new-build: sanitize input, limit 1

cowpod · Oct 29, 2024 · c9ce874 · c9ce874
1 parent c2d0ecf
commit c9ce874
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/functions/new-build.php b/functions/new-build.php
@@ -24,17 +24,22 @@
 $db->connect();
 
 if ($_GET['type']=="update") {
-    $db->execute("INSERT INTO builds(`name`,`minecraft`,`java`,`mods`,`modpack`,`public`) SELECT `name`,`minecraft`,`java`,`mods`,`modpack`,`public` FROM `builds` WHERE `modpack` = '".$_GET['id']."' ORDER BY `id` DESC LIMIT 1");
+    $db->execute("INSERT INTO builds(`name`,`minecraft`,`java`,`mods`,`modpack`,`public`) SELECT `name`,`minecraft`,`java`,`mods`,`modpack`,`public` FROM `builds` WHERE `modpack` = '".$db->sanitize($_GET['id'])."' ORDER BY `id` DESC LIMIT 1");
     $db->execute("UPDATE `builds` SET `name` = '".$db->sanitize($_GET['name'])."' WHERE `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
     $db->execute("UPDATE `builds` SET `public` = 0 WHERE `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
 } else {
     $db->execute("INSERT INTO builds(`name`,`modpack`,`public`) VALUES ('".$db->sanitize($_GET['name'])."','".$db->sanitize($_GET['id'])."',0)");
 }
-$lpq = $db->query("SELECT `name`,`modpack`,`public` FROM `builds` WHERE `public` = 1 AND `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC");
-if ($lpq) {
-    assert(sizeof($lpq)==1);
+
+$lpq = $db->query("SELECT `name`,`modpack`,`public` FROM `builds` WHERE `public` = 1 AND `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
+if ($lpq && sizeof($lpq)==1) {
     $latest_public = $lpq[0];
+} else {
+    $db->disconnect();
+    error_log("new-build.php: couldn't select latest build");
+    die("new-build.php: couldn't select latest build");
 }
+
 if (!empty($latest_public['name'])) {
     $db->execute("UPDATE `modpacks` SET `latest` = '".$latest_public['name']."' WHERE `id` = ".$db->sanitize($_GET['id']));
 }