From 9040fdf847a5f08aeeea4bca6b1722f099a4968e Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 27 Mar 2022 22:26:22 +0100 Subject: [PATCH] Misc small changes/fixes --- api/v1/validate_api_key.php | 9 ++++++--- campaign.php | 4 +--- campaign_track.php | 6 ++---- check_login.php | 9 +++------ client.php | 2 +- client_asset_add_modal.php | 4 ++-- client_asset_copy_modal.php | 4 ++-- client_overview.php | 2 -- cron.php | 1 - invoices.php | 6 +++--- post.php | 7 +++---- side_nav.php | 4 ++-- 12 files changed, 25 insertions(+), 33 deletions(-) diff --git a/api/v1/validate_api_key.php b/api/v1/validate_api_key.php index 080394d0..91658e53 100644 --- a/api/v1/validate_api_key.php +++ b/api/v1/validate_api_key.php @@ -24,6 +24,9 @@ $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_A // Setup return array $return_arr = array(); +// Unauthorised wording +DEFINE("WORDING_UNAUTHORIZED", "HTTP/1.1 401 Unauthorized"); + /* * API Notes: * @@ -48,7 +51,7 @@ if($_SERVER['REQUEST_METHOD'] !== "GET" AND $_SERVER['REQUEST_METHOD'] !== "POST // Check API key is provided if(!isset($_GET['api_key']) AND !isset($_POST['api_key'])){ - header("HTTP/1.1 401 Unauthorized"); + header(WORDING_UNAUTHORIZED); exit(); } @@ -69,13 +72,13 @@ if(isset($api_key)){ // Failed if(mysqli_num_rows($sql) !== 1){ // Invalid Key - header("HTTP/1.1 401 Unauthorized"); + header(WORDING_UNAUTHORIZED); mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'API', log_action = 'Failed', log_description = 'Incorrect or expired Key', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()"); $return_arr['success'] = "False"; $return_arr['message'] = "API Key authentication failure or expired."; - header("HTTP/1.1 401 Unauthorized"); + header(WORDING_UNAUTHORIZED); echo json_encode($return_arr); exit(); } diff --git a/campaign.php b/campaign.php index 3038be6d..6c0f0a7c 100644 --- a/campaign.php +++ b/campaign.php 
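Review bot: The added `DEFINE("WORDING_UNAUTHORIZED", "HTTP/1.1 401 Unauthorized")` hard-codes the protocol version into the status line, which is wrong for HTTP/1.0 and HTTP/2 clients; `http_response_code(401)` lets PHP emit the correct status line for the negotiated protocol and removes the need for the constant at the call sites in the `@@ -48` and `@@ -69` hunks of this file. If the constant is kept, lowercase `define(...)` is the conventional spelling, and a `defined()` guard avoids a notice should this file ever be included twice (whether that can happen is not visible from the hunk). Proposed: `if (!defined('WORDING_UNAUTHORIZED')) { define('WORDING_UNAUTHORIZED', 'HTTP/1.1 401 Unauthorized'); }`, or replace each `header(WORDING_UNAUTHORIZED);` with `http_response_code(401);`.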
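Review bot: In the invalid-key branch `header(WORDING_UNAUTHORIZED);` is sent twice, once at the top of the branch and again immediately before `echo json_encode($return_arr);`, so the second call is redundant and should be dropped. The same branch sets `$return_arr['success'] = "False"` as a string rather than the boolean `false`, which clients cannot test without a string comparison; `$return_arr['success'] = false;` is the conventional JSON shape, if the API contract permits the change. The enclosing `if(isset($api_key))` block continues outside the hunk.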
@@ -18,13 +18,11 @@ if(isset($_GET['campaign_id'])){ //Set Badge color based off of campaign status if($campaign_status == "Sent"){ - $campaign_badge_color = "warning text-white"; + $campaign_badge_color = "success"; }elseif($campaign_status == "Queued"){ $campaign_badge_color = "info"; }elseif($campaign_status == "Sending"){ $campaign_badge_color = "primary"; - }elseif($campaign_status == "Sent"){ - $campaign_badge_color = "success"; }else{ $campaign_badge_color = "secondary"; } diff --git a/campaign_track.php b/campaign_track.php index 5b9485f1..35579dd7 100644 --- a/campaign_track.php +++ b/campaign_track.php @@ -29,10 +29,8 @@ if(isset($_GET['message_id'])){ $sql = mysqli_query($mysqli,"SELECT message_id FROM campaign_messages WHERE message_id = $message_id AND message_hash = '$message_hash'"); if(mysqli_num_rows($sql) == 1){ // Server variables - $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); - $referer = $_SERVER['HTTP_REFERER']; - $user_agent = $_SERVER['HTTP_USER_AGENT']; - mysqli_query($mysqli,"UPDATE campaign_messages SET message_ip = '$ip', message_referer = '$referer', message_user_agent = '$user_agent', message_opened_at = NOW() WHERE message_id = $message_id"); + $ip = trim(strip_tags(mysqli_real_escape_string($mysqli,get_ip()))); + mysqli_query($mysqli,"UPDATE campaign_messages SET message_ip = '$ip', message_opened_at = NOW() WHERE message_id = $message_id"); } } diff --git a/check_login.php b/check_login.php index ac03550b..8215b6d8 100644 --- a/check_login.php +++ b/check_login.php @@ -11,7 +11,7 @@ } //Check to see if setup is enabled - if(!isset($config_enable_setup) or $config_enable_setup == 1){ + if(!isset($config_enable_setup) || $config_enable_setup == 1){ header("Location: setup.php"); exit; } 
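Review bot: The if/elseif chain that sets `$campaign_badge_color` maps a fixed set of status strings to CSS classes and reads more clearly as a lookup with a default, which also removes the loose `==` comparisons: `$badge_colors = ['Sent' => 'success', 'Queued' => 'info', 'Sending' => 'primary'];` followed by `$campaign_badge_color = $badge_colors[$campaign_status] ?? 'secondary';`. The enclosing `if(isset($_GET['campaign_id']))` block starts before the hunk.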
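Review bot: In the rewritten `$ip = trim(strip_tags(mysqli_real_escape_string($mysqli,get_ip())));` the SQL escaping runs first and `strip_tags`/`trim` run afterwards, so the value reaching the query is a post-processed copy of the escaped string rather than the escaped form of the cleaned string; escaping should be the last step, `$ip = mysqli_real_escape_string($mysqli, trim(strip_tags(get_ip())));`. Since an IP address never legitimately contains tags or whitespace, validating with `filter_var($ip, FILTER_VALIDATE_IP)` and skipping the UPDATE when it fails would be the stronger check. `$message_id` is interpolated unquoted into both queries in this hunk; its sanitisation is above the hunk, so I cannot confirm it is cast to an integer there.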
@@ -24,11 +24,8 @@ // SESSION FINGERPRINT $session_ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); $session_os = strip_tags(mysqli_real_escape_string($mysqli,get_os())); - //$session_browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser())); - //$session_device = strip_tags(mysqli_real_escape_string($mysqli,get_device())); - //$session_user_agent = "$session_os - $session_browser"; - - // Get user agent + + // User agent $session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); $session_user_id = $_SESSION['user_id']; diff --git a/client.php b/client.php index e04cbcc0..3af3273e 100644 --- a/client.php +++ b/client.php @@ -235,7 +235,7 @@ $location_phone = formatPhoneNumber($location_phone); } ?> - +

Billing

Paid
diff --git a/client_asset_add_modal.php b/client_asset_add_modal.php index ee3764a8..505b928b 100644 --- a/client_asset_add_modal.php +++ b/client_asset_add_modal.php @@ -96,7 +96,7 @@
- +
@@ -136,7 +136,7 @@
- +
diff --git a/client_asset_copy_modal.php b/client_asset_copy_modal.php index f465ad4f..88a7b474 100644 --- a/client_asset_copy_modal.php +++ b/client_asset_copy_modal.php @@ -94,7 +94,7 @@
- +
@@ -134,7 +134,7 @@
- +
diff --git a/client_overview.php b/client_overview.php index f6190b08..65da814d 100644 --- a/client_overview.php +++ b/client_overview.php @@ -74,8 +74,6 @@ $sql_tickets_stale = mysqli_query($mysqli,"SELECT * FROM tickets $contact_extension = $row['contact_extension']; $contact_mobile = formatPhoneNumber($row['contact_mobile']); $contact_email = $row['contact_email']; - //$client_id = $row['client_id']; - //$client_name = $row['client_name']; $department_name = $row['department_name']; ?> diff --git a/cron.php b/cron.php index 48b7d782..30332cd6 100644 --- a/cron.php +++ b/cron.php @@ -75,7 +75,6 @@ while($row = mysqli_fetch_array($sql_companies)){ while ($row = mysqli_fetch_row($result)) { $sqlScript .= "INSERT INTO $table VALUES("; for ($j = 0; $j < $columnCount; $j ++) { - $row[$j] = $row[$j]; if (isset($row[$j])) { $sqlScript .= '"' . $row[$j] . '"'; diff --git a/invoices.php b/invoices.php index e361eafc..68a96e21 100644 --- a/invoices.php +++ b/invoices.php @@ -107,7 +107,7 @@ } //Date Filter - if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){ + if($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])){ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']); $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']); }elseif($_GET['canned_date'] == "today"){ @@ -224,7 +224,7 @@
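Review bot: The condition `if($_GET['canned_date'] == "custom" && !empty($_GET['dtf']))` only checks `dtf`, yet the next line reads `$_GET['dtt']` unconditionally, so a request carrying `dtf` without `dtt` raises an undefined-index warning and escapes `null`. Extend the guard to `&& !empty($_GET['dtf']) && !empty($_GET['dtt'])`, and since both values are dates, validate the format rather than only escaping, e.g. `DateTimeImmutable::createFromFormat('Y-m-d', $_GET['dtf'])` with a fallback to the default range when it returns `false` (the exact format the form sends is not visible from the hunk). The surrounding date-filter block starts before the hunk.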
- +
@@ -316,7 +316,7 @@ $now = time(); - if(($invoice_status == "Sent" or $invoice_status == "Partial" or $invoice_status == "Viewed") and strtotime($invoice_due) + 86400 < $now ){ + if(($invoice_status == "Sent" || $invoice_status == "Partial" || $invoice_status == "Viewed") && strtotime($invoice_due) + 86400 < $now ){ $overdue_color = "text-danger font-weight-bold"; }else{ $overdue_color = ""; diff --git a/post.php b/post.php index 58cbb827..594fa55b 100644 --- a/post.php +++ b/post.php @@ -1135,7 +1135,6 @@ if(isset($_GET['download_database'])){ while ($row = mysqli_fetch_row($result)) { $sqlScript .= "INSERT INTO $table VALUES("; for ($j = 0; $j < $columnCount; $j ++) { - $row[$j] = $row[$j]; if (isset($row[$j])) { $sqlScript .= '"' . $row[$j] . '"'; @@ -1391,7 +1390,7 @@ if(isset($_POST['edit_client'])){ //Add new tags foreach($_POST['tags'] as $tag){ - intval($tag); + $tag = intval($tag); mysqli_query($mysqli,"INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag"); } @@ -1938,7 +1937,7 @@ if(isset($_POST['edit_campaign'])){ //Create Recipient List based off tags selected if(isset($_POST['tags'])){ foreach($_POST['tags'] as $tag){ - intval($tag); + $tag = intval($tag); $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN contacts ON contacts.contact_id = clients.primary_contact @@ -6744,7 +6743,7 @@ if(isset($_POST['add_file'])){ // get details of the uploaded file $file_error = 0; $file_tmp_path = $_FILES['file']['tmp_name']; - $file_name = $_FILES['file']['name']; + $file_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_FILES['file']['name']))); $file_size = $_FILES['file']['size']; $file_type = $_FILES['file']['type']; $file_extension = strtolower(end(explode('.',$_FILES['file']['name']))); diff --git a/side_nav.php b/side_nav.php index d9eb4677..386f799b 100644 --- a/side_nav.php +++ b/side_nav.php @@ -48,7 +48,7 @@
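Review bot: `strtotime($invoice_due) + 86400 < $now` treats a parse failure as overdue, because `strtotime()` returns `false`, which becomes `0` in the addition, so an empty or unparsable due date is always flagged. Capture the result and test it first: `$due_ts = strtotime($invoice_due);` then `if ($due_ts !== false && in_array($invoice_status, ["Sent", "Partial", "Viewed"], true) && $due_ts + 86400 < $now)`, which also replaces the three `||` comparisons with a strict `in_array`. The `86400` is a one-day grace period and deserves a named constant or a comment such as `// one day of grace after the due date`.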
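Review bot: `$tag = intval($tag);` now casts each entry, but `foreach($_POST['tags'] as $tag)` still assumes `tags` is an array of scalars; a scalar `tags` value makes `foreach` emit a warning and skip the loop, and a nested array entry is cast by `intval()` to `1`, silently attaching tag id 1. Guard the loop with `if (is_array($_POST['tags']))` and skip non-numeric entries before the cast, e.g. `if (!is_scalar($tag) || !ctype_digit((string) $tag)) { continue; }`; the identical loop in the `@@ -1938` hunk of this file needs the same treatment. Both enclosing `if(isset($_POST[...]))` blocks start before their hunks, and `$client_id` in the INSERT is set outside the hunk.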
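Review bot: `$file_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_FILES['file']['name'])));` applies the SQL escape before `strip_tags`/`trim`, so the escaping does not necessarily cover the value that is eventually stored; escape last, immediately before the INSERT, and keep the cleaned display name separate from any filesystem use. If `$file_name` is later used to build a path (the rest of the `add_file` handler is outside the hunk, so I cannot confirm), `basename()` on the client-supplied name is the relevant check, since SQL escaping does nothing for path components. The following context line `end(explode('.', ...))` passes a temporary by reference, which PHP reports as a notice; `strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION))` yields the extension without it.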
- +