From 6cd8649296fb3e99aec01ee90ec633d490bd439c Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sat, 7 Jan 2023 17:26:19 -0500
Subject: [PATCH] Do not htmlentities client name into notifications
---
 guest_view_invoice.php | 2 +-
 guest_view_quote.php | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/guest_view_invoice.php b/guest_view_invoice.php
index f4f07b28..97d30ad6 100644
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@@ -95,7 +95,7 @@ if(isset($_GET['invoice_id'], $_GET['url_key'])){
 mysqli_query($mysqli,"INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_created_at = NOW(), history_invoice_id = $invoice_id, company_id = $company_id");
 //Prevent SQL Error if client_name has ' in their name example Bill's Market
- $client_name_escaped = mysqli_escape_string($mysqli,$client_name);
+ $client_name_escaped = mysqli_escape_string($mysqli,$row['client_name']);
 mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id");
 $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payments.payment_id DESC");
diff --git a/guest_view_quote.php b/guest_view_quote.php
index 57eb17c1..f2ac1870 100644
--- a/guest_view_quote.php
+++ b/guest_view_quote.php
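Review bot: The new `$client_name_escaped` line escapes only the client name, while the `notification` string on the next line still interpolates `$ip`, `$os` and `$browser` unescaped inside the same single-quoted SQL literal, and the `history_description` on the context line above does the same. Those values appear to be derived from the request (User-Agent and client address), so a quote character in a header would break the query, and the comment's "Prevent SQL Error" understates what is at stake — this is the SQL-injection pattern, not just a crash. Escaping one field fixes the reported symptom; the durable fix is a prepared statement for the notifications INSERT, shown below (the history INSERT needs the same), binding the ids as integers on the assumption that `$client_id` and `$company_id` are numeric as their unquoted use implies. Since the stored name is now raw instead of htmlentities()'d, whatever renders `notification` must HTML-escape it at output. The enclosing `if(isset($_GET['invoice_id'], $_GET['url_key']))` block starts and ends outside the hunk.
```php
// … unchanged: history INSERT …
$notification = "Invoice $invoice_prefix$invoice_number has been viewed by {$row['client_name']} - $ip - $os - $browser";
$stmt = mysqli_prepare($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = ?, notification_timestamp = NOW(), notification_client_id = ?, company_id = ?");
mysqli_stmt_bind_param($stmt, 'sii', $notification, $client_id, $company_id);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
// … unchanged: $sql_payments query …
```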
@@ -77,7 +77,9 @@ if(isset($_GET['quote_id'], $_GET['url_key'])){
 //Mark viewed in history
 mysqli_query($mysqli,"INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser - $device', history_created_at = NOW(), history_quote_id = $quote_id, company_id = $company_id");
- mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name - $ip - $os - $browser - $device', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id");
+ //Prevent SQL Error if client_name has ' in their name example Bill's Market
+ $client_name_escaped = mysqli_escape_string($mysqli,$row['client_name']);
+ mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser - $device', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id");
 ?>
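Review bot: The same gap as on the invoice page applies here: the new `mysqli_escape_string()` line protects `$client_name_escaped`, but the rebuilt `notification` literal on the following `+` line still interpolates `$ip`, `$os`, `$browser` and `$device` unescaped, as does the `history_description` context line above. If any of those are derived from request headers, a single quote in the header breaks the query and is attacker-controllable, so this should move to a prepared statement with `?` placeholders rather than per-field escaping. The added comment also undersells the risk; I would write it as `//Escape client_name: it is interpolated into a quoted SQL string, so a name like Bill's Market would break the query or allow injection`. The enclosing `if(isset($_GET['quote_id'], $_GET['url_key']))` block begins outside the hunk, and the trailing `?>` context line is the last hunk line visible.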