
rfidpayments's People

Contributors

t3harco

Forkers

tibodw

rfidpayments's Issues

[Insight] Database queries should use parameter binding - in partials/cashier.php, line 13

in partials/cashier.php, line 13

If provided by the user, the value of $rfid may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

    $rfid = mysqli_real_escape_string($db, $_POST['rfid']);

    if($total < 0)
        die("Het totaal kan /niet/ negatief zijn..");

    if($result = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';")) {
        $balance = (mysqli_fetch_row($result)[0] - $total);

        if($balance < 0) {
            die("That's an error..");
        } else {

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/abits/recharge.php, line 11

in partials/abits/recharge.php, line 11

If provided by the user, the value of $balance may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

if(isset($_POST['rfid'])) {
  $error = false;
  $rfid = mysqli_real_escape_string($db, $_POST['rfid']);
  $balance = mysqli_real_escape_string($db, $_POST['balance']);

  if($result = mysqli_query($db, "UPDATE users SET balance = balance + '" . $balance . "' WHERE rfid_tag = '" . $rfid . "';")) {
    $balance = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';");
    $bdata = mysqli_fetch_row($balance);

    if(mysqli_num_rows($balance) == 1)
      echo '<div class="alert alert-success"><span class="glyphicon glyphicon-ok"></span> Balans geregistreerd. Nieuwe balans: ' . $bdata[0] . '</div>';

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/abits/deluser.php, line 19

in partials/abits/deluser.php, line 19

If provided by the user, the value of $id may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

}

if(isset($_POST['users'])) { 
  $id = mysqli_real_escape_string($db, $_POST['users']);

  if($result = mysqli_query($db, "DELETE FROM users WHERE id = '" . $id . "';"))
    echo '<div class="alert alert-success">De gebruiker is verwijderd</div>';
  else
">
    echo '<div class="alert alert-danger">De gebruiker werd niet verwijderd..</div>';
}
?>

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in api.php, line 42

in api.php, line 42

If provided by the user, the value of $rfid may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

switch($_GET['act']) {
  case 'checkbal':
    $rfid = mysqli_real_escape_string($db, $_GET['id']);

    if($result = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';")) {
      if(mysqli_num_rows($result) == 0) {
        echo message("Unknown ID", 1);
        return;
      }

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/cashier.php, line 19

in partials/cashier.php, line 19

If provided by the user, the value of $total may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

        $balance = (mysqli_fetch_row($result)[0] - $total);

        if($balance < 0) {
            die("That's an error..");
        } else {
            if($result = mysqli_query($db, "UPDATE users SET balance = balance - '" . $total . "' WHERE rfid_tag = '" . $rfid . "';")) {
                echo '<div class="alert alert-success"><strong>OK!</strong> Aankoop geregistreerd. Nieuwe balans: <strong>' . $balance . '</strong></div>';
            }
        }
    }
}

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/rbits/recharge.php, line 11

in partials/rbits/recharge.php, line 11

If provided by the user, the value of $balance may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

if(isset($_POST['rfid'])) {
  $error = false;
  $rfid = mysqli_real_escape_string($db, $_POST['rfid']);
  $balance = mysqli_real_escape_string($db, $_POST['balance']);

  if($result = mysqli_query($db, "UPDATE users SET balance = balance + '" . $balance . "' WHERE rfid_tag = '" . $rfid . "';")) {
    $balance = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';");
    $bdata = mysqli_fetch_row($balance);

    if(mysqli_num_rows($balance) == 1)
      echo '<div class="alert alert-success"><span class="glyphicon glyphicon-ok"></span> Balans geregistreerd. Nieuwe balans: ' . $bdata[0] . '</div>';

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/rbits/recharge.php, line 12

in partials/rbits/recharge.php, line 12

If provided by the user, the value of $rfid may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

  $error = false;
  $rfid = mysqli_real_escape_string($db, $_POST['rfid']);
  $balance = mysqli_real_escape_string($db, $_POST['balance']);

  if($result = mysqli_query($db, "UPDATE users SET balance = balance + '" . $balance . "' WHERE rfid_tag = '" . $rfid . "';")) {
    $balance = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';");
    $bdata = mysqli_fetch_row($balance);

    if(mysqli_num_rows($balance) == 1)
      echo '<div class="alert alert-success"><span class="glyphicon glyphicon-ok"></span> Balans geregistreerd. Nieuwe balans: ' . $bdata[0] . '</div>';
    else

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in partials/abits/recharge.php, line 12

in partials/abits/recharge.php, line 12

If provided by the user, the value of $rfid may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

  $error = false;
  $rfid = mysqli_real_escape_string($db, $_POST['rfid']);
  $balance = mysqli_real_escape_string($db, $_POST['balance']);

  if($result = mysqli_query($db, "UPDATE users SET balance = balance + '" . $balance . "' WHERE rfid_tag = '" . $rfid . "';")) {
    $balance = mysqli_query($db, "SELECT balance FROM users WHERE rfid_tag = '" . $rfid . "';");
    $bdata = mysqli_fetch_row($balance);

    if(mysqli_num_rows($balance) == 1)
      echo '<div class="alert alert-success"><span class="glyphicon glyphicon-ok"></span> Balans geregistreerd. Nieuwe balans: ' . $bdata[0] . '</div>';
    else

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in lib/user.php, line 18

in lib/user.php, line 18

If provided by the user, the value of $ip may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

        return false;

    if(isset($_SESSION['authenticated']))
        return false;

    if($result = mysqli_query($db, "SELECT * FROM allowedIps WHERE ip = '" . $ip . "';")) {
        if(mysqli_num_rows($result) == 0) {
            echo("Debug: user IP not in table " . $_SERVER['REMOTE_ADDR']);
            return false;
        }
    }

Posted from SensioLabsInsight

[Insight] Database queries should use parameter binding - in lib/user.php, line 25

in lib/user.php, line 25

If provided by the user, the value of $rfid may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

            echo("Debug: user IP not in table " . $_SERVER['REMOTE_ADDR']);
            return false;
        }
    }

    if($result = mysqli_query($db, "SELECT * FROM users WHERE (rfid_tag = '" . $rfid . "' AND username = '" . $user . "' AND password = '" . $pass . "' AND username != 'attendee');")) {
        if(mysqli_num_rows($result) == 0) {
            echo("Debug: user allowed in IP, but not in table");
            return false;
        } 

Posted from SensioLabsInsight
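Every finding above is the same pattern: a request value is passed through mysqli_real_escape_string and then spliced into the SQL text, where its safety depends on the connection charset and on the value sitting inside a quoted literal. With a prepared statement the value never becomes part of the statement, which is what the Insight rule asks for. The cashier purchase from partials/cashier.php rewritten that way, as an added example that is not the rfidpayments project's own code; it assumes an open mysqli connection $db, the users(rfid_tag, balance) table the excerpts query, mysqlnd for get_result(), and register_purchase with its return messages is this example's own naming.

```php
<?php
// Let mysqli throw on errors instead of returning false (assumed setting).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical replacement for the purchase block in partials/cashier.php.
function register_purchase(mysqli $db, string $rfid, string $totalInput): string
{
    // Validate the amount before it reaches SQL: the excerpt only checks
    // `$total < 0`, so a non-numeric value would still reach the query.
    if (!is_numeric($totalInput) || (float) $totalInput < 0) {
        return 'The total cannot be negative or non-numeric';
    }
    $total = (float) $totalInput;

    // Read and deduct inside one transaction so two cashiers cannot both
    // pass the balance check against the same stale value.
    $db->begin_transaction();
    try {
        // `?` is a placeholder; the tag is sent separately from the SQL text,
        // so quotes or comment sequences in it cannot alter the statement.
        $select = $db->prepare('SELECT balance FROM users WHERE rfid_tag = ? FOR UPDATE');
        $select->bind_param('s', $rfid);
        $select->execute();
        $row = $select->get_result()->fetch_row();
        if ($row === null) {
            $db->rollback();
            return 'Unknown ID';
        }
        $newBalance = $row[0] - $total;
        if ($newBalance < 0) {
            $db->rollback();
            return 'Insufficient balance';
        }
        // 'd' binds the amount as a double: no quoting, no string arithmetic
        // like the excerpt's `balance - '...'`.
        $update = $db->prepare('UPDATE users SET balance = balance - ? WHERE rfid_tag = ?');
        $update->bind_param('ds', $total, $rfid);
        $update->execute();
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    }
    // Plain text: the caller wraps it in HTML and escapes it there.
    return 'Purchase registered. New balance: ' . $newBalance;
}
```

The same two-statement shape (bind_param with 's' for the tag, 'd' or 'i' for the amount or id) covers the recharge.php, deluser.php, api.php and lib/user.php queries flagged above.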
