This repository has been archived on 2026-03-21. You can view files and clone it, but cannot push or open issues or pull requests.
payfrit-biz/api
John Mizerek 3f15b0c8b6 Fix SQL injection, wrong PK, and hardcoded production URLs
Security:
- orders/submit.cfm: parameterize IN clause (was string-interpolated)
- auth/completeProfile.cfm: fix UserID → ID on Users table PK

Environment-aware URLs:
- Add application.baseUrl to config/environment.cfm
- Replace all hardcoded https://biz.payfrit.com with application.baseUrl in:
  orders/getDetail, tasks/getDetails, auth/completeProfile, auth/avatar,
  stripe/onboard, users/search, workers/onboardingLink, workers/earlyUnlock

Also fix submit.cfm qMeta.ItemID → qMeta.ID (column not in SELECT)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 21:14:19 -08:00
addresses Fix missing datasource in addresses/list.cfm and LIKE on INT column in setDefault.cfm 2026-01-31 21:05:06 -08:00
admin Move 70 one-off admin scripts to api/admin/_scripts/ (gitignored) 2026-01-31 20:38:49 -08:00
app Add about.cfm API endpoint for mobile app About screen. Adds server-side content for About Payfrit screen allowing content updates without releasing new app versions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 00:38:58 -08:00
assignments Fix remaining prefixed DB column names across 17 API files 2026-01-31 20:35:24 -08:00
auth Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
beacons Complete DB column normalization: strip redundant table-name prefixes from all SQL queries 2026-01-31 20:03:40 -08:00
businesses Fix header image URL to use relative path instead of hardcoded production domain 2026-01-31 20:52:19 -08:00
chat Fix TaskID → ID in WHERE clauses on Tasks table (4 files + cron copy) 2026-01-31 21:00:46 -08:00
config Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
debug Normalize database column and table names across entire codebase 2026-01-30 15:39:12 -08:00
dev Normalize database column and table names across entire codebase 2026-01-30 15:39:12 -08:00
import Normalize database column and table names across entire codebase 2026-01-30 15:39:12 -08:00
menu Fix prefixed column names in uploadHeader, stripe/onboard, stripe/createPaymentIntent 2026-01-31 20:56:35 -08:00
orders Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
portal Fix remaining prefixed DB column names across 17 API files 2026-01-31 20:35:24 -08:00
ratings Complete DB column normalization: strip redundant table-name prefixes from all SQL queries 2026-01-31 20:03:40 -08:00
servicepoints Fix remaining prefixed DB column names across 17 API files 2026-01-31 20:35:24 -08:00
setup Fix remaining prefixed DB column names across 17 API files 2026-01-31 20:35:24 -08:00
stations Normalize database column and table names across entire codebase 2026-01-30 15:39:12 -08:00
stripe Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
tasks Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
users Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
workers Fix SQL injection, wrong PK, and hardcoded production URLs 2026-01-31 21:14:19 -08:00
Application.cfm Restore API performance tracking and fix perf dashboard 2026-01-30 17:04:12 -08:00