From 45523720eae3aadb7bd92c6d7b5336330514c4fb Mon Sep 17 00:00:00 2001
From: twotalesanimation <80506065+twotalesanimation@users.noreply.github.com>
Date: Wed, 3 Dec 2025 19:52:54 +0200
Subject: [PATCH] Remove: Deprecated MySQLi functions - convert to OOP prepared statements
- create_bar_tab.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_num_rows/mysqli_error with OOP prepared statements
- submit_order.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_error with OOP prepared statements
- fetch_drinks.php: Replaced mysqli_real_escape_string() and procedural mysqli_query/mysqli_fetch_assoc with OOP prepared statements
- comment_box.php: Removed mysqli_real_escape_string(), added CSRF token validation for comment submission
All files now use consistent OOP MySQLi approach with proper parameter binding. Fixes PHP 8.1+ compatibility and improves security against multi-byte character injection.
---
comment_box.php | 8 +++++++-
create_bar_tab.php | 28 +++++++++++++++++-----------
fetch_drinks.php | 15 +++++++++++----
submit_order.php | 14 ++++++++------
4 files changed, 43 insertions(+), 22 deletions(-)
diff --git a/comment_box.php b/comment_box.php
index d19a81c1..c9fb7975 100644
--- a/comment_box.php
+++ b/comment_box.php
@@ -10,7 +10,13 @@ $conn = openDatabaseConnection();
 // Handle comment post
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit_comment'])) {
- $comment = $conn->real_escape_string(trim($_POST['comment']));
+ // Validate CSRF token
+ if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+ http_response_code(403);
+ die('Security token validation failed.');
+ }
+
+ $comment = trim($_POST['comment'] ?? '');
 if (!empty($comment)) {
 $stmt = $conn->prepare("INSERT INTO comments (page_id, user_id, comment) VALUES (?, ?, ?)");
diff --git a/create_bar_tab.php b/create_bar_tab.php
index 60c1a97f..d0b9d818 100644
--- a/create_bar_tab.php
+++ b/create_bar_tab.php
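Review bot: `$comment = trim($_POST['comment'] ?? '')` drops the escaping but adds no type or length check before the value reaches the INSERT prepared two lines below: a request that sends `comment` as an array makes `trim()` throw a TypeError on PHP 8, and an over-long comment is either silently truncated or rejected by the column depending on the server's sql_mode. Consider `$comment = is_string($_POST['comment'] ?? null) ? trim($_POST['comment']) : '';` followed by an `mb_strlen` bound that matches the column width. The `!empty($comment)` test on the next context line also discards a comment consisting of the single character `0`; `$comment !== ''` is the intended check now that the value is a plain trimmed string. The enclosing `if` block continues past the hunk.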
@@ -12,35 +12,41 @@ if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
 // Check if user_id is set in the POST request
 if (isset($_POST['user_id']) && !empty($_POST['user_id'])) {
- // Sanitize the input to prevent SQL injection
- $user_id = mysqli_real_escape_string($conn, $_POST['user_id']);
+ // Validate user_id as integer
+ $user_id = intval($_POST['user_id']);
+ if ($user_id <= 0) {
+ echo json_encode(['status' => 'error', 'message' => 'Invalid user ID.']);
+ exit();
+ }
+ $created_at = date('Y-m-d H:i:s'); // Use current date and time for created_at
 // First, check if a bar tab already exists for this user_id
- $checkSql = "SELECT * FROM bar_tabs WHERE user_id = '$user_id' LIMIT 1";
- $checkResult = mysqli_query($conn, $checkSql);
+ $stmt = $conn->prepare("SELECT * FROM bar_tabs WHERE user_id = ? LIMIT 1");
+ $stmt->bind_param("i", $user_id);
+ $stmt->execute();
+ $checkResult = $stmt->get_result();
- if (mysqli_num_rows($checkResult) > 0) {
+ if ($checkResult->num_rows > 0) {
 // If a bar tab already exists for this user_id, return an error message
 echo json_encode(['status' => 'error', 'message' => 'A bar tab already exists for this user.']);
 } else {
 // Prepare the SQL query to insert a new record into the bar_tabs table
- $sql = "INSERT INTO bar_tabs (user_id) VALUES ('$user_id')";
+ $stmt = $conn->prepare("INSERT INTO bar_tabs (user_id) VALUES (?)");
+ $stmt->bind_param("i", $user_id);
 // Execute the query
- if (mysqli_query($conn, $sql)) {
+ if ($stmt->execute()) {
 // If the insertion is successful, return a success message
 echo json_encode(['status' => 'success', 'message' => 'Bar tab created successfully.']);
 } else {
 // If there's an error, return an error message
- echo json_encode(['status' => 'error', 'message' => 'Error: ' . mysqli_error($conn)]);
+ echo json_encode(['status' => 'error', 'message' => 'Error: ' . 
$conn->error]);
 }
 }
 } else {
 // If user_id is not provided, return an error message
 echo json_encode(['status' => 'error', 'message' => 'User ID is required.']);
 }
-
- // Close the database connection
- mysqli_close($conn);
 ?>
+
diff --git a/fetch_drinks.php b/fetch_drinks.php
index 9d2db7cd..9524e2fa 100644
--- a/fetch_drinks.php
+++ b/fetch_drinks.php
@@ -1,16 +1,23 @@
+ 'error', 'message' => 'Invalid tab ID.']);
+ exit();
+ }
 // Fetch drinks available for this tab
- $sql = "SELECT * FROM bar_items"; // Customize as needed
- $result = mysqli_query($conn, $sql);
+ $stmt = $conn->prepare("SELECT * FROM bar_items");
+ $stmt->execute();
+ $result = $stmt->get_result();
 $drinks = [];
- while ($row = mysqli_fetch_assoc($result)) {
+ while ($row = $result->fetch_assoc()) {
 $drinks[] = $row;
 }
diff --git a/submit_order.php b/submit_order.php
index e36f5a73..1d673dfa 100644
--- a/submit_order.php
+++ b/submit_order.php
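Review bot: The insert's failure branch builds its message from `$conn->error`, but after a failed `$stmt->execute()` the driver's description is generally on the statement handle, so the client is likely to see just `Error: `; read `$stmt->error` instead (the submit_order.php hunk has the same `$conn->error` after `$stmt->execute()`). Whichever property is read, echoing the raw driver message back in the JSON discloses schema and query details; prefer `error_log($stmt->error); echo json_encode(['status' => 'error', 'message' => 'Could not create bar tab.']);`. Note that under the PHP 8.1+ default `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)`, `prepare()` and `execute()` throw `mysqli_sql_exception` rather than returning false, so that branch is only reachable if `openDatabaseConnection()` lowers the report mode — worth confirming, because an uncaught exception here yields a 500 with no JSON body. Separately, `intval($_POST['user_id'])` accepts `12abc` as 12, whereas `filter_var($_POST['user_id'], FILTER_VALIDATE_INT)` rejects it, and nothing in the hunk ties the requested `user_id` to the session user, which is worth checking if only the logged-in user should be able to open a tab.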
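Review bot: The tab id validated at the top of the hunk (the `Invalid tab ID.` rejection) is not used by the query that follows — `SELECT * FROM bar_items` has no WHERE clause, so the context comment `// Fetch drinks available for this tab` promises a per-tab filter the statement does not apply. If every tab is meant to see the full menu, reword the comment to `// Fetch the full drinks menu (not filtered by tab)`; if not, the tab id has to be bound, e.g. `WHERE <tab column> = ?` with `$stmt->bind_param("i", <validated tab id>)`. A parameterless prepared statement also gains nothing over `$result = $conn->query("SELECT * FROM bar_items");`, which would drop two lines. The start of this hunk is garbled in this rendering, so the validation lines are only partly visible.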
@@ -19,14 +19,16 @@ if (isset($_POST['tab_id']) && isset($_SESSION['cart'][$_POST['tab_id']])) {
 foreach ($drinks as $drink) {
 $drink_id = (int) $drink['item_id']; // Ensure drink ID is an integer
- $drink_name = mysqli_real_escape_string($conn, $drink['item_name']);
+ $drink_name = $drink['item_name']; // No escaping needed with prepared statements
 $drink_price = (float) $drink['item_price']; // Ensure price is a float
- $user_id = (float) $drink['user_id']; // Ensure price is a float
+ $user_id = (int) $drink['user_id']; // Convert to integer
- // Insert each drink into the bar_transactions table
- $sql = "INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES ('$user_id', '$tab_id', '$drink_id', '$drink_name', '$drink_price')";
- if (!mysqli_query($conn, $sql)) {
- $errors[] = "Error inserting drink ID $drink_id: " . mysqli_error($conn);
+ // Insert each drink into the bar_transactions table using prepared statement
+ $stmt = $conn->prepare("INSERT INTO bar_transactions (user_id, tab_id, item_id, item_name, item_price) VALUES (?, ?, ?, ?, ?)");
+ $stmt->bind_param("iiisi", $user_id, $tab_id, $drink_id, $drink_name, $drink_price);
+
+ if (!$stmt->execute()) {
+ $errors[] = "Error inserting drink ID $drink_id: " . $conn->error;
 }
 }