From 95f190c89d2936d1f42895db340bb20dae8ccce3 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Mon, 20 Feb 2023 22:02:39 -0500 Subject: [PATCH] More UI work and santitizeInput migrations --- account_add_modal.php | 6 +- account_edit_modal.php | 6 +- accounts.php | 12 ++- ajax.php | 16 ++-- api_key_add_modal.php | 8 +- calendar_add_modal.php | 6 +- calendar_event_add_modal.php | 16 ++-- calendar_event_edit_modal.php | 18 ++--- client_add_modal.php | 6 +- client_edit_modal.php | 12 +-- clients.php | 14 +++- cron.php | 16 +++- post.php | 3 +- ticket.php | 148 +++++++++++++++++----------------- ticket_add_modal.php | 32 ++++---- ticket_edit_modal.php | 22 ++--- ticket_invoice_add_modal.php | 22 ++--- ticket_merge_modal.php | 6 +- ticket_reply_edit_modal.php | 9 ++- tickets.php | 44 +++++----- top_nav.php | 4 +- 21 files changed, 223 insertions(+), 203 deletions(-) diff --git a/account_add_modal.php b/account_add_modal.php index fb8db55f..7663d926 100644 --- a/account_add_modal.php +++ b/account_add_modal.php @@ -2,7 +2,7 @@
-
New Account
+
New Account
@@ -52,8 +52,8 @@
- - + +
diff --git a/account_edit_modal.php b/account_edit_modal.php index cdac0780..eb230d98 100644 --- a/account_edit_modal.php +++ b/account_edit_modal.php @@ -2,7 +2,7 @@
-
Editing account:
+
Editing account:
@@ -28,8 +28,8 @@
- - + +
diff --git a/accounts.php b/accounts.php index f078e396..c6d3044b 100644 --- a/accounts.php +++ b/accounts.php @@ -24,9 +24,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
-

Accounts

+

Accounts

- +
@@ -84,10 +84,14 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
- Edit + + Edit +
- Archive + + Archive +
diff --git a/ajax.php b/ajax.php index c8b54fd5..f743d7f4 100644 --- a/ajax.php +++ b/ajax.php @@ -155,7 +155,7 @@ if (isset($_GET['network_get_json_details'])) { if (isset($_POST['client_set_notes'])) { $client_id = intval($_POST['client_id']); - $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes']))); + $notes = sanitizeInput($_POST['notes']); // Update notes mysqli_query($mysqli, "UPDATE clients SET client_notes = '$notes' WHERE client_id = '$client_id'"); @@ -167,7 +167,7 @@ if (isset($_POST['client_set_notes'])) { if (isset($_POST['contact_set_notes'])) { $contact_id = intval($_POST['contact_id']); - $notes = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['notes']))); + $notes = sanitizeInput($_POST['notes']); // Update notes mysqli_query($mysqli, "UPDATE contacts SET contact_notes = '$notes' WHERE contact_id = $contact_id"); @@ -228,28 +228,28 @@ if (isset($_GET['share_generate_link'])) { $item_encrypted_credential = ''; // Default empty $client_id = intval($_GET['client_id']); - $item_type = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['type']))); + $item_type = sanitizeInput($_GET['type']); $item_id = intval($_GET['id']); - $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['note']))); + $item_note = sanitizeInput($_GET['note']); $item_view_limit = intval($_GET['views']); - $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli, $_GET['expires']))); + $item_expires = sanitizeInput($_GET['expires']); $item_key = randomString(156); if ($item_type == "Document") { $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1")); - $item_name = strip_tags(mysqli_real_escape_string($mysqli, $row['document_name'])); + $item_name = sanitizeInput($row['document_name']); } if ($item_type == "File") { $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_id' AND file_client_id = '$client_id' LIMIT 1")); - $item_name = strip_tags(mysqli_real_escape_string($mysqli, $row['file_name'])); + $item_name = sanitizeInput($row['file_name']); } if ($item_type == "Login") { $login = mysqli_query($mysqli, "SELECT login_name, login_username, login_password FROM logins WHERE login_id = '$item_id' AND login_client_id = '$client_id' LIMIT 1"); $row = mysqli_fetch_array($login); - $item_name = strip_tags(mysqli_real_escape_string($mysqli, $row['login_name'])); + $item_name = sanitizeInput($row['login_name']); // Decrypt & re-encrypt username/password for sharing $login_encryption_key = randomString(); diff --git a/api_key_add_modal.php b/api_key_add_modal.php index 5303699f..e07fc39a 100644 --- a/api_key_add_modal.php +++ b/api_key_add_modal.php @@ -5,7 +5,7 @@ $key = randomString(156);
-
New Key
+
New Key
@@ -63,7 +63,7 @@ $key = randomString(156); @@ -73,8 +73,8 @@ $key = randomString(156);
- - + +
diff --git a/calendar_add_modal.php b/calendar_add_modal.php index c9a4dd6c..80dcc7f1 100644 --- a/calendar_add_modal.php +++ b/calendar_add_modal.php @@ -2,7 +2,7 @@
-
New Calendar
+
New Calendar
@@ -32,8 +32,8 @@
- - + +
diff --git a/calendar_event_add_modal.php b/calendar_event_add_modal.php index 40a8be28..14bff4af 100644 --- a/calendar_event_add_modal.php +++ b/calendar_event_add_modal.php @@ -2,7 +2,7 @@
-
New Event
+
New Event
@@ -12,13 +12,13 @@ @@ -50,7 +50,7 @@ $sql = mysqli_query($mysqli, "SELECT * FROM calendars WHERE company_id = $session_company_id ORDER BY calendar_name ASC"); while ($row = mysqli_fetch_array($sql)) { - $calendar_id = $row['calendar_id']; + $calendar_id = intval($row['calendar_id']); $calendar_name = htmlentities($row['calendar_name']); $calendar_color = htmlentities($row['calendar_color']); ?> @@ -119,7 +119,7 @@ $sql = mysqli_query($mysqli, "SELECT * FROM clients LEFT JOIN contacts ON primary_contact = contact_id WHERE clients.company_id = $session_company_id ORDER BY client_name ASC"); while ($row = mysqli_fetch_array($sql)) { - $client_id = $row['client_id']; + $client_id = intval($row['client_id']); $client_name = htmlentities($row['client_name']); $contact_email = htmlentities($row['contact_email']); ?> @@ -147,8 +147,8 @@
- - + +
diff --git a/calendar_event_edit_modal.php b/calendar_event_edit_modal.php index e00a6802..651e5054 100644 --- a/calendar_event_edit_modal.php +++ b/calendar_event_edit_modal.php @@ -2,7 +2,7 @@
-
+
@@ -15,13 +15,13 @@ @@ -52,7 +52,7 @@ $sql_calendars_select = mysqli_query($mysqli, "SELECT * FROM calendars WHERE company_id = $session_company_id ORDER BY calendar_name ASC"); while ($row = mysqli_fetch_array($sql_calendars_select)) { - $calendar_id_select = $row['calendar_id']; + $calendar_id_select = intval($row['calendar_id']); $calendar_name_select = htmlentities($row['calendar_name']); $calendar_color_select = htmlentities($row['calendar_color']); ?> @@ -118,7 +118,7 @@ $sql_clients = mysqli_query($mysqli, "SELECT * FROM clients LEFT JOIN contacts ON primary_contact = contact_id WHERE clients.company_id = $session_company_id ORDER BY client_name ASC"); while ($row = mysqli_fetch_array($sql_clients)) { - $client_id_select = $row['client_id']; + $client_id_select = intval($row['client_id']); $client_name_select = htmlentities($row['client_name']); $contact_email_select = htmlentities($row['contact_email']); ?> @@ -145,9 +145,9 @@
- Delete - - + Delete + +
diff --git a/client_add_modal.php b/client_add_modal.php index b3515ea7..8834fd0b 100644 --- a/client_add_modal.php +++ b/client_add_modal.php @@ -274,7 +274,7 @@ $sql_tags_select = mysqli_query($mysqli, "SELECT * FROM tags WHERE tag_type = 1 AND company_id = $session_company_id ORDER BY tag_name ASC"); while ($row = mysqli_fetch_array($sql_tags_select)) { - $tag_id_select = $row['tag_id']; + $tag_id_select = intval($row['tag_id']); $tag_name_select = htmlentities($row['tag_name']); $tag_color_select = htmlentities($row['tag_color']); $tag_icon_select = htmlentities($row['tag_icon']); @@ -300,8 +300,8 @@
- - + +
diff --git a/client_edit_modal.php b/client_edit_modal.php index 2f5f950d..fbc7c12b 100644 --- a/client_edit_modal.php +++ b/client_edit_modal.php @@ -140,7 +140,7 @@ $sql_tags_select = mysqli_query($mysqli, "SELECT * FROM tags WHERE tag_type = 1 AND company_id = $session_company_id ORDER BY tag_name ASC"); while ($row = mysqli_fetch_array($sql_tags_select)) { - $tag_id_select = $row['tag_id']; + $tag_id_select = intval($row['tag_id']); $tag_name_select = htmlentities($row['tag_name']); $tag_color_select = htmlentities($row['tag_color']); $tag_icon_select = htmlentities($row['tag_icon']); @@ -150,9 +150,9 @@
" name="tags[]" value="" >
@@ -166,8 +166,8 @@
- - + +
diff --git a/clients.php b/clients.php index 03d922a5..bf33533c 100644 --- a/clients.php +++ b/clients.php @@ -201,7 +201,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); $contact_email = htmlentities($row['contact_email']); $client_website = htmlentities($row['client_website']); $client_currency_code = htmlentities($row['client_currency_code']); - $client_net_terms = htmlentities($row['client_net_terms']); + $client_net_terms = intval($row['client_net_terms']); $client_referral = htmlentities($row['client_referral']); $client_notes = htmlentities($row['client_notes']); $client_created_at = date('Y-m-d', strtotime($row['client_created_at'])); @@ -331,11 +331,17 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
- Edit + + Edit +
- Archive + + Archive +
- Delete + + Delete +
diff --git a/cron.php b/cron.php index 86a48c09..79320439 100644 --- a/cron.php +++ b/cron.php @@ -82,6 +82,9 @@ while ($row = mysqli_fetch_array($sql_companies)) { // Clean-up old dismissed notifications mysqli_query($mysqli, "DELETE FROM notifications WHERE notification_dismissed_at < CURDATE() - INTERVAL 90 DAY"); + //Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron cleaned up old data', company_id = $company_id"); + /* @@ -158,6 +161,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } } + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created notifications for domain expiring', company_id = $company_id"); // CERTIFICATES EXPIRING @@ -187,6 +192,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } } + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created notifications for certificates expiring', company_id = $company_id"); // Asset Warranties Expiring @@ -215,6 +222,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } } + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created notifications for asset warranties expiring', company_id = $company_id"); // Scheduled tickets @@ -328,7 +337,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } } - + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created sent out scheduled tickets', company_id = $company_id"); // PAST DUE INVOICE Notifications //$invoiceAlertArray = [$config_invoice_overdue_reminders]; @@ -397,6 +407,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } } + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created notifications for past due invoices and sent out notifications to the primary contacts email', company_id = $company_id"); //Send Recurring Invoices that match todays date and are active @@ -515,6 +527,8 @@ while ($row = mysqli_fetch_array($sql_companies)) { } //End if Autosend is on } //End Recurring Invoices Loop + // Logging + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Cron', log_action = 'Task', log_description = 'Cron created invoices from recurring invoices and sent emails out', company_id = $company_id"); // TELEMETRY diff --git a/post.php b/post.php index c6334529..9a67ed03 100644 --- a/post.php +++ b/post.php @@ -4137,7 +4137,7 @@ if(isset($_GET['email_invoice'])){ ); $row = mysqli_fetch_array($sql); - $invoice_id = $row['invoice_id']; + $invoice_id = intval($row['invoice_id']); $invoice_prefix = $row['invoice_prefix']; $invoice_number = $row['invoice_number']; $invoice_status = $row['invoice_status']; @@ -4148,7 +4148,6 @@ if(isset($_GET['email_invoice'])){ $invoice_currency_code = $row['invoice_currency_code']; $client_id = $row['client_id']; $client_name = $row['client_name']; - $client_name = $row['client_name']; $contact_name = $row['contact_name']; $contact_email = $row['contact_email']; $contact_phone = formatPhoneNumber($row['contact_phone']); diff --git a/ticket.php b/ticket.php index bace5515..76b1f8c2 100644 --- a/ticket.php +++ b/ticket.php @@ -24,10 +24,11 @@ if (isset($_GET['ticket_id'])) { } else { $row = mysqli_fetch_array($sql); - $client_id = $row['client_id']; + $client_id = intval($row['client_id']); $client_name = htmlentities($row['client_name']); $client_type = htmlentities($row['client_type']); $client_website = htmlentities($row['client_website']); + $client_net_terms = htmlentities($row['client_net_terms']); if ($client_net_terms == 0) { $client_net_terms = $config_default_net_terms; @@ -39,22 +40,6 @@ if (isset($_GET['ticket_id'])) { $ticket_subject = htmlentities($row['ticket_subject']); $ticket_details = $row['ticket_details']; $ticket_priority = htmlentities($row['ticket_priority']); - $ticket_feedback = htmlentities($row['ticket_feedback']); - $ticket_status = htmlentities($row['ticket_status']); - $ticket_created_at = $row['ticket_created_at']; - $ticket_date = date('Y-m-d', strtotime($ticket_created_at)); - $ticket_updated_at = $row['ticket_updated_at']; - $ticket_closed_at = $row['ticket_closed_at']; - $ticket_created_by = $row['ticket_created_by']; - - if ($ticket_status == "Open") { - $ticket_status_display = "$ticket_status"; - } elseif ($ticket_status == "Working") { - $ticket_status_display = "$ticket_status"; - } else { - $ticket_status_display = "$ticket_status"; - } - //Set Ticket Bage Color based of priority if ($ticket_priority == "High") { $ticket_priority_display = "$ticket_priority"; @@ -65,8 +50,36 @@ if (isset($_GET['ticket_id'])) { } else { $ticket_priority_display = "-"; } + $ticket_feedback = htmlentities($row['ticket_feedback']); + + $ticket_status = htmlentities($row['ticket_status']); + if ($ticket_status == "Open") { + $ticket_status_display = "$ticket_status"; + } elseif ($ticket_status == "Working") { + $ticket_status_display = "$ticket_status"; + } else { + $ticket_status_display = "$ticket_status"; + } + + $ticket_created_at = htmlentities($row['ticket_created_at']); + $ticket_date = date('Y-m-d', strtotime($ticket_created_at)); + $ticket_updated_at = htmlentities($row['ticket_updated_at']); + $ticket_closed_at = htmlentities($row['ticket_closed_at']); + + $ticket_assigned_to = intval($row['ticket_assigned_to']); + if (empty($ticket_assigned_to)) { + $ticket_assigned_to_display = "Not Assigned"; + } else { + $ticket_assigned_to_display = htmlentities($row['user_name']); + } - $contact_id = $row['contact_id']; + //Ticket Created By + $ticket_created_by = intval($row['ticket_created_by']); + $ticket_created_by_sql = mysqli_query($mysqli, "SELECT user_name FROM users WHERE user_id = $ticket_created_by"); + $row = mysqli_fetch_array($ticket_created_by_sql); + $ticket_created_by_display = htmlentities($row['user_name']); + + $contact_id = intval($row['contact_id']); $contact_name = htmlentities($row['contact_name']); $contact_title = htmlentities($row['contact_title']); $contact_email = htmlentities($row['contact_email']); @@ -74,7 +87,22 @@ if (isset($_GET['ticket_id'])) { $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $asset_id = $row['asset_id']; + if ($contact_id) { + //Get Contact Ticket Stats + $ticket_related_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_open FROM tickets WHERE ticket_status != 'Closed' AND ticket_contact_id = $contact_id "); + $row = mysqli_fetch_array($ticket_related_open); + $ticket_related_open = intval($row['ticket_related_open']); + + $ticket_related_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_closed FROM tickets WHERE ticket_status = 'Closed' AND ticket_contact_id = $contact_id "); + $row = mysqli_fetch_array($ticket_related_closed); + $ticket_related_closed = intval($row['ticket_related_closed']); + + $ticket_related_total = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_total FROM tickets WHERE ticket_contact_id = $contact_id "); + $row = mysqli_fetch_array($ticket_related_total); + $ticket_related_total = intval($row['ticket_related_total']); + } + + $asset_id = intval($row['asset_id']); $asset_ip = htmlentities($row['asset_ip']); $asset_name = htmlentities($row['asset_name']); $asset_type = htmlentities($row['asset_type']); @@ -82,9 +110,9 @@ if (isset($_GET['ticket_id'])) { $asset_model = htmlentities($row['asset_model']); $asset_serial = htmlentities($row['asset_serial']); $asset_os = htmlentities($row['asset_os']); - $asset_warranty_expire = $row['asset_warranty_expire']; + $asset_warranty_expire = htmlentities($row['asset_warranty_expire']); - $vendor_id = $row['ticket_vendor_id']; + $vendor_id = intval($row['ticket_vendor_id']); $vendor_name = htmlentities($row['vendor_name']); $vendor_description = htmlentities($row['vendor_description']); $vendor_account_number = htmlentities($row['vendor_account_number']); @@ -105,45 +133,10 @@ if (isset($_GET['ticket_id'])) { $location_zip = htmlentities($row['location_zip']); $location_phone = formatPhoneNumber($row['location_phone']); - $ticket_assigned_to = $row['ticket_assigned_to']; - if (empty($ticket_assigned_to)) { - $ticket_assigned_to_display = "Not Assigned"; - } else { - $ticket_assigned_to_display = htmlentities($row['user_name']); - } - - //Ticket Created By - $ticket_created_by = $row['ticket_created_by']; - $ticket_created_by_sql = mysqli_query($mysqli, "SELECT user_name FROM users WHERE user_id = $ticket_created_by"); - $row = mysqli_fetch_array($ticket_created_by_sql); - $ticket_created_by_display = htmlentities($row['user_name']); - - //Ticket Assigned To - if (empty($ticket_assigned_to)) { - $ticket_assigned_to_display = "Not Assigned"; - } else { - $ticket_assigned_to_display = htmlentities($row['user_name']); - } - - if ($contact_id) { - //Get Contact Ticket Stats - $ticket_related_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_open FROM tickets WHERE ticket_status != 'Closed' AND ticket_contact_id = $contact_id "); - $row = mysqli_fetch_array($ticket_related_open); - $ticket_related_open = $row['ticket_related_open']; - - $ticket_related_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_closed FROM tickets WHERE ticket_status = 'Closed' AND ticket_contact_id = $contact_id "); - $row = mysqli_fetch_array($ticket_related_closed); - $ticket_related_closed = $row['ticket_related_closed']; - - $ticket_related_total = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS ticket_related_total FROM tickets WHERE ticket_contact_id = $contact_id "); - $row = mysqli_fetch_array($ticket_related_total); - $ticket_related_total = $row['ticket_related_total']; - } - //Get Total Ticket Time $ticket_total_reply_time = mysqli_query($mysqli, "SELECT SEC_TO_TIME(SUM(TIME_TO_SEC(ticket_reply_time_worked))) AS ticket_total_reply_time FROM ticket_replies WHERE ticket_reply_archived_at IS NULL AND ticket_reply_ticket_id = $ticket_id"); $row = mysqli_fetch_array($ticket_total_reply_time); - $ticket_total_reply_time = $row['ticket_total_reply_time']; + $ticket_total_reply_time = htmlentities($row['ticket_total_reply_time']); //Client Tags $client_tag_name_display_array = array(); @@ -151,7 +144,7 @@ if (isset($_GET['ticket_id'])) { $sql_client_tags = mysqli_query($mysqli, "SELECT * FROM client_tags LEFT JOIN tags ON client_tags.tag_id = tags.tag_id WHERE client_tags.client_id = $client_id"); while ($row = mysqli_fetch_array($sql_client_tags)) { - $client_tag_id = $row['tag_id']; + $client_tag_id = intval($row['tag_id']); $client_tag_name = htmlentities($row['tag_name']); $client_tag_color = htmlentities($row['tag_color']); $client_tag_icon = htmlentities($row['tag_icon']); @@ -189,11 +182,16 @@ if (isset($_GET['ticket_id'])) { } // Get technicians to assign the ticket to - $sql_assign_to_select = mysqli_query($mysqli, "SELECT users.user_id, user_name FROM users - LEFT JOIN user_companies ON users.user_id = user_companies.user_id - LEFT JOIN user_settings on users.user_id = user_settings.user_id - WHERE user_companies.company_id = $session_company_id - AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC"); + $sql_assign_to_select = mysqli_query( + $mysqli, + "SELECT users.user_id, user_name FROM users + LEFT JOIN user_companies ON users.user_id = user_companies.user_id + LEFT JOIN user_settings on users.user_id = user_settings.user_id + WHERE user_companies.company_id = $session_company_id + AND user_role > 1 + AND user_archived_at IS NULL + ORDER BY user_name ASC" + ); ?> @@ -303,21 +301,21 @@ if (isset($_GET['ticket_id'])) { - +

@@ -592,7 +590,7 @@ if (isset($_GET['ticket_id'])) { diff --git a/ticket_add_modal.php b/ticket_add_modal.php index ad194005..0a7ff3d1 100644 --- a/ticket_add_modal.php +++ b/ticket_add_modal.php @@ -2,7 +2,7 @@

-
New Ticket
+
New Ticket
@@ -13,16 +13,16 @@ @@ -62,7 +62,7 @@ $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC"); while ($row = mysqli_fetch_array($sql)) { - $client_id = $row['client_id']; + $client_id = intval($row['client_id']); $client_name = htmlentities($row['client_name']); ?> @@ -100,13 +100,13 @@ $sql = mysqli_query( $mysqli, "SELECT users.user_id, user_name FROM users - LEFT JOIN user_companies ON users.user_id = user_companies.user_id - LEFT JOIN user_settings on users.user_id = user_settings.user_id - WHERE user_companies.company_id = $session_company_id - AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC" + LEFT JOIN user_companies ON users.user_id = user_companies.user_id + LEFT JOIN user_settings on users.user_id = user_settings.user_id + WHERE user_companies.company_id = $session_company_id + AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC" ); while ($row = mysqli_fetch_array($sql)) { - $user_id = $row['user_id']; + $user_id = intval($row['user_id']); $user_name = htmlentities($row['user_name']); ?> @@ -132,7 +132,7 @@ @@ -156,7 +156,7 @@ $sql_assets = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = $client_id AND asset_archived_at IS NULL ORDER BY asset_name ASC"); while ($row = mysqli_fetch_array($sql_assets)) { - $asset_id_select = $row['asset_id']; + $asset_id_select = intval($row['asset_id']); $asset_name_select = htmlentities($row['asset_name']); ?> @@ -181,7 +181,7 @@ $sql_vendors = mysqli_query($mysqli, "SELECT * FROM vendors WHERE vendor_client_id = $client_id AND vendor_template = 0 AND vendor_archived_at IS NULL ORDER BY vendor_name ASC"); while ($row = mysqli_fetch_array($sql_vendors)) { - $vendor_id_select = $row['vendor_id']; + $vendor_id_select = intval($row['vendor_id']); $vendor_name_select = htmlentities($row['vendor_name']); ?> @@ -198,8 +198,8 @@
- - + +
diff --git a/ticket_edit_modal.php b/ticket_edit_modal.php index b8e0ab6f..c165f84c 100644 --- a/ticket_edit_modal.php +++ b/ticket_edit_modal.php @@ -2,7 +2,7 @@
-
Editing ticket: -
+
Editing ticket: -
@@ -15,16 +15,16 @@ @@ -81,7 +81,7 @@ AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC" ); while ($row = mysqli_fetch_array($sql_assign_to_select)) { - $user_id = $row['user_id']; + $user_id = intval($row['user_id']); $user_name = htmlentities($row['user_name']); ?> @@ -109,7 +109,7 @@ $sql_client_contacts_select = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC"); while ($row = mysqli_fetch_array($sql_client_contacts_select)) { - $contact_id_select = $row['contact_id']; + $contact_id_select = intval($row['contact_id']); $contact_name_select = htmlentities($row['contact_name']); ?> @@ -137,7 +137,7 @@ $sql_assets = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC"); while ($row = mysqli_fetch_array($sql_assets)) { - $asset_id_select = $row['asset_id']; + $asset_id_select = intval($row['asset_id']); $asset_name_select = htmlentities($row['asset_name']); ?> @@ -165,7 +165,7 @@ $sql_vendors = mysqli_query($mysqli, "SELECT * FROM vendors WHERE vendor_client_id = $client_id AND vendor_template = 0 ORDER BY vendor_name ASC"); while ($row = mysqli_fetch_array($sql_vendors)) { - $vendor_id_select = $row['vendor_id']; + $vendor_id_select = intval($row['vendor_id']); $vendor_name_select = htmlentities($row['vendor_name']); ?> @@ -184,8 +184,8 @@
- - + +
diff --git a/ticket_invoice_add_modal.php b/ticket_invoice_add_modal.php index 8f14f643..9207b0b2 100644 --- a/ticket_invoice_add_modal.php +++ b/ticket_invoice_add_modal.php @@ -2,7 +2,7 @@
-
Invoice ticket
+
Invoice ticket
@@ -25,14 +25,14 @@ $sql_invoices = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_status NOT LIKE 'Paid' AND invoice_client_id = $client_id AND company_id = $session_company_id ORDER BY invoice_number ASC"); while ($row = mysqli_fetch_array($sql_invoices)) { - $invoice_id = $row['invoice_id']; + $invoice_id = intval($row['invoice_id']); $invoice_prefix = htmlentities($row['invoice_prefix']); - $invoice_number = $row['invoice_number']; + $invoice_number = intval($row['invoice_number']); $invoice_scope = htmlentities($row['invoice_scope']); $invoice_satus = htmlentities($row['invoice_status']); - $invoice_date = $row['invoice_date']; - $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; + $invoice_date = htmlentities($row['invoice_date']); + $invoice_due = htmlentities($row['invoice_due']); + $invoice_amount = floatval($row['invoice_amount']); ?> @@ -66,7 +66,7 @@ $sql = mysqli_query($mysqli, "SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while ($row = mysqli_fetch_array($sql)) { - $category_id = $row['category_id']; + $category_id = intval($row['category_id']); $category_name = htmlentities($row['category_name']); ?> @@ -153,9 +153,9 @@ $taxes_sql = mysqli_query($mysqli, "SELECT * FROM taxes WHERE (tax_archived_at > '$item_created_at' OR tax_archived_at IS NULL) AND company_id = $session_company_id ORDER BY tax_name ASC"); while ($row = mysqli_fetch_array($taxes_sql)) { - $tax_id_select = $row['tax_id']; + $tax_id_select = intval($row['tax_id']); $tax_name = htmlentities($row['tax_name']); - $tax_percent = $row['tax_percent']; + $tax_percent = floatval($row['tax_percent']); ?> @@ -169,8 +169,8 @@
- - + +
diff --git a/ticket_merge_modal.php b/ticket_merge_modal.php index 203d6ccb..b05d29fc 100644 --- a/ticket_merge_modal.php +++ b/ticket_merge_modal.php @@ -2,7 +2,7 @@
-
Merge & Close into another ticket
+
Merge & Close into another ticket
@@ -50,8 +50,8 @@
- - + +
diff --git a/ticket_reply_edit_modal.php b/ticket_reply_edit_modal.php index bf4c7e6d..65254056 100644 --- a/ticket_reply_edit_modal.php +++ b/ticket_reply_edit_modal.php @@ -2,7 +2,7 @@
-
Editing Ticket Reply
+
Editing Ticket Reply
@@ -18,9 +18,10 @@
- Time worked +
+
@@ -28,8 +29,8 @@
- - + +
diff --git a/tickets.php b/tickets.php index 53978234..2a80c621 100644 --- a/tickets.php +++ b/tickets.php @@ -12,13 +12,13 @@ if (isset($_GET['p'])) { } if (isset($_GET['q'])) { - $q = strip_tags(mysqli_real_escape_string($mysqli, $_GET['q'])); + $q = sanitizeInput($_GET['q']); } else { $q = ""; } if (!empty($_GET['sb'])) { - $sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb'])); + $sb = sanitizeInput($_GET['sb']); } else { $sb = "ticket_number"; } @@ -59,8 +59,7 @@ if (isset($_GET['assigned']) & !empty($_GET['assigned'])) { } else { $ticket_assigned_filter = intval($_GET['assigned']); } -} -else{ +} else { // Default - any $ticket_assigned_filter = ''; } @@ -74,8 +73,8 @@ if (empty($_GET['canned_date'])) { } if ($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])) { - $dtf = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtf'])); - $dtt = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtt'])); + $dtf = sanitizeInput($_GET['dtf']); + $dtt = sanitizeInput($_GET['dtt']); } elseif ($_GET['canned_date'] == "today") { $dtf = date('Y-m-d'); $dtt = date('Y-m-d'); @@ -132,22 +131,22 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); //Get Total tickets open $sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_status != 'Closed' AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_total_tickets_open); -$total_tickets_open = $row['total_tickets_open']; +$total_tickets_open = intval($row['total_tickets_open']); //Get Total tickets closed $sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_status = 'Closed' AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_total_tickets_closed); -$total_tickets_closed = $row['total_tickets_closed']; +$total_tickets_closed = intval($row['total_tickets_closed']); //Get Unassigned tickets $sql_total_tickets_unassigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_unassigned FROM tickets WHERE ticket_assigned_to = '0' AND ticket_status != 'Closed' AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_total_tickets_unassigned); -$total_tickets_unassigned = $row['total_tickets_unassigned']; +$total_tickets_unassigned = intval($row['total_tickets_unassigned']); //Get Total tickets assigned to me $sql_total_tickets_assigned = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_assigned FROM tickets WHERE ticket_assigned_to = $session_user_id AND ticket_status != 'Closed' AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_total_tickets_assigned); -$user_active_assigned_tickets = $row['total_tickets_assigned']; +$user_active_assigned_tickets = intval($row['total_tickets_assigned']); ?>
-

Tickets +

Tickets Open | Closed @@ -171,7 +170,7 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];
@@ -182,7 +181,7 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];