From 1a7aff8dfb695fa0aff58efcdcb1af5ca8dc0a05 Mon Sep 17 00:00:00 2001
From: Fadhil Imam Kurnia <fadhilimamk@gmail.com>
Date: Sat, 7 Oct 2017 09:16:32 +0700
Subject: [PATCH] Add validation, not showing current user in order search

---
 public/order.js                    | 3 ++-
 src/controller/OrderController.php | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/public/order.js b/public/order.js
index 0b73fd1..f3f8a13 100755
--- a/public/order.js
+++ b/public/order.js
@@ -8,10 +8,11 @@ var resultData;
 
 function makeOrder() {
 
+    var customerID = document.getElementById('customer-id').innerHTML;
     var orderPickup = document.getElementById('orderPickup').value;
     var orderDestination = document.getElementById('orderDestination').value;
     var orderPreferredDriver = document.getElementById('orderPreferredDriver').value;
-    var data = "pickup="+orderPickup+"&destination="+orderDestination+"&driver="+orderPreferredDriver;
+    var data = "id="+customerID+"&pickup="+orderPickup+"&destination="+orderDestination+"&driver="+orderPreferredDriver;
 
     var xhttp = new XMLHttpRequest();
     xhttp.onreadystatechange = function() {
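Review bot: The new `data` string on the `+` line is built by plain concatenation, so any `&`, `=`, `+` or `#` in the pickup, destination, driver or id values splits or corrupts the form body; each value should go through `encodeURIComponent`, e.g. `var data = "id="+encodeURIComponent(customerID)+"&pickup="+encodeURIComponent(orderPickup)+"&destination="+encodeURIComponent(orderDestination)+"&driver="+encodeURIComponent(orderPreferredDriver);`. The customer id is also read from an element's `innerHTML`, which presumably holds the encrypted id the server later decrypts; `textContent` would avoid picking up markup if that element is ever rendered differently. makeOrder continues outside the hunk.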
diff --git a/src/controller/OrderController.php b/src/controller/OrderController.php
index 4d36ec0..846c6b3 100644
--- a/src/controller/OrderController.php
+++ b/src/controller/OrderController.php
@@ -27,6 +27,7 @@ class OrderController {
 
 
     public static function MakeOrderHandler() {
+        $id = simpleCrypt($_POST['id'], 'd');
         $pickup = $_POST['pickup'];
         $destination = $_POST['destination'];
         $driver = $_POST['driver'];
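Review bot: The added `$id = simpleCrypt($_POST['id'], 'd');` reads the request field without checking it exists, and the value it yields is later used as "the current user" in the queries of the next two hunks, so the server is letting the client declare who the current user is rather than taking it from the server-side session; the "not showing current user" filter only holds for honest clients. The id should come from the authenticated session, and at minimum the field should be guarded, e.g. `$id = isset($_POST['id']) ? simpleCrypt($_POST['id'], 'd') : null;` with an early error return when it is missing. What simpleCrypt returns on a malformed input is not visible here, so that case should be confirmed and handled too. MakeOrderHandler continues outside the hunk.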
@@ -41,10 +42,10 @@ class OrderController {
             WHERE user.id IN (
                 SELECT DISTINCT id_driver 
                 FROM prefered_location 
-                WHERE location = ? OR location = ?
+                WHERE (location = ? OR location = ?) AND user.id <> ?
             )'
         );
-        $stmt->execute(array($pickup, $destination));
+        $stmt->execute(array($pickup, $destination, $id));
         if ($stmt === false) {
             echo "Error";
             return;
@@ -62,9 +63,9 @@ class OrderController {
                 'SELECT 
                 user.id AS id, name, username, photo, rating, sum_order 
             FROM user NATURAL JOIN driver 
-            WHERE username = ?'
+            WHERE username = ? AND user.id <> ?'
             );
-            $stmt->execute(array($driver));
+            $stmt->execute(array($driver, $id));
             if ($stmt === false) {
                 echo "Error";
                 return;
-- 
GitLab