diff --git a/login.php b/login.php
index d64330c9..dd1e2c25 100644
--- a/login.php
+++ b/login.php
@@ -56,8 +56,8 @@ $config_smtp_port = intval($row['config_smtp_port']);
$config_smtp_encryption = $row['config_smtp_encryption'];
$config_smtp_username = $row['config_smtp_username'];
$config_smtp_password = $row['config_smtp_password'];
-$config_mail_from_email = $row['config_mail_from_email'];
-$config_mail_from_name = $row['config_mail_from_name'];
+$config_mail_from_email = sanitizeInput($row['config_mail_from_email']);
+$config_mail_from_name = sanitizeInput($row['config_mail_from_name']);
// Client Portal Enabled
$config_client_portal_enable = intval($row['config_client_portal_enable']);
diff --git a/post/contact.php b/post/contact.php
index 2a730981..036096d8 100644
--- a/post/contact.php
+++ b/post/contact.php
@@ -68,7 +68,6 @@ if (isset($_POST['edit_contact'])) {
require_once 'post/contact_model.php';
-
$contact_id = intval($_POST['contact_id']);
$send_email = intval($_POST['send_email']);
@@ -98,12 +97,18 @@ if (isset($_POST['edit_contact'])) {
// Send contact a welcome e-mail, if specified
if ($send_email && !empty($auth_method) && !empty($config_smtp_host)) {
- // Un-sanitizied used in body of email
- $contact_name = $_POST['name'];
-
// Sanitize Config vars from get_settings.php
- $config_ticket_from_email_escaped = sanitizeInput($config_ticket_from_email);
- $config_ticket_from_name_escaped = sanitizeInput($config_ticket_from_name);
+ $config_ticket_from_email = sanitizeInput($config_ticket_from_email);
+ $config_ticket_from_name = sanitizeInput($config_ticket_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_base_url = sanitizeInput($config_base_url);
+
+ // Get Company Phone Number
+ $sql = mysqli_query($mysqli,"SELECT company_name, company_phone FROM companies WHERE company_id = 1");
+ $row = mysqli_fetch_array($sql);
+ $company_name = sanitizeInput($row['company_name']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
// Authentication info (azure, reset password, or tech-provided temporary password)
@@ -112,11 +117,11 @@ if (isset($_POST['edit_contact'])) {
} elseif (empty($_POST['contact_password'])) {
$password_info = "Request a password reset at https://$config_base_url/portal/login_reset.php";
} else {
- $password_info = $_POST['contact_password'] . " -- Please change on first login";
+ $password_info = mysqli_real_escape_string($mysqli, $_POST['contact_password'] . " -- Please change on first login");
}
- $subject = sanitizeInput("Your new $session_company_name support portal account");
- $body = mysqli_real_escape_string($mysqli, "Hello, $contact_name
$session_company_name has created a support portal account for you.
Username: $email
Password: $password_info
Login URL: https://$config_base_url/portal/
~
$session_company_name
Support Department
$config_ticket_from_email");
+ $subject = "Your new $company_name portal account";
+ $body = "Hello $name,
$company_name has created a support portal account for you.
Username: $email
Password: $password_info
Login URL: https://$config_base_url/portal/
--
$company_name - Support
$config_ticket_from_email
$company_phone";
// Queue Mail
$data = [
@@ -124,7 +129,7 @@ if (isset($_POST['edit_contact'])) {
'from' => $config_mail_from_email,
'from_name' => $config_mail_from_name,
'recipient' => $email,
- 'recipient_name' => $contact_name,
+ 'recipient_name' => $name,
'subject' => $subject,
'body' => $body,
]
diff --git a/post/event.php b/post/event.php
index cbfddd9e..2955a31c 100644
--- a/post/event.php
+++ b/post/event.php
@@ -39,27 +39,31 @@ if (isset($_POST['add_event'])) {
//If email is checked
if ($email_event == 1) {
- $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON primary_contact = contact_id WHERE client_id = $client");
+ $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
- $company_name = $row['company_name'];
- $company_country = $row['company_country'];
- $company_address = $row['company_address'];
- $company_city = $row['company_city'];
- $company_state = $row['company_state'];
- $company_zip = $row['company_zip'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
- $company_logo = $row['company_logo'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_country = sanitizeInput($row['company_country']);
+ $company_address = sanitizeInput($row['company_address']);
+ $company_city = sanitizeInput($row['company_city']);
+ $company_state = sanitizeInput($row['company_state']);
+ $company_zip = sanitizeInput($row['company_zip']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
+ $company_logo = sanitizeInput($row['company_logo']);
+
+ // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "New Calendar Event";
- $body = "Hello $contact_name,
A calendar event has been scheduled: $title at $start
~
$company_name
$company_phone";
+ $body = "Hello $contact_name,
A calendar event has been scheduled:
Event Title: $title
Event Date: $start
--
$company_name
$company_phone";
$data = [
[
@@ -75,7 +79,7 @@ if (isset($_POST['add_event'])) {
// Logging for email (success/fail)
if ($mail === true) {
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Email', log_description = '$session_name emailed event $title to $contact_name from client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Calendar Event', log_action = 'Email', log_description = '$session_name emailed event $title to $contact_name from client $client_name', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client, log_user_id = $session_user_id, log_entity_id = $event_id");
} else {
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $contact_email'");
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $contact_email regarding $subject. $mail', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_user_id = $session_user_id");
@@ -104,28 +108,32 @@ if (isset($_POST['edit_event'])) {
//If email is checked
if ($email_event == 1) {
- $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON primary_contact = contact_id WHERE client_id = $client");
+ $sql_client = mysqli_query($mysqli,"SELECT * FROM clients JOIN contacts ON contact_client_id = client_id WHERE contact_primary = 1 AND client_id = $client");
$row = mysqli_fetch_array($sql_client);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
$sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
- $company_name = $row['company_name'];
- $company_country = $row['company_country'];
- $company_address = $row['company_address'];
- $company_city = $row['company_city'];
- $company_state = $row['company_state'];
- $company_zip = $row['company_zip'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
- $company_logo = $row['company_logo'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_country = sanitizeInput($row['company_country']);
+ $company_address = sanitizeInput($row['company_address']);
+ $company_city = sanitizeInput($row['company_city']);
+ $company_state = sanitizeInput($row['company_state']);
+ $company_zip = sanitizeInput($row['company_zip']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
+ $company_logo = sanitizeInput($row['company_logo']);
+
+ // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+ $config_mail_from_name = sanitizeInput($config_mail_from_name);
+ $config_mail_from_email = sanitizeInput($config_mail_from_email);
$subject = "Calendar Event Rescheduled";
- $body = "Hello $contact_name,
A calendar event has been rescheduled: $title at $start
~
$company_name
$company_phone";
+ $body = "Hello $contact_name,
A calendar event has been rescheduled:
Event Title: $title
Event Date: $start
--
$company_name
$company_phone";
$data = [
[