Parameterize registration.php; atomic player delete
- All staff paths (build, lock, edit, editgame, delete, add, search) and the render SELECTs now use db.php helpers with bound params. Removes SQL injection via playerid/missionid/callsign/newtype/newmap/buildmissions. - Delete routes through new pqs_remove_player() (shared lock + transaction, resyncs numplayers from real occupancy instead of a raw numplayers-1). - Drop a stray buggy line ($callsign from an undefined $line) and guard $_SERVER['SERVER_ADDR']. build now sets nummercs=0 (strict-mode safe). Verified on the stack: build/edit/delete/editgame/lock/search all work; delete resyncs numplayers; no errors. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -96,6 +96,30 @@ function pqs_enqueue_player(string $callsign, string $mech, int $merc = 0): int
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Atomically remove a player from the queue and resync their mission's
|
||||
* numplayers from actual occupancy. Under the shared lock so it can't race a
|
||||
* concurrent registration/commit.
|
||||
*/
|
||||
function pqs_remove_player(int $playerid): void
|
||||
{
|
||||
pqs_with_queue_lock(function () use ($playerid) {
|
||||
$db = pqs_db();
|
||||
$db->begin_transaction();
|
||||
try {
|
||||
$row = pqs_row("SELECT MissionID FROM pqs_queue WHERE ID = ?", 'i', [$playerid]);
|
||||
pqs_exec("DELETE FROM pqs_queue WHERE ID = ?", 'i', [$playerid]);
|
||||
if ($row !== null && $row['MissionID'] !== null) {
|
||||
pqs_sync_numplayers((int) $row['MissionID']);
|
||||
}
|
||||
$db->commit();
|
||||
} catch (Throwable $e) {
|
||||
$db->rollback();
|
||||
throw $e;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Atomically add a player to a SPECIFIC mission (staff "new" action). Does not
|
||||
* pick a mission or enforce capacity — staff may intentionally overfill — but
|
||||
|
||||
Reference in New Issue
Block a user