Hamza/Siro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch

Browse Source
This commit is contained in:
Hamza-Ayed
2026-06-17 06:31:13 +03:00
parent 8c6dea5d96
commit 0ceb67ee56
7 changed files with 100 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/auth/token_passenger/driver/send_otp_driver.php
View File

@@ -3,7 +3,7 @@
require_once __DIR__ . '/../../../connect.php';
/* 1) توليد رمز التحقق (3 خانات) --------------------------------------------------- */
$otp = (string)rand(100, 999);
$otp = (string)random_int(100, 999);
$receiver = filterRequest("receiver");
if (empty($receiver)) {
@@ -69,6 +69,11 @@ if ($sentOK) {
");
$stmt->execute([$receiver_enc, $otp_enc, $exp, $now]);
// Also save to Redis for verify_otp compatibility
if ($redis) {
$redis->setex("otp:driver:$receiver", 300, $otp);
}
jsonSuccess(null, 'OTP sent and saved successfully');
} catch (PDOException $e) {
@@ -76,12 +81,6 @@ if ($sentOK) {
}
} else {
$errMsg = $decoded['message'] ?? 'Unknown error';
jsonError('Failed to send OTP: ' . $errMsg);
jsonError('Failed to send OTP');
}
/* -----------------------------------------------------------------------
* أبقينا callAPI() فقط إذا كان يُستخدم في ملفات أخرى احذفه إن شئت.
* --------------------------------------------------------------------- */
function callAPI($method, $url, $data) { /* … */ }
?>

17
backend/auth/token_passenger/send_otp.php
View File

@@ -3,7 +3,7 @@
require_once __DIR__ . '/../../connect.php';
/* 1) توليد رمز التحقق (3 خانات) */
$otp = (string)rand(100, 999);
$otp = (string)random_int(100, 999);
$receiver = filterRequest("receiver");
if (empty($receiver)) {
@@ -50,7 +50,7 @@ $decoded = json_decode((string)$res, true);
$sentOK = ($httpCode === 200 && ($decoded['success'] ?? false));
if ($sentOK) {
/* 3) تشفير البيانات وحفظ الرمز في قاعدة البيانات */
/* 3) حفظ الرمز في Redis + قاعدة البيانات */
$receiver_enc = $encryptionHelper->encryptData($receiver);
$otp_enc = $encryptionHelper->encryptData($otp);
@@ -58,6 +58,7 @@ if ($sentOK) {
$now = date('Y-m-d H:i:s');
try {
// Save to MySQL
$con->prepare("DELETE FROM token_verification WHERE phone_number = ?")
->execute([$receiver_enc]);
@@ -68,6 +69,11 @@ if ($sentOK) {
");
$stmt->execute([$receiver_enc, $otp_enc, $exp, $now]);
// Also save to Redis for verify_otp.php compatibility
if ($redis) {
$redis->setex("otp:passenger:$receiver", 300, $otp);
}
jsonSuccess(null, 'OTP sent and saved successfully');
} catch (PDOException $e) {
@@ -76,11 +82,6 @@ if ($sentOK) {
} else {
$errMsg = $decoded['message'] ?? 'Unknown error';
jsonError('Failed to send OTP: ' . $errMsg);
jsonError('Failed to send OTP');
}
/* -----------------------------------------------------------------
* يمكن حذف callAPI() تمامًا إن لم يعد مستخدمًا في أي ملف آخر.
* ---------------------------------------------------------------- */
function callAPI($method, $url, $data) { /* … (أبقِها أو احذفها) */ }
?>

2
backend/auth/token_passenger/verify_otp.php
View File

@@ -30,7 +30,7 @@ try {
$cachedOtp = $redis->get("otp:passenger:$phoneNumber");
if ($cachedOtp && $cachedOtp == $otp) {
if ($cachedOtp && $cachedOtp === $otp) {
// ننجح في التحقق ونحذف المفتاح من Redis لمنع استخدامه مرة أخرى (One-time use)
$redis->del("otp:passenger:$phoneNumber");

15
backend/core/Security/EncryptionHelper.php
View File

@@ -64,14 +64,25 @@ class EncryptionHelper
}
// ─── تشفير/فك تشفير Binary (صور، ملفات) ───────────────
// تُستخدم الـ GCM مع IV عشوائي (كما في encryptData)
public function encryptBinary(string $data): string
{
return openssl_encrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
$iv = random_bytes(self::IV_LEN_GCM);
$tag = '';
$encrypted = openssl_encrypt($data, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag, "", self::TAG_LEN);
return base64_encode($iv . $tag . $encrypted);
}
public function decryptBinary(string $data): string|false
{
return openssl_decrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
$raw = base64_decode($data, true);
if ($raw === false || strlen($raw) < self::IV_LEN_GCM + self::TAG_LEN) return false;
$iv = substr($raw, 0, self::IV_LEN_GCM);
$tag = substr($raw, self::IV_LEN_GCM, self::TAG_LEN);
$cipher = substr($raw, self::IV_LEN_GCM + self::TAG_LEN);
return openssl_decrypt($cipher, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
}
// --------- دوال الـ Padding للـ CBC ----------

38
backend/encrypt_decrypt.php
View File

@@ -49,8 +49,9 @@ class EncryptionHelper {
public function encryptData($plainText) {
$plainText = mb_convert_encoding($plainText, 'UTF-8');
$paddedText = $this->addPadding($plainText);
$encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
return base64_encode($encrypted);
$iv = random_bytes(16);
$encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
return base64_encode($iv . $encrypted);
}
public function decryptData($encryptedText) {
@@ -61,6 +62,22 @@ class EncryptionHelper {
return false;
}
// محاولة أولى: استخراج IV عشوائي من أول 16 بايت
if (strlen($decoded) >= 16) {
$iv = substr($decoded, 0, 16);
$payload = substr($decoded, 16);
$decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
if ($decrypted !== false) {
$pad = ord($decrypted[strlen($decrypted) - 1]);
if ($pad >= 1 && $pad <= 16) {
return substr($decrypted, 0, -$pad);
}
}
}
// محاولة ثانية: IV ثابت (للبيانات القديمة)
$decrypted = openssl_decrypt($decoded, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
if ($decrypted === false) {
@@ -68,7 +85,6 @@ class EncryptionHelper {
return false;
}
// Verify padding is valid before removal
$pad = ord($decrypted[strlen($decrypted) - 1]);
if ($pad < 1 || $pad > 16) {
error_log("[ERROR] Invalid padding value ($pad) for decrypted input: $encryptedText");
@@ -95,13 +111,23 @@ class EncryptionHelper {
return true;
}
public function encryptBinary($data) {
$encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
return $encrypted;
$iv = random_bytes(16);
$encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
return $iv . $encrypted;
}
public function decryptBinary($data) {
if (strlen($data) >= 16) {
$iv = substr($data, 0, 16);
$payload = substr($data, 16);
$decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
if ($decrypted !== false) {
return $decrypted;
}
}
// للبيانات القديمة ذات IV الثابت
$decrypted = openssl_decrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
// CRIT-07 FIX: التحقق من فشل openssl_decrypt
if ($decrypted === false) {
error_log('[CRIT-07] openssl_decrypt failed in decryptBinary');
throw new Exception('Decryption failed');

38
walletintaleq.intaleq.xyz/v2/main/encrypt_decrypt.php
View File

@@ -41,8 +41,9 @@ class EncryptionHelper {
public function encryptData($plainText) {
$plainText = mb_convert_encoding($plainText, 'UTF-8');
$paddedText = $this->addPadding($plainText);
$encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
return base64_encode($encrypted);
$iv = random_bytes(16);
$encrypted = openssl_encrypt($paddedText, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
return base64_encode($iv . $encrypted);
}
public function decryptData($encryptedText) {
@@ -53,6 +54,22 @@ class EncryptionHelper {
return false;
}
// محاولة أولى: استخراج IV عشوائي من أول 16 بايت
if (strlen($decoded) >= 16) {
$iv = substr($decoded, 0, 16);
$payload = substr($decoded, 16);
$decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
if ($decrypted !== false) {
$pad = ord($decrypted[strlen($decrypted) - 1]);
if ($pad >= 1 && $pad <= 16) {
return substr($decrypted, 0, -$pad);
}
}
}
// محاولة ثانية: IV ثابت (للبيانات القديمة)
$decrypted = openssl_decrypt($decoded, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
if ($decrypted === false) {
@@ -60,7 +77,6 @@ class EncryptionHelper {
return false;
}
// Verify padding is valid before removal
$pad = ord($decrypted[strlen($decrypted) - 1]);
if ($pad < 1 || $pad > 16) {
error_log("[ERROR] Invalid padding value ($pad) for decrypted input: $encryptedText");
@@ -82,13 +98,23 @@ class EncryptionHelper {
return true;
}
public function encryptBinary($data) {
$encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
return $encrypted;
$iv = random_bytes(16);
$encrypted = openssl_encrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
return $iv . $encrypted;
}
public function decryptBinary($data) {
if (strlen($data) >= 16) {
$iv = substr($data, 0, 16);
$payload = substr($data, 16);
$decrypted = openssl_decrypt($payload, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $iv);
if ($decrypted !== false) {
return $decrypted;
}
}
// للبيانات القديمة ذات IV الثابت
$decrypted = openssl_decrypt($data, 'AES-256-CBC', $this->key, OPENSSL_RAW_DATA, $this->iv);
// CRIT-07 FIX: التحقق من فشل openssl_decrypt
if ($decrypted === false) {
error_log('[CRIT-07] openssl_decrypt failed in decryptBinary');
throw new Exception('Decryption failed');

8
walletintaleq.intaleq.xyz/v2/main/ride/payment/updatePaymetToPaid.php
View File

@@ -3,11 +3,15 @@ include "../../connect.php";
$driverID = filterRequest("driverID");
if (empty($driverID)) {
printFailure("Driver ID is required");
exit;
}
$sql = "UPDATE `payments` SET `isGiven`='Paid' WHERE driverID='$driverID'";
$sql = "UPDATE `payments` SET `isGiven`='Paid' WHERE driverID = :driverID";
$stmt = $con->prepare($sql);
$stmt->execute();
$stmt->execute([':driverID' => $driverID]);
if ($stmt->rowCount() > 0) {
// Print a success message