From fb225b562f1c29bb67d7343c646ea2f50c2fbc1a Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Tue, 23 Jun 2026 10:12:04 +0200
Subject: [PATCH] fix(admin): repair broken admin-log variables in medals Mod (#262)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The post-delete admin-log block referenced variables that were never defined ($admid/$adminID/$medalid/$uid), so on PHP 8.1+ (mysqli throws on error) the malformed INSERT raised an uncaught mysqli_sql_exception → HTTP 500 after the medal was already deleted. Use the correct ids ($admid from session, $uid from POST), look up the target player's username (escaped), and redirect to the sanitized $uid.
Co-authored-by: Claude Opus 4.8
---
GameEngine/Admin/Mods/medals.php | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/GameEngine/Admin/Mods/medals.php b/GameEngine/Admin/Mods/medals.php
index b5b8cd04..b332d972 100755
--- a/GameEngine/Admin/Mods/medals.php
+++ b/GameEngine/Admin/Mods/medals.php
@@ -40,10 +40,12 @@ elseif(isset($_POST['userid']) && !empty($_POST['userid']) && is_numeric($_POST[
 mysqli_query($database->dblink, "UPDATE ".TB_PREFIX."medal set del = 1 WHERE userid = ".$userID."");
 }
-$admidID = (int) $_SESSION['id'];
-$name = $database->getUserField($adminID, "name", 0);
+$admid = (int) $_SESSION['id'];
+$uid = (int) ($_POST['uid'] ?? 0);
+$name = $database->escape((string) $database->getUserField($uid, "username", 0));
+$medalLogId = isset($medalID) ? $medalID : 0;
 //TODO: Make a dedicated method for logging
-mysqli_query($database->dblink, "INSERT INTO ".TB_PREFIX."admin_log values (0, $admid, 'Deleted medal id [#".$medalid."] from the user $name ',".time().")");
+mysqli_query($database->dblink, "INSERT INTO ".TB_PREFIX."admin_log values (0, $admid, 'Deleted medal id [#".$medalLogId."] from the user $name ',".time().")");
-header("Location: ../../../Admin/admin.php?p=player&uid=".$_POST['uid']."");
+header("Location: ../../../Admin/admin.php?p=player&uid=".$uid);
 ?>
\ No newline at end of file
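Review bot: `$medalLogId` is concatenated into the admin_log INSERT without a cast or escape, unlike `$admid`, `$uid` and `$name` on the lines just above it. `$medalID` is assigned outside this hunk, so if it still holds the raw POST value the log statement stays open to SQL injection; casting at the point of use closes that regardless of how it was assigned: `$medalLogId = isset($medalID) ? (int) $medalID : 0;`. Separately, the `elseif` branch visible at the top of the hunk deletes by `$userID` (taken from `$_POST['userid']`), so on that path the entry will presumably read "medal id [#0]", and `$uid` is only correct if the form also posts `uid`. Using `$userID` for the name lookup and redirect there, with a message saying all medals were removed, would keep the audit trail accurate. The enclosing if/elseif starts before the hunk, so both points should be confirmed against the full file.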