From 52243c0a1d8c6f8c1e10c9a722d8e2c9d0a60667 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Wed, 8 Feb 2023 14:24:47 +0000
Subject: [PATCH] - Move the initialization of ip, user agent, browser and os vars to guest_header.php - General tidy and bugfixing of undefined vars
---
 guest_header.php | 4 +-
 guest_pay_invoice_stripe.php | 3 -
 guest_view_invoice.php | 1758 +++++++++++++++++-----------------
 guest_view_quote.php | 1268 ++++++++++++------------
 4 files changed, 1503 insertions(+), 1530 deletions(-)
diff --git a/guest_header.php b/guest_header.php
index 141bb1bf..71b602a7 100644
--- a/guest_header.php
+++ b/guest_header.php
@@ -6,7 +6,9 @@ require_once("functions.php");
 session_start();
 $ip = trim(strip_tags(mysqli_real_escape_string($mysqli, getIP())));
-$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
+$ua = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
+$os = strip_tags(mysqli_real_escape_string($mysqli, getOS($ua)));
+$browser = strip_tags(mysqli_real_escape_string($mysqli, getWebBrowser($ua)));
 ?>
diff --git a/guest_pay_invoice_stripe.php b/guest_pay_invoice_stripe.php
index 184f63ab..b3d2e8bc 100644
--- a/guest_pay_invoice_stripe.php
+++ b/guest_pay_invoice_stripe.php
@@ -13,9 +13,6 @@ $config_stripe_publishable = htmlentities($stripe_vars['config_stripe_publishabl
 $config_stripe_secret = htmlentities($stripe_vars['config_stripe_secret']);
 $config_stripe_account = intval($stripe_vars['config_stripe_account']);
-$os = trim(strip_tags(mysqli_real_escape_string($mysqli, getOS($user_agent))));
-$browser = trim(strip_tags(mysqli_real_escape_string($mysqli, getWebBrowser($user_agent))));
-
 // Check Stripe is configured
 if ($config_stripe_enable == 0 || $config_stripe_account == 0 || empty($config_stripe_publishable) || empty($config_stripe_secret)) {
 echo "
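Review bot: `$_SERVER['HTTP_USER_AGENT']` is read unguarded on the new `$ua` line in guest_header.php, so a request that sends no User-Agent header raises an undefined-index notice — the class of bug the commit title sets out to remove — and `getOS`/`getWebBrowser` are then fed an empty string; `$ua = strip_tags(mysqli_real_escape_string($mysqli, isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''));` keeps the rest of the hunk unchanged. `$os` and `$browser` are also derived from the already SQL-escaped `$ua`, so the detection helpers see backslash-escaped quotes rather than the raw header; if their matching is regex-based that is probably harmless, but deriving them from the raw header and escaping the results would be cleaner. Because `$ip`, `$os` and `$browser` are interpolated directly into the history and notification INSERTs by the including pages, the escaping done here is load-bearing and deserves a comment above the block: `// Pre-escaped for direct interpolation into SQL by the guest_*.php pages.`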

Stripe payments not enabled/configured

"; diff --git a/guest_view_invoice.php b/guest_view_invoice.php index 89ae4568..14c82e2a 100644 --- a/guest_view_invoice.php +++ b/guest_view_invoice.php @@ -2,938 +2,914 @@ require_once("guest_header.php"); -if (isset($_GET['invoice_id'], $_GET['url_key'])) { +if (!isset($_GET['invoice_id'], $_GET['url_key'])) { + echo "

Oops, something went wrong! Please raise a ticket if you believe this is an error.

"; + require_once("guest_footer.php"); + exit(); +} - $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']); - $invoice_id = intval($_GET['invoice_id']); +$url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']); +$invoice_id = intval($_GET['invoice_id']); - $sql = mysqli_query($mysqli, "SELECT * FROM invoices - LEFT JOIN clients ON invoice_client_id = client_id - LEFT JOIN locations ON primary_location = location_id - LEFT JOIN contacts ON primary_contact = contact_id - LEFT JOIN companies ON invoices.company_id = companies.company_id - LEFT JOIN settings ON settings.company_id = companies.company_id - WHERE invoice_id = $invoice_id - AND invoice_url_key = '$url_key'" - ); +$sql = mysqli_query( + $mysqli, + "SELECT * FROM invoices + LEFT JOIN clients ON invoice_client_id = client_id + LEFT JOIN locations ON primary_location = location_id + LEFT JOIN contacts ON primary_contact = contact_id + LEFT JOIN companies ON invoices.company_id = companies.company_id + LEFT JOIN settings ON settings.company_id = companies.company_id + WHERE invoice_id = $invoice_id + AND invoice_url_key = '$url_key'" +); - if (mysqli_num_rows($sql) == 1) { +if (mysqli_num_rows($sql) !== 1) { + // Invalid invoice/key + echo "

Oops, something went wrong! Please raise a ticket if you believe this is an error.

"; + require_once("guest_footer.php"); + exit(); +} - $row = mysqli_fetch_array($sql); - $invoice_id = $row['invoice_id']; - $invoice_prefix = htmlentities($row['invoice_prefix']); - $invoice_number = htmlentities($row['invoice_number']); - $invoice_status = htmlentities($row['invoice_status']); - $invoice_date = $row['invoice_date']; - $invoice_due = $row['invoice_due']; - $invoice_amount = floatval($row['invoice_amount']); - $invoice_currency_code = htmlentities($row['invoice_currency_code']); - $invoice_note = htmlentities($row['invoice_note']); - $invoice_category_id = $row['invoice_category_id']; - $client_id = $row['client_id']; - $client_name = htmlentities($row['client_name']); - $location_address = htmlentities($row['location_address']); - $location_city = htmlentities($row['location_city']); - $location_state = htmlentities($row['location_state']); - $location_zip = htmlentities($row['location_zip']); - $contact_email = htmlentities($row['contact_email']); - $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = htmlentities($row['contact_extension']); - $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = htmlentities($row['client_website']); - $client_currency_code = htmlentities($row['client_currency_code']); - $client_net_terms = htmlentities($row['client_net_terms']); - if ($client_net_terms == 0) { - $client_net_terms = $config_default_net_terms; - } - $company_id = $row['company_id']; - $company_name = htmlentities($row['company_name']); - $company_address = htmlentities($row['company_address']); - $company_city = htmlentities($row['company_city']); - $company_state = htmlentities($row['company_state']); - $company_zip = htmlentities($row['company_zip']); - $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = htmlentities($row['company_email']); - $company_logo = htmlentities($row['company_logo']); - if (!empty($company_logo)) { - $company_logo_base64 = 
base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); - } - $company_locale = htmlentities($row['company_locale']); - $config_invoice_footer = htmlentities($row['config_invoice_footer']); - $config_stripe_enable = $row['config_stripe_enable']; - $config_stripe_publishable = $row['config_stripe_publishable']; - $config_stripe_secret = $row['config_stripe_secret']; +$row = mysqli_fetch_array($sql); +$invoice_id = $row['invoice_id']; +$invoice_prefix = htmlentities($row['invoice_prefix']); +$invoice_number = htmlentities($row['invoice_number']); +$invoice_status = htmlentities($row['invoice_status']); +$invoice_date = $row['invoice_date']; +$invoice_due = $row['invoice_due']; +$invoice_amount = floatval($row['invoice_amount']); +$invoice_currency_code = htmlentities($row['invoice_currency_code']); +$invoice_note = htmlentities($row['invoice_note']); +$invoice_category_id = $row['invoice_category_id']; +$client_id = $row['client_id']; +$client_name = htmlentities($row['client_name']); +$location_address = htmlentities($row['location_address']); +$location_city = htmlentities($row['location_city']); +$location_state = htmlentities($row['location_state']); +$location_zip = htmlentities($row['location_zip']); +$contact_email = htmlentities($row['contact_email']); +$contact_phone = formatPhoneNumber($row['contact_phone']); +$contact_extension = htmlentities($row['contact_extension']); +$contact_mobile = formatPhoneNumber($row['contact_mobile']); +$client_website = htmlentities($row['client_website']); +$client_currency_code = htmlentities($row['client_currency_code']); +$client_net_terms = htmlentities($row['client_net_terms']); +if ($client_net_terms == 0) { + $client_net_terms = intval($row['config_default_net_terms']); +} +$company_id = $row['company_id']; +$company_name = htmlentities($row['company_name']); +$company_address = htmlentities($row['company_address']); +$company_city = htmlentities($row['company_city']); +$company_state = 
htmlentities($row['company_state']); +$company_zip = htmlentities($row['company_zip']); +$company_phone = formatPhoneNumber($row['company_phone']); +$company_email = htmlentities($row['company_email']); +$company_website = htmlentities($row['company_website']); +$company_logo = htmlentities($row['company_logo']); +if (!empty($company_logo)) { + $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); +} +$company_locale = htmlentities($row['company_locale']); +$config_invoice_footer = htmlentities($row['config_invoice_footer']); +$config_stripe_enable = $row['config_stripe_enable']; +$config_stripe_publishable = $row['config_stripe_publishable']; +$config_stripe_secret = $row['config_stripe_secret']; - //Set Currency Format - $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); +//Set Currency Format +$currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); - $ip = strip_tags(mysqli_real_escape_string($mysqli,getIP())); +$invoice_tally_total = 0; // Default - $session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); - $os = strip_tags(mysqli_real_escape_string($mysqli,getOS($session_user_agent))); - $browser = strip_tags(mysqli_real_escape_string($mysqli,getWebBrowser($session_user_agent))); +//Set Badge color based off of invoice status +$invoice_badge_color = getInvoiceBadgeColor($invoice_status); - $invoice_tally_total = 0; // Default +//Update status to Viewed only if invoice_status = "Sent" +if ($invoice_status == 'Sent') { + mysqli_query($mysqli, "UPDATE invoices SET invoice_status = 'Viewed' WHERE invoice_id = $invoice_id"); +} - //Set Badge color based off of invoice status - $invoice_badge_color = getInvoiceBadgeColor($invoice_status); +//Mark viewed in history +mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_created_at = 
NOW(), history_invoice_id = $invoice_id, company_id = $company_id"); - //Update status to Viewed only if invoice_status = "Sent" - if ($invoice_status == 'Sent') { - mysqli_query($mysqli, "UPDATE invoices SET invoice_status = 'Viewed' WHERE invoice_id = $invoice_id"); - } +if ($invoice_status !== 'Paid') { + $client_name_escaped = mysqli_real_escape_string($mysqli, $row['client_name']); + mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id"); +} +$sql_payments = mysqli_query($mysqli, "SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payments.payment_id DESC"); - //Mark viewed in history - mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_created_at = NOW(), history_invoice_id = $invoice_id, company_id = $company_id"); +//Add up all the payments for the invoice and get the total amount paid to the invoice +$sql_amount_paid = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE payment_invoice_id = $invoice_id"); +$row = mysqli_fetch_array($sql_amount_paid); +$amount_paid = $row['amount_paid']; - //Prevent SQL Error if client_name has ' in their name example Bill's Market - if ($invoice_status !== 'Paid') { - $client_name_escaped = mysqli_real_escape_string($mysqli, $row['client_name']); - mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id"); - } - $sql_payments = 
mysqli_query($mysqli, "SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payments.payment_id DESC"); +$balance = $invoice_amount - $amount_paid; - //Add up all the payments for the invoice and get the total amount paid to the invoice - $sql_amount_paid = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE payment_invoice_id = $invoice_id"); - $row = mysqli_fetch_array($sql_amount_paid); - $amount_paid = $row['amount_paid']; +//check to see if overdue +$invoice_color = $invoice_badge_color; // Default +if ($invoice_status !== "Paid" && $invoice_status !== "Draft" && $invoice_status !== "Cancelled") { + $unixtime_invoice_due = strtotime($invoice_due) + 86400; + if ($unixtime_invoice_due < time()) { + $invoice_color = "text-danger"; + } +} - $balance = $invoice_amount - $amount_paid; +// Invoice individual items +$sql_invoice_items = mysqli_query($mysqli, "SELECT * FROM invoice_items WHERE item_invoice_id = $invoice_id ORDER BY item_id ASC"); - //check to see if overdue - $invoice_color = $invoice_badge_color; // Default - if ($invoice_status !== "Paid" && $invoice_status !== "Draft" && $invoice_status !== "Cancelled") { - $unixtime_invoice_due = strtotime($invoice_due) + 86400; - if ($unixtime_invoice_due < time()) { - $invoice_color = "text-danger"; - } - } +?> - ?> - -
-
- +
+ +
+
+
+ ">
-
-
-
- "> -
-
- -
-
- -
-
- -

Invoice

-
-
-
-
-
    -
  • -
  • -
  • -
  • -
  • -
- -
-
- -
    -
  • -
  • -
  • -
  • -
  • -
  • -
- -
-
-
-
-
-
- - - - - - - - - -
Date
Due
-
-
- - - -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - -
ProductDescriptionQtyPriceTaxTotal
-
+
+ +
+
+
-
+ +

Invoice

+
+
+
+
+
    +
  • +
  • +
  • +
  • +
  • +
-
-
- -
-
-
-
-
- -
-
- - - - - - - 0) { ?> - - - - - - 0) { ?> - - - - - - - - - - -
Subtotal
Tax
Paid
Balance
-
-
+
+
-
+
    +
  • +
  • +
  • +
  • +
  • +
  • +
-
+
+
+
+
+
+
+ + + + + + + + + +
Date
Due
- - - - - 1) { - - ?> - - -
-
- Previous Unpaid Invoices -
-
- - - - - - - - - - - - - > - - - - - - - - - -
Invoice #DateDue DateAmount
( Days Late)
-
-
- - - CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_number DESC"); - - if (mysqli_num_rows($sql) > 1) { - - ?> - - -
-
- Current Invoices -
-
- - - - - - - - - - - - - > - - - - - - - - - -
Invoice #DateDueAmount
(Due in Days)
-
-
- - - - 1) { - - ?> - - -
-
- Previous Invoices Paid -
-
- - - - - - - - - - - - - > - - - - - - - - - - - strtotime($invoice_due)) { - $payment_note = "Late"; - $difference = strtotime($payment_date) - strtotime($invoice_due); - $days = floor($difference / (60*60*24) ) . " Days"; - }else{ - $payment_note = ""; - $days = ""; - } - - - $invoice_tally_total = $invoice_amount + $invoice_tally_total; ?> - + + + + + + - - ?> - - - - -
Invoice #DateDue DateAmount
Payments
- - - -
+ + +
+
- +
+ +
+
+
+
+
+ +
+
+ + + + + + + 0) { ?> + + + + + + 0) { ?> + + + + + + + + + + +
Subtotal
Tax
Paid
Balance
+
+
+ +
+ +
+
+
+ + + + + + 1) { ?> + +
+
+ Previous Unpaid Invoices +
+
+ + + + + + + + + + + + + > + + + + + + + + + +
Invoice #DateDue DateAmount
( Days Late)
+
+
+ + CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_number DESC"); + +if (mysqli_num_rows($sql) > 1) { ?> + + +
+
+ Current Invoices +
+
+ + + + + + + + + + + + + > + + + + + + + + + +
Invoice #DateDueAmount
(Due in Days)
+
+
+ - + + 1) { ?> + +
+
+ Previous Invoices Paid +
+
+ + + + + + + + + + + + + > + + + + + + + + + + + strtotime($invoice_due)) { + $payment_note = "Late"; + $difference = strtotime($payment_date) - strtotime($invoice_due); + $days = floor($difference / (60*60*24) ) . " Days"; + } else { + $payment_note = ""; + $days = ""; + } + + + $invoice_tally_total = $invoice_amount + $invoice_tally_total; + + ?> + + + + + + + + + + +
Invoice #DateDue DateAmount
Payments
- - - -
+
+
+ +
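Review bot: The new early-exit `if (mysqli_num_rows($sql) !== 1)` near the top of guest_view_invoice.php still passes `$sql` straight to mysqli_num_rows, so a failed query (`$sql === false`) yields a warning on PHP 7 and a TypeError on PHP 8 instead of the Oops page; `if (!$sql || mysqli_num_rows($sql) !== 1) {` covers both. Further down, `$row = mysqli_fetch_array($sql_amount_paid);` reuses the name of the invoice row, and `$amount_paid` is NULL when the invoice has no payments; `$row_paid = mysqli_fetch_array($sql_amount_paid); $amount_paid = floatval($row_paid['amount_paid']);` keeps the invoice row intact and makes the balance arithmetic explicit. `$company_logo_base64` is only assigned inside `if (!empty($company_logo))`, so if the template later references it the undefined-variable notice this commit targets remains — initialising it to `''` before that `if` avoids it. The same query-result check applies to the matching block in guest_view_quote.php, whose hunks run past the visible part of this patch, so it cannot be confirmed here whether that file also replaces the undefined `$config_default_net_terms` fallback as the invoice side does.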

Oops, something went wrong! Please raise a ticket if you believe this is an error.

"; + require_once("guest_footer.php"); + exit(); +} - $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']); - $quote_id = intval($_GET['quote_id']); - $sql = mysqli_query($mysqli,"SELECT * FROM quotes +$url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']); +$quote_id = intval($_GET['quote_id']); + +$sql = mysqli_query( + $mysqli, + "SELECT * FROM quotes LEFT JOIN clients ON quote_client_id = client_id LEFT JOIN locations ON primary_location = location_id LEFT JOIN contacts ON primary_contact = contact_id 
@@ -15,636 +22,627 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) { LEFT JOIN settings ON settings.company_id = companies.company_id WHERE quote_id = $quote_id AND quote_url_key = '$url_key'" - ); +); - if (mysqli_num_rows($sql) == 1) { - - $row = mysqli_fetch_array($sql); - - $quote_id = $row['quote_id']; - $quote_prefix = htmlentities($row['quote_prefix']); - $quote_number = htmlentities($row['quote_number']); - $quote_status = htmlentities($row['quote_status']); - $quote_date = $row['quote_date']; - $quote_amount = floatval($row['quote_amount']); - $quote_currency_code = htmlentities($row['quote_currency_code']); - $quote_note = htmlentities($row['quote_note']); - $category_id = $row['category_id']; - $client_id = $row['client_id']; - $client_name = htmlentities($row['client_name']); - $location_address = htmlentities($row['location_address']); - $location_city = htmlentities($row['location_city']); - $location_state = htmlentities($row['location_state']); - $location_zip = htmlentities($row['location_zip']); - $contact_email = htmlentities($row['contact_email']); - $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = htmlentities($row['contact_extension']); - $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = htmlentities($row['client_website']); - $client_currency_code = htmlentities($row['client_currency_code']); - $client_net_terms = htmlentities($row['client_net_terms']); - if ($client_net_terms == 0) { - $client_net_terms = $config_default_net_terms; - } - $company_id = $row['company_id']; - $company_name = htmlentities($row['company_name']); - $company_address = htmlentities($row['company_address']); - $company_city = htmlentities($row['company_city']); - $company_state = htmlentities($row['company_state']); - $company_zip = htmlentities($row['company_zip']); - $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = htmlentities($row['company_email']); - $company_logo = 
htmlentities($row['company_logo']); - if (!empty($company_logo)) { - $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); - } - $company_locale = htmlentities($row['company_locale']); - $config_quote_footer = htmlentities($row['config_quote_footer']); - - //Set Currency Format - $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); - - $ip = strip_tags(mysqli_real_escape_string($mysqli,getIP())); - - $session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); - $os = strip_tags(mysqli_real_escape_string($mysqli,getOS($session_user_agent))); - $browser = strip_tags(mysqli_real_escape_string($mysqli,getWebBrowser($session_user_agent))); - - //Update status to Viewed only if invoice_status = "Sent" - if ($quote_status == 'Sent') { - mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Viewed' WHERE quote_id = $quote_id"); - } - - //Mark viewed in history - mysqli_query($mysqli,"INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser', history_created_at = NOW(), history_quote_id = $quote_id, company_id = $company_id"); - - //Prevent SQL Error if client_name has ' in their name example Bill's Market - $client_name_escaped = mysqli_escape_string($mysqli,$row['client_name']); - mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id"); - - ?> - -
- -
-
- - Accept - Decline - -
- - -
-
- -
-
- "> -
-
-

Quote

-
-
- -
- -
-
    -
  • -
  • -
  • -
  • -
  • -
- -
- -
- -
    -
  • -
  • -
  • -
  • -
  • -
  • -
- -
-
-
-
-
-
- - - - - -
Date
-
-
- - - -
-
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - -
ProductDescriptionQtyPriceTaxTotal
-
-
-
-
- -
-
- -
-
-
-
-
- -
- -
- - - - - - - 0) { ?> - - - - - - 0) { ?> - - - - - - - - - - -
Subtotal
Discount
Tax
Total
-
-
- -
- -
-
-
- - - - - +$row = mysqli_fetch_array($sql); - + +
+ +
+
+ + Accept + Decline + +
+ + +
+
+ +
+
+ "> +
+
+

Quote

+
+
+ +
+ +
+
    +
  • +
  • +
  • +
  • +
  • +
+ +
+ +
+ +
    +
  • +
  • +
  • +
  • +
  • +
  • +
+ +
+
+
+
+
+
+ + + + + +
Date
+
+
+ + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
ProductDescriptionQtyPriceTaxTotal
+
+
+
+
+ +
+
+ +
+
+
+
+
+ +
+ +
+ + + + + + + 0) { ?> + + + + + + + + + + +
Subtotal
Tax
Total
+
+
+ +
+ +
+
+
+ + + + + + +