From c9ce8744c16eb5b945e807307d837eac00a08f63 Mon Sep 17 00:00:00 2001
From: Henry Gross-Hellsen <6283258+cowpod@users.noreply.github.com>
Date: Mon, 28 Oct 2024 23:25:10 -0700
Subject: [PATCH] new-build: sanitize input, limit 1

---
 functions/new-build.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/functions/new-build.php b/functions/new-build.php
index 0bf0019..228dfc7 100644
--- a/functions/new-build.php
+++ b/functions/new-build.php
@@ -24,17 +24,22 @@
 $db->connect();
 
 if ($_GET['type']=="update") {
-    $db->execute("INSERT INTO builds(`name`,`minecraft`,`java`,`mods`,`modpack`,`public`) SELECT `name`,`minecraft`,`java`,`mods`,`modpack`,`public` FROM `builds` WHERE `modpack` = '".$_GET['id']."' ORDER BY `id` DESC LIMIT 1");
+    $db->execute("INSERT INTO builds(`name`,`minecraft`,`java`,`mods`,`modpack`,`public`) SELECT `name`,`minecraft`,`java`,`mods`,`modpack`,`public` FROM `builds` WHERE `modpack` = '".$db->sanitize($_GET['id'])."' ORDER BY `id` DESC LIMIT 1");
     $db->execute("UPDATE `builds` SET `name` = '".$db->sanitize($_GET['name'])."' WHERE `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
     $db->execute("UPDATE `builds` SET `public` = 0 WHERE `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
 } else {
     $db->execute("INSERT INTO builds(`name`,`modpack`,`public`) VALUES ('".$db->sanitize($_GET['name'])."','".$db->sanitize($_GET['id'])."',0)");
 }
-$lpq = $db->query("SELECT `name`,`modpack`,`public` FROM `builds` WHERE `public` = 1 AND `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC");
-if ($lpq) {
-    assert(sizeof($lpq)==1);
+
+$lpq = $db->query("SELECT `name`,`modpack`,`public` FROM `builds` WHERE `public` = 1 AND `modpack` = ".$db->sanitize($_GET['id'])." ORDER BY `id` DESC LIMIT 1");
+if ($lpq && sizeof($lpq)==1) {
     $latest_public = $lpq[0];
+} else {
+    $db->disconnect();
+    error_log("new-build.php: couldn't select latest build");
+    die("new-build.php: couldn't select latest build");
 }
+
 if (!empty($latest_public['name'])) {
     $db->execute("UPDATE `modpacks` SET `latest` = '".$latest_public['name']."' WHERE `id` = ".$db->sanitize($_GET['id']));
 }