From 68005723e6953215a2bf5ad916aba6883742711e Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 12 Feb 2023 15:50:45 +0000
Subject: [PATCH 1/2] API

- Refactor comments/client id var
- Add basic read endpoint for docs, products, expenses, quotes and invoices
---
 api/v1/assets/read.php        | 25 ++++++++++++-------------
 api/v1/certificates/read.php  | 21 ++++++++++-----------
 api/v1/clients/read.php       | 14 +++++++-------
 api/v1/contacts/read.php      | 14 +++++++-------
 api/v1/documents/read.php     | 19 +++++++++++++++++++
 api/v1/domains/read.php       | 13 ++++++++-----
 api/v1/expenses/read.php      | 21 +++++++++++++++++++++
 api/v1/invoices/read.php      | 19 +++++++++++++++++++
 api/v1/networks/read.php      | 21 ++++++++++-----------
 api/v1/products/read.php      | 21 +++++++++++++++++++++
 api/v1/quotes/read.php        | 19 +++++++++++++++++++
 api/v1/require_get_method.php | 10 +++++++---
 api/v1/software/read.php      | 33 ++++++++++++++++-----------------
 api/v1/tickets/read.php       |  8 ++++----
 14 files changed, 180 insertions(+), 78 deletions(-)
 create mode 100644 api/v1/documents/read.php
 create mode 100644 api/v1/expenses/read.php
 create mode 100644 api/v1/invoices/read.php
 create mode 100644 api/v1/products/read.php
 create mode 100644 api/v1/quotes/read.php

diff --git a/api/v1/assets/read.php b/api/v1/assets/read.php
index 45a636cd..33bd5484 100644
--- a/api/v1/assets/read.php
+++ b/api/v1/assets/read.php
@@ -7,29 +7,28 @@ require_once('../require_get_method.php');
 if (isset($_GET['asset_id'])) {
     $id = intval($_GET['asset_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_id = '$id' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Asset query via type
-elseif (isset($_GET['asset_type'])) {
+} elseif (isset($_GET['asset_type'])) {
+    // Asset query via type
+
     $type = mysqli_real_escape_string($mysqli, ucfirst($_GET['asset_type']));
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_type = '$type' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-}
 
-// Asset query via name
-elseif (isset($_GET['asset_name'])) {
+} elseif (isset($_GET['asset_name'])) {
+    // Asset query via name
+
     $name = mysqli_real_escape_string($mysqli, $_GET['asset_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_name = '$name' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-}
 
-// Asset query via serial
-elseif (isset($_GET['asset_serial'])) {
+} elseif (isset($_GET['asset_serial'])) {
+    // Asset query via serial
+
     $serial = mysqli_real_escape_string($mysqli, $_GET['asset_serial']);
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_serial = '$serial' AND asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-}
 
-// Asset query via client ID
-elseif (isset($_GET['client_id']) && $client_id == "%") {
-    $client_id = intval($_GET['client_id']);
+} elseif (isset($_GET['client_id'])) {
+    // Asset query via client ID
+
     $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 }
 
diff --git a/api/v1/certificates/read.php b/api/v1/certificates/read.php
index a968eecf..7781efca 100644
--- a/api/v1/certificates/read.php
+++ b/api/v1/certificates/read.php
@@ -7,24 +7,23 @@ require_once('../require_get_method.php');
 if (isset($_GET['certificate_id'])) {
     $id = intval($_GET['certificate_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_id = '$id' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Certificate by name
-elseif (isset($_GET['certificate_name'])) {
+} elseif (isset($_GET['certificate_name'])) {
+    // Certificate by name
+
     $name = mysqli_real_escape_string($mysqli, $_GET['certificate_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_name = '$name' AND certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
-}
 
-// Certificate via client ID (if allowed)
-elseif (isset($_GET['client_id']) && $client_id == "%") {
-    $client_id = intval($_GET['client_id']);
+} elseif (isset($_GET['client_id'])) {
+    // Certificate via client ID
+
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
-}
 
-// All certificates
-else {
+} else {
+    // All certificates
+
     $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY certificate_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/clients/read.php b/api/v1/clients/read.php
index af5577e5..cdcfd602 100644
--- a/api/v1/clients/read.php
+++ b/api/v1/clients/read.php
@@ -7,18 +7,18 @@ require_once('../require_get_method.php');
 if (isset($_GET['client_id'])) {
     $id = intval($_GET['client_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$id' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Specific client via name (single)
-elseif (isset($_GET['client_name'])) {
+} elseif (isset($_GET['client_name'])) {
+    // Specific client via name (single)
+
     $name = mysqli_real_escape_string($mysqli, $_GET['client_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_name = '$name' AND client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// All clients
-else {
+} else {
+    // All clients
+
     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY client_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/contacts/read.php b/api/v1/contacts/read.php
index 19acda88..6ac4c17e 100644
--- a/api/v1/contacts/read.php
+++ b/api/v1/contacts/read.php
@@ -7,18 +7,18 @@ require_once('../require_get_method.php');
 if (isset($_GET['contact_id'])) {
     $id = intval($_GET['contact_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$id' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Specific contact via email (single)
-elseif (isset($_GET['contact_email'])) {
+} elseif (isset($_GET['contact_email'])) {
+    // Specific contact via email (single)
+
     $email = mysqli_real_escape_string($mysqli, $_GET['contact_email']);
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// All contacts
-else {
+} else {
+    // All contacts
+
     $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY contact_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/documents/read.php b/api/v1/documents/read.php
new file mode 100644
index 00000000..ede88862
--- /dev/null
+++ b/api/v1/documents/read.php
@@ -0,0 +1,19 @@
+<?php
+
+require_once('../validate_api_key.php');
+require_once('../require_get_method.php');
+
+if (isset($_GET['document_id'])) {
+    // Document via ID (single)
+
+    $id = intval($_GET['document_id']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_id = '$id' AND document_client_id LIKE '$client_id' AND company_id = '$company_id'");
+
+} else {
+    // All documents
+
+    $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY document_id LIMIT $limit OFFSET $offset");
+}
+
+// Output
+require_once("../read_output.php");
diff --git a/api/v1/domains/read.php b/api/v1/domains/read.php
index f0cf2b7a..bf2f139e 100644
--- a/api/v1/domains/read.php
+++ b/api/v1/domains/read.php
@@ -9,15 +9,18 @@ if (isset($_GET['domain_id'])) {
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
 }
 
-// Domain by name
+
 elseif (isset($_GET['domain_name'])) {
+    // Domain by name
+
     $name = mysqli_real_escape_string($mysqli, $_GET['domain_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
 }
 
-// Domain via client ID (if allowed)
-elseif (isset($_GET['client_id']) && $client_id == "%") {
-    $client_id = intval($_GET['client_id']);
+
+elseif (isset($_GET['client_id'])) {
+    // Domain via client ID
+
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
 }
 
@@ -27,4 +30,4 @@ else {
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/expenses/read.php b/api/v1/expenses/read.php
new file mode 100644
index 00000000..ece31ced
--- /dev/null
+++ b/api/v1/expenses/read.php
@@ -0,0 +1,21 @@
+<?php
+
+require_once('../validate_api_key.php');
+require_once('../require_get_method.php');
+
+// Expenses aren't stored against client IDs, so we instead validate the API key is for All Clients
+
+if (isset($_GET['expense_id']) && $client_id == "%") {
+    // Expense via ID (single)
+
+    $id = intval($_GET['expense_id']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM expenses WHERE expense_id = '$id' AND company_id = '$company_id'");
+
+} elseif ($client_id == "%") {
+    // All expenses
+
+    $sql = mysqli_query($mysqli, "SELECT * FROM expenses WHERE company_id = '$company_id' ORDER BY expense_id LIMIT $limit OFFSET $offset");
+}
+
+// Output
+require_once("../read_output.php");
diff --git a/api/v1/invoices/read.php b/api/v1/invoices/read.php
new file mode 100644
index 00000000..3fb44a5f
--- /dev/null
+++ b/api/v1/invoices/read.php
@@ -0,0 +1,19 @@
+<?php
+
+require_once('../validate_api_key.php');
+require_once('../require_get_method.php');
+
+if (isset($_GET['invoice_id'])) {
+    // Invoice via ID (single)
+
+    $id = intval($_GET['invoice_id']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_id = '$id' AND invoice_client_id LIKE '$client_id' AND company_id = '$company_id'");
+
+} else {
+    // All invoices
+
+    $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY invoice_id LIMIT $limit OFFSET $offset");
+}
+
+// Output
+require_once("../read_output.php");
diff --git a/api/v1/networks/read.php b/api/v1/networks/read.php
index e76cfaa1..553faa6f 100644
--- a/api/v1/networks/read.php
+++ b/api/v1/networks/read.php
@@ -7,24 +7,23 @@ require_once('../require_get_method.php');
 if (isset($_GET['network_id'])) {
     $id = intval($_GET['network_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_id = '$id' AND network_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Network by name
-elseif (isset($_GET['network_name'])) {
+} elseif (isset($_GET['network_name'])) {
+    // Network by name
+
     $name = mysqli_real_escape_string($mysqli, $_GET['network_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_name = '$name' AND network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
-}
 
-// Network via client ID (if allowed)
-elseif (isset($_GET['client_id']) && $client_id == "%") {
-    $client_id = intval($_GET['client_id']);
+} elseif (isset($_GET['client_id'])) {
+    // Network via client ID
+
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
-}
 
-// All networks
-else {
+} else {
+    // All networks
+
     $sql = mysqli_query($mysqli, "SELECT * FROM networks WHERE network_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY network_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/products/read.php b/api/v1/products/read.php
new file mode 100644
index 00000000..dc968e0c
--- /dev/null
+++ b/api/v1/products/read.php
@@ -0,0 +1,21 @@
+<?php
+
+require_once('../validate_api_key.php');
+require_once('../require_get_method.php');
+
+// Products aren't stored against client IDs, so we instead validate the API key is for All Clients
+
+if (isset($_GET['product_id']) && $client_id == "%") {
+    // product via ID (single)
+
+    $id = intval($_GET['product_id']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM products WHERE product_id = '$id' AND company_id = '$company_id'");
+
+} elseif ($client_id == "%") {
+    // All products
+
+    $sql = mysqli_query($mysqli, "SELECT * FROM products WHERE company_id = '$company_id' ORDER BY product_id LIMIT $limit OFFSET $offset");
+}
+
+// Output
+require_once("../read_output.php");
diff --git a/api/v1/quotes/read.php b/api/v1/quotes/read.php
new file mode 100644
index 00000000..5dac7d8a
--- /dev/null
+++ b/api/v1/quotes/read.php
@@ -0,0 +1,19 @@
+<?php
+
+require_once('../validate_api_key.php');
+require_once('../require_get_method.php');
+
+if (isset($_GET['quote_id'])) {
+    // quote via ID (single)
+
+    $id = intval($_GET['quote_id']);
+    $sql = mysqli_query($mysqli, "SELECT * FROM quotes WHERE quote_id LIKE '$id' AND quote_client_id = '$client_id' AND company_id = '$company_id'");
+
+} else {
+    // All quotes
+
+    $sql = mysqli_query($mysqli, "SELECT * FROM quotes WHERE quote_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY quote_id LIMIT $limit OFFSET $offset");
+}
+
+// Output
+require_once("../read_output.php");
diff --git a/api/v1/require_get_method.php b/api/v1/require_get_method.php
index 4ce0b1f9..bc6cafdc 100644
--- a/api/v1/require_get_method.php
+++ b/api/v1/require_get_method.php
@@ -7,7 +7,11 @@ if ($_SERVER['REQUEST_METHOD'] !== "GET") {
     exit();
 }
 
-// Wildcard client ID for most SELECT queries
+// Wildcard client ID for most SELECT queries, unless otherwise specified (and allowed)
 if ($client_id == 0) {
-    $client_id = "%";
-}
\ No newline at end of file
+    if (isset($_GET['client_id'])) {
+        $client_id = intval($_GET['client_id']);
+    } else {
+        $client_id = "%";
+    }
+}
diff --git a/api/v1/software/read.php b/api/v1/software/read.php
index 0b09d9a0..7d1b1820 100644
--- a/api/v1/software/read.php
+++ b/api/v1/software/read.php
@@ -7,36 +7,35 @@ require_once('../require_get_method.php');
 if (isset($_GET['software_id'])) {
     $id = intval($_GET['software_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_id = '$id' AND software_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// Specific software via key
-if (isset($_GET['software_key'])) {
+} elseif (isset($_GET['software_key'])) {
+    // Specific software via key
+
     $key = mysqli_real_escape_string($mysqli, $_GET['software_license']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_key = '$key' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
-}
 
-// Software by name
-elseif (isset($_GET['software_name'])) {
+} elseif (isset($_GET['software_name'])) {
+    // Software by name
+
     $name = mysqli_real_escape_string($mysqli, $_GET['software_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_name = '$name' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-}
 
-// Software via type
-elseif (isset($_GET['software_type'])) {
+} elseif (isset($_GET['software_type'])) {
+    // Software via type
+
     $type = intval($_GET['software_type']);
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_type = '$type' AND software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
-}
 
-// Software via client ID (if allowed)
-elseif (isset($_GET['client_id']) && $client_id == "%") {
-    $client_id = intval($_GET['client_id']);
+} elseif (isset($_GET['client_id'])) {
+    // Software via client ID
+
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
-}
 
-// All software(s)
-else {
+} else {
+    // All software(s)
+
     $sql = mysqli_query($mysqli, "SELECT * FROM software WHERE software_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY software_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");
diff --git a/api/v1/tickets/read.php b/api/v1/tickets/read.php
index b0ee19e6..075212c4 100644
--- a/api/v1/tickets/read.php
+++ b/api/v1/tickets/read.php
@@ -7,12 +7,12 @@ require_once('../require_get_method.php');
 if (isset($_GET['ticket_id'])) {
     $id = intval($_GET['ticket_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$id' AND ticket_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-// All tickets
-else {
+} else {
+    // All tickets
+
     $sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY ticket_id LIMIT $limit OFFSET $offset");
 }
 
 // Output
-require_once("../read_output.php");
\ No newline at end of file
+require_once("../read_output.php");

From 6f7f679682c0bff879bf1d9990e3b649a2febdbc Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 12 Feb 2023 15:56:09 +0000
Subject: [PATCH 2/2] Tidy

---
 api/v1/domains/read.php | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/api/v1/domains/read.php b/api/v1/domains/read.php
index bf2f139e..be282458 100644
--- a/api/v1/domains/read.php
+++ b/api/v1/domains/read.php
@@ -7,25 +7,21 @@ require_once('../require_get_method.php');
 if (isset($_GET['domain_id'])) {
     $id = intval($_GET['domain_id']);
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_id = '$id' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id'");
-}
 
-
-elseif (isset($_GET['domain_name'])) {
+} elseif (isset($_GET['domain_name'])) {
     // Domain by name
 
     $name = mysqli_real_escape_string($mysqli, $_GET['domain_name']);
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_name = '$name' AND domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY asset_id LIMIT $limit OFFSET $offset");
-}
 
-
-elseif (isset($_GET['client_id'])) {
+} elseif (isset($_GET['client_id'])) {
     // Domain via client ID
 
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
-}
 
-// All domains
-else {
+} else {
+    // All domains
+
     $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id LIKE '$client_id' AND company_id = '$company_id' ORDER BY domain_id LIMIT $limit OFFSET $offset");
 }