AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More Security fixes escaping search and sortby GET vars

This commit is contained in:
johnny@pittpc.com 2019-08-31 15:38:16 -04:00
parent 71decb9332
commit 9050f4b03a
32 changed files with 108 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
accounts.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "account_id";
}
@ -57,7 +57,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Accounts">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Accounts">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
categories.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "category_type";
}
@ -56,7 +56,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Categories">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Categories">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
client_assets.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "asset_type";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_contacts.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "contact_name";
}
@ -58,7 +58,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_domains.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "domain_id";
}
@ -59,7 +59,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_invoices.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "invoice_id";
}
@ -61,7 +61,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_locations.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "location_name";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_logins.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "login_id";
}
@ -61,7 +61,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_networks.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "network_id";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_payments.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "payment_id";
}
@ -62,7 +62,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_quotes.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "quote_id";
}
@ -61,7 +61,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_recurring.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "recurring_id";
}
@ -61,7 +61,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_software.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "software_id";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_tickets.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "ticket_id";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
client_vendors.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "vendor_id";
}
@ -60,7 +60,7 @@ $total_pages = ceil($total_found_rows / 10);
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="tab" value="<?php echo $_GET['tab']; ?>">
<div class="input-group">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<input type="search" class="form-control " name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search <?php echo ucwords($_GET['tab']); ?>">
<div class="input-group-append">
<button class="btn btn-secondary"><i class="fa fa-search"></i></button>
</div>

6
clients.php
View File

@ -15,13 +15,13 @@ if(isset($_GET['p'])){
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "client_id";
}
@ -55,7 +55,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Clients">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Clients">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
companies.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "companies.company_id";
}
@ -59,7 +59,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Companies">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Companies">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
expenses.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "expense_date";
}
@ -61,7 +61,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Expenses">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Expenses">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

2
global_search.php
View File

@ -4,7 +4,7 @@
if(isset($_GET['query'])){
$query = $_GET['query'];
$query = mysqli_real_escape_string($mysqli,$_GET['query']);
$sql_clients = mysqli_query($mysqli,"SELECT * FROM clients WHERE client_name LIKE '%$query%' AND company_id = $session_company_id ORDER BY client_id DESC LIMIT 5");
$sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_name LIKE '%$query%' AND company_id = $session_company_id ORDER BY vendor_id DESC LIMIT 5");

6
invoices.php
View File

@ -59,13 +59,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "invoice_id";
}
@ -150,7 +150,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Invoices">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Invoices">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
payments.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "payment_id";
}
@ -60,7 +60,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Payments">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Payments">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

3
post.php
View File

@ -1168,6 +1168,9 @@ if(isset($_POST['add_quote_to_invoice'])){
$client_id = $row['client_id'];
$category_id = $row['category_id'];
//Generate a unique URL key for clients to access
$url_key = keygen();
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_number = '$invoice_number', invoice_date = '$date', invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), category_id = $category_id, invoice_status = 'Draft', invoice_amount = '$quote_amount', invoice_note = '$quote_note', invoice_created_at = NOW(), client_id = $client_id, company_id = $session_company_id");
$new_invoice_id = mysqli_insert_id($mysqli);

6
products.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "product_name";
}
@ -56,7 +56,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Products">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Products">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
quotes.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "quote_number";
}
@ -60,7 +60,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Quotes">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Quotes">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
recurring.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "recurring_id";
}
@ -60,7 +60,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Recurring Invoices">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Recurring Invoices">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
revenues.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "revenue_id";
}
@ -60,7 +60,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Revenues">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Revenues">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

17
setup.php
View File

@ -297,6 +297,23 @@ if(isset($_POST['add_company_settings'])){
$_SESSION['alert_message'] = '';
}
?>
<?php if(isset($_GET['setup_checks'])){ ?>
<div class="card mb-3">
<div class="card-header">
<h6 class="mt-1"><i class="fa fa-fw fa-checkmark"></i> Setup Checks</h6>
</div>
<div class="card-body">
<ul class="mb-4">
<li>Upload is readable and writeable</li>
<li>PHP 7+ Installed</li>
</ul>
<center><a href="?database" class="btn btn-lg btn-primary mb-5">Install</a></center>
</div>
</div>
<?php } ?>
<?php if(isset($_GET['database'])){ ?>

6
tickets.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "ticket_id";
}
@ -59,7 +59,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Tickets">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Tickets">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
transfers.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "transfer_date";
}
@ -56,7 +56,7 @@ $total_pages = ceil($total_found_rows / 10);
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Transfers">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Transfers">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
trips.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "trip_id";
}
@ -58,7 +58,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Trips">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Trips">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
users.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "user_id";
}
@ -58,7 +58,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Users">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Users">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>

6
vendors.php
View File

@ -15,13 +15,13 @@
}
if(isset($_GET['q'])){
$q = $_GET['q'];
$q = mysqli_real_escape_string($mysqli,$_GET['q']);
}else{
$q = "";
}
if(!empty($_GET['sb'])){
$sb = $_GET['sb'];
$sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
}else{
$sb = "vendor_name";
}
@ -57,7 +57,7 @@
<div class="card-body">
<form autocomplete="off">
<div class="input-group">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo $q;} ?>" placeholder="Search Invoices">
<input type="search" class="form-control col-md-4" name="q" value="<?php if(isset($q)){echo stripslashes($q);} ?>" placeholder="Search Invoices">
<div class="input-group-append">
<button class="btn btn-primary"><i class="fa fa-search"></i></button>
</div>