AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add cleanInput function without mysqli_escape_string and converted add and edit payment method to Procedural mysqli Prepared Statments

This commit is contained in:
johnnyq 2025-11-21 19:54:50 -05:00
parent 169619c9b9
commit 3d119261cc
2 changed files with 43 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
admin/post/payment_method.php
View File

@ -10,10 +10,17 @@ if (isset($_POST['add_payment_method'])) {
validateCSRFToken($_POST['csrf_token']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$name = cleanInput($_POST['name']);
$description = cleanInput($_POST['description']);
mysqli_query($mysqli,"INSERT INTO payment_methods SET payment_method_name = '$name', payment_method_description = '$description'");
$query = mysqli_prepare(
$mysqli, "INSERT INTO payment_methods
SET payment_method_name = ?, payment_method_description = ?"
);
mysqli_stmt_bind_param($query, "ss", $name, $description);
mysqli_stmt_execute($query);
logAction("Payment Method", "Create", "$session_name created Payment Method $name");
@ -26,12 +33,21 @@ if (isset($_POST['add_payment_method'])) {
if (isset($_POST['edit_payment_method'])) {
validateCSRFToken($_POST['csrf_token']);
$payment_method_id = intval($_POST['payment_method_id']);
$name = sanitizeInput($_POST['name']);
$description = sanitizeInput($_POST['description']);
$name = cleanInput($_POST['name']);
$description = cleanInput($_POST['description']);
mysqli_query($mysqli,"UPDATE payment_methods SET payment_method_name = '$name', payment_method_description = '$description' WHERE payment_method_id = $payment_method_id");
$query = mysqli_prepare(
$mysqli,
"UPDATE payment_methods
SET payment_method_name = ?, payment_method_description = ?
WHERE payment_method_id = ?"
);
mysqli_stmt_bind_param($query, "ssi", $name, $description, $payment_method_id);
mysqli_stmt_execute($query);
logAction("Payment Method", "Edit", "$session_name edited Payment Method $name");

20
functions.php
View File

@ -802,6 +802,26 @@ function sanitizeInput($input) {
return $input;
}
function cleanInput($input) {
// Only process non-empty input
if (!empty($input)) {
// Normalize encoding to UTF-8 if its not valid
if (!mb_check_encoding($input, 'UTF-8')) {
// Convert from Windows-1252 as a safe fallback
$input = mb_convert_encoding($input, 'UTF-8', 'Windows-1252');
}
}
// Remove HTML and PHP tags
$input = strip_tags((string) $input);
// Trim whitespace
$input = trim($input);
return $input;
}
function sanitizeForEmail($data)
{
$sanitized = htmlspecialchars($data);