From 97d93e0af20035121388b9a3549e2620143a8b67 Mon Sep 17 00:00:00 2001
From: NaysKutzu
Date: Wed, 22 Nov 2023 21:07:41 +0000
Subject: [PATCH] PUSH -> SQLI Protected the admin page for tickets

---
 view/admin/tickets/list.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/view/admin/tickets/list.php b/view/admin/tickets/list.php
index f6196d2..d776e4c 100644
--- a/view/admin/tickets/list.php
+++ b/view/admin/tickets/list.php
@@ -9,22 +9,25 @@
 die();
 }
-
 $ticketsPerPage = 20;
-$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int) $_GET['page'] : 1;
+$page = isset($_GET['page']) && is_numeric($_GET['page']) ? (int)$_GET['page'] : 1;
 $offset = ($page - 1) * $ticketsPerPage;
-$searchKeyword = isset($_GET['search']) ? $_GET['search'] : '';
+$searchKeyword = isset($_GET['search']) ? mysqli_real_escape_string($conn, $_GET['search']) : '';
 $searchCondition = '';
 if (!empty($searchKeyword)) {
- $searchCondition = " WHERE `subject` LIKE '%$searchKeyword%' OR `description` LIKE '%$searchKeyword%'";
+ $searchKeyword = '%' . $searchKeyword . '%';
+ $searchCondition = " WHERE `subject` LIKE '$searchKeyword' OR `description` LIKE '$searchKeyword'";
 }
+
 $tickets_query = "SELECT * FROM mythicaldash_tickets" . $searchCondition . " ORDER BY `id` LIMIT $offset, $ticketsPerPage";
 $result = $conn->query($tickets_query);
+
 $totalTicketsQuery = "SELECT COUNT(*) AS total_tickets FROM mythicaldash_tickets" . $searchCondition;
 $totalResult = $conn->query($totalTicketsQuery);
 $totalTickets = $totalResult->fetch_assoc()['total_tickets'];
 $totalPages = ceil($totalTickets / $ticketsPerPage);
+$displaySearchKeyword = str_replace("%", "", $searchKeyword);
 ?>
+ value="">
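Review bot: The new `$displaySearchKeyword = str_replace("%", "", $searchKeyword);` line derives the display value from the already-escaped `$searchKeyword`, so a search containing a quote or backslash is echoed back in its `mysqli_real_escape_string` form (e.g. `O\'Brien`), and it also drops any `%` the user actually typed; meanwhile `%` and `_` inside the keyword remain live LIKE wildcards, because that function escapes quoting characters, not pattern metacharacters. Keep the raw input for display and let the driver handle quoting by binding the pattern and the LIMIT values in a prepared statement, as sketched below; the count query should reuse the same condition and parameters without the LIMIT. The unchanged `$offset` line still accepts `page=0` or a negative page, which yields a negative `LIMIT` offset and a query error, so `$page = max(1, ...)` is worth adding at the same time. The `value=""` attribute on the last added line should render `$displaySearchKeyword` through `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; its PHP content is not visible in this extract, so I cannot confirm whether it already does.
```php
$page = max(1, isset($_GET['page']) && is_numeric($_GET['page']) ? (int)$_GET['page'] : 1);
$offset = ($page - 1) * $ticketsPerPage;
$rawSearch = isset($_GET['search']) ? (string) $_GET['search'] : '';
$searchCondition = '';
$params = [];
if ($rawSearch !== '') {
    // Escape LIKE metacharacters so a typed % or _ matches literally; the value is bound, never interpolated.
    $like = '%' . addcslashes($rawSearch, '%_\\') . '%';
    $searchCondition = " WHERE `subject` LIKE ? OR `description` LIKE ?";
    $params = [$like, $like];
}
$stmt = $conn->prepare("SELECT * FROM mythicaldash_tickets" . $searchCondition . " ORDER BY `id` LIMIT ?, ?");
$bind = [...$params, $offset, $ticketsPerPage];
$stmt->bind_param(str_repeat('s', count($params)) . 'ii', ...$bind);
$stmt->execute();
$result = $stmt->get_result(); // needs mysqlnd; otherwise use bind_result()
// … unchanged: COUNT(*) query, now prepared with the same $searchCondition and $params …
$displaySearchKeyword = $rawSearch;
```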