Commit a392c648 authored by Sibidharan's avatar Sibidharan :speech_balloon:

Fixed Insecure Object Accesses

parent 1491d459
......@@ -37,15 +37,15 @@ class Folder extends Share{
}
}
public function createNew($name='New Folder'){
if(isset($_SESSION['username']) and strlen($name) <= 45){
public function createNew($name='Default Folder'){
if(isset($_SESSION['username']) and strlen($name) >= 5 and strlen($name) <=45){
$query = "INSERT INTO `apis`.`folders` (`name`, `owner`) VALUES ('$name', '$_SESSION[username]');";
if(mysqli_query($this->db, $query)){
$this->id = mysqli_insert_id($this->db);
return $this->id;
}
} else {
throw new Exception("Cannot create note");
throw new Exception("Cannot create default folderse");
}
}
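Review bot: The new createNew body still builds the INSERT by interpolating `$name` and `$_SESSION['username']` straight into the SQL string, so the added length bounds do not stop a crafted folder name from changing the statement; the same pattern remains in the Folder SELECT (`WHERE id=$this->id`) in the next hunk and in the Notes INSERT later in this commit. Use a prepared statement with bound parameters, as below. Separately, when mysqli_query fails the method falls off the end of the if and returns null instead of raising, while the else branch throws, and the new message `"Cannot create default folderse"` has a typo — `"Cannot create default folder"`.
```php
public function createNew($name='Default Folder'){
    if(isset($_SESSION['username']) and strlen($name) >= 5 and strlen($name) <=45){
        $stmt = mysqli_prepare($this->db, "INSERT INTO `apis`.`folders` (`name`, `owner`) VALUES (?, ?)");
        if($stmt === false){
            throw new Exception("Cannot create default folder");
        }
        mysqli_stmt_bind_param($stmt, 'ss', $name, $_SESSION['username']);
        if(mysqli_stmt_execute($stmt)){
            $this->id = mysqli_stmt_insert_id($stmt);
            return $this->id;
        }
        throw new Exception("Cannot create default folder");
    } else {
        // … unchanged: validation-failure exception …
    }
}
```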
......@@ -53,8 +53,11 @@ class Folder extends Share{
if($this->id != null){
$query = "SELECT * FROM folders WHERE id=$this->id";
$result = mysqli_query($this->db, $query);
if($result){
if($result && mysqli_num_rows($result) == 1){
$this->data = mysqli_fetch_assoc($result);
if($this->getOwner() != $_SESSION['username']){
throw new Exception("Unauthorized");
}
$this->id = $this->data['id'];
} else {
throw new Exception("Not found");
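Review bot: The added owner check `if($this->getOwner() != $_SESSION['username'])` runs after `$this->data` has already been filled from the fetched row, so when it throws the object is left holding another user's record; either clear it before throwing (`$this->data = null; throw new Exception("Unauthorized");`) or restrict the query itself (`WHERE id=? AND owner=?` with bound parameters) so a non-owned row is never loaded in the first place. The comparison also uses loose `!=` and reads `$_SESSION['username']` without an isset guard, so an unauthenticated caller gets a comparison against null rather than an explicit check; `!==` behind an `isset($_SESSION['username'])` test is clearer. The enclosing method starts before this hunk.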
......
......@@ -133,21 +133,25 @@ class Notes extends Share{
throw new Exception("Note not loaded");
}
} else {
throw new Exception("Unauthorized ".$this->getOwner());
throw new Exception("Unauthorized ");
}
}
public function createNew($title, $body, $folder){
new Folder($folder);
if(isset($_SESSION['username']) and strlen($title) <= 45){
$query = "INSERT INTO `apis`.`notes` (`title`, `body`, `owner`, `folder_id`) VALUES ('$title', '$body', '$_SESSION[username]', '$folder');";
if(mysqli_query($this->db, $query)){
$this->id = mysqli_insert_id($this->db);
$this->refresh();
return $this->id;
$f = new Folder($folder);
if($f->getOwner() == $_SESSION['username']){
if(isset($_SESSION['username']) and strlen($title) <= 45){
$query = "INSERT INTO `apis`.`notes` (`title`, `body`, `owner`, `folder_id`) VALUES ('$title', '$body', '$_SESSION[username]', '$folder');";
if(mysqli_query($this->db, $query)){
$this->id = mysqli_insert_id($this->db);
$this->refresh();
return $this->id;
}
} else {
throw new Exception("Cannot create note");
}
} else {
throw new Exception("Cannot create note");
throw new Exception("Unauthorized");
}
}
}
\ No newline at end of file
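Review bot: In the rewritten Notes::createNew the owner check `if($f->getOwner() == $_SESSION['username'])` is evaluated before the `isset($_SESSION['username'])` guard on the following line, so an unauthenticated caller reads an undefined session key and compares the owner against null instead of reaching the intended check; move the isset test outermost and compare with `===`. The INSERT still interpolates `$title`, `$body` and `$folder` into the query and `$body` has no length bound at all, so the authorization fix does not close the injection path — a prepared statement with bound parameters is the fix, as noted on the Folder hunk. A failed mysqli_query also drops through and returns null silently while both sibling branches throw.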
......@@ -32,6 +32,8 @@ class Signup {
$this->id = mysqli_insert_id($this->db);
$this->sendVerificationMail();
$f = new Folder();
session_start();
$_SESSION['username'] = $this->username;
$f->createNew('Default Folder');
}
}
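Review bot: The two added lines `session_start(); $_SESSION['username'] = $this->username;` establish an authenticated session for the new account as a side effect of creating its default folder, right after `sendVerificationMail()`, so the user is effectively logged in before the address is verified. If the session is only there so `Folder::createNew` can find an owner, pass the owner explicitly (an owner argument or setter on `$f`) and leave session establishment to the login path. If a session really is intended here, guard the call with `if(session_status() === PHP_SESSION_NONE) session_start();` and call `session_regenerate_id(true)` after setting the username, since an unconditional session_start() after an active session or sent headers emits a notice. The enclosing method starts before this hunk.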
......