From 3c3e0f5f80a6c88f0a09e9c6e38444eb21d01cd2 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sat, 20 Jan 2024 20:49:37 -0500
Subject: [PATCH] Cleaned up guest_pay_invoice_stripe.php incorrect DB Handling for vars was HTML encoding instead of proper SQL escaping
---
 guest_pay_invoice_stripe.php | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/guest_pay_invoice_stripe.php b/guest_pay_invoice_stripe.php
index 8974b865..79306047 100644
--- a/guest_pay_invoice_stripe.php
+++ b/guest_pay_invoice_stripe.php
@@ -252,22 +252,22 @@ if (isset($_GET['invoice_id'], $_GET['url_key']) && !isset($_GET['payment_intent
 // Invoice exists - get details
 $row = mysqli_fetch_array($invoice_sql);
 $invoice_id = intval($row['invoice_id']);
- $invoice_prefix = nullable_htmlentities($row['invoice_prefix']);
+ $invoice_prefix = sanitizeInput(($row['invoice_prefix']);
 $invoice_number = intval($row['invoice_number']);
 $invoice_amount = floatval($row['invoice_amount']);
- $invoice_currency_code = nullable_htmlentities($row['invoice_currency_code']);
- $invoice_url_key = nullable_htmlentities($row['invoice_url_key']);
+ $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
+ $invoice_url_key = sanitizeInput($row['invoice_url_key']);
 $client_id = intval($row['client_id']);
- $client_name = nullable_htmlentities($row['client_name']);
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
 $sql_company = mysqli_query($mysqli, "SELECT * FROM companies WHERE company_id = 1");
 $row = mysqli_fetch_array($sql_company);
- $company_name = mysqli_real_escape_string($mysqli, nullable_htmlentities($row['company_name']));
- $company_phone = nullable_htmlentities($row['company_phone']);
- $company_locale = nullable_htmlentities($row['company_locale']);
+ $company_name = sanitizeInput($row['company_name']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_locale = sanitizeInput($row['company_locale']);
 $config_stripe_client_pays_fees = intval(getSettingValue($mysqli, 'config_stripe_client_pays_fees'));
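Review bot: `$invoice_prefix = sanitizeInput(($row['invoice_prefix']);` has an unbalanced extra `(` and will not parse, which takes the whole guest payment page down rather than just this assignment; it should read `$invoice_prefix = sanitizeInput($row['invoice_prefix']);`. Beyond that, the commit message says sanitizeInput() performs SQL escaping, yet the values it is applied to here (`$contact_name`, `$company_name`, `$company_phone`, and the `$config_invoice_from_*` values in the second hunk) are read out of the database and interpolated into the plaintext e-mail body, not into a query, so a quote or backslash in a client or company name would reach the recipient with escape characters in it (assuming sanitizeInput wraps mysqli_real_escape_string — its definition is not in this patch). Escaping belongs at the sink: keep the raw row values here, escape them in the statement where they are actually bound into SQL, and HTML-encode only at the point where they are rendered into the page. The enclosing `if (isset($_GET['invoice_id'], $_GET['url_key']) ...)` block starts and ends outside both hunks, so whether any later code still relies on the removed `$config_mail_from_email`/`$config_mail_from_name` cannot be seen from this patch.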
@@ -335,14 +335,13 @@ if (isset($_GET['invoice_id'], $_GET['url_key']) && !isset($_GET['payment_intent
 $config_smtp_encryption = $row['config_smtp_encryption'];
 $config_smtp_username = $row['config_smtp_username'];
 $config_smtp_password = $row['config_smtp_password'];
- $config_mail_from_email = $row['config_mail_from_email'];
- $config_mail_from_name = $row['config_mail_from_name'];
- $config_invoice_from_name = $row['config_invoice_from_name'];
- $config_invoice_from_email = $row['config_invoice_from_email'];
+ $config_invoice_from_name = sanitizeInput($row['config_invoice_from_name']);
+ $config_invoice_from_email = sanitizeInput($row['config_invoice_from_email']);
+ $config_base_url = sanitizeInput($row['config_base_url']);
 if (!empty($config_smtp_host)) {
 $subject = "Payment Received - Invoice $invoice_prefix$invoice_number";
- $body = "Hello $contact_name,

We have received your payment in the amount of " . $pi_currency . $pi_amount_paid . " for invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.

Amount: " . numfmt_format_currency($currency_format, $pi_amount_paid, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, '0', $invoice_currency_code) . "

Thank you for your business!


~
$company_name
Billing Department
$config_invoice_from_email
$company_phone";
+ $body = "Hello $contact_name,

We have received your payment in the amount of " . $pi_currency . $pi_amount_paid . " for invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.

Amount: " . numfmt_format_currency($currency_format, $pi_amount_paid, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, '0', $invoice_currency_code) . "

Thank you for your business!


~
$company_name - Billing
$config_invoice_from_email
$company_phone";
 $data = [ [