From 939bdfe5f32fe90eeba0891e059a038b5751c204 Mon Sep 17 00:00:00 2001
From: = <a.sefaozan@gmail.com>
Date: Sun, 6 Mar 2022 23:35:26 +0300
Subject: [PATCH 1/3] Cross Site Scripting vulnerability fixed

---
 about_manager.php          |  2 +-
 admin/admin_contact.php    |  2 +-
 admin/admin_home.php       |  2 +-
 admin/admin_profile.php    |  8 ++++----
 allocate_room.php          | 12 ++++++------
 allocated_rooms.php        |  8 ++++----
 application_form.php       | 14 +++++++-------
 contact.php                |  6 +++---
 contact_manager.php        |  6 +++---
 empty_rooms.php            |  8 ++++----
 home.php                   |  2 +-
 home_manager.php           |  2 +-
 includes/hm_remove.php     |  2 +-
 includes/login-hm.inc.php  |  2 +-
 includes/login.inc.php     |  2 +-
 message_hostel_manager.php |  8 ++++----
 message_user.php           |  8 ++++----
 profile.php                | 24 ++++++++++++------------
 services.php               |  2 +-
 19 files changed, 60 insertions(+), 60 deletions(-)

diff --git a/about_manager.php b/about_manager.php
index 4e4d125..8a3cdf1 100644
--- a/about_manager.php
+++ b/about_manager.php
@@ -79,7 +79,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
diff --git a/admin/admin_contact.php b/admin/admin_contact.php
index 2d753cf..73bf9c0 100644
--- a/admin/admin_contact.php
+++ b/admin/admin_contact.php
@@ -72,7 +72,7 @@ function hideURLbar() {
 							<a class="nav-link" href="admin_contact.php">Contact</a>
 						</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
diff --git a/admin/admin_home.php b/admin/admin_home.php
index 53cf45d..c951144 100644
--- a/admin/admin_home.php
+++ b/admin/admin_home.php
@@ -73,7 +73,7 @@ function hideURLbar() {
 						<a class="nav-link" href="admin_contact.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
diff --git a/admin/admin_profile.php b/admin/admin_profile.php
index b6abc47..dd29bd0 100644
--- a/admin/admin_profile.php
+++ b/admin/admin_profile.php
@@ -108,25 +108,25 @@ function hideURLbar() {
 							</div>
 							<div class="abt-agile-right">
 
-								<h3><?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?></h3>
+								<h3><?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?></h3>
 								<h5>Admin</h5>
 								<ul class="address">
 									<li>
 										<ul class="address-text">
 											<li><b>Username </b></li>
-											<li>: <?php echo $_SESSION['username']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['username']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>PHONE </b></li>
-											<li>: <?php echo $_SESSION['mob_no']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['mob_no']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>Email </b></li>
-											<li>: <?php echo $_SESSION['email']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['email']); ?></li>
 										</ul>
 									</li>
 								</ul>
diff --git a/allocate_room.php b/allocate_room.php
index 83fd576..3fe55bb 100644
--- a/allocate_room.php
+++ b/allocate_room.php
@@ -83,7 +83,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact_manager.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -124,7 +124,7 @@ function hideURLbar() {
 <?php
    if (isset($_POST['search'])) {
    	   $search_box = $_POST['search_box'];
-   	   /*echo "<script type='text/javascript'>alert('<?php echo $search_box; ?>')</script>";*/
+   	   /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($search_box); ?>')</script>";*/
    	   $hostel_id = $_SESSION['hostel_id'];
    	   $query_search = "SELECT * FROM Application WHERE Student_id like '$search_box%' and Hostel_id = '$hostel_id' and Application_status = '1'";
    	   $result_search = mysqli_query($conn,$query_search);
@@ -160,7 +160,7 @@ function hideURLbar() {
             $row7 = mysqli_fetch_assoc($result7);
             $student_name = $row7['Fname']." ".$row7['Lname'];
             
-      		echo "<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$hostel_name}</td><td>{$row_search['Message']}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$hostel_name}</td><td>{$row_search['Message']}</td></tr>\n");
 
    	   }
    }
@@ -208,7 +208,7 @@ function hideURLbar() {
             $row7 = mysqli_fetch_assoc($result7);
             $student_name = $row7['Fname']." ".$row7['Lname'];
             
-      		echo "<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$hostel_name}</td><td>{$row1['Message']}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$hostel_name}</td><td>{$row1['Message']}</td></tr>\n");
       	}
       }
     ?>
@@ -230,7 +230,7 @@ function hideURLbar() {
 if(isset($_POST['submit'])){
    $result1 = mysqli_query($conn,$query1);
    
-   /*echo "<script type='text/javascript'>alert('<?php echo $room_no ?>')</script>";*/
+   /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($room_no); ?>')</script>";*/
    while($row1 = mysqli_fetch_assoc($result1)){
          //find the minimum room number
      $query2 = "SELECT * FROM Room where Room_No = (SELECT MIN(Room_No) FROM Room where Allocated = '0' and Hostel_id = '$hostel_id')";
@@ -245,7 +245,7 @@ function hideURLbar() {
      $student_id = $row1['Student_id'];
      $query3 = "UPDATE Application SET Application_status = '0',Room_No = '$room_no' WHERE Student_id = '$student_id'";
      $result3 = mysqli_query($conn,$query3);
-     /*echo "<script type='text/javascript'>alert('<?php echo $result3; ?>')</script>";*/
+     /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($result3); ?>')</script>";*/
      if($result3){
      	$room_id = $row2['Room_id'];
      	$query4 = "UPDATE Student SET Hostel_id = '$hostel_id',Room_id = '$room_id' WHERE Student_id = '$student_id'";
diff --git a/allocated_rooms.php b/allocated_rooms.php
index 39d5ab7..aa83a8f 100644
--- a/allocated_rooms.php
+++ b/allocated_rooms.php
@@ -85,7 +85,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact_manager.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -126,7 +126,7 @@ function hideURLbar() {
 <?php
    if (isset($_POST['search'])) {
    	   $search_box = $_POST['search_box'];
-   	   /*echo "<script type='text/javascript'>alert('<?php echo $search_box; ?>')</script>";*/
+   	   /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($search_box); ?>')</script>";*/
    	   $hostel_id = $_SESSION['hostel_id'];
    	   $query_search = "SELECT * FROM Student WHERE Student_id like '$search_box%' and Hostel_id = '$hostel_id'";
    	   $result_search = mysqli_query($conn,$query_search);
@@ -164,7 +164,7 @@ function hideURLbar() {
             //student name
             $student_name = $row_search['Fname']." ".$row_search['Lname'];
             
-      		echo "<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$row_search['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$row_search['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n");
    	   }
    }
    ?>
@@ -217,7 +217,7 @@ function hideURLbar() {
             //student name
             $student_name = $row1['Fname']." ".$row1['Lname'];
             
-      		echo "<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$row1['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$row1['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n");
       	}
       }
     ?>
diff --git a/application_form.php b/application_form.php
index 28692ad..b6d2db5 100644
--- a/application_form.php
+++ b/application_form.php
@@ -65,7 +65,7 @@ function hideURLbar() {
 						<a class="nav-link" href="message_user.php">Message Received</a>
 					</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -91,17 +91,17 @@ function hideURLbar() {
 	<div class="container">
 		<h2 class="heading text-capitalize mb-sm-5 mb-4"> Application Form </h2>
 			<div class="mail_grid_w3l">
-				<form action="application_form.php?id=<?php echo $_GET['id']?>" method="post">
+				<form action="application_form.php?id=<?php echo htmlspecialchars($_GET['id']); ?>" method="post">
 					<div class="row">
 						<div class="col-md-6 contact_left_grid" data-aos="fade-right">
 							<div class="contact-fields-w3ls">
-								<input type="text" name="Name" placeholder="Name" value="<?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?>" required="" disabled="disabled">
+								<input type="text" name="Name" placeholder="Name" value="<?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?>" required="" disabled="disabled">
 							</div>
 							<div class="contact-fields-w3ls">
-								<input type="text" name="roll_no" placeholder="Roll Number" value="<?php echo $_SESSION['roll']?>" required="" disabled="disabled">
+								<input type="text" name="roll_no" placeholder="Roll Number" value="<?php echo htmlspecialchars($_SESSION['roll']); ?>" required="" disabled="disabled">
 							</div>
 							<div class="contact-fields-w3ls">
-								<input type="text" name="hostel" placeholder="Hostel" value="<?php echo $_GET['id']?>" required="" disabled="disabled">
+								<input type="text" name="hostel" placeholder="Hostel" value="<?php echo htmlspecialchars($_GET['id']); ?>" required="" disabled="disabled">
 							</div>
 							<div class="contact-fields-w3ls">
 								<input type="password" name="pwd" placeholder="Password" required="">
@@ -212,12 +212,12 @@ function hideURLbar() {
      $hostel = $_GET['id'];
      $message = $_POST['Message'];
 
-     /*echo "<script type='text/javascript'>alert('<?php echo $roll ?>')</script>";*/
+     /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($roll); ?>')</script>";*/
      $query_imp = "SELECT * FROM Student WHERE Student_id = '$roll'";
      $result_imp = mysqli_query($conn,$query_imp);
      $row_imp = mysqli_fetch_assoc($result_imp);
      $room_id = $row_imp['Room_id'];
-     /*echo "<script type='text/javascript'>alert('<?php echo $room_id ?>')</script>";*/
+     /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($room_id); ?>')</script>";*/
      if(is_null($room_id)){
      
      $query_imp2 = "SELECT * FROM Application WHERE Student_id = '$roll'";
diff --git a/contact.php b/contact.php
index 2c20ab6..6b36ce9 100644
--- a/contact.php
+++ b/contact.php
@@ -72,7 +72,7 @@ function hideURLbar() {
 						<a class="nav-link" href="message_user.php">Message Received</a>
 					</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -106,10 +106,10 @@ function hideURLbar() {
 								<input type="text" name="hostel_name" placeholder="Hostel Name" required="">
 							</div>
 							<div class="contact-fields-w3ls">
-								<input type="text" name="name" placeholder="Name" value="<?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?>" required="">
+								<input type="text" name="name" placeholder="Name" value="<?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?>" required="">
 							</div>
 							<div class="contact-fields-w3ls">
-								<input type="text" name="rol_no" placeholder="Roll Number" value="<?php echo $_SESSION['roll']; ?>" required="">
+								<input type="text" name="rol_no" placeholder="Roll Number" value="<?php echo htmlspecialchars($_SESSION['roll']); ?>" required="">
 							</div>
 							<div class="contact-fields-w3ls">
 								<input type="text" name="subject" placeholder="Subject" required="">
diff --git a/contact_manager.php b/contact_manager.php
index ce0ea1d..9c38bea 100644
--- a/contact_manager.php
+++ b/contact_manager.php
@@ -86,7 +86,7 @@ function hideURLbar() {
 							<a class="nav-link" href="contact.php">Contact</a>
 						</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -123,10 +123,10 @@ function hideURLbar() {
 					<div class="row">
 						<div class="col-md-6 contact_left_grid" data-aos="fade-right">
 							<div class="contact-fields-w3ls">
-								<input type="text" name="name" placeholder="Name"  value="<?php echo $_SESSION['username']; ?>"required="">
+								<input type="text" name="name" placeholder="Name"  value="<?php echo htmlspecialchars($_SESSION['username']); ?>"required="">
 							</div>
 							<div class="contact-fields-w3ls">
-								<input type="text" name="hostel_name" placeholder="Hostel" required="" value="<?php echo $hostel_name; ?>">
+								<input type="text" name="hostel_name" placeholder="Hostel" required="" value="<?php echo htmlspecialchars($hostel_name); ?>">
 							</div>
 							<div class="contact-fields-w3ls">
 								<input type="text" name="student_roll_no" placeholder="Student Roll Number" required="">
diff --git a/empty_rooms.php b/empty_rooms.php
index e3ef472..7d8ee58 100644
--- a/empty_rooms.php
+++ b/empty_rooms.php
@@ -84,7 +84,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact_manager.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -125,7 +125,7 @@ function hideURLbar() {
 <?php
    if (isset($_POST['search'])) {
    	   $search_box = $_POST['search_box'];
-   	   /*echo "<script type='text/javascript'>alert('<?php echo $search_box; ?>')</script>";*/
+   	   /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($search_box); ?>')</script>";*/
    	   $hostel_id = $_SESSION['hostel_id'];
    	   $query_search = "SELECT * FROM Room WHERE Room_No like '$search_box%' and Hostel_id = '$hostel_id' and Allocated = '0'";
    	   $result_search = mysqli_query($conn,$query_search);
@@ -152,7 +152,7 @@ function hideURLbar() {
    	   else{
    	   	  while($row_search = mysqli_fetch_assoc($result_search)){
          
-      		echo "<tr><td>{$hostel_name}</td><td>{$row_search['Room_No']}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$hostel_name}</td><td>{$row_search['Room_No']}</td></tr>\n");
    	   }
    }
    ?>
@@ -193,7 +193,7 @@ function hideURLbar() {
       }
       else{
       	while($row1 = mysqli_fetch_assoc($result1)){
-      		echo "<tr><td>{$hostel_name}</td><td>{$row1['Room_No']}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$hostel_name}</td><td>{$row1['Room_No']}</td></tr>\n");
       	}
       }
     ?>
diff --git a/home.php b/home.php
index e3c4f8d..d97a141 100644
--- a/home.php
+++ b/home.php
@@ -74,7 +74,7 @@ function hideURLbar() {
 						<a class="nav-link" href="message_user.php">Message Received</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
diff --git a/home_manager.php b/home_manager.php
index aa8020e..86ee4a1 100644
--- a/home_manager.php
+++ b/home_manager.php
@@ -86,7 +86,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact_manager.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
diff --git a/includes/hm_remove.php b/includes/hm_remove.php
index 513ac2c..4f67152 100644
--- a/includes/hm_remove.php
+++ b/includes/hm_remove.php
@@ -72,7 +72,7 @@
         else {
           echo "<script type='text/javascript'>alert('Not SET')</script>";
         }
-        //echo $_SESSION['lname'];
+        //echo htmlspecialchars($_SESSION['lname']);
         header("Location: ../home.php?login=success");
         //exit();
       }
diff --git a/includes/login-hm.inc.php b/includes/login-hm.inc.php
index 549198b..0b57cd6 100644
--- a/includes/login-hm.inc.php
+++ b/includes/login-hm.inc.php
@@ -40,7 +40,7 @@
         else {
           echo "<script type='text/javascript'>alert('Not SET')</script>";
         }
-        //echo $_SESSION['lname'];
+        //echo htmlspecialchars($_SESSION['lname']);
         if($_SESSION['isadmin']==0){
           header("Location: ../home_manager.php?login=success");
         }
diff --git a/includes/login.inc.php b/includes/login.inc.php
index c2c2434..364c0ae 100644
--- a/includes/login.inc.php
+++ b/includes/login.inc.php
@@ -37,7 +37,7 @@
         else {
           echo "<script type='text/javascript'>alert('Not SET')</script>";
         }
-        //echo $_SESSION['lname'];
+        //echo htmlspecialchars($_SESSION['lname']);
         header("Location: ../home.php?login=success");
         //exit();
       }
diff --git a/message_hostel_manager.php b/message_hostel_manager.php
index ee1ed45..82e1cd8 100644
--- a/message_hostel_manager.php
+++ b/message_hostel_manager.php
@@ -99,7 +99,7 @@ function hideURLbar() {
 						<a class="nav-link" href="contact_manager.php">Contact</a>
 					</li>
 					<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -132,9 +132,9 @@ function hideURLbar() {
 
     <div class="container">
       <div class="card">
-      <div class="card-header"><b><?php echo $row['subject_h']; ?></b></div>
-      <div class="card-body"><?php echo $row['message']; ?></div> 
-      <div class="card-footer"><?php echo $row['sender_id'] ?><span style="float: right"><?php echo $row['msg_date']." ".$row['msg_time']; ?></span></div>
+      <div class="card-header"><b><?php echo htmlspecialchars($row['subject_h']); ?></b></div>
+      <div class="card-body"><?php echo htmlspecialchars($row['message']); ?></div> 
+      <div class="card-footer"><?php echo htmlspecialchars($row['sender_id']); ?><span style="float: right"><?php echo htmlspecialchars($row['msg_date']." ".$row['msg_time']); ?></span></div>
   </div>
 </div>
 <br><br>
diff --git a/message_user.php b/message_user.php
index a923aeb..e84eb9f 100644
--- a/message_user.php
+++ b/message_user.php
@@ -78,7 +78,7 @@ function hideURLbar() {
 						<a class="nav-link" href="message_user.php">Message Received</a>
 					</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -115,9 +115,9 @@ function hideURLbar() {
 
     <div class="container">
       <div class="card">
-      <div class="card-header"><b><?php echo $row['subject_h']; ?></b></div>
-      <div class="card-body"><?php echo $row['message']; ?></div> 
-      <div class="card-footer"><?php echo $hostel_name." Hostel Manager"; ?><span style="float: right"><?php echo $row['msg_date']." ".$row['msg_time']; ?></span></div>
+      <div class="card-header"><b><?php echo htmlspecialchars($row['subject_h']); ?></b></div>
+      <div class="card-body"><?php echo htmlspecialchars($row['message']); ?></div> 
+      <div class="card-footer"><?php echo htmlspecialchars($hostel_name." Hostel Manager"); ?><span style="float: right"><?php echo htmlspecialchars($row['msg_date']." ".$row['msg_time']); ?></span></div>
   </div>
 </div>
 <br><br>
diff --git a/profile.php b/profile.php
index 79873a6..78cf247 100644
--- a/profile.php
+++ b/profile.php
@@ -80,7 +80,7 @@ function hideURLbar() {
 							<a class="nav-link" href="contact.php">Contact</a>
 						</li>
 						<li class="dropdown nav-item">
-							<!--<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+							<!--<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 								<b class="caret"></b>
 							</a>
 							<ul class="dropdown-menu agile_short_dropdown">
@@ -124,31 +124,31 @@ function hideURLbar() {
 							</div>
 							<div class="abt-agile-right">
 
-								<h3><?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?></h3>
+								<h3><?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?></h3>
 								<h5>Student</h5>
 								<ul class="address">
 									<li>
 										<ul class="address-text">
 											<li><b>Roll No </b></li>
-											<li>: <?php echo $_SESSION['roll']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['roll']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>PHONE </b></li>
-											<li>: <?php echo $_SESSION['mob_no']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['mob_no']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>DEPT </b></li>
-											<li>: <?php echo $_SESSION['department']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['department']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>YEAR OF STUDY </b></li>
-											<li>: <?php echo $_SESSION['year_of_study']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['year_of_study']); ?></li>
 										</ul>
 									</li>
 								</ul>
@@ -163,7 +163,7 @@ function hideURLbar() {
 						</div>
 						<div class="abt-agile-right">
 
-							<h3><?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?></h3>
+							<h3><?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?></h3>
 							<h5>Student</h5>
 							<ul class="address">
 								<li>
@@ -187,7 +187,7 @@ function hideURLbar() {
 										 ?>
 
 
-										<li>: <?php echo $hostelName; ?></li>
+										<li>: <?php echo htmlspecialchars($hostelName); ?></li>
 									</ul>
 								</li>
 								<li>
@@ -209,7 +209,7 @@ function hideURLbar() {
 												}
 											}
 										 ?>
-										<li>: <?php echo $roomNo; ?></li>
+										<li>: <?php echo htmlspecialchars($roomNo); ?></li>
 									</ul>
 								</li>
 							</ul>
@@ -296,19 +296,19 @@ function hideURLbar() {
 										$hmemail = 'none';
 									}
 								 ?>
-								<h3><?php echo $hmfname." ".$hmlname; ?></h3>
+								<h3><?php echo htmlspecialchars($hmfname." ".$hmlname); ?></h3>
 								<h5>Admin</h5>
 								<ul class="address">
 									<li>
 										<ul class="address-text">
 											<li><b>PHONE </b></li>
-											<li>: <?php echo $hmMob; ?></li>
+											<li>: <?php echo htmlspecialchars($hmMob); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>Email </b></li>
-											<li>: <?php echo $hmemail; ?></li>
+											<li>: <?php echo htmlspecialchars($hmemail); ?></li>
 										</ul>
 									</li>
 								</ul>
diff --git a/services.php b/services.php
index b48656c..204a601 100644
--- a/services.php
+++ b/services.php
@@ -75,7 +75,7 @@ function hideURLbar() {
 						<a class="nav-link" href="message_user.php">Message Received</a>
 					</li>
 						<li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['roll']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['roll']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">

From 153984f77e0f333cb7d866d76b11d35a52ac9006 Mon Sep 17 00:00:00 2001
From: = <a.sefaozan@gmail.com>
Date: Mon, 7 Mar 2022 02:49:25 +0300
Subject: [PATCH 2/3] SQL Injection Vulnerability Fixed

---
 admin/create_hm.php       |   8 +--
 admin/manager_profile.php |  41 +++++++++----
 allocate_room.php         |  24 ++++++--
 includes/config.inc.php   |   4 +-
 includes/hm_remove.php    | 125 ++++++++++++++++++++++----------------
 includes/hm_signup.php    |  32 ++++++----
 includes/login-hm.inc.php |  11 +++-
 includes/login.inc.php    |  17 ++++--
 8 files changed, 170 insertions(+), 92 deletions(-)

diff --git a/admin/create_hm.php b/admin/create_hm.php
index eb5c26a..b9d4845 100644
--- a/admin/create_hm.php
+++ b/admin/create_hm.php
@@ -117,25 +117,25 @@ function hideURLbar() {
 							</div>
 							<div class="abt-agile-right">
 
-								<h3><?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?></h3>
+								<h3><?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?></h3>
 								<h5>Admin</h5>
 								<ul class="address">
 									<li>
 										<ul class="address-text">
 											<li><b>Username </b></li>
-											<li>: <?php echo $_SESSION['username']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['username']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>PHONE </b></li>
-											<li>: <?php echo $_SESSION['mob_no']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['mob_no']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>Email </b></li>
-											<li>: <?php echo $_SESSION['email']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['email']); ?></li>
 										</ul>
 									</li>
 								</ul>
diff --git a/admin/manager_profile.php b/admin/manager_profile.php
index 6a6c7a4..d611eaf 100644
--- a/admin/manager_profile.php
+++ b/admin/manager_profile.php
@@ -125,25 +125,25 @@ function hideURLbar() {
 							</div>
 							<div class="abt-agile-right">
 
-								<h3><?php echo $_SESSION['fname']." ".$_SESSION['lname']; ?></h3>
+								<h3><?php echo htmlspecialchars($_SESSION['fname']." ".$_SESSION['lname']); ?></h3>
 								<h5>Hostel Manager</h5>
 								<ul class="address">
 									<li>
 										<ul class="address-text">
 											<li><b>Username </b></li>
-											<li>: <?php echo $_SESSION['username']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['username']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>PHONE </b></li>
-											<li>: <?php echo $_SESSION['mob_no']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['mob_no']); ?></li>
 										</ul>
 									</li>
 									<li>
 										<ul class="address-text">
 											<li><b>Email </b></li>
-											<li>: <?php echo $_SESSION['email']; ?></li>
+											<li>: <?php echo htmlspecialchars($_SESSION['email']); ?></li>
 										</ul>
 									</li>
                   <li>
@@ -151,15 +151,23 @@ function hideURLbar() {
 											<li><b>Managing Hostel </b></li>
                       <?php
                           $HOID = $_SESSION['hostel_id'];
-                          $query999 = "SELECT * FROM Hostel WHERE Hostel_id = '$HOID'";
-                          $result999 = mysqli_query($conn,$query999);
+
+						  $query999 = "SELECT * FROM Hostel WHERE Hostel_id = ?";
+						  $stmt = mysqli_stmt_init($conn);
+						  if(!mysqli_stmt_prepare($stmt, $query999)){
+							header("Location: ../admin/create_hm.php?error=sqlerror");
+							exit();
+						  }
+						  mysqli_stmt_bind_param($stmt, "s", $HOID);
+						  mysqli_stmt_execute($stmt);
+						  $result999 = mysqli_stmt_get_result($stmt);
                           $row999 = mysqli_fetch_assoc($result999);
                           $HNM = $row999['Hostel_name'];
                           if(!$HNM){
                             $HNM='None';
                           }
                        ?>
-											<li>: <?php echo $HNM; ?></li>
+											<li>: <?php echo htmlspecialchars($HNM); ?></li>
 										</ul>
 									</li>
 								</ul>
@@ -176,8 +184,15 @@ function hideURLbar() {
             <div class="abt-agile-right">
 							<?php
 									$ad=1;
-									$queryA = "SELECT * FROM Hostel_Manager WHERE Isadmin = '$ad'";
-									$resultA = mysqli_query($conn,$queryA);
+									$queryA = "SELECT * FROM Hostel_Manager WHERE Isadmin = ?";
+									$stmt = mysqli_stmt_init($conn);
+									if(!mysqli_stmt_prepare($stmt, $queryA)){
+									  header("Location: ../admin/create_hm.php?error=sqlerror");
+									  exit();
+									}
+									mysqli_stmt_bind_param($stmt, "s", $ad);
+									mysqli_stmt_execute($stmt);
+									$resultA = mysqli_stmt_get_result($stmt);
 									$rowA = mysqli_fetch_assoc($resultA);
 									$adFname = $rowA['Fname'];
 									$adLname = $rowA['Lname'];
@@ -185,25 +200,25 @@ function hideURLbar() {
 									$adMob = $rowA['Mob_no'];
 									$adEmail = $rowA['Email'];
 							 ?>
-              <h3><?php echo $adFname." ".$adLname; ?></h3>
+              <h3><?php echo htmlspecialchars($adFname." ".$adLname); ?></h3>
               <h5>Admin</h5>
               <ul class="address">
                 <li>
                   <ul class="address-text">
                     <li><b>Username </b></li>
-                    <li>: <?php echo $adUname; ?></li>
+                    <li>: <?php echo htmlspecialchars($adUname); ?></li>
                   </ul>
                 </li>
                 <li>
                   <ul class="address-text">
                     <li><b>PHONE </b></li>
-                    <li>: <?php echo $adMob; ?></li>
+                    <li>: <?php echo htmlspecialchars($adMob); ?></li>
                   </ul>
                 </li>
                 <li>
                   <ul class="address-text">
                     <li><b>Email </b></li>
-                    <li>: <?php echo $adEmail; ?></li>
+                    <li>: <?php echo htmlspecialchars($adEmail); ?></li>
                   </ul>
                 </li>
                 
diff --git a/allocate_room.php b/allocate_room.php
index 3fe55bb..a85f0af 100644
--- a/allocate_room.php
+++ b/allocate_room.php
@@ -130,8 +130,17 @@ function hideURLbar() {
    	   $result_search = mysqli_query($conn,$query_search);
 
    	   //select the hostel name from hostel table
-       $query6 = "SELECT * FROM Hostel WHERE Hostel_id = '$hostel_id'";
-       $result6 = mysqli_query($conn,$query6);
+	   $query6 = "SELECT * FROM Hostel WHERE Hostel_id = ?";
+	   $stmt = mysqli_stmt_init($conn);
+	   if(!mysqli_stmt_prepare($stmt, $query6)){
+		 header("Location: ../create_hm.php?error=sqlerror");
+		 exit();
+	   }
+	   mysqli_stmt_bind_param($stmt, "s", $hostel_id);
+	   mysqli_stmt_execute($stmt);
+	   $result6 = mysqli_stmt_get_result($stmt);
+
+
        $row6 = mysqli_fetch_assoc($result6);
        $hostel_name = $row6['Hostel_name'];
    	   ?>
@@ -203,8 +212,15 @@ function hideURLbar() {
       	while($row1 = mysqli_fetch_assoc($result1)){
       		//get the name of the student to display
             $student_id = $row1['Student_id']; 
-            $query7 = "SELECT * FROM Student WHERE Student_id = '$student_id'";
-            $result7 = mysqli_query($conn,$query7);
+			$query7 = "SELECT * FROM Hostel WHERE Student_id = ?";
+			$stmt = mysqli_stmt_init($conn);
+			if(!mysqli_stmt_prepare($stmt, $query7)){
+			  header("Location: ../create_hm.php?error=sqlerror");
+			  exit();
+			}
+			mysqli_stmt_bind_param($stmt, "s", $student_id);
+			mysqli_stmt_execute($stmt);
+			$result7 = mysqli_stmt_get_result($stmt);
             $row7 = mysqli_fetch_assoc($result7);
             $student_name = $row7['Fname']." ".$row7['Lname'];
             
diff --git a/includes/config.inc.php b/includes/config.inc.php
index 2634478..2351b1b 100644
--- a/includes/config.inc.php
+++ b/includes/config.inc.php
@@ -1,8 +1,8 @@
 <?php
   session_start();
-  $servername = "hms.test"; //change this  accordingly
+  $servername = "localhost"; //change this  accordingly hms.test
   $dBUsername = "root";
-  $dBPassword = "root";
+  $dBPassword = ""; //root
   $dBName = "hostel_management_system";
  // session_start();
   $conn=mysqli_connect($servername, $dBUsername, $dBPassword, $dBName);
diff --git a/includes/hm_remove.php b/includes/hm_remove.php
index 4f67152..4ea878d 100644
--- a/includes/hm_remove.php
+++ b/includes/hm_remove.php
@@ -13,73 +13,96 @@
     exit();
   }
   else {
-      $sql = "SELECT *FROM Hostel_Manager WHERE Username = '$username'";
+      $sql = "SELECT * FROM Hostel_Manager WHERE Username = ?";
+      $stmt = mysqli_stmt_init($conn);
+      if(!mysqli_stmt_prepare($stmt, $sql)){
+        header("Location: ../admin/create_hm.php?error=sqlerror");
+        exit();
+      }
+      mysqli_stmt_bind_param($stmt, "s", $username);
+      mysqli_stmt_execute($stmt);
+      $result = mysqli_stmt_get_result($stmt);
       $result = mysqli_query($conn, $sql);
       if($row = mysqli_fetch_assoc($result)){
-
-      $sql2 = "SELECT *FROM Hostel WHERE Hostel_name = '$hostel_name'";
-      $result2 = mysqli_query($conn, $sql2);
-      if($row2 = mysqli_fetch_assoc($result2)){
-        $HNO = $row2['Hostel_id'];
-        if ($HNO == $row['Hostel_id']) {
-          $pwdCheck = password_verify($Adminpassword, $_SESSION['PSWD']);
-          if ($pwdCheck==false) {
-            header("Location: ../admin/create_hm.php?error=wrongpwd");
-            exit();
-          }
-          else {
-            $sql3 = "DELETE FROM Hostel_Manager WHERE Username = '$username'";
-            $result3 = mysqli_query($conn, $sql3);
-            if($result3){
-              header("Location: ../admin/create_hm.php?DeletionSuccessful");
+        $sql2 = "SELECT * FROM Hostel WHERE Hostel_name = ?";
+        $stmt2 = mysqli_stmt_init($conn);
+        if(!mysqli_stmt_prepare($stmt2, $sql)){
+          header("Location: ../admin/create_hm.php?error=sqlerror");
+          exit();
+        }
+        mysqli_stmt_bind_param($stmt2, "s", $hostel_name);
+        mysqli_stmt_execute($stmt2);
+        $result2 = mysqli_stmt_get_result($stmt2);
+        $result2 = mysqli_query($conn, $sql2);
+        if($row2 = mysqli_fetch_assoc($result2)){
+          $HNO = $row2['Hostel_id'];
+          if ($HNO == $row['Hostel_id']) {
+            $pwdCheck = password_verify($Adminpassword, $_SESSION['PSWD']);
+            if ($pwdCheck==false) {
+              header("Location: ../admin/create_hm.php?error=wrongpwd");
               exit();
             }
             else {
-              header("Location: ../admin/create_hm.php?error=DeletionFailed");
-              exit();
+              $sql3 = "DELETE FROM Hostel_Manager WHERE Username = ?";
+              $stmt3 = mysqli_stmt_init($conn);
+              if(!mysqli_stmt_prepare($stmt3, $sql3)){
+                header("Location: ../admin/create_hm.php?error=sqlerror");
+                exit();
+              }
+              mysqli_stmt_bind_param($stmt3, "s", $username);
+              mysqli_stmt_execute($stmt3);
+              $result3 = mysqli_stmt_get_result($stmt3);
+              $result3 = mysqli_query($conn, $sql3);
+              if($result3){
+                header("Location: ../admin/create_hm.php?DeletionSuccessful");
+                exit();
+              }
+              else {
+                header("Location: ../admin/create_hm.php?error=DeletionFailed");
+                exit();
+              }
             }
           }
+          else {
+            header("Location: ../admin/create_hm.php?error=wronghostel");
+            exit();
+          }
         }
         else {
-          header("Location: ../admin/create_hm.php?error=wronghostel");
+          header("Location: ../admin/create_hm.php?error=nohostel");
           exit();
         }
-      }
-      else {
-        header("Location: ../admin/create_hm.php?error=nohostel");
-        exit();
-      }
 
-      $pwdCheck = password_verify($password, $row['Pwd']);
-      if($pwdCheck == false){
-        header("Location: ../index.php?error=wrongpwd");
-        exit();
-      }
-      else if($pwdCheck == true) {
+        $pwdCheck = password_verify($password, $row['Pwd']);
+        if($pwdCheck == false){
+          header("Location: ../index.php?error=wrongpwd");
+          exit();
+        }
+        else if($pwdCheck == true) {
 
-        //session_start();
-        $_SESSION['roll'] = $row['Student_id'];
-        $_SESSION['fname'] = $row['Fname'];
-        $_SESSION['lname'] = $row['Lname'];
-        $_SESSION['mob_no'] = $row['Mob_no'];
-        $_SESSION['department'] = $row['Dept'];
-        $_SESSION['year_of_study'] = $row['Year_of_study'];
-        $_SESSION['hostel_id'] = $row['Hostel_id'];
-        $_SESSION['room_id'] = $row['Room_id'];
-        if(isset($_SESSION['department'])){
-          echo "<script type='text/javascript'>alert('Set')</script>";
+          //session_start();
+          $_SESSION['roll'] = $row['Student_id'];
+          $_SESSION['fname'] = $row['Fname'];
+          $_SESSION['lname'] = $row['Lname'];
+          $_SESSION['mob_no'] = $row['Mob_no'];
+          $_SESSION['department'] = $row['Dept'];
+          $_SESSION['year_of_study'] = $row['Year_of_study'];
+          $_SESSION['hostel_id'] = $row['Hostel_id'];
+          $_SESSION['room_id'] = $row['Room_id'];
+          if(isset($_SESSION['department'])){
+            echo "<script type='text/javascript'>alert('Set')</script>";
+          }
+          else {
+            echo "<script type='text/javascript'>alert('Not SET')</script>";
+          }
+          //echo htmlspecialchars($_SESSION['lname']);
+          header("Location: ../home.php?login=success");
+          //exit();
         }
         else {
-          echo "<script type='text/javascript'>alert('Not SET')</script>";
+          header("Location: ../index.php?error=strangeerr");
+          exit();
         }
-        //echo htmlspecialchars($_SESSION['lname']);
-        header("Location: ../home.php?login=success");
-        //exit();
-      }
-      else {
-        header("Location: ../index.php?error=strangeerr");
-        exit();
-      }
     }
     else{
       header("Location: ../admin/create_hm.php?error=nouser");
diff --git a/includes/hm_signup.php b/includes/hm_signup.php
index ec11fcd..35ac3f4 100644
--- a/includes/hm_signup.php
+++ b/includes/hm_signup.php
@@ -24,7 +24,7 @@
   }
   else {
 
-    $sql = "SELECT Username FROM Hostel_Manager WHERE Username=?";
+    $sql = "SELECT Username FROM Hostel_Manager WHERE Username= ?";
     $stmt = mysqli_stmt_init($conn);
     if(!mysqli_stmt_prepare($stmt, $sql)){
       header("Location: ../admin/create_hm.php?error=sqlerror");
@@ -40,20 +40,28 @@
         exit();
       }
       else {
-      //  $sql = "INSERT INTO Hostel_Manager (Student_id, Fname, Lname, Mob_no, Dept, Year_of_study, Pwd) VALUES (?, ?, ?, ?, ?, ?, ?)";
-        //$sql = "INSERT INTO Hostel_Manager (Username, Fname, Lname, Mob_no, Hostel_id, Email, Pwd, Isadmin) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
-        //$stmt = mysqli_stmt_init($conn);
-
           $hashedPwd = password_hash($password, PASSWORD_DEFAULT);
-          $sql = "SELECT *FROM Hostel WHERE Hostel_name = '$hostel_name'";
-          $result = mysqli_query($conn, $sql);
+          $sql = "SELECT * FROM Hostel WHERE Hostel_name = ?";
+          $stmt = mysqli_stmt_init($conn);
+          if(!mysqli_stmt_prepare($stmt, $sql)){
+            header("Location: ../create_hm.php?error=sqlerror");
+            exit();
+          }
+          mysqli_stmt_bind_param($stmt, "s", $hostel_name);
+          mysqli_stmt_execute($stmt);
+          $result = mysqli_stmt_get_result($stmt);
           if($row = mysqli_fetch_assoc($result)){
-            $HostelID = $row[Hostel_id];
+            $HostelID = $row['Hostel_id'];
             $zz = 0;
-            $sql = "INSERT INTO Hostel_Manager (Username, Fname, Lname, Mob_no, Hostel_id, Email, Pwd, Isadmin) VALUES ('$username', '$fname', '$lname', '$mobile', '$HostelID', '$email', '$hashedPwd', '$zz')";
-          //  mysqli_stmt_bind_param($stmt, "ssssssss",'$username', $fname, $lname, $mobile, $HostelID, $email, $hashedPwd, $zz);
-          //  mysqli_stmt_execute($stmt);
-          $result = mysqli_query($conn, $sql);
+          $sql = "INSERT INTO Hostel_Manager (Username, Fname, Lname, Mob_no, Hostel_id, Pwd, Isadmin) VALUES (?, ?, ?, ?, ?, ?, ?)";
+          $stmt = mysqli_stmt_init($conn);
+          if(!mysqli_stmt_prepare($stmt, $sql)){
+            header("Location: ../create_hm.php?error=sqlerror2");
+            exit();
+          }
+          mysqli_stmt_bind_param($stmt, "sssssss", $username, $fname, $lname, $mobile, $HostelID, $hashedPwd, $zz);
+          mysqli_stmt_execute($stmt);
+          $result = mysqli_stmt_get_result($stmt);
           if($result){
             header("Location: ../admin/create_hm.php?added=success");
           }
diff --git a/includes/login-hm.inc.php b/includes/login-hm.inc.php
index 0b57cd6..83bf4f6 100644
--- a/includes/login-hm.inc.php
+++ b/includes/login-hm.inc.php
@@ -12,8 +12,15 @@
     exit();
   }
   else {
-    $sql = "SELECT *FROM Hostel_Manager WHERE Username = '$username'";
-    $result = mysqli_query($conn, $sql);
+    $sql = "SELECT * FROM Hostel_Manager WHERE Username = ?";
+    $stmt = mysqli_stmt_init($conn);
+    if(!mysqli_stmt_prepare($stmt, $sql)){
+      header("Location: ../login-hostel_manager.php?error=sqlerror");
+      exit();
+    }
+    mysqli_stmt_bind_param($stmt, "s", $username);
+    mysqli_stmt_execute($stmt);
+    $result = mysqli_stmt_get_result($stmt);
     if($row = mysqli_fetch_assoc($result)){
       $pwdCheck = password_verify($password, $row['Pwd']);
       if($pwdCheck == false){
diff --git a/includes/login.inc.php b/includes/login.inc.php
index 364c0ae..8f5d727 100644
--- a/includes/login.inc.php
+++ b/includes/login.inc.php
@@ -12,12 +12,21 @@
     exit();
   }
   else {
-    $sql = "SELECT *FROM Student WHERE Student_id = '$roll'";
-    $result = mysqli_query($conn, $sql);
+
+    $sql = "SELECT * FROM Student WHERE Student_id = ?";
+    $stmt = mysqli_stmt_init($conn);
+    if(!mysqli_stmt_prepare($stmt, $sql)){
+      header("Location: ../index.php?error=sqlerror");
+      exit();
+    }
+    mysqli_stmt_bind_param($stmt, "s", $roll);
+    mysqli_stmt_execute($stmt);
+    $result = mysqli_stmt_get_result($stmt);
+
     if($row = mysqli_fetch_assoc($result)){
       $pwdCheck = password_verify($password, $row['Pwd']);
       if($pwdCheck == false){
-        header("Location: ../index.php?error=wrongpwd");
+        header("Location: ../index.php?error=wrongcreds");
         exit();
       }
       else if($pwdCheck == true) {
@@ -47,7 +56,7 @@
       }
     }
     else{
-      header("Location: ../index.php?error=nouser");
+      header("Location: ../index.php?error=wrongcreds");
       exit();
     }
   }

From 4238d674106cc0944381f34eaa7313b59848d450 Mon Sep 17 00:00:00 2001
From: = <a.sefaozan@gmail.com>
Date: Mon, 7 Mar 2022 22:27:57 +0300
Subject: [PATCH 3/3] SQL Injection Vulnerability Fixed

---
 admin/students.php        |   8 +--
 application_form.php      | 130 +++++++++++++++++++++++---------------
 contact.php               |  36 +++++++++--
 contact_manager.php       |  17 +++--
 includes/hm_remove.php    |   3 -
 includes/login-hm.inc.php |   2 +-
 message_user.php          |  19 ++++--
 profile.php               |  35 ++++++++--
 8 files changed, 165 insertions(+), 85 deletions(-)

diff --git a/admin/students.php b/admin/students.php
index 808d937..77e509f 100644
--- a/admin/students.php
+++ b/admin/students.php
@@ -67,7 +67,7 @@ function hideURLbar() {
 							<a class="nav-link" href="admin_contact.php">Contact</a>
 						</li>
 			            <li class="dropdown nav-item">
-						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo $_SESSION['username']; ?>
+						<a href="#" class="dropdown-toggle nav-link" data-toggle="dropdown"><?php echo htmlspecialchars($_SESSION['username']); ?>
 							<b class="caret"></b>
 						</a>
 						<ul class="dropdown-menu agile_short_dropdown">
@@ -109,7 +109,7 @@ function hideURLbar() {
 <?php
    if (isset($_POST['search'])) {
    	   $search_box = $_POST['search_box'];
-   	   /*echo "<script type='text/javascript'>alert('<?php echo $search_box; ?>')</script>";*/
+   	   /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($search_box); ?>')</script>";*/
    	   $hostel_id = $_SESSION['hostel_id'];
    	   $query_search = "SELECT * FROM Student WHERE Student_id like '$search_box%'";
    	   $result_search = mysqli_query($conn,$query_search);
@@ -151,7 +151,7 @@ function hideURLbar() {
             //student name
             $student_name = $row_search['Fname']." ".$row_search['Lname'];
 
-      		echo "<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$row_search['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row_search['Student_id']}</td><td>{$row_search['Mob_no']}</td><td>{$hostel_name}</td><td>{$room_no}</td></tr>\n");
    	   }
    }
    ?>
@@ -213,7 +213,7 @@ function hideURLbar() {
             //student name
             $student_name = $row1['Fname']." ".$row1['Lname'];
 
-      		echo "<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$row1['Mob_no']}</td><td>{$HNM}</td><td>{$room_no}</td></tr>\n";
+      		echo htmlspecialchars("<tr><td>{$student_name}</td><td>{$row1['Student_id']}</td><td>{$row1['Mob_no']}</td><td>{$HNM}</td><td>{$room_no}</td></tr>\n");
       	}
       }
     ?>
diff --git a/application_form.php b/application_form.php
index b6d2db5..a716482 100644
--- a/application_form.php
+++ b/application_form.php
@@ -204,60 +204,86 @@ function hideURLbar() {
 </html>
 
 <?php
-   //echo 'Hello';
-   
-   if(isset($_POST['submit'])){
-     $roll = $_SESSION['roll'];
-     $password = $_POST['pwd'];
-     $hostel = $_GET['id'];
-     $message = $_POST['Message'];
+   	if(isset($_POST['submit'])){
+    	$roll = $_SESSION['roll'];
+     	$password = $_POST['pwd'];
+     	$hostel = $_GET['id'];
+     	$message = $_POST['Message'];
 
      /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($roll); ?>')</script>";*/
-     $query_imp = "SELECT * FROM Student WHERE Student_id = '$roll'";
-     $result_imp = mysqli_query($conn,$query_imp);
-     $row_imp = mysqli_fetch_assoc($result_imp);
-     $room_id = $row_imp['Room_id'];
-     /*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($room_id); ?>')</script>";*/
-     if(is_null($room_id)){
-     
-     $query_imp2 = "SELECT * FROM Application WHERE Student_id = '$roll'";
-     $result_imp2 = mysqli_query($conn,$query_imp2);
-     if(mysqli_num_rows($result_imp2)==0){
-
-
-     $query = "SELECT * FROM Student WHERE Student_id = '$roll'";
-     $result = mysqli_query($conn,$query);
-     if($row = mysqli_fetch_assoc($result)){
-     	$pwdCheck = password_verify($password, $row['Pwd']);
-     	
-        if($pwdCheck == false){
-            echo "<script type='text/javascript'>alert('Incorrect Password!!')</script>";
-      }
-      else if($pwdCheck == true) {
-
-      	    $query2 = "SELECT * FROM Hostel WHERE Hostel_name = '$hostel'";
-      	    $result2 = mysqli_query($conn,$query2);
-      	    $row2 = mysqli_fetch_assoc($result2);
-      	    $hostel_id = $row2['Hostel_id'];
-            $query3 = "INSERT INTO Application (Student_id,Hostel_id,Application_status,Message) VALUES ('$roll','$hostel_id',true,'$message')";
-            $result3 = mysqli_query($conn,$query3);
-
-            if($result3){
-            	 echo "<script type='text/javascript'>alert('Application sent successfully')</script>";
-            }
-      }
-     }
-
-     }
-     else{
-     	echo "<script type='text/javascript'>alert('You have Already applied for a Room')</script>";
-     }
-    
-     }
-     else{
-          echo "<script type='text/javascript'>alert('You have Already been alloted a Room')</script>";   
-      }
+		$query_imp = "SELECT * FROM Student WHERE Student_id = ?";
+		$stmt = mysqli_stmt_init($conn);
+		if(!mysqli_stmt_prepare($stmt, $query_imp)){
+			header("Location: ../create_hm.php?error=sqlerror");
+			exit();
+		}
+			mysqli_stmt_bind_param($stmt, "s", $roll);
+			mysqli_stmt_execute($stmt);
+			$result_imp = mysqli_stmt_get_result($stmt);
+			$row_imp = mysqli_fetch_assoc($result_imp);
+			$room_id = $row_imp['Room_id'];
+			/*echo "<script type='text/javascript'>alert('<?php echo htmlspecialchars($room_id); ?>')</script>";*/
+			if(is_null($room_id)){
+			$query_imp2 = "SELECT * FROM Application WHERE Student_id = ?";
+			$stmt = mysqli_stmt_init($conn);
+			if(!mysqli_stmt_prepare($stmt, $query_imp2)){
+				header("Location: ../create_hm.php?error=sqlerror");
+				exit();
+			}
+				mysqli_stmt_bind_param($stmt, "s", $roll);
+				mysqli_stmt_execute($stmt);
+				$result_imp2 = mysqli_stmt_get_result($stmt);
 
+				if(mysqli_num_rows($result_imp2)==0){
+					$query = "SELECT * FROM Student WHERE Student_id = ?";
+					$stmt = mysqli_stmt_init($conn);
+					if(!mysqli_stmt_prepare($stmt, $query)){
+						header("Location: ../create_hm.php?error=sqlerror");
+						exit();
+					}
+					mysqli_stmt_bind_param($stmt, "s", $roll);
+					mysqli_stmt_execute($stmt);
+					$result = mysqli_stmt_get_result($stmt);
+					if($row = mysqli_fetch_assoc($result)){
+						$pwdCheck = password_verify($password, $row['Pwd']);
+						if($pwdCheck == false){
+							echo "<script type='text/javascript'>alert('Incorrect Password!!')</script>";
+						}
+						else if($pwdCheck == true) {
+							$query2 = "SELECT * FROM Hostel WHERE Hostel_name = ?";
+							$stmt = mysqli_stmt_init($conn);
+							if(!mysqli_stmt_prepare($stmt, $query2)){
+								header("Location: ../create_hm.php?error=sqlerror");
+								exit();
+							}
+							mysqli_stmt_bind_param($stmt, "s", $hostel);
+							mysqli_stmt_execute($stmt);
+							$result2 = mysqli_stmt_get_result($stmt);
+							$row2 = mysqli_fetch_assoc($result2);
+							$hostel_id = $row2['Hostel_id'];
+							$Application_status = 1;
 
-}
+							$query3 = "INSERT INTO Application (Student_id, Hostel_id, Application_status, Message) VALUES (?, ?, ?, ?)";
+							$stmt = mysqli_stmt_init($conn);
+							if(!mysqli_stmt_prepare($stmt, $query3)){
+							header("Location: ../create_hm.php?error=sqlerror");
+							exit();
+							}
+							mysqli_stmt_bind_param($stmt, "ssss", $roll, $hostel_id, $Application_status, $message);
+							mysqli_stmt_execute($stmt);
+							$result3 = mysqli_stmt_affected_rows($stmt);
+							if($result3){
+								echo "<script type='text/javascript'>alert('Application sent successfully')</script>";
+							}
+						}
+					}
+				}
+				else{
+					echo "<script type='text/javascript'>alert('You have Already applied for a Room')</script>";
+				}
+			}
+			else{
+				echo "<script type='text/javascript'>alert('You have Already been alloted a Room')</script>";   
+			}
+	}
 ?>
\ No newline at end of file
diff --git a/contact.php b/contact.php
index 6b36ce9..a6be3d6 100644
--- a/contact.php
+++ b/contact.php
@@ -212,23 +212,45 @@ function hideURLbar() {
 	$message = $_POST['message'];
 	$hostel_name = $_POST['hostel_name'];
 
-    $query7 = "SELECT * FROM Hostel WHERE Hostel_name = '$hostel_name'";
-    $result7 = mysqli_query($conn,$query7);
+    $query7 = "SELECT * FROM Hostel WHERE Hostel_name = ?";
+	$stmt = mysqli_stmt_init($conn);
+	if(!mysqli_stmt_prepare($stmt, $query7)){
+	  header("Location: ../create_hm.php?error=sqlerror");
+	  exit();
+	}
+	mysqli_stmt_bind_param($stmt, "s", $hostel_name);
+	mysqli_stmt_execute($stmt);
+	$result7 = mysqli_stmt_get_result($stmt);
     $row7 = mysqli_fetch_assoc($result7);
     $hostel_id = $row7['Hostel_id'];
 
-    $query6 = "SELECT * FROM Hostel_Manager WHERE Hostel_id = '$hostel_id'";
-    $result6 = mysqli_query($conn,$query6);
+    $query6 = "SELECT * FROM Hostel_Manager WHERE Hostel_id = ?";
+	$stmt = mysqli_stmt_init($conn);
+	if(!mysqli_stmt_prepare($stmt, $query6)){
+	  header("Location: ../create_hm.php?error=sqlerror");
+	  exit();
+	}
+	mysqli_stmt_bind_param($stmt, "s", $hostel_id);
+	mysqli_stmt_execute($stmt);
+	$result6 = mysqli_stmt_get_result($stmt);
     $row6 = mysqli_fetch_assoc($result6);
-    $hos_man_user = $row6['Hostel_man_id'];
+    $hos_man_id = $row6['Hostel_man_id'];
 
 	$roll = $_SESSION['roll'];
 
     $today_date =  date("Y-m-d");
     $time = date("h:i A");
 
-	$query = "INSERT INTO Message (sender_id,receiver_id,hostel_id,subject_h,message,msg_date,msg_time) VALUES ('$roll','$hos_man_id','$hostel_id','$subject','$message','$today_date','$time')";
-    $result = mysqli_query($conn,$query);
+	$query = "INSERT INTO Message (sender_id, receiver_id, hostel_id, subject_h, message, msg_date, msg_time) VALUES (?, ?, ?, ?, ?, ?, ?)";
+    
+	$stmt = mysqli_stmt_init($conn);
+	if(!mysqli_stmt_prepare($stmt, $query)){
+	  header("Location: ../create_hm.php?error=sqlerror");
+	  exit();
+	}
+	mysqli_stmt_bind_param($stmt, "sssssss", $roll, $hos_man_id, $hostel_id, $subject, $message, $today_date, $time);
+	mysqli_stmt_execute($stmt);
+	$result = mysqli_stmt_affected_rows($stmt);
     if($result){
          echo "<script type='text/javascript'>alert('Message sent Successfully!')</script>";
     }
diff --git a/contact_manager.php b/contact_manager.php
index 9c38bea..f97b3e0 100644
--- a/contact_manager.php
+++ b/contact_manager.php
@@ -108,11 +108,18 @@ function hideURLbar() {
 </div>
 <!-- //banner --> 
 <?php
-$hostel_id = $_SESSION['hostel_id'];
-$query6 = "SELECT * FROM Hostel WHERE Hostel_id = '$hostel_id'";
-       $result6 = mysqli_query($conn,$query6);
-       $row6 = mysqli_fetch_assoc($result6);
-       $hostel_name = $row6['Hostel_name'];
+	$hostel_id = $_SESSION['hostel_id'];
+	$query6 = "SELECT * FROM Hostel WHERE Hostel_id = ?";
+	$stmt = mysqli_stmt_init($conn);
+	if(!mysqli_stmt_prepare($stmt, $query6)){
+		header("Location: ../create_hm.php?error=sqlerror");
+		exit();
+	}
+	mysqli_stmt_bind_param($stmt, "s", $hostel_id);
+	mysqli_stmt_execute($stmt);
+	$result6 = mysqli_stmt_get_result($stmt);
+    $row6 = mysqli_fetch_assoc($result6);
+   $hostel_name = $row6['Hostel_name'];
 ?>
 <!-- contact -->
 <section class="contact py-5">
diff --git a/includes/hm_remove.php b/includes/hm_remove.php
index 4ea878d..5c70108 100644
--- a/includes/hm_remove.php
+++ b/includes/hm_remove.php
@@ -22,7 +22,6 @@
       mysqli_stmt_bind_param($stmt, "s", $username);
       mysqli_stmt_execute($stmt);
       $result = mysqli_stmt_get_result($stmt);
-      $result = mysqli_query($conn, $sql);
       if($row = mysqli_fetch_assoc($result)){
         $sql2 = "SELECT * FROM Hostel WHERE Hostel_name = ?";
         $stmt2 = mysqli_stmt_init($conn);
@@ -33,7 +32,6 @@
         mysqli_stmt_bind_param($stmt2, "s", $hostel_name);
         mysqli_stmt_execute($stmt2);
         $result2 = mysqli_stmt_get_result($stmt2);
-        $result2 = mysqli_query($conn, $sql2);
         if($row2 = mysqli_fetch_assoc($result2)){
           $HNO = $row2['Hostel_id'];
           if ($HNO == $row['Hostel_id']) {
@@ -52,7 +50,6 @@
               mysqli_stmt_bind_param($stmt3, "s", $username);
               mysqli_stmt_execute($stmt3);
               $result3 = mysqli_stmt_get_result($stmt3);
-              $result3 = mysqli_query($conn, $sql3);
               if($result3){
                 header("Location: ../admin/create_hm.php?DeletionSuccessful");
                 exit();
diff --git a/includes/login-hm.inc.php b/includes/login-hm.inc.php
index 83bf4f6..228b5b6 100644
--- a/includes/login-hm.inc.php
+++ b/includes/login-hm.inc.php
@@ -24,7 +24,7 @@
     if($row = mysqli_fetch_assoc($result)){
       $pwdCheck = password_verify($password, $row['Pwd']);
       if($pwdCheck == false){
-        header("Location: ../login-hostel_manager.php?error=wrongpwd");
+        header("Location: ../login-hostel_manager.php?error=wrongcreds");
         exit();
       }
       else if($pwdCheck == true) {
diff --git a/message_user.php b/message_user.php
index e84eb9f..7a4b67a 100644
--- a/message_user.php
+++ b/message_user.php
@@ -102,16 +102,23 @@ function hideURLbar() {
 
 <?php
     $roll_no = $_SESSION['roll'];
-    $query = "SELECT * FROM Message WHERE receiver_id ='$roll_no'";
-    $result = mysqli_query($conn,$query);
+    $query = "SELECT * FROM Message WHERE receiver_id = ?";
+	$stmt = mysqli_stmt_init($conn);
+	if(!mysqli_stmt_prepare($stmt, $query)){
+	  header("Location: ../create_hm.php?error=sqlerror");
+	  exit();
+	}
+	mysqli_stmt_bind_param($stmt, "s", $roll_no);
+	mysqli_stmt_execute($stmt);
+	$result = mysqli_stmt_get_result($stmt);
 
     while ($row = mysqli_fetch_assoc($result)){  
     	$hostel_id = $row['hostel_id'];
     	$query6 = "SELECT * FROM Hostel WHERE Hostel_id = '$hostel_id'";
-       $result6 = mysqli_query($conn,$query6);
-       $row6 = mysqli_fetch_assoc($result6);
-       $hostel_name = $row6['Hostel_name'];
-          ?> 
+       	$result6 = mysqli_query($conn,$query6);
+       	$row6 = mysqli_fetch_assoc($result6);
+       	$hostel_name = $row6['Hostel_name'];
+?> 
 
     <div class="container">
       <div class="card">
diff --git a/profile.php b/profile.php
index 78cf247..e76e63e 100644
--- a/profile.php
+++ b/profile.php
@@ -174,9 +174,16 @@ function hideURLbar() {
 											if($hostelId == NULL){
 												$hostelName = 'None';
 											}
-											else {
-												$sql = "SELECT * FROM Hostel WHERE Hostel_id = '$hostelId'";
-												$result = mysqli_query($conn, $sql);
+											else {				
+												$sql = "SELECT * FROM Hostel WHERE Hostel_id = ?";
+												$stmt = mysqli_stmt_init($conn);
+												if(!mysqli_stmt_prepare($stmt, $sql)){
+												  header("Location: ../create_hm.php?error=sqlerror");
+												  exit();
+												}
+												mysqli_stmt_bind_param($stmt, "s", $hostelId);
+												mysqli_stmt_execute($stmt);
+												$result = mysqli_stmt_get_result($stmt);
 												if($row = mysqli_fetch_assoc($result)){
 													$hostelName = $row['Hostel_name'];
 												}
@@ -199,8 +206,15 @@ function hideURLbar() {
 												$roomNo = 'None';
 											}
 											else {
-												$sql = "SELECT * FROM Room WHERE Room_id = '$roomId'";
-												$result = mysqli_query($conn, $sql);
+												$sql = "SELECT * FROM Room WHERE Room_id = ?";
+												$stmt = mysqli_stmt_init($conn);
+												if(!mysqli_stmt_prepare($stmt, $sql)){
+												  header("Location: ../create_hm.php?error=sqlerror");
+												  exit();
+												}
+												mysqli_stmt_bind_param($stmt, "s", $roomId);
+												mysqli_stmt_execute($stmt);
+												$result = mysqli_stmt_get_result($stmt);
 												if($row = mysqli_fetch_assoc($result)){
 													$roomNo = $row['Room_No'];
 												}
@@ -281,8 +295,15 @@ function hideURLbar() {
 							<div class="abt-agile-right">
 								<?php
 									$Hid = $_SESSION['hostel_id'];
-									$sql1 = "SELECT * FROM Hostel_Manager WHERE Hostel_id = '$Hid'";
-									$result1 = mysqli_query($conn, $sql1);
+									$sql1 = "SELECT * FROM Hostel_Manager WHERE Hostel_id = ?";
+									$stmt = mysqli_stmt_init($conn);
+									if(!mysqli_stmt_prepare($stmt, $sql1)){
+									  header("Location: ../create_hm.php?error=sqlerror");
+									  exit();
+									}
+									mysqli_stmt_bind_param($stmt, "s", $Hid);
+									mysqli_stmt_execute($stmt);
+									$result1 = mysqli_stmt_get_result($stmt);
 									if($row1 = mysqli_fetch_assoc($result1)){
 										$hmfname = $row1['Fname'];
 										$hmlname = $row1['Lname'];