diff --git a/functions.php b/functions.php
index 14d12b9f..70c9117a 100644
--- a/functions.php
+++ b/functions.php
@@ -1694,4 +1694,34 @@ function redirect($url = null, $permanent = false) {
 function flash_alert(string $message, string $type = 'success'): void {
 $_SESSION['alert_type'] = $type;
 $_SESSION['alert_message'] = $message;
+}
+
+// Sanitize File Names
+function sanitize_filename($filename, $strict = false) {
+ // Remove path information and dots around the filename
+ $filename = basename($filename);
+
+ // Replace spaces and underscores with dashes
+ $filename = str_replace([' ', '_'], '-', $filename);
+
+ // Remove anything which isn't a word, number, dot, or dash
+ $filename = preg_replace('/[^A-Za-z0-9\.\-]/', '', $filename);
+
+ // Optionally make filename strict alphanumeric (keep dot and dash)
+ if ($strict) {
+ $filename = preg_replace('/[^A-Za-z0-9\.\-]/', '', $filename);
+ }
+
+ // Avoid multiple consecutive dashes
+ $filename = preg_replace('/-+/', '-', $filename);
+
+ // Remove leading/trailing dots and dashes
+ $filename = trim($filename, '.-');
+
+ // Ensure it’s not empty
+ if (empty($filename)) {
+ $filename = 'file';
+ }
+
+ return $filename;
 }
\ No newline at end of file
diff --git a/user/modals/software/software_export.php b/user/modals/software/software_export.php
index 01207b66..c9a5760d 100644
--- a/user/modals/software/software_export.php
+++ b/user/modals/software/software_export.php
@@ -15,7 +15,7 @@
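Review bot: The `if ($strict)` branch in sanitize_filename re-applies the same `/[^A-Za-z0-9\.\-]/` pattern that already ran unconditionally two statements earlier, so `$strict` has no effect; either drop the parameter or make the unconditional pass the permissive one. `empty($filename)` also treats a name that sanitizes down to `'0'` as empty and replaces it with `file`; `if ($filename === '')` is the intended check. The parameters and return are untyped, unlike flash_alert directly above — `function sanitize_filename(string $filename, bool $strict = false): string` would match it. The comment on the `basename()` line says it removes dots around the filename, which basename() does not do; that only happens later at `trim($filename, '.-')`. Since the callers in this commit feed client and company names from the database into the export filename, a header comment stating that the character whitelist is what keeps CR/LF, quotes and path separators out of the resulting download name would help the next maintainer not loosen it.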
diff --git a/user/post/asset.php b/user/post/asset.php index 98e310ae..ca6b15f5 100644 --- a/user/post/asset.php +++ b/user/post/asset.php @@ -953,8 +953,6 @@ if (isset($_POST['export_assets_csv'])) { validateCSRFToken($_POST['csrf_token']); enforceUserPermission('module_support'); - - $client_name = 'All'; // default if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); @@ -962,9 +960,11 @@ if (isset($_POST['export_assets_csv'])) { $client_row = mysqli_fetch_array(mysqli_query($mysqli,"SELECT client_name FROM clients WHERE client_id = $client_id")); $client_name = $client_row['client_name']; + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; // for Logging + $file_name_prepend = "$session_company_name-"; } // Get records from database @@ -975,7 +975,7 @@ if (isset($_POST['export_assets_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = strtoAZaz09($client_name) . "-Assets-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Assets-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/certificate.php b/user/post/certificate.php index 3d6b0e24..60b4e4e7 100644 --- a/user/post/certificate.php +++ b/user/post/certificate.php @@ -217,9 +217,12 @@ if (isset($_POST['export_certificates_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND certificate_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM certificates WHERE certificate_archived_at IS NULL $client_query ORDER BY certificate_name ASC"); 
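Review bot: Removing `$client_name = 'All'; // default` in the first asset.php hunk leaves `$client_name` unset on the `else` path of the second hunk, whereas invoice.php, ticket.php, trip.php and vendor.php in this same commit set `$client_name = '';` there; if the logging code further down asset.php (outside the hunk) still references `$client_name`, it will now read an undefined variable. Adding `$client_name = '';` next to `$client_id = 0; // for Logging` restores parity with the sibling files. The `mysqli_fetch_array(mysqli_query(...))` lookup above the new `$file_name_prepend` line could also become `$client_name = getFieldById('clients', $client_id, 'client_name');` as the other files do, which avoids indexing a `false` result when no row matches the id.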
@@ -230,7 +233,7 @@ if (isset($_POST['export_certificates_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Certificates-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Certificates-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/client.php b/user/post/client.php index 45bbcb3c..e5ac145d 100644 --- a/user/post/client.php +++ b/user/post/client.php @@ -324,7 +324,7 @@ if (isset($_POST['export_clients_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = $session_company_name . "-Clients-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($session_company_name . "-Clients-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/contact.php b/user/post/contact.php index 9ddd754a..00dec018 100644 --- a/user/post/contact.php +++ b/user/post/contact.php @@ -1153,9 +1153,12 @@ if (isset($_POST['export_contacts_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND contact_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; - $client_id = 0; //Logging + $client_id = 0; //Logging; + $file_name_prepend = "$session_company_name-"; } //Contacts @@ -1166,7 +1169,7 @@ if (isset($_POST['export_contacts_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Contacts-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Contacts-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/credential.php b/user/post/credential.php index c2ec8c09..392aab9d 100644 --- a/user/post/credential.php +++ b/user/post/credential.php 
@@ -307,9 +307,12 @@ if (isset($_POST['export_credentials_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND credential_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; + $file_name_prepend = "$session_company_name-"; } //get records from database @@ -322,7 +325,7 @@ if (isset($_POST['export_credentials_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Credentials-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Credentials-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/domain.php b/user/post/domain.php index 093bf524..c405e76c 100644 --- a/user/post/domain.php +++ b/user/post/domain.php @@ -330,9 +330,12 @@ if (isset($_POST['export_domains_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "WHERE domain_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM domains $client_query ORDER BY domain_name ASC"); @@ -343,7 +346,7 @@ if (isset($_POST['export_domains_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Domains-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Domains-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/expense.php b/user/post/expense.php index 5e809428..c6ace19a 100644 --- a/user/post/expense.php +++ b/user/post/expense.php 
@@ -305,7 +305,7 @@ if (isset($_POST['export_expenses_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "$session_company_name-Expenses-$file_name_date.csv"; + $filename = sanitize_filename("$session_company_name-Expenses-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/invoice.php b/user/post/invoice.php index 9daae9ce..3ff69f17 100644 --- a/user/post/invoice.php +++ b/user/post/invoice.php @@ -1935,8 +1935,12 @@ if (isset($_POST['export_invoices_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND invoice_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; + $client_name = ''; + $file_name_prepend = "$session_company_name-"; } $date_from = sanitizeInput($_POST['date_from']); @@ -1946,21 +1950,18 @@ if (isset($_POST['export_invoices_csv'])) { $file_name_date = "$date_from-to-$date_to"; }else{ $date_query = ""; - $file_name_date = date('Y-m-d'); + $file_name_date = date('Y-m-d_H-i-s'); } $sql = mysqli_query($mysqli,"SELECT * FROM invoices LEFT JOIN clients ON invoice_client_id = client_id WHERE $date_query $client_query ORDER BY invoice_number ASC"); - $row = mysqli_fetch_array($sql); - $client_name = $row['client_name']; - $num_rows = mysqli_num_rows($sql); if ($num_rows > 0) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "$session_company_name-Invoices-$file_name_date.csv"; + $filename = sanitize_filename($file_name_prepend . "Invoices-$file_name_date.csv"); //create a file pointer $f = fopen('php://memory', 'w'); 
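Review bot: The new filename in expense.php replaces `$file_name_date` with `date('Y-m-d_H-i-s')`, so an export filtered by date range no longer carries the range in its name if `$file_name_date` is built the way invoice.php builds it (`"$date_from-to-$date_to"`); that variable, assigned outside this hunk, may also now be unused. trip.php's second hunk makes the same substitution, and its first hunk shows `$date_from = sanitizeInput($_POST['date_from']);` right after the client block, so the same loss likely applies there. Keeping `sanitize_filename("$session_company_name-Expenses-$file_name_date.csv")`, as invoice.php keeps `$file_name_date`, and only changing the fallback assignment to `date('Y-m-d_H-i-s')` preserves the range in the name.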
@@ -2045,8 +2046,12 @@ if (isset($_POST['export_payments_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND invoice_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; + $client_name = ''; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM payments, invoices WHERE payment_invoice_id = invoice_id $client_query ORDER BY payment_date ASC"); @@ -2057,7 +2062,7 @@ if (isset($_POST['export_payments_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Payments-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Payments-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/location.php b/user/post/location.php index 4f3616b8..f29cce4e 100644 --- a/user/post/location.php +++ b/user/post/location.php @@ -359,9 +359,12 @@ if(isset($_POST['export_locations_csv'])){ if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND location_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; + $file_name_prepend = "$session_company_name-"; } //Locations @@ -373,7 +376,7 @@ if(isset($_POST['export_locations_csv'])){ $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Locations-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Locations-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/network.php b/user/post/network.php index b04fc25f..d507cebe 100644 --- a/user/post/network.php +++ b/user/post/network.php 
@@ -152,9 +152,12 @@ if (isset($_POST['export_networks_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND network_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_archived_at IS NULL $client_query ORDER BY network_name ASC"); @@ -165,7 +168,7 @@ if (isset($_POST['export_networks_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Networks-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Networks-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/product.php b/user/post/product.php index e76e1aa2..765735fa 100644 --- a/user/post/product.php +++ b/user/post/product.php @@ -248,7 +248,7 @@ if (isset($_POST['export_products_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "$session_company_name-Products.csv"; + $filename = sanitize_filename("$session_company_name-Products-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/quote.php b/user/post/quote.php index b38fc8d4..0b9e2a4c 100644 --- a/user/post/quote.php +++ b/user/post/quote.php 
@@ -540,12 +540,12 @@ if(isset($_POST['export_quotes_csv'])){ $client_id = intval($_POST['client_id']); $client_query = "WHERE quote_client_id = $client_id"; // Get Client Name for logging - $client_name = getFieldByID('clients', $client_id, 'client_name'); + $client_name = getFieldById('clients', $client_id, 'client_name'); $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_name = ''; - $file_name_prepend = ''; + $file_name_prepend = "$session_company_name"; } $sql = mysqli_query($mysqli,"SELECT * FROM quotes $client_query ORDER BY quote_number ASC"); @@ -556,7 +556,7 @@ if(isset($_POST['export_quotes_csv'])){ $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = $file_name_prepend . "Quotes-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Quotes-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/software.php b/user/post/software.php index 73e384b0..b3412d64 100644 --- a/user/post/software.php +++ b/user/post/software.php @@ -204,16 +204,19 @@ if (isset($_GET['delete_software'])) { } -if (isset($_POST['export_client_software_csv'])) { +if (isset($_POST['export_software_csv'])) { enforceUserPermission('module_support'); if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "WHERE software_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; $client_id = 0; //Logging + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM software $client_query ORDER BY software_name ASC"); 
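Review bot: In quote.php the `else` branch sets `$file_name_prepend = "$session_company_name";` without the trailing dash that every other file in this commit uses (`"$session_company_name-"`), so for an unfiltered export the company name runs straight into the word Quotes (a company named Acme would get a constructed example like `AcmeQuotes-....csv` instead of `Acme-Quotes-....csv`); add the dash. The `getFieldByID` → `getFieldById` change is cosmetic since PHP function names are case-insensitive, which is fine but worth knowing when reading the diff.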
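Review bot: The renamed handler `if (isset($_POST['export_software_csv']))` in software.php calls `enforceUserPermission('module_support')` but, unlike the `export_assets_csv` handler in asset.php, shows no `validateCSRFToken($_POST['csrf_token']);` before it; unless CSRF validation is enforced centrally for this file, this export accepts a POST without a token, so adding the same call keeps the two handlers consistent. The POST key rename also has to match the form in user/modals/software/software_export.php, whose hunk is not visible in this chunk. The handler body continues past the end of the hunk.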
@@ -224,7 +227,7 @@ if (isset($_POST['export_client_software_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Software-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Software-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/ticket.php b/user/post/ticket.php index d27bd175..5141804f 100644 --- a/user/post/ticket.php +++ b/user/post/ticket.php @@ -2170,8 +2170,12 @@ if (isset($_POST['export_tickets_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "WHERE ticket_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; + $client_name = ''; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query( @@ -2185,7 +2189,7 @@ if (isset($_POST['export_tickets_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Tickets-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Tickets-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/trip.php b/user/post/trip.php index c9faef80..24d3c03b 100644 --- a/user/post/trip.php +++ b/user/post/trip.php @@ -63,8 +63,12 @@ if (isset($_POST['export_trips_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND trip_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = ''; + $client_name = ''; + $file_name_prepend = "$session_company_name-"; } $date_from = sanitizeInput($_POST['date_from']); 
@@ -91,7 +95,7 @@ if (isset($_POST['export_trips_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Trips-$file_name_date.csv"; + $filename = sanitize_filename($file_name_prepend . "Trips-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w'); diff --git a/user/post/vendor.php b/user/post/vendor.php index 8d737d6d..5df0422c 100644 --- a/user/post/vendor.php +++ b/user/post/vendor.php @@ -274,8 +274,12 @@ if (isset($_POST['export_vendors_csv'])) { if (isset($_POST['client_id'])) { $client_id = intval($_POST['client_id']); $client_query = "AND vendor_client_id = $client_id"; + $client_name = getFieldById('clients', $client_id, 'client_name'); + $file_name_prepend = "$client_name-"; } else { $client_query = "AND vendor_client_id = 0"; + $client_name = ''; + $file_name_prepend = "$session_company_name-"; } $sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_template = 0 $client_query ORDER BY vendor_name ASC"); @@ -286,7 +290,7 @@ if (isset($_POST['export_vendors_csv'])) { $delimiter = ","; $enclosure = '"'; $escape = '\\'; // backslash - $filename = "Vendors-" . date('Y-m-d') . ".csv"; + $filename = sanitize_filename($file_name_prepend . "Vendors-" . date('Y-m-d_H-i-s') . ".csv"); //create a file pointer $f = fopen('php://memory', 'w');