fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp

This commit is contained in:
Hamza-Ayed
2026-06-17 06:19:47 +03:00
parent 9bbda24d4a
commit 4a9e6b22c5
7 changed files with 81 additions and 26 deletions


@@ -1,16 +1,22 @@
<?php
require_once __DIR__ . '/../connect.php';
// استلام البيانات من الطلب
$error = filterRequest("error");
$userId = filterRequest("userId");
// Allow any authenticated user to report errors, but validate input
$error = filterRequest("error");
$userId = filterRequest("userId");
$userType = filterRequest("userType");
$phone = filterRequest("phone");
$device = filterRequest("device");
$phone = filterRequest("phone");
$device = filterRequest("device");
$details = filterRequest("details");
// تسجيل الخطأ في ملف logs/app.log للمتابعة السريعة
$logMsg = "[$userType ID: $userId] Error: $error | Where: $device | Details: $details";
// Sanitize log input to prevent log injection
$safeError = str_replace(["\r", "\n"], ' ', substr($error ?? '', 0, 500));
$safeUserId = str_replace(["\r", "\n"], ' ', substr($userId ?? '', 0, 50));
$safeUserType = str_replace(["\r", "\n"], ' ', substr($userType ?? '', 0, 50));
$safeDevice = str_replace(["\r", "\n"], ' ', substr($device ?? '', 0, 200));
$safeDetails = str_replace(["\r", "\n"], ' ', substr($details ?? '', 0, 1000));
$logMsg = "[$safeUserType ID: $safeUserId] Error: $safeError | Where: $safeDevice | Details: $safeDetails";
appLog($logMsg, "APP_ERROR");
// جملة SQL لإدخال البيانات، مع إضافة الحقل الجديد