Issue #30 #33 Solved #35
Welcome to our repository.🎊 Thank you so much for taking the time to point this out.
Needs more work - Please let me know if you have any trouble setting it up on your local and we can chat over Discord
@aswinikalyan30 Sorry for my negligence, please have a look now.
// Prepare the update query | ||
$stmt = $this->db->prepare("UPDATE system_settings SET $data WHERE id = ?"); | ||
$stmt->bind_param($data_types."i", ...$data_values, $chk->fetch_array()['id']); |
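Review bot: the `bind_param` call on the last line is invalid PHP, because a positional argument (`$chk->fetch_array()['id']`) cannot follow argument unpacking (`...$data_values`); append the id to the array before unpacking and bind once, e.g. `$data_values[] = $chk->fetch_array()['id']; $stmt->bind_param($data_types . 'i', ...$data_values);`. Separately, `$data` is still interpolated straight into the query text on the `prepare` line, so the SET clause must be assembled only from a fixed list of known column names with `?` placeholders for the values, otherwise the prepared statement does not remove the injection risk this PR is meant to fix.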
Fatal error: Cannot use positional argument after argument unpacking in /Applications/MAMP/htdocs/Faculty_Evaluation_System-main/admin_class.php on line 354
Getting this error
Ran it on my local and got this error - How are you testing your changes?
} | ||
} | ||
<?php |
Causing syntax issues on this line - remove it
$('#manage-user').submit(function(e){ |
This function calls an empty url - but I see the query is written on top - how are you testing any of your changes?
Going forward I need screenshots added to the PR to see what output you are seeing on screen
Hey @anushkasaxena07 - any progress?
Still working on it
Hey @anushkasaxena07 this has been open for too long, if you're not able to solve it we will assign it to someone else
Closing this PR as no working changes have been made for more than 2 weeks and it is blocking contributions from others
PR Description
The issue with the existing code is that it directly inserts user input into SQL queries, making it vulnerable to SQL injection attacks. To address this, the code needs to be refactored to use prepared statements with parameter binding. Prepared statements separate SQL logic from data, preventing malicious SQL code injection.
Solution:
Here's how to solve the issue:
save_progress() function:
delete_progress() function:
save_restriction() function:
save_evaluation() function:
get_class() function:
get_report() function:
Implementing these changes ensures that user input is properly sanitized and the application is protected from SQL injection attacks. Prepared statements with parameter binding handle user data safely, preventing malicious SQL injection attempts.
Related Issues: Avoiding SQL injections using prepared statements of MySQLi #30
Closes #30
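As an added example (not the project's code or the PR author's), this is how the dynamic `UPDATE system_settings` described above can be built with MySQLi prepared statements while keeping both the column names and the values out of user control; the column whitelist, the `$db` connection and the form payload are assumptions.

```php
<?php
// Added example: a dynamic UPDATE with MySQLi prepared statements where user
// input never reaches the SQL text. Assumes a mysqli connection in $db and a
// settings row identified by $id. The column list is a hypothetical whitelist.
const SETTINGS_COLUMNS = ['name', 'email', 'contact', 'about'];

function update_system_settings(mysqli $db, int $id, array $input): bool
{
    $set_parts = [];
    $values    = [];
    $types     = '';

    foreach ($input as $column => $value) {
        // Only whitelisted column names are placed in the SQL string;
        // unknown keys (possibly attacker-controlled) are dropped.
        if (!in_array($column, SETTINGS_COLUMNS, true)) {
            continue;
        }
        $set_parts[] = "`$column` = ?";
        $values[]    = (string) $value;
        $types      .= 's';
    }
    if ($set_parts === []) {
        return false; // nothing permitted to update
    }

    // The WHERE id value is appended BEFORE unpacking: PHP rejects a positional
    // argument after ...$values, which is the fatal error seen in this review.
    $values[] = $id;
    $types   .= 'i';

    $sql  = 'UPDATE system_settings SET ' . implode(', ', $set_parts) . ' WHERE id = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Spreading the array passes its elements by reference, as bind_param needs.
    $stmt->bind_param($types, ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed form payload: the quote in 'name' is bound as data, not
// concatenated into SQL, and the non-whitelisted key is ignored entirely.
$payload = [
    'name'              => "O'Reilly Faculty Office",
    'email'             => 'admin@example.com',
    'evil`=1,`password' => 'ignored',
];
// $ok = update_system_settings($db, 1, $payload);
```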
Issue
#30
Issue
#33
PR Description
This implementation ensures that the backend properly handles the scenario where the username already exists when updating user details.
Checklist
[x] I have gone through the contributing guide
[x] I have updated my branch and synced it with project main branch before making this PR
[x] Is this a bug fix/enhancement/documentation changes
[x] Part of GSSOC
[x] Tested for any breaking changes
[x] Other relevant checks completed
Undertaking
I declare that:
The content I am submitting is original and has not been plagiarized.
No portion of the work has been copied from any other source without proper attribution.
The work has been checked for plagiarism, and I assure its authenticity.
I understand that any violation of this undertaking may have legal consequences that I will bear and could result in the withdrawal of any recognition associated with the work.
[x] I Agree