AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove some tags there and here some more output formatting all thanks to the great security researcher @indevi0us for pointing these out to us.

This commit is contained in:
johnnyq 2022-12-21 21:31:51 -05:00
parent 9036fe6853
commit 2a16b6d2ae
45 changed files with 150 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
accounts.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "account_name";
}
@ -27,7 +27,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Accounts">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Accounts">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

10
categories.php
View File

@ -1,13 +1,13 @@
<?php include("inc_all_settings.php");
if(isset($_GET['category'])){
$category = mysqli_real_escape_string($mysqli,$_GET['category']);
$category = strip_tags(mysqli_real_escape_string($mysqli,$_GET['category']));
}else{
$category = "Expense";
}
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "category_name";
}
@ -42,18 +42,18 @@ $colors_diff = array_diff($colors_array,$colors_used_array);
<div class="card card-dark">
<div class="card-header py-2">
<h3 class="card-title mt-2"><i class="fa fa-fw fa-list"></i> <?php echo $category; ?> Categories</h3>
<h3 class="card-title mt-2"><i class="fa fa-fw fa-list"></i> <?php echo htmlentities($category); ?> Categories</h3>
<div class="card-tools">
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addCategoryModal"><i class="fas fa-fw fa-plus"></i> New</button>
</div>
</div>
<div class="card-body">
<form autocomplete="off">
<input type="hidden" name="category" value="<?php echo $category; ?>">
<input type="hidden" name="category" value="<?php echo htmlentities($category); ?>">
<div class="row">
<div class="col-sm-4 mb-2">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Categories">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Categories">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

8
client_assets.php
View File

@ -32,7 +32,7 @@ $row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT(*) AS count FROM as
$other_count = $row['count'];
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "asset_name";
}
@ -75,18 +75,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="card-header py-2">
<h3 class="card-title mt-2"><i class="fa fa-fw fa-desktop"></i> Assets</h3>
<div class="card-tools">
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addAssetModal"><i class="fas fa-fw fa-plus"></i> New <?php if(!empty($_GET['type'])){ echo ucwords(strip_tags($_GET['type'])); }else{ echo "Asset"; } ?></button>
<button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addAssetModal"><i class="fas fa-fw fa-plus"></i> New <?php if(!empty($_GET['type'])){ echo ucwords(strip_tags(htmlentities($_GET['type']))); }else{ echo "Asset"; } ?></button>
</div>
</div>
<div class="card-body">
<form autocomplete="off">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="type" value="<?php echo strip_tags($_GET['type']); ?>">
<input type="hidden" name="type" value="<?php echo strip_tags(htmlentities($_GET['type'])); ?>">
<div class="row">
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php if(!empty($_GET['type'])){ echo ucwords(strip_tags($_GET['type'])); }else{ echo "Asset"; } ?>s">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search <?php if(!empty($_GET['type'])){ echo ucwords(strip_tags(htmlentities($_GET['type']))); }else{ echo "Asset"; } ?>s">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_certificates.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "certificate_name";
}
@ -33,7 +33,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Certificates">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Certificates">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

6
client_contacts.php
View File

@ -3,7 +3,7 @@
<?php
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli,$_GET['q']));
//Phone Numbers
$n = preg_replace("/[^0-9]/", '',$q);
if(empty($n)){
@ -16,7 +16,7 @@ if(isset($_GET['q'])){
}
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "contact_name";
}
@ -48,7 +48,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Contacts">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Contacts">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_documents.php
View File

@ -11,7 +11,7 @@ if(!empty($_GET['folder_id'])){
// Sort by
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "document_name";
}
@ -130,7 +130,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<input type="hidden" name="client_id" value="<?php echo intval($client_id); ?>">
<input type="hidden" name="folder_id" value="<?php echo $get_folder_id; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Documents">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Documents">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

4
client_domains.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "domain_name";
}
@ -34,7 +34,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Domains">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Domains">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_invoices.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "invoice_number";
}
@ -41,7 +41,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Invoices">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Invoices">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

6
client_locations.php
View File

@ -3,7 +3,7 @@
<?php
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli,$_GET['q']));
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '',$q);
if(empty($phone_query)){
@ -15,7 +15,7 @@ if(isset($_GET['q'])){
}
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "location_name";
}
@ -47,7 +47,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Locations">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Locations">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_logins.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "login_name";
}
@ -34,7 +34,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Passwords">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Passwords">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_logs.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "log_id";
}
@ -40,7 +40,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Logs">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Logs">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_networks.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "network_name";
}
@ -35,7 +35,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Networks">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Networks">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_payments.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "payment_date";
}
@ -39,7 +39,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Payments">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Payments">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_quotes.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "quote_number";
}
@ -41,7 +41,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Quotes">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Quotes">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_recurring_invoices.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "recurring_id";
}
@ -35,7 +35,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Recurring Invoices">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Recurring Invoices">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_scheduled_tickets.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "scheduled_ticket_subject";
}
@ -38,7 +38,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Scheduled Tickets">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Scheduled Tickets">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_services.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "service_name";
}
@ -34,7 +34,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<form autocomplete="off">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Services">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Services">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

4
client_shared_items.php
View File

@ -3,7 +3,7 @@
<?php
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli,$_GET['q']));
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '',$q);
if(empty($phone_query)){
@ -42,7 +42,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Shared Items">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Shared Items">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_software.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "software_name";
}
@ -35,7 +35,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Licenses">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Licenses">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
client_tickets.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "ticket_number";
}
@ -45,7 +45,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Tickets">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Tickets">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

8
client_trips.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "trip_date";
}
@ -16,8 +16,8 @@ if(!isset($_GET['o'])){
//Date From and Date To Filter
if(isset($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}else{
$dtf = "0000-00-00";
$dtt = "9999-00-00";
@ -52,7 +52,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Trips">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Trips">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

6
client_vendors.php
View File

@ -3,7 +3,7 @@
<?php
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli,$_GET['q']));
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '',$q);
if(empty($phone_query)){
@ -15,7 +15,7 @@ if(isset($_GET['q'])){
}
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "vendor_name";
}
@ -45,7 +45,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Vendors">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Vendors">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

14
clients.php
View File

@ -15,7 +15,7 @@ if(isset($_GET['p'])){
//Custom Query Filter
if(isset($_GET['query'])){
$query = mysqli_real_escape_string($mysqli,$_GET['query']);
$query = strip_tags(mysqli_real_escape_string($mysqli,$_GET['query']));
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '',$query);
if(empty($phone_query)){
@ -28,7 +28,7 @@ if(isset($_GET['query'])){
//Column Filter
if(!empty($_GET['sortby'])){
$sortby = mysqli_real_escape_string($mysqli,$_GET['sortby']);
$sortby = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sortby']));
}else{
$sortby = "client_accessed_at";
}
@ -55,8 +55,8 @@ if(empty($_GET['canned_date'])) {
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['date_from'])){
$date_from = mysqli_real_escape_string($mysqli,$_GET['date_from']);
$date_to = mysqli_real_escape_string($mysqli,$_GET['date_to']);
$date_from = strip_tags(mysqli_real_escape_string($mysqli,$_GET['date_from']));
$date_to = strip_tags(mysqli_real_escape_string($mysqli,$_GET['date_to']));
}elseif($_GET['canned_date'] == "today"){
$date_from = date('Y-m-d');
$date_to = date('Y-m-d');
@ -119,7 +119,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="query" value="<?php if(isset($query)){echo stripslashes($query);} ?>" placeholder="Search Clients" autofocus>
<input type="search" class="form-control" name="query" value="<?php if(isset($query)){echo stripslashes(htmlentities($query));} ?>" placeholder="Search Clients" autofocus>
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -148,13 +148,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo $date_from; ?>">
<input type="date" class="form-control" name="date_from" max="2999-12-31" value="<?php echo htmlentities($date_from); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo $date_to; ?>">
<input type="date" class="form-control" name="date_to" max="2999-12-31" value="<?php echo htmlentities($date_to); ?>">
</div>
</div>
</div>

4
companies.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "company_name";
}
@ -28,7 +28,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Companies">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Companies">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

12
expenses.php
View File

@ -3,7 +3,7 @@
//$o = "DESC";
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "expense_date";
}
@ -22,8 +22,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -83,7 +83,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Expenses">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Expenses">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -117,13 +117,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

2
global_search.php
View File

@ -4,7 +4,7 @@
if(isset($_GET['query'])){
$query = mysqli_real_escape_string($mysqli,$_GET['query']);
$query = strip_tags(mysqli_real_escape_string($mysqli,$_GET['query']));
$phone_query = preg_replace("/[^0-9]/", '',$query);
if(empty($phone_query)){

8
invoices.php
View File

@ -85,8 +85,8 @@
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -201,11 +201,11 @@
<div class="card-body">
<form class="mb-4" autocomplete="off">
<input type="hidden" name="status" value="<?php if(isset($_GET['status'])){ echo strip_tags($_GET['status']); } ?>">
<input type="hidden" name="status" value="<?php if(isset($_GET['status'])){ echo htmlentities($_GET['status']); } ?>">
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Invoices">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Invoices">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>

10
logs.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "log_id";
}
@ -20,8 +20,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -68,14 +68,14 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="card card-dark">
<div class="card-header">
<h3 class="card-title"><i class="fa fa-fw fa-eye"></i> Audit Logs <?php echo $extended_query; ?></h3>
<h3 class="card-title"><i class="fa fa-fw fa-eye"></i> Audit Logs</h3>
</div>
<div class="card-body">
<form class="mb-4" autocomplete="off">
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search audit logs">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search audit logs">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>

12
notifications_dismissed.php
View File

@ -2,7 +2,7 @@
//Column Filter
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "notification_timestamp";
}
@ -15,8 +15,8 @@ if(!isset($_GET['o'])){
//Date From and Date To Filter
if(!empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}else{
$dtf = "0000-00-00";
$dtt = "9999-00-00";
@ -44,7 +44,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Dismissed Notifications">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Dismissed Notifications">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>
@ -59,13 +59,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

2
pagination_head.php
View File

@ -34,7 +34,7 @@ if(isset($_GET['o'])){
// Search
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,trim($_GET['q']));
$q = strip_tags(mysqli_real_escape_string($mysqli,trim($_GET['q'])));
}else{
$q = "";
}

12
payments.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "payment_date";
}
@ -20,8 +20,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -78,7 +78,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Payments">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Payments">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -107,13 +107,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

4
products.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "product_name";
}
@ -32,7 +32,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Products">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Products">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

12
quotes.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "quote_number";
}
@ -20,8 +20,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -79,7 +79,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Quotes">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Quotes">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -108,13 +108,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

12
recurring_invoices.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "recurring_next_date";
}
@ -14,8 +14,8 @@ if(empty($_GET['canned_date'])) {
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -79,7 +79,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Recurring Invoices">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Recurring Invoices">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -108,13 +108,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

12
revenues.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "revenue_date";
}
@ -20,8 +20,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -79,7 +79,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Revenues">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Revenues">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -108,13 +108,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

4
scheduled_tickets.php
View File

@ -2,7 +2,7 @@
include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "scheduled_ticket_subject";
}
@ -34,7 +34,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-4">
<div class="input-group mb-3 mb-md-0">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Scheduled Tickets">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Scheduled Tickets">
<div class="input-group-append">
<button class="btn btn-dark"><i class="fa fa-search"></i></button>
</div>

4
settings_api.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "api_key_name";
}
@ -29,7 +29,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search keys">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search keys">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

4
settings_tags.php
View File

@ -3,7 +3,7 @@
<?php
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "tag_name";
}
@ -51,7 +51,7 @@ $colors_diff = array_diff($colors_array,$colors_used_array);
<div class="col-sm-4 mb-2">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Tags">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Tags">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

2
settings_taxes.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "tax_name";
}

4
side_nav.php
View File

@ -15,7 +15,7 @@
<div class="dropdown brand-link">
<a class="" href="#" data-toggle="dropdown">
<h3 class="brand-text text-light mb-0"><?php echo $session_company_name; ?> <small><i class="fa fa-caret-down"></i></small></h3>
<h3 class="brand-text text-light mb-0"><?php echo htmlentities($session_company_name); ?> <small><i class="fa fa-caret-down"></i></small></h3>
</a>
<ul class="dropdown-menu">
@ -48,7 +48,7 @@
<form class="form-inline mb-3" action="global_search.php">
<div class="input-group">
<input class="form-control form-control-sidebar" type="search" placeholder="Search" name="query" value="<?php if(isset($_GET['query'])){ echo strip_tags($_GET['query']); } ?>">
<input class="form-control form-control-sidebar" type="search" placeholder="Search" name="query" value="<?php if(isset($_GET['query'])){ echo htmlentities($_GET['query']); } ?>">
<div class="input-group-append">
<button class="btn btn-sidebar" type="submit">
<i class="fas fa-search"></i>

16
tickets.php
View File

@ -12,13 +12,13 @@ if (isset($_GET['p'])) {
}
if (isset($_GET['q'])) {
$q = mysqli_real_escape_string($mysqli, $_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli, $_GET['q']));
} else {
$q = "";
}
if (!empty($_GET['sb'])) {
$sb = mysqli_real_escape_string($mysqli, $_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb']));
} else {
$sb = "ticket_number";
}
@ -74,8 +74,8 @@ if (empty($_GET['canned_date'])) {
}
if ($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])) {
$dtf = mysqli_real_escape_string($mysqli, $_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli, $_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtt']));
} elseif ($_GET['canned_date'] == "today") {
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -176,7 +176,7 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if (isset($q)) {
echo htmlentities($q);
echo stripslashes(htmlentities($q));
} ?>" placeholder="Search Tickets">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse"
@ -252,13 +252,13 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
<div class="col-md-2">
@ -386,7 +386,7 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];
$ticket_assigned_to_display = "<p class='text-danger'>Not Assigned</p>";
}
} else {
$ticket_assigned_to_display = $row['user_name'];
$ticket_assigned_to_display = htmlentities($row['user_name']);
}
if (empty($contact_name)) {

12
transfers.php
View File

@ -2,7 +2,7 @@
//Column Sortby Filter
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "transfer_date";
}
@ -21,8 +21,8 @@ if(empty($_GET['canned_date'])){
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -80,7 +80,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Transfers">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Transfers">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -109,13 +109,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

12
trips.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "trip_date";
}
@ -20,8 +20,8 @@
//Date Filter
if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}elseif($_GET['canned_date'] == "today"){
$dtf = date('Y-m-d');
$dtt = date('Y-m-d');
@ -84,7 +84,7 @@
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Trips">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){ echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Trips">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -118,13 +118,13 @@
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>

4
users.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all_settings.php");
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "user_name";
}
@ -29,7 +29,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Users">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Users">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

14
vendors.php
View File

@ -1,7 +1,7 @@
<?php include("inc_all.php");
if(isset($_GET['q'])){
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
$q = strip_tags(mysqli_real_escape_string($mysqli,$_GET['q']));
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '',$q);
if(empty($phone_query)){
@ -14,15 +14,15 @@ if(isset($_GET['q'])){
//Column Filter
if(!empty($_GET['sb'])){
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
$sb = strip_tags(mysqli_real_escape_string($mysqli,$_GET['sb']));
}else{
$sb = "vendor_name";
}
//Date From and Date To Filter
if(!empty($_GET['dtf'])){
$dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
$dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
$dtf = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtf']));
$dtt = strip_tags(mysqli_real_escape_string($mysqli,$_GET['dtt']));
}else{
$dtf = "0000-00-00";
$dtt = "9999-00-00";
@ -56,7 +56,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Vendors">
<input type="search" class="form-control" name="q" value="<?php if(isset($q)){echo stripslashes(htmlentities($q));} ?>" placeholder="Search Vendors">
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
@ -69,13 +69,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="col-md-2">
<div class="form-group">
<label>Date From</label>
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo $dtf; ?>">
<input type="date" class="form-control" name="dtf" max="2999-12-31" value="<?php echo htmlentities($dtf); ?>">
</div>
</div>
<div class="col-md-2">
<div class="form-group">
<label>Date To</label>
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo $dtt; ?>">
<input type="date" class="form-control" name="dtt" max="2999-12-31" value="<?php echo htmlentities($dtt); ?>">
</div>
</div>
</div>