ronknight / InventorySystem

🖥️Create an open-source Inventory Management System using CodeIgniter web framework, Php and MySQL. Original source code from an Online Inventory Management Software found on https://codersfolder.com/2018/02/stock-management-system-v2-codeigniter/.
MIT License
341 stars 143 forks

Possible XSS vulnerabilities #23

Open enferas opened 1 year ago

enferas commented 1 year ago

Hello,

I would like to report possible XSS vulnerabilities.

For example,

In file InventorySystem-master\application\controllers\Stores.php, in the update function:

$data = array(
    'name' => $this->input->post('edit_store_name'),
    'active' => $this->input->post('edit_active'),  
);

$update = $this->model_stores->update($data, $id);

In file InventorySystem-master\application\models\Model_stores.php

public function update($data, $id){
  if($data && $id) {
      $this->db->where('id', $id);
      $update = $this->db->update('stores', $data);
      return ($update == true) ? true : false;
  }
}

Then in file InventorySystem-master\application\controllers\Stores.php:

public function fetchStoresDataById($id) {
  if($id) {
      $data = $this->model_stores->getStoresData($id);
      echo json_encode($data);
  }
}

In file InventorySystem-master\application\models\Model_stores.php

public function getStoresData($id = null){
  if($id) {
      $sql = "SELECT * FROM `stores` where id = ?";
      $query = $this->db->query($sql, array($id));
      return $query->row_array();
  }

  $sql = "SELECT * FROM `stores`";
  $query = $this->db->query($sql);
  return $query->result_array();
}
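The flow quoted above takes a user-supplied store name, stores it unescaped, and later returns it to the browser through a bare `json_encode()`; whether that becomes XSS depends on the sink that renders the JSON. The following is an added example, not code from ronknight/InventorySystem or from the issue report. It is plain PHP with no CodeIgniter dependency, and the sample row, the function names and the 100-character limit are assumptions made for illustration; it shows the raw pattern beside a hardened JSON encoding, an HTML-context escape (what CodeIgniter's `html_escape()` wraps), and an input-side check for the `update` handler.

```php
<?php
// Added example, not part of ronknight/InventorySystem or of the issue above.
// Plain PHP, runnable from the CLI: php example.php
declare(strict_types=1);

// Constructed sample row: a store name that carries markup, as could be
// submitted through the edit_store_name field.
const SAMPLE_STORE = ['id' => 7, 'name' => '<script>alert(1)</script>', 'active' => 1];

// The pattern in fetchStoresDataById(): a bare json_encode(). The JSON is
// well-formed, but "<" and ">" pass through untouched, so a client that
// inserts data.name with innerHTML / jQuery .html() executes the markup.
function encode_raw(array $row): string
{
    return json_encode($row, JSON_THROW_ON_ERROR);
}

// Hardened JSON: the JSON_HEX_* flags turn <, >, &, ', " into \uXXXX escapes.
// The response is then safe to embed in a <script> block or an attribute, and
// JSON.parse on the client still yields the original characters, so no data is
// lost. (Spaces, "=" and "/" are not touched; only the five HTML-significant
// characters are rewritten.)
function encode_safe(array $row): string
{
    return json_encode(
        $row,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// HTML context: escape at the point of rendering, not at storage time.
// This is the call CodeIgniter's html_escape() helper makes internally.
function render_name_html(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Input-side check for the update handler. A store name is free text, so the
// check does not strip "<" (that would corrupt legitimate names and is not a
// substitute for output encoding); it bounds the length and rejects control
// characters. The 100-character limit is an assumed value.
function validate_store_name(string $name): bool
{
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 100
        && preg_match('/[\x00-\x1F\x7F]/', $name) !== 1;
}

echo "raw JSON     : ", encode_raw(SAMPLE_STORE), PHP_EOL;
echo "hardened JSON: ", encode_safe(SAMPLE_STORE), PHP_EOL;
echo "HTML cell    : ", render_name_html(SAMPLE_STORE['name']), PHP_EOL;
echo "name valid?  : ", var_export(validate_store_name(SAMPLE_STORE['name']), true), PHP_EOL;
echo "CR in name?  : ", var_export(validate_store_name("Main\r\nStore"), true), PHP_EOL;
```

Two points for whoever picks this up as a pull request. First, the fix belongs at the output sinks (the JSON response and whatever view or JavaScript renders the name), not in `Model_stores::update()`; escaping on the way into the database breaks search and double-encodes on the way out. Second, `fetchStoresDataById()` should also send `Content-Type: application/json` (CodeIgniter's `$this->output->set_content_type('application/json')`), so the browser never interprets the response body as HTML, and the client-side code that consumes it should assign the name with `textContent` / jQuery `.text()` or `.val()` rather than `innerHTML` / `.html()`.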
ronknight commented 1 year ago

Please resolve the issue and make a pull request, I'll merge it in. Thank you.