SaiyamTuteja / Faculty_Evaluation_System

MIT License
30 stars 48 forks

Issue #30 #33 Solved #35

Closed anushkasaxena07 closed 4 months ago

anushkasaxena07 commented 4 months ago

PR Description

The issue with the existing code is that it directly inserts user input into SQL queries, making it vulnerable to SQL injection attacks. To address this, the code needs to be refactored to use prepared statements with parameter binding. Prepared statements separate SQL logic from data, preventing malicious SQL code injection.

Solution:

Here's how to solve the issue:

  1. save_progress() function:

    • Refactor the code to use a prepared statement with parameter binding.
    • Bind parameters to the statement to ensure safe execution.
    • Execute the statement.
  2. delete_progress() function:

    • Refactor to use a prepared statement with parameter binding.
    • Bind the id parameter to the statement.
    • Execute the statement.
  3. save_restriction() function:

    • Loop through the $rid array to handle multiple rows.
    • Use prepared statements with parameter binding for both INSERT and UPDATE operations.
    • Execute the statements within the loop.
  4. save_evaluation() function:

    • Use a prepared statement with parameter binding to insert data into evaluation_list.
    • Loop through $qid to handle multiple question evaluations.
    • Use prepared statements with parameter binding to insert data into evaluation_answers.
    • Execute the statements within the loop.
  5. get_class() function:

    • Refactor to use a prepared statement with parameter binding.
    • Bind parameters for $fid and academic_id.
    • Execute the statement and fetch results.
  6. get_report() function:

    • Refactor to use a prepared statement with parameter binding.
    • Bind parameters for academic_id, faculty_id, subject_id, and class_id.
    • Execute the statement to get evaluation answers.
    • Use a prepared statement to get the total answered rows.
    • Calculate percentages and return the JSON-encoded data.

Implementing these changes ensures that user input is properly sanitized and the application is protected from SQL injection attacks. Prepared statements with parameter binding handle user data safely, preventing malicious SQL injection attempts.

Related Issues: Avoiding SQL injections using prepared statements of MySQLi #30
Closes https://github.com/SaiyamTuteja/Faculty_Evaluation_System/issues/30

Issue #30

Issue #33

PR Description

  1. I modified the PHP script to include a condition for handling POST requests sent by the form.
  2. Upon receiving the form data, I perform checks to ensure the email doesn't already exist for another user using a SELECT query.
  3. If the email does exist, I echo 2 to indicate this condition.
  4. If the update is successful, I echo 1.
  5. If there's an error during the update process, I echo 0. This implementation ensures that the backend properly handles the scenario where the username already exists when updating user details.

Checklist

[x] I have gone through the contributing guide
[x] I have updated my branch and synced it with project main branch before making this PR
[x] Is this a bug fix/enhancement/documentation changes
[x] Part of GSSOC
[x] Tested for any breaking changes
[x] Other relevant checks completed

Undertaking

I declare that:

The content I am submitting is original and has not been plagiarized. No portion of the work has been copied from any other source without proper attribution. The work has been checked for plagiarism, and I assure its authenticity. I understand that any violation of this undertaking may have legal consequences that I will bear and could result in the withdrawal of any recognition associated with the work.

[x] I Agree
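The refactor steps listed in the PR description (prepared statement, bind_param, execute, loop for multi-row functions, get_result for reads) and the email-uniqueness check from the second description, as one added PHP/MySQLi example. This is not code from the PR or from the Faculty_Evaluation_System repository: `$conn` is assumed to be an open mysqli connection, and the table and column names (`progress`, `restriction_list`, `class_list`, `faculty_class`, `users`) are assumptions chosen to match the functions the description names.

```php
<?php
// Added example, not the project's code. $conn is assumed to be an open
// mysqli connection; table/column names are assumptions. Throw on SQL
// errors instead of silently returning false (default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// BEFORE: input is spliced into the query text. An id of "1 OR 1=1"
// turns this into "DELETE ... WHERE id = 1 OR 1=1" and empties the table.
function delete_progress_unsafe(mysqli $conn, string $id): bool
{
    return (bool) $conn->query("DELETE FROM progress WHERE id = {$id}");
}

// AFTER: the statement text is fixed at prepare() time; the value travels
// separately as a bound parameter and can never alter the query structure.
function delete_progress(mysqli $conn, int $id): bool
{
    $stmt = $conn->prepare("DELETE FROM progress WHERE id = ?");
    $stmt->bind_param("i", $id);   // "i" = integer, "s" = string
    $stmt->execute();
    return $stmt->affected_rows > 0;
}

// save_restriction(): prepare INSERT and UPDATE once, execute inside the
// loop over $rid. bind_param binds by reference, so re-assigning the local
// variables each iteration is all the loop needs.
function save_restriction(mysqli $conn, array $rids, int $faculty_id, array $texts): int
{
    $insert = $conn->prepare(
        "INSERT INTO restriction_list (faculty_id, restriction) VALUES (?, ?)");
    $update = $conn->prepare(
        "UPDATE restriction_list SET restriction = ? WHERE id = ? AND faculty_id = ?");
    $rows = 0;
    foreach ($rids as $i => $rid) {
        $rid  = (int) $rid;
        $text = (string) ($texts[$i] ?? '');
        if ($rid === 0) {                       // no id yet: new row
            $insert->bind_param("is", $faculty_id, $text);
            $insert->execute();
        } else {                                // existing row: update it
            $update->bind_param("sii", $text, $rid, $faculty_id);
            $update->execute();
        }
        $rows++;
    }
    return $rows;
}

// get_class(): bound $fid and academic_id, rows read via get_result().
function get_class(mysqli $conn, int $fid, int $academic_id): array
{
    $stmt = $conn->prepare(
        "SELECT c.id, c.class
           FROM class_list c
           INNER JOIN faculty_class fc ON fc.class_id = c.id
          WHERE fc.faculty_id = ? AND fc.academic_id = ?");
    $stmt->bind_param("ii", $fid, $academic_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Email check from the second description: 2 = email belongs to another
// user, 1 = update succeeded, 0 = update failed.
function update_user(mysqli $conn, int $id, string $name, string $email): int
{
    $check = $conn->prepare("SELECT id FROM users WHERE email = ? AND id <> ?");
    $check->bind_param("si", $email, $id);
    $check->execute();
    if ($check->get_result()->num_rows > 0) {
        return 2;
    }
    $upd = $conn->prepare("UPDATE users SET name = ?, email = ? WHERE id = ?");
    $upd->bind_param("ssi", $name, $email, $id);
    try {
        $upd->execute();
        return 1;
    } catch (mysqli_sql_exception $e) {
        return 0;
    }
}
```

Two caveats worth keeping in mind while doing the refactor: `get_result()` needs the mysqlnd driver (otherwise use `bind_result()` and `fetch()`), and placeholders can only stand in for values. A column name, table name or `ORDER BY` direction taken from the request still has to be checked against a fixed allowlist before it is spliced into the query text, because `?` cannot bind an identifier.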

aswinikalyan30 commented 4 months ago

Needs more work - Please let me know if you have any trouble setting it up on your local and we can chat over discord

anushkasaxena07 commented 4 months ago

@aswinikalyan30 sorry for my negligence, please have a look now. Is it fine?

aswinikalyan30 commented 4 months ago

Hey @anushkasaxena07 - any progress?

anushkasaxena07 commented 4 months ago

Still working on it

aswinikalyan30 commented 4 months ago

Hey @anushkasaxena07, this has been open for too long; if you're not able to solve it, I will assign it to someone else.

aswinikalyan30 commented 4 months ago

Closing this PR as no working changes have been made for more than 2 weeks and it is blocking contributions from others.