diff --git a/post/invoice.php b/post/invoice.php
index 6e964d16..41321cb5 100644
--- a/post/invoice.php
+++ b/post/invoice.php
@@ -631,39 +631,35 @@ if (isset($_POST['add_payment'])) {
$row = mysqli_fetch_array($sql);
$invoice_amount = floatval($row['invoice_amount']);
- $invoice_prefix = $row['invoice_prefix'];
+ $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
- $invoice_url_key = $row['invoice_url_key'];
- $invoice_currency_code = $row['invoice_currency_code'];
+ $invoice_url_key = sanitizeInput($row['invoice_url_key']);
+ $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
$client_id = intval($row['client_id']);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
- $contact_phone = formatPhoneNumber($row['contact_phone']);
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
+ $contact_phone = sanitizeInput(formatPhoneNumber($row['contact_phone']));
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
- $contact_mobile = formatPhoneNumber($row['contact_mobile']);
-
- $invoice_prefix_escaped = sanitizeInput($row['invoice_prefix']);
- $contact_name_escaped = sanitizeInput($row['contact_name']);
- $contact_email_escaped = sanitizeInput($row['contact_email']);
+ $contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile']));
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
- $company_name = $row['company_name'];
- $company_country = $row['company_country'];
- $company_address = $row['company_address'];
- $company_city = $row['company_city'];
- $company_state = $row['company_state'];
- $company_zip = $row['company_zip'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
- $company_logo = $row['company_logo'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_country = sanitizeInput($row['company_country']);
+ $company_address = sanitizeInput($row['company_address']);
+ $company_city = sanitizeInput($row['company_city']);
+ $company_state = sanitizeInput($row['company_state']);
+ $company_zip = sanitizeInput($row['company_zip']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
+ $company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
- $config_invoice_from_name_escaped = sanitizeInput($config_invoice_from_name);
- $config_invoice_from_email_escaped = sanitizeInput($config_invoice_from_email);
+ $config_invoice_from_name = sanitizeInput($config_invoice_from_name);
+ $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
//Calculate the Invoice balance
$invoice_balance = $invoice_amount - $total_payments_amount;
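Review bot: The values produced by `sanitizeInput()` in this hunk now feed two different output contexts — the plain-text email bodies assembled below and the string-built `INSERT INTO logs` / `INSERT INTO email_queue` statements — and a single pass at read time can be correct for at most one of them; if `sanitizeInput()` HTML-encodes (I cannot see its definition), a name like `O'Brien` reaches the customer as `O&#039;Brien`, and if it does not SQL-escape, the later raw interpolation is unprotected. Keep the raw `$row` values here and escape at the point of use, or at least document the contract above this block, e.g. `// sanitizeInput(): [describe the encoding it applies]; still escape before SQL, encode before HTML`. Overwriting `$config_invoice_from_name` / `$config_invoice_from_email` in place on the new L56-L57 also mutates the settings loaded by get_settings.php for the rest of the request, so any later `sanitizeInput()` of the same variables double-encodes. `$contact_extension` is digit-stripped with `preg_replace` here but `intval()`'d in the force_recurring hunk, which drops a leading zero; the two should agree. The enclosing `add_payment` handler starts and ends outside the hunk.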
@@ -677,15 +673,15 @@ if (isset($_POST['add_payment'])) {
if ($email_receipt == 1) {
- $subject = sanitizeInput("Payment Received - Invoice $invoice_prefix$invoice_number");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
We have received your payment in the amount of " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . " for invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.
Amount: " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, $invoice_balance, $invoice_currency_code) . "
Thank you for your business!
~
$company_name
Billing Department
$config_invoice_from_email
$company_phone");
+ $subject = "Payment Received - Invoice $invoice_prefix$invoice_number";
+ $body = "Hello $contact_name\,
We have received your payment in the amount of " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . " for invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.
Amount: " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, $invoice_balance, $invoice_currency_code) . "
Thank you for your business!
--
$company_name - Billing Department
$config_invoice_from_email
$company_phone";
// Queue Mail
$email = [
'from' => $config_invoice_from_email,
'from_name' => $config_invoice_from_name,
- 'recipient' => $contact_email_escaped,
- 'recipient_name' => $contact_name_escaped,
+ 'recipient' => $contact_email,
+ 'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
];
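Review bot: `\,` on the new line `$body = "Hello $contact_name\,` is not a PHP escape sequence, so the backslash stays in the string and the queued receipt greets the customer with `Hello Name\,`; the same stray backslashes appear in the partial-payment body (`$contact_name\,`), the bulk-payment body (`We\'ve`, `Sincerely\,` — `\'` is likewise literal inside double quotes), both email_invoice bodies and the force_recurring body. They look like hand-written MySQL escapes, but here `$body` is placed in the `$email` array, presumably for the mail-queue helper, not interpolated into SQL, so the fix is `$body = "Hello $contact_name,` (and plain `We've`, `Sincerely,` in the other hunks), leaving SQL escaping to whatever writes the queue row. Dropping `sanitizeInput()` from `$subject` and `mysqli_real_escape_string()` from `$body` is right only if that writer escapes or parameterises; worth confirming. The enclosing `if ($email_receipt == 1)` block and the `add_payment` handler continue outside the hunk.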
@@ -710,15 +706,15 @@ if (isset($_POST['add_payment'])) {
if ($email_receipt == 1) {
- $subject = sanitizeInput("Partial Payment Recieved - Invoice $invoice_prefix$invoice_number");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
We have recieved partial payment in the amount of " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . " and it has been applied to invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.
Amount: " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, $invoice_balance, $invoice_currency_code) . "
Thank you for your business!
~
$company_name
Billing Department
$config_invoice_from_email
$company_phone");
+ $subject = "Partial Payment Recieved - Invoice $invoice_prefix$invoice_number";
+ $body = "Hello $contact_name\,
We have recieved partial payment in the amount of " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . " and it has been applied to invoice $invoice_prefix$invoice_number. Please keep this email as a receipt for your records.
Amount: " . numfmt_format_currency($currency_format, $amount, $invoice_currency_code) . "
Balance: " . numfmt_format_currency($currency_format, $invoice_balance, $invoice_currency_code) . "
Thank you for your business!
~
$company_name - Billing
$config_invoice_from_email
$company_phone";
// Queue Mail
$email = [
'from' => $config_invoice_from_email,
'from_name' => $config_invoice_from_name,
- 'recipient' => $contact_email_escaped,
- 'recipient_name' => $contact_name_escaped,
+ 'recipient' => $contact_email,
+ 'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
];
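Review bot: The rewritten subject and body keep the customer-facing misspelling on the new lines `$subject = "Partial Payment Recieved - Invoice ...` and `We have recieved partial payment`; since both lines are being rewritten anyway, this is the moment to make them `Received` / `received`. The signature block here also keeps the `~` separator and `$company_name - Billing`, while the full-payment receipt in the previous hunk uses `--` and `- Billing Department`; one shared template string would stop the two from drifting further. The enclosing `if ($email_receipt == 1)` block continues outside the hunk.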
@@ -753,7 +749,7 @@ if (isset($_POST['add_payment'])) {
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Payment', log_action = 'Create', log_description = '$payment_amount', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $payment_id");
if ($email_receipt == 1) {
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Payment', log_action = 'Email', log_description = 'Payment receipt for invoice $invoice_prefix_escaped$invoice_number queued to $contact_email_escaped Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $payment_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Payment', log_action = 'Email', log_description = 'Payment receipt for invoice $invoice_prefix$invoice_number queued to $contact_email Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $payment_id");
}
$_SESSION['alert_message'] .= "Payment added";
@@ -839,7 +835,7 @@ if (isset($_POST['add_bulk_payment'])) {
// Add to Email Body Invoice Portion
- $email_body_invoices .= mysqli_real_escape_string($mysqli, "
Invoice $invoice_prefix$invoice_number - Outstanding Amount: " . numfmt_format_currency($currency_format, $invoice_balance, $currency_code) . " - Payment Applied: " . numfmt_format_currency($currency_format, $payment_amount, $currency_code) . " - New Balance: " . numfmt_format_currency($currency_format, $remaining_invoice_balance, $currency_code));
+ $email_body_invoices .= "
Invoice $invoice_prefix$invoice_number - Outstanding Amount: " . numfmt_format_currency($currency_format, $invoice_balance, $currency_code) . " - Payment Applied: " . numfmt_format_currency($currency_format, $payment_amount, $currency_code) . " - New Balance: " . numfmt_format_currency($currency_format, $remaining_invoice_balance, $currency_code);
} // End Invoice Loop
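Review bot: Removing `mysqli_real_escape_string()` from the `$email_body_invoices .=` line is only safe as long as the `$body` it ends up in is never interpolated into SQL, but later in this commit the bulk-payment path still does exactly that (`INSERT INTO email_queue ... email_content = '$body'`). `$invoice_prefix` used on this line is assigned outside the hunk; if it is not passed through `sanitizeInput()` in the bulk loop, a stored prefix containing a quote now breaks or alters that statement. Either escape once at the INSERT, or route the bulk receipt through the same array-plus-`addToMailQueue()` mechanism the other paths use and keep this line as plain text. The enclosing invoice loop starts outside the hunk.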
@@ -855,34 +851,31 @@ if (isset($_POST['add_bulk_payment'])) {
);
$row = mysqli_fetch_array($sql_client);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
- $contact_name_escaped = sanitizeInput($row['contact_name']);
- $contact_email_escaped = sanitizeInput($row['contact_email']);
-
- $sql_company = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
+ $sql_company = mysqli_query($mysqli,"SELECT company_name, company_phone FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql_company);
- $company_name = $row['company_name'];
- $company_phone = formatPhoneNumber($row['company_phone']);
+ $company_name = sanitizeInput($row['company_name']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
// Sanitize Config vars from get_settings.php
- $config_invoice_from_name_escaped = sanitizeInput($config_invoice_from_name);
- $config_invoice_from_email_escaped = sanitizeInput($config_invoice_from_email);
+ $config_invoice_from_name = sanitizeInput($config_invoice_from_name);
+ $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
- $subject = sanitizeInput("Payment Received - Multiple Invoices");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
Thank you for your payment of " . numfmt_format_currency($currency_format, $bulk_payment_amount_static, $currency_code) . " We've applied your payment to the following invoices, updating their balances accordingly:
$email_body_invoices
We appreciate your continued business!
Sincerely,
$company_name Billing Department
$config_invoice_from_email
$company_phone");
+ $subject = "Payment Received - Multiple Invoices";
+ $body = "Hello $contact_name\,
Thank you for your payment of " . numfmt_format_currency($currency_format, $bulk_payment_amount_static, $currency_code) . " We\'ve applied your payment to the following invoices\, updating their balances accordingly:
$email_body_invoices
We appreciate your continued business!
Sincerely\,
$company_name - Billing
$config_invoice_from_email
$company_phone";
// Queue Mail
- mysqli_query($mysqli, "INSERT INTO email_queue SET email_recipient = '$contact_email_escaped', email_recipient_name = '$contact_name_escaped', email_from = '$config_invoice_from_email_escaped', email_from_name = '$config_invoice_from_name_escaped', email_subject = '$subject', email_content = '$body'");
+ mysqli_query($mysqli, "INSERT INTO email_queue SET email_recipient = '$contact_email', email_recipient_name = '$contact_name', email_from = '$config_invoice_from_email', email_from_name = '$config_invoice_from_name', email_subject = '$subject', email_content = '$body'");
// Get Email ID for reference
$email_id = mysqli_insert_id($mysqli);
// Email Logging
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Payment', log_action = 'Email', log_description = 'Bulk Payment receipt for multiple Invoices queued to $contact_email_escaped Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $payment_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Payment', log_action = 'Email', log_description = 'Bulk Payment receipt for multiple Invoices queued to $contact_email Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $payment_id");
$_SESSION['alert_message'] .= "Email receipt sent and ";
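Review bot: On the new L186 `$subject` and `$body` are interpolated straight into `INSERT INTO email_queue` with no `mysqli_real_escape_string()`, which the removed line had; what protects that statement now is whatever `sanitizeInput()` did to the individual parts plus the hand-placed `\'` and `\,` in the body, which is escaping by guesswork and fails as soon as a quote or backslash reaches `$body` by a path that did not go through `sanitizeInput()` (for example via `$email_body_invoices`). Every other path in this commit builds an array and calls `addToMailQueue($mysqli, $data)`; doing the same here removes the raw INSERT entirely (check whether that helper returns the id that `$email_id = mysqli_insert_id($mysqli)` currently relies on), otherwise keep the INSERT but escape at that point: `$subject_esc = mysqli_real_escape_string($mysqli, $subject); $body_esc = mysqli_real_escape_string($mysqli, $body);` and use those two in the statement. Narrowing the company query to `SELECT company_name, company_phone` on L155 is a good change. The `add_bulk_payment` handler continues outside the hunk.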
@@ -954,39 +947,36 @@ if (isset($_GET['email_invoice'])) {
$row = mysqli_fetch_array($sql);
$invoice_id = intval($row['invoice_id']);
- $invoice_prefix = $row['invoice_prefix'];
+ $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
- $invoice_status = $row['invoice_status'];
- $invoice_date = $row['invoice_date'];
- $invoice_due = $row['invoice_due'];
+ $invoice_status = sanitizeInput($row['invoice_status']);
+ $invoice_date = sanitizeInput($row['invoice_date']);
+ $invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']);
- $invoice_url_key = $row['invoice_url_key'];
- $invoice_currency_code = $row['invoice_currency_code'];
+ $invoice_url_key = sanitizeInput($row['invoice_url_key']);
+ $invoice_currency_code = sanitizeInput($row['invoice_currency_code']);
$client_id = intval($row['client_id']);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
- $invoice_prefix_escaped = sanitizeInput($row['invoice_prefix']);
- $contact_name_escaped = sanitizeInput($row['contact_name']);
- $contact_email_escaped = sanitizeInput($row['contact_email']);
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
- $company_name = $row['company_name'];
- $company_country = $row['company_country'];
- $company_address = $row['company_address'];
- $company_city = $row['company_city'];
- $company_state = $row['company_state'];
- $company_zip = $row['company_zip'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
- $company_logo = $row['company_logo'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_country = sanitizeInput($row['company_country']);
+ $company_address = sanitizeInput($row['company_address']);
+ $company_city = sanitizeInput($row['company_city']);
+ $company_state = sanitizeInput($row['company_state']);
+ $company_zip = sanitizeInput($row['company_zip']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
+ $company_logo = sanitizeInput($row['company_logo']);
// Sanitize Config vars from get_settings.php
- $config_invoice_from_name_escaped = sanitizeInput($config_invoice_from_name);
- $config_invoice_from_email_escaped = sanitizeInput($config_invoice_from_email);
+ $config_invoice_from_name = sanitizeInput($config_invoice_from_name);
+ $config_invoice_from_email = sanitizeInput($config_invoice_from_email);
$sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payment_id DESC");
@@ -998,20 +988,20 @@ if (isset($_GET['email_invoice'])) {
$balance = $invoice_amount - $amount_paid;
if ($invoice_status == 'Paid') {
- $subject = sanitizeInput("Invoice $invoice_prefix$invoice_number Receipt");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
Please click on the link below to see your invoice marked paid.
Invoice Link
~
$company_name
Billing Department
$config_invoice_from_email
$company_phone");
+ $subject = "Invoice $invoice_prefix$invoice_number Receipt";
+ $body = "Hello $contact_name\,
Please click on the link below to see your invoice marked paid.
Invoice Link
--
$company_name - Billing
$config_invoice_from_email
$company_phone";
} else {
- $subject = sanitizeInput("Invoice $invoice_prefix$invoice_number");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
Please view the details of the invoice below.
Invoice: $invoice_prefix$invoice_number
Issue Date: $invoice_date
Total: " . numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code) . "
Balance Due: " . numfmt_format_currency($currency_format, $balance, $invoice_currency_code) . "
Due Date: $invoice_due
To view your invoice click here
~
$company_name
Billing Department
$config_invoice_from_email
$company_phone");
+ $subject = "Invoice $invoice_prefix$invoice_number";
+ $body = "Hello $contact_name\,
Please view the details of the invoice below.
Invoice: $invoice_prefix$invoice_number
Issue Date: $invoice_date
Total: " . numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code) . "
Balance Due: " . numfmt_format_currency($currency_format, $balance, $invoice_currency_code) . "
Due Date: $invoice_due
To view your invoice click here
--
$company_name - Billing
$config_invoice_from_email
$company_phone";
}
// Queue Mail
$data = [
[
- 'from' => $config_invoice_from_email_escaped,
- 'from_name' => $config_invoice_from_name_escaped,
- 'recipient' => $contact_email_escaped,
- 'recipient_name' => $contact_name_escaped,
+ 'from' => $config_invoice_from_email,
+ 'from_name' => $config_invoice_from_name,
+ 'recipient' => $contact_email,
+ 'recipient_name' => $contact_name,
'subject' => $subject,
'body' => $body
]
@@ -1031,7 +1021,7 @@ if (isset($_GET['email_invoice'])) {
}
// Logging
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email', log_description = 'Invoice $invoice_prefix_escaped$invoice_number queued to $contact_email_escaped Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email', log_description = 'Invoice $invoice_prefix$invoice_number queued to $contact_email Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
// Send copies of the invoice to any additional billing contacts
$sql_billing_contacts = mysqli_query(
@@ -1061,7 +1051,7 @@ if (isset($_GET['email_invoice'])) {
];
// Logging
- mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email', log_description = 'Invoice $invoice_prefix_escaped$invoice_number queued to $billing_contact_email Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
+ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Invoice', log_action = 'Email', log_description = 'Invoice $invoice_prefix$invoice_number queued to $billing_contact_email Email ID: $email_id', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, log_user_id = $session_user_id, log_entity_id = $invoice_id");
}
addToMailQueue($mysqli, $data);
@@ -1152,32 +1142,32 @@ if (isset($_GET['force_recurring'])) {
);
$row = mysqli_fetch_array($sql);
- $invoice_prefix = $row['invoice_prefix'];
+ $invoice_prefix = sanitizeInput($row['invoice_prefix']);
$invoice_number = intval($row['invoice_number']);
- $invoice_scope = $row['invoice_scope'];
- $invoice_date = $row['invoice_date'];
- $invoice_due = $row['invoice_due'];
+ $invoice_scope = sanitizeInput($row['invoice_scope']);
+ $invoice_date = sanitizeInput($row['invoice_date']);
+ $invoice_due = sanitizeInput($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']);
- $invoice_url_key = $row['invoice_url_key'];
+ $invoice_url_key = sanitizeInput($row['invoice_url_key']);
$client_id = intval($row['client_id']);
- $client_name = $row['client_name'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
- $contact_phone = formatPhoneNumber($row['contact_phone']);
- $contact_extension = $row['contact_extension'];
- $contact_mobile = formatPhoneNumber($row['contact_mobile']);
+ $client_name = sanitizeInput($row['client_name']);
+ $contact_name = sanitizeInput($row['contact_name']);
+ $contact_email = sanitizeInput($row['contact_email']);
+ $contact_phone = sanitizeInput(formatPhoneNumber($row['contact_phone']));
+ $contact_extension = intval($row['contact_extension']);
+ $contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile']));
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
- $company_name = $row['company_name'];
- $company_phone = formatPhoneNumber($row['company_phone']);
- $company_email = $row['company_email'];
- $company_website = $row['company_website'];
+ $company_name = sanitizeInput($row['company_name']);
+ $company_phone = sanitizeInput(formatPhoneNumber($row['company_phone']));
+ $company_email = sanitizeInput($row['company_email']);
+ $company_website = sanitizeInput($row['company_website']);
// Email to client
- $subject = mysqli_real_escape_string($mysqli, "Invoice $invoice_prefix$invoice_number");
- $body = mysqli_real_escape_string($mysqli, "Hello $contact_name,
Please view the details of the invoice below.
Invoice: $invoice_prefix$invoice_number
Issue Date: $invoice_date
Total: $$invoice_amount
Due Date: $invoice_due
To view your invoice click here
~
$company_name
$company_phone");
+ $subject = "Invoice $invoice_prefix$invoice_number";
+ $body = "Hello $contact_name\,
Please view the details of the invoice below.
Invoice: $invoice_prefix$invoice_number
Issue Date: $invoice_date
Total: $$invoice_amount
Due Date: $invoice_due
To view your invoice click here
--
$company_name - Billing
$company_phone";
$data = [