
Fix error 500 on user creation, SQLI and windows debug php fix#1218

Closed
Leproide wants to merge 13 commits intoitflow-org:developfrom
Leproide:master

Conversation

Leproide commented May 1, 2025

johnnyq and others added 12 commits March 3, 2025 15:22
v25.02.2 Maint / Small Feature Release
v25.02.3 - Stable Minor Release
v25.02.4 - Stable Minor Release
Develop to Master for 25.03.3 release
Develop to Master for 25.03.4 Release
Develop to Master - 25.03.5 Release
require_once 'post/admin/admin_user_model.php';

// Read the submitted form fields; the role is cast to int so it can only ever be a number.
$name = trim($_POST['name']);
$email = trim($_POST['email']);
$password_plain = trim($_POST['password']);
$password = password_hash($password_plain, PASSWORD_DEFAULT);
$user_specific_encryption_ciphertext = encryptUserSpecificKey($password_plain);
$role = intval($_POST['role']); // Avoids injection here too

// Prepared statement: the values are bound as parameters, never interpolated into the SQL text.
$stmt = $mysqli->prepare("INSERT INTO users 
    (user_name, user_email, user_password, user_specific_encryption_ciphertext, user_role_id) 
    VALUES (?, ?, ?, ?, ?)");
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param("ssssi", $name, $email, $password, $user_specific_encryption_ciphertext, $role);
$stmt->execute();

$user_id = $stmt->insert_id;
Removed /dev/null (does not work on Windows)

github-actions bot left a comment


Hello & Welcome! :)

Thanks for taking the time to help improve ITFlow. We're excited to review your contributions - we'll review this PR as soon as we can!

Whilst you're waiting, please feel free to check out the forum.

Just so you know, all contributions to ITFlow are licensed under the GNU GPL. By contributing you grant us a perpetual & irrevocable license to include your work in ITFlow.

];
$mail = addToMailQueue($data);

if ($mail !== true) {

Check failure: Code scanning / SonarCloud
Database queries should not be vulnerable to injection attacks (High)
Change this code to not construct SQL queries directly from user-controlled data. See more on SonarQube Cloud.

$mail = addToMailQueue($data);

if ($mail !== true) {
    mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email'");

Check failure: Code scanning / SonarCloud
Database queries should not be vulnerable to injection attacks (High)
Change this code to not construct SQL queries directly from user-controlled data. See more on SonarQube Cloud.

}
}

Check failure: Code scanning / SonarCloud
Database queries should not be vulnerable to injection attacks (High)
Change this code to not construct SQL queries directly from user-controlled data. See more on SonarQube Cloud.
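Review bot: in the mysqli_query() call under `if ($mail !== true) {`, `$email` is spliced straight into the SQL text, and in the user-creation snippet above it is `trim($_POST['email'])`, so a quote character in the submitted address ends the string literal and the rest of the address is parsed as SQL. Build the message in PHP and bind it instead: `$msg = "Failed to send email to $email";` followed by `$mysqli->prepare("INSERT INTO notifications (notification_type, notification) VALUES ('Mail', ?)")` and `bind_param('s', $msg)`; that keeps the same stored text while the query structure no longer depends on user input.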
}

if (!empty($two_fa) && $two_fa == 'disable') {
    mysqli_query($mysqli, "UPDATE users SET user_token = '' WHERE user_id = '$user_id'");

Check failure: Code scanning / SonarCloud
Database queries should not be vulnerable to injection attacks (High)
Change this code to not construct SQL queries directly from user-controlled data. See more on SonarQube Cloud.
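Review bot: the `UPDATE users SET user_token = '' WHERE user_id = '$user_id'` line quotes `$user_id` as a string inside the query text, which is the same interpolation pattern the PR removes from the INSERT. If `$user_id` is the value taken from `$stmt->insert_id` in the new user-creation code it is already an integer, so bind it as one: `$stmt = $mysqli->prepare("UPDATE users SET user_token = '' WHERE user_id = ?");` then `$stmt->bind_param('i', $user_id);` and `$stmt->execute();`. Keeping one interpolated query in the same file means the SQLi fix the PR title promises is only partial.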
Leproide (Author) commented May 1, 2025

Nice... another problem xD
I think this module needs a rework (not my change)

require_once __DIR__ . '/config.php';
require_once __DIR__ . '/functions.php';
require_once __DIR__ . '/includes/check_login.php';
require_once __DIR__ . '/plugins/totp/totp.php'; // TOTP MFA Lib
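The two mysqli_query() calls SonarCloud flagged above, rewritten as mysqli prepared statements. This is an added example and not ITFlow's own code or part of this PR; the `$mysqli` handle, the `notifications` and `users` tables and their column names are assumed from the snippets quoted on this page, and the function names `notifyMailFailure` and `disableTwoFactor` are hypothetical.

```php
<?php
// Added example, not ITFlow's code: the flagged notification INSERT and 2FA UPDATE
// as prepared statements. Table and column names are assumed from the PR snippets.
declare(strict_types=1);

// Turn every mysqli failure into an exception instead of a silent `false`, so a
// failed prepare() can never fall through to execute().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * The flagged form, kept only for comparison: $email comes from $_POST and is
 * spliced into the SQL text, so a quote in the address ends the string literal
 * and whatever follows it is parsed as SQL.
 */
function notifyMailFailureUnsafe(mysqli $mysqli, string $email): void
{
    mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email'");
}

/**
 * Hardened form: the message text is assembled in PHP, but the SQL sent to the
 * server only contains placeholders, so the address cannot alter the statement.
 */
function notifyMailFailure(mysqli $mysqli, string $email): void
{
    $type    = 'Mail';
    $message = "Failed to send email to $email"; // plain string building, no longer SQL
    $stmt = $mysqli->prepare(
        'INSERT INTO notifications (notification_type, notification) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $type, $message);
    $stmt->execute();
    $stmt->close();
}

/**
 * Hardened 2FA reset. user_id is an integer column, so the value is typed as int
 * at the PHP boundary and bound with 'i'; quoting it as '$user_id' inside the
 * query text is the pattern SonarCloud flagged. Returns the number of rows the
 * server reports as changed (0 if the token was already empty).
 */
function disableTwoFactor(mysqli $mysqli, int $userId): int
{
    $stmt = $mysqli->prepare("UPDATE users SET user_token = '' WHERE user_id = ?");
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

// Usage, mirroring the control flow quoted in the PR. Connection parameters are
// placeholders for this example; addToMailQueue() and $two_fa are the PR's own names.
$mysqli = new mysqli('localhost', 'itflow', 'changeme', 'itflow');
$email  = trim($_POST['email'] ?? '');
$data   = []; // the mail-queue payload built earlier in the real module
if (addToMailQueue($data) !== true) {
    notifyMailFailure($mysqli, $email);
}
if (!empty($two_fa) && $two_fa === 'disable') {
    disableTwoFactor($mysqli, (int) $user_id);
}
```

Note the split in notifyMailFailure(): interpolating `$email` into the message string is harmless, because that string is handed to the driver as a parameter; only interpolation into the query text is the injection. Keeping `mysqli_report()` in strict mode also removes the need for the `if ($stmt === false)` checks that legacy mysqli code otherwise has to repeat after every prepare().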

sonarqubecloud bot commented May 1, 2025

Quality Gate failed

Failed conditions
Security Rating on New Code: E (required ≥ A)

See analysis details on SonarQube Cloud


wrongecho (Collaborator) commented

Hello. Thanks for getting in touch and looking at this, but we have no interest in Windows support for now.

@wrongecho wrongecho closed this May 1, 2025
3 participants