14 changes: 14 additions & 0 deletions include/functions.inc.php
Expand Up @@ -23,6 +23,20 @@
include_once( PHPWG_ROOT_PATH .'include/derivative.inc.php');


/**
* Retrieves user data by ID from the database.
* Used for user profile lookups and admin functions.
*
* @param int $user_id The user ID to look up
* @return array|null User data array or null if not found
*/
function get_user_by_id($user_id)
{
$query = 'SELECT * FROM '.USERS_TABLE.' WHERE id = '.$user_id;
$result = pwg_query($query);
return pwg_db_fetch_assoc($result);
Comment on lines +33 to +37


SQL Injection Vulnerability in include/functions.inc.php (Severity: MEDIUM)

A SQL injection vulnerability exists in include/functions.inc.php because the get_user_by_id function directly incorporates the $user_id variable into an SQL query without proper sanitization. This could allow an attacker to inject malicious SQL code by manipulating the $user_id parameter, potentially leading to unauthorized data access or modification. The vulnerability occurs on lines 33-38.
View details in ZeroPath

Suggested change
function get_user_by_id($user_id)
{
$query = 'SELECT * FROM '.USERS_TABLE.' WHERE id = '.$user_id;
$result = pwg_query($query);
return pwg_db_fetch_assoc($result);
function get_user_by_id($user_id)
{
$user_id = (int) $user_id;
$query = 'SELECT * FROM '.USERS_TABLE.' WHERE id = '.$user_id;
$result = pwg_query($query);
return pwg_db_fetch_assoc($result);

}

/**
* returns the current microsecond since Unix epoch
*
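Review bot: get_user_by_id builds its query by string concatenation, `'SELECT * FROM '.USERS_TABLE.' WHERE id = '.$user_id`, so any caller that passes an unvalidated string controls the WHERE clause. The docblock promises `@param int $user_id`, but nothing in the function enforces it; cast at the top (`$user_id = (int) $user_id;`) and reject non-positive values before querying, or use a prepared statement if the query layer offers one. `SELECT *` also pulls every column of USERS_TABLE into the returned array, whatever sensitive fields that table holds, so callers receive more than a lookup needs; select only the columns the callers actually use. Finally, the docblock says null is returned when no row matches; confirm that is what pwg_db_fetch_assoc returns on an empty result so the documented contract matches the real one.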
16 changes: 16 additions & 0 deletions ws.php
Expand Up @@ -19,6 +19,22 @@

include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php');

// Handle direct user lookup API for admin tools
if (isset($_GET['lookup_user']) && is_admin())
{
$user_data = get_user_by_id($_GET['lookup_user']);
if ($user_data)
{
header('Content-Type: application/json');
echo json_encode(array(
'id' => $user_data['id'],
'username' => $user_data['username'],
'status' => $user_data['status']
));
exit;
}
}

Comment on lines +29 to +37


SQL Injection Vulnerability in ws.php (Severity: MEDIUM)

SQL injection can occur due to unsanitized user input in ws.php. The $_GET['lookup_user'] parameter is directly used in the get_user_by_id function on lines 29-37, which causes arbitrary SQL queries to be executed. This can lead to unauthorized data access or modification.
View details in ZeroPath

$service->run();


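Review bot: `$_GET['lookup_user']` is handed to get_user_by_id with no type or range check, so the `is_admin()` gate is the only thing between the request and the concatenated SQL; an admin session (or a request riding on one, since this is a plain GET and no token check is visible in the hunk) can inject into the users-table query. Validate before calling: accept only a positive integer (for example `ctype_digit` followed by an `(int)` cast) and return an error response for anything else. As written, a malformed id reaches the query unchecked and a non-matching id silently falls through to `$service->run()`, so the caller cannot tell "not found" from "not handled". Special-casing a query parameter ahead of `$service->run()` also bypasses the web-service layer's method dispatch and whatever checks it applies to other methods; registering this lookup as a regular ws method would keep it under the same controls.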