diff --git a/accounts.php b/accounts.php
index 8a17f890..0540b9c0 100644
--- a/accounts.php
+++ b/accounts.php
@@ -12,7 +12,7 @@ $url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, '
$sql = mysqli_query(
$mysqli,
"SELECT SQL_CALC_FOUND_ROWS * FROM accounts
- WHERE account_name LIKE '%$q%' AND company_id = $session_company_id
+ WHERE account_name LIKE '%$q%'
ORDER BY $sb $o LIMIT $record_from, $record_to"
);
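Review bot: With the tenant filter gone, the WHERE clause on the new side (L10) is built only from interpolated request values — `$q` goes straight into the LIKE pattern and `$sb`/`$o` into ORDER BY on the context line L11 — so the query's safety rests on sanitization that happens outside this hunk and is not visible here. The search term should be bound as a parameter instead of interpolated, and note that `%` and `_` inside `$q` act as LIKE wildcards unless escaped; `$sb` and `$o` cannot be bound and need an allow-list of column names and `ASC`/`DESC` before this point, which I cannot confirm from the hunk. `get_result()` returns a `mysqli_result`, so the later `mysqli_fetch_*` calls on `$sql` keep working (it requires mysqlnd). Sketch of the bound form, still assuming an allow-listed `$sb`/`$o`:
```php
$like = "%$q%";
$stmt = $mysqli->prepare(
    "SELECT SQL_CALC_FOUND_ROWS * FROM accounts
    WHERE account_name LIKE ?
    ORDER BY $sb $o LIMIT ?, ?"
);
$stmt->bind_param('sii', $like, $record_from, $record_to);
$stmt->execute();
$sql = $stmt->get_result();
```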
@@ -37,7 +37,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-
+
">
diff --git a/ajax.php b/ajax.php
index f743d7f4..b59f7ed6 100644
--- a/ajax.php
+++ b/ajax.php
@@ -70,7 +70,7 @@ if (isset($_GET['certificate_get_json_details'])) {
}
// Get all domains for this client that could be linked to this certificate
- $domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = '$client_id' AND company_id = '$session_company_id'");
+ $domains_sql = mysqli_query($mysqli, "SELECT domain_id, domain_name FROM domains WHERE domain_client_id = $client_id");
while ($row = mysqli_fetch_array($domains_sql)) {
$response['domains'][] = $row;
}
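Review bot: Dropping the quotes around `$client_id` on L25 changes how the value reaches SQL: a bare, unquoted interpolation is only sound if `$client_id` was cast with `intval()` earlier in the handler, and that assignment is outside this hunk (the enclosing `if` starts before L21), so I cannot confirm it. The same unquoted pattern appears at L34 (`$merge_into_ticket_number`), L80/L85/L90 (`$item_id`, `$client_id`) and L97 (`$item_view_limit`), while L42 keeps the quoted form `'$client_id'` for the same variable — the file should settle on one convention, ideally prepared statements with bound parameters. Where a cast is not already present, wrapping the existing assignment in `intval(...)`, as L63 and L70 already do for `$ticket_id`, is the minimal fix.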
@@ -113,7 +113,7 @@ if (isset($_GET['merge_ticket_get_json_details'])) {
$sql = mysqli_query($mysqli, "SELECT ticket_id, ticket_number, ticket_prefix, ticket_subject, ticket_priority, ticket_status, client_name, contact_name FROM tickets
LEFT JOIN clients ON ticket_client_id = client_id
LEFT JOIN contacts ON ticket_contact_id = contact_id
- WHERE ticket_number = '$merge_into_ticket_number' AND tickets.company_id = '$session_company_id'");
+ WHERE ticket_number = $merge_into_ticket_number");
if (mysqli_num_rows($sql) == 0) {
//Do nothing.
@@ -144,7 +144,7 @@ if (isset($_GET['network_get_json_details'])) {
$locations_sql = mysqli_query(
$mysqli,
"SELECT location_id, location_name FROM locations
- WHERE location_client_id = '$client_id' AND company_id = '$session_company_id'"
+ WHERE location_client_id = '$client_id'"
);
while ($row = mysqli_fetch_array($locations_sql)) {
$response['locations'][] = $row;
@@ -158,10 +158,10 @@ if (isset($_POST['client_set_notes'])) {
$notes = sanitizeInput($_POST['notes']);
// Update notes
- mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'");
+ mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = $client_id");
// Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client', log_action = 'Modify', log_description = '$session_name modified client notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id");
}
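Review bot: The rewritten INSERT on L53 no longer sets `log_created_at = NOW()`, which L52 did; the same column is dropped at L155, and L97 drops `item_created_at = NOW()` from the `shared_items` insert. Unless a schema change outside this diff gives those columns a `CURRENT_TIMESTAMP` default — nothing in the diff shows one — new log and share rows will be stored without a creation time, and any code that reads those columns will see NULL or a zero date. If the default has in fact been added, a short comment next to L53 such as `// log_created_at is filled by the column default` would stop the next reader from re-adding `NOW()`.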
@@ -173,7 +173,7 @@ if (isset($_POST['contact_set_notes'])) {
mysqli_query($mysqli, "UPDATE contacts SET contact_notes = '$notes' WHERE contact_id = $contact_id");
// Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name modified contact notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = '$session_name modified contact notes', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
}
@@ -185,7 +185,7 @@ if (isset($_POST['contact_set_notes'])) {
if (isset($_GET['ticket_add_view'])) {
$ticket_id = intval($_GET['ticket_id']);
- mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = '$ticket_id', view_user_id = '$session_user_id', view_timestamp = NOW()");
+ mysqli_query($mysqli, "INSERT INTO ticket_views SET view_ticket_id = $ticket_id, view_user_id = $session_user_id, view_timestamp = NOW()");
}
/*
@@ -196,7 +196,7 @@ if (isset($_GET['ticket_add_view'])) {
if (isset($_GET['ticket_query_views'])) {
$ticket_id = intval($_GET['ticket_id']);
- $query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = '$ticket_id' AND view_user_id != '$session_user_id' AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
+ $query = mysqli_query($mysqli, "SELECT user_name FROM ticket_views LEFT JOIN users ON view_user_id = user_id WHERE view_ticket_id = $ticket_id AND view_user_id != $session_user_id AND view_timestamp > DATE_SUB(NOW(), INTERVAL 2 MINUTE)");
while ($row = mysqli_fetch_array($query)) {
$users[] = $row['user_name'];
}
@@ -236,17 +236,17 @@ if (isset($_GET['share_generate_link'])) {
$item_key = randomString(156);
if ($item_type == "Document") {
- $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
+ $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = $item_id AND document_client_id = $client_id LIMIT 1"));
$item_name = sanitizeInput($row['document_name']);
}
if ($item_type == "File") {
- $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1"));
+ $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = $item_id AND file_client_id = $client_id LIMIT 1"));
$item_name = sanitizeInput($row['file_name']);
}
if ($item_type == "Login") {
- $login = mysqli_query($mysqli, "SELECT login_name, login_username, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1");
+ $login = mysqli_query($mysqli, "SELECT login_name, login_username, login_password FROM logins WHERE login_id = $item_id AND login_client_id = $client_id LIMIT 1");
$row = mysqli_fetch_array($login);
$item_name = sanitizeInput($row['login_name']);
@@ -266,7 +266,7 @@ if (isset($_GET['share_generate_link'])) {
}
// Insert entry into DB
- $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = '1', item_key = '$item_key', item_type = '$item_type', item_related_id = '$item_id', item_encrypted_username = '$item_encrypted_username', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = '$item_view_limit', item_created_at = NOW(), item_expire_at = '$item_expires', item_client_id = '$client_id'");
+ $sql = mysqli_query($mysqli, "INSERT INTO shared_items SET item_active = 1, item_key = '$item_key', item_type = '$item_type', item_related_id = $item_id, item_encrypted_username = '$item_encrypted_username', item_encrypted_credential = '$item_encrypted_credential', item_note = '$item_note', item_views = 0, item_view_limit = $item_view_limit, item_expire_at = '$item_expires', item_client_id = $client_id");
$share_id = $mysqli->insert_id;
// Return URL
@@ -279,7 +279,7 @@ if (isset($_GET['share_generate_link'])) {
echo json_encode($url);
// Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = '$client_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id, company_id = $session_company_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'Create', log_description = '$session_name created shared link for $item_type - $item_name', log_client_id = $client_id, log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
}
diff --git a/api/v1/assets/create.php b/api/v1/assets/create.php
index 3d12db99..3b6b4105 100644
--- a/api/v1/assets/create.php
+++ b/api/v1/assets/create.php
@@ -11,14 +11,14 @@ $insert_id = false;
if (!empty($name) && !empty($client_id)) {
// Insert into Database
- $insert_sql = mysqli_query($mysqli, "INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_status = '$status', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = $purchase_date, asset_warranty_expire = $warranty_expire, asset_install_date = $install_date, asset_notes = '$notes', asset_network_id = $network, asset_client_id = $client_id, company_id = '$company_id'");
+ $insert_sql = mysqli_query($mysqli, "INSERT INTO assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_os = '$os', asset_ip = '$aip', asset_mac = '$mac', asset_status = '$status', asset_location_id = $location, asset_vendor_id = $vendor, asset_contact_id = $contact, asset_purchase_date = $purchase_date, asset_warranty_expire = $warranty_expire, asset_install_date = $install_date, asset_notes = '$notes', asset_network_id = $network, asset_client_id = $client_id");
if ($insert_sql) {
$insert_id = mysqli_insert_id($mysqli);
//Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = '$client_id', company_id = $company_id");
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = '$client_id', company_id = $company_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Created', log_description = '$name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = '$client_id'");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Success', log_description = 'Created asset $name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = '$client_id'");
}
}
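Review bot: L120 and L121 still quote the client id (`log_client_id = '$client_id'`) while L114 in the same hunk writes `asset_client_id = $client_id` bare and delete.php (L141) writes `log_client_id = $client_id`; since `$client_id` is now produced by `intval()` in the key lookup (L164), the quoted form is inconsistent rather than wrong. Use the bare form in all three places. The string fields on L114 (`$name`, `$type`, `$make`, and the rest) are interpolated as well; whether they are escaped before this point is not visible in the hunk.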
diff --git a/api/v1/assets/delete.php b/api/v1/assets/delete.php
index 8ce2e912..dfea6676 100644
--- a/api/v1/assets/delete.php
+++ b/api/v1/assets/delete.php
@@ -10,17 +10,17 @@ $asset_id = intval($_POST['asset_id']);
$delete_count = false;
if (!empty($asset_id)) {
- $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1"));
+ $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id LIMIT 1"));
$asset_name = $row['asset_name'];
- $delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id AND company_id = '$company_id' LIMIT 1");
+ $delete_sql = mysqli_query($mysqli, "DELETE FROM assets WHERE asset_id = $asset_id AND asset_client_id = $client_id LIMIT 1");
// Check delete & get affected rows
if ($delete_sql && !empty($asset_name)) {
$delete_count = mysqli_affected_rows($mysqli);
//Logging
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id, company_id = $company_id");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Asset', log_action = 'Deleted', log_description = '$asset_name via API ($api_key_name)', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client_id");
}
}
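Review bot: `$row['asset_name']` on L133 is read before checking that the SELECT returned a row; when no asset matches the id/client pair, `mysqli_fetch_assoc` returns `null` and the read emits a warning before the `!empty($asset_name)` check on L137 catches the empty value. `$asset_name = $row['asset_name'] ?? '';` keeps the later check working without the warning. The DELETE on L135 is issued regardless of the lookup result; because it carries the same predicate it affects no rows in that case, but moving it inside a `$row` check would make the intent explicit.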
diff --git a/api/v1/assets/read.php b/api/v1/assets/read.php
index 33bd5484..e69de29b 100644
--- a/api/v1/assets/read.php
+++ b/api/v1/assets/read.php
@@ -1,41 +0,0 @@
- NOW() LIMIT 1");
@@ -72,7 +72,7 @@ if (isset($api_key)) {
if (mysqli_num_rows($sql) !== 1) {
// Invalid Key
header(WORDING_UNAUTHORIZED);
- mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
+ mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired key', log_ip = '$ip', log_user_agent = '$user_agent'");
$return_arr['success'] = "False";
$return_arr['message'] = "Authentication failed. API key is invalid or has expired.";
@@ -88,8 +88,7 @@ if (isset($api_key)) {
// Set client ID, company ID & key name
$row = mysqli_fetch_array($sql);
$api_key_name = htmlentities($row['api_key_name']);
- $client_id = $row['api_key_client_id'];
- $company_id = $row['company_id'];
+ $client_id = intval($row['api_key_client_id']);
// Set limit & offset for queries
if (isset($_GET['limit'])) {
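Review bot: The `$company_id` assignment is removed on L163, but the variable was interpolated into queries across the API; this diff updates create.php and delete.php, and any other endpoint that still references `$company_id` will now interpolate an undefined variable as an empty string — `company_id = $company_id` becomes a SQL syntax error and `company_id = '$company_id'` a comparison against `''`. The same applies to `$session_company_id`, removed from check_login.php at L197, for every page that still uses it; only the pages in this diff were updated and I cannot see the others. A repository-wide search for both names before merge would settle it. The `intval()` on the client id (L164) is the right change.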
diff --git a/api_key_add_modal.php b/api_key_add_modal.php
index 23cefd42..0887420a 100644
--- a/api_key_add_modal.php
+++ b/api_key_add_modal.php
@@ -61,7 +61,7 @@ $key = randomString(156);
diff --git a/calendar_event_add_modal.php b/calendar_event_add_modal.php
index 14bff4af..6d2cb82f 100644
--- a/calendar_event_add_modal.php
+++ b/calendar_event_add_modal.php
@@ -48,7 +48,7 @@
- Client -
- Client -
-
+
">
diff --git a/check_login.php b/check_login.php
index cc1f9c65..bc0a98cc 100644
--- a/check_login.php
+++ b/check_login.php
@@ -26,7 +26,7 @@ if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
$session_ip = sanitizeInput(getIP());
$session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
-$session_user_id = $_SESSION['user_id'];
+$session_user_id = intval($_SESSION['user_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id");
$row = mysqli_fetch_array($sql);
@@ -34,8 +34,7 @@ $session_name = sanitizeInput($row['user_name']);
$session_email = $row['user_email'];
$session_avatar = $row['user_avatar'];
$session_token = $row['user_token'];
-$session_company_id = $row['user_default_company'];
-$session_user_role = $row['user_role'];
+$session_user_role = intval($row['user_role']);
if ($session_user_role == 3) {
$session_user_role_display = "Administrator";
} elseif ($session_user_role == 2) {
@@ -44,22 +43,7 @@ if ($session_user_role == 3) {
$session_user_role_display = "Accountant";
}
-//LOAD USER COMPANY ACCESS PERMISSIONS
-$session_user_company_access_sql = mysqli_query($mysqli, "SELECT company_id FROM user_companies WHERE user_id = $session_user_id");
-$session_user_company_access_array = array();
-while ($row = mysqli_fetch_array($session_user_company_access_sql)) {
- $session_user_company_access_array[] = $row['company_id'];
-}
-$session_user_company_access = implode(',', $session_user_company_access_array);
-
-//Check to see if user has rights to company Prevents User from access a company he is not allowed to have access to.
-if (!in_array($session_company_id, $session_user_company_access_array)) {
- session_start();
- session_destroy();
- header('Location: login.php');
-}
-
-$sql = mysqli_query($mysqli, "SELECT * FROM companies WHERE company_id = $session_company_id");
+$sql = mysqli_query($mysqli, "SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$session_company_name = $row['company_name'];
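Review bot: L222 hardcodes `company_id = 1`, and L224 and the following `$row[...]` reads assume that row exists; if the companies table has no record with id 1, `mysqli_fetch_array` returns `null` and every session value derived from it is set to null with warnings rather than failing clearly. A guard after L223, e.g. `if (!$row) { exit('Company record missing'); }`, plus a comment on L222 such as `// Single-tenant: the only company record is id 1` would document the assumption the commit introduces. The removed block also ended with `session_destroy()` and a redirect but no `exit`; if a membership check is ever reintroduced, it should terminate the script after the redirect.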
@@ -67,6 +51,9 @@ $session_company_country = $row['company_country'];
$session_company_locale = $row['company_locale'];
$session_company_currency = $row['company_currency'];
+//Set Currency Format
+$currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
+
require_once("get_settings.php");
//Detects if using an Apple device and uses Apple Maps instead of google
@@ -81,10 +68,7 @@ if ($iPod || $iPhone || $iPad) {
}
//Get Notification Count for the badge on the top nav
-$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('notification_id') AS num FROM notifications WHERE (notification_user_id = $session_user_id OR notification_user_id = 0) AND notification_dismissed_at IS NULL AND company_id = $session_company_id"));
+$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT('notification_id') AS num FROM notifications WHERE (notification_user_id = $session_user_id OR notification_user_id = 0) AND notification_dismissed_at IS NULL"));
$num_notifications = $row['num'];
-//Set Currency Format
-$currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRENCY);
-
diff --git a/client_add_modal.php b/client_add_modal.php
index 602563b8..4409203b 100644
--- a/client_add_modal.php
+++ b/client_add_modal.php
@@ -64,7 +64,7 @@
@@ -271,7 +271,7 @@
-
+
">
diff --git a/client_certificates.php b/client_certificates.php
index cb712070..53f39589 100644
--- a/client_certificates.php
+++ b/client_certificates.php
@@ -61,7 +61,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-