Commit 937288ae authored by AtjonTV

Merge branch 'merge' into 'stable'

* Spell fixes
* Removing "codes.php"
* Removing "oc-function.php.bk"

**THIS IS A SECURITY PATCH**
* SSR-2018-0000002
* SSR-2018-0000003
* SSR-2018-0000004
* SSR-2018-0000005
* SSR-2018-0000006

See merge request root/OpenCAD!5

(Fixes #1)
parents aca11a3e 7727c8d5
## v18.8.26 | 26.08.2018 | Bugfix
+ Adding "CHANGELOG.lbl" - A Line-By-Line changelog
~ Changing "actions/*" - Security Fix (SSR-2018-0000002 to SSR-2018-0000006)
~ Changing "README.md" - Fixing spell
- Deleting "codes.php" - This was deprecated since Codes v2 was created
- Deleting "oc-config.php.bk" - This was a useless copy of the testing config
# Changelog of ATVG-CAD
Read the [Line-by-Line Changelog](CHANGELOG.lbl)
----
## 18.8.x
##### 18.8.26
(26.08.2018)
[Based on OpenCAD 0.2.2.8/0.2.3]
* Security Patch: SSR-2018-0000002 to SSR-2018-0000006
* Fixing Display bug of Version
* Cleanup
##### 18.8.24
(24.08.2018)
[Based on OpenCAD 0.2.2.8/0.2.3]
* Upgrade to new base [07d3048f8](https://gitlab.atvg-studios.at/third-party/OpenCAD/commits/07d3048f81b1fc3f70a3807f6d5bea02cf3e3270)
##### 18.8.23
(23.08.2018)
[Based on OpenCAD 0.2.2.7/0.2.3]
* Upgrade to new base [7741460e3](https://gitlab.atvg-studios.at/third-party/OpenCAD/commits/7741460e3bafea862c7c64343e7c2642e2cf5784)
##### 18.8.22
(22.08.2018)
[Based on OpenCAD 0.2.2.7/0.2.3]
......
......@@ -23,7 +23,7 @@ The reason can be read [here](https://en.wikipedia.org/wiki/XAMPP#Usage):
>Officially, XAMPP's designers intended it for use only as a development tool, to allow website designers and programmers to test their work on their own computers without any access to the Internet. To make this as easy as possible, many important security features are disabled by default. XAMPP has the ability to serve web pages on the World Wide Web. A special tool is provided to
password-protect the most important parts of the package.
Instead of using XAMPP and brining high security risks into your system, we reccomend using LAMPP on Linux, WAMP on Windows, MAMP on macOS, BAMP on BSD or FAMP on FreeBSD as they were made for real world applications.
Instead of using XAMPP and bringing high security risks into your system, we reccomend using LAMPP on Linux, WAMP on Windows, MAMP on macOS, BAMP on BSD or FAMP on FreeBSD as they were made for real world applications.
### Deployment Notes
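Review bot: the replacement line fixes "brining" but leaves "reccomend" (should be "recommend") in place; since the line is being touched anyway, also "real world applications" reads better as "real-world applications".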
......@@ -55,4 +55,4 @@ This service does **NOT** contain a server, it just contains the proccess of ins
The main requiremet to request this service is to own a server that meets the [bove listed System Requirements](#installation-requirements).
We reccoment to look into the official [docs](https://guides.opencad.io/alldoc/installation-guides) for a installation guide. If it's not possible for you to follow this guid yourself, you contact us on our [Mattermost](https://mattermost.atvg-studios.at) to recive this installation service.
\ No newline at end of file
We reccoment to look into the official [docs](https://guides.opencad.io/alldoc/installation-guides) for a installation guide. If it's not possible for you to follow this guid yourself, you contact us on our [Mattermost](https://mattermost.atvg-studios.at) to recive this installation service.
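Review bot: this hunk only adds the missing trailing newline, so the typos on the line survive: "reccoment" → "recommend", "a installation" → "an installation", "guid" → "guide", "recive" → "receive", and "you contact us" → "you can contact us". The unchanged context line above also has "requiremet" → "requirement" and "bove" → "above".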
......@@ -182,7 +182,7 @@ function delete_user()
die('Could not connect: ' . mysql_error());
}
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
echo $uid;
$query = "DELETE FROM users WHERE id = ?";
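Review bot: `$uid` is a primary key that goes into the bound `DELETE FROM users WHERE id = ?` parameter, so `htmlspecialchars()` adds nothing against SQL injection here (the placeholder already covers that); it only protects the `echo $uid;` on the following line. Validating the value as an integer (`filter_var($_POST['uid'], FILTER_VALIDATE_INT)` and aborting on `false`) covers both the echo and the query without pushing HTML entities towards the database. Separately, the `die('Could not connect: ' . mysql_error())` uses the removed `mysql_*` extension while the connections elsewhere in this file are made with `mysqli_connect`; `mysqli_connect_error()` is the matching call.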
......@@ -315,9 +315,9 @@ function getDepartments()
function getRole()
{
$userID = !empty($_POST['userID']) ? $_POST['userID'] : '';
$userId = $_POST['userId'];
$userId = htmlspecialchars($_POST['userId']);
echo $_POST['userId'];
echo $userId;
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$site = BASE_URL;
if (!$link)
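Review bot: `$userID` (capital D) and `$userId` are two distinct variables; the first one is left over from before this change, is never escaped and is easy to confuse with the second. Drop `$userID`, or fold its empty-check into the escaped assignment, for example `$userId = htmlspecialchars($_POST['userId'] ?? '');` on PHP 7, so a missing parameter does not raise an undefined-index notice before the value is echoed.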
......@@ -389,7 +389,7 @@ function getUserGroupsApproved($uid)
function approveUser()
{
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
$site = BASE_URL;
/* If a user has been approved, the following needs to be done:
1. Insert user's groups from temp table to regular table
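Review bot: same remark as for `delete_user`: `$uid` is a database id, so an integer check is the right validation and HTML encoding is the wrong tool (an id that contained `<` or `&` is invalid and should be rejected, not escaped). The same applies to the `$uid`/`$userId` assignments in `rejectUser`, `suspendUser`, `reactivateUser` and `getUserDetails` below.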
......@@ -477,7 +477,7 @@ function rejectUser()
1. Delete user's group's from user_departments_temp table
2. Delete user's profile from users table
*/
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
/* Delete groups from temp table */
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -622,7 +622,7 @@ function getUsers()
echo '<input name="deleteUser" type="submit" class="btn btn-xs btn-link" onclick="deleteUser(' . $row[0] . ')" value="Delete" disabled />';
}
if ($row[4] == '2')
if ($row[5] == '2')
{
if ( ( MODERATOR_REACTIVATE_USER == true && $_SESSION['admin_privilege'] == 1 ) || ( $_SESSION['admin_privilege'] == 2 ) )
{
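Review bot: the `$row[4]` → `$row[5]` change is a column-index fix that has nothing to do with the escaping work in this patch and is not mentioned in the commit message; a one-line comment saying which column index 5 is would help reviewers, and selecting named columns and reading `$row['...']` would stop the index drifting again when the query changes. The identical change appears in the second `getUsers` hunk below.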
......@@ -653,7 +653,7 @@ function getUsers()
<button name="editUser" type="button" data-toggle="modal" id="' . $row[0] . '" data-target="#editUserModal" class="btn btn-xs btn-link" disabled >Edit</button>
<input name="deleteUser" type="submit" class="btn btn-xs btn-link" onclick="deleteUser(' . $row[0] . ')" value="Delete" disabled />
';
if ($row[4] == '2')
if ($row[5] == '2')
{
echo '<input name="reactivateUser" type="submit" class="btn btn-xs btn-link" value="Reactivate" disabled/>';
}
......@@ -680,7 +680,7 @@ function getUsers()
// TODO: Add reason, duration
function suspendUser()
{
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
$site = BASE_URL;
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -720,10 +720,10 @@ function suspendUser()
function suspendUserWithReason()
{
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
$site = BASE_URL;
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$suspend_reason = $_POST['suspend_reason'];
$suspend_reason = htmlspecialchars($_POST['suspend_reason']);
if (!$link)
{
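Review bot: `$suspend_reason` is free text that is stored and later displayed; encoding it at input time means the database will hold entities such as `&amp;` and `&#039;`, which get double-encoded when the reason is escaped again on output and no longer compare equal to what the moderator typed. Storing the raw value and escaping at output is the cleaner split; if input-time encoding is kept as the project convention, say so in a comment so later output code does not escape twice.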
......@@ -771,7 +771,7 @@ function suspendUserWithReason()
function reactivateUser()
{
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
$site = BASE_URL;
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -809,7 +809,7 @@ function reactivateUser()
function getUserDetails()
{
$userId = $_POST['userId'];
$userId = htmlspecialchars($_POST['userId']);
$site = BASE_URL;
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -1018,7 +1018,7 @@ function delete_callhistory()
die('Could not connect: ' . mysql_error());
}
$callid = $_POST['call_id'];
$callid = htmlspecialchars($_POST['call_id']);
echo $callid;
$query = "DELETE FROM call_history WHERE call_id = ?";
......
......@@ -76,8 +76,8 @@ if (isset($_GET['getAOP']))
function quickStatus()
{
$event = $_POST['event'];
$callId = $_POST['callId'];
$event = htmlspecialchars($_POST['event']);
$callId = htmlspecialchars($_POST['callId']);
session_start();
$callsign = $_SESSION['callsign'];
......@@ -276,8 +276,8 @@ function checkTones()
function setTone()
{
$tone = $_POST['tone'];
$action = $_POST['action'];
$tone = htmlspecialchars($_POST['tone']);
$action = htmlspecialchars($_POST['action']);
$status;
switch ($action)
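Review bot: the bare `$status;` statement is a no-op in PHP, not a declaration; it leaves `$status` undefined until a `switch` branch assigns it. Initialize it explicitly (`$status = null;`) so an unmatched `$action` does not produce an undefined-variable notice further down. `$statusId;` and `$statusDet;` in `changeStatus` have the same problem.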
......@@ -327,7 +327,7 @@ function setTone()
function logoutUser()
{
$identifier = $_POST['unit'];
$identifier = htmlspecialchars($_POST['unit']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -361,8 +361,8 @@ function changeStatus()
//var_dump($_POST);
$unit = $_POST['unit'];
$status = $_POST['status'];
$unit = htmlspecialchars($_POST['unit']);
$status = htmlspecialchars($_POST['status']);
$statusId;
$statusDet;
$onCall = false;
......
......@@ -233,7 +233,7 @@ function delete_name()
die('Could not connect: ' .mysql_error());
}
$uid = $_POST['uid'];
$uid = htmlspecialchars($_POST['uid']);
$query = "DELETE FROM ncic_names WHERE id = ?";
......@@ -264,7 +264,7 @@ function delete_plate()
die('Could not connect: ' .mysql_error());
}
$vehid = $_POST['vehid'];
$vehid = htmlspecialchars($_POST['vehid']);
$query = "DELETE FROM ncic_plates WHERE id = ?";
......@@ -291,7 +291,7 @@ function create_name()
{
session_start();
$fullName = $_POST['civNameReq'];
$fullName = htmlspecialchars($_POST['civNameReq']);
$firstName = explode(" ", $fullName) [0];
$lastName = explode(" ", $fullName) [1];
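Review bot: `explode(" ", $fullName)[1]` yields an undefined-offset notice and `null` when the submitted name has no space, and silently drops any third word. Use `explode(' ', $fullName, 2)` and check that two parts came back before continuing (same pattern in `edit_name`, `create_plate`, `edit_plate` and `create_weapon`).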
......@@ -338,15 +338,15 @@ function create_name()
$submitttedById = $_SESSION['id'];
//Submission Data
$name;
$dob = $_POST['civDobReq'];
$address = $_POST['civAddressReq'];
$sex = $_POST['civSexReq'];
$race = $_POST['civRaceReq'];
$dlstatus = $_POST['civDL'];
$hair = $_POST['civHairReq'];
$build = $_POST['civBuildReq'];
$weapon = $_POST['civWepStat'];
$deceased = $_POST['civDec'];
$dob = htmlspecialchars($_POST['civDobReq']);
$address = htmlspecialchars($_POST['civAddressReq']);
$sex = htmlspecialchars($_POST['civSexReq']);
$race = htmlspecialchars($_POST['civRaceReq']);
$dlstatus = htmlspecialchars($_POST['civDL']);
$hair = htmlspecialchars($_POST['civHairReq']);
$build = htmlspecialchars($_POST['civBuildReq']);
$weapon = htmlspecialchars($_POST['civWepStat']);
$deceased = htmlspecialchars($_POST['civDec']);
$query = "INSERT INTO ncic_names (submittedByName, submittedById, name, dob, address, gender, race, dl_status, hair_color, build, weapon_permit, deceased)
VALUES (?,?,?,?,?,?,?,?,?,?,?,?)";
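Review bot: every value in this block is bound through a placeholder in the parameterized `INSERT`, so `htmlspecialchars()` does not change the SQL exposure; what it does change is the stored data, which now contains HTML entities. For fields like `$address` that are later rendered in HTML this moves the escaping from output to input and risks double encoding; for fields like `$dob` and `$sex` that come from fixed-format inputs, validating the format (a date, one of a known set of values) is the stronger check. The same applies to the `edit_name` hunk below.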
......@@ -379,7 +379,7 @@ function create_plate()
{
session_start();
$plate = $_POST['veh_plate'];
$plate = htmlspecialchars($_POST['veh_plate']);
//Remove all spaces from plate
$plate = str_replace(' ', '', $plate);
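Review bot: for `$plate` the new `htmlspecialchars()` call interacts badly with the `preg_replace('/[^A-Za-z0-9\-]/', '', $plate)` that follows: an input containing `&` becomes `&amp;`, and the regex then strips `&` and `;` but keeps the letters, so the stored plate gains a spurious `amp`. Before this change the `&` was simply removed. Since the regex already reduces the plate to `[A-Za-z0-9-]`, the encoding step is unnecessary here and should be dropped for `$plate` (same in `edit_plate`).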
......@@ -390,23 +390,23 @@ function create_plate()
//Remove all special characters
$plate = preg_replace('/[^A-Za-z0-9\-]/', '', $plate);
$vehicle = $_POST['veh_make_model'];
$vehicle = htmlspecialchars($_POST['veh_make_model']);
$veh_make = explode(" ", $vehicle) [0];
$veh_model = explode(" ", $vehicle) [1];
$uid = $_SESSION['id'];
$submittedById = $_SESSION['id'];
$userId = $_POST['civilian_names'];
$userId = htmlspecialchars($_POST['civilian_names']);
$veh_plate = $plate;
$veh_make;
$veh_model;
$veh_pcolor = $_POST['veh_pcolor'];
$veh_scolor = $_POST['veh_scolor'];
$veh_insurance = $_POST['veh_insurance'];
$flags = $_POST['flags'];
$veh_reg_state = $_POST['veh_reg_state'];
$notes = $_POST['notes'];
$veh_pcolor = htmlspecialchars($_POST['veh_pcolor']);
$veh_scolor = htmlspecialchars($_POST['veh_scolor']);
$veh_insurance = htmlspecialchars($_POST['veh_insurance']);
$flags = htmlspecialchars($_POST['flags']);
$veh_reg_state = htmlspecialchars($_POST['veh_reg_state']);
$notes = htmlspecialchars($_POST['notes']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
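Review bot: `$veh_make;` and `$veh_model;` are no-op statements (both variables were already assigned from the `explode` two lines earlier), and `$uid` and `$submittedById` are the same session value assigned twice; removing the dead lines makes the escaping changes easier to review.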
......@@ -472,9 +472,9 @@ function create911Call()
die("Failed to run query: " . $e->getMessage()); //TODO: A function to send me an email when this occurs should be made
}
$caller = $_POST['911_caller'];
$location = $_POST['911_location'];
$description = $_POST['911_description'];
$caller = htmlspecialchars($_POST['911_caller']);
$location = htmlspecialchars($_POST['911_location']);
$description = htmlspecialchars($_POST['911_description']);
$created = date("Y-m-d H:i:s").': 911 Call Received<br/><br/>Caller Name: '.$caller;
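Review bot: this is one place where input-time encoding is the right call, because `$caller` is concatenated straight into an HTML fragment (`... 911 Call Received<br/><br/>Caller Name: ' . $caller`) that is stored as markup. A short comment saying that `$created` is HTML and that the three values are escaped for that reason would distinguish this hunk from the others, where the same call is applied to plain database columns.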
......@@ -513,7 +513,7 @@ function edit_name()
{
session_start();
$fullName = $_POST['civNameReq'];
$fullName = htmlspecialchars($_POST['civNameReq']);
$firstName = explode(" ", $fullName) [0];
$lastName = explode(" ", $fullName) [1];
......@@ -560,16 +560,16 @@ function edit_name()
$submitttedById = $_SESSION['id'];
//Submission Data
$name;
$dob = $_POST['civDobReq'];
$address = $_POST['civAddressReq'];
$sex = $_POST['civSexReq'];
$race = $_POST['civRaceReq'];
$dlstatus = $_POST['civDL'];
$hair = $_POST['civHairReq'];
$build = $_POST['civBuildReq'];
$weapon = $_POST['civWepStat'];
$deceased = $_POST['civDec'];
$editid = $_POST['Edit_id'];
$dob = htmlspecialchars($_POST['civDobReq']);
$address = htmlspecialchars($_POST['civAddressReq']);
$sex = htmlspecialchars($_POST['civSexReq']);
$race = htmlspecialchars($_POST['civRaceReq']);
$dlstatus = htmlspecialchars($_POST['civDL']);
$hair = htmlspecialchars($_POST['civHairReq']);
$build = htmlspecialchars($_POST['civBuildReq']);
$weapon = htmlspecialchars($_POST['civWepStat']);
$deceased = htmlspecialchars($_POST['civDec']);
$editid = htmlspecialchars($_POST['Edit_id']);
$query = "UPDATE ncic_names SET name = ?, dob = ?, address = ?, gender = ?, race = ?, dl_status = ?, hair_color = ?, build = ?, weapon_permit = ?, deceased = ? WHERE id = ?";
try
......@@ -599,7 +599,7 @@ function edit_plate()
{
session_start();
$plate = $_POST['veh_plate'];
$plate = htmlspecialchars($_POST['veh_plate']);
//Remove all spaces from plate
$plate = str_replace(' ', '', $plate);
......@@ -610,24 +610,24 @@ function edit_plate()
//Remove all special characters
$plate = preg_replace('/[^A-Za-z0-9\-]/', '', $plate);
$vehicle = $_POST['veh_make_model'];
$vehicle = htmlspecialchars($_POST['veh_make_model']);
$veh_make = explode(" ", $vehicle) [0];
$veh_model = explode(" ", $vehicle) [1];
$uid = $_SESSION['id'];
$submittedById = $_SESSION['id'];
$userId = $_POST['civilian_names'];
$userId = htmlspecialchars($_POST['civilian_names']);
$veh_plate = $plate;
$veh_make;
$veh_model;
$veh_pcolor = $_POST['veh_pcolor'];
$veh_scolor = $_POST['veh_scolor'];
$veh_insurance = $_POST['veh_insurance'];
$flags = $_POST['flags'];
$veh_reg_state = $_POST['veh_reg_state'];
$notes = $_POST['notes'];
$plate_id = $_POST['Edit_plateId'];
$veh_pcolor = htmlspecialchars($_POST['veh_pcolor']);
$veh_scolor = htmlspecialchars($_POST['veh_scolor']);
$veh_insurance = htmlspecialchars($_POST['veh_insurance']);
$flags = htmlspecialchars($_POST['flags']);
$veh_reg_state = htmlspecialchars($_POST['veh_reg_state']);
$notes = htmlspecialchars($_POST['notes']);
$plate_id = htmlspecialchars($_POST['Edit_plateId']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -692,11 +692,11 @@ function editplateid()
}
function create_warrant()
{
$userId = $_POST['civilian_names'];
$warrant_name = $_POST['warrant_name_sel'];
$issuing_agency = $_POST['issuing_agency'];
$userId = htmlspecialchars($_POST['civilian_names']);
$warrant_name = htmlspecialchars($_POST['warrant_name_sel']);
$issuing_agency = htmlspecialchars($_POST['issuing_agency']);
$warrant_name = $_POST['warrant_name_sel'];
$warrant_name = htmlspecialchars($_POST['warrant_name_sel']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
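Review bot: after this hunk `$warrant_name` is assigned the same escaped value twice (`$warrant_name = htmlspecialchars($_POST['warrant_name_sel']);` appears on two consecutive lines); the second assignment was a pre-existing duplicate and can be deleted instead of escaped. Note also that a second, identical `create_warrant` function with the same duplicate is patched further down in another file; one shared implementation would halve the surface that needs this kind of fix.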
......@@ -823,7 +823,7 @@ function delete_warrant()
die('Could not connect: ' .mysql_error());
}
$wid = $_POST['wid'];
$wid = htmlspecialchars($_POST['wid']);
$query = "DELETE FROM ncic_warrants WHERE id = ?";
......@@ -850,14 +850,14 @@ function create_weapon()
{
session_start();
$weapon = $_POST['weapon_all'];
$weapon = htmlspecialchars($_POST['weapon_all']);
$wea_type = explode(" ", $weapon) [0];
$wea_name = explode(" ", $weapon) [1];
$uid = $_SESSION['id'];
$submittedById = $_SESSION['id'];
$userId = $_POST['civilian_names'];
$userId = htmlspecialchars($_POST['civilian_names']);
$wea_type;
$wea_name;
......@@ -956,7 +956,7 @@ function delete_weapon()
die('Could not connect: ' .mysql_error());
}
$weaid = $_POST['weaid'];
$weaid = htmlspecialchars($_POST['weaid']);
$query = "DELETE FROM ncic_weapons WHERE id = ?";
......
......@@ -117,8 +117,8 @@ if (isset($_GET['term'])) {
function addNarrative()
{
session_start();
$details = $_POST['details'];
$callId = $_POST['callId'];
$details = htmlspecialchars($_POST['details']);
$callId = htmlspecialchars($_POST['callId']);
$who = $_SESSION['identifier'];
$detailsArr = explode("&", $details);
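Review bot: escaping `$details` before `explode("&", $details)` breaks the parsing that follows: `htmlspecialchars()` turns every `&` separator into `&amp;`, so the explode still splits on `&` but every element after the first now starts with `amp;` (for a constructed input `unit=12&text=hello` the array becomes `["unit=12", "amp;text=hello"]`). Parse the raw string first (`parse_str()` or the existing explode) and escape the individual fields afterwards. The `assignUnit` and `newCall` hunks below have the same regression.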
......@@ -161,7 +161,7 @@ function assignUnit()
{
//var_dump($_POST);
//Need to explode the details by &
$details = $_POST['details'];
$details = htmlspecialchars($_POST['details']);
$detailsArr = explode("&", $details);
if ($detailsArr[0] == 'unit=')
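Review bot: same `&amp;` problem as in `addNarrative`: the `$detailsArr[0] == 'unit='` check still passes, but every later element of `$detailsArr` now carries a leading `amp;`, so any value read from index 1 onwards will be wrong. Split the raw `$_POST['details']` first and escape the pieces.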
......@@ -248,7 +248,7 @@ function assignUnit()
function storeCall()
{
$callId = $_POST['callId'];
$callId = htmlspecialchars($_POST['callId']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -278,7 +278,7 @@ function storeCall()
function clearCall()
{
$callId = $_POST['callId'];
$callId = htmlspecialchars($_POST['callId']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -404,7 +404,7 @@ function newCall()
}
//Need to explode the details by &
$details = $_POST['details'];
$details = htmlspecialchars($_POST['details']);
$details = urldecode($details);
$detailsArr = explode("&", $details);
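Review bot: the order here is backwards: the value is HTML-escaped, then `urldecode()`d, then split on `&`. Any `%26` in the posted string decodes to a literal `&` after escaping and is therefore an unescaped separator, while literal `&` separators have already become `&amp;` and corrupt the split (see the `addNarrative` note). Decode, split, then escape each field, or use `parse_str()` on the raw value.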
......@@ -602,17 +602,17 @@ function cadGetPersonBOLOS()
function create_citation()
{
$userId = $_POST['civilian_names'];
$citation_name_1 = $_POST['citation_name_1'];
$citation_fine_1 = $_POST['citation_fine_1'];
$citation_name_2 = $_POST['citation_name_2'];
$citation_fine_2 = $_POST['citation_fine_2'];
$citation_name_3 = $_POST['citation_name_3'];
$citation_fine_3 = $_POST['citation_fine_3'];
$citation_name_4 = $_POST['citation_name_4'];
$citation_fine_4 = $_POST['citation_fine_4'];
$citation_name_5 = $_POST['citation_name_5'];
$citation_fine_5 = $_POST['citation_fine_5'];
$userId = htmlspecialchars($_POST['civilian_names']);
$citation_name_1 = htmlspecialchars($_POST['citation_name_1']);
$citation_fine_1 = htmlspecialchars($_POST['citation_fine_1']);
$citation_name_2 = htmlspecialchars($_POST['citation_name_2']);
$citation_fine_2 = htmlspecialchars($_POST['citation_fine_2']);
$citation_name_3 = htmlspecialchars($_POST['citation_name_3']);
$citation_fine_3 = htmlspecialchars($_POST['citation_fine_3']);
$citation_name_4 = htmlspecialchars($_POST['citation_name_4']);
$citation_fine_4 = htmlspecialchars($_POST['citation_fine_4']);
$citation_name_5 = htmlspecialchars($_POST['citation_name_5']);
$citation_fine_5 = htmlspecialchars($_POST['citation_fine_5']);
session_start();
$issued_by = $_SESSION['name'];
$date = date('Y-m-d');
......@@ -747,12 +747,12 @@ function create_citation()
function create_warning()
{
$userId = $_POST['civilian_names'];
$warning_name_1 = $_POST['warning_name_1'];
$warning_name_2 = $_POST['warning_name_2'];
$warning_name_3 = $_POST['warning_name_3'];
$warning_name_4 = $_POST['warning_name_4'];
$warning_name_5 = $_POST['warning_name_5'];
$userId = htmlspecialchars($_POST['civilian_names']);
$warning_name_1 = htmlspecialchars($_POST['warning_name_1']);
$warning_name_2 = htmlspecialchars($_POST['warning_name_2']);
$warning_name_3 = htmlspecialchars($_POST['warning_name_3']);
$warning_name_4 = htmlspecialchars($_POST['warning_name_4']);
$warning_name_5 = htmlspecialchars($_POST['warning_name_5']);
session_start();
$issued_by = $_SESSION['name'];
$date = date('Y-m-d');
......@@ -893,11 +893,11 @@ function create_warning()
function create_warrant()
{
$userId = $_POST['civilian_names'];
$warrant_name = $_POST['warrant_name_sel'];
$issuing_agency = $_POST['issuing_agency'];
$userId = htmlspecialchars($_POST['civilian_names']);
$warrant_name = htmlspecialchars($_POST['warrant_name_sel']);
$issuing_agency = htmlspecialchars($_POST['issuing_agency']);
$warrant_name = $_POST['warrant_name_sel'];
$warrant_name = htmlspecialchars($_POST['warrant_name_sel']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -942,7 +942,7 @@ function delete_citation()
die('Could not connect: ' .mysql_error());
}
$cid = $_POST['cid'];
$cid = htmlspecialchars($_POST['cid']);
$query = "DELETE FROM ncic_citations WHERE id = ?";
......@@ -972,7 +972,7 @@ function delete_arrest()
die('Could not connect: ' .mysql_error());
}
$aid = $_POST['aid'];
$aid = htmlspecialchars($_POST['aid']);
$query = "DELETE FROM ncic_arrests WHERE id = ?";
......@@ -1003,7 +1003,7 @@ function delete_warning()
die('Could not connect: ' .mysql_error());
}
$wgid = $_POST['wgid'];
$wgid = htmlspecialchars($_POST['wgid']);
$query = "DELETE FROM ncic_warnings WHERE id = ?";
......@@ -1034,7 +1034,7 @@ function delete_warrant()
die('Could not connect: ' .mysql_error());
}
$wid = $_POST['wid'];
$wid = htmlspecialchars($_POST['wid']);
$query = "DELETE FROM ncic_warrants WHERE id = ?";
......@@ -1308,12 +1308,12 @@ function ncic_warnings()
}
function create_personbolo()
{
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$gender = $_POST['gender'];
$physical_description = $_POST['physical_description'];
$reason_wanted = $_POST['reason_wanted'];
$last_seen = $_POST['last_seen'];
$first_name = htmlspecialchars($_POST['first_name']);
$last_name = htmlspecialchars($_POST['last_name']);
$gender = htmlspecialchars($_POST['gender']);
$physical_description = htmlspecialchars($_POST['physical_description']);
$reason_wanted = htmlspecialchars($_POST['reason_wanted']);
$last_seen = htmlspecialchars($_POST['last_seen']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -1347,13 +1347,13 @@ function create_personbolo()
function create_vehiclebolo()
{
$vehicle_make = $_POST['vehicle_make'];
$vehicle_model = $_POST['vehicle_model'];
$vehicle_plate = $_POST['vehicle_plate'];
$primary_color = $_POST['primary_color'];
$secondary_color = $_POST['secondary_color'];
$reason_wanted = $_POST['reason_wanted'];
$last_seen = $_POST['last_seen'];
$vehicle_make = htmlspecialchars($_POST['vehicle_make']);
$vehicle_model = htmlspecialchars($_POST['vehicle_model']);
$vehicle_plate = htmlspecialchars($_POST['vehicle_plate']);
$primary_color = htmlspecialchars($_POST['primary_color']);
$secondary_color = htmlspecialchars($_POST['secondary_color']);
$reason_wanted = htmlspecialchars($_POST['reason_wanted']);
$last_seen = htmlspecialchars($_POST['last_seen']);
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
......@@ -1393,7 +1393,7 @@ function delete_personbolo()
die('Could not connect: ' .mysql_error());
}
$pbid = $_POST['pbid'];
$pbid = htmlspecialchars($_POST['pbid']);
$query = "DELETE FROM bolos_persons WHERE id = ?";
......@@ -1425,7 +1425,7 @@ function delete_vehiclebolo()
die('Could not connect: ' .mysql_error());
}