From bc61b59244d279c668b3148328c9d46363b234b8 Mon Sep 17 00:00:00 2001
From: "johnny@pittpc.com"
Date: Tue, 24 Sep 2019 14:52:53 -0400
Subject: [PATCH] Fixed password issue causing SQL escape characters to add slashes remove mysqli_real_escape_string as its not needs, md5 produces no sql escape characters by default so it it does not need santized
---
 login.php | 2 +-
 post.php | 6 +++---
 setup.php | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/login.php b/login.php
index 7e899bae..9c82fd61 100644
--- a/login.php
+++ b/login.php
@@ -25,7 +25,7 @@ session_start();
 if(isset($_POST['login'])){
 $email = mysqli_real_escape_string($mysqli,$_POST['email']);
- $password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
+ $password = md5($_POST['password']);
 $current_code = mysqli_real_escape_string($mysqli,$_POST['current_code']);
 $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE email = '$email' AND password = '$password'");
diff --git a/post.php b/post.php
index 0e45e275..96de6027 100644
--- a/post.php
+++ b/post.php
@@ -17,7 +17,7 @@ if(isset($_POST['add_user'])){
 $name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
 $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
- $password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
+ $password = md5($_POST['password']);
 $client_id = intval($_POST['client']);
 mysqli_query($mysqli,"INSERT INTO users SET name = '$name', email = '$email', password = '$password', avatar = '$path', created_at = NOW(), client_id = $client_id");
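Review bot: The new `md5($_POST['password'])` in login.php still stores and compares an unsalted, fast MD5 digest, which is not a suitable password hash; the same line is added in the `add_user` handlers of post.php and setup.php. Account creation should use `$password = password_hash($_POST['password'], PASSWORD_DEFAULT);`, and login should fetch the row by email and check `password_verify($_POST['password'], $row['password'])` rather than matching the digest in the WHERE clause. Separately, hashes stored before this commit were computed over the escaped string, so accounts whose password contains a quote or backslash will stop matching and need a reset or a fallback check. The login handler's body continues outside the hunk.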
@@ -55,8 +55,8 @@ if(isset($_POST['edit_user'])){
 $user_id = intval($_POST['user_id']);
 $name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
 $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
- $current_password_hash = mysqli_real_escape_string($mysqli,$_POST['current_password_hash']);
- $password = mysqli_real_escape_string($mysqli,$_POST['password']);
+ $current_password_hash = $_POST['current_password_hash'];
+ $password = $_POST['password'];
 if($current_password_hash == $password){
 $password = $current_password_hash;
 }else{
diff --git a/setup.php b/setup.php
index 8c250a34..77419e2f 100644
--- a/setup.php
+++ b/setup.php
@@ -132,7 +132,7 @@ if(isset($_POST['add_user'])){
 $name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']));
 $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
- $password = md5(mysqli_real_escape_string($mysqli,$_POST['password']));
+ $password = md5($_POST['password']);
 mysqli_query($mysqli,"INSERT INTO users SET name = '$name', email = '$email', password = '$password', created_at = NOW()");
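Review bot: Removing the escaping from `$current_password_hash` and `$password` in post.php's `edit_user` handler leaves a raw request value in `$password` whenever the two fields are equal, because that branch assigns it without hashing. The commit's reasoning covers only md5() output; if `$password` is later interpolated into the UPDATE statement (not visible in this hunk), this branch reintroduces SQL injection. Bind the value through a prepared statement, or at minimum restore `$password = mysqli_real_escape_string($mysqli, $current_password_hash);` in the equal branch. Accepting the stored hash back from the form also lets the client choose the stored value, so treating an empty password field as "unchanged" would be safer than round-tripping the hash. The if/else continues past the end of the hunk.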