fixing minor security issues
@@ -10,6 +10,11 @@ secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
function print_json_response($data): void
|
||||
{
|
||||
print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
|
||||
}
|
||||
|
||||
// Assuming you've already established a database connection here
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
@@ -104,7 +109,7 @@ try {
|
||||
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($createArgs));
|
||||
print_json_response($createArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
@@ -138,7 +143,7 @@ try {
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($getArgs));
|
||||
print_json_response($getArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
|
||||
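Review bot: In `print_json_response()` (first hunk) the `htmlentities(..., ENT_NOQUOTES, 'UTF-8')` wrapper is the wrong encoder for a body served as `application/json`, and with these flags it has nothing left to convert: `JSON_HEX_TAG | JSON_HEX_AMP` already emit `<`, `>` and `&` as `\u00XX` escapes, and `json_encode()` escapes non-ASCII characters by default. If someone later adds `JSON_UNESCAPED_UNICODE`, the wrapper would start rewriting characters into HTML entities and silently corrupt the WebAuthn arguments; a failed `json_encode()` also goes unnoticed here. I would print the encoded string directly and fail loudly, `print(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR));`, and send `header('X-Content-Type-Options: nosniff');` next to the existing Content-Type header so the response is not sniffed as HTML. The same function body is pasted into the second file of this commit, whose hunk header shows `../utils/security.php` already being included, so defining the helper once there would keep the copies from drifting.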
@@ -7,6 +7,12 @@ include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
function print_json_response($data): void
|
||||
{
|
||||
print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
|
||||
}
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
if ($conn->connect_error) {
|
||||
@@ -90,7 +96,7 @@ try {
|
||||
// Get create arguments
|
||||
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification);
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($createArgs));
|
||||
print_json_response($createArgs);
|
||||
|
||||
// Save challenge to session or somewhere else if needed
|
||||
} else if ($fn === 'getGetArgs') {
|
||||
@@ -120,7 +126,7 @@ try {
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($getArgs));
|
||||
print_json_response($getArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
|
||||
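Review bot: The `getCreateArgs` branch (second hunk) sends the arguments and then ends with only the comment `// Save challenge to session or somewhere else if needed` before `} else if ($fn === 'getGetArgs') {`, so no visible line keeps the registration challenge on the server, whereas the `getGetArgs` branch does store it. If the later create-processing step is meant to verify the authenticator response against a server-held challenge, it has nothing to compare with, unless the value is persisted somewhere outside these hunks. I would add `$_SESSION['challenge'] = $WebAuthn->getChallenge();` directly after `print_json_response($createArgs);`, matching the other branch. The enclosing `try` block starts and ends outside the hunk, so this should be checked against the full file.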
@@ -16,21 +16,32 @@ if ($conn->connect_error) {
|
||||
}
|
||||
|
||||
$search = trim($_GET['search'] ?? '');
|
||||
$sort = $_GET['sort'] ?? 'id';
|
||||
$sort = $_GET['sort'] ?? '';
|
||||
$order = strtoupper($_GET['order'] ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
|
||||
|
||||
$allowedSorts = ['id', 'username'];
|
||||
if (!in_array($sort, $allowedSorts)) {
|
||||
$sort = 'id';
|
||||
}
|
||||
|
||||
if ($search !== '') {
|
||||
$query = "SELECT id, username FROM users WHERE username LIKE ? ORDER BY $sort $order";
|
||||
if ($sort === 'username') {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username DESC"
|
||||
: "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username ASC";
|
||||
} else {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id DESC"
|
||||
: "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id ASC";
|
||||
}
|
||||
$stmt = $conn->prepare($query);
|
||||
$like = '%' . $search . '%';
|
||||
$stmt->bind_param('s', $like);
|
||||
} else {
|
||||
$query = "SELECT id, username FROM users ORDER BY $sort $order";
|
||||
if ($sort === 'username') {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users ORDER BY username DESC"
|
||||
: "SELECT id, username FROM users ORDER BY username ASC";
|
||||
} else {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users ORDER BY id DESC"
|
||||
: "SELECT id, username FROM users ORDER BY id ASC";
|
||||
}
|
||||
$stmt = $conn->prepare($query);
|
||||
}
|
||||
|
||||
@@ -50,4 +61,4 @@ $stmt->close();
|
||||
$conn->close();
|
||||
|
||||
echo json_encode(['success' => true, 'data' => $users]);
|
||||
?>
|
||||
?>
|
||||
|
||||
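Review bot: The request parameters read at the top of the first hunk are assumed to be strings, and nothing visible checks that: a request such as `?order[]=x` or `?search[]=x` hands an array to `strtoupper()` / `trim()`, which throws a `TypeError` on PHP 8 and may surface as an error page, depending on the error settings. I would normalise each value first, e.g. `$sort = is_string($_GET['sort'] ?? null) ? $_GET['sort'] : '';` (and likewise for `order` and `search`), and make the whitelist comparison strict with `in_array($sort, $allowedSorts, true)`. With the queries now fixed literals no request value reaches the SQL text, so a short comment saying that this is the intent would stop a later edit from reintroducing interpolation. The closing `echo json_encode(['success' => true, 'data' => $users]);` in the last hunk still emits stored usernames without the `JSON_HEX_*` flags that the other files in this commit now use, which looks inconsistent.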