diff --git a/GameEngine/Database.php b/GameEngine/Database.php
index 5b9230ab..84a1c607 100755
--- a/GameEngine/Database.php
+++ b/GameEngine/Database.php
@@ -3022,42 +3022,35 @@ public function getBestOasisCropBonus($x, $y) {
 }
 
 // no need to cache this method
- function getAlliancePermission($ref, $field, $mode) {
- list($ref, $field, $mode) = $this->escape_input($ref, $field, $mode);
- $mode = (int)$mode;
- $ref = (int)$ref;
+
+ function getAlliancePermission($uid, $field, $alliance) {
+ $uid = (int)$uid;
+ $alliance = (int)$alliance;
 
- // 🔒 Field validation (indirect SQL injection prevention)
- $allowed_fields = ['ap1', 'ap2', 'ap3', 'ap4', 'ap5', 'ap6', 'ap7', 'ap8', 'ap9', 'ap10', 'owner', 'admin'];
- if (!in_array($field, $allowed_fields)) {
- error_log("Invalid field in getAlliancePermission: $field");
- return false;
- }
+ // whitelist câmpuri permise
+ $allowed_fields = ['ap1','ap2','ap3','ap4','ap5','ap6','ap7','ap8','ap9','ap10','owner','admin','rank'];
 
- // Build the query
- if (!$mode) {
- $q = "SELECT `$field` FROM " . TB_PREFIX . "ali_permission WHERE uid = $ref LIMIT 1";
- } else {
- $q = "SELECT `$field` FROM " . TB_PREFIX . "ali_permission WHERE username = '$ref' LIMIT 1";
- }
+ if (!in_array($field, $allowed_fields)) {
+ error_log("Invalid field in getAlliancePermission: $field");
+ return false;
+ }
 
- // Run query
- $result = mysqli_query($this->dblink, $q);
+ $q = "SELECT `$field` FROM " . TB_PREFIX . "ali_permission WHERE uid = $uid AND alliance = $alliance LIMIT 1";
 
- // 🔴 Query error check
- if (!$result) {
- error_log("SQL Error in getAlliancePermission: " . mysqli_error($this->dblink) . " | Query: $q");
- return false;
- }
+ $result = mysqli_query($this->dblink, $q);
 
- // 🔍 No results?
- if (mysqli_num_rows($result) == 0) {
- return false;
- }
+ if (!$result) {
+ error_log("SQL Error in getAlliancePermission: " . mysqli_error($this->dblink) . " | Query: $q");
+ return false;
+ }
 
- // ✅ Extract and return the value
- $row = mysqli_fetch_array($result);
- return $row[$field];
+ if (mysqli_num_rows($result) == 0) {
+ return false;
+ }
+
+ $row = mysqli_fetch_assoc($result);
+
+ return $row[$field];
 }
 
 function getAlliance($id, $use_cache = true) {
diff --git a/Templates/Alliance/overview.tpl b/Templates/Alliance/overview.tpl
index e59fd865..f327b0d6 100644
--- a/Templates/Alliance/overview.tpl
+++ b/Templates/Alliance/overview.tpl
@@ -73,11 +73,11 @@ include("alli_menu.tpl");
- getAlliancePermission($member['id'],"rank",0);
+ $rank = $database->getAlliancePermission($member['id'], "rank", $aid);
 //username
 $name = $database->getUserField($member['id'],"username",0);
@@ -86,24 +86,21 @@ include("alli_menu.tpl");
 if($rank == ''){
 echo '';
 }
-
+
 //if there is user rank defined, user will be printed
 else if($rank != ''){
 echo "";
 echo "".stripslashes($rank)."";
- echo "".$name."";
+ echo "".$name."";
 echo "";
 }
 }
- if($allianceinfo['forumlink'] != '' && $allianceinfo['forumlink'] != '0'){
+ if($allianceinfo['forumlink'] != '' && $allianceinfo['forumlink'] != '0'){
 echo "";
- echo "» to the forum";
+ echo "» to the forum";
 echo "";
 }else{
- ?>
-
-
-
+ ?>
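Review bot: The whitelist check on the new `if (!in_array($field, $allowed_fields))` line is a loose comparison, and since the `escape_input` call was dropped it is now the only thing between `$field` and the backticked identifier in `$q`; pass `strict: true` so only an exact string from the list gets through: `if (!in_array($field, $allowed_fields, true))`. The third parameter changed meaning from `$mode` to `$alliance`, so any caller still passing the old `0`/`1` mode value would silently query `alliance = 0` and get `false` back; only overview.tpl is updated in this diff, so other call sites should be checked. The new method also has no visibility keyword while the neighbouring `public function getBestOasisCropBonus` does, and the comment `// whitelist câmpuri permise` should be in English, e.g. `// only these column names may be interpolated into the query`. The result set is never released; add `mysqli_free_result($result);` after the `mysqli_fetch_assoc` call.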
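Review bot: The new `$rank = $database->getAlliancePermission($member['id'], "rank", $aid);` call returns `false` on a query error or when no row matches, and the template below only tests `$rank == ''`, which matches `false` through loose comparison alone; normalise at the call so the intent is explicit: `if ($rank === false) { $rank = ''; }`. `$aid` is not defined anywhere in the hunk, so it presumably comes from earlier in the template; worth confirming it holds the id of the alliance whose member list is being rendered rather than the viewer's alliance. The loop this line belongs to starts before the hunk.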
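Review bot: The changed `echo "".$name."";` line writes the username straight into the page, and neither `$name` (from `getUserField`) nor `stripslashes($rank)` on the context line above is passed through `htmlspecialchars` before output. The markup of these lines was stripped in this view, so what actually differs between the removed and added lines is not visible here, but the escaping applies to the new line regardless: `echo "" . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "";` with the original tags kept in place. The same treatment belongs on the `$rank` line. The PHP block these lines belong to starts before this hunk.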