From d83906508d158feb59afb0fdcaadf6ce372894ec Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 28 Mar 2022 20:39:35 +0100
Subject: [PATCH 1/3] Fix potential sql injection in add_company - post.php
---
 post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/post.php b/post.php
index 2ca8b0e9..54ce0ba2 100644
--- a/post.php
+++ b/post.php
@@ -509,7 +509,7 @@ if(isset($_POST['add_company'])){
 mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code',company_created_at = NOW()");
 $company_id = mysqli_insert_id($mysqli);
- $config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
+ $config_base_url = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']));
 $config_api_key = keygen();
 mkdir("uploads/clients/$company_id");
From 4ba313f7526fd39e9b259256fc84685052f022d1 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 28 Mar 2022 20:45:31 +0100
Subject: [PATCH 2/3] Fix potential sql injection in delete_file if param add_location was also specified - post.php
---
 post.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/post.php b/post.php
index 54ce0ba2..2fe355c7 100644
--- a/post.php
+++ b/post.php
@@ -6804,6 +6804,7 @@ if(isset($_GET['delete_file'])){
 $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_file);
 $client_id = $row['file_client_id'];
+ $file_name = $row['file_name'];
 $file_reference_name = $row['file_reference_name'];
 unlink("uploads/clients/$session_company_id/$client_id/$file_reference_name");
From 9a183774cb0c31e9b3dceed52fd1b237d28819a0 Mon Sep 17 00:00:00 2001
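Review bot: Escaping `$config_base_url` at the point of assignment (the added line) ties the variable to a single consumer: `mysqli_real_escape_string` only protects a value that ends up inside a quoted string literal in a query, and every later non-SQL use of `$config_base_url` — the INSERT that stores it and anything else that reads it are outside this hunk — now receives the backslash-escaped form instead of the raw URL. Escaping next to the query that uses it, or binding it through a prepared statement, keeps the value intact and makes the protection visible where it matters. Separately, `$_SERVER['HTTP_HOST']` comes from the client's Host header, so escaping makes the INSERT safe but still persists a client-chosen base URL; validating it against the expected hostname(s) before storing it would close that gap. The setup.php hunk in patch 3/3 has the identical construct and the same observations apply there. The enclosing `add_company` block starts before and ends after this hunk.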
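Review bot: The added `$file_name = $row['file_name'];` sources the name from the database rather than the request (per the subject), but a value read back from the `files` table is not SQL-safe by itself — escaping at insert time affects only that query's text, not the stored string — so if `$file_name` is interpolated into a later query in this handler (outside the hunk), that query remains exposed to a second-order injection through a stored name containing a quote. Escape it at the point of use, `mysqli_real_escape_string($mysqli, $file_name)`, or bind it with a prepared statement. In the same hunk, `$file_id` and `$session_company_id` are interpolated unquoted into the SELECT, which is only safe if both were cast with `intval()` above this hunk; that cast is not visible here. The `delete_file` block continues beyond the hunk.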
From: Marcus Hill
Date: Mon, 28 Mar 2022 20:47:12 +0100
Subject: [PATCH 3/3] Escape server http host/uri submitted to database during setup
---
 setup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.php b/setup.php
index 05c4ea03..40fbb2eb 100644
--- a/setup.php
+++ b/setup.php
@@ -923,7 +923,7 @@ if(isset($_POST['add_company_settings'])){
 mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code', company_created_at = NOW()");
 $company_id = mysqli_insert_id($mysqli);
- $config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
+ $config_base_url = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']));
 mkdir_missing("uploads/clients/$company_id");
 file_put_contents("uploads/clients/$company_id/index.php", "");