From 1a797bab8080d7c79525cd49375efc0b2fc8cba1 Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:30:25 +0200
Subject: [PATCH] fix(admin): prevent SQL injection in editAccess Mod [#139]
 (#241)

---
 GameEngine/Admin/Mods/editAccess.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/GameEngine/Admin/Mods/editAccess.php b/GameEngine/Admin/Mods/editAccess.php
index 7a6a52a0..207c5ff6 100755
--- a/GameEngine/Admin/Mods/editAccess.php
+++ b/GameEngine/Admin/Mods/editAccess.php
@@ -33,10 +33,16 @@ $sessionaccess = $access['access'];
 
 if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
 
-$access = $_POST['access'];
+// Cast + whitelist the access level. $_POST['access'] was injected raw into
+// the UPDATE below (SQL injection). Only accept the values the admin form
+// offers: 0=Banned, 2=Normal user, 8=Multihunter, 9=Admin.
+$access = (int) $_POST['access'];
+if (!in_array($access, array(0, 2, 8, 9), true)) {
+	die("Invalid access level");
+}
 
-mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET 
-	access = ".$access." 
+mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET
+	access = ".$access."
 	WHERE id = ".$id."") or die(mysqli_error($database->dblink));
 
 header("Location: ../../../Admin/admin.php?p=player&uid=".$id."");