🦄 refactor:Sanitize SQL queries #47

DNA-styx · Jan 16, 2025 · 1d1acb3 · 1d1acb3
1 parent 130be58
commit 1d1acb3
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 17 deletions.
diff --git a/web/pages/bans.php b/web/pages/bans.php
@@ -48,7 +48,7 @@
 		FROM
 			hlstats_Games
 		WHERE
-			hlstats_Games.code = '$game'
+			hlstats_Games.code = '" . valid_request($game, false) . "'
 	");
 
     if ($db->num_rows() < 1) {
@@ -150,7 +150,7 @@
 		FROM
 			hlstats_Players
 		WHERE
-			hlstats_Players.game = '$game'
+			hlstats_Players.game = '" . valid_request($game, false) . "'
 			AND hlstats_Players.hideranking = 2
 			AND hlstats_Players.kills >= $minkills
 	");
@@ -175,7 +175,7 @@
 		FROM
 			hlstats_Players
 		WHERE
-			hlstats_Players.game = '$game'
+			hlstats_Players.game = '" . valid_request($game, false) . "'
 			AND hlstats_Players.hideranking = 2
 			AND hlstats_Players.kills >= $minkills
 		ORDER BY

diff --git a/web/pages/clans.php b/web/pages/clans.php
@@ -48,7 +48,7 @@
 		FROM
 			hlstats_Games
 		WHERE
-			hlstats_Games.code = '$game'
+			hlstats_Games.code = '" . valid_request($game, false) . "'
 	");
 
 	if ($db->num_rows() < 1) {
@@ -152,7 +152,7 @@
 			hlstats_Clans,
 			hlstats_Players
 		WHERE
-			hlstats_Clans.game = '$game'
+			hlstats_Clans.game = '" . valid_request($game, false) . "'
 			AND hlstats_Clans.hidden <> 1
 			AND hlstats_Players.clan = hlstats_Clans.clanId
 			AND hlstats_Players.hideranking = 0
@@ -181,7 +181,7 @@
 		ON
 			hlstats_Players.clan = hlstats_Clans.clanId
 		WHERE
-			hlstats_Clans.game = '$game'
+			hlstats_Clans.game = '" . valid_request($game, false) . "'
 			AND hlstats_Clans.hidden <> 1
 			AND hlstats_Players.hideranking = 0
 		GROUP BY

diff --git a/web/pages/dailyawardinfo.php b/web/pages/dailyawardinfo.php
@@ -62,7 +62,7 @@
 	$awardtype = $awarddata['awardType'];
 	$awardcode = $awarddata['code'];
 
-	$db->query("SELECT name FROM hlstats_Games WHERE code='$game'");
+	$db->query("SELECT name FROM hlstats_Games WHERE code='" . valid_request($game, false) . "'");
 	if ($db->num_rows() < 1) {
 		error("No such game '$game'.");
 	}

diff --git a/web/pages/game.php b/web/pages/game.php
@@ -41,7 +41,7 @@
     }
 
 	require (PAGE_PATH . '/livestats.php');
-	$db->query("SELECT name FROM hlstats_Games WHERE code='$game'");
+	$db->query("SELECT name FROM hlstats_Games WHERE code='" . valid_request($game, false) . "'");
 	if ($db->num_rows() < 1) {
 		error("No such game '$game'.");
 	}
@@ -57,7 +57,7 @@
 			FROM
 				hlstats_Players
 			WHERE 
-				game='$game'
+				game='" . valid_request($game, false) . "'
 	";
 	$result = $db->query($query);
 	list($total_players) = $db->fetch_row($result);
@@ -88,7 +88,7 @@
 			FROM
 				hlstats_Servers
 			WHERE 
-				game='$game'
+				game='" . valid_request($game, false) . "'
 	";
 	$result = $db->query($query);
 	list($total_kills, $total_headshots, $total_servers) = $db->fetch_row($result);
@@ -99,7 +99,7 @@
 			FROM 
 				hlstats_Trend 
 			WHERE       
-				game='$game'
+				game='" . valid_request($game, false) . "'
 				AND timestamp<=" . (time() - 86400) . "
 			ORDER BY 
 				timestamp DESC LIMIT 0,1
@@ -132,7 +132,7 @@
             FROM
                 hlstats_Servers
             WHERE
-                game='$game'
+                game='" . valid_request($game, false) . "'
             ORDER BY
                 sortorder, name, serverId
 	";
@@ -302,7 +302,7 @@
 			LEFT JOIN hlstats_Players ON
 				hlstats_Players.playerId = hlstats_Awards.d_winner_id
 			WHERE
-				hlstats_Awards.game='$game'
+				hlstats_Awards.game='" . valid_request($game, false) . "'
 			ORDER BY
 				hlstats_Awards.name
 		");

diff --git a/web/pages/roles.php b/web/pages/roles.php
@@ -48,7 +48,7 @@
 		FROM
 			hlstats_Games
 		WHERE
-			hlstats_Games.code = '$game'
+			hlstats_Games.code = '" . valid_request($game, false) . "'
 	");
 	if ($db->num_rows() < 1) error("No such game '$game'.");
 	list($gamename) = $db->fetch_row();
@@ -66,7 +66,7 @@
 		FROM
 			hlstats_Roles
 		WHERE
-			hlstats_Roles.game='$game'
+			hlstats_Roles.game='" . valid_request($game, false) . "'
 	");
 	while ($rowdata = $db->fetch_row($result))
 	{ 
@@ -163,7 +163,7 @@
 		FROM
 			hlstats_Roles
 		WHERE
-			hlstats_Roles.game = '$game'
+			hlstats_Roles.game = '" . valid_request($game, false) . "'
 			AND hlstats_Roles.hidden = '0'
 	");
 	list($realkills, $realdeaths, $realpicked) = $db->fetch_row();
@@ -182,7 +182,7 @@
 		FROM
 			hlstats_Roles
 		WHERE
-			hlstats_Roles.game = '$game' 
+			hlstats_Roles.game = '" . valid_request($game, false) . "' 
 			AND hlstats_Roles.kills > 0 
 			AND hlstats_Roles.hidden = '0'
 		GROUP BY