Parameterize registration.php; atomic player delete

- All staff paths (build, lock, edit, editgame, delete, add, search) and the
  render SELECTs now use db.php helpers with bound params. Removes SQL injection
  via playerid/missionid/callsign/newtype/newmap/buildmissions.
- Delete routes through new pqs_remove_player() (shared lock + transaction,
  resyncs numplayers from real occupancy instead of a raw numplayers-1).
- Drop a stray buggy line ($callsign from an undefined $line) and guard
  $_SERVER['SERVER_ADDR']. build now sets nummercs=0 (strict-mode safe).

Verified on the stack: build/edit/delete/editgame/lock/search all work; delete
resyncs numplayers; no errors.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Cyd
2026-07-01 14:04:04 -05:00
co-authored by Claude Opus 4.8
parent 5aa01db123
commit 530326b8e4
2 changed files with 91 additions and 169 deletions
+24
View File
@@ -96,6 +96,30 @@ function pqs_enqueue_player(string $callsign, string $mech, int $merc = 0): int
});
}
/**
* Atomically remove a player from the queue and resync their mission's
* numplayers from actual occupancy. Under the shared lock so it can't race a
* concurrent registration/commit.
*/
function pqs_remove_player(int $playerid): void
{
pqs_with_queue_lock(function () use ($playerid) {
$db = pqs_db();
$db->begin_transaction();
try {
$row = pqs_row("SELECT MissionID FROM pqs_queue WHERE ID = ?", 'i', [$playerid]);
pqs_exec("DELETE FROM pqs_queue WHERE ID = ?", 'i', [$playerid]);
if ($row !== null && $row['MissionID'] !== null) {
pqs_sync_numplayers((int) $row['MissionID']);
}
$db->commit();
} catch (Throwable $e) {
$db->rollback();
throw $e;
}
});
}
/**
* Atomically add a player to a SPECIFIC mission (staff "new" action). Does not
* pick a mission or enforce capacity — staff may intentionally overfill — but