From f2850b295ee21bc299799343a3bc4d004d05651d Mon Sep 17 00:00:00 2001
From: jp-wagner
Date: Sun, 18 Aug 2024 21:16:50 +0200
Subject: [PATCH] Fix security issues

---
 WebApp/functions_database.php | 26 ++++++++++++++------------
 WebApp/functions_security.php |  1 +
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/WebApp/functions_database.php b/WebApp/functions_database.php
index faea302..5edd9c0 100644
--- a/WebApp/functions_database.php
+++ b/WebApp/functions_database.php
@@ -188,21 +188,23 @@ public static function transaction_delete_all ()
     //Delete group transaction
-    public static function transaction_delete_group ($TrDeleteArr)
-    {
-        $const_dbpath = costant::database_path();
-        $N = count($TrDeleteArr);
-        $SQLDelete = "";
-        for($i=0; $i < $N; $i++)
-        {$SQLDelete = $SQLDelete.$TrDeleteArr[$i] . ",";}
-        $SQLDelete = rtrim($SQLDelete, ",");
+    public static function transaction_delete_group($TrDeleteArr)
+    {
+        $const_dbpath = costant::database_path();
+        $N = count($TrDeleteArr);
-        $db = new PDO("sqlite:${const_dbpath}");
-        $db->exec ("DELETE FROM New_Transaction WHERE ID IN (${SQLDelete});");
+        // Create placeholders for each element in $TrDeleteArr
+        $placeholders = rtrim(str_repeat('?,', $N), ',');
-        $db = null;
-    }
+        // Prepare the SQL statement
+        $db = new PDO("sqlite:${const_dbpath}");
+        $stmt = $db->prepare("DELETE FROM New_Transaction WHERE ID IN (${placeholders})");
+
+        // Execute the statement with the array of IDs
+        $stmt->execute($TrDeleteArr);
+        $db = null;
+    }
     // Update transaction
     public static function transaction_update ($TrEditedId,$TrDate,$TrStatus,$TrType,$TrAccount,$TrToAccount,$TrPayee,$TrCategory,$TrSubCategory,$TrAmount,$TrNotes)
diff --git a/WebApp/functions_security.php b/WebApp/functions_security.php
index e193823..bb98706 100644
--- a/WebApp/functions_security.php
+++ b/WebApp/functions_security.php
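Review bot: `$stmt->execute($TrDeleteArr)` binds the array by position, so a caller that passes an associative or sparse array (for example the result of an `array_filter`) fails with a parameter-count mismatch, and an empty array produces `IN ()`; pass `$stmt->execute(array_values($TrDeleteArr));` and add `if ($N === 0) { return; }` before the connection is opened. SQLite tolerates an empty `IN ()` list, but the early return keeps the statement portable and avoids opening the database for nothing. Whether a failed `prepare()` surfaces as an exception depends on the PDO error mode, which is not set anywhere in this hunk — presumably it relies on the PHP 8 default; confirm. The `"sqlite:${const_dbpath}"` form carried over from the old code is the `${}` interpolation syntax deprecated in PHP 8.2; `"sqlite:{$const_dbpath}"` is the replacement. The enclosing class starts and ends outside the hunk.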
@@ -24,6 +24,7 @@ public static function redirect_if_not_loggedin ()
         elseif ($_SERVER['PHP_SELF'] != "/index.php")
         {
             header("Location: index.php");
+            exit();
         }
     }
 }
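Review bot: The added `exit();` correctly stops execution after the `Location` header, but the guard it completes still compares `$_SERVER['PHP_SELF']` loosely (`!=`) against the hard-coded path `"/index.php"`, which no longer matches once the app is served from a sub-directory (PHP_SELF would be `/app/index.php`) and then sends index.php into a redirect loop. Comparing the script name instead, `elseif (basename($_SERVER['SCRIPT_NAME']) !== 'index.php')`, keeps the check independent of the deployment path. If any output has already been emitted when this runs, `header()` cannot set the redirect and the new `exit()` leaves a blank page, so it is worth confirming at the call sites that nothing is printed before this function. The function body begins outside the hunk.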