More updating with new sanitize function and more logging and alerting cont

This commit is contained in:
johnnyq 2023-02-16 22:26:38 -05:00
parent 4708f6b117
commit 8a91ae0e46
8 changed files with 353 additions and 345 deletions


@ -3,7 +3,7 @@
require_once("inc_all.php"); require_once("inc_all.php");
if (!empty($_GET['sb'])) { if (!empty($_GET['sb'])) {
$sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb'])); $sb = sanitizeInput($_GET['sb']);
} else { } else {
$sb = "account_name"; $sb = "account_name";
} }
@ -32,7 +32,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="card-body"> <div class="card-body">
<form autocomplete="off"> <form autocomplete="off">
<div class="input-group"> <div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo strip_tags(htmlentities($q)); } ?>" placeholder="Search Accounts"> <input type="search" class="form-control col-md-4" name="q" value="<?php if (isset($q)) { echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Accounts">
<div class="input-group-append"> <div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button> <button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div> </div>
@ -53,23 +53,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<?php <?php
while ($row = mysqli_fetch_array($sql)) { while ($row = mysqli_fetch_array($sql)) {
$account_id = $row['account_id']; $account_id = intval($row['account_id']);
$account_name = htmlentities($row['account_name']); $account_name = htmlentities($row['account_name']);
$opening_balance = $row['opening_balance']; $opening_balance = floatval($row['opening_balance']);
$account_currency_code = htmlentities($row['account_currency_code']); $account_currency_code = htmlentities($row['account_currency_code']);
$account_notes = htmlentities($row['account_notes']); $account_notes = htmlentities($row['account_notes']);
$sql_payments = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id"); $sql_payments = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id");
$row = mysqli_fetch_array($sql_payments); $row = mysqli_fetch_array($sql_payments);
$total_payments = $row['total_payments']; $total_payments = floatval($row['total_payments']);
$sql_revenues = mysqli_query($mysqli, "SELECT SUM(revenue_amount) AS total_revenues FROM revenues WHERE revenue_account_id = $account_id"); $sql_revenues = mysqli_query($mysqli, "SELECT SUM(revenue_amount) AS total_revenues FROM revenues WHERE revenue_account_id = $account_id");
$row = mysqli_fetch_array($sql_revenues); $row = mysqli_fetch_array($sql_revenues);
$total_revenues = $row['total_revenues']; $total_revenues = floatval($row['total_revenues']);
$sql_expenses = mysqli_query($mysqli, "SELECT SUM(expense_amount) AS total_expenses FROM expenses WHERE expense_account_id = $account_id"); $sql_expenses = mysqli_query($mysqli, "SELECT SUM(expense_amount) AS total_expenses FROM expenses WHERE expense_account_id = $account_id");
$row = mysqli_fetch_array($sql_expenses); $row = mysqli_fetch_array($sql_expenses);
$total_expenses = $row['total_expenses']; $total_expenses = floatval($row['total_expenses']);
$balance = $opening_balance + $total_payments + $total_revenues - $total_expenses; $balance = $opening_balance + $total_payments + $total_revenues - $total_expenses;
?> ?>
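Review bot: sanitizeInput() on `$sb` (L14) cannot make the value safe for the position it appears to fill — the default `account_name` suggests it becomes the ORDER BY column name, where quote-escaping does not apply; the query that consumes it is outside this hunk. An allow-list of the sortable columns is the only robust check, e.g. `$sb = in_array($_GET['sb'], $sortable_columns, true) ? $_GET['sb'] : 'account_name';` with `$sortable_columns` (constructed name) holding the column names this page actually sorts on. The same applies to `$sortby` at L87, whose default `client_accessed_at` points to the same use. The intval()/floatval() casts in the third hunk are the right direction; `$account_id` is now a bare integer in the three SUM queries.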


@ -23,8 +23,8 @@ if (!isset($_SESSION['logged']) || !$_SESSION['logged']) {
} }
// User IP & UA // User IP & UA
$session_ip = strip_tags(mysqli_real_escape_string($mysqli, getIP())); $session_ip = sanitizeInput(getIP());
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT'])); $session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
$session_user_id = $_SESSION['user_id']; $session_user_id = $_SESSION['user_id'];
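Review bot: `$_SERVER['HTTP_USER_AGENT']` (L52) is not guaranteed to be set — a request without a User-Agent header leaves the index undefined, and the new sanitizeInput() call then receives null with a warning; `$session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT'] ?? '');` avoids that. The same applies to `$user_agent` at L106 in the login file. Whether sanitizeInput() itself tolerates null or an empty string cannot be seen from this page.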


@ -9,6 +9,7 @@
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="document_id" value="<?php echo $document_id; ?>"> <input type="hidden" name="document_id" value="<?php echo $document_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body bg-white"> <div class="modal-body bg-white">
<div class="form-group"> <div class="form-group">
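Review bot: the new hidden `client_id` input (L61) echoes `$client_id` without a cast, while the rest of this commit casts ids with intval() (e.g. L29); `value="<?php echo intval($client_id); ?>"` keeps that consistent and guarantees the attribute holds a bare integer. The same applies to the folder form at L71. A hidden field is client-controlled, so the post.php handler (its diff is suppressed on this page) should derive client ownership from document_id/folder_id rather than trust the posted client_id; that cannot be verified here.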


@ -9,6 +9,7 @@
</div> </div>
<form action="post.php" method="post" autocomplete="off"> <form action="post.php" method="post" autocomplete="off">
<input type="hidden" name="folder_id" value="<?php echo $folder_id; ?>"> <input type="hidden" name="folder_id" value="<?php echo $folder_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<div class="modal-body bg-white"> <div class="modal-body bg-white">
<div class="form-group"> <div class="form-group">


@ -15,7 +15,7 @@ if (isset($_GET['p'])) {
//Custom Query Filter //Custom Query Filter
if (isset($_GET['query'])) { if (isset($_GET['query'])) {
$query = strip_tags(mysqli_real_escape_string($mysqli, $_GET['query'])); $query = sanitizeInput($_GET['query']);
//Phone Numbers //Phone Numbers
$phone_query = preg_replace("/[^0-9]/", '', $query); $phone_query = preg_replace("/[^0-9]/", '', $query);
if (empty($phone_query)) { if (empty($phone_query)) {
@ -28,7 +28,7 @@ if (isset($_GET['query'])) {
//Column Filter //Column Filter
if (!empty($_GET['sortby'])) { if (!empty($_GET['sortby'])) {
$sortby = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sortby'])); $sortby = sanitizeInput($_GET['sortby']);
} else { } else {
$sortby = "client_accessed_at"; $sortby = "client_accessed_at";
} }
@ -121,7 +121,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
<div class="row"> <div class="row">
<div class="col-sm-4"> <div class="col-sm-4">
<div class="input-group"> <div class="input-group">
<input type="search" class="form-control" name="query" value="<?php if (isset($query)) {echo strip_tags(htmlentities($query));} ?>" placeholder="Search Clients" autofocus> <input type="search" class="form-control" name="query" value="<?php if (isset($query)) { echo stripslashes(htmlentities($query)); } ?>" placeholder="Search Clients" autofocus>
<div class="input-group-append"> <div class="input-group-append">
<button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button> <button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
<button class="btn btn-primary"><i class="fa fa-search"></i></button> <button class="btn btn-primary"><i class="fa fa-search"></i></button>


@ -12,13 +12,13 @@ require_once("functions.php");
require_once("rfc6238.php"); require_once("rfc6238.php");
// IP & User Agent for logging // IP & User Agent for logging
$ip = strip_tags(mysqli_real_escape_string($mysqli, getIP())); $ip = sanitizeInput(getIP());
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT'])); $user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
// Block brute force password attacks - check recent failed login attempts for this IP // Block brute force password attacks - check recent failed login attempts for this IP
// Block access if more than 15 failed login attempts have happened in the last 10 minutes // Block access if more than 15 failed login attempts have happened in the last 10 minutes
$row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 10 MINUTE)")); $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS failed_login_count FROM logs WHERE log_ip = '$ip' AND log_type = 'Login' AND log_action = 'Failed' AND log_created_at > (NOW() - INTERVAL 10 MINUTE)"));
$failed_login_count = $row['failed_login_count']; $failed_login_count = intval($row['failed_login_count']);
if ($failed_login_count >= 15) { if ($failed_login_count >= 15) {
@ -77,10 +77,10 @@ if (isset($_POST['login'])) {
// User password correct (partial login) // User password correct (partial login)
// Set temporary user variables // Set temporary user variables
$user_name = strip_tags(mysqli_real_escape_string($mysqli, $row['user_name'])); $user_name = sanitizeInput($row['user_name']);
$user_id = $row['user_id']; $user_id = intval($row['user_id']);
$user_email = $row['user_email']; $user_email = sanitizeInput($row['user_email']);
$token = $row['user_token']; $token = sanitizeInput($row['user_token']);
// Checking for user 2FA // Checking for user 2FA
if (empty($token) || TokenAuth6238::verify($token, $current_code)) { if (empty($token) || TokenAuth6238::verify($token, $current_code)) {
@ -89,10 +89,10 @@ if (isset($_POST['login'])) {
// Check this login isn't suspicious // Check this login isn't suspicious
$sql_ip_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ip_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_ip = '$ip' AND log_user_id = '$user_id'")); $sql_ip_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ip_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_ip = '$ip' AND log_user_id = '$user_id'"));
$ip_previous_logins = $sql_ip_prev_logins['ip_previous_logins']; $ip_previous_logins = sanitizeInput($sql_ip_prev_logins['ip_previous_logins']);
$sql_ua_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ua_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_user_agent = '$user_agent' AND log_user_id = '$user_id'")); $sql_ua_prev_logins = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT COUNT(log_id) AS ua_previous_logins FROM logs WHERE log_type = 'Login' AND log_action = 'Success' AND log_user_agent = '$user_agent' AND log_user_id = '$user_id'"));
$ua_prev_logins = $sql_ua_prev_logins['ua_previous_logins']; $ua_prev_logins = sanitizeInput($sql_ua_prev_logins['ua_previous_logins']);
// Notify if both the user agent and IP are different // Notify if both the user agent and IP are different
if (!empty($config_smtp_host) && $ip_previous_logins == 0 && $ua_prev_logins == 0) { if (!empty($config_smtp_host) && $ip_previous_logins == 0 && $ua_prev_logins == 0) {
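Review bot: `$ip_previous_logins` and `$ua_prev_logins` (L124, L126) are COUNT() results passed through sanitizeInput() and then compared with `== 0`; the first hunk of this file casts the analogous `$failed_login_count` with intval() (L110), so `$ip_previous_logins = intval($sql_ip_prev_logins['ip_previous_logins']);` and the same for `$ua_prev_logins` are the consistent form and allow a strict `=== 0`. In the second hunk, `$user_email` and `$token` (L117, L118) come from the database row, not from the request; if sanitizeInput() still applies SQL escaping as the strip_tags/mysqli_real_escape_string wrapper it replaces did, that would alter the stored value before `TokenAuth6238::verify` sees it — its definition is not on this page, so this is a point to confirm. The enclosing `if (isset($_POST['login']))` block starts and ends outside these hunks.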


@ -34,7 +34,7 @@ if (isset($_GET['o'])) {
// Search // Search
if (isset($_GET['q'])) { if (isset($_GET['q'])) {
$q = strip_tags(mysqli_real_escape_string($mysqli, trim($_GET['q']))); $q = sanitizeInput($_GET['q']);
} else { } else {
$q = ""; $q = "";
} }
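Review bot: the old code trimmed `$_GET['q']` before escaping, and the new `$q = sanitizeInput($_GET['q']);` (L135) drops the trim(), so leading and trailing whitespace now reaches the search unless sanitizeInput() trims internally, which this page does not show; `$q = sanitizeInput(trim($_GET['q']));` preserves the previous behaviour. The accounts page echoes a `$q` of its own (L22), but its assignment is outside the hunk shown, so whether the two agree cannot be checked here.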

652
post.php
