a8748cf4c9
M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete M-03: MD5 tracking token - replaced md5() with hash_hmac sha256 M-04: Webhook SMS - absolute log path instead of relative M-05: Weak 3-digit OTP - already noted as requirement (Fix #5) M-06: Redis without auth - added password + prefix to cancel_ride_by_driver M-07: SSRF bypass - str_ends_with -> strict equality in allowlist
61 lines
2.3 KiB
PHP
61 lines
2.3 KiB
PHP
<?php
|
|
require_once __DIR__ . '/../../connect.php';
|
|
|
|
// التحقق من أن المستخدم يملك هذا المعرف
|
|
if ($role !== 'admin' && $role !== 'super_admin' && (string)$user_id !== (string)$driverID) {
|
|
jsonError("Unauthorized: You can only add cars to your own account");
|
|
exit;
|
|
}
|
|
|
|
// استقبال القيم
|
|
$driverID = filterRequest("driverID");
|
|
$vin = $encryptionHelper->encryptData(filterRequest("vin"));
|
|
$car_plate = $encryptionHelper->encryptData(filterRequest("car_plate"));
|
|
$make = filterRequest("make");
|
|
$model = filterRequest("model");
|
|
$year = filterRequest("year");
|
|
$expiration_date = filterRequest("expiration_date");
|
|
$color = filterRequest("color");
|
|
$owner = $encryptionHelper->encryptData(filterRequest("owner"));
|
|
$color_hex = filterRequest("color_hex");
|
|
$address = $encryptionHelper->encryptData(filterRequest("address"));
|
|
$displacement = filterRequest("displacement");
|
|
$fuel = filterRequest("fuel");
|
|
$registration_date = filterRequest("registration_date");
|
|
|
|
// SQL statement
|
|
$sql = "INSERT INTO `captains_car` (
|
|
`driverID`, `vin`, `car_plate`, `make`, `model`, `year`, `expiration_date`,
|
|
`color`, `owner`, `color_hex`, `address`, `displacement`, `fuel`, `registration_date`
|
|
) VALUES (
|
|
:driverID, :vin, :car_plate, :make, :model, :year, :expiration_date,
|
|
:color, :owner, :color_hex, :address, :displacement, :fuel, :registration_date
|
|
)";
|
|
|
|
$stmt = $con->prepare($sql);
|
|
|
|
// Bind parameters
|
|
$stmt->bindParam(':driverID', $driverID);
|
|
$stmt->bindParam(':vin', $vin);
|
|
$stmt->bindParam(':car_plate', $car_plate);
|
|
$stmt->bindParam(':make', $make);
|
|
$stmt->bindParam(':model', $model);
|
|
$stmt->bindParam(':year', $year, PDO::PARAM_INT);
|
|
$stmt->bindParam(':expiration_date', $expiration_date);
|
|
$stmt->bindParam(':color', $color);
|
|
$stmt->bindParam(':owner', $owner);
|
|
$stmt->bindParam(':color_hex', $color_hex);
|
|
$stmt->bindParam(':address', $address);
|
|
$stmt->bindParam(':displacement', $displacement);
|
|
$stmt->bindParam(':fuel', $fuel);
|
|
$stmt->bindParam(':registration_date', $registration_date);
|
|
|
|
$stmt->execute();
|
|
$insertedId = $con->lastInsertId();
|
|
|
|
if ($stmt->rowCount() > 0) {
|
|
jsonSuccess(["id" => $insertedId]);
|
|
} else {
|
|
jsonError("Failed to save car registration information");
|
|
}
|
|
?>
|