Changeset 3406150

Timestamp:

11/30/2025 12:11:33 PM (3 months ago)

Author:

owthub

Message:

Security Issue Fixed -> Changes in Public Request

File:

• library-management-system/trunk/public/class-library-management-system-public.php (modified) (1 diff)

library-management-system/trunk/public/class-library-management-system-public.php

@@ -88 +88 @@
 
     // All books Shortcode Handler
-    public function owt7_library_all_books_shortcode($template){
-
+    public function owt7_library_all_books_shortcode($template) {
         global $wpdb;
 
-        $book_id = isset( $_REQUEST['bid'] ) ? trim( $_REQUEST['bid'] ) : "";
+        $raw_bid = isset( $_REQUEST['bid'] ) ? trim( wp_unslash( $_REQUEST['bid'] ) ) : '';
+        $book_id = 0;
 
-        $book_id = base64_decode($book_id);
+        if ( $raw_bid !== '' ) {
 
-        if($book_id && intval($book_id) > 0){
-            // Single book data
-            $book = $wpdb->get_row(
-                "SELECT book.*, (SELECT category.name FROM ".$this->table_activator->owt7_library_tbl_category()." as category WHERE category.id = book.category_id LIMIT 1) as category_name, (SELECT bkcase.name FROM ".$this->table_activator->owt7_library_tbl_bookcase()." as bkcase WHERE bkcase.id = book.bookcase_id LIMIT 1) as bookcase_name, (SELECT section.name FROM ".$this->table_activator->owt7_library_tbl_bookcase_sections()." as section WHERE section.id = book.bookcase_section_id LIMIT 1) as section_name from " . $this->table_activator->owt7_library_tbl_books(). " as book WHERE book.id = {$book_id}"
-            );
+            $decoded = base64_decode( $raw_bid, true );
+            if ( $decoded !== false && $decoded !== '' ) {
+                $decoded = trim( $decoded );
+                if ( ctype_digit( $decoded ) ) {
+                    $book_id = intval( $decoded );
+                } else {
+                    $book_id = 0;
+                }
+            }
+        }
 
-            if(!empty($book)){
-                return $this->owt7_library_include_template_file("owt7_library_single_book", compact("book_id", "book"));
-            }else{
-                return $this->owt7_library_include_template_file("errors/owt7_library_404_page");
+        if ( $book_id > 0 ) {
+            $sql = "
+                SELECT book.*,
+                    (SELECT category.name FROM " . $this->table_activator->owt7_library_tbl_category() . " AS category WHERE category.id = book.category_id LIMIT 1) AS category_name,
+                    (SELECT bkcase.name FROM " . $this->table_activator->owt7_library_tbl_bookcase() . " AS bkcase WHERE bkcase.id = book.bookcase_id LIMIT 1) AS bookcase_name,
+                    (SELECT section.name FROM " . $this->table_activator->owt7_library_tbl_bookcase_sections() . " AS section WHERE section.id = book.bookcase_section_id LIMIT 1) AS section_name
+                FROM " . $this->table_activator->owt7_library_tbl_books() . " AS book
+                WHERE book.id = %d
+                LIMIT 1
+            ";
+
+            $prepared = $wpdb->prepare( $sql, $book_id );
+            $book = $wpdb->get_row( $prepared );
+
+            if ( ! empty( $book ) ) {
+                return $this->owt7_library_include_template_file( "owt7_library_single_book", compact( "book_id", "book" ) );
+            } else {
+                return $this->owt7_library_include_template_file( "errors/owt7_library_404_page" );
             }
-        }else{
-             
-            $books_per_page = OWT7_LMS_DEFAULT_SHOW_BOOKS;
+        } else {
+            $books_per_page = (int) OWT7_LMS_DEFAULT_SHOW_BOOKS;
+            if ( $books_per_page <= 0 ) {
+                $books_per_page = 10;
+            }
 
-            $current_page = isset($_GET['p_no']) ? (int)$_GET['p_no'] : OWT7_LMS_DEFAULT_PAGE_NUMBER;
-            $offset = ($current_page - 1) * $books_per_page;
+            $current_page = isset( $_GET['p_no'] ) ? intval( $_GET['p_no'] ) : (int) OWT7_LMS_DEFAULT_PAGE_NUMBER;
+            if ( $current_page < 1 ) {
+                $current_page = 1;
+            }
 
-            // All categories
-            $categories = $wpdb->get_results(
-                "SELECT category.*, (SELECT count(*) FROM ".$this->table_activator->owt7_library_tbl_books()." as book WHERE book.category_id = category.id LIMIT 1) as total_books from " . $this->table_activator->owt7_library_tbl_category(). " as category WHERE status = 1"
-            );
+            $offset = ( $current_page - 1 ) * $books_per_page;
+            if ( $offset < 0 ) {
+                $offset = 0;
+            }
 
-            // Get Total Pages
-            $all_books = $wpdb->get_var("SELECT COUNT(*) FROM {$this->table_activator->owt7_library_tbl_books()} WHERE status = 1");
+            $categories_sql = "
+                SELECT category.*,
+                    (SELECT count(*) FROM " . $this->table_activator->owt7_library_tbl_books() . " AS book WHERE book.category_id = category.id LIMIT 1) AS total_books
+                FROM " . $this->table_activator->owt7_library_tbl_category() . " AS category
+                WHERE status = 1
+            ";
+            $categories = $wpdb->get_results( $categories_sql );
 
-            // Books Per Page Query
-            $books = $wpdb->get_results(
-                "SELECT book.*, (SELECT category.name FROM ".$this->table_activator->owt7_library_tbl_category()." as category WHERE category.id = book.category_id LIMIT 1) as category_name, (SELECT bkcase.name FROM ".$this->table_activator->owt7_library_tbl_bookcase()." as bkcase WHERE bkcase.id = book.bookcase_id LIMIT 1) as bookcase_name, (SELECT section.name FROM ".$this->table_activator->owt7_library_tbl_bookcase_sections()." as section WHERE section.id = book.bookcase_section_id LIMIT 1) as section_name from " . $this->table_activator->owt7_library_tbl_books(). " as book WHERE status = 1 LIMIT {$books_per_page} OFFSET {$offset}"
-            );
+            $all_books = (int) $wpdb->get_var( "SELECT COUNT(*) FROM " . $this->table_activator->owt7_library_tbl_books() . " WHERE status = 1" );
 
-            // Calculate total pages
-            $total_pages = ceil($all_books / $books_per_page);
+            $books_sql = "
+                SELECT book.*,
+                    (SELECT category.name FROM " . $this->table_activator->owt7_library_tbl_category() . " AS category WHERE category.id = book.category_id LIMIT 1) AS category_name,
+                    (SELECT bkcase.name FROM " . $this->table_activator->owt7_library_tbl_bookcase() . " AS bkcase WHERE bkcase.id = book.bookcase_id LIMIT 1) AS bookcase_name,
+                    (SELECT section.name FROM " . $this->table_activator->owt7_library_tbl_bookcase_sections() . " AS section WHERE section.id = book.bookcase_section_id LIMIT 1) AS section_name
+                FROM " . $this->table_activator->owt7_library_tbl_books() . " AS book
+                WHERE status = 1
+                LIMIT %d OFFSET %d
+            ";
+            $prepared_books_sql = $wpdb->prepare( $books_sql, $books_per_page, $offset );
+            $books = $wpdb->get_results( $prepared_books_sql );
 
-            return $this->owt7_library_include_template_file("owt7_library_books", compact("books", "categories", "total_pages", "current_page"));
+            $total_pages = 0;
+            if ( $books_per_page > 0 ) {
+                $total_pages = (int) ceil( $all_books / $books_per_page );
+            }
+
+            return $this->owt7_library_include_template_file( "owt7_library_books", compact( "books", "categories", "total_pages", "current_page" ) );
         }
     }