Merge branch 'prevent-sqlinjection' into 'develop'

Prevent sqlinjection

See merge request bluekay/shopping-list!12

.htaccess

@@ -6,7 +6,7 @@
   RewriteRule ^([a-zA-Z0-9-]+)$ ?site=$1
 
   #alles, was versucht ein Script aufzurufen
-  RewriteRule /bin/(.+) /bin/$1
+  RewriteRule /js/(.+) /js/$1
 
   #Error Seite
   RewriteRule ^error/([a-zA-Z0-9-_]+)$ ?site=error&id=$1

config/config.php

@@ -2,4 +2,5 @@
 $CONFIG = array (
   'installed' => false,
 );
+
 ?>

cont/adduser.php

@@ -1,6 +1,6 @@
 <head>
     <link rel="stylesheet" href="/style/adduser.css">
-    <script src="/bin/adduser.js" charset="utf-8"></script>
+    <script src="/js/adduser.js" charset="utf-8"></script>
 </head>
 <h1>Benutzer hinzufügen</h1>
 <div class="adduser">

cont/error.php

@@ -3,7 +3,7 @@
 <head>
     <title>Installationsfehler</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <script src="/bin/error.js" charset="utf-8"></script>
+    <script src="/js/error.js" charset="utf-8"></script>
 </head>
 <body>
   <div class="container">

cont/list.php

@@ -1,4 +1,4 @@
-<script src="/bin/list.js" charset="utf-8"></script>
+<script src="/js/list.js" charset="utf-8"></script>
 <div class="container mt-5">
   <h1>Liste</h1>
 </div>
@@ -28,7 +28,7 @@
           $checked = "";
         }
 
-        print_r("<div class='$div_item_row_classes $div_item_row_color_classes'>");
+        print_r("<div class='list-row $div_item_row_classes $div_item_row_color_classes'>");
             print_r("<div class='$div_item_checkbox_classes'><input type='checkbox' class='$input_item_checkbox_classes' data-color='$color_theme' data-id='$item->ID' $checked></div>");
             print_r("<div class='$div_item_quantity_classes'>$item->Anzahl $item->Einheit</div>");
             print_r("<div class='$div_item_name_classes'>$item->Name</div>");

cont/login.php

@@ -15,7 +15,7 @@
         <input type="password" class="form-control" name="pass" id="pass" placeholder="**********" required="required">
     </div>
     <div class="form-group form-check">
-        <input type="checkbox" class="form-check-input" id="rememberme">
+        <input type="checkbox" class="form-check-input" id="rememberme" name="rememberme">
         <label class="form-check-label" for="rememberme">Angemeldet bleiben</label>
     </div>
     <button type="submit" class="btn btn-primary">Login</button>

cont/manageRecipe.php

@@ -2,7 +2,7 @@
   if($_SERVER["REQUEST_URI"]!="/new-recipe"){
     $submitFunction = "update";
     $title = "Bearbeiten";
-    $script = '<script src="/bin/edit-recipe.js" charset="utf-8"></script>';
+    $script = '<script src="/js/edit-recipe.js" charset="utf-8"></script>';
     $additionalInput = "<input type='hidden' name='id' value=''>";
   }
   else{
@@ -12,8 +12,8 @@
     $additionalInput = "";
   }
 ?>
-<script src="/bin/manageRecipe.js" charset="utf-8"></script>
-<script src="/bin/autocomplete.js" charset="utf-8"></script>
+<script src="/js/manageRecipe.js" charset="utf-8"></script>
+<script src="/js/autocomplete.js" charset="utf-8"></script>
 <?php echo $script; ?>
 <div class="container mt-5">
   <h1><?php echo $title ?></h1>

cont/nav.php

@@ -1,16 +1,47 @@
-<nav class="navbar navbar-inverse bg-secondary rounded-bottom pt-0 pb-0">
-    <div class="container-fluid">
+<nav class="navbar navbar-expand-sm navbar-dark bg-dark rounded-bottom fixed-top">
+  <a class="navbar-brand" href="/">
+    <i class="fas fa-check-square w-auto"></i>
+    ShoppingList
+  </a>
 
-      <ul class="nav navbar-left">
-        <a class="navbar-brand text-light font-weight-bold p-2" href="/"><i class="fas fa-check-square w-auto"></i></a>
-        <a class="text-light font-weight-bold text-decoration-none p-2 ml-1" href="/list">Liste</a>
-        <a class="text-light font-weight-bold text-decoration-none p-2 ml-1" href="/recipes">Rezepte</a>
-      </ul>
+  <button class="navbar-toggler float-right" type="button" data-toggle="collapse" data-target="#navbarToggleResponsive" aria-controls="navbarToggleResponsive" aria-expanded="false" aria-label="Toggle navigation">
+    <i class="fas fa-bars"></i>
+  </button>
+  
+  <div class="collapse navbar-collapse">
+    <ul class="navbar-nav mr-auto">
+      <li class="nav-item <?php if(($site=="list")||($site=="-1")){print_r("active");} ?>">
+        <a class="nav-link" href="/list"><i class="fas fa-list"></i> Liste</a>
+      </li>
+      <li class="nav-item <?php if($site=="recipes"){print_r("active");} ?>">
+        <a class="nav-link" href="/recipes"><i class="fas fa-book"></i> Rezepte</a>
+      </li>
+    </ul>
+    <ul class="navbar-nav">
+      <li class="nav-item <?php if($site=="settings"){print_r("active");} ?>">
+        <a class="nav-link" href="/settings"><i class="fas fa-user-cog"></i></a>
+      </li>
+      <li class="nav-item">
+        <a class="nav-link" href="/php/logout.php"><i class="fas fa-sign-out-alt"></i></a>
+      </li>
+    </ul>
+  </div>
 
-      <ul class="nav navbar-right text-light">
-        <a class="fas fa-user-cog text-light text-decoration-none p-1" href="/settings"></a>
-        <a class="fas fa-sign-out-alt text-light text-decoration-none p-1" href="/php/logout.php" id='logout'></a>
-      </ul>
 
-    </div>
-</nav>
+  <div class="collapse w-75 pl-2" id="navbarToggleResponsive">
+    <ul class="navbar-nav mr-auto">
+      <li class="nav-item <?php if($site=="list"){print_r("active");} ?>">
+        <a class="nav-link" href="/list"><i class="fas fa-list"></i> Liste</a>
+      </li>
+      <li class="nav-item <?php if($site=="recipes"){print_r("active");} ?>">
+        <a class="nav-link" href="/recipes"><i class="fas fa-book"></i> Rezepte</a>
+      </li>
+      <li class="nav-item <?php if($site=="settings"){print_r("active");} ?>">
+        <a class="nav-link" href="/settings"><i class="fas fa-user-cog"></i> Einstellungen</a>
+      </li>
+      <li class="nav-item">
+        <a class="nav-link" href="/php/logout.php"><i class="fas fa-sign-out-alt"></i> Logout</a>
+      </li>
+    </ul>
+  </div>
+</nav>

cont/recipe.php

@@ -1,13 +1,12 @@
-<script src="/bin/recipe.js" charset="utf-8"></script>
+<script src="/js/recipe.js" charset="utf-8"></script>
 <?php
   include $_SESSION["docroot"].'/php/classes.recipe.php';
-  include $_SESSION["docroot"].'/php/classes.parsedown.php';
   $book = new cookbook;
   $book->getRecipe($_GET["number"]);
   $recipe = $book->sites[0];
 ?>
 
-<div class="dropdown text-right mt-4">
+<div class="dropdown text-right mt-5">
   <button class="btn btn-primary dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
     Menü
   </button>

cont/recipes.php

@@ -1,5 +1,4 @@
-<!-- <link rel="stylesheet" href="/style/recipes.css"> -->
-<script src="/bin/search.js" charset="utf-8"></script>
+<script src="/js/search.js" charset="utf-8"></script>
 
 <div class="container mt-5 mb-5">
     <h1>Rezepte</h1>

cont/settings.php

@@ -1,4 +1,4 @@
-<script src="/bin/settings.js" charset="utf-8"></script>
+<script src="/js/settings.js" charset="utf-8"></script>
 <div class="container mt-5">
     <h1>Einstellungen</h1>
 </div>
@@ -112,11 +112,8 @@
 
 <div class="toast fixed-bottom m-2" role="alert" id="toast-pw-success" aria-live="assertive" aria-atomic="true" data-delay="4000" data-animation="true">
     <div class="toast-header">
-        <i class="close_toast fas fa-check-square w-auto mr-2"></i>
+        <i class="fas fa-check-square w-auto mr-2"></i>
         <strong class="mr-auto">ShoppingList</strong>
-        <button type="button" class="ml-2 mb-1 close" data-dismiss="toast" aria-label="Close">
-            <span aria-hidden="true">&times;</span>
-        </button>
     </div>
     <div class="toast-body">
         Passwort erfolgreich geändert!
@@ -125,11 +122,8 @@
 
 <div class="toast fixed-bottom m-2" role="alert" id="toast-list-import-success" aria-live="assertive" aria-atomic="true" data-delay="4000" data-animation="true">
     <div class="toast-header">
-        <i class="close_toast fas fa-check-square w-auto mr-2"></i>
+        <i class="fas fa-check-square w-auto mr-2"></i>
         <strong class="mr-auto">ShoppingList</strong>
-        <button type="button" class="ml-2 mb-1 close" data-dismiss="toast" aria-label="Close">
-            <span aria-hidden="true">&times;</span>
-        </button>
     </div>
     <div class="toast-body">
         Liste erfolgreich importiert!
@@ -138,24 +132,18 @@
 
 <div class="toast fixed-bottom m-2" role="alert" id="toast-recipe-import-success" aria-live="assertive" aria-atomic="true" data-delay="4000" data-animation="true">
     <div class="toast-header">
-        <i class="close_toast fas fa-check-square w-auto mr-2"></i>
+        <i class="fas fa-check-square w-auto mr-2"></i>
         <strong class="mr-auto">ShoppingList</strong>
-        <button type="button" class="ml-2 mb-1 close" data-dismiss="toast" aria-label="Close">
-            <span aria-hidden="true">&times;</span>
-        </button>
     </div>
     <div class="toast-body">
         Rezepte erfolgreich importiert!
     </div>
 </div>
 
-<div class="toast fixed-bottom m-2" role="alert" id="toast-recipe-import-warning" aria-live="assertive" aria-atomic="true" data-autohide="false" data-animation="true">
+<div class="toast fixed-bottom m-2" role="alert" id="toast-recipe-import-warning" aria-live="assertive" aria-atomic="true" data-autohide="4000" data-animation="true">
     <div class="toast-header">
         <i class="close_toast fas fa-check-square w-auto mr-2"></i>
         <strong class="mr-auto">ShoppingList</strong>
-        <button type="button" class="ml-2 mb-1 close" data-dismiss="toast" aria-label="Close">
-            <span aria-hidden="true">&times;</span>
-        </button>
     </div>
     <div class="toast-body">
         Nicht alle Rezepte konnten importiert werden! Fehlerhafte Rezepte wieder exportiert.

fonts/lato/OFL.txt

@@ -1,93 +0,0 @@
-Copyright (c) 2010-2014 by tyPoland Lukasz Dziedzic (team@latofonts.com) with Reserved Font Name "Lato"
-
-This Font Software is licensed under the SIL Open Font License, Version 1.1.
-This license is copied below, and is also available with a FAQ at:
-http://scripts.sil.org/OFL
-
-
------------------------------------------------------------
-SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
------------------------------------------------------------
-
-PREAMBLE
-The goals of the Open Font License (OFL) are to stimulate worldwide
-development of collaborative font projects, to support the font creation
-efforts of academic and linguistic communities, and to provide a free and
-open framework in which fonts may be shared and improved in partnership
-with others.
-
-The OFL allows the licensed fonts to be used, studied, modified and
-redistributed freely as long as they are not sold by themselves. The
-fonts, including any derivative works, can be bundled, embedded, 
-redistributed and/or sold with any software provided that any reserved
-names are not used by derivative works. The fonts and derivatives,
-however, cannot be released under any other type of license. The
-requirement for fonts to remain under this license does not apply
-to any document created using the fonts or their derivatives.
-
-DEFINITIONS
-"Font Software" refers to the set of files released by the Copyright
-Holder(s) under this license and clearly marked as such. This may
-include source files, build scripts and documentation.
-
-"Reserved Font Name" refers to any names specified as such after the
-copyright statement(s).
-
-"Original Version" refers to the collection of Font Software components as
-distributed by the Copyright Holder(s).
-
-"Modified Version" refers to any derivative made by adding to, deleting,
-or substituting -- in part or in whole -- any of the components of the
-Original Version, by changing formats or by porting the Font Software to a
-new environment.
-
-"Author" refers to any designer, engineer, programmer, technical
-writer or other person who contributed to the Font Software.
-
-PERMISSION & CONDITIONS
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of the Font Software, to use, study, copy, merge, embed, modify,
-redistribute, and sell modified and unmodified copies of the Font
-Software, subject to the following conditions:
-
-1) Neither the Font Software nor any of its individual components,
-in Original or Modified Versions, may be sold by itself.
-
-2) Original or Modified Versions of the Font Software may be bundled,
-redistributed and/or sold with any software, provided that each copy
-contains the above copyright notice and this license. These can be
-included either as stand-alone text files, human-readable headers or
-in the appropriate machine-readable metadata fields within text or
-binary files as long as those fields can be easily viewed by the user.
-
-3) No Modified Version of the Font Software may use the Reserved Font
-Name(s) unless explicit written permission is granted by the corresponding
-Copyright Holder. This restriction only applies to the primary font name as
-presented to the users.
-
-4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
-Software shall not be used to promote, endorse or advertise any
-Modified Version, except to acknowledge the contribution(s) of the
-Copyright Holder(s) and the Author(s) or with their explicit written
-permission.
-
-5) The Font Software, modified or unmodified, in part or in whole,
-must be distributed entirely under this license, and must not be
-distributed under any other license. The requirement for fonts to
-remain under this license does not apply to any document created
-using the Font Software.
-
-TERMINATION
-This license becomes null and void if any of the above conditions are
-not met.
-
-DISCLAIMER
-THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
-OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
-COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
-DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
-OTHER DEALINGS IN THE FONT SOFTWARE.

fonts/newscycle/OFL.txt

@@ -1,93 +0,0 @@
-Copyright (c) 2010-2011, Nathan Willis (nwillis@glyphography.com), with Reserved Font Name "News Cycle."
-
-This Font Software is licensed under the SIL Open Font License, Version 1.1.
-This license is copied below, and is also available with a FAQ at:
-http://scripts.sil.org/OFL
-
-
------------------------------------------------------------
-SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
------------------------------------------------------------
-
-PREAMBLE
-The goals of the Open Font License (OFL) are to stimulate worldwide
-development of collaborative font projects, to support the font creation
-efforts of academic and linguistic communities, and to provide a free and
-open framework in which fonts may be shared and improved in partnership
-with others.
-
-The OFL allows the licensed fonts to be used, studied, modified and
-redistributed freely as long as they are not sold by themselves. The
-fonts, including any derivative works, can be bundled, embedded, 
-redistributed and/or sold with any software provided that any reserved
-names are not used by derivative works. The fonts and derivatives,
-however, cannot be released under any other type of license. The
-requirement for fonts to remain under this license does not apply
-to any document created using the fonts or their derivatives.
-
-DEFINITIONS
-"Font Software" refers to the set of files released by the Copyright
-Holder(s) under this license and clearly marked as such. This may
-include source files, build scripts and documentation.
-
-"Reserved Font Name" refers to any names specified as such after the
-copyright statement(s).
-
-"Original Version" refers to the collection of Font Software components as
-distributed by the Copyright Holder(s).
-
-"Modified Version" refers to any derivative made by adding to, deleting,
-or substituting -- in part or in whole -- any of the components of the
-Original Version, by changing formats or by porting the Font Software to a
-new environment.
-
-"Author" refers to any designer, engineer, programmer, technical
-writer or other person who contributed to the Font Software.
-
-PERMISSION & CONDITIONS
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of the Font Software, to use, study, copy, merge, embed, modify,
-redistribute, and sell modified and unmodified copies of the Font
-Software, subject to the following conditions:
-
-1) Neither the Font Software nor any of its individual components,
-in Original or Modified Versions, may be sold by itself.
-
-2) Original or Modified Versions of the Font Software may be bundled,
-redistributed and/or sold with any software, provided that each copy
-contains the above copyright notice and this license. These can be
-included either as stand-alone text files, human-readable headers or
-in the appropriate machine-readable metadata fields within text or
-binary files as long as those fields can be easily viewed by the user.
-
-3) No Modified Version of the Font Software may use the Reserved Font
-Name(s) unless explicit written permission is granted by the corresponding
-Copyright Holder. This restriction only applies to the primary font name as
-presented to the users.
-
-4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
-Software shall not be used to promote, endorse or advertise any
-Modified Version, except to acknowledge the contribution(s) of the
-Copyright Holder(s) and the Author(s) or with their explicit written
-permission.
-
-5) The Font Software, modified or unmodified, in part or in whole,
-must be distributed entirely under this license, and must not be
-distributed under any other license. The requirement for fonts to
-remain under this license does not apply to any document created
-using the Font Software.
-
-TERMINATION
-This license becomes null and void if any of the above conditions are
-not met.
-
-DISCLAIMER
-THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
-OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
-COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
-DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
-OTHER DEALINGS IN THE FONT SOFTWARE.

index.php

@@ -45,9 +45,9 @@ $user->get_info($_COOKIE["token"]);
   }
   ?>
   <link rel="stylesheet" href="/style/helper.css">
-  <script src="/bin/jquery.js"></script>
-  <script src="/bin/main.js"></script>
-  <title>Einkaufsliste</title>
+  <script src="/js/jquery.js"></script>
+  <script src="/js/main.js"></script>
+  <title>ShoppingList</title>
 </head>
 
 <body>
@@ -55,7 +55,7 @@ $user->get_info($_COOKIE["token"]);
   if ($site && ($site != "login")) {
     include $_SESSION["docroot"] . '/cont/nav.php';
   }
-  echo '<div id="content" class="container">';
+  echo '<div id="content" class="container pt-4">';
   switch ($site) {
     case "login":
       include $_SESSION["docroot"] . '/cont/login.php';
@@ -100,7 +100,7 @@ $user->get_info($_COOKIE["token"]);
   }
   echo "</div>";
   ?>
-  <script src="bin/bootstrap.bundle.min.js"></script>
+  <script src="js/bootstrap.bundle.min.js"></script>
 </body>
 
 </html>

install/install.php

@@ -39,7 +39,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <link rel="stylesheet" href="/style/fontawesome/css/all.css">
     <link rel="stylesheet" href="/style/main.css">
-    <script src="/bin/jquery.js"></script>
+    <script src="/js/jquery.js"></script>
   </head>
   <body>
 

install/install_action.php

@@ -45,7 +45,6 @@ $CONFIG["host"] = $_POST['dbhost'];
 $CONFIG["username"] = $_POST['username'];
 $CONFIG["passwd"] = $_POST['passwd'];
 $CONFIG["database"] = $_POST['database'];
-$CONFIG["theme"] = "default";
 
 file_put_contents($_SESSION["docroot"].'/config/config.php', '<?php '."\r\n".'$CONFIG = '.var_export($CONFIG, true).";\n\r?>");
 

install/install_adduser.php

@@ -4,8 +4,8 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <link rel="stylesheet" href="/style/fontawesome/css/all.css">
   <link rel="stylesheet" href="/style/main.css">
-  <script src="/bin/jquery.js"></script>
-  <script src="/bin/adduser.js" charset="utf-8"></script>
+  <script src="/js/jquery.js"></script>
+  <script src="/js/adduser.js" charset="utf-8"></script>
   <title>Benutzer hinzufügen</title>
 </head>
 <body>

js/list.js

@@ -1,4 +1,5 @@
 $(document).ready(function () {
+  highlightNewEntry();
   $("input[type=checkbox]").change(checkItem);
   $("#remove").click(deleteCheckeditems);
   $("#nameField").focus();
@@ -6,6 +7,25 @@ $(document).ready(function () {
   $("#nameField").on("focus", function () { $(this).select(); });
 });
 
+function highlightNewEntry(){
+  var cookies = document.cookie;
+  var cookieRegExp = new RegExp(/;?\s+newItem=(\d+)/g);
+  var match = cookieRegExp.exec(cookies);
+  if(match!=null){  
+    var newID = match[1];
+    var checkBox = $("[data-id=" + newID + "]");
+    var newRow = checkBox.parent().parent();
+    newRow.removeClass($(checkBox).data("color"));
+    newRow.addClass("alert-primary");
+    setTimeout(function () {
+      newRow.removeClass("alert-primary");
+      newRow.addClass($(checkBox).data("color"));
+    }, 1000);
+    document.cookie = "newItem=-1"
+    console.log(document.cookie);
+  }
+}
+
 function deleteCheckeditems() {
   $.post({
     url: "api/list/del",

php/auth.php

@@ -13,7 +13,10 @@
       $token = "-1";
     }
 
-    $result = $mysqli->query('SELECT * FROM `sessions` WHERE `session_id` = \''.$token.'\';');
+    $selectQuery = $mysqli->prepare('SELECT * FROM `sessions` WHERE `session_id` = ?;');
+    $selectQuery->bind_param("s", $token);
+    $selectQuery->execute();
+    $result = $selectQuery->get_result();
 
     if(($result->num_rows) == 0 && (!(in_array("site", array_keys($_GET))) || $_GET["site"]!="login"))
     {

php/classes.list.php

@@ -19,7 +19,7 @@
     function shopping(){
       include $_SESSION["docroot"].'/config/config.php';
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("SELECT * FROM `ViewEinkauf` ORDER BY `ViewEinkauf`.`Name` ASC");
+      $result = $mysqli->query("SELECT * FROM `ViewEinkauf` ORDER BY `ViewEinkauf`.`Name` ASC;");
       while($item = $result->fetch_assoc()){
         $this->addItem($item["ID"], $item["Anzahl"], $item["Einheit"], $item["Name"], $item["Erledigt"]);
       }
@@ -30,15 +30,20 @@
       include $_SESSION["docroot"].'/config/config.php';
       include $_SESSION["docroot"].'/php/connect.php';
       if(!is_int($einheit)){
-        $unit_query = "SELECT * FROM `Einheit` WHERE `Name` = \"$einheit\"";
-        $result = $mysqli->query($unit_query);
+        $selectQuery = $mysqli->prepare("SELECT * FROM `Einheit` WHERE `Name` = ?;");
+        $selectQuery->bind_param("s", $einheit);
+        $selectQuery->execute();
+        $result = $selectQuery->get_result();
         while($row = $result->fetch_assoc()){
           $einheit = $row["ID"];
         }
       }
-      $insertQuery = "INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (".$anzahl.", ".$einheit.", '".$name."', 0)";
-      $mysqli->query($insertQuery);
+      $insertQuery = $mysqli->prepare("INSERT INTO `Einkauf` (`Anzahl`, `Einheit`, `Name`, `Erledigt`) VALUES (?, ?, ?, 0);");
+      $insertQuery->bind_param("sss", $anzahl, $einheit, $name);
+      $result = $insertQuery->execute();
+      $insertID = $mysqli->insert_id;
       $mysqli->close();
+      return $insertID;
     }
 
     function newItems($itemList){
@@ -50,14 +55,16 @@
     function removeChecked(){
       include $_SESSION["docroot"].'/config/config.php';
       include $_SESSION["docroot"].'/php/connect.php';
-      $mysqli->query("DELETE FROM `Einkauf` WHERE `Erledigt`=1");
+      $mysqli->query("DELETE FROM `Einkauf` WHERE `Erledigt`=1;");
       $mysqli->close();
     }
 
     function check($id, $status){
       include $_SESSION["docroot"].'/config/config.php';
       include $_SESSION["docroot"].'/php/connect.php';
-      $mysqli->query("UPDATE `Einkauf` SET `Erledigt` = $status WHERE `Einkauf`.`ID` = $id");
+      $updateQuery = $mysqli->prepare("UPDATE `Einkauf` SET `Erledigt` = $status WHERE `Einkauf`.`ID` = ?;");
+      $updateQuery->bind_param("s", $id);
+      $updateQuery->execute();
       $mysqli->close();
     }
 
@@ -89,7 +96,7 @@
     function units(){
       include $_SESSION["docroot"].'/config/config.php';
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("SELECT * FROM `Einheit`");
+      $result = $mysqli->query("SELECT * FROM `Einheit`;");
       while($item = $result->fetch_assoc()){
         $this->addItem($item["ID"], $item["Name"], $item["Standard"]);
       }

php/classes.recipe.php

@@ -14,7 +14,7 @@
     }
     function unitList(){
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("SELECT * FROM `Einheit`");
+      $result = $mysqli->query("SELECT * FROM `Einheit`;");
       while($item = $result->fetch_assoc()){
         $this->addItem($item["ID"], $item["Name"], $item["Standard"]);
       }
@@ -22,7 +22,10 @@
     }
     function getID($Name){
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("SELECT `ID` FROM `Einheit` WHERE `Name` = '$Name'");
+      $selectQuery = $mysqli->prepare("SELECT `ID` FROM `Einheit` WHERE `Name` = ?;");
+      $selectQuery->bind_param("s", "$Name");
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       $ID = $result->fetch_assoc();
       return $ID["ID"];
     }
@@ -57,16 +60,28 @@
     public $sites = array();
     function getRecipe($ID){
       include $_SESSION["docroot"].'/php/connect.php';
-      $recipes = $mysqli->query("SELECT * FROM `Rezept` WHERE `ID` = $ID ORDER BY Name ASC");
+      $selectQuery = $mysqli->prepare("SELECT * FROM `Rezept` WHERE `ID` = ? ORDER BY Name ASC;");
+      $selectQuery->bind_param("s", $ID);
+      $selectQuery->execute();
+      $recipes = $selectQuery->get_result();
       while($recipe = $recipes->fetch_assoc()){
         $current = new recipe($RID = $recipe["ID"], $RName = $recipe["Name"], $RDuration = $recipe["Dauer"], $RDescription = $recipe["Beschreibung"]);
-        $recepieIngredients = $mysqli->query("SELECT * FROM `RezeptZutat` WHERE `Rezept` = $RID");
+        $selectIngredientsQuery = $mysqli->prepare("SELECT * FROM `RezeptZutat` WHERE `Rezept` = ?;");
+        $selectIngredientsQuery->bind_param("s", $RID);
+        $selectIngredientsQuery->execute();
+        $recepieIngredients = $selectIngredientsQuery->get_result();
         while($recepieIngredient = $recepieIngredients->fetch_assoc()){
           $IID = $recepieIngredient["Zutat"];
           $IAmount = $recepieIngredient["Menge"];
-          $units = $mysqli->query("SELECT `Name` FROM `Einheit` WHERE `ID` = ".$recepieIngredient["Einheit"]);
+          $selectUnitQuery = $mysqli->prepare("SELECT `Name` FROM `Einheit` WHERE `ID` = ?;");
+          $selectUnitQuery->bind_param("s", $recepieIngredient["Einheit"]);
+          $selectUnitQuery->execute();
+          $units = $selectUnitQuery->get_result();
           while($unit = $units->fetch_assoc()){$IUnit = $unit["Name"];}
-          $names = $mysqli->query("SELECT `Name` FROM `Zutat` WHERE `ID` = ".$recepieIngredient["Zutat"]);
+          $selectNamesQuery = $mysqli->prepare("SELECT `Name` FROM `Zutat` WHERE `ID` = ?;");
+          $selectNamesQuery->bind_param("s", $recepieIngredient["Zutat"]);
+          $selectNamesQuery->execute();
+          $names = $selectNamesQuery->get_result();
           while($name = $names->fetch_assoc()){$IName = $name["Name"];}
           $current->addIngredient($IID, $IAmount, $IUnit, $IName);
         }
@@ -80,13 +95,22 @@
       $recipes = $mysqli->query("SELECT * FROM `Rezept` ORDER BY Name ASC");
       while($recipe = $recipes->fetch_assoc()){
         $current = new recipe($RID = $recipe["ID"], $RName = $recipe["Name"], $RDuration = $recipe["Dauer"], $RDescription = $recipe["Beschreibung"]);
-        $recepieIngredients = $mysqli->query("SELECT * FROM `RezeptZutat` WHERE `Rezept` = $RID");
+        $selectIngredientsQuery = $mysqli->prepare("SELECT * FROM `RezeptZutat` WHERE `Rezept` = ?;");
+        $selectIngredientsQuery->bind_param("s", $RID);
+        $selectIngredientsQuery->execute();
+        $recepieIngredients = $selectIngredientsQuery->get_result();
         while($recepieIngredient = $recepieIngredients->fetch_assoc()){
           $IID = $recepieIngredient["Zutat"];
           $IAmount = $recepieIngredient["Menge"];
-          $units = $mysqli->query("SELECT `Name` FROM `Einheit` WHERE `ID` = ".$recepieIngredient["Einheit"]);
+          $selectUnitQuery = $mysqli->prepare("SELECT `Name` FROM `Einheit` WHERE `ID` = ?;");
+          $selectUnitQuery->bind_param("s", $recepieIngredient["Einheit"]);
+          $selectUnitQuery->execute();
+          $units = $selectUnitQuery->get_result();
           while($unit = $units->fetch_assoc()){$IUnit = $unit["Name"];}
-          $names = $mysqli->query("SELECT `Name` FROM `Zutat` WHERE `ID` = ".$recepieIngredient["Zutat"]);
+          $selectNamesQuery = $mysqli->prepare("SELECT `Name` FROM `Zutat` WHERE `ID` = ?;");
+          $selectNamesQuery->bind_param("s", $recepieIngredient["Zutat"]);
+          $selectNamesQuery->execute();
+          $names = $selectNamesQuery->get_result();
           while($name = $names->fetch_assoc()){$IName = $name["Name"];}
           $current->addIngredient($IID, $IAmount, $IUnit, $IName);
         }
@@ -103,7 +127,10 @@
       $import = json_decode($_POST["content"]);
       if($import->sites!=null){
         foreach ($import->sites as $site) {
-          $result = $mysqli->query("SELECT * FROM `Rezept` WHERE `Name`='$site->Name'");
+          $selectQuery = $mysqli->prepare("SELECT * FROM `Rezept` WHERE `Name`=?;");
+          $selectQuery->bind_param("s", $site->Name);
+          $selectQuery->execute();
+          $result = $selectQuery->get_result();
           if($result->num_rows>0){
             array_push($failed_sites, $site);
           }
@@ -132,53 +159,83 @@
 
     function newRecipe($Name, $Dauer, $Beschreibung, $Zutaten){
       include $_SESSION["docroot"].'/php/connect.php';
-      $mysqli->query("INSERT INTO `Rezept` (`Name`, `Dauer`, `Beschreibung`) VALUES ('$Name', '$Dauer', '$Beschreibung')");
+      $insertQuery = $mysqli->prepare("INSERT INTO `Rezept` (`Name`, `Dauer`, `Beschreibung`) VALUES (?, ?, ?);");
+      $insertQuery->bind_param("sss", $Name, $Dauer, $Beschreibung);
+      $insertQuery->execute();
       $RezeptID = $mysqli->insert_id;
       foreach ($Zutaten as $Zutat) {
         $ZutatID = null;
-        $result = $mysqli->query("SELECT ID FROM `Zutat` WHERE `Name` LIKE '".$Zutat["Name"]."'");
+        $selectIngredientsQuery = $mysqli->prepare("SELECT ID FROM `Zutat` WHERE `Name` LIKE ?;");
+        $selectIngredientsQuery->bind_param("s", $Zutat["Name"]);
+        $selectIngredientsQuery->execute();
+        $result = $selectIngredientsQuery->get_result();
         if($result->num_rows>0){
           $item = $result->fetch_assoc();
           $ZutatID = $item["ID"];
         }
         else{
-          $mysqli->query("INSERT INTO `Zutat` (`Name`) VALUES ('".ucwords($Zutat["Name"])."')");
+          $UppercaseName = ucwords($Zutat["Name"]);
+          $insertIngredientsQuery = $mysqli->prepare("INSERT INTO `Zutat` (`Name`) VALUES (?);");
+          $insertIngredientsQuery->bind_param("s", $UppercaseName);
+          $insertIngredientsQuery->execute();
           $ZutatID = $mysqli->insert_id;
         }
-        $mysqli->query("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES ('{$RezeptID}','{$Zutat["Amount"]}','{$Zutat["Unit"]}','{$ZutatID}');");
+        $inserRecipeQuery = $mysqli->prepare("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES (?,?,?,?);");
+        $inserRecipeQuery->bind_param("ssss", $RezeptID, $Zutat["Amount"], $Zutat["Unit"], $ZutatID);
+        $inserRecipeQuery->execute();
       }
       $mysqli->close();
     }
 
     function updateRecipe($ID, $Name, $Dauer, $Beschreibung, $Zutaten){
       include $_SESSION["docroot"].'/php/connect.php';
-      $mysqli->query("UPDATE `Rezept` SET `Name` = '$Name', `Dauer` = '$Dauer', `Beschreibung` = '$Beschreibung' WHERE `Rezept`.`ID` = $ID;");
-      $mysqli->query("DELETE FROM RezeptZutat WHERE Rezept = $ID");
+      $updateQuery = $mysqli->prepare("UPDATE `Rezept` SET `Name` = ?, `Dauer` = ?, `Beschreibung` = ? WHERE `Rezept`.`ID` = ?;");
+      $updateQuery->bind_param("ssss", $Name, $Dauer, $Beschreibung, $ID);
+      $updateQuery->execute();
+      $deleteQuery = $mysqli->prepare("DELETE FROM RezeptZutat WHERE Rezept = ?;");
+      $deleteQuery->bind_param("s", $ID);
+      $deleteQuery->execute();
       foreach ($Zutaten as $Zutat) {
         $ZutatID = null;
-        $result = $mysqli->query("SELECT ID FROM `Zutat` WHERE `Name` LIKE '".$Zutat["Name"]."'");
+        $selectIngredientsQuery = $mysqli->prepare("SELECT ID FROM `Zutat` WHERE `Name` LIKE ?;");
+        $selectIngredientsQuery->bind_param("s", $Zutat["Name"]);
+        $selectIngredientsQuery->execute();
+        $result = $selectIngredientsQuery->get_result();
         if($result->num_rows>0){
           while($item = $result->fetch_assoc()){ $ZutatID = $item["ID"];}
         }
         else{
-          $mysqli->query("INSERT INTO `Zutat` (`Name`) VALUES ('".ucwords($Zutat["Name"])."')");
+          $uppercaseName = ucwords($Zutat["Name"]);
+          $insertIngredientsQuery = $mysqli->prepare("INSERT INTO `Zutat` (`Name`) VALUES (?);");
+          $insertIngredientsQuery->bind_param("s", $uppercaseName);
+          $insertIngredientsQuery->execute();
           $ZutatID = $mysqli->insert_id;
         }
-        $mysqli->query("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES ('{$ID}','{$Zutat["Amount"]}','{$Zutat["Unit"]}','{$ZutatID}');");
+        $insertRecipeIngredientsQuery = $mysqli->prepare("INSERT INTO `RezeptZutat` (`Rezept`,`Menge`,`Einheit`,`Zutat`) VALUES (?,?,?,?);");
+        $insertRecipeIngredientsQuery->bind_param("ssss", $ID, $Zutat["Amount"], $Zutat["Unit"], $ZutatID);
+        $insertRecipeIngredientsQuery->execute();
       }
     }
 
     function removeRecipe($ID){
       include $_SESSION["docroot"].'/php/connect.php';
-      $mysqli->query("DELETE FROM `RezeptZutat` WHERE `Rezept`=$ID");
-      $mysqli->query("DELETE FROM Rezept WHERE ID=$ID");
+      $deleteQuery = $mysqli->prepare("DELETE FROM `RezeptZutat` WHERE `Rezept`=?;");
+      $deleteQuery->bind_param("s", $ID);
+      $deleteQuery->execute();
+      $deleteQuery = $mysqli->prepare("DELETE FROM Rezept WHERE ID=?;");
+      $deleteQuery->bind_param("s", $ID);
+      $deleteQuery->execute();
       $mysqli->close();
     }
 
     function getAllIngredientsContaining($q){
       include $_SESSION["docroot"].'/php/connect.php';
       $values = array();
-      $result = $mysqli->query("SELECT Name FROM Zutat WHERE Name LIKE '%$q%' ORDER BY Name ASC");
+      $filterValue = "%$q%";
+      $selectQuery = $mysqli->prepare("SELECT Name FROM Zutat WHERE Name LIKE ? ORDER BY Name ASC");
+      $selectQuery->bind_param("s", $filterValue);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       while($item = $result->fetch_assoc()){
         array_push($values, $item["Name"]);
       }

php/classes.user.php

@@ -5,8 +5,10 @@
 
     function get_info($session_id) {
       include $_SESSION["docroot"].'/php/connect.php';
-      $query = "SELECT uid, username, email, theme, last_login, salt FROM `users` WHERE `uid` = (SELECT user FROM `sessions` WHERE `session_id` = \"$session_id\")";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT uid, username, email, theme, last_login, salt FROM `users` WHERE `uid` = (SELECT user FROM `sessions` WHERE `session_id` = ?);");
+      $selectQuery->bind_param("s", $session_id);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       $user = $result->fetch_assoc();
       $this->uid = $user["uid"];
       $this->username = $user["username"];
@@ -21,11 +23,15 @@
       include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $current_pwhash = hash_password($current, $this->salt);
-      $query = "SELECT `uid` FROM `users` WHERE `uid` = $this->uid AND `password` = '$current_pwhash'";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT `uid` FROM `users` WHERE `uid` = ? AND `password` = ?;");
+      $selectQuery->bind_param("ss", $this->uid, $current_pwhash);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows===1){
         $new_pwdhash = hash_password($new, $this->salt);
-        $mysqli->query("UPDATE `users` SET `password` = '$new_pwdhash' WHERE `users`.`uid` = $this->uid;");
+        $updateQuery = $mysqli->prepare("UPDATE `users` SET `password` = ? WHERE `users`.`uid` = ?;");
+        $updateQuery->bind_param("ss", $new_pwdhash, $this->uid);
+        $updateQuery->execute();
         $mysqli->close();
         print_r("0");
       }
@@ -35,20 +41,25 @@
     }
 
     function change_mail($mailaddress){
-      include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $this->mail = $mailaddress;
-      $result = $mysqli->query("UPDATE `users` SET `email` = '$mailaddress' WHERE `users`.`uid` = $this->uid;");
+      $updateQuery = $mysqli->prepare("UPDATE `users` SET `email` = ? WHERE `users`.`uid` = ?;");
+      $updateQuery->bind_param("ss", $mailaddress, $this->uid);
+      $updateQuery->execute();
       $mysqli->close();
     }
 
     function change_username($newname){
-      include $_SESSION["docroot"].'/php/hash.php';
       include $_SESSION["docroot"].'/php/connect.php';
       $this->username = $newname;
-      $result = $mysqli->query("SELECT * WHERE `username` = $this->username;");
+      $selectQuery = $mysqli->prepare("SELECT * FROM `users` WHERE `username` =  ?;");
+      $selectQuery->bind_param("s", $this->username);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows==0){
-        $result = $mysqli->query("UPDATE `users` SET `username` = '$newname' WHERE `users`.`uid` = $this->uid;");
+        $updateQuery = $mysqli->prepare("UPDATE `users` SET `username` = ? WHERE `users`.`uid` = ?;");
+        $updateQuery->bind_param("ss", $newname, $this->uid);
+        $updateQuery->execute();
         print_r("0");
       }
       else{
@@ -59,7 +70,9 @@
 
     function change_theme($theme){
       include $_SESSION["docroot"].'/php/connect.php';
-      $result = $mysqli->query("UPDATE `users` SET `theme` = '$theme' WHERE `users`.`uid` = $this->uid;");
+      $updateQuery = $mysqli->prepare("UPDATE `users` SET `theme` = ? WHERE `users`.`uid` = ?;");
+      $updateQuery->bind_param("ss", $theme, $this->uid);
+      $updateQuery->execute();
       if($result){
         print_r("0");
       }
@@ -72,13 +85,17 @@
       include $_SESSION["docroot"].'/php/connect.php';
       include $_SESSION["docroot"].'/php/hash.php';
 
-      $query = "SELECT `uid` FROM `users` WHERE `username` = '$uname'";
-      $result = $mysqli->query($query);
+      $selectQuery = $mysqli->prepare("SELECT `uid` FROM `users` WHERE `username` = ?;");
+      $selectQuery->bind_param("s", $uname);
+      $selectQuery->execute();
+      $result = $selectQuery->get_result();
       if($result->num_rows==0){
         $salt = create_salt();
         $passhash = hash_password($password, $salt);
-        $query = "INSERT INTO `users` (`username`, `password`, `salt`, `last_login`) VALUES ('$uname', '$passhash', '$salt', CURRENT_TIMESTAMP);";
-        $result = $mysqli->query($query);
+        $insertQuery = $mysqli->prepare("INSERT INTO `users` (`username`, `password`, `salt`, `last_login`) VALUES (?, ?, ?, CURRENT_TIMESTAMP);");
+        $insertQuery->bind_param("sss", $uname, $passhash, $salt);
+        $insertQuery->execute();
+        $result = $insertQuery->get_result();
         unset($salt);
         unset($password);
         print_r(0);

php/edit-list.php

@@ -4,7 +4,8 @@
 
   switch ($_GET["function"]) {
     case 'new':
-      $shopping->newItem($_POST["anzahl"], $_POST["einheit"], $_POST["name"]);
+      $newID = $shopping->newItem($_POST["anzahl"], $_POST["einheit"], $_POST["name"]);
+      setcookie("newItem", "$newID", 0, "/", "");
       header("Location: /list");
       break;
 

php/login.php

@@ -4,9 +4,10 @@ include $_SESSION["docroot"].'/config/config.php';
 include $_SESSION["docroot"].'/php/connect.php';
 include $_SESSION["docroot"].'/php/hash.php';
 
-
-$query = 'SELECT `uid`,`username`,`password`,`salt` FROM users WHERE `username`=\''.$_POST['user'].'\';';
-$result = $mysqli->query($query);
+$selectQuery = $mysqli->prepare('SELECT `uid`,`username`,`password`,`salt` FROM users WHERE `username`=?;');
+$selectQuery->bind_param("s", $_POST['user']);
+$selectQuery->execute();
+$result = $selectQuery->get_result();
 
 if ($result->num_rows == 1)
 {
@@ -27,13 +28,24 @@ if ($result->num_rows == 1)
       $session_expiry = date('Y-m-d H:i:s', time()+86400);
     }
 
-    $mysqli->query('INSERT INTO `sessions` (`session_id`, `user`, `expires`) VALUES (\''.$token.'\', \''.$userdetails["uid"].'\', \''.$session_expiry.'\'); ');
+    $insertQuery = $mysqli->prepare('INSERT INTO `sessions` (`session_id`, `user`, `expires`) VALUES (?,?,?);');
+    $insertQuery->bind_param("sss", $token, $userdetails["uid"], $session_expiry);
+    $insertQuery->execute();
 
   }
-    $mysqli->query('UPDATE `users` SET `last_login` = \''.date("Y-m-d H:i:s").'\'  WHERE `uid` = \''.$userdetails["uid"].'\';');
-    $mysqli->close();
-    header("Location: ".$_POST["refurl"]);
-    exit(0);
+  else
+  {
+    setcookie("token", "false", 0, "/", "");
+    header("Location: /");
+    exit(1);
+  }
+  $lastLoginDate = date("Y-m-d H:i:s");
+  $updateQuery = $mysqli->prepare("UPDATE `users` SET `last_login` = ? WHERE `uid` = ?;");
+  $updateQuery->bind_param("ss", $lastLoginDate, $userdetails["uid"]);
+  $updateQuery->execute();
+  $mysqli->close();
+  header("Location: ".$_POST["refurl"]);
+  exit(0);
 }
 else
 {
@@ -41,4 +53,4 @@ else
   header("Location: /");
   exit(1);
 }
-?>
+?>

php/logout.php

@@ -3,7 +3,9 @@ session_start();
 include $_SESSION["docroot"].'/config/config.php';
 include $_SESSION["docroot"].'/php/connect.php';
 
-$mysqli->query('DELETE FROM `sessions` WHERE `session_id`=\''.$_COOKIE["token"].'\';');
+$deleteQuery = $mysqli->prepare('DELETE FROM `sessions` WHERE `session_id`=?;');
+$deleteQuery->bind_param("s", $_COOKIE["token"]);
+$deleteQuery->execute();
 
 unset($_SESSION);
 session_destroy();

style/helper.css

@@ -1,9 +1,9 @@
 .toast {
     right: 0;
     left: unset !important;
-    pointer-events: none
+    pointer-events: none;
 }
 
-.close_toast {
-    pointer-events: all;
+.list-row {
+    transition: .5s;
 }

style/themes/cyborg.css

@@ -1,4 +1,4 @@
-@import url("/fonts/roboto/Roboto-Regular.ttf");
+@import url("https://fonts.googleapis.com/css?family=Roboto:400,700");
 :root {
   --blue: #2A9FD6;
   --indigo: #6610f2;

style/themes/flatly.css

@@ -1,4 +1,4 @@
-@import url("/fonts/lato/Lato-Regular.ttf");
+@import url("https://fonts.googleapis.com/css?family=Lato:400,700,400italic");
 :root {
   --blue: #2C3E50;
   --indigo: #6610f2;

style/themes/journal.css

@@ -1,4 +1,4 @@
-@import url("/fonts/newscycle/NewsCycle-Regular.ttf");
+@import url("https://fonts.googleapis.com/css?family=News+Cycle:400,700");
 :root {
   --blue: #EB6864;
   --indigo: #6610f2;

style/themes/sandstone.css

@@ -1,4 +1,4 @@
-@import url("/fonts/roboto/Roboto-Regular.ttf");
+@import url("https://fonts.googleapis.com/css?family=Roboto:400,500,700");
 :root {
   --blue: #325D88;
   --indigo: #6610f2;