Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
---
name: Bug report
about: Create a report to help us improve
title: ""
labels: bug
assignees: ""
---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '...'
3. Scroll down to '...'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Desktop (please complete the following information):**

- OS: [e.g. iOS]
- Browser [e.g. chrome, safari]
- Version [e.g. 22]

**Smartphone (please complete the following information):**

- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Version [e.g. 22]

**Additional context**
Add any other context about the problem here.
19 changes: 19 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
name: Feature request
about: Suggest an idea for this project
title: ""
labels: enhancement
assignees: ""
---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.
32 changes: 32 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
## Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

## Type of change

Please delete options that are not relevant.

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

- [ ] Test A
- [ ] Test B

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '11'
java-version: '17'
distribution: 'temurin'

- name: Set up Flutter
Expand Down
29 changes: 29 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
# Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (typo): Fix the phrasing "pledge to making" to the grammatically correct "pledge to make".

Change pledge to making participation to pledge to make participation for correct grammar and smoother reading.

Suggested change
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.


## Our Standards

Examples of behavior that contributes to creating a positive environment include:

- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

- The use of sexualized language or imagery and unwelcome sexual attention or advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a professional setting

## Enforcement

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
32 changes: 32 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Contributing to SigortaCu

Thank you for your interest in contributing to SigortaCu! We welcome contributions from everyone.

## How to Contribute

1. **Fork the repository** on GitHub.
2. **Clone your fork** locally.
3. **Create a new branch** for your feature or bug fix (`git checkout -b feature/amazing-feature`).
4. **Make your changes**.
5. **Run tests** to ensure everything is working (`flutter test` for frontend, `vendor/bin/phpunit` for backend).
6. **Commit your changes** with a descriptive commit message.
7. **Push to your branch** (`git push origin feature/amazing-feature`).
8. **Open a Pull Request** to the `main` branch.

## Code Style

- **Flutter**: Follow the [official Flutter style guide](https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo).
- **PHP**: Follow [PSR-12](https://www.php-fig.org/psr/psr-12/) coding standards.

## Reporting Bugs

If you find a bug, please open an issue using the Bug Report template. Include as much detail as possible:

- Steps to reproduce
- Expected behavior
- Actual behavior
- Screenshots (if applicable)

## Feature Requests

If you have an idea for a new feature, please open an issue using the Feature Request template.
21 changes: 21 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2025 SigortaCu Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
111 changes: 77 additions & 34 deletions backend/carinfos/editcarinfo.php
Original file line number Diff line number Diff line change
@@ -1,56 +1,99 @@
<?php
include '../connection.php';
header('Content-Type: application/json; charset=utf-8');
error_reporting(0);

$resp=["success"=>false,"message"=>""];
$response = ["success" => false, "message" => "", "data" => null];

try {
if(($phpPassword ?? null)!==($_POST['phpPassword'] ?? '')){
// This endpoint will be secured by JWT in a later phase (P2).
// For now, we retain the phpPassword check for basic security.
if (($phpPassword ?? '') !== ($_POST['phpPassword'] ?? '')) {
http_response_code(401);
throw new Exception('Invalid PHP password.');
}

$id = isset($_POST['ID']) ? intval($_POST['ID']) : 0; // Güncelleme artık ID ile
if($id<=0) throw new Exception('ID gerekli');
$id = isset($_POST['ID']) ? intval($_POST['ID']) : 0;
$assetId = isset($_POST['assetID']) ? intval($_POST['assetID']) : 0;

$allowed = ['brand','sasino','engineno','enginepow','cartype','carusage','price','productionyear','seatcapacity','seyruseferdate'];
$set=[]; $vals=[]; $types='';
foreach($allowed as $f){
if(array_key_exists($f,$_POST)){
$val = $_POST[$f];
if($f==='seyruseferdate' && $val!=='' && !preg_match('/^\d{4}-\d{2}-\d{2}$/',$val)){
throw new Exception('seyruseferdate formatı YYYY-MM-DD olmalı');
}
if(in_array($f,['enginepow','price','productionyear','seatcapacity']) && $val!==''){
$val = intval($val);
$types.='i';
$whereField = '';
$whereValue = 0;
$whereType = '';

// Prioritize ID for the WHERE clause, fall back to assetID.
if ($id > 0) {
$whereField = 'ID';
$whereValue = $id;
$whereType = 'i';
} elseif ($assetId > 0) {
$whereField = 'assetID';
$whereValue = $assetId;
$whereType = 'i';
} else {
http_response_code(400);
throw new Exception('A required identifier (ID or assetID) is missing.');
}

$allowedFields = ['brand', 'sasino', 'engineno', 'enginepow', 'cartype', 'carusage', 'price', 'productionyear', 'seatcapacity', 'seyruseferdate'];
$setClauses = [];
$bindValues = [];
$bindTypes = '';

foreach ($allowedFields as $field) {
Comment on lines +36 to +41
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): The previous seyruseferdate format validation has been removed, which can allow invalid dates into the DB.

The new loop now treats seyruseferdate as a plain string and no longer enforces the YYYY-MM-DD format that was previously checked. If the DB or downstream logic assumes a valid date, this can introduce bad data and hard-to-track bugs. Please add a specific validation branch for seyruseferdate inside the loop to preserve the original guarantee.

if (array_key_exists($field, $_POST)) {
$value = $_POST[$field];

// Basic validation and type setting
$isNumericField = in_array($field, ['enginepow', 'price', 'productionyear', 'seatcapacity']);
if ($isNumericField && $value !== '') {
$value = intval($value);
$bindTypes .= 'i';
} else {
$types.='s';
$bindTypes .= 's';
}
if($val==='') $val=null; // boş ise null kaydet
$set[] = "$f = ?";
$vals[] = $val;

// Set empty strings to null for the database
if ($value === '') $value = null;

$setClauses[] = "$field = ?";
$bindValues[] = $value;
}
Comment on lines +41 to 59
Copy link

Copilot AI Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing date format validation for the 'seyruseferdate' field. The original code validated that this field matches the YYYY-MM-DD format when provided. This validation has been removed, which could allow invalid date formats to be inserted into the database.

Other carinfo endpoints (addcarinfo.php and addfullcarinfo.php) include this validation. For consistency and data integrity, you should add the validation back before processing the field.

Copilot uses AI. Check for mistakes.
}
if(empty($set)) throw new Exception('Güncellenecek alan yok');

$sql = "UPDATE carinfos SET ".implode(', ',$set)." WHERE ID = ?";
$types.='i';
$vals[] = $id;
if (empty($setClauses)) {
throw new Exception('No fields to update were provided.');
}
Comment on lines +62 to +64
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): Client-side input issues like “no fields to update” currently end up as HTTP 500 instead of a 4xx.

Because we throw here without setting an HTTP status, this case will be returned as 500. Since this is a client error, please set an appropriate 4xx status (e.g. http_response_code(400);) before throwing, consistent with how missing identifiers are handled, so clients can distinguish bad requests from real server errors.

Suggested change
if (empty($setClauses)) {
throw new Exception('No fields to update were provided.');
}
if (empty($setClauses)) {
http_response_code(400);
throw new Exception('No fields to update were provided.');
}


// Add the WHERE clause value to the binding arrays
$bindTypes .= $whereType;
$bindValues[] = $whereValue;

$sql = "UPDATE carinfos SET " . implode(', ', $setClauses) . " WHERE $whereField = ?";

$stmt = $connNow->prepare($sql);
if(!$stmt) throw new Exception('Prepare hatası: '.$connNow->error);
if (!$stmt) {
throw new Exception('SQL statement preparation failed: ' . $connNow->error);
}

$stmt->bind_param($types, ...$vals);
if(!$stmt->execute()) throw new Exception('Execute hatası: '.$stmt->error);
$stmt->bind_param($bindTypes, ...$bindValues);

if (!$stmt->execute()) {
throw new Exception('SQL statement execution failed: ' . $stmt->error);
}

$resp['success']=true;
$resp['message']='Araç güncellendi';
$resp['affected']=$stmt->affected_rows;
$response['success'] = true;
$response['message'] = 'Car info updated successfully.';
$response['data'] = ['affected_rows' => $stmt->affected_rows];

$stmt->close();
} catch(Exception $e){
$resp['success']=false;
$resp['message']=$e->getMessage();

} catch (Exception $e) {
if (http_response_code() === 200) { // If no HTTP code was set by us, it's an internal error
http_response_code(500);
}
$response['success'] = false;
$response['message'] = $e->getMessage();
Comment on lines +89 to +94
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 issue (security): Returning raw exception messages in the API response may leak internal details and SQL errors.

Some exceptions here include low-level messages like SQL statement preparation failed: ... or SQL statement execution failed: .... Sending $e->getMessage() directly to clients can expose internal DB details. Instead, map exceptions to generic user-facing messages (e.g. "Internal server error") and log the detailed message server-side, only returning specific messages when they are known-safe (such as validation errors).

Comment on lines +74 to +94
Copy link

Copilot AI Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code concatenates $connNow->error and $stmt->error into exception messages that are then returned directly to clients via $response['message'], which can leak internal database details and query structure. An attacker can deliberately trigger SQL errors (for example by sending malformed or out-of-range input) to enumerate schema information and error states useful for further attacks. Instead, log detailed database errors only on the server and return a generic error message to the client while preserving appropriate HTTP status codes.

Copilot uses AI. Check for mistakes.
}
echo json_encode($resp,JSON_UNESCAPED_UNICODE);

echo json_encode($response, JSON_UNESCAPED_UNICODE);
$connNow->close();
?>
Loading