More updating with new sanitize function and more logging and alerting cont

johnnyq 2023-02-16 22:26:38 -05:00
parent 4708f6b117
commit 8a91ae0e46
8 changed files with 353 additions and 345 deletions


@ -3,7 +3,7 @@
require_once("inc_all.php");
if (!empty($_GET['sb'])) {
$sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb']));
$sb = sanitizeInput($_GET['sb']);
} else {
$sb = "account_name";
}
@ -32,7 +32,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo strip_tags(htmlentities($q)); } ?>" placeholder="Search Accounts">
<input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Accounts">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>
@ -53,23 +53,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<?php
while ($row = mysqli_fetch_array($sql)) {
$account_id = $row['account_id'];
$account_id = intval($row['account_id']);
$account_name = htmlentities($row['account_name']);
$opening_balance = $row['opening_balance'];
$opening_balance = floatval($row['opening_balance']);
$account_currency_code = htmlentities($row['account_currency_code']);
$account_notes = htmlentities($row['account_notes']);
$sql_payments = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id");
$row = mysqli_fetch_array($sql_payments);
$total_payments = $row['total_payments'];
$total_payments = floatval($row['total_payments']);
$sql_revenues = mysqli_query($mysqli, "SELECT SUM(revenue_amount) AS total_revenues FROM revenues WHERE revenue_account_id = $account_id");
$row = mysqli_fetch_array($sql_revenues);
$total_revenues = $row['total_revenues'];
$total_revenues = floatval($row['total_revenues']);
$sql_expenses = mysqli_query($mysqli, "SELECT SUM(expense_amount) AS total_expenses FROM expenses WHERE expense_account_id = $account_id");
$row = mysqli_fetch_array($sql_expenses);
$total_expenses = $row['total_expenses'];
$total_expenses = floatval($row['total_expenses']);
$balance = $opening_balance + $total_payments + $total_revenues - $total_expenses;
?>
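Review bot: `$sb = sanitizeInput($_GET['sb']);` still lets the request choose the sort column freely, and string escaping does not protect a value that is used as an SQL identifier rather than inside quotes. The query that consumes `$sb` is outside this hunk, so this is inferred: if it ends up in an `ORDER BY`, check it against a fixed list first, e.g. `if (!in_array($sb, $allowed_sort_columns, true)) { $sb = "account_name"; }`, where `$allowed_sort_columns` is a list defined for this page. The `$sortby` assignment in the client list section has the same shape.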


@ -23,8 +23,8 @@ if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
}
// User IP & UA
$session_ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$session_ip = sanitizeInput(getIP());
$session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
$session_user_id = $_SESSION['user_id'];
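Review bot: `$_SERVER['HTTP_USER_AGENT']` is read without checking that it is set, so a request that sends no User-Agent header raises an undefined-index warning and passes null into sanitizeInput(). `sanitizeInput($_SERVER['HTTP_USER_AGENT'] ?? '')` avoids that, and the `$user_agent` line in the login section has the same read. The context line `$session_user_id = $_SESSION['user_id'];` is left uncast while this commit casts other ids; if it is interpolated into queries further down (not visible here), `intval($_SESSION['user_id'])` would match the rest of the change.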


@ -9,6 +9,7 @@
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body bg-white">
<div class="form-group">
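Review bot: The new hidden `client_id` field is a value the browser can change, so the handler in post.php (its diff is suppressed on this page) should not treat it as proof of which client the document belongs to. Deriving the client from `document_id` server-side, or verifying that the posted pair matches, keeps the new log and alert entries trustworthy. The echo is also unencoded; `value="<?php echo intval($client_id); ?>"` keeps the attribute safe regardless of where `$client_id` was set, which is not visible here. The same applies to the `client_id` field added next to `folder_id` in the following section.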


@ -9,6 +9,7 @@
</div>
<form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="folder_id" value="<?php echo $folder_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body bg-white">
<div class="form-group">


@ -15,7 +15,7 @@ if (isset($_GET['p'])) {
//Custom Query Filter
if (isset($_GET['query'])) {
$query = strip_tags(mysqli_real_escape_string($mysqli, $_GET['query']));
$query = sanitizeInput($_GET['query']);
//Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '', $query);
if (empty($phone_query)) {
@ -28,7 +28,7 @@ if (isset($_GET['query'])) {
//Column Filter
if (!empty($_GET['sortby'])) {
$sortby = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sortby']));
$sortby = sanitizeInput($_GET['sortby']);
} else {
$sortby = "client_accessed_at";
}
@ -121,7 +121,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="row">
<div class="col-sm-4">
<div class="input-group">
<input type="search" class="form-control" name="query" value="<?php if (isset($query)) {echo strip_tags(htmlentities($query));} ?>" placeholder="Search Clients" autofocus>
<input type="search" class="form-control" name="query" value="<?php if (isset($query)) { echo stripslashes(htmlentities($query)); } ?>" placeholder="Search Clients" autofocus>
<div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
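Review bot: `stripslashes(htmlentities($query))` undoes SQL escaping at output time, which means one variable is serving both the query and the HTML attribute. Assuming sanitizeInput() applies mysqli_real_escape_string() (its body is not on this page), stripslashes() is not an exact inverse, so a search containing backslashes or escaped control characters is shown differently from what was typed. Keeping the unescaped value for display and encoding only at output, e.g. `echo htmlentities($_GET['query'] ?? '', ENT_QUOTES, 'UTF-8');`, separates the two contexts. The `q` search box in the first section uses the same pattern.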


@ -12,13 +12,13 @@ require_once("functions.php");
require_once("rfc6238.php");
// IP & User Agent for logging
$ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$ip = sanitizeInput(getIP());
$user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
// Block brute force password attacks - check recent failed login attempts for this IP
// Block access if more than 15 failed login attempts have happened in the last 10 minutes
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 10 MINUTE)"));
$failed_login_count = $row['failed_login_count'];
$failed_login_count = intval($row['failed_login_count']);
if ($failed_login_count >= 15) {
@ -77,10 +77,10 @@ if (isset($_POST['login'])) {
// User password correct (partial login)
// Set temporary user variables
$user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name']));
$user_id = $row['user_id'];
$user_email = $row['user_email'];
$token = $row['user_token'];
$user_name = sanitizeInput($row['user_name']);
$user_id = intval($row['user_id']);
$user_email = sanitizeInput($row['user_email']);
$token = sanitizeInput($row['user_token']);
// Checking for user 2FA
if (empty($token) || TokenAuth6238::verify($token, $current_code)) {
@ -89,10 +89,10 @@ if (isset($_POST['login'])) {
// Check this login isn't suspicious
$sql_ip_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ip_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_ip = '$ip' AND log_user_id = '$user_id'"));
$ip_previous_logins = $sql_ip_prev_logins['ip_previous_logins'];
$ip_previous_logins = sanitizeInput($sql_ip_prev_logins['ip_previous_logins']);
$sql_ua_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ua_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_user_agent = '$user_agent' AND log_user_id = '$user_id'"));
$ua_prev_logins = $sql_ua_prev_logins['ua_previous_logins'];
$ua_prev_logins = sanitizeInput($sql_ua_prev_logins['ua_previous_logins']);
// Notify if both the user agent and IP are different
if (!empty($config_smtp_host) && $ip_previous_logins == 0 && $ua_prev_logins == 0) {
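Review bot: `$ip_previous_logins` and `$ua_prev_logins` are COUNT() results, yet they are passed through sanitizeInput(), a string sanitizer, and then tested with `== 0`. The commit already uses `intval($row['failed_login_count'])` for the other counter in this file; `intval($sql_ip_prev_logins['ip_previous_logins'])` and the same for the user-agent count would make the new-device alert rest on an integer comparison (`=== 0`) rather than on whatever the sanitizer returns. Separately, `$token` is the stored 2FA secret handed to `TokenAuth6238::verify()`, and an input sanitizer can only alter it, so it is worth confirming that sanitizeInput() leaves such values unchanged or reading the column as-is. The enclosing `if (isset($_POST['login']))` block continues outside these hunks.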


@ -34,7 +34,7 @@ if (isset($_GET['o'])) {
// Search
if (isset($_GET['q'])) {
$q = strip_tags(mysqli_real_escape_string($mysqli, trim($_GET['q'])));
$q = sanitizeInput($_GET['q']);
} else {
$q = "";
}
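Review bot: The previous line applied `trim()` to `$_GET['q']` and the new one does not, so unless sanitizeInput() trims (its body is not shown on this page) searches with leading or trailing spaces now behave differently. If it does not trim, `$q = sanitizeInput(trim($_GET['q']));` keeps the earlier behaviour.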

652
post.php

File diff suppressed because it is too large Load Diff