feat: sanitize client name input to allow only letters, numbers, underscores, and dashes

2025-11-08 13:56:11 +03:00
parent f6e6feb52c
commit 932a893d69
2 changed files with 22 additions and 1 deletions
@@ -40,6 +40,10 @@ class VpnClient {
    public static function create(int $serverId, int $userId, string $name, ?int $expiresInDays = null): int {
        $pdo = DB::conn();
        
+        // Sanitize client name (replace spaces and special characters)
+        $name = trim($name);
+        $name = preg_replace('/[^a-zA-Z0-9_-]/', '_', $name);
+        
        // Get server data
        $server = new VpnServer($serverId);
        $serverData = $server->getData();