From bd9aec48d7333b3cc7eabbb2dab5dd371649bb8b Mon Sep 17 00:00:00 2001
From: Christos Choutouridis
Date: Sun, 11 Jan 2026 16:48:48 +0200
Subject: [PATCH] Fix SQL injection in the rest of the passman
---
 passman-dev/php/passman/dashboard.php | 58 ++++++++++++++++++++++-----
 passman-dev/php/passman/notes.php | 23 ++++++++---
 passman-dev/php/passman/register.php | 16 ++++++--
 3 files changed, 76 insertions(+), 21 deletions(-)
diff --git a/passman-dev/php/passman/dashboard.php b/passman-dev/php/passman/dashboard.php
index f2c2bd9..dcc8401 100644
--- a/passman-dev/php/passman/dashboard.php
+++ b/passman-dev/php/passman/dashboard.php
@@ -26,12 +26,23 @@ if(isset($_POST['new_website'], $_POST['new_username'], $_POST['new_password'])
 $new_username = trim($_POST["new_username"]);
 $new_password = trim($_POST["new_password"]);
- // Insert new web site
$sql_query = "INSERT INTO websites (login_user_id,web_url,web_username,web_password) VALUES " .
- "((SELECT id FROM login_users WHERE username='{$username}'),'{$new_website}','{$new_username}','{$new_password}');";
+ // Insert new web site using a prepared statement to prevent SQL injection.
+ $sql_query = "INSERT INTO websites (login_user_id, web_url, web_username, web_password) VALUES " .
+ "((SELECT id FROM login_users WHERE username = ?), ?, ?, ?)";
+
+ $stmt = $conn->prepare($sql_query);
+ if ($stmt === false) {
+ $conn->close();
+ die("Prepare failed.");
+ }
+
+ $stmt->bind_param("ssss", $username, $new_website, $new_username, $new_password);
 //echo $sql_query;
- $result = $conn->query($sql_query);
- $conn -> close();
+
+ $result = $stmt->execute();
+ $stmt->close();
+ $conn->close();
+
 // After processing, redirect to the same page to clear the form
 unset($_POST['new_website']);
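Review bot: The value of `$stmt->execute()` on the new INSERT is stored in `$result` and never examined before the connection is closed and the block falls through to the redirect, so a failed insert (the `login_users` subquery yielding no row, a constraint violation) is treated as success unless the connection setup, which is not in this hunk, enables exception reporting with `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)`. Mirror the prepare check: `if (!$stmt->execute()) { $stmt->close(); $conn->close(); die("Execute failed."); }`. The same unchecked `execute()` appears in the DELETE hunk below, in the SELECT hunk (where `$stmt->execute();` is not even assigned) and in the notes.php hunk. The enclosing `if(isset($_POST['new_website'], ...))` block begins before this hunk and its redirect/exit lies after it.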
@@ -45,11 +56,25 @@ if(isset($_POST['new_website'], $_POST['new_username'], $_POST['new_password'])
 if(isset($_POST['delete_website']) && trim($_POST["websiteid"] != '')) {
 $webid = trim($_POST["websiteid"]);
+ // Cast to int to avoid unexpected input and use a prepared statement to prevent SQL injection.
+ $webid = (int)trim($_POST["websiteid"]);
+
 // Delete selected web site
- $sql_query = "DELETE FROM websites WHERE webid='{$webid}';";
+ $sql_query = "DELETE FROM websites WHERE webid = ?";
+
+ $stmt = $conn->prepare($sql_query);
+ if ($stmt === false) {
+ $conn->close();
+ die("Prepare failed.");
+ }
+
+ $stmt->bind_param("i", $webid);
 //echo $sql_query;
- $result = $conn->query($sql_query);
- $conn -> close();
+
+ $result = $stmt->execute();
+ $stmt->close();
+ $conn->close();
+
 // After processing, redirect to the same page to clear the form
 unset($_POST['websiteid']);
@@ -57,10 +82,21 @@ if(isset($_POST['delete_website']) && trim($_POST["websiteid"] != '')) {
 exit();
 }
-// Display list of user's web sites
-$sql_query = "SELECT * FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username='{$username}';";
+// Display list of user's web sites using a prepared statement to prevent SQL injection.
+$sql_query = "SELECT * FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username = ?";
 //echo $sql_query;
+
+$stmt = $conn->prepare($sql_query);
+if ($stmt === false) {
+ $conn->close();
+ die("Prepare failed.");
+}
+
+$stmt->bind_param("s", $username);
+$stmt->execute();
+$result = $stmt->get_result();
+$stmt->close();
+
 //echo htmlspecialchars($username);
 echo "
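Review bot: The parameterised DELETE still selects the row by `webid` alone, so any authenticated user who posts another user's id removes that user's entry; the INSERT hunk above scopes rows to `$username` through a subquery and the DELETE should do the same: `$sql_query = "DELETE FROM websites WHERE webid = ? AND login_user_id = (SELECT id FROM login_users WHERE username = ?)";` with `$stmt->bind_param("is", $webid, $username);`. The context line `$webid = trim($_POST["websiteid"]);` is now dead, since the added `(int)` cast re-reads `$_POST` and overwrites it, so drop the first assignment. In the pre-existing condition `trim($_POST["websiteid"] != '')` the comparison binds before `trim`, so a boolean is trimmed rather than the posted value; the intent is presumably `trim($_POST["websiteid"]) != ''`. The block's closing `exit(); }` falls in the next hunk.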

Entries of " . $username . "

";
diff --git a/passman-dev/php/passman/notes.php b/passman-dev/php/passman/notes.php
index 4b3131c..2cadfba 100644
--- a/passman-dev/php/passman/notes.php
+++ b/passman-dev/php/passman/notes.php
@@ -50,13 +50,24 @@ if(isset($_POST['new_note']) && trim($_POST['new_note']) !='') {
 //$sql_query = "INSERT INTO notes (login_user_id,note) VALUES " .
 // "((SELECT id FROM login_users WHERE username='{$username}'),('{$new_note}'));";
- $sql_query = "INSERT INTO notes (login_user_id, note) ".
- "VALUES ((SELECT id FROM login_users WHERE username='{$username}'), '{$new_note}')";
+ // Insert new note using a prepared statement to prevent SQL injection.
+ $sql_query = "INSERT INTO notes (login_user_id, note) ".
+ "VALUES ((SELECT id FROM login_users WHERE username = ?), ?)";
+
+ $stmt = $conn->prepare($sql_query);
+ if ($stmt === false) {
+ // Fail closed (do not leak DB details).
+ $conn->close();
+ die("Prepare failed.");
+ }
+
+ $stmt->bind_param("ss", $username, $new_note);
+ //echo $sql_query;
+
+ $result = $stmt->execute();
+ $stmt->close();
+ $conn->close();
- //echo $sql_query;
-
- $result = $conn->query($sql_query);
- $conn -> close();
 // After processing, redirect to the same page to clear the form
 unset($_POST['new_note']);
diff --git a/passman-dev/php/passman/register.php b/passman-dev/php/passman/register.php
index 1759a08..1c3516f 100644
--- a/passman-dev/php/passman/register.php
+++ b/passman-dev/php/passman/register.php
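Review bot: `SELECT *` over the `websites` INNER JOIN `login_users` copies every `login_users` column — including `password`, which register.php writes to that table — into `$result` for a page that only lists the user's websites; restrict the projection to the table actually rendered, e.g. `SELECT websites.* FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username = ?`. Separately, the retained context line `echo "... Entries of " . $username . ..."` prints `$username` into the page unescaped while the `htmlspecialchars` call just above it stays commented out; use `htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in the concatenation. The markup inside that echo is not visible in this rendering of the hunk.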
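Review bot: The context lines `//$sql_query = "INSERT INTO notes (login_user_id,note) VALUES " .` and `// "((SELECT id FROM login_users WHERE username='{$username}'),('{$new_note}'));";` keep the old string-interpolated query as commented-out code, and the added `//echo $sql_query;` keeps a debug echo of the statement; now that the live query is parameterised these are dead text that preserves the very pattern this commit removes, so delete them rather than carry them forward. The unchecked `$stmt->execute()` here is the same issue raised on the dashboard.php INSERT hunk. The enclosing `if(isset($_POST['new_note']) ...)` block begins before this hunk and ends after it.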
@@ -29,11 +29,19 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") {
 //}
 require_once __DIR__ . "/config.php";
- // Insert a new user
- $sql_query = "INSERT INTO login_users (username,password) VALUES ('{$new_username}','{$new_password}');";
- //echo $sql_query;
+ // Insert a new user using a prepared statement to prevent SQL injection.
+ $sql_query = "INSERT INTO login_users (username, password) VALUES (?, ?)";
+
+ $stmt = $conn->prepare($sql_query);
+ if ($stmt === false) {
+ $login_message = "Database error (prepare failed).";
+ $result = false;
+ } else {
+ $stmt->bind_param("ss", $new_username, $new_password);
+ $result = $stmt->execute();
+ $stmt->close();
+ }
- $result = $conn->query($sql_query);
 unset($_POST['new_username']);
 unset($_POST['new_password']);
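Review bot: `$result = $stmt->execute();` in the `else` branch can be false (a duplicate username, for instance) but, unlike the prepare-failure branch just above, that path sets no `$login_message`; unless the code after the hunk derives a message from `$result === false`, add `if (!$result) { $login_message = "Database error (insert failed)."; }` after the `execute()` call. If `$new_password` still holds the submitted value when it reaches `bind_param` (its derivation lies above line 29 and is not visible here), the row stores the plaintext credential; bind `password_hash($new_password, PASSWORD_DEFAULT)` instead and check logins with `password_verify`. The `if ($_SERVER["REQUEST_METHOD"] === "POST")` block opens before this hunk and closes after it.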