AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-02-28 19:04:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update/Fix Mail Functions in POST/quote.php - sanitize POST vars instead the whole mail subject and body which prevents having a mixed of confusing redundant escaped and unescaped vars also

Browse Source
This commit is contained in:
johnnyq
2024-01-20 20:10:33 -05:00
parent 1479caa8e8
commit 63d4419ff5
4 changed files with 50 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
post/quote.php
View File

@@ -8,7 +8,6 @@ if (isset($_POST['add_quote'])) {
require_once 'post/quote_model.php';
$client = intval($_POST['client']);
//Get the last Quote Number and add 1 for the new Quote number
@@ -356,51 +355,49 @@ if (isset($_GET['email_quote'])) {
);
$row = mysqli_fetch_array($sql);
$quote_prefix = $row['quote_prefix'];
$quote_prefix = sanitizeInput($row['quote_prefix']);
$quote_number = intval($row['quote_number']);
$quote_scope = $row['quote_scope'];
$quote_status = $row['quote_status'];
$quote_date = $row['quote_date'];
$quote_expire = $row['quote_expire'];
$quote_scope = sanitizeInput($row['quote_scope']);
$quote_status = sanitizeInput($row['quote_status']);
$quote_date = sanitizeInput($row['quote_date']);
$quote_expire = sanitizeInput($row['quote_expire']);
$quote_amount = floatval($row['quote_amount']);
$quote_url_key = $row['quote_url_key'];
$quote_currency_code = $row['quote_currency_code'];
$quote_url_key = sanitizeInput($row['quote_url_key']);
$quote_currency_code = sanitizeInput($row['quote_currency_code']);
$client_id = intval($row['client_id']);
$client_name = $row['client_name'];
$contact_name = $row['contact_name'];
$contact_email = $row['contact_email'];
$quote_prefix_escaped = sanitizeInput($row['quote_prefix']);
$contact_name_escaped = sanitizeInput($row['contact_name']);
$contact_email_escaped = sanitizeInput($row['contact_email']);
$client_name = sanitizeInput($row['client_name']);
$contact_name = sanitizeInput($row['contact_name']);
$contact_email = sanitizeInput($row['contact_email']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$company_name = $row['company_name'];
$company_country = $row['company_country'];
$company_address = $row['company_address'];
$company_city = $row['company_city'];
$company_state = $row['company_state'];
$company_zip = $row['company_zip'];
$company_phone = formatPhoneNumber($row['company_phone']);
$company_email = $row['company_email'];
$company_website = $row['company_website'];
$company_logo = $row['company_logo'];
$company_name = sanitizeInput($row['company_name']);
$company_country = sanitizeInput($row['company_country']);
$company_address = sanitizeInput($row['company_address']);
$company_city = sanitizeInput($row['company_city']);
$company_state = sanitizeInput($row['company_state']);
$company_zip = sanitizeInput($row['company_zip']);
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
$company_email = sanitizeInput($row['company_email']);
$company_website = sanitizeInput($row['company_website']);
$company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
$config_quote_from_name_escaped = sanitizeInput($config_quote_from_name);
$config_quote_from_email_escaped = sanitizeInput($config_quote_from_email);
$config_quote_from_name = sanitizeInput($config_quote_from_name);
$config_quote_from_email = sanitizeInput($config_quote_from_email);
$config_base_url = sanitizeInput($config_base_url);
$subject = sanitizeInput("Quote [$quote_scope]");
$body = mysqli_escape_string($mysqli, "Hello $contact_name,<br><br>Thank you for your inquiry, we are pleased to provide you with the following estimate.<br><br><br>$quote_scope<br>Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "<br><br><br>View and accept your estimate online <a href='https://$config_base_url/guest_view_quote.php?quote_id=$quote_id&url_key=$quote_url_key'>here</a><br><br><br>~<br>$company_name<br>Sales<br>$config_quote_from_email<br>$company_phone");
$subject = "Quote [$quote_scope]";
$body = "Hello $contact_name,<br><br>Thank you for your inquiry, we are pleased to provide you with the following estimate.<br><br><br>$quote_scope<br>Total Cost: " . numfmt_format_currency($currency_format, $quote_amount, $quote_currency_code) . "<br><br><br>View and accept your estimate online <a href=\'https://$config_base_url/guest_view_quote.php?quote_id=$quote_id&url_key=$quote_url_key\'>here</a><br><br><br>--<br>$company_name - Sales<br>$config_quote_from_email<br>$company_phone";
// Queue Mail
$data = [
[
'from' => $config_quote_from_email,
'from_name' => $config_quote_from_name,
'recipient' => $contact_email_escaped,
'recipient_name' => $contact_name_escaped,
'recipient' => $contact_email,
'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body,
]
@@ -409,7 +406,7 @@ if (isset($_GET['email_quote'])) {
// Logging
mysqli_query($mysqli,"INSERT INTO history SET history_status = 'Sent', history_description = 'Emailed Quote!', history_quote_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Email', log_description = '$session_name emailed Quote $quote_prefix_escaped$quote_number to $contact_email_escaped Email ID: ', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $quote_id");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Quote', log_action = 'Email', log_description = '$session_name emailed Quote $quote_prefix$quote_number to $contact_email Email ID: ', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $quote_id");
$_SESSION['alert_message'] = "Quote has been sent";