From 6e07ddc94c4dbac077f25ce60a868982e55f9c16 Mon Sep 17 00:00:00 2001
From: Xuxfff <1683793776@qq.com>
Date: Wed, 12 Oct 2022 13:57:35 +0800
Subject: [PATCH 1/6] =?UTF-8?q?fix:=E4=BF=AE=E5=A4=8D=E4=BA=86=E4=BB=BB?=
 =?UTF-8?q?=E6=84=8F=E6=96=87=E4=BB=B6=E8=AF=BB=E5=8F=96=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Download.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Download.php b/Download.php
index 4ddeb4b..d59e90e 100644
--- a/Download.php
+++ b/Download.php
@@ -8,7 +8,7 @@ session_start();
 // 修改这一行设置你的文件下载目录
 // IMPORTANT: Do not delete the following conditional test
-if (strpos($_GET['file'], "../") != false) { // 检查是否有 ../,防止用户构造路径,访问某个他不应该访问的目录
+if (strpos($_GET['file'], "../") !== false) { // 检查是否有 ../,防止用户构造路径,访问某个他不应该访问的目录
 die("Sorry. Nothing to download.");
 }
-- 2.17.1

From 4bf8d8d9705254285e1c2e52222314075f02a6cb Mon Sep 17 00:00:00 2001
From: Xuxfff <1683793776@qq.com>
Date: Wed, 12 Oct 2022 14:05:56 +0800
Subject: [PATCH 2/6] =?UTF-8?q?fix:=E4=BF=AE=E5=A4=8D=E4=BA=86xss=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Reset_password.php | 4 ++--
 recover_password.php | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Reset_password.php b/Reset_password.php
index 7af1740..02a277e 100644
--- a/Reset_password.php
+++ b/Reset_password.php
@@ -8,8 +8,8 @@ include 'Header.php';
-$token=$_GET['token'];
-$email=$_GET['email'];
+$token=htmlspecialchars($_GET['token']);
+$email=htmlspecialchars($_GET['email']);
 ?>
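Review bot: After the `!==` fix the guard on the new `if` line is still a denylist on one substring: it rejects only a literal `../`, so an absolute path in `$_GET['file']`, or any separator variant the substring does not cover, is not caught, and a missing parameter raises an undefined-key warning before the check runs. A canonicalisation check against the configured directory is the robust form, with `<download dir>` standing for the path the comment two lines above tells the deployer to set: `$path = realpath(<download dir> . '/' . ($_GET['file'] ?? ''));` followed by `if ($path === false || !str_starts_with($path, realpath(<download dir>) . DIRECTORY_SEPARATOR)) { die("Sorry. Nothing to download."); }`. `str_starts_with()` needs PHP 8; on older runtimes `strncmp()` with the prefix length does the same job. The code that reads and serves the file is outside the hunk, so how `$_GET['file']` is consumed afterwards cannot be confirmed from here.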
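Review bot: `htmlspecialchars()` is applied at input time on the two new lines, so `$token` and `$email` are HTML-encoded before they are presumably used for the password-reset lookup as well as for display; a value containing `&`, `"` or (on PHP 8.1+) `'` will no longer match what was stored, and if the template escapes again on output the result is double-encoded. Escaping belongs at the HTML output point, with explicit flags so single-quoted attributes are covered on every PHP version: `htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; any database lookup should receive the raw value through a prepared statement instead. Both reads also raise an undefined-key warning when the parameter is absent, which `$_GET['token'] ?? ''` avoids. How the two variables are used after `?>` is outside the hunk.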
diff --git a/recover_password.php b/recover_password.php index 0512f13..d9ae8a2 100644 --- a/recover_password.php +++ b/recover_password.php @@ -27,9 +27,9 @@ include 'Header.php';
- Student number + Student number
- Email + Email
@@ -38,7 +38,7 @@ include 'Header.php'; '; + echo '
'; $_SESSION['info_recover_password']=null; } -- 2.17.1 From 38551c4174824623076a07e7fe3ee104291afa06 Mon Sep 17 00:00:00 2001 From: Xuxfff <1683793776@qq.com> Date: Wed, 12 Oct 2022 14:17:33 +0800 Subject: [PATCH 3/6] fix:fix the sql injection --- batch_insert.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/batch_insert.php b/batch_insert.php index 20867af..afad832 100644 --- a/batch_insert.php +++ b/batch_insert.php @@ -19,7 +19,7 @@ if (!$conn) { } //获得用户名数据 -$source = $_POST['users']; +$source = mysqli_real_escape_string($conn,$_POST['users']); //如有多个空格,删除剩一个空格 $source1 = preg_replace('/\s\s+/', ' ', $source); @@ -31,13 +31,12 @@ $source2 = trim($source1); //根据空格拆分 $user = explode(' ', $source2); - //插入数据 for($index=0; $index < count($user); $index++) { $result = mysqli_query($conn, "SELECT * FROM `students_data` WHERE Student_ID='$user[$index]'"); if (mysqli_num_rows($result) < 1) { if (! mysqli_query($conn, "REPLACE INTO `students_data`(`Student_ID`, `Passport_Number`) VALUES('$user[$index]', '')" ) ) { - echo "SQL Error: " . $sql_stmt . "
" . mysqli_error($conn); + echo "SQL Error: " . $sql_stmt . "
" .htmlspecialchars(mysqli_error($conn)); } else { echo "

Student number $user[$index] added.

"; } -- 2.17.1 From e8a181d795691be230841ea487d9ffbd4b4e3fb7 Mon Sep 17 00:00:00 2001 From: Xuxfff <1683793776@qq.com> Date: Wed, 12 Oct 2022 14:17:50 +0800 Subject: [PATCH 4/6] fix:fix the sql injection --- Script.php | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/Script.php b/Script.php index d1110ef..b089078 100644 --- a/Script.php +++ b/Script.php @@ -248,7 +248,7 @@ if (!empty($_POST["frm_reset_password"])) { // Password Update $hashed_password = hash('sha512', $password); - $sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID=$userid;"; + $sql = "UPDATE users_table set HashPassword='$hashed_password' where User_ID='$userid';"; if ($con->query($sql) === TRUE) { error_reporting(0); @@ -430,7 +430,7 @@ if (!empty($_POST["frm_uploadlab"])) { $sql = "INSERT INTO `lab_reports_table`(`Course_ID`, `Posted_Date`, `Deadline`, `Instructions`, `Title`, `Attachment_link_1`, `Attachment_link_2`, `Attachment_link_3`, `Attachment_link_4`,Marks,Type) - VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3',$marks,'$type')"; + VALUES ('$course_id','$date','$deadline','$instructions','$title','$targetfile','$targetfile2','$targetfile3','$targetfile3','$marks','$type')"; if ($con->query($sql) === TRUE) { @@ -467,7 +467,7 @@ if (!empty($_POST["frm_submitlab"])) { $date = date("Y-m-d H:i:s"); // GET UPLOADED FILES - $labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID=$lab_id"); + $labName = mysqli_query($con, "SELECT * FROM `lab_reports_table` WHERE Lab_Report_ID='$lab_id'"); while ($row = mysqli_fetch_assoc($labName)) { $lab_name = $row['Title']; $_SESSION['Sub_Type'] = $row['Type']; // submission type, either Individual or Group 
@@ -571,13 +571,13 @@ if (!empty($_POST["frm_submitlab"])) {
 $group_id = 0; // FIXME
 }
- $sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID=$lab_id and Student_id=$student_id and Course_Group_id=$group_id";
+ $sql1 = "DELETE FROM lab_report_submissions where Lab_Report_ID='$lab_id' and Student_id='$student_id' and Course_Group_id='$group_id'";
 if ($con->query($sql1) === TRUE) {
 }
 $sql = "INSERT INTO `lab_report_submissions`(`Submission_Date`, `Lab_Report_ID`, `Student_id`,"
 . " `Course_Group_id`, `Attachment1`, `Notes`, `Attachment2`, `Attachment3`, `Attachment4`, `Status`, `Title`,`Remarking_Reason`)"
- . " VALUES ('$date',$lab_id,$student_id,$group_id,'$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4',"
+ . " VALUES ('$date','$lab_id','$student_id','$group_id','$targetfile','$instructions','$targetfile2','$targetfile3','$targetfile4',"
 . "'Pending','$title','')";
 if ($con->query($sql) === TRUE) {
@@ -665,7 +665,7 @@ if (!empty($_GET["updatevisibility"])) {
 $header = mysqli_real_escape_string($con, $_GET["header"]);
 $labid = mysqli_real_escape_string($con, $_GET["labid"]);
- $sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID=$id
+ $sql = "UPDATE `lab_report_submissions` SET `Visibility`='$status' WHERE Submission_ID='$id'
 ";
 if ($con->query($sql) === TRUE) {
@@ -687,7 +687,7 @@ if (!empty($_GET["remarking"])) {
 $status = mysqli_real_escape_string($con, $_GET["status"]);
 $details = mysqli_real_escape_string($con, $_GET["details"]);
- $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID=$id
+ $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID='$id'
 ";
 if ($con->query($sql) === TRUE) {
@@ -709,7 +709,7 @@ if (!empty($_GET["creategroup"])) {
 $name = mysqli_real_escape_string($con, $_GET["name"]);
 $sql = "INSERT INTO `course_groups_table`(`Group_Name`,
- `Group_Leader`, `Course_id`) VALUES ('$name',$student_id,$id)";
+ `Group_Leader`, `Course_id`) VALUES ('$name','$student_id','$id')";
 if ($con->query($sql) === TRUE) {
@@ -719,7 +719,7 @@ if (!empty($_GET["creategroup"])) {
 }
 $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`)
- VALUES ($gid,$student_id,'Created')";
+ VALUES ('$gid','$student_id','Created')";
 if ($con->query($sql) === TRUE) {
 $_SESSION["info_ReMarking"] = "Course group Created";
 header("Location: Course.php?url=" . $url);
@@ -746,7 +746,7 @@ if (!empty($_GET["groupinvite"])) {
 header("Location: Course.php?url=" . $url);
 } else {
 $sql = "INSERT INTO `course_group_members_table`( `Course_Group_id`, `Student_ID`, `Status`)
- VALUES ($groupid,$student_id,'Invited')";
+ VALUES ('$groupid','$student_id','Invited')";
 }
 if ($con->query($sql) === TRUE) {
@@ -800,10 +800,10 @@ if (!empty($_GET["acceptinvite"])) {
 $groupid = mysqli_real_escape_string($con, $_GET["groupid"]);
 if ($action == 1) {
- $sql = "Update `course_group_members_table` set Status='Joined' where Course_Group_id =$groupid and student_id=$student_id
+ $sql = "Update `course_group_members_table` set Status='Joined' where Course_Group_id ='$groupid' and student_id='$student_id'
 ";
 } else {
- $sql = "Delete from `course_group_members_table` where Course_Group_id =$groupid and student_id=$student_id
+ $sql = "Delete from `course_group_members_table` where Course_Group_id ='$groupid' and student_id='$student_id'
 ";
 }
@@ -830,11 +830,11 @@ if (!empty($_GET["extenddeadline"])) {
 $deadline = $date . " " . $time;
 if ($type == 1) {
- $sql = "UPDATE `lab_reports_table` SET `Deadline`='$deadline' WHERE Lab_Report_ID=$id";
+ $sql = "UPDATE `lab_reports_table` SET `Deadline`='$deadline' WHERE Lab_Report_ID='$id'";
 } else {
 $sql = "INSERT INTO `extended_deadlines_table`(`Student_ID`, "
 . "`Lab_Report_ID`, `Extended_Deadline_Date`,"
- . " `ReasonsForExtension`) VALUES ($stdid,$id,'$deadline','$reason')";
+ . " `ReasonsForExtension`) VALUES ('$stdid','$id','$deadline','$reason')";
 }
 if ($con->query($sql) === TRUE) {
@@ -856,7 +856,7 @@ if (!empty($_GET["ignoreremarking"])) {
 $subid = mysqli_real_escape_string($con, $_GET["subid"]);
- $sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID=$subid";
+ $sql = "UPDATE lab_report_submissions SET Status='Marked' WHERE Submission_ID='$subid'";
 if ($con->query($sql) === TRUE) {
@@ -874,7 +874,7 @@ if (!empty($_GET["assignTA"])) {
 $id = mysqli_real_escape_string($con, $_GET["id"]);
 $ta = mysqli_real_escape_string($con, $_GET["ta"]);
- $sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ($id,$ta)";
+ $sql = "INSERT INTO `course_ta`(`Course_ID`, `TA`) VALUES ('$id','$ta')";
 if ($con->query($sql) === TRUE) {
@@ -893,9 +893,9 @@ if (!empty($_GET["AcceptStudent"])) {
 $rs = mysqli_real_escape_string($con, $_GET["rs"]);
 if ($rs == "yes") {
- $sql = "Update course_students_table set Status='Joined' Where ID=$id";
+ $sql = "Update course_students_table set Status='Joined' Where ID='$id'";
 } else {
- $sql = "Delete FROM course_students_table Where ID=$id";
+ $sql = "Delete FROM course_students_table Where ID='$id'";
 }
 if ($con->query($sql) === TRUE) {
@@ -931,7 +931,7 @@ if (!empty($_GET["action"])) {
 }
 if ($action == "passchange" && $_SESSION['user_id'] == $uid) {
- $sql = "UPDATE users_table set Password='$pass' where User_ID=$uid;";
+ $sql = "UPDATE users_table set Password='$pass' where User_ID='$uid';";
 if ($con->query($sql) === TRUE) {
 error_reporting(0);
 echo "Password has been changed";
@@ -945,7 +945,7 @@ if (!empty($_GET["action"])) {
 }
 if ($action == "statuschange" && $_SESSION['user_id'] == $uid && ($_SESSION['user_type'] == "Lecturer" || $_SESSION['user_type'] == "Admin")) {
- $sql = "UPDATE users_table set Status='$status' where User_ID=$uid;";
+ $sql = "UPDATE users_table set Status='$status' where User_ID='$uid';";
 if ($con->query($sql) === TRUE) {
 $_SESSION["info_Admin_Users"] = $type . " user Status updated successfully ";
 header("Location: Admin.php");
@@ -1018,7 +1018,7 @@ INNER JOIN lab_reports_table on lab_reports_table.Lab_Report_ID=lab_report_submi
 INNER JOIN users_table on users_table.Student_ID=lab_report_submissions.Student_id
-WHERE lab_report_submissions.Lab_Report_ID=$lab";
+WHERE lab_report_submissions.Lab_Report_ID='$lab'";
 $export = mysqli_query($con, $select);
-- 2.17.1

From 308df1617c58dff6902f7f340c47280973e61392 Mon Sep 17 00:00:00 2001
From: Xuxfff <1683793776@qq.com>
Date: Thu, 13 Oct 2022 19:53:39 +0800
Subject: [PATCH 5/6] fix:fix the Stored XSS

---
 Script.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Script.php b/Script.php
index b089078..7191f4d 100644
--- a/Script.php
+++ b/Script.php
@@ -681,11 +681,11 @@ if (!empty($_GET["updatevisibility"])) {
 if (!empty($_GET["remarking"])) {
- $id = mysqli_real_escape_string($con, $_GET["id"]);
- $url = mysqli_real_escape_string($con, $_GET["url"]);
+ $id = htmlspecialchars(mysqli_real_escape_string($con, $_GET["id"]));
+ $url = htmlspecialchars(mysqli_real_escape_string($con, $_GET["url"]));
- $status = mysqli_real_escape_string($con, $_GET["status"]);
- $details = mysqli_real_escape_string($con, $_GET["details"]);
+ $status = htmlspecialchars(mysqli_real_escape_string($con, $_GET["status"]));
+ $details = htmlspecialchars(mysqli_real_escape_string($con, $_GET["details"]));
 $sql = "UPDATE `lab_report_submissions` SET `Status`='Remarking',Remarking_Reason='$details' WHERE Submission_ID='$id'
 ";
-- 2.17.1

From 94ca1c51b32b3efea8e4fa0a520e5db6666a38f9 Mon Sep 17 00:00:00 2001
From: Hui Lan
Date: Tue, 25 Oct 2022 16:33:17 +0800
Subject: [PATCH 6/6] Reset_password.php: add whitespaces around =

---
 Reset_password.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Reset_password.php b/Reset_password.php
index 02a277e..d08d9ab 100644
--- a/Reset_password.php
+++ b/Reset_password.php
@@ -8,8 +8,8 @@ include 'Header.php';
-$token=htmlspecialchars($_GET['token']);
-$email=htmlspecialchars($_GET['email']);
+$token = htmlspecialchars($_GET['token']);
+$email = htmlspecialchars($_GET['email']);
 ?>
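Review bot: The four new assignments HTML-encode the values at input, and `$details` and `$id` then go into the `UPDATE` string on the following lines, so `Remarking_Reason` is stored HTML-encoded (`&` becomes `&amp;`, `"` becomes `&quot;`, and on PHP 8.1+ `'` becomes `&#039;`); the quote that `mysqli_real_escape_string()` had just backslash-escaped is rewritten into its entity, which leaves the SQL escaping a no-op on those characters and corrupts the stored text rather than protecting it. The stored-XSS fix belongs where the column is rendered — `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at the echo, with `$value` standing for the fetched column — while this query should bind the raw `$details` and `$id` through `prepare()`/`bind_param()`. If the remarking block redirects with `header("Location: Course.php?url=" . $url)` as the creategroup and groupinvite blocks in this file do, entity-encoding `$url` also alters any `&` in the redirect target. The remarking block continues past this hunk's last line.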
-- 2.17.1