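/**
 * HTML-escape a value and then hand the result to DataBase::_secure().
 *
 * The htmlspecialchars() flags are spelled out instead of relying on the
 * defaults: before PHP 8.1 the default was ENT_COMPAT, which leaves single
 * quotes unescaped, and without ENT_SUBSTITUTE an invalid UTF-8 sequence makes
 * the call return an empty string rather than a substituted one. Pinning
 * ENT_QUOTES | ENT_SUBSTITUTE and the charset gives the same output on every
 * supported PHP version.
 *
 * @param string $var Raw, untrusted value.
 * @return mixed Whatever DataBase::_secure() returns for the escaped value.
 */
private static function allSecure($var)
{
    $escaped = htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return DataBase::_secure($escaped);
}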
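<?php

require 'framework/inc.php';

// The search term must be a plain string: a request such as `?request[]=x`
// makes PHP deliver an array, and the concatenation below would then search
// for the literal text "Array" (with an "Array to string conversion" warning)
// instead of rejecting the request.
if (!isset($_GET['request']) || !is_string($_GET['request'])) {
    die('<h3>Bad request</h3>');
}
$req = $_GET['request'];

// NOTE(review): LIKE metacharacters (% and _) inside $req are not escaped, and
// an empty $req matches every row, so the response can be the ID and fullname
// of every user. No access check is visible in this script; presumably
// framework/inc.php enforces one — confirm.
$ans = DataBase::query(
    'SELECT ID, fullname FROM users WHERE fullname LIKE ' . DataBase::_secure('%' . $req . '%')
);

// Collect every matching row as returned by the database layer.
$f = array();
while ($data = $ans->fetch()) {
    $f[] = $data;
}

die(json_encode($f));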
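<?php

chdir(__DIR__);
require_once 'config.php';
require_once 'session.php';
require_once 'API.php';
require_once 'database.php';

if (count($_POST) > 10) {
    die($shark['msg']['too-large-request']);
}

// Escape every POST value in place before any of it is used.
// NOTE(review): DataBase::_secure() receives whatever PHP parsed, which may be
// an array for `field[]=...` style input; its behaviour on non-strings is not
// visible here — confirm against database.php.
foreach ($_POST as $k => $v) {
    $_POST[$k] = DataBase::_secure($v);
}

// Read the single field this script needs directly rather than via
// extract($_POST): extract() let any POST field name overwrite a local
// variable — including $shark and $db loaded by the requires above — and $key
// was the only extracted variable ever used.
if (!isset($_POST['key'])) {
    die($shark['msg']['bad-request']);
}
$key = $_POST['key'];
if (!is_string($key)) {
    die($shark['msg']['bad-request']);
}

// NOTE(review): the escaped $key is wrapped in literal double quotes here,
// whereas elsewhere in this codebase the output of DataBase::_secure() is
// concatenated bare (e.g. `LIKE ' . DataBase::_secure(...)`). Only one of the
// two usages can be right, depending on whether _secure() already returns a
// quoted literal — confirm against database.php.
if (!$db->query('SELECT * FROM API where API_key = "' . $key . '"')->fetch()) {
    die($shark['msg']['bad-API-key']);
}

die(API::_request($_POST));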
if ($mail['sender'] == User::getID()) { $r = DataBase::update('messages', array('sender_dir' => $_GET['dir']), array('ID' => $_GET['ID'], 'sender' => User::getID()))->fetch(); } else { if ($mail['recipient'] == User::getID()) { $r = DataBase::update('messages', array('recipient_dir' => $_GET['dir']), array('ID' => $_GET['ID'], 'recipient' => User::getID()))->fetch(); } else { die('<h3>Mail not found</h3>'); } } } else { die('<h3>That\'s not your mail !</h3>'); } die('true'); break; case 'unread': $unread = DataBase::query('SELECT COUNT(*) FROM messages WHERE opened = 0 AND recipient_dir = ' . DataBase::_secure($_GET['folder']) . ' AND recipient = ' . User::getID())->fetch()[0]; if (strval($unread)) { die($unread); } else { die; } break; case 'send': // check message HTML does not comport malicious tags // for example with HTMLPurify PHP library $recipient = DataBase::get('users', array('ID'), array('fullname' => $_POST['recipient'])); if (!count($recipient) || $recipient === false) { die('false'); } if (DataBase::insert('messages', array('sender' => User::getID(), 'recipient' => $recipient[0]['ID'], 'subject' => htmlspecialchars($_POST['subject']), 'content' => $_POST['content'], 'sent' => array('NOW()'), 'opened' => 0, 'answerTo' => 0, 'sender_dir' => 'sent', 'recipient_dir' => 'inbox'))) { if (DataBase::insert('messages', array('sender' => User::getID(), 'recipient' => $recipient[0]['ID'], 'subject' => htmlspecialchars($_POST['subject']), 'content' => $_POST['content'], 'sent' => array('NOW()'), 'opened' => 0, 'answerTo' => 0, 'sender_dir' => 'sent', 'recipient_dir' => 'sent'))) {