"> // If URL contains &, first pass: & → & second pass: & → & // Result: Broken URL that doesn't work. // // BUG #3 (Open Redirect): // htmlspecialchars() only prevents XSS, NOT open redirects. // An attacker could craft: // terms.php?from=enrollment&return=https://evil.com/phishing // The form would submit to the malicious URL. // // AFTER: Validate URL is internal path-only, encode ONLY at output time. $returnUrl = 'enrollment-form.php'; // Safe default if (isset($_GET['return']) && is_string($_GET['return'])) { $rawReturn = trim($_GET['return']); // Only allow safe relative paths: // - No protocol (://) // - No protocol-relative (//) // - No backslashes (path traversal) // - Only alphanumeric, hyphens, underscores, dots, slashes, and query chars if ( !empty($rawReturn) && strpos($rawReturn, '://') === false && strpos($rawReturn, '//') !== 0 && strpos($rawReturn, '\\') === false && substr($rawReturn, 0, 1) !== '/' && preg_match('/^[a-zA-Z0-9\-_\.\/\?&=%]+$/', $rawReturn) ) { // Whitelist allowed pages $allowedPages = [ 'enrollment-form.php', 'courses.php', 'index.php' ]; // Extract base filename for whitelist check $basePage = strtok($rawReturn, '?'); if (in_array($basePage, $allowedPages, true)) { $returnUrl = $rawReturn; // Store raw — encode only at output } } } // ========== END FIX #2 & #3 ========== // ========== FIX #4 & #5: Terms acceptance with session storage & CSRF ========== // BEFORE: Form used method="GET" with hidden field terms_accepted=1 // and redirected via form action to the return URL. // BUG #4: Anyone could bypass by typing enrollment-form.php?terms_accepted=1 // BUG #5: No CSRF token — form submission could be forged by a malicious site. // // AFTER: - POST form with CSRF token // - Store acceptance in $_SESSION (can't be spoofed via URL) // - Validate CSRF before accepting // Generate CSRF token if not exists if (empty($_SESSION['terms_csrf_token'])) { $_SESSION['terms_csrf_token'] = bin2hex(random_bytes(32)); } $csrfToken = $_SESSION['terms_csrf_token']; // Handle POST — Terms Acceptance if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['accept_terms'])) { $submittedToken = $_POST['csrf_token'] ?? ''; if (!empty($submittedToken) && hash_equals($csrfToken, $submittedToken)) { // Valid submission — store in session $_SESSION['terms_accepted'] = true; $_SESSION['terms_accepted_at'] = date('Y-m-d H:i:s'); // Regenerate CSRF token after use (one-time use) $_SESSION['terms_csrf_token'] = bin2hex(random_bytes(32)); // Redirect to enrollment form header('Location: ' . $returnUrl); exit; } else { $csrfError = 'Security token expired. Please try again.'; } } // ========== END FIX #4 & #5 ========== ?> Terms & Conditions - Skills Way Vocational Institute

Terms & Conditions

Please read these terms carefully before enrolling

Last updated: April 07, 2026
Table of Contents

1. Acceptance of Terms

By enrolling in Skills Way Vocational Institute ("the Institute"), you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions. These terms constitute a legally binding agreement between you and the Institute.

Important: If you do not agree with any part of these terms, please do not proceed with enrollment.

2. Enrollment & Admission

Enrollment at Skills Way Vocational Institute is subject to the following conditions:

  • All applications are subject to review and approval by the Institute administration
  • Minimum age requirement is 16 years at the time of enrollment
  • Valid CNIC (Computerized National Identity Card) or B-Form is required
  • Providing false or misleading information may result in immediate application rejection or dismissal
  • Admission is granted on a first-come, first-served basis subject to seat availability
  • The Institute reserves the right to deny admission without stating reasons

3. Fees & Payment

All financial obligations must be met according to the following terms:

  • Course fees must be paid as per the agreed payment schedule
  • Registration fee of PKR 1,000 is non-refundable under any circumstances
  • Late payment beyond 7 days may result in a 5% late fee surcharge
  • Continued non-payment may result in course suspension or termination
  • All fees are subject to change with 30 days prior notice
  • Payment can be made via cash, bank transfer, or approved digital payment methods

4. Student Conduct

All students are expected to maintain professional conduct:

  • Treat all staff, instructors, and fellow students with respect and dignity
  • Maintain discipline during classes and on Institute premises
  • Dress appropriately according to the Institute's dress code
  • Refrain from any form of harassment, bullying, or discrimination
  • No smoking, alcohol, or prohibited substances on Institute premises
  • Protect and respect Institute property and equipment
  • Mobile phones must be on silent during class sessions
Warning: Violation of conduct rules may result in disciplinary action, suspension, or permanent dismissal without refund.

5. Attendance Policy

  • Minimum 80% attendance is mandatory for course completion
  • Students must arrive on time; late arrivals may be marked absent
  • Medical leave requires a valid medical certificate within 3 days
  • Prior approval is required for planned absences
  • Three consecutive unexplained absences may result in course withdrawal

6. Course Completion

To successfully complete a course and receive certification:

  • Maintain minimum 80% attendance throughout the course duration
  • Complete all required assignments and projects on time
  • Pass all examinations with a minimum score of 50%
  • Clear all outstanding fees and dues
  • Certificates will be issued within 30 days of course completion
  • Duplicate certificates can be issued for a fee of PKR 500

7. Refund Policy

Refunds are processed according to the following schedule:

  • 100% tuition refund (excluding registration fee) if withdrawn before course start
  • 75% tuition refund if withdrawn within first week of classes
  • 50% tuition refund if withdrawn within first two weeks
  • No refund after two weeks from course commencement
  • Refund requests must be submitted in writing
  • Refunds will be processed within 15-30 business days

8. Limitation of Liability

The Institute's liability is limited as follows:

  • The Institute is not liable for personal injury except in cases of proven negligence
  • Loss or damage to personal property is the student's responsibility
  • The Institute is not responsible for job placement or employment outcomes
  • Course content and schedules may be modified as deemed necessary
  • The Institute is not liable for circumstances beyond its control (force majeure)

9. Privacy Policy

Your privacy is important to us:

  • Personal information is collected solely for enrollment and administrative purposes
  • Student data will not be shared with third parties without consent
  • The Institute may use student photos for promotional purposes unless opted out
  • Students may request access to their personal data at any time
  • Data is stored securely and protected against unauthorized access

10. Contact Information

For questions, concerns, or clarifications regarding these terms, please contact us:

Email:
skillswayvocational@gmail.com

Phone:
Contact Support

Address:
Khanpur, Pakistan
Vocational Training Institute

Office Hours:
Mon-Sat: 9:00 AM - 5:00 PM

Proceed to Enrollment Back to Home