Fix #17: SQL injection + mass data exposure (backend)

- Fixed SQL injection in ride/license/get.php (interpolated variable → parameterized query) - Added admin role checks to all 3 mass data endpoints (driver tokens, passenger tokens, phones+tokens) - Added pagination (50/page) to all 4 mass data endpoints - Fixed LIMIT to use placeholders with type binding
2026-06-17 07:45:35 +03:00
parent f528e1d3c5
commit e51d266a0f
5 changed files with 80 additions and 15 deletions
--- a/backend/ride/license/get.php
+++ b/backend/ride/license/get.php
@@ -5,10 +5,10 @@ require_once __DIR__ . '/../../connect.php';
 // $promo_code = filterRequest("promo_code"); 
 $driverID = filterRequest("driverID");

-$sql = "SELECT * FROM `lisenceDetails`WHERE`driverID`='$driverID'";
+$sql = "SELECT * FROM `lisenceDetails` WHERE `driverID` = :driverID";

 $stmt = $con->prepare($sql);
-$stmt->execute();
+$stmt->execute([':driverID' => $driverID]);
 $result = $stmt->fetchAll(PDO::FETCH_ASSOC);

 if ($result) {