PHP Backend Input Sanitizing

[Philwlv]

asset-tracker-web/api/user/add/index.php

Lines 11 to 17 in 53b5078

	/// Creates an INSERT INTO query using the given data
	function BuildQuery($usid, $name, $email, $password)
	{
	$query = "INSERT INTO user (admin_id, admin_name, admin_email, admin_password)";
	$query = "$query VALUES ('$usid', '$name', '$email', '$password')";
	return $query;
	}

Believe 'BuidQuery' function will need prepared statements and filtering/sanitizing. @matthewward00 #7

[Philwlv]

I wanted to put this in with #7, You may have to educate me on how to do that lol.

[JoshLmao]

You only need to make one issue which covers the whole problem which you already did but it's not a problem. Rather than having millions of issues with the same thing just make one and use it. We'll use this one for now.

Don't worry about assigning people either. Usually us dev's do that 😉

[JoshLmao]

If you find any more examples where sanitizing needs to be done, put them in here please

[Philwlv]

sure, how do I do that? I tried to add this to the previous one. You can tell im getting into it now, assigning people and adding labels, Whooo. 😆 🤦‍♂

I wont do this every day 😆 I'll do a few and come back a few days later. I don't wona be that annoying, only a little bit annoying 😄

[JoshLmao]

Good on you! Haha

Do the selecting an area of code like normal, but instead of clicking "Reference in New Issue" click the "Copy Permalink" one. Then go to comment like normal and paste the link

[Philwlv]

asset-tracker-web/api/assets/deallocate/index.php

Lines 27 to 31 in c31e5f8

	function BuildQuery($id)
	{
	$query = "UPDATE assets SET owner_name = NULL, owner_address = NULL, owner_date_recieved = NULL, owner_date_return = NULL WHERE assets.id = $id";
	return $query;
	}

This input $id will need filtering and the query will need putting in a prepared statement.