diff --git a/clients.php b/clients.php
index 76a666da..03d922a5 100644
--- a/clients.php
+++ b/clients.php
@@ -55,8 +55,8 @@ if (empty($_GET['canned_date'])) {
 //Date Filter
 if ($_GET['canned_date'] == "custom" && !empty($_GET['date_from'])) {
- $date_from = strip_tags(mysqli_real_escape_string($mysqli, $_GET['date_from']));
- $date_to = strip_tags(mysqli_real_escape_string($mysqli, $_GET['date_to']));
+ $date_from = sanitizeInput($_GET['date_from']);
+ $date_to = sanitizeInput($_GET['date_to']);
 } elseif ($_GET['canned_date'] == "today") {
 $date_from = date('Y-m-d');
 $date_to = date('Y-m-d');
@@ -178,10 +178,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $location_city $location_state $location_zip";
 }
- $contact_id = $row['contact_id'];
+ $contact_id = intval($row['contact_id']);
 $contact_name = htmlentities($row['contact_name']);
 $contact_title = htmlentities($row['contact_title']);
 $contact_phone = formatPhoneNumber($row['contact_phone']);
@@ -205,8 +205,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $client_referral = htmlentities($row['client_referral']);
 $client_notes = htmlentities($row['client_notes']);
 $client_created_at = date('Y-m-d', strtotime($row['client_created_at']));
- $client_updated_at = $row['client_updated_at'];
- $client_archive_at = $row['client_archived_at'];
+ $client_updated_at = htmlentities($row['client_updated_at']);
+ $client_archive_at = htmlentities($row['client_archived_at']);
 //Client Tags
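Review bot: The custom branch still takes `date_from` and `date_to` as free-form strings, so `sanitizeInput` (whose definition is not in this diff) escapes them but nothing verifies they are dates, and the guard tests only `!empty($_GET['date_from'])`, so `sanitizeInput($_GET['date_to'])` runs on a possibly missing key. These values presumably feed the listing query that the `FOUND_ROWS()` context at line 178 belongs to, which makes format validation, not escaping, the right control; anything that is not `Y-m-d` can fall back to today, mirroring the `today` branch. The `if`/`elseif` chain continues past the end of this hunk.
```php
if ($_GET['canned_date'] == "custom" && !empty($_GET['date_from'])) {
    // Accept only well-formed Y-m-d values; anything else falls back to today, like the "today" branch
    $date_pattern = '/^\d{4}-\d{2}-\d{2}$/';
    $date_from = preg_match($date_pattern, $_GET['date_from']) ? $_GET['date_from'] : date('Y-m-d');
    $date_to = preg_match($date_pattern, $_GET['date_to'] ?? '') ? $_GET['date_to'] : date('Y-m-d');
// … unchanged: "} elseif" chain for the canned ranges …
```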
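Review bot: `htmlentities($row['client_archived_at'])` on the new side of the @@ -205 hunk will raise a PHP 8.1+ deprecation whenever the column is NULL, which is presumably the state of every client that has not been archived; `$client_updated_at` has the same exposure if that column is nullable. Default the value first, `$client_archive_at = htmlentities($row['client_archived_at'] ?? '');`, and likewise for `client_updated_at`. Note also that `$client_created_at` two lines up is normalised through `date('Y-m-d', strtotime(...))` while these two keep the raw column text, so the three timestamps render in different shapes. The enclosing block starts and ends outside this hunk.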
@@ -215,7 +215,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $sql_client_tags = mysqli_query($mysqli, "SELECT * FROM client_tags LEFT JOIN tags ON client_tags.tag_id = tags.tag_id WHERE client_tags.client_id = $client_id");
 while ($row = mysqli_fetch_array($sql_client_tags)) {
- $client_tag_id = $row['tag_id'];
+ $client_tag_id = intval($row['tag_id']);
 $client_tag_name = htmlentities($row['tag_name']);
 $client_tag_color = htmlentities($row['tag_color']);
 $client_tag_icon = htmlentities($row['tag_icon']);
@@ -236,12 +236,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $sql_invoice_amounts = mysqli_query($mysqli, "SELECT SUM(invoice_amount) AS invoice_amounts FROM invoices WHERE invoice_client_id = $client_id AND invoice_status NOT LIKE 'Draft' AND invoice_status NOT LIKE 'Cancelled' ");
 $row = mysqli_fetch_array($sql_invoice_amounts);
- $invoice_amounts = $row['invoice_amounts'];
+ $invoice_amounts = floatval($row['invoice_amounts']);
 $sql_amount_paid = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS amount_paid FROM payments, invoices WHERE payment_invoice_id = invoice_id AND invoice_client_id = $client_id");
 $row = mysqli_fetch_array($sql_amount_paid);
- $amount_paid = $row['amount_paid'];
+ $amount_paid = floatval($row['amount_paid']);
 $balance = $invoice_amounts - $amount_paid;
 //set Text color on balance
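Review bot: The `intval` lands on `tag_id` read back from the result set, but the value that needs the integer guarantee is `$client_id`, interpolated directly into the `client_tags` query on the first line of this hunk; the same pattern repeats for `$client_id` and `$session_company_id` in the `invoices`, `payments` and `recurring` queries of the hunks at @@ -236 and @@ -255. Where `$client_id` is assigned is outside this diff, so whether it is already cast cannot be confirmed here; a bound parameter removes the question regardless, e.g. `$stmt = mysqli_prepare($mysqli, 'SELECT * FROM client_tags LEFT JOIN tags ON client_tags.tag_id = tags.tag_id WHERE client_tags.client_id = ?'); mysqli_stmt_bind_param($stmt, 'i', $client_id); mysqli_stmt_execute($stmt);`. The `while` loop body continues past the end of the hunk.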
@@ -255,13 +255,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $sql_recurring_monthly_total = mysqli_query($mysqli, "SELECT SUM(recurring_amount) AS recurring_monthly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'month' AND recurring_client_id = $client_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_recurring_monthly_total);
- $recurring_monthly_total = $row['recurring_monthly_total'];
+ $recurring_monthly_total = floatval($row['recurring_monthly_total']);
 //Get Yearly Recurring Total
 $sql_recurring_yearly_total = mysqli_query($mysqli, "SELECT SUM(recurring_amount) AS recurring_yearly_total FROM recurring WHERE recurring_status = 1 AND recurring_frequency = 'year' AND recurring_client_id = $client_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_recurring_yearly_total);
- $recurring_yearly_total = $row['recurring_yearly_total'] / 12;
+ $recurring_yearly_total = floatval($row['recurring_yearly_total']) / 12;
 $recurring_monthly = $recurring_monthly_total + $recurring_yearly_total;
diff --git a/invoice.php b/invoice.php
index 698f090a..6c0ac9a7 100644
--- a/invoice.php
+++ b/invoice.php
@@ -23,20 +23,20 @@ if (isset($_GET['invoice_id'])) {
 }
 $row = mysqli_fetch_array($sql);
- $invoice_id = $row['invoice_id'];
+ $invoice_id = intval($row['invoice_id']);
 $invoice_prefix = htmlentities($row['invoice_prefix']);
 $invoice_number = htmlentities($row['invoice_number']);
 $invoice_scope = htmlentities($row['invoice_scope']);
 $invoice_status = htmlentities($row['invoice_status']);
- $invoice_date = $row['invoice_date'];
- $invoice_due = $row['invoice_due'];
+ $invoice_date = htmlentities($row['invoice_date']);
+ $invoice_due = htmlentities($row['invoice_due']);
 $invoice_amount = floatval($row['invoice_amount']);
 $invoice_currency_code = htmlentities($row['invoice_currency_code']);
 $invoice_note = htmlentities($row['invoice_note']);
 $invoice_url_key = htmlentities($row['invoice_url_key']);
- $invoice_created_at = $row['invoice_created_at'];
- $category_id = $row['invoice_category_id'];
- $client_id = $row['client_id'];
+ $invoice_created_at = htmlentities($row['invoice_created_at']);
+ $category_id = intval($row['invoice_category_id']);
+ $client_id = intval($row['client_id']);
 $client_name = htmlentities($row['client_name']);
 $location_address = htmlentities($row['location_address']);
 $location_city = htmlentities($row['location_city']);
@@ -48,11 +48,11 @@ if (isset($_GET['invoice_id'])) {
 $contact_mobile = formatPhoneNumber($row['contact_mobile']);
 $client_website = htmlentities($row['client_website']);
 $client_currency_code = htmlentities($row['client_currency_code']);
- $client_net_terms = htmlentities($row['client_net_terms']);
+ $client_net_terms = intval($row['client_net_terms']);
 if ($client_net_terms == 0) {
 $client_net_terms = $config_default_net_terms;
 }
- $company_id = $row['company_id'];
+ $company_id = intval($row['company_id']);
 $company_name = htmlentities($row['company_name']);
 $company_country = htmlentities($row['company_country']);
 $company_address = htmlentities($row['company_address']);
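Review bot: `intval($row['invoice_id'])` turns a missing row into `0` rather than an error: `$row = mysqli_fetch_array($sql)` on the line above is never checked, so when the lookup returns no rows every `$row[...]` access warns and the page proceeds with `$invoice_id`, `$category_id` and `$client_id` all zero. Guard before the casts, `if (!$row) { http_response_code(404); exit; }`. The enclosing `if (isset($_GET['invoice_id']))` block starts before and ends after this hunk, and `$sql` is built outside it.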
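Review bot: With `$client_net_terms` now an int from `intval` in the @@ -48 hunk, the comparison two lines below should be strict, `if ($client_net_terms === 0) {`, since loose `== 0` was only needed while the value was a string from `htmlentities`. It is also worth asking whether `0` is the right sentinel for "not set": a client explicitly on net-0 terms is now indistinguishable from one with no terms and receives `$config_default_net_terms` instead; testing `$row['client_net_terms'] === null` would tell the two apart if the column is nullable, which this diff does not show.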
@@ -119,7 +119,7 @@ if (isset($_GET['invoice_id'])) {