fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

Hamza-Ayed
2026-06-17 06:22:41 +03:00
parent 4a9e6b22c5
commit d6f29802e0
9 changed files with 67 additions and 33 deletions


@@ -17,7 +17,12 @@ function generateUniqueCode($con) {
}
}
$driverId = filterRequest("driverId");
// Force driverId from JWT — only drivers can manage invitations
if ($role !== 'driver') {
jsonError("Only drivers can create invitations");
exit;
}
$driverId = $user_id;
$inviterDriverPhone = filterRequest("inviterDriverPhone");
// 🔐 تشفير رقم الهاتف
@@ -52,7 +57,8 @@ if ($checkStmt->rowCount() > 0) {
"expirationTime" => $expirationTime
]);
} catch (PDOException $e) {
jsonError("Database error: " . $e->getMessage());
error_log("[invitor/add] DB Error: " . $e->getMessage());
jsonError("Database error occurred");
}
}
@@ -83,7 +89,8 @@ if ($checkStmt->rowCount() > 0) {
jsonError("Failed to save invite data");
}
} catch (PDOException $e) {
jsonError("Database error: " . $e->getMessage());
error_log("[invitor/add] DB Error: " . $e->getMessage());
jsonError("Database error occurred");
}
}
?>
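Review bot: `$inviterDriverPhone = filterRequest("inviterDriverPhone");` in the first hunk still takes the inviter's phone number from the request, so after `$driverId = $user_id;` an invitation can pair the authenticated driver's id with a phone number that is not theirs. If the rest of the script (outside the visible hunks) stores or matches on that value, it should be read from the driver record for `$user_id`, or the request rejected when the two do not match. Separately, the role check calls `exit;` after `jsonError(...)` while the two rewritten catch blocks do not; if `jsonError()` does not terminate the script, add `exit;` after `jsonError("Database error occurred");` in both so nothing runs after a database failure. `$role` and `$user_id` are defined outside these hunks, so confirm they are populated only from the verified token and never from request parameters.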