mirror of https://github.com/itflow-org/itflow
Update/Fix Mail Functions in POST/contact.php and event.php - sanitize POST vars instead the whole mail subject and body which prevents having a mixed of confusing redundant escaped and unescaped vars also fixed scheduling calendar events was not working to send an email out
This commit is contained in:
johnnyq
parent
91eff8f9b6
commit
92ccd7de14
|
|
@ -56,8 +56,8 @@ $config_smtp_port = intval($row['config_smtp_port']);
|
|||
$config_smtp_encryption = $row['config_smtp_encryption'];
|
||||
$config_smtp_username = $row['config_smtp_username'];
|
||||
$config_smtp_password = $row['config_smtp_password'];
|
||||
$config_mail_from_email = $row['config_mail_from_email'];
|
||||
$config_mail_from_name = $row['config_mail_from_name'];
|
||||
$config_mail_from_email = sanitizeInput($row['config_mail_from_email']);
|
||||
$config_mail_from_name = sanitizeInput($row['config_mail_from_name']);
|
||||
|
||||
// Client Portal Enabled
|
||||
$config_client_portal_enable = intval($row['config_client_portal_enable']);
|
||||
|
|
|
|||
|
|
@ -68,7 +68,6 @@ if (isset($_POST['edit_contact'])) {
|
|||
|
||||
require_once 'post/contact_model.php';
|
||||
|
||||
|
||||
$contact_id = intval($_POST['contact_id']);
|
||||
$send_email = intval($_POST['send_email']);
|
||||
|
||||
|
|
@ -98,12 +97,18 @@ if (isset($_POST['edit_contact'])) {
|
|||
// Send contact a welcome e-mail, if specified
|
||||
if ($send_email && !empty($auth_method) && !empty($config_smtp_host)) {
|
||||
|
||||
// Un-sanitizied used in body of email
|
||||
$contact_name = $_POST['name'];
|
||||
|
||||
// Sanitize Config vars from get_settings.php
|
||||
$config_ticket_from_email_escaped = sanitizeInput($config_ticket_from_email);
|
||||
$config_ticket_from_name_escaped = sanitizeInput($config_ticket_from_name);
|
||||
$config_ticket_from_email = sanitizeInput($config_ticket_from_email);
|
||||
$config_ticket_from_name = sanitizeInput($config_ticket_from_name);
|
||||
$config_mail_from_email = sanitizeInput($config_mail_from_email);
|
||||
$config_mail_from_name = sanitizeInput($config_mail_from_name);
|
||||
$config_base_url = sanitizeInput($config_base_url);
|
||||
|
||||
// Get Company Phone Number
|
||||
$sql = mysqli_query($mysqli,"SELECT company_name, company_phone FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql);
|
||||
$company_name = sanitizeInput($row['company_name']);
|
||||
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
|
||||
|
||||
// Authentication info (azure, reset password, or tech-provided temporary password)
|
||||
|
||||
|
|
@ -112,11 +117,11 @@ if (isset($_POST['edit_contact'])) {
|
|||
} elseif (empty($_POST['contact_password'])) {
|
||||
$password_info = "Request a password reset at https://$config_base_url/portal/login_reset.php";
|
||||
} else {
|
||||
$password_info = $_POST['contact_password'] . " -- Please change on first login";
|
||||
$password_info = mysqli_real_escape_string($mysqli, $_POST['contact_password'] . " -- Please change on first login");
|
||||
}
|
||||
|
||||
$subject = sanitizeInput("Your new $session_company_name support portal account");
|
||||
$body = mysqli_real_escape_string($mysqli, "Hello, $contact_name<br><br>$session_company_name has created a support portal account for you. <br><br>Username: $email<br>Password: $password_info<br><br>Login URL: https://$config_base_url/portal/<br><br>~<br>$session_company_name<br>Support Department<br>$config_ticket_from_email");
|
||||
$subject = "Your new $company_name portal account";
|
||||
$body = "Hello $name,<br><br>$company_name has created a support portal account for you. <br><br>Username: $email<br>Password: $password_info<br><br>Login URL: https://$config_base_url/portal/<br><br>--<br>$company_name - Support<br>$config_ticket_from_email<br>$company_phone";
|
||||
|
||||
// Queue Mail
|
||||
$data = [
|
||||
|
|
@ -124,7 +129,7 @@ if (isset($_POST['edit_contact'])) {
|
|||
'from' => $config_mail_from_email,
|
||||
'from_name' => $config_mail_from_name,
|
||||
'recipient' => $email,
|
||||
'recipient_name' => $contact_name,
|
||||
'recipient_name' => $name,
|
||||
'subject' => $subject,
|
||||
'body' => $body,
|
||||
]
|
||||
|
|
|
|||
|
|
@ -39,27 +39,31 @@ if (isset($_POST['add_event'])) {
|
|||
//If email is checked
|
||||
if ($email_event == 1) {
|
||||
|
||||
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON primary_contact = contact_id WHERE client_id = $client");
|
||||
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
|
||||
$row = mysqli_fetch_array($sql_client);
|
||||
$client_name = $row['client_name'];
|
||||
$contact_name = $row['contact_name'];
|
||||
$contact_email = $row['contact_email'];
|
||||
$client_name = sanitizeInput($row['client_name']);
|
||||
$contact_name = sanitizeInput($row['contact_name']);
|
||||
$contact_email = sanitizeInput($row['contact_email']);
|
||||
|
||||
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql_company);
|
||||
$company_name = $row['company_name'];
|
||||
$company_country = $row['company_country'];
|
||||
$company_address = $row['company_address'];
|
||||
$company_city = $row['company_city'];
|
||||
$company_state = $row['company_state'];
|
||||
$company_zip = $row['company_zip'];
|
||||
$company_phone = formatPhoneNumber($row['company_phone']);
|
||||
$company_email = $row['company_email'];
|
||||
$company_website = $row['company_website'];
|
||||
$company_logo = $row['company_logo'];
|
||||
$company_name = sanitizeInput($row['company_name']);
|
||||
$company_country = sanitizeInput($row['company_country']);
|
||||
$company_address = sanitizeInput($row['company_address']);
|
||||
$company_city = sanitizeInput($row['company_city']);
|
||||
$company_state = sanitizeInput($row['company_state']);
|
||||
$company_zip = sanitizeInput($row['company_zip']);
|
||||
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
|
||||
$company_email = sanitizeInput($row['company_email']);
|
||||
$company_website = sanitizeInput($row['company_website']);
|
||||
$company_logo = sanitizeInput($row['company_logo']);
|
||||
|
||||
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
|
||||
$config_mail_from_name = sanitizeInput($config_mail_from_name);
|
||||
$config_mail_from_email = sanitizeInput($config_mail_from_email);
|
||||
|
||||
$subject = "New Calendar Event";
|
||||
$body = "Hello $contact_name,<br><br>A calendar event has been scheduled: $title at $start<br><br><br>~<br>$company_name<br>$company_phone";
|
||||
$body = "Hello $contact_name,<br><br>A calendar event has been scheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
|
||||
|
||||
$data = [
|
||||
[
|
||||
|
|
@ -75,7 +79,7 @@ if (isset($_POST['add_event'])) {
|
|||
|
||||
// Logging for email (success/fail)
|
||||
if ($mail === true) {
|
||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Email', log_description = '$session_name emailed event $title to $contact_name from client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
|
||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Email', log_description = '$session_name emailed event $title to $contact_name from client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
|
||||
} else {
|
||||
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $contact_email'");
|
||||
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $contact_email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
|
||||
|
|
@ -104,28 +108,32 @@ if (isset($_POST['edit_event'])) {
|
|||
//If email is checked
|
||||
if ($email_event == 1) {
|
||||
|
||||
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON primary_contact = contact_id WHERE client_id = $client");
|
||||
$sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
|
||||
$row = mysqli_fetch_array($sql_client);
|
||||
$client_name = $row['client_name'];
|
||||
$contact_name = $row['contact_name'];
|
||||
$contact_email = $row['contact_email'];
|
||||
$client_name = sanitizeInput($row['client_name']);
|
||||
$contact_name = sanitizeInput($row['contact_name']);
|
||||
$contact_email = sanitizeInput($row['contact_email']);
|
||||
|
||||
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
|
||||
$row = mysqli_fetch_array($sql_company);
|
||||
$company_name = $row['company_name'];
|
||||
$company_country = $row['company_country'];
|
||||
$company_address = $row['company_address'];
|
||||
$company_city = $row['company_city'];
|
||||
$company_state = $row['company_state'];
|
||||
$company_zip = $row['company_zip'];
|
||||
$company_phone = formatPhoneNumber($row['company_phone']);
|
||||
$company_email = $row['company_email'];
|
||||
$company_website = $row['company_website'];
|
||||
$company_logo = $row['company_logo'];
|
||||
$company_name = sanitizeInput($row['company_name']);
|
||||
$company_country = sanitizeInput($row['company_country']);
|
||||
$company_address = sanitizeInput($row['company_address']);
|
||||
$company_city = sanitizeInput($row['company_city']);
|
||||
$company_state = sanitizeInput($row['company_state']);
|
||||
$company_zip = sanitizeInput($row['company_zip']);
|
||||
$company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
|
||||
$company_email = sanitizeInput($row['company_email']);
|
||||
$company_website = sanitizeInput($row['company_website']);
|
||||
$company_logo = sanitizeInput($row['company_logo']);
|
||||
|
||||
// Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
|
||||
$config_mail_from_name = sanitizeInput($config_mail_from_name);
|
||||
$config_mail_from_email = sanitizeInput($config_mail_from_email);
|
||||
|
||||
|
||||
$subject = "Calendar Event Rescheduled";
|
||||
$body = "Hello $contact_name,<br><br>A calendar event has been rescheduled: $title at $start<br><br><br>~<br>$company_name<br>$company_phone";
|
||||
$body = "Hello $contact_name,<br><br>A calendar event has been rescheduled:<br><br>Event Title: $title<br>Event Date: $start<br><br><br>--<br>$company_name<br>$company_phone";
|
||||
|
||||
$data = [
|
||||
[
|
||||
|
|
|
|||
Loading…
Reference in New Issue