diff --git a/api/v1/contacts/read.php b/api/v1/contacts/read.php index 5b4409ea..7f7b4903 100644 --- a/api/v1/contacts/read.php +++ b/api/v1/contacts/read.php @@ -17,7 +17,7 @@ if(isset($_GET['contact_id'])){ // Specific contact via email (single) elseif(isset($_GET['contact_email'])){ - $email = trim($_GET['contact_email']); + $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['contact_email']))); $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND company_id = '$company_id'"); } diff --git a/client_asset_add_modal.php b/client_asset_add_modal.php index a21c9069..ee3764a8 100644 --- a/client_asset_add_modal.php +++ b/client_asset_add_modal.php @@ -2,7 +2,7 @@
-
New
+
New
diff --git a/client_assets.php b/client_assets.php index 0fead289..abf0e202 100644 --- a/client_assets.php +++ b/client_assets.php @@ -103,19 +103,19 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));

Assets

- +
- - + +
- s"> + s">
@@ -154,7 +154,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_certificates.php b/client_certificates.php index 19f00f85..fc71297b 100644 --- a/client_certificates.php +++ b/client_certificates.php @@ -57,12 +57,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -71,7 +71,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_contacts.php b/client_contacts.php index b883b1e4..965eb4db 100644 --- a/client_contacts.php +++ b/client_contacts.php @@ -68,12 +68,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -82,7 +82,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export Import
diff --git a/client_departments.php b/client_departments.php index db3aeca7..3c02af01 100644 --- a/client_departments.php +++ b/client_departments.php @@ -58,12 +58,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
diff --git a/client_documents.php b/client_documents.php index 86afb59f..5b1e9c70 100644 --- a/client_documents.php +++ b/client_documents.php @@ -115,9 +115,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
diff --git a/client_domains.php b/client_domains.php index 3ddd7dc3..30fe12db 100644 --- a/client_domains.php +++ b/client_domains.php @@ -58,12 +58,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -72,7 +72,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_invoices.php b/client_invoices.php index 645096dd..dc9e94e1 100644 --- a/client_invoices.php +++ b/client_invoices.php @@ -59,12 +59,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -73,7 +73,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_locations.php b/client_locations.php index 656f4365..ab9f0d70 100644 --- a/client_locations.php +++ b/client_locations.php @@ -64,12 +64,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -78,7 +78,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export Import
diff --git a/client_logins.php b/client_logins.php index 477e45be..83c037b9 100644 --- a/client_logins.php +++ b/client_logins.php @@ -60,12 +60,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -74,7 +74,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export Import
diff --git a/client_logs.php b/client_logs.php index 7ffae4e5..f2d182df 100644 --- a/client_logs.php +++ b/client_logs.php @@ -58,7 +58,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
diff --git a/client_networks.php b/client_networks.php index 4e599a46..39f19e30 100644 --- a/client_networks.php +++ b/client_networks.php @@ -59,12 +59,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -73,7 +73,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_payments.php b/client_payments.php index 59b65d7a..716664fe 100644 --- a/client_payments.php +++ b/client_payments.php @@ -57,12 +57,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -71,7 +71,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_quotes.php b/client_quotes.php index ac88e9ec..1e8b3a49 100644 --- a/client_quotes.php +++ b/client_quotes.php @@ -59,12 +59,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -73,7 +73,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_recurring_invoices.php b/client_recurring_invoices.php index c86d66c6..b3980b45 100644 --- a/client_recurring_invoices.php +++ b/client_recurring_invoices.php @@ -59,12 +59,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -73,7 +73,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_software.php b/client_software.php index 740b6bbc..aeec9213 100644 --- a/client_software.php +++ b/client_software.php @@ -58,12 +58,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -72,7 +72,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_tickets.php b/client_tickets.php index 534df573..39e6df9b 100644 --- a/client_tickets.php +++ b/client_tickets.php @@ -63,12 +63,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -77,7 +77,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export
diff --git a/client_trips.php b/client_trips.php index 38c5a49d..d170fadc 100644 --- a/client_trips.php +++ b/client_trips.php @@ -70,12 +70,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -84,7 +84,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export Import
diff --git a/client_vendors.php b/client_vendors.php index ae9dcfab..77407685 100644 --- a/client_vendors.php +++ b/client_vendors.php @@ -63,12 +63,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- +
- +
@@ -77,7 +77,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
- Export + Export Import
diff --git a/invoices.php b/invoices.php index 9e8f806b..e361eafc 100644 --- a/invoices.php +++ b/invoices.php @@ -69,7 +69,7 @@ } if(!empty($_GET['sb'])){ - $sb = $_GET['sb']; + $sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb'])); }else{ $sb = "invoice_number"; } diff --git a/portal/portal_post.php b/portal/portal_post.php index ccfa4653..95077f0d 100644 --- a/portal/portal_post.php +++ b/portal/portal_post.php @@ -111,13 +111,15 @@ if(isset($_POST['add_ticket'])){ $client_id = $session_client_id; $contact = $session_contact_id; $subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); - $priority = $_POST['priority']; $details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode(nl2br($_POST['details']))))); // Ensure priority is low/med/high (as can be user defined) - if($priority !== "Low" OR $priority !== "Medium" OR $priority !== "High"){ + if($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High"){ $priority = "Low"; } + else{ + $priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority']))); + } // Get the next Ticket Number and add 1 for the new ticket number $ticket_number = $config_ticket_next_number; diff --git a/post.php b/post.php index c0ef8434..58cbb827 100644 --- a/post.php +++ b/post.php @@ -329,7 +329,7 @@ if(isset($_POST['edit_user_companies'])){ mysqli_query($mysqli,"DELETE FROM user_companies WHERE user_id = $user_id"); foreach($_POST['companies'] as $company){ - intval($company); + $company = intval($company); mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $company"); } @@ -1349,7 +1349,7 @@ if(isset($_POST['add_client'])){ //Add Tags if(isset($_POST['tags'])){ foreach($_POST['tags'] as $tag){ - intval($tag); + $tag = intval($tag); mysqli_query($mysqli,"INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag"); } } @@ -1885,7 +1885,7 @@ if(isset($_POST['add_campaign'])){ //Create Recipient List based off tags selected if(isset($_POST['tags'])){ foreach($_POST['tags'] as $tag){ - intval($tag); + $tag = intval($tag); $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN contacts ON contacts.contact_id = clients.primary_contact @@ -5113,7 +5113,7 @@ if(isset($_POST['add_software'])){ // Add Asset Licenses if(!empty($_POST['assets'])){ foreach($_POST['assets'] as $asset){ - intval($asset); + $asset = intval($asset); mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset"); } } @@ -5121,7 +5121,7 @@ if(isset($_POST['add_software'])){ // Add Contact Licenses if(!empty($_POST['contacts'])){ foreach($_POST['contacts'] as $contact){ - intval($contact); + $contact = intval($contact); mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact"); } } @@ -5180,7 +5180,7 @@ if(isset($_POST['edit_software'])){ mysqli_query($mysqli,"DELETE FROM software_assets WHERE software_id = $software_id"); if(!empty($_POST['assets'])){ foreach($_POST['assets'] as $asset){ - intval($asset); + $asset = intval($asset); mysqli_query($mysqli,"INSERT INTO software_assets SET software_id = $software_id, asset_id = $asset"); } } @@ -5189,7 +5189,7 @@ if(isset($_POST['edit_software'])){ mysqli_query($mysqli,"DELETE FROM software_contacts WHERE software_id = $software_id"); if(!empty($_POST['contacts'])){ foreach($_POST['contacts'] as $contact){ - intval($contact); + $contact = intval($contact); mysqli_query($mysqli,"INSERT INTO software_contacts SET software_id = $software_id, contact_id = $contact"); } } @@ -6504,7 +6504,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['contacts'])){ $service_contact_ids = $_POST['contacts']; foreach($service_contact_ids as $contact_id){ - if(intval($contact_id)){ + $contact_id = intval($contact_id); + if($contact_id > 0){ mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = '$service_id', contact_id = '$contact_id'"); } } @@ -6513,7 +6514,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['vendors'])){ $service_vendor_ids = $_POST['vendors']; foreach($service_vendor_ids as $vendor_id){ - if(intval($vendor_id)){ + $vendor_id = intval($vendor_id); + if($vendor_id > 0){ mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = '$service_id', vendor_id = '$vendor_id'"); } } @@ -6522,7 +6524,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['documents'])){ $service_document_ids = $_POST['documents']; foreach($service_document_ids as $document_id){ - if(intval($document_id)){ + $document_id = intval($document_id); + if($document_id > 0){ mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = '$service_id', document_id = '$document_id'"); } } @@ -6531,7 +6534,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['assets'])){ $service_asset_ids = $_POST['assets']; foreach($service_asset_ids as $asset_id){ - if(intval($asset_id)){ + $asset_id = intval($asset_id); + if($asset_id > 0){ mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = '$service_id', asset_id = '$asset_id'"); } } @@ -6540,7 +6544,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['logins'])){ $service_login_ids = $_POST['logins']; foreach($service_login_ids as $login_id){ - if(intval($login_id)){ + $login_id = intval($login_id); + if($login_id > 0){ mysqli_query($mysqli, "INSERT INTO service_logins SET service_id = '$service_id', login_id = '$login_id'"); } } @@ -6549,7 +6554,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['domains'])){ $service_domain_ids = $_POST['domains']; foreach($service_domain_ids as $domain_id){ - if(intval($domain_id)){ + $domain_id = intval($domain_id); + if($domain_id > 0){ mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = '$service_id', domain_id = '$domain_id'"); } } @@ -6558,7 +6564,8 @@ if(isset($_POST['add_service'])){ if(!empty($_POST['certificates'])){ $service_cert_ids = $_POST['certificates']; foreach($service_cert_ids as $cert_id){ - if(intval($cert_id)){ + $cert_id = intval($cert_id); + if($cert_id > 0){ mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = '$service_id', certificate_id = '$cert_id'"); } } @@ -6611,7 +6618,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['contacts'])){ $service_contact_ids = $_POST['contacts']; foreach($service_contact_ids as $contact_id){ - if(intval($contact_id)){ + $contact_id = intval($contact_id); + if($contact_id > 0){ mysqli_query($mysqli, "INSERT INTO service_contacts SET service_id = '$service_id', contact_id = '$contact_id'"); } } @@ -6620,7 +6628,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['vendors'])){ $service_vendor_ids = $_POST['vendors']; foreach($service_vendor_ids as $vendor_id){ - if(intval($vendor_id)){ + $vendor_id = intval($vendor_id); + if($vendor_id > 0){ mysqli_query($mysqli, "INSERT INTO service_vendors SET service_id = '$service_id', vendor_id = '$vendor_id'"); } } @@ -6629,7 +6638,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['documents'])){ $service_document_ids = $_POST['documents']; foreach($service_document_ids as $document_id){ - if(intval($document_id)){ + $document_id = intval($document_id); + if($document_id > 0){ mysqli_query($mysqli, "INSERT INTO service_documents SET service_id = '$service_id', document_id = '$document_id'"); } } @@ -6638,7 +6648,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['assets'])){ $service_asset_ids = $_POST['assets']; foreach($service_asset_ids as $asset_id){ - if(intval($asset_id)){ + $asset_id = intval($asset_id); + if($asset_id > 0){ mysqli_query($mysqli, "INSERT INTO service_assets SET service_id = '$service_id', asset_id = '$asset_id'"); } } @@ -6647,7 +6658,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['logins'])){ $service_login_ids = $_POST['logins']; foreach($service_login_ids as $login_id){ - if(intval($login_id)){ + $login_id = intval($login_id); + if($login_id > 0){ mysqli_query($mysqli, "INSERT INTO service_logins SET service_id = '$service_id', login_id = '$login_id'"); } } @@ -6656,7 +6668,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['domains'])){ $service_domain_ids = $_POST['domains']; foreach($service_domain_ids as $domain_id){ - if(intval($domain_id)){ + $domain_id = intval($domain_id); + if($domain_id > 0){ mysqli_query($mysqli, "INSERT INTO service_domains SET service_id = '$service_id', domain_id = '$domain_id'"); } } @@ -6665,7 +6678,8 @@ if(isset($_POST['edit_service'])){ if(!empty($_POST['certificates'])){ $service_cert_ids = $_POST['certificates']; foreach($service_cert_ids as $cert_id){ - if(intval($cert_id)){ + $cert_id = intval($cert_id); + if($cert_id > 0){ mysqli_query($mysqli, "INSERT INTO service_certificates SET service_id = '$service_id', certificate_id = '$cert_id'"); } } @@ -6834,8 +6848,9 @@ if(isset($_POST['add_document'])){ mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Document', log_action = 'Create', log_description = '$details', log_created_at = NOW(), company_id = $session_company_id, log_user_id = $session_user_id"); // Add tags - foreach($tags_ids as $tag_id){ - if(intval($tag_id)){ + foreach($tags_ids as $tag_id) { + $tag_id = intval($tag_id); + if ($tag_id > 0) { mysqli_query($mysqli, "INSERT INTO documents_tagged SET document_id = '$document_id', tag_id = '$tag_id'"); } } @@ -6879,7 +6894,8 @@ if(isset($_POST['edit_document'])){ // Add tags foreach($tags_ids as $tag_id) { - if (intval($tag_id)) { + $tag_id = intval($tag_id); + if ($tag_id > 0) { mysqli_query($mysqli, "INSERT INTO documents_tagged SET document_id = '$document_id', tag_id = '$tag_id'"); } }