$search_sql." AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); // Show ALL Mons if less than 50 trackings if ( $result->num_rows <= 50 ) { $gen_selector = ""; } + $stmt->close(); // Only Show Gen Selector if More than 50 trackings if ( $result->num_rows > 50 ) { @@ -240,24 +228,15 @@ class="btn btn-danger"> // Check if User is already tracking something - $sql = "select count(*) count - FROM monsters - WHERE id = '" . $_SESSION['id'] . "' - ".@$search_sql." - AND profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); - while ($row = $result->fetch_assoc()) { - $num_mon_tracked = $row['count']; - } - - // Show Monsters Alarms - - $sql = "select * FROM monsters - WHERE id = '" . $_SESSION['id'] . "' - ".@$search_sql." - AND profile_no = '" . $_SESSION['profile'] . "' " . @$gen_selector ." - ORDER BY pokemon_id, form"; - $result = $conn->query($sql); + $num_mon_tracked = execute_count_query($conn, $_SESSION['id'], $_SESSION['profile'], $search_sql, ""); + + // Show Monsters Alarms + + $sql = "SELECT * FROM monsters WHERE id = ? ".$search_sql." AND profile_no = ? ".@$gen_selector." ORDER BY pokemon_id, form"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($num_mon_tracked == 0) { echo " diff --git a/pages/display/poracle_api.php b/pages/display/poracle_api.php index 6915168..5bcbcb0 100644 --- a/pages/display/poracle_api.php +++ b/pages/display/poracle_api.php 
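Review bot: The last hunk still concatenates `@$gen_selector` into the prepared statement text, with `@` hiding the undefined-variable notice rather than handling it; `($gen_selector ?? '')` expresses the intent without suppressing errors. With id and profile_no bound but `$search_sql` and `$gen_selector` interpolated, the query is parameterized only as far as those two fragments are trusted, which deserves a one-line comment at the assignment naming the code that sets them. Both hunks on this line continue into code outside them.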
@@ -233,15 +233,19 @@ $padmin) { + foreach($_SESSION['poracle_admins'] as $key => $padmin) { - $sql = "select type, name FROM humans where id = '$padmin'"; - $result = $conn->query($sql); + $sql = "SELECT type, name FROM humans WHERE id = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("s", $padmin); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { if ($row['type'] == "discord:user") { $color="primary"; } else if ($row['type'] == "telegram:user") { $color="info"; } echo "".$row['type']." | ".$padmin." | ".$row['name']."
"; } + $stmt->close(); } diff --git a/pages/display/quest.php b/pages/display/quest.php index 900b4bc..5486a98 100644 --- a/pages/display/quest.php +++ b/pages/display/quest.php @@ -100,18 +100,24 @@ class="btn btn-danger"> // Show Quests - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ($result->num_rows == 0) { echo ""; } + $stmt->close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 7 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 7 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -272,10 +278,13 @@ class="badge badge-pill badge-info w-100">close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 2 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 2 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { 
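Review bot: In poracle_api.php the identical `SELECT type, name FROM humans WHERE id = ?` is prepared, bound and closed once per iteration of the `foreach` over `$_SESSION['poracle_admins']`; prepare and bind_param once before the loop (bind_param binds `$padmin` by reference, so reassigning it each iteration is enough), call execute()/get_result() inside, and move `$stmt->close()` after the loop. While here, the unchanged echo writes `$row['name']` into HTML unescaped — `htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would be the defensive form if names originate from external accounts. The loop's closing lines run past the hunk.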
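Review bot: The quest.php hunks repeat the same four-line prepare/bind_param/execute/get_result block five times with identical bindings, differing only in the `reward_type` literal; one statement prepared as `SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = ? ORDER BY reward` with `bind_param("sii", $_SESSION['id'], $_SESSION['profile'], $reward_type)` and executed once per type, or a small helper in the style of pokemon.php's execute_count_query, would remove the duplication and leave a single place to add the prepare() false-check. Each of these hunks runs into rendering code outside it.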
@@ -418,10 +427,13 @@ class="badge badge-pill badge-info w-100">close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 12 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 12 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -565,12 +577,15 @@ class="badge badge-pill badge-info w-100"> - close(); - $sql = "select * FROM quest WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND reward_type = 4 ORDER BY reward"; - $result = $conn->query($sql); + $sql = "SELECT * FROM quest WHERE id = ? AND profile_no = ? AND reward_type = 4 ORDER BY reward"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -716,7 +731,9 @@ class="badge badge-pill badge-info w-100"> - + close(); + ?> diff --git a/pages/display/quick_pick.php b/pages/display/quick_pick.php index 3eb18c5..1c5b76f 100644 --- a/pages/display/quick_pick.php +++ b/pages/display/quick_pick.php 
@@ -1,17 +1,25 @@ query($sql); + $sql = "SELECT min(clean) clean FROM monsters WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $mon_cleaned = $row['clean']; } + $stmt->close(); - $sql = "select min(distance) distance FROM monsters WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "'"; - $result = $conn->query($sql); + $sql = "SELECT min(distance) distance FROM monsters WHERE id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { $mon_distance = $row['distance']; } + $stmt->close(); ?> @@ -44,15 +52,19 @@
query($sql); + + $sql = "SELECT uid FROM monsters WHERE min_iv = 100 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } - + while ($row = $result->fetch_assoc()) { $uid = $row['uid']; - } - + } + $stmt->close(); + ?> @@ -82,13 +94,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE min_iv = 0 AND max_iv = 0 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -119,13 +135,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -155,13 +175,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 1500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -191,13 +215,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 0 AND pvp_ranking_league = 2500 AND pvp_ranking_worst = 1 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -250,13 +278,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 129 AND min_weight = 13130 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -289,13 +321,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE pokemon_id = 19 AND max_weight = 2410 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
@@ -349,13 +385,17 @@
query($sql); + $sql = "SELECT uid FROM monsters WHERE size = 1 AND max_size = 1 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?> @@ -389,13 +429,17 @@ query($sql); + $sql = "SELECT uid FROM monsters WHERE size = 5 AND pokemon_id = 0 AND id = ? AND profile_no = ?"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $found = 1; $style = "background:#1cc88a; color:white;"; } else { $found = ""; $style = ""; } while ($row = $result->fetch_assoc()) { $uid = $row['uid']; } + $stmt->close(); ?>
diff --git a/pages/display/raid.php b/pages/display/raid.php index 73ee015..7eefb52 100644 --- a/pages/display/raid.php +++ b/pages/display/raid.php @@ -102,8 +102,11 @@ class="btn btn-danger"> // Show Eggs & Raids - $sql = "select * FROM egg WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "' ORDER BY level"; - $result = $conn->query($sql); + $sql = "SELECT * FROM egg WHERE id = ? AND profile_no = ? ORDER BY level"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -148,8 +151,7 @@ class="btn btn-danger"> if ($row['distance'] <> '0') { ?> -
  • +
  • "True" ) { ?>
  • '') { + if ($row['ping'] <> '') { ?>
  • @@ -187,9 +189,27 @@ class="list-group-item justify-content-between align-items-center">
    -
  • + + +
    + +
    + + +
    + +
    +
    close(); - $sql = "select * FROM raid WHERE id = '" . $_SESSION['id'] . "' AND profile_no = '" . $_SESSION['profile'] . "' - AND pokemon_id = 9000 ORDER BY level"; - $result = $conn->query($sql); + $sql = "SELECT * FROM raid WHERE id = ? AND profile_no = ? AND pokemon_id = 9000 ORDER BY level"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -349,8 +372,25 @@ class="list-group-item justify-content-between align-items-center">
    - - + + +
    + +
    + + +
    + +
    + +
    @@ -428,10 +468,13 @@ class="badge badge-pill badge-info w-100"> close(); - $sql = "select * FROM raid WHERE id = '" . $_SESSION['id'] . "' and profile_no = '" . $_SESSION['profile'] . "' - AND pokemon_id <> 9000 ORDER BY pokemon_id"; - $result = $conn->query($sql); + $sql = "SELECT * FROM raid WHERE id = ? AND profile_no = ? AND pokemon_id <> 9000 ORDER BY pokemon_id"; + $stmt = $conn->prepare($sql); + $stmt->bind_param("si", $_SESSION['id'], $_SESSION['profile']); + $stmt->execute(); + $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { @@ -519,6 +562,22 @@ class="badge badge-primary badge-pill">
    + +
    + +
    + + +
    + +
    + close(); ?>
    diff --git a/session.php b/session.php index b4a2152..22da6e0 100644 --- a/session.php +++ b/session.php @@ -19,12 +19,15 @@ exit(); } - $sql = "SELECT * from humans WHERE id = '".$_SESSION['id']."'"; - $result = $conn->query($sql) or die(mysqli_error($conn)); + $stmt = $conn->prepare("SELECT * from humans WHERE id = ?"); + $stmt->bind_param("s", $_SESSION['id']); + $stmt->execute() or die(mysqli_error($conn)); + $result = $stmt->get_result(); if ( $result->num_rows > 0 ) { $_SESSION['dbname'] = $db; } + $stmt->close(); } diff --git a/telegram_auth.php b/telegram_auth.php index 144b4af..4090d71 100644 --- a/telegram_auth.php +++ b/telegram_auth.php @@ -48,6 +48,6 @@ header("Location: $redirect_url?type=display&page=server_settings"); } else if (version_compare($_SESSION['poracleVersion'], $min_poracle_version) < 0) { header("Location: $redirect_url?type=display&page=server_settings"); -} else { +} else { header("Location: $redirect_url"); }
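Review bot: The rewritten existence check in session.php still runs `SELECT * from humans WHERE id = ?` and then looks only at `num_rows`; fetching and buffering every column to answer a yes/no question is wasteful, and `SELECT 1 FROM humans WHERE id = ? LIMIT 1` says what is meant. The new `$stmt->execute() or die(mysqli_error($conn))` also sends the raw driver message to the browser on failure — logging it server-side and emitting a generic message keeps schema details out of responses. The enclosing block starts outside the hunk.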