From 795bf2705911c26ace1078824375a0a55df57f69 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 15 Jan 2026 21:28:47 +0000
Subject: [PATCH] Validate lookup_user as integer to prevent SQL injection in ws.php

---
 ws.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ws.php b/ws.php
index ec19b77922..0de29ea571 100644
--- a/ws.php
+++ b/ws.php
@@ -22,7 +22,18 @@
 // Handle direct user lookup API for admin tools
 if (isset($_GET['lookup_user']) && is_admin()) {
-    $user_data = get_user_by_id($_GET['lookup_user']);
+    // Validate and normalize input to prevent SQL injection. Only allow integer user IDs.
+    $lookup = $_GET['lookup_user'];
+    $user_id = filter_var($lookup, FILTER_VALIDATE_INT);
+    if ($user_id === false || $user_id <= 0) {
+        // Invalid input: return a 400 response rather than performing a lookup
+        header('HTTP/1.1 400 Bad Request');
+        header('Content-Type: application/json');
+        echo json_encode(array('error' => 'Invalid user id'));
+        exit;
+    }
+
+    $user_data = get_user_by_id($user_id);
     if ($user_data) {
         header('Content-Type: application/json');