diff --git a/accounts.php b/accounts.php index 691a6002..efdd9594 100644 --- a/accounts.php +++ b/accounts.php @@ -49,10 +49,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); $opening_balance = $row['opening_balance']; - $account_currency_code = $row['account_currency_code']; - $account_notes = $row['account_notes']; + $account_currency_code = htmlentities($row['account_currency_code']); + $account_notes = htmlentities($row['account_notes']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id"); $row = mysqli_fetch_array($sql_payments); diff --git a/calendar_event_add_modal.php b/calendar_event_add_modal.php index ac486a20..f4f5d72b 100644 --- a/calendar_event_add_modal.php +++ b/calendar_event_add_modal.php @@ -23,8 +23,8 @@ $sql = mysqli_query($mysqli,"SELECT * FROM calendars WHERE company_id = $session_company_id ORDER BY calendar_name ASC"); while($row = mysqli_fetch_array($sql)){ $calendar_id = $row['calendar_id']; - $calendar_name = $row['calendar_name']; - $calendar_color = $row['calendar_color']; + $calendar_name = htmlentities($row['calendar_name']); + $calendar_color = htmlentities($row['calendar_color']); ?> @@ -108,8 +108,8 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN contacts ON primary_contact = contact_id WHERE clients.company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $contact_email = htmlentities($row['contact_email']); ?> diff --git a/calendar_event_edit_modal.php b/calendar_event_edit_modal.php index 6cf4d1eb..b93031e8 100644 
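Review bot: Every `htmlentities()` call added in this hunk relies on the default flags and charset, so on PHP versions before 8.1 the default is `ENT_COMPAT`, which leaves `'` unencoded, and without `ENT_SUBSTITUTE` a row holding invalid UTF-8 comes back as an empty string instead of being displayed. Pass the flags explicitly, e.g. `$account_name = htmlentities($row['account_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, so the result does not depend on the interpreter version; the same applies to the two calendar_event_add_modal.php hunks on this line and to every other `htmlentities()` call in the commit. Note also that encoding at the point the row is read means these variables are no longer safe to reuse outside an HTML text or attribute context (SQL, URLs, file paths, plain-text helpers), which several later hunks in this commit run into.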
--- a/calendar_event_edit_modal.php +++ b/calendar_event_edit_modal.php @@ -40,8 +40,8 @@ $sql_calendars_select = mysqli_query($mysqli,"SELECT * FROM calendars WHERE company_id = $session_company_id ORDER BY calendar_name ASC"); while($row = mysqli_fetch_array($sql_calendars_select)){ $calendar_id_select = $row['calendar_id']; - $calendar_name_select = $row['calendar_name']; - $calendar_color_select = $row['calendar_color']; + $calendar_name_select = htmlentities($row['calendar_name']); + $calendar_color_select = htmlentities($row['calendar_color']); ?> @@ -107,8 +107,8 @@ $sql_clients = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN contacts ON primary_contact = contact_id WHERE clients.company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql_clients)){ $client_id_select = $row['client_id']; - $client_name_select = $row['client_name']; - $contact_email_select = $row['contact_email']; + $client_name_select = htmlentities($row['client_name']); + $contact_email_select = htmlentities($row['contact_email']); ?> diff --git a/calendar_events.php b/calendar_events.php index 66d715b8..17fb17a4 100644 --- a/calendar_events.php +++ b/calendar_events.php 
@@ -25,14 +25,14 @@ if(isset($_GET['calendar_id'])){ $sql = mysqli_query($mysqli,"SELECT * FROM events LEFT JOIN calendars ON event_calendar_id = calendar_id WHERE calendars.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ $event_id = $row['event_id']; - $event_title = $row['event_title']; - $event_description = $row['event_description']; - $event_start = $row['event_start']; - $event_end = $row['event_end']; - $event_repeat = $row['event_repeat']; + $event_title = htmlentities($row['event_title']); + $event_description = htmlentities($row['event_description']); + $event_start = htmlentities($row['event_start']); + $event_end = htmlentities($row['event_end']); + $event_repeat = htmlentities($row['event_repeat']); $calendar_id = $row['calendar_id']; - $calendar_name = $row['calendar_name']; - $calendar_color = $row['calendar_color']; + $calendar_name = htmlentities($row['calendar_name']); + $calendar_color = htmlentities($row['calendar_color']); $client_id = $row['event_client_id']; include("calendar_event_edit_modal.php"); @@ -76,15 +76,15 @@ while($row = mysqli_fetch_array($sql)){ 
@@ -92,11 +92,11 @@ while($row = mysqli_fetch_array($sql)){ //Invoices Created $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN invoices ON client_id = invoice_client_id WHERE clients.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ - $event_id = $row['invoice_id']; - $event_title = $row['invoice_prefix'] . $row['invoice_number'] . " " . $row['invoice_scope']; - $event_start = $row['invoice_date']; + $event_id = json_encode($row['invoice_id']); + $event_title = json_encode($row['invoice_prefix'] . $row['invoice_number'] . " " . $row['invoice_scope']); + $event_start = json_encode($row['invoice_date']); - echo "{ id: '$event_id', title: ". json_encode($event_title) .", start: '$event_start', color: 'blue', url: 'invoice.php?invoice_id=$event_id'},"; + echo "{ id: $event_id, title: $event_title, start: $event_start, color: 'blue', url: 'invoice.php?invoice_id=$event_id' },"; } ?> @@ -104,11 +104,11 @@ while($row = mysqli_fetch_array($sql)){ //Quotes Created $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN quotes ON client_id = quote_client_id WHERE clients.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ - $event_id = $row['quote_id']; - $event_title = $row['quote_prefix'] . $row['quote_number'] . " " . $row['quote_scope']; - $event_start = $row['quote_date']; + $event_id = json_encode($row['quote_id']); + $event_title = json_encode($row['quote_prefix'] . $row['quote_number'] . " " . $row['quote_scope']); + $event_start = json_encode($row['quote_date']); - echo "{ id: '$event_id', title: ". json_encode($event_title) .", start: '$event_start', color: 'purple', url: 'quote.php?quote_id=$event_id'},"; + echo "{ id: $event_id, title: $event_title, start: $event_start, color: 'purple', url: 'quote.php?quote_id=$event_id' },"; } ?> 
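Review bot: In both hunks here the JSON-encoded `$event_id` is interpolated into the `url:` string, so the link becomes `invoice.php?invoice_id="5"` once `json_encode()` quotes the value, which it does whenever `mysqli_fetch_array()` returns the id as a string (the default unless native int/float typing is enabled on the connection). The `id:` field is emitted as a string for the same reason, and `url:` is now the only field still assembled by interpolation inside a single-quoted JS string. The same pattern repeats in the `@@ -116`, `@@ -130` and `@@ -142` hunks on the following lines (tickets, vendors, clients). Building the whole event as a PHP array and encoding it once removes the mixed quoting; the shape below is for the invoices loop and applies unchanged to the other four, and the `continue` covers rows the LEFT JOIN may produce for clients with no invoice (inferred from the join, not shown in the hunk).
```php
while($row = mysqli_fetch_array($sql)){
    if ($row['invoice_id'] === null) { continue; } // client without invoices from the LEFT JOIN
    $invoice_id = (int) $row['invoice_id'];
    $event = [
        'id'    => $invoice_id,
        'title' => $row['invoice_prefix'] . $row['invoice_number'] . " " . $row['invoice_scope'],
        'start' => $row['invoice_date'],
        'color' => 'blue',
        'url'   => "invoice.php?invoice_id=$invoice_id",
    ];
    // JSON_HEX_* escapes <, >, &, ' and " as \u sequences so the output cannot close the surrounding <script> block
    echo json_encode($event, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ",";
}
```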
@@ -116,11 +116,11 @@ while($row = mysqli_fetch_array($sql)){ //Tickets Created $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN tickets ON client_id = ticket_client_id WHERE clients.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ - $event_id = $row['ticket_id']; - $event_title = $row['ticket_prefix'] . $row['ticket_number'] . " " . $row['ticket_subject']; - $event_start = $row['ticket_created_at']; + $event_id = json_encode($row['ticket_id']); + $event_title = json_encode($row['ticket_prefix'] . $row['ticket_number'] . " " . $row['ticket_subject']); + $event_start = json_encode($row['ticket_created_at']); - echo "{ id: '$event_id', title: ". json_encode($event_title) .", start: '$event_start', color: 'orange', url: 'ticket.php?ticket_id=$event_id'},"; + echo "{ id: $event_id, title: $event_title, start: $event_start, color: 'orange', url: 'ticket.php?ticket_id=$event_id' },"; } @@ -130,11 +130,11 @@ while($row = mysqli_fetch_array($sql)){ //Vendors Added Created $sql = mysqli_query($mysqli,"SELECT * FROM clients LEFT JOIN vendors ON client_id = vendor_client_id WHERE clients.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ - $event_id = $row['vendor_id']; - $event_title = $row['vendor_name']; - $event_start = $row['vendor_created_at']; + $event_id = json_encode($row['vendor_id']); + $event_title = json_encode($row['vendor_name']); + $event_start = json_encode($row['vendor_created_at']); - echo "{ id: '$event_id', title: ". json_encode($event_title) .", start: '$event_start', color: 'brown', url: 'client_vendors.php?client_id=$event_id'},"; + echo "{ id: $event_id, title: $event_title, start: $event_start, color: 'brown', url: 'client_vendors.php?client_id=$event_id' },"; } ?> 
@@ -142,11 +142,11 @@ while($row = mysqli_fetch_array($sql)){ //Clients Added $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE clients.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ - $event_id = $row['client_id']; - $event_title = $row['client_name']; - $event_start = $row['client_created_at']; + $event_id = json_encode($row['client_id']); + $event_title = json_encode($row['client_name']); + $event_start = json_encode($row['client_created_at']); - echo "{ id: '$event_id', title: ". json_encode($event_title) .", start: '$event_start', color: 'green', url: 'client.php?client_id=$event_id'},"; + echo "{ id: $event_id, title: $event_title, start: $event_start, color: 'green', url: 'client.php?client_id=$event_id' },"; } ?> @@ -160,4 +160,4 @@ while($row = mysqli_fetch_array($sql)){ calendar.render(); }); - + \ No newline at end of file diff --git a/categories.php b/categories.php index efd9732a..c633b2bb 100644 --- a/categories.php +++ b/categories.php @@ -84,8 +84,8 @@ $colors_diff = array_diff($colors_array,$colors_used_array); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; - $category_color = $row['category_color']; + $category_name = htmlentities($row['category_name']); + $category_color = htmlentities($row['category_color']); //$colors_used_array[] = $row['category_color']; ?> diff --git a/client_add_modal.php b/client_add_modal.php index 3df00748..2e1348b9 100644 --- a/client_add_modal.php +++ b/client_add_modal.php @@ -66,7 +66,7 @@ $referral_sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Referral' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($referral_sql)){ - $referral = $row['category_name']; + $referral = htmlentities($row['category_name']); ?> 
@@ -279,9 +279,9 @@ while($row = mysqli_fetch_array($sql_tags_select)){ $tag_id_select = $row['tag_id']; - $tag_name_select = $row['tag_name']; - $tag_color_select = $row['tag_color']; - $tag_icon_select = $row['tag_icon']; + $tag_name_select = htmlentities($row['tag_name']); + $tag_color_select = htmlentities($row['tag_color']); + $tag_icon_select = htmlentities($row['tag_icon']); ?>
  • diff --git a/client_asset_add_modal.php b/client_asset_add_modal.php index 5bc43e08..3c16788b 100644 --- a/client_asset_add_modal.php +++ b/client_asset_add_modal.php @@ -125,7 +125,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL AND location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql)){ $location_id = $row['location_id']; - $location_name = $row['location_name']; + $location_name = htmlentities($row['location_name']); ?> @@ -150,7 +150,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_archived_at IS NULL AND contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; + $contact_name = htmlentities($row['contact_name']); ?> @@ -190,8 +190,8 @@ $sql = mysqli_query($mysqli,"SELECT * FROM networks WHERE network_archived_at IS NULL AND network_client_id = $client_id ORDER BY network_name ASC"); while($row = mysqli_fetch_array($sql)){ $network_id = $row['network_id']; - $network_name = $row['network_name']; - $network = $row['network']; + $network_name = htmlentities($row['network_name']); + $network = htmlentities($row['network']); ?> @@ -240,7 +240,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_archived_at IS NULL AND vendor_client_id = $client_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql)){ $vendor_id = $row['vendor_id']; - $vendor_name = $row['vendor_name']; + $vendor_name = htmlentities($row['vendor_name']); ?> diff --git a/client_asset_copy_modal.php b/client_asset_copy_modal.php index 166e0d17..21942b37 100644 --- a/client_asset_copy_modal.php +++ b/client_asset_copy_modal.php 
@@ -123,7 +123,7 @@ $sql_locations = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql_locations)){ $location_id_select = $row['location_id']; - $location_name_select = $row['location_name']; + $location_name_select = htmlentities($row['location_name']); ?> @@ -148,7 +148,7 @@ $sql_contacts = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_archived_at IS NULL AND contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql_contacts)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; + $contact_name = htmlentities($row['contact_name']); ?> @@ -187,8 +187,8 @@ $sql_networks = mysqli_query($mysqli,"SELECT * FROM networks WHERE (network_archived_at > '$asset_created_at' OR network_archived_at IS NULL) AND network_client_id = $client_id ORDER BY network_name ASC"); while($row = mysqli_fetch_array($sql_networks)){ $network_id_select = $row['network_id']; - $network_name_select = $row['network_name']; - $network_select = $row['network']; + $network_name_select = htmlentities($row['network_name']); + $network_select = htmlentities($row['network']); ?> @@ -237,7 +237,7 @@ $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE (vendor_archived_at > '$asset_created_at' OR vendor_archived_at IS NULL) AND vendor_client_id = $client_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql_vendors)){ $vendor_id_select = $row['vendor_id']; - $vendor_name_select = $row['vendor_name']; + $vendor_name_select = htmlentities($row['vendor_name']); ?> diff --git a/client_asset_documents_modal.php b/client_asset_documents_modal.php index 3009b160..6cafbc87 100644 --- a/client_asset_documents_modal.php +++ b/client_asset_documents_modal.php @@ -12,7 +12,7 @@

    diff --git a/client_asset_edit_modal.php b/client_asset_edit_modal.php index fdd4cb2e..9b6b74df 100644 --- a/client_asset_edit_modal.php +++ b/client_asset_edit_modal.php @@ -124,7 +124,7 @@ $sql_locations = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql_locations)){ $location_id_select = $row['location_id']; - $location_name_select = $row['location_name']; + $location_name_select = htmlentities($row['location_name']); ?> @@ -148,7 +148,7 @@ $sql_contacts = mysqli_query($mysqli,"SELECT * FROM contacts WHERE (contact_archived_at > '$asset_created_at' OR contact_archived_at IS NULL) AND contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql_contacts)){ $contact_id_select = $row['contact_id']; - $contact_name_select = $row['contact_name']; + $contact_name_select = htmlentities($row['contact_name']); ?> @@ -238,7 +238,7 @@ $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE (vendor_archived_at > '$asset_created_at' OR vendor_archived_at IS NULL) AND vendor_client_id = $client_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql_vendors)){ $vendor_id_select = $row['vendor_id']; - $vendor_name_select = $row['vendor_name']; + $vendor_name_select = htmlentities($row['vendor_name']); ?> diff --git a/client_asset_tickets_modal.php b/client_asset_tickets_modal.php index 8fd33a46..2cdfbff8 100644 --- a/client_asset_tickets_modal.php +++ b/client_asset_tickets_modal.php 
@@ -13,10 +13,10 @@ // Query is run from client_assets.php while($row = mysqli_fetch_array($sql_tickets)){ $ticket_id = $row['ticket_id']; - $ticket_prefix = $row['ticket_prefix']; - $ticket_number = $row['ticket_number']; - $ticket_subject = $row['ticket_subject']; - $ticket_status = $row['ticket_status']; + $ticket_prefix = htmlentities($row['ticket_prefix']); + $ticket_number = htmlentities($row['ticket_number']); + $ticket_subject = htmlentities($row['ticket_subject']); + $ticket_status = htmlentities($row['ticket_status']); $ticket_created_at = $row['ticket_created_at']; $ticket_updated_at = $row['ticket_updated_at']; ?> diff --git a/client_assets.php b/client_assets.php index 20d4a008..f91d0e3b 100644 --- a/client_assets.php +++ b/client_assets.php 
@@ -164,30 +164,30 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $asset_id = $row['asset_id']; - $asset_type = $row['asset_type']; - $asset_name = $row['asset_name']; - $asset_make = $row['asset_make']; - $asset_model = $row['asset_model']; - $asset_serial = $row['asset_serial']; + $asset_type = htmlentities($row['asset_type']); + $asset_name = htmlentities($row['asset_name']); + $asset_make = htmlentities($row['asset_make']); + $asset_model = htmlentities($row['asset_model']); + $asset_serial = htmlentities($row['asset_serial']); if(empty($asset_serial)){ $asset_serial_display = "-"; }else{ $asset_serial_display = $asset_serial; } - $asset_os = $row['asset_os']; + $asset_os = htmlentities($row['asset_os']); if(empty($asset_os)){ $asset_os_display = "-"; }else{ $asset_os_display = $asset_os; } - $asset_ip = $row['asset_ip']; + $asset_ip = htmlentities($row['asset_ip']); if(empty($asset_ip)){ $asset_ip_display = "-"; }else{ $asset_ip_display = "$asset_ip"; } - $asset_mac = $row['asset_mac']; - $asset_status = $row['asset_status']; + $asset_mac = htmlentities($row['asset_mac']); + $asset_status = htmlentities($row['asset_status']); $asset_purchase_date = $row['asset_purchase_date']; $asset_warranty_expire = $row['asset_warranty_expire']; $asset_install_date = $row['asset_install_date']; @@ -196,7 +196,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); }else{ $asset_install_date_display = $asset_install_date; } - $asset_notes = $row['asset_notes']; + $asset_notes = htmlentities($row['asset_notes']); $asset_created_at = $row['asset_created_at']; $asset_vendor_id = $row['asset_vendor_id']; $asset_location_id = $row['asset_location_id']; 
@@ -242,8 +242,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); } $login_id = $row['login_id']; - $login_username = $row['login_username']; - $login_password = decryptLoginEntry($row['login_password']); + $login_username = htmlentities($row['login_username']); + $login_password = htmlentities(decryptLoginEntry($row['login_password'])); // Related tickets $sql_tickets = mysqli_query($mysqli,"SELECT * FROM tickets WHERE ticket_asset_id = $asset_id ORDER BY ticket_number DESC"); diff --git a/client_certificate_add_modal.php b/client_certificate_add_modal.php index e5c37415..09207012 100644 --- a/client_certificate_add_modal.php +++ b/client_certificate_add_modal.php @@ -76,7 +76,7 @@ $domains_sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id = '$client_id'"); while($domain_row = mysqli_fetch_array($domains_sql)){ $domain_id = $domain_row['domain_id']; - $domain_name = $domain_row['domain_name']; + $domain_name = htmlentities($domain_row['domain_name']); echo ""; } ?> diff --git a/client_certificates.php b/client_certificates.php index 8d7affeb..b94d2cfd 100644 --- a/client_certificates.php +++ b/client_certificates.php @@ -65,10 +65,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $certificate_id = $row['certificate_id']; - $certificate_name = $row['certificate_name']; - $certificate_domain = $row['certificate_domain']; - $certificate_issued_by = $row['certificate_issued_by']; - $certificate_expire = $row['certificate_expire']; + $certificate_name = htmlentities($row['certificate_name']); + $certificate_domain = htmlentities($row['certificate_domain']); + $certificate_issued_by = htmlentities($row['certificate_issued_by']); + $certificate_expire = htmlentities($row['certificate_expire']); ?> diff --git a/client_contact_add_modal.php b/client_contact_add_modal.php index e9ca2e3c..447d171c 100644 --- a/client_contact_add_modal.php 
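Review bot: `htmlentities(decryptLoginEntry($row['login_password']))` encodes the decrypted password at read time, so if `$login_password` is reused anywhere other than an HTML text node or attribute (a JS string or a copy-to-clipboard handler, for instance — the hunk does not show the output), a password containing `&`, `<`, `>` or `"` is altered before the user sees it. If `decryptLoginEntry()` can return `null` on a failed decrypt, `htmlentities()` will also emit a deprecation on PHP 8.1+ and yield an empty string, silently hiding the failure; checking the decrypt result before encoding is better than `$login_password = htmlentities((string) decryptLoginEntry($row['login_password']));`, which only keeps the type stable. Encoding at the output site instead keeps the secret usable in every context.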
+++ b/client_contact_add_modal.php @@ -117,7 +117,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL AND location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql)){ $location_id = $row['location_id']; - $location_name = $row['location_name']; + $location_name = htmlentities($row['location_name']); ?> diff --git a/client_contact_details_modal.php b/client_contact_details_modal.php index ed2a0e7a..85d78547 100644 --- a/client_contact_details_modal.php +++ b/client_contact_details_modal.php @@ -35,11 +35,11 @@ while($row = mysqli_fetch_array($sql_related_assets)){ $asset_id = $row['asset_id']; - $asset_type = $row['asset_type']; - $asset_name = $row['asset_name']; - $asset_make = $row['asset_make']; - $asset_model = $row['asset_model']; - $asset_serial = $row['asset_serial']; + $asset_type = htmlentities($row['asset_type']); + $asset_name = htmlentities($row['asset_name']); + $asset_make = htmlentities($row['asset_make']); + $asset_model = htmlentities($row['asset_model']); + $asset_serial = htmlentities($row['asset_serial']); ?> @@ -58,11 +58,11 @@ while($row = mysqli_fetch_array($sql_related_logins)){ $login_id = $row['login_id']; - $login_name = $row['login_name']; - $login_uri = $row['login_uri']; - $login_username = $row['login_username']; - $login_password = $row['login_password']; - $login_note = $row['login_note']; + $login_name = htmlentities($row['login_name']); + $login_uri = htmlentities($row['login_uri']); + $login_username = htmlentities($row['login_username']); + $login_password = htmlentities($row['login_password']); + $login_note = htmlentities($row['login_note']); $vendor_id = $row['vendor_id']; $asset_id = $row['asset_id']; $software_id = $row['software_id']; 
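Review bot: `$login_password = htmlentities($row['login_password']);` in the `@@ -58` hunk encodes the stored column directly, whereas the `@@ -242` hunk of client_assets.php wraps the same column in `decryptLoginEntry()` before encoding; if the column holds ciphertext as that call suggests, this modal shows the ciphertext, and if it holds plaintext the two files disagree on the storage format. The two sites should agree, e.g. `$login_password = htmlentities(decryptLoginEntry($row['login_password']));`, or the variable should be dropped here if the modal never displays it. `$login_uri` is also entity-encoded at read, so it must not be escaped a second time where it lands in an `href`, or `&` in a query string renders as `&amp;amp;`.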
@@ -84,9 +84,9 @@ while($row = mysqli_fetch_array($sql_related_software)){ $software_id = $row['software_id']; - $software_name = $row['software_name']; - $software_type = $row['software_type']; - $software_notes = $row['software_notes']; + $software_name = htmlentities($row['software_name']); + $software_type = htmlentities($row['software_type']); + $software_notes = htmlentities($row['software_notes']); ?> diff --git a/client_contact_edit_modal.php b/client_contact_edit_modal.php index ac007c2c..1c96f863 100644 --- a/client_contact_edit_modal.php +++ b/client_contact_edit_modal.php @@ -119,7 +119,7 @@ $sql_locations = mysqli_query($mysqli,"SELECT * FROM locations WHERE (location_archived_at > '$contact_created_at' OR location_archived_at IS NULL) AND location_client_id = $client_id ORDER BY location_name ASC"); while($row = mysqli_fetch_array($sql_locations)){ $location_id_select = $row['location_id']; - $location_name_select = $row['location_name']; + $location_name_select = htmlentities($row['location_name']); ?> diff --git a/client_contacts.php b/client_contacts.php index e7f0551c..688da7dd 100644 --- a/client_contacts.php +++ b/client_contacts.php @@ -83,14 +83,14 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; - $contact_title = $row['contact_title']; + $contact_name = htmlentities($row['contact_name']); + $contact_title = htmlentities($row['contact_title']); if(empty($contact_title)){ $contact_title_display = "-"; }else{ $contact_title_display = "$contact_title"; } - $contact_department = $row['contact_department']; + $contact_department =htmlentities($row['contact_department']); if(empty($contact_department)){ $contact_department_display = "-"; }else{ 
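Review bot: In the client_contacts.php `@@ -83` hunk `$contact_name` is entity-encoded at read, but the `@@ -102` hunk of the same file still passes it to `initials($contact_name)`, so a name whose first letter is non-ASCII (`Émile` becomes `&Eacute;mile`) now yields `&` as its initial. Compute the initials from the raw column, `$contact_initials = initials($row['contact_name']);`, or encode at the output site instead. Separately, `$contact_department =htmlentities($row['contact_department']);` is missing the space after `=` that every other assignment in the hunk has.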
@@ -102,22 +102,22 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); }else{ $contact_phone_display = "$contact_phone"; } - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); if(empty($contact_mobile)){ $contact_mobile_display = "-"; }else{ $contact_mobile_display = "$contact_mobile"; } - $contact_email = $row['contact_email']; + $contact_email = htmlentities($row['contact_email']); if(empty($contact_email)){ $contact_email_display = "-"; }else{ $contact_email_display = "$contact_email"; } - $contact_photo = $row['contact_photo']; + $contact_photo = htmlentities($row['contact_photo']); $contact_initials = initials($contact_name); - $contact_notes = $row['contact_notes']; + $contact_notes = htmlentities($row['contact_notes']); $contact_created_at = $row['contact_created_at']; if($contact_id == $primary_contact){ $primary_contact_display = "Primary Contact"; @@ -125,13 +125,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); $primary_contact_display = FALSE; } $contact_location_id = $row['contact_location_id']; - $location_name = $row['location_name']; + $location_name = htmlentities($row['location_name']); if(empty($location_name)){ $location_name_display = "-"; }else{ $location_name_display = $location_name; } - $auth_method = $row['contact_auth_method']; + $auth_method = htmlentities($row['contact_auth_method']); // Related Assets Query $sql_related_assets = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_contact_id = $contact_id AND company_id = $session_company_id ORDER BY asset_id DESC"); diff --git a/client_document_add_modal.php b/client_document_add_modal.php index 8858bda7..ea94121e 100644 --- a/client_document_add_modal.php +++ b/client_document_add_modal.php 
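Review bot: `$contact_mobile = formatPhoneNumber($row['contact_mobile']);` (and `$contact_phone` just above the hunk) is now the only string column in this loop that is not encoded; if `formatPhoneNumber()` passes non-digit characters through (cannot tell from the hunk), it remains the one unescaped value in the row. Either wrap it too, `$contact_mobile = htmlentities(formatPhoneNumber($row['contact_mobile']));`, or add a comment stating that the helper guarantees digit-only output; the `@@ -80` hunk of client_locations.php has the same gap with `$location_phone`. `$contact_photo` is also entity-encoded here; if it is a filename used to build the image path (inferred from the name), a photo whose name contains `&` or a non-ASCII character will no longer resolve, so keep the raw value for path building and encode only the displayed copy.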
@@ -46,7 +46,7 @@ $sql_folders = mysqli_query($mysqli,"SELECT * FROM folders WHERE folder_client_id = $client_id ORDER BY folder_name ASC"); while($row = mysqli_fetch_array($sql_folders)){ $folder_id = $row['folder_id']; - $folder_name = $row['folder_name']; + $folder_name = htmlentities($row['folder_name']); ?> diff --git a/client_document_details.php b/client_document_details.php index 1f7ce828..e44765a6 100644 --- a/client_document_details.php +++ b/client_document_details.php @@ -16,7 +16,7 @@ $sql_document = mysqli_query($mysqli,"SELECT * FROM documents LEFT JOIN folders $row = mysqli_fetch_array($sql_document); $folder_name = $row['folder_name']; -$document_name = $row['document_name']; +$document_name = htmlentities($row['document_name']); $document_content = $row['document_content']; $document_created_at = $row['document_created_at']; $document_updated_at = $row['document_updated_at']; diff --git a/client_document_edit_modal.php b/client_document_edit_modal.php index c142a246..b2d791ca 100644 --- a/client_document_edit_modal.php +++ b/client_document_edit_modal.php @@ -46,7 +46,7 @@ $sql_folders_select = mysqli_query($mysqli,"SELECT * FROM folders WHERE folder_client_id = $client_id ORDER BY folder_name ASC"); while($row = mysqli_fetch_array($sql_folders_select)){ $folder_id_select = $row['folder_id']; - $folder_name_select = $row['folder_name']; + $folder_name_select = htmlentities($row['folder_name']); ?> @@ -58,7 +58,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_archived_at IS NULL AND vendor_client_id = $client_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql)){ $vendor_id = $row['vendor_id']; - $vendor_name = $row['vendor_name']; + $vendor_name = htmlentities($row['vendor_name']); ?> diff --git a/client_domains.php b/client_domains.php index 07c5d750..9fbfe93f 100644 --- a/client_domains.php +++ b/client_domains.php 
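Review bot: In the client_document_details.php hunk `$document_name` is encoded but `$document_content` on the very next line is left raw; if the content is rendered as HTML (the column name suggests rich text, but the hunk does not show the output), entity encoding is not the right tool and the exemption should be stated, e.g. `// document_content is rendered as HTML: sanitise against an allow-list at save/render time rather than entity-encoding it`. Without such a comment the next reader cannot tell whether the omission is deliberate or an oversight of this sweep.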
@@ -66,18 +66,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $domain_id = $row['domain_id']; - $domain_name = $row['domain_name']; - $domain_registrar = $row['domain_registrar']; - $domain_webhost = $row['domain_webhost']; - $domain_expire = $row['domain_expire']; - $domain_registrar_name = $row['vendor_name']; + $domain_name = htmlentities($row['domain_name']); + $domain_registrar = htmlentities($row['domain_registrar']); + $domain_webhost = htmlentities($row['domain_webhost']); + $domain_expire = htmlentities($row['domain_expire']; + $domain_registrar_name = htmlentities($row['vendor_name']); if(empty($domain_registrar_name)){ $domain_registrar_name = "-"; } $sql_domain_webhost = mysqli_query($mysqli,"SELECT vendor_name FROM vendors WHERE vendor_id = $domain_webhost"); $row = mysqli_fetch_array($sql_domain_webhost); - $domain_webhost_name = $row['vendor_name']; + $domain_webhost_name = htmlentities($row['vendor_name']); if(empty($domain_webhost_name)){ $domain_webhost_name = "-"; } diff --git a/client_edit_modal.php b/client_edit_modal.php index 4feac55d..bffd584f 100644 --- a/client_edit_modal.php +++ b/client_edit_modal.php @@ -61,7 +61,7 @@ $referral_sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Referral' AND (category_archived_at > '$client_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($referral_sql)){ - $referral = $row['category_name']; + $referral = htmlentities($row['category_name']); ?> 
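Review bot: `$domain_expire = htmlentities($row['domain_expire'];` is missing the closing parenthesis, so client_domains.php no longer parses; it should read `$domain_expire = htmlentities($row['domain_expire']);`. In the same hunk `$domain_webhost` is entity-encoded and then interpolated into `WHERE vendor_id = $domain_webhost` a few lines later; entity encoding does nothing for SQL context, and since the value is an id, `$domain_webhost = (int) $row['domain_webhost'];` is the appropriate treatment and also avoids the malformed query an empty value currently produces. The inner `$row = mysqli_fetch_array($sql_domain_webhost);` overwrites the outer loop's `$row`, which predates this commit but makes the encoded/raw distinction harder to follow.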
@@ -142,9 +142,9 @@ while($row = mysqli_fetch_array($sql_tags_select)){ $tag_id_select = $row['tag_id']; - $tag_name_select = $row['tag_name']; - $tag_color_select = $row['tag_color']; - $tag_icon_select = $row['tag_icon']; + $tag_name_select = htmlentities($row['tag_name']); + $tag_color_select = htmlentities($row['tag_color']); + $tag_icon_select = htmlentities($row['tag_icon']); ?>

  • diff --git a/client_events.php b/client_events.php index 29d2cbfa..fb12c55c 100644 --- a/client_events.php +++ b/client_events.php @@ -25,14 +25,14 @@ if(isset($_GET['calendar_id'])){ $sql = mysqli_query($mysqli,"SELECT * FROM calendars LEFT JOIN events ON calendar_id = event_calendar_id WHERE event_client_id = $client_id AND calendars.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ $event_id = $row['event_id']; - $event_title = $row['event_title']; - $event_description = $row['event_description']; - $event_start = $row['event_start']; - $event_end = $row['event_end']; - $event_repeat = $row['event_repeat']; + $event_title = htmlentities($row['event_title']); + $event_description = htmlentities($row['event_description']); + $event_start = htmlentities($row['event_start']); + $event_end = htmlentities($row['event_end']); + $event_repeat = htmlentities($row['event_repeat']); $calendar_id = $row['calendar_id']; - $calendar_name = $row['calendar_name']; - $calendar_color = $row['calendar_color']; + $calendar_name = htmlentities($row['calendar_name']); + $calendar_color = htmlentities($row['calendar_color']); include("calendar_event_edit_modal.php"); @@ -73,15 +73,15 @@ while($row = mysqli_fetch_array($sql)){ ], diff --git a/client_files.php b/client_files.php index bde1a71a..7157e146 100644 --- a/client_files.php +++ b/client_files.php @@ -33,9 +33,9 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_ while($row = mysqli_fetch_array($sql_files_images)){ $file_id = $row['file_id']; - $file_name = $row['file_name']; - $file_reference_name = $row['file_reference_name']; - $file_ext = $row['file_ext']; + $file_name = htmlentities($row['file_name']); + $file_reference_name = htmlentities($row['file_reference_name']); + $file_ext = htmlentities($row['file_ext']); ?> @@ -70,9 +70,9 @@ $num_of_files = mysqli_num_rows($sql_files_images) + mysqli_num_rows($sql_files_ 
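Review bot: In the client_files.php `@@ -33` hunk `$file_name`, `$file_reference_name` and `$file_ext` are entity-encoded at read; if any of them is later used to build the download path or `href` for the stored file (likely for `$file_name`, but the hunk does not show it), names containing `&` or non-ASCII characters will no longer resolve. Keep the raw column for path building and encode only the displayed copy, e.g. `$file_name_display = htmlentities($row['file_name']);`. The `@@ -70` hunk of this file and the `@@ -73` hunk of client_events.php are cut off on this line, so they are not reviewed.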
diff --git a/client_location_edit_modal.php b/client_location_edit_modal.php index 905b8a9e..bb6ba3c2 100644 --- a/client_location_edit_modal.php +++ b/client_location_edit_modal.php @@ -118,7 +118,7 @@ $sql_contacts = mysqli_query($mysqli,"SELECT * FROM contacts WHERE (contact_archived_at > '$location_created_at' OR contact_archived_at IS NULL) AND contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql_contacts)){ $contact_id_select = $row['contact_id']; - $contact_name_select = $row['contact_name']; + $contact_name_select = htmlentities($row['contact_name']); ?> diff --git a/client_locations.php b/client_locations.php index df125794..889af06e 100644 --- a/client_locations.php +++ b/client_locations.php 
@@ -80,26 +80,26 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $location_id = $row['location_id'];
- $location_name = $row['location_name'];
- $location_country = $row['location_country'];
- $location_address = $row['location_address'];
- $location_city = $row['location_city'];
- $location_state = $row['location_state'];
- $location_zip = $row['location_zip'];
+ $location_name = htmlentities($row['location_name']);
+ $location_country = htmlentities($row['location_country']);
+ $location_address = htmlentities($row['location_address']);
+ $location_city = htmlentities($row['location_city']);
+ $location_state = htmlentities($row['location_state']);
+ $location_zip = htmlentities($row['location_zip']);
 $location_phone = formatPhoneNumber($row['location_phone']);
 if(empty($location_phone)){
 $location_phone_display = "-";
 }else{
 $location_phone_display = $location_phone;
 }
- $location_hours = $row['location_hours'];
+ $location_hours = htmlentities($row['location_hours']);
 if(empty($location_hours)){
 $location_hours_display = "-";
 }else{
 $location_hours_display = $location_hours;
 }
- $location_photo = $row['location_photo'];
- $location_notes = $row['location_notes'];
+ $location_photo = htmlentities($row['location_photo']);
+ $location_notes = htmlentities($row['location_notes']);
 $location_created_at = $row['location_created_at'];
 $location_contact_id = $row['location_contact_id'];
 if($location_id == $primary_location){
diff --git a/client_login_add_modal.php b/client_login_add_modal.php
index 8a372e27..aa92daab 100644
--- a/client_login_add_modal.php
+++ b/client_login_add_modal.php
@@ -105,7 +105,7 @@
 $sql = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $contact_id = $row['contact_id'];
- $contact_name = $row['contact_name'];
+ $contact_name = htmlentities($row['contact_name']);
 ?>
@@ -129,7 +129,7 @@
 $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_client_id = $client_id ORDER BY vendor_name ASC");
 while($row = mysqli_fetch_array($sql_vendors)){
 $vendor_id = $row['vendor_id'];
- $vendor_name = $row['vendor_name'];
+ $vendor_name = htmlentities($row['vendor_name']);
 ?>
@@ -153,7 +153,7 @@
 $sql = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $asset_id = $row['asset_id'];
- $asset_name = $row['asset_name'];
+ $asset_name = htmlentities($row['asset_name']);
 ?>
@@ -177,7 +177,7 @@
 $sql = mysqli_query($mysqli,"SELECT * FROM software WHERE software_client_id = $client_id ORDER BY software_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $software_id = $row['software_id'];
- $software_name = $row['software_name'];
+ $software_name = htmlentities($row['software_name']);
 ?>
diff --git a/client_login_edit_modal.php b/client_login_edit_modal.php
index 57aa63a9..8991fb53 100644
--- a/client_login_edit_modal.php
+++ b/client_login_edit_modal.php
@@ -111,7 +111,7 @@
 $sql_contacts = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC");
 while($row = mysqli_fetch_array($sql_contacts)){
 $contact_id_select = $row['contact_id'];
- $contact_name_select = $row['contact_name'];
+ $contact_name_select = htmlentities($row['contact_name']);
 ?>
@@ -135,7 +135,7 @@
 $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_client_id = $client_id ORDER BY vendor_name ASC");
 while($row = mysqli_fetch_array($sql_vendors)){
 $vendor_id_select = $row['vendor_id'];
- $vendor_name_select = $row['vendor_name'];
+ $vendor_name_select = htmlentities($row['vendor_name']);
 ?>
@@ -159,7 +159,7 @@
 $sql_assets = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC");
 while($row = mysqli_fetch_array($sql_assets)){
 $asset_id_select = $row['asset_id'];
- $asset_name_select = $row['asset_name'];
+ $asset_name_select = htmlentities($row['asset_name']);
 ?>
@@ -183,7 +183,7 @@
 $sql_software = mysqli_query($mysqli,"SELECT * FROM software WHERE software_client_id = $client_id ORDER BY software_name ASC");
 while($row = mysqli_fetch_array($sql_software)){
 $software_id_select = $row['software_id'];
- $software_name_select = $row['software_name'];
+ $software_name_select = htmlentities($row['software_name']);
 ?>
diff --git a/client_logins.php b/client_logins.php
index 2caf197c..86e7a97d 100644
--- a/client_logins.php
+++ b/client_logins.php
@@ -68,28 +68,28 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $login_id = $row['login_id'];
- $login_name = $row['login_name'];
- $login_uri = $row['login_uri'];
+ $login_name = htmlentities($row['login_name']);
+ $login_uri = htmlentities($row['login_uri']);
 if(empty($login_uri)){
 $login_uri_display = "-";
 }else{
 $login_uri_display = "$login_uri";
 }
- $login_username = $row['login_username'];
+ $login_username = htmlentities($row['login_username']);
 if(empty($login_username)){
 $login_username_display = "-";
 }else{
 $login_username_display = "$login_username";
 }
 $login_password = htmlentities(decryptLoginEntry($row['login_password']));
- $login_otp_secret = $row['login_otp_secret'];
+ $login_otp_secret = htmlentities($row['login_otp_secret']);
 $login_id_with_secret = '"' . $row['login_id'] . '","' . $row['login_otp_secret'] . '"';
 if(empty($login_otp_secret)){
 $otp_display = "-";
 }else{
 $otp_display = " Hover..";
 }
- $login_note = $row['login_note'];
+ $login_note = htmlentities($row['login_note']);
 $login_contact_id = $row['login_contact_id'];
 $login_vendor_id = $row['login_vendor_id'];
 $login_asset_id = $row['login_asset_id'];
diff --git a/client_logs.php b/client_logs.php
index eee04d65..f8365711 100644
--- a/client_logs.php
+++ b/client_logs.php
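Review bot: `$login_id_with_secret` on the line after the new `$login_otp_secret` assignment still concatenates the raw `$row['login_otp_secret']` into a `'"…","…"'` string, so the one place the secret is embedded in another context is left unencoded while the display copy is entity-encoded. Its quoting reads like a JavaScript argument list (the consuming markup is outside the hunk); if so, HTML entities are the wrong escaping there anyway — build it as `$login_id_with_secret = json_encode([$row['login_id'], $row['login_otp_secret']]);` and entity-encode the attribute or script slot it is printed into. `$login_uri` is encoded the same way as the text fields but is presumably printed as an `href`, and entity encoding does not validate a URL scheme, so check it before linking. The loop body continues past the hunk.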
@@ -71,14 +71,14 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $log_id = $row['log_id'];
- $log_type = $row['log_type'];
- $log_action = $row['log_action'];
+ $log_type = htmlentities($row['log_type']);
+ $log_action = htmlentities($row['log_action']);
 $log_description = htmlentities($row['log_description']);
 $log_ip = htmlentities($row['log_ip']);
- $log_user_agent = $row['log_user_agent'];
+ $log_user_agent = htmlentities($row['log_user_agent']);
 $log_created_at = $row['log_created_at'];
 $user_id = $row['user_id'];
- $user_name = $row['user_name'];
+ $user_name = htmlentities($row['user_name']);
 if(empty($user_name)){
 $user_name_display = "-";
 }else{
diff --git a/client_network_add_modal.php b/client_network_add_modal.php
index e043fbeb..38c8316c 100644
--- a/client_network_add_modal.php
+++ b/client_network_add_modal.php
@@ -74,7 +74,7 @@
 $sql = mysqli_query($mysqli,"SELECT * FROM locations WHERE location_archived_at IS NULL AND location_client_id = $client_id ORDER BY location_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $location_id = $row['location_id'];
- $location_name = $row['location_name'];
+ $location_name = htmlentities($row['location_name']);
 ?>
diff --git a/client_networks.php b/client_networks.php
index 8be42c93..c2bcdba3 100644
--- a/client_networks.php
+++ b/client_networks.php
@@ -69,23 +69,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $network_id = $row['network_id'];
- $network_name = $row['network_name'];
- $network_vlan = $row['network_vlan'];
+ $network_name = htmlentities($row['network_name']);
+ $network_vlan = htmlentities($row['network_vlan']);
 if(empty($network_vlan)){
 $network_vlan_display = "-";
 }else{
 $network_vlan_display = $network_vlan;
 }
- $network = $row['network'];
- $network_gateway = $row['network_gateway'];
- $network_dhcp_range = $row['network_dhcp_range'];
+ $network = htmlentities($row['network']);
+ $network_gateway = htmlentities($row['network_gateway']);
+ $network_dhcp_range = htmlentities($row['network_dhcp_range']);
 if(empty($network_dhcp_range)){
 $network_dhcp_range_display = "-";
 }else{
 $network_dhcp_range_display = $network_dhcp_range;
 }
 $network_location_id = $row['network_location_id'];
- $location_name = $row['location_name'];
+ $location_name = htmlentities($row['location_name']);
 if(empty($location_name)){
 $location_name_display = "-";
 }else{
diff --git a/client_payments.php b/client_payments.php
index 553b6252..bc321cfd 100644
--- a/client_payments.php
+++ b/client_payments.php
@@ -74,23 +74,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $invoice_id = $row['invoice_id'];
- $invoice_prefix = $row['invoice_prefix'];
- $invoice_number = $row['invoice_number'];
- $invoice_status = $row['invoice_status'];
- $invoice_amount = $row['invoice_amount'];
- $invoice_currency_code = $row['invoice_currency_code'];
+ $invoice_prefix = htmlentities($row['invoice_prefix']);
+ $invoice_number = htmlentities($row['invoice_number']);
+ $invoice_status = htmlentities($row['invoice_status']);
+ $invoice_amount = htmlentities($row['invoice_amount']);
+ $invoice_currency_code = htmlentities($row['invoice_currency_code']);
 $invoice_date = $row['invoice_date'];
 $payment_date = $row['payment_date'];
- $payment_method = $row['payment_method'];
- $payment_reference = $row['payment_reference'];
+ $payment_method = htmlentities($row['payment_method']);
+ $payment_reference = htmlentities($row['payment_reference']);
 if(empty($payment_reference)){
 $payment_reference_display = "-";
 }else{
 $payment_reference_display = $payment_reference;
 }
- $payment_amount = $row['payment_amount'];
- $payment_currency_code = $row['payment_currency_code'];
- $account_name = $row['account_name'];
+ $payment_amount = htmlentities($row['payment_amount']);
+ $payment_currency_code = htmlentities($row['payment_currency_code']);
+ $account_name = htmlentities($row['account_name']);
 ?>
diff --git a/client_quotes.php b/client_quotes.php
index 77b5027a..9f1571bb 100644
--- a/client_quotes.php
+++ b/client_quotes.php
@@ -75,21 +75,21 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $quote_id = $row['quote_id'];
- $quote_prefix = $row['quote_prefix'];
- $quote_number = $row['quote_number'];
- $quote_scope = $row['quote_scope'];
+ $quote_prefix = htmlentities($row['quote_prefix']);
+ $quote_number = htmlentities($row['quote_number']);
+ $quote_scope = htmlentities($row['quote_scope']);
 if(empty($quote_scope)){
 $quote_scope_display = "-";
 }else{
 $quote_scope_display = $quote_scope;
 }
- $quote_status = $row['quote_status'];
+ $quote_status = htmlentities($row['quote_status']);
 $quote_date = $row['quote_date'];
- $quote_amount = $row['quote_amount'];
- $quote_currency_code = $row['quote_currency_code'];
+ $quote_amount = htmlentities($row['quote_amount']);
+ $quote_currency_code = htmlentities($row['quote_currency_code']);
 $quote_created_at = $row['quote_created_at'];
 $category_id = $row['category_id'];
- $category_name = $row['category_name'];
+ $category_name = htmlentities($row['category_name']);
 //Set Badge color based off of quote status
 if($quote_status == "Sent"){
diff --git a/client_recurring_invoices.php b/client_recurring_invoices.php
index 7d1ef8a9..1eec38cc 100644
--- a/client_recurring_invoices.php
+++ b/client_recurring_invoices.php
@@ -71,21 +71,21 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $recurring_id = $row['recurring_id'];
- $recurring_prefix = $row['recurring_prefix'];
- $recurring_number = $row['recurring_number'];
- $recurring_scope = $row['recurring_scope'];
- $recurring_frequency = $row['recurring_frequency'];
- $recurring_status = $row['recurring_status'];
+ $recurring_prefix = htmlentities($row['recurring_prefix']);
+ $recurring_number = htmlentities($row['recurring_number']);
+ $recurring_scope = htmlentities($row['recurring_scope']);
+ $recurring_frequency = htmlentities($row['recurring_frequency']);
+ $recurring_status = htmlentities($row['recurring_status']);
 $recurring_last_sent = $row['recurring_last_sent'];
 if($recurring_last_sent == 0){
 $recurring_last_sent = "-";
 }
 $recurring_next_date = $row['recurring_next_date'];
- $recurring_amount = $row['recurring_amount'];
- $recurring_currency_code = $row['recurring_currency_code'];
+ $recurring_amount = htmlentities($row['recurring_amount']);
+ $recurring_currency_code = htmlentities($row['recurring_currency_code']);
 $recurring_created_at = $row['recurring_created_at'];
 $category_id = $row['category_id'];
- $category_name = $row['category_name'];
+ $category_name = htmlentities($row['category_name']);
 if($recurring_status == 1){
 $status = "Active";
 $status_badge_color = "success";
diff --git a/client_scheduled_tickets.php b/client_scheduled_tickets.php
index 0b9c646f..8173b208 100644
--- a/client_scheduled_tickets.php
+++ b/client_scheduled_tickets.php
@@ -67,9 +67,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while ($row = mysqli_fetch_array($sql)) {
 $scheduled_ticket_id = $row['scheduled_ticket_id'];
- $scheduled_ticket_subject = $row['scheduled_ticket_subject'];
- $scheduled_ticket_priority = $row['scheduled_ticket_priority'];
- $scheduled_ticket_frequency = $row['scheduled_ticket_frequency'];
+ $scheduled_ticket_subject = htmlentities($row['scheduled_ticket_subject']);
+ $scheduled_ticket_priority = htmlentities($row['scheduled_ticket_priority']);
+ $scheduled_ticket_frequency = htmlentities($row['scheduled_ticket_frequency']);
 $scheduled_ticket_next_run = $row['scheduled_ticket_next_run'];
 ?>
diff --git a/client_service_add_modal.php b/client_service_add_modal.php
index 5d818933..dfc76d5d 100644
--- a/client_service_add_modal.php
+++ b/client_service_add_modal.php
@@ -104,7 +104,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $contact_id = $row['contact_id'];
- $contact_name = $row['contact_name'];
+ $contact_name = htmlentities($row['contact_name']);
 echo "";
 }
 ?>
@@ -120,7 +120,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM vendors WHERE vendor_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $vendor_id = $row['vendor_id'];
- $vendor_name = $row['vendor_name'];
+ $vendor_name = htmlentities($row['vendor_name']);
 echo "";
 }
 ?>
@@ -136,7 +136,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $document_id = $row['document_id'];
- $document_name = $row['document_name'];
+ $document_name = htmlentities($row['document_name']);
 echo "";
 }
 ?>
@@ -162,7 +162,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $asset_id = $row['asset_id'];
- $asset_name = $row['asset_name'];
+ $asset_name = htmlentities($row['asset_name']);
 echo "";
 }
 ?>
@@ -180,7 +180,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $login_id = $row['login_id'];
- $login_name = $row['login_name'];
+ $login_name = htmlentities($row['login_name']);
 echo "";
 }
 ?>
@@ -203,7 +203,7 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $domain_id = $row['domain_id'];
- $domain_name = $row['domain_name'];
+ $domain_name = htmlentities($row['domain_name']);
 echo "";
 }
 ?>
@@ -221,8 +221,8 @@
 $sql = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id'");
 while($row = mysqli_fetch_array($sql)){
 $cert_id = $row['certificate_id'];
- $cert_name = $row['certificate_name'];
- $cert_domain = $row['certificate_domain'];
+ $cert_name = htmlentities($row['certificate_name']);
+ $cert_domain = htmlentities($row['certificate_domain']);
 echo "";
 }
 ?>
diff --git a/client_service_edit_modal.php b/client_service_edit_modal.php
index 092d958b..598dd136 100644
--- a/client_service_edit_modal.php
+++ b/client_service_edit_modal.php
@@ -111,7 +111,7 @@ while($row_all = mysqli_fetch_array($sql_all)){
 $contact_id = $row_all['contact_id'];
- $contact_name = $row_all['contact_name'];
+ $contact_name = htmlentities($row_all['contact_name']);
 if(in_array($contact_id, $selected_ids)){
 echo "";
@@ -135,7 +135,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM vendors WHERE vendor_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $vendor_id = $row_all['vendor_id'];
- $vendor_name = $row_all['vendor_name'];
+ $vendor_name = htmlentities($row_all['vendor_name']);
 if(in_array($vendor_id, $selected_ids)){
 echo "";
@@ -159,7 +159,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $document_id = $row_all['document_id'];
- $document_name = $row_all['document_name'];
+ $document_name = htmlentities($row_all['document_name']);
 if(in_array($document_id, $selected_ids)){
 echo "";
@@ -194,7 +194,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM assets WHERE asset_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $asset_id = $row_all['asset_id'];
- $asset_name = $row_all['asset_name'];
+ $asset_name = htmlentities($row_all['asset_name']);
 if(in_array($asset_id, $selected_ids)){
 echo "";
@@ -220,7 +220,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $login_id = $row_all['login_id'];
- $login_name = $row_all['login_name'];
+ $login_name = htmlentities($row_all['login_name']);
 if(in_array($login_id, $selected_ids)){
 echo "";
@@ -251,7 +251,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM domains WHERE domain_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $domain_id = $row_all['domain_id'];
- $domain_name = $row_all['domain_name'];
+ $domain_name = htmlentities($row_all['domain_name']);
 if(in_array($domain_id, $selected_ids)){
 echo "";
@@ -277,7 +277,7 @@
 $sql_all = mysqli_query($mysqli, "SELECT * FROM certificates WHERE certificate_client_id = '$client_id'");
 while($row_all = mysqli_fetch_array($sql_all)){
 $cert_id = $row_all['certificate_id'];
- $cert_name = $row_all['certificate_name'];
+ $cert_name = htmlentities($row_all['certificate_name']);
 if(in_array($cert_id, $selected_ids)){
 echo "";
diff --git a/client_services.php b/client_services.php
index fa3444df..6eacd6bc 100644
--- a/client_services.php
+++ b/client_services.php
@@ -59,12 +59,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $service_id = $row['service_id'];
- $service_name = $row['service_name'];
- $service_description = $row['service_description'];
- $service_category = $row['service_category'];
- $service_importance = $row['service_importance'];
- $service_backup = $row['service_backup'];
- $service_notes = $row['service_notes'];
+ $service_name = htmlentities($row['service_name']);
+ $service_description = htmlentities($row['service_description']);
+ $service_category = htmlentities($row['service_category']);
+ $service_importance = htmlentities($row['service_importance']);
+ $service_backup = htmlentities($row['service_backup']);
+ $service_notes = htmlentities($row['service_notes']);
 $service_updated_at = $row['service_updated_at'];
 $service_review_due = $row['service_review_due'];
@@ -109,32 +109,36 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 // Associated Assets (and their logins/networks/locations)
 $sql_assets = mysqli_query($mysqli, "SELECT * FROM service_assets
- LEFT JOIN assets
- ON service_assets.asset_id = assets.asset_id
- LEFT JOIN logins
- ON service_assets.asset_id = logins.login_asset_id
- LEFT JOIN networks
- ON assets.asset_network_id = networks.network_id
- LEFT JOIN locations
- ON assets.asset_location_id = locations.location_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN assets
+ ON service_assets.asset_id = assets.asset_id
+ LEFT JOIN logins
+ ON service_assets.asset_id = logins.login_asset_id
+ LEFT JOIN networks
+ ON assets.asset_network_id = networks.network_id
+ LEFT JOIN locations
+ ON assets.asset_location_id = locations.location_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated logins
 $sql_logins = mysqli_query($mysqli, "SELECT * FROM service_logins
- LEFT JOIN logins
- ON service_logins.login_id = logins.login_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN logins
+ ON service_logins.login_id = logins.login_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated Domains
 $sql_domains = mysqli_query($mysqli, "SELECT * FROM service_domains
- LEFT JOIN domains
- ON service_domains.domain_id = domains.domain_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN domains
+ ON service_domains.domain_id = domains.domain_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated Certificates
 $sql_certificates = mysqli_query($mysqli, "SELECT * FROM service_certificates
- LEFT JOIN certificates
- ON service_certificates.certificate_id = certificates.certificate_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN certificates
+ ON service_certificates.certificate_id = certificates.certificate_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated URLs ---- REMOVED for now
 //$sql_urls = mysqli_query($mysqli, "SELECT * FROM service_urls
@@ -142,21 +146,24 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 // Associated Vendors
 $sql_vendors = mysqli_query($mysqli, "SELECT * FROM service_vendors
- LEFT JOIN vendors
- ON service_vendors.vendor_id = vendors.vendor_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN vendors
+ ON service_vendors.vendor_id = vendors.vendor_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated Contacts
 $sql_contacts = mysqli_query($mysqli, "SELECT * FROM service_contacts
- LEFT JOIN contacts
- ON service_contacts.contact_id = contacts.contact_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN contacts
+ ON service_contacts.contact_id = contacts.contact_id
+ WHERE service_id = '$service_id'"
+ );
 // Associated Documents
 $sql_docs = mysqli_query($mysqli, "SELECT * FROM service_documents
- LEFT JOIN documents
- ON service_documents.document_id = documents.document_id
- WHERE service_id = '$service_id'");
+ LEFT JOIN documents
+ ON service_documents.document_id = documents.document_id
+ WHERE service_id = '$service_id'"
+ );
 include("client_service_edit_modal.php");
 include("client_service_view_modal.php");
diff --git a/client_shared_items.php b/client_shared_items.php
index 9ce7cc85..d425034e 100644
--- a/client_shared_items.php
+++ b/client_shared_items.php
@@ -69,30 +69,30 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $item_id = $row['item_id'];
- $item_active = $row['item_active'];
- $item_key = $row['item_key'];
- $item_type = $row['item_type'];
+ $item_active = htmlentities($row['item_active']);
+ $item_key = htmlentities($row['item_key']);
+ $item_type = htmlentities($row['item_type']);
 $item_related_id = $row['item_related_id'];
- $item_note = $row['item_note'];
- $item_views = $row['item_views'];
- $item_view_limit = $row['item_view_limit'];
+ $item_note = htmlentities($row['item_note']);
+ $item_views = htmlentities($row['item_views']);
+ $item_view_limit = htmlentities($row['item_view_limit']);
 $item_created_at = $row['item_created_at'];
 $item_expire_at = $row['item_expire_at'];
 if($item_type == 'Login'){
 $share_item_sql = mysqli_query($mysqli, "SELECT login_name FROM logins WHERE login_id = '$item_related_id' AND login_client_id = '$client_id'");
 $share_item = mysqli_fetch_array($share_item_sql);
- $item_name = $share_item['login_name'];
+ $item_name = htmlentities($share_item['login_name']);
 } elseif($item_type == 'Document'){
 $share_item_sql = mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_related_id' AND document_client_id = '$client_id'");
 $share_item = mysqli_fetch_array($share_item_sql);
- $item_name = $share_item['document_name'];
+ $item_name = htmlentities($share_item['document_name']);
 } elseif($item_type == 'File'){
 $share_item_sql = mysqli_query($mysqli, "SELECT file_name FROM files WHERE file_id = '$item_related_id' AND file_client_id = '$client_id'");
 $share_item = mysqli_fetch_array($share_item_sql);
- $item_name = $share_item['file_name'];
+ $item_name = htmlentities($share_item['file_name']);
 }
diff --git a/client_software.php b/client_software.php
index 1e0470a6..16e89fb2 100644
--- a/client_software.php
+++ b/client_software.php
@@ -68,20 +68,20 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $software_id = $row['software_id'];
- $software_name = $row['software_name'];
- $software_version = $row['software_version'];
- $software_type = $row['software_type'];
- $software_license_type = $row['software_license_type'];
- $software_key = $row['software_key'];
- $software_seats = $row['software_seats'];
+ $software_name = htmlentities($row['software_name']);
+ $software_version = htmlentities($row['software_version']);
+ $software_type = htmlentities($row['software_type']);
+ $software_license_type = htmlentities($row['software_license_type']);
+ $software_key = htmlentities($row['software_key']);
+ $software_seats = htmlentities($row['software_seats']);
 $software_purchase = $row['software_purchase'];
 $software_expire = $row['software_expire'];
- $software_notes = $row['software_notes'];
+ $software_notes = htmlentities($row['software_notes']);
 // Get Login
 $login_id = $row['login_id'];
- $login_username = $row['login_username'];
- $login_password = decryptLoginEntry($row['login_password']);
+ $login_username = htmlentities($row['login_username']);
+ $login_password = htmlentities(decryptLoginEntry($row['login_password']));
 $seat_count = 0;
diff --git a/client_software_add_modal.php b/client_software_add_modal.php
index d3f7b46c..991b02dd 100644
--- a/client_software_add_modal.php
+++ b/client_software_add_modal.php
@@ -140,9 +140,9 @@ while($row = mysqli_fetch_array($sql)){
 $asset_id = $row['asset_id'];
- $asset_name = $row['asset_name'];
- $asset_type = $row['asset_type'];
- $contact_name = $row['contact_name'];
+ $asset_name = htmlentities($row['asset_name']);
+ $asset_type = htmlentities($row['asset_type']);
+ $contact_name = htmlentities($row['contact_name']);
 ?>
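Review bot: The decrypted password is now HTML-encoded before it is stored in `$login_password`; that is right if the variable is printed as text or into an attribute, but if it is also emitted inside a `<script>` block or handed to a reveal/copy routine there, entities such as `&amp;` are not decoded in that context and the user gets a corrupted secret, so confirm where `$login_password` is consumed (outside the hunk) before relying on this. `$software_seats` is encoded although it reads as a count, and `$seat_count = 0;` on the last visible line suggests it is compared with that counter further down; encoding digits is a no-op, but the raw row value is the right thing to keep for the comparison and the encoded copy belongs at the print site. A one-line local helper for the free-text columns would make the intent clearer: `$esc = static fn (?string $v): string => htmlentities((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The loop body continues past the hunk.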
  • @@ -173,8 +173,8 @@ while($row = mysqli_fetch_array($sql)){
 $contact_id = $row['contact_id'];
- $contact_name = $row['contact_name'];
- $contact_email = $row['contact_email'];
+ $contact_name = htmlentities($row['contact_name']);
+ $contact_email = htmlentities($row['contact_email']);
 ?>
  • diff --git a/client_software_edit_modal.php b/client_software_edit_modal.php
index a7b14ab4..c7e9cedb 100644
--- a/client_software_edit_modal.php
+++ b/client_software_edit_modal.php
@@ -140,9 +140,9 @@ while($row = mysqli_fetch_array($sql_assets_select)){
 $asset_id_select = $row['asset_id'];
- $asset_name_select = $row['asset_name'];
- $asset_type_select = $row['asset_type'];
- $contact_name_select = $row['contact_name'];
+ $asset_name_select = htmlentities($row['asset_name']);
+ $asset_type_select = htmlentities($row['asset_type']);
+ $contact_name_select = htmlentities($row['contact_name']);
 ?>
  • @@ -173,8 +173,8 @@ while($row = mysqli_fetch_array($sql_contacts_select)){
 $contact_id_select = $row['contact_id'];
- $contact_name_select = $row['contact_name'];
- $contact_email_select = $row['contact_email'];
+ $contact_name_select = htmlentities($row['contact_name']);
+ $contact_email_select = htmlentities($row['contact_email']);
 ?>
  • diff --git a/client_tickets.php b/client_tickets.php
index ab8e9245..5f4af54c 100644
--- a/client_tickets.php
+++ b/client_tickets.php
@@ -82,12 +82,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $ticket_id = $row['ticket_id'];
- $ticket_prefix = $row['ticket_prefix'];
- $ticket_number = $row['ticket_number'];
- $ticket_subject = $row['ticket_subject'];
+ $ticket_prefix = htmlentities($row['ticket_prefix']);
+ $ticket_number = htmlentities($row['ticket_number']);
+ $ticket_subject = htmlentities($row['ticket_subject']);
 $ticket_details = $row['ticket_details'];
- $ticket_priority = $row['ticket_priority'];
- $ticket_status = $row['ticket_status'];
+ $ticket_priority = htmlentities($row['ticket_priority']);
+ $ticket_status = htmlentities($row['ticket_status']);
 $ticket_created_at = $row['ticket_created_at'];
 $ticket_updated_at = $row['ticket_updated_at'];
 if (empty($ticket_updated_at)) {
@@ -128,26 +128,20 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 $ticket_assigned_to_display = "

    Not Assigned

    ";
 }
 } else {
- $ticket_assigned_to_display = $row['user_name'];
+ $ticket_assigned_to_display = htmlentities($row['user_name']);
 }
 $contact_id = $row['contact_id'];
- $contact_name = $row['contact_name'];
+ $contact_name = htmlentities($row['contact_name']);
 if(empty($contact_name)){
 $contact_display = "-";
 }else{
 $contact_display = "$contact_name
    $contact_email";
 }
- $contact_title = $row['contact_title'];
- $contact_email = $row['contact_email'];
- $contact_phone = $row['contact_phone'];
- if(strlen($contact_phone)>2){
- $contact_phone = substr($row['contact_phone'],0,3)."-".substr($row['contact_phone'],3,3)."-".substr($row['contact_phone'],6,4);
- }
- $contact_extension = $row['contact_extension'];
- $contact_mobile = $row['contact_mobile'];
- if(strlen($contact_mobile)>2){
- $contact_mobile = substr($row['contact_mobile'],0,3)."-".substr($row['contact_mobile'],3,3)."-".substr($row['contact_mobile'],6,4);
- }
+ $contact_title = htmlentities($row['contact_title']);
+ $contact_email = htmlentities($row['contact_email']);
+ $contact_phone = formatPhoneNumber($row['contact_phone']);
+ $contact_extension = htmlentities($row['contact_extension']);
+ $contact_mobile = formatPhoneNumber($row['contact_mobile']);
 ?>
diff --git a/client_trips.php b/client_trips.php
index f6c82d03..995c2d4d 100644
--- a/client_trips.php
+++ b/client_trips.php
@@ -88,12 +88,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $trip_id = $row['trip_id'];
 $trip_date = $row['trip_date'];
- $trip_purpose = $row['trip_purpose'];
- $trip_source = $row['trip_source'];
- $trip_destination = $row['trip_destination'];
- $trip_miles = $row['trip_miles'];
+ $trip_purpose = htmlentities($row['trip_purpose']);
+ $trip_source = htmlentities($row['trip_source']);
+ $trip_destination = htmlentities($row['trip_destination']);
+ $trip_miles = htmlentities($row['trip_miles']);
 $trip_user_id = $row['trip_user_id'];
- $round_trip = $row['round_trip'];
+ $round_trip = htmlentities($row['round_trip']);
 $client_id = $row['trip_client_id'];
 if($round_trip == 1){
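Review bot: `$contact_display` is built from `$contact_email` inside the `if(empty($contact_name))` block before `$contact_email = htmlentities($row['contact_email']);` is assigned further down the same loop body, so unless it is set somewhere in the unseen part of the loop, the first row interpolates an undefined variable and every later row shows the previous ticket's contact email next to the current contact's name — a pre-existing ordering bug this hunk preserves while rewriting the neighbouring lines. Moving the new `$contact_email = htmlentities($row['contact_email']);` line above `if(empty($contact_name)){` fixes it. `$ticket_details = $row['ticket_details'];` in the first hunk is the only row value left unencoded; if it is rendered as HTML on purpose (rich-text body) it needs an HTML sanitiser rather than nothing, and if it is shown as text it should get the same treatment as `$ticket_subject`. The loop starts inside the first hunk and continues between and past both.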
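Review bot: `$round_trip = htmlentities($row['round_trip']);` wraps a flag that the next visible line compares with `== 1`, and `$trip_miles` is encoded although it reads as a number; both keep working through loose comparison, but encoding numeric columns at fetch buys nothing and leaves any later arithmetic on `$trip_miles` (outside the hunk) operating on a value whose type changed. Keep the raw row values for `$round_trip` and `$trip_miles` and encode only the free-text columns `trip_purpose`, `trip_source` and `trip_destination`. The same applies to `item_active`, `item_views` and `item_view_limit` in client_shared_items.php, `invoice_amount` and `payment_amount` in client_payments.php, `quote_amount` in client_quotes.php, `recurring_amount` and `recurring_status` (also compared with `== 1`) in client_recurring_invoices.php, and `client_net_terms` in clients.php.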
@@ -101,7 +101,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 }else{
 $round_trip_display = "";
 }
- $user_name = $row['user_name'];
+ $user_name = htmlentities($row['user_name']);
 if(empty($user_name)){
 $user_name_display = "-";
 }else{
diff --git a/client_vendors.php b/client_vendors.php
index cebdbbde..8caebfff 100644
--- a/client_vendors.php
+++ b/client_vendors.php
@@ -77,28 +77,28 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $vendor_id = $row['vendor_id'];
- $vendor_name = $row['vendor_name'];
- $vendor_description = $row['vendor_description'];
+ $vendor_name = htmlentities($row['vendor_name']);
+ $vendor_description = htmlentities($row['vendor_description']);
 if(empty($vendor_description)){
 $vendor_description_display = "-";
 }else{
 $vendor_description_display = $vendor_description;
 }
- $vendor_account_number = $row['vendor_account_number'];
- $vendor_contact_name = $row['vendor_contact_name'];
+ $vendor_account_number = htmlentities($row['vendor_account_number']);
+ $vendor_contact_name = htmlentities($row['vendor_contact_name']);
 if(empty($vendor_contact_name)){
 $vendor_contact_name_display = "-";
 }else{
 $vendor_contact_name_display = $vendor_contact_name;
 }
 $vendor_phone = formatPhoneNumber($row['vendor_phone']);
- $vendor_extension = $row['vendor_extension'];
- $vendor_email = $row['vendor_email'];
- $vendor_website = $row['vendor_website'];
- $vendor_hours = $row['vendor_hours'];
- $vendor_sla = $row['vendor_sla'];
- $vendor_code = $row['vendor_code'];
- $vendor_notes = $row['vendor_notes'];
+ $vendor_extension = htmlentities($row['vendor_extension']);
+ $vendor_email = htmlentities($row['vendor_email']);
+ $vendor_website = htmlentities($row['vendor_website']);
+ $vendor_hours = htmlentities($row['vendor_hours']);
+ $vendor_sla = htmlentities($row['vendor_sla']);
+ $vendor_code = htmlentities($row['vendor_code']);
+ $vendor_notes = htmlentities($row['vendor_notes']);
 $vendor_template_id = $row['vendor_template_id'];
 ?>
diff --git a/clients.php b/clients.php
index c7645110..b62b2f50 100644
--- a/clients.php
+++ b/clients.php
@@ -177,31 +177,31 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; - $client_type = $row['client_type']; + $client_name = htmlentities($row['client_name']); + $client_type = htmlentities($row['client_type']); $location_id = $row['location_id']; - $location_country = $row['location_country']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; + $location_country = htmlentities($row['location_country']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); if(empty($location_address) && empty($location_city) && empty($location_state) && empty($location_zip)){ $location_address_display = "-"; }else{ $location_address_display = "$location_address
    $location_city $location_state $location_zip"; } $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; - $contact_title = $row['contact_title']; + $contact_name = htmlentities($row['contact_name']); + $contact_title = htmlentities($row['contact_title']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $contact_email = $row['contact_email']; - $client_website = $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = $row['client_net_terms']; - $client_referral = $row['client_referral']; - $client_notes = $row['client_notes']; + $contact_email = htmlentities($row['contact_email']); + $client_website = htmlentities($row['client_website']); + $client_currency_code = htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); + $client_referral = htmlentities($row['client_referral']); + $client_notes = htmlentities($row['client_notes']); $client_created_at = $row['client_created_at']; $client_updated_at = $row['client_updated_at']; $client_archive_at = $row['client_archived_at']; @@ -214,9 +214,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql_client_tags)){ $client_tag_id = $row['tag_id']; - $client_tag_name = $row['tag_name']; - $client_tag_color = $row['tag_color']; - $client_tag_icon = $row['tag_icon']; + $client_tag_name = htmlentities($row['tag_name']); + $client_tag_color = htmlentities($row['tag_color']); + $client_tag_icon = htmlentities($row['tag_icon']); if(empty($client_tag_icon)){ $client_tag_icon = "tag"; } diff --git a/companies.php b/companies.php index 0b68bb7a..7d3502db 100644 --- a/companies.php +++ b/companies.php 
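Review bot: `$contact_phone` and `$contact_mobile` are the only string columns in this hunk left unescaped, because they go through `formatPhoneNumber()` instead of `htmlentities()`; what that helper returns for input that is not a phone number is not visible here, and if it passes unrecognised input through unchanged those two fields remain a raw-DB-to-HTML path on the client list. Wrapping the result, `$contact_phone = htmlentities(formatPhoneNumber($row['contact_phone']));`, closes that regardless of how the helper behaves. Separately, this hunk escapes `$client_net_terms` while the inc_all_client.php hunk in the same commit reads it raw and compares with `== 0`; both work, but picking one form avoids confusion later about which variables are "already safe". The `while` loop this belongs to continues past the hunk.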
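Review bot: `$client_tag_color` is HTML-escaped, but a colour value is presumably emitted inside a `style` attribute or a class name, where entity encoding is the wrong tool: it stops the value breaking out of the attribute (and only with ENT_QUOTES) but not from appending further CSS declarations after a `;`. Since a tag colour has a known shape, validate instead of escape, e.g. `if(!preg_match('/^#[0-9a-fA-F]{3,8}$/', $client_tag_color)){ $client_tag_color = ''; }` (adjusted to whatever format the tag editor stores), and treat `$client_tag_icon` the same way against an allow-list of icon names, since the `"tag"` default suggests it is interpolated into a class attribute. The lines that print the tag are outside the hunk, so where these values land is inferred.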
@@ -52,20 +52,20 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_country = $row['company_country']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_country = htmlentities($row['company_country']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_website = $row['company_website']; - $company_logo = $row['company_logo']; - $company_locale = $row['company_locale']; - $company_currency = $row['company_currency']; + $company_email = htmlentities($row['company_email']); + $company_website = htmlentities($row['company_website']); + $company_logo = htmlentities($row['company_logo']); + $company_locale = htmlentities($row['company_locale']); + $company_currency = htmlentities($row['company_currency']); - $company_initials = initials($company_name); + $company_initials = htmlentities(initials($company_name)); diff --git a/dashboard_financial.php b/dashboard_financial.php index 068b9f01..f541f49a 100644 --- a/dashboard_financial.php +++ b/dashboard_financial.php @@ -334,7 +334,7 @@ $vendors_added = $row['vendors_added']; @@ -394,10 +394,10 @@ $vendors_added = $row['vendors_added']; @@ -437,9 +437,9 @@ $vendors_added = $row['vendors_added']; @@ -741,8 +741,8 @@ var myPieChart = new Chart(ctx, { @@ -768,8 +768,8 @@ var myPieChart = new Chart(ctx, { 
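Review bot: `$company_initials = htmlentities(initials($company_name))` now calls `initials()` on the already-entity-encoded `$company_name`, so a name such as `&Co Ltd` is reduced to the initials of `&amp;Co Ltd` and the result is then encoded a second time. Feed the helper the raw column and escape once: `$company_initials = htmlentities(initials($row['company_name']));`. The same read-then-escape ordering applies to `$company_logo`, which is a file name: if it is used to build an `uploads/settings/...` path later in this file (as guest_view_invoice.php does in this commit), escaping it first makes a name containing `&` or a quote unreadable, and `htmlentities` does nothing against `../` anyway, so that value wants path validation (`basename()` plus an existence check) rather than HTML encoding.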
@@ -798,8 +798,8 @@ var myPieChart = new Chart(ctx, { 0 AND YEAR(expense_date) = $year AND categories.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql_categories)){ - $category_name = $row['category_name']; - echo "\"$category_name\","; + $category_name = json_encode($row['category_name']); + echo "$category_name,"; } ?> @@ -825,8 +825,8 @@ var myPieChart = new Chart(ctx, { 0 AND YEAR(expense_date) = $year AND categories.company_id = $session_company_id"); while($row = mysqli_fetch_array($sql_categories)){ - $category_color = $row['category_color']; - echo "\"$category_color\","; + $category_color = json_encode($row['category_color']); + echo "$category_color,"; } ?> @@ -851,8 +851,8 @@ var myPieChart = new Chart(ctx, { @@ -878,8 +878,8 @@ var myPieChart = new Chart(ctx, { diff --git a/expense_add_modal.php b/expense_add_modal.php index 99adc277..303f9587 100644 --- a/expense_add_modal.php +++ b/expense_add_modal.php @@ -46,8 +46,8 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE account_archived_at IS NULL AND company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; - $opening_balance = $row['opening_balance']; + $account_name = htmlentities($row['account_name']); + $opening_balance = htmlentities($row['opening_balance']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id"); $row = mysqli_fetch_array($sql_payments); @@ -86,7 +86,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_client_id = 0 AND vendor_archived_at IS NULL AND company_id = $session_company_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql)){ $vendor_id = $row['vendor_id']; - $vendor_name = $row['vendor_name']; + $vendor_name = htmlentities($row['vendor_name']); ?> 
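Review bot: `json_encode($row['category_name'])` returns `false` for a string that is not valid UTF-8, and `echo "$category_name,"` then prints just `,`, leaving a hole in the labels array and, because labels and colours come from two separate queries, a shifted label/colour pairing for every category after it. Encode with flags that make failure loud and that stay safe inside an inline `<script>` wherever the output ends up: `json_encode($row['category_name'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR)` (the default already escapes `/`, so `</script>` cannot close the tag, but the HEX flags also cover an attribute context). Collecting the series into a PHP array and emitting one `json_encode($labels)` would also remove the hand-written brackets and trailing comma. The `YEAR(expense_date) = $year` in the header context line is string interpolation; where `$year` comes from is outside the hunk, so please confirm it is cast with `intval()` before it reaches the query.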
@@ -121,7 +121,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Expense' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> diff --git a/expense_copy_modal.php b/expense_copy_modal.php index cf258bd8..8c53c1e3 100644 --- a/expense_copy_modal.php +++ b/expense_copy_modal.php @@ -47,8 +47,8 @@ $sql_accounts = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql_accounts)){ $account_id_select = $row['account_id']; - $account_name_select = $row['account_name']; - $opening_balance = $row['opening_balance']; + $account_name_select = htmlentities($row['account_name']); + $opening_balance = htmlentities($row['opening_balance']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id_select"); $row = mysqli_fetch_array($sql_payments); 
@@ -85,7 +85,7 @@ $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE company_id = $session_company_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql_vendors)){ $vendor_id_select = $row['vendor_id']; - $vendor_name_select = $row['vendor_name']; + $vendor_name_select = htmlentities($row['vendor_name']); ?> '$expense_created_at' OR account_archived_at IS NULL) AND company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql_accounts)){ $account_id_select = $row['account_id']; - $account_name_select = $row['account_name']; - $opening_balance = $row['opening_balance']; + $account_name_select = htmlentities($row['account_name']); + $opening_balance = htmlentities($row['opening_balance']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id_select"); $row = mysqli_fetch_array($sql_payments); @@ -88,7 +88,7 @@ $sql_select = mysqli_query($mysqli,"SELECT * FROM vendors WHERE vendor_client_id = 0 AND (vendor_archived_at > '$expense_created_at' OR vendor_archived_at IS NULL) AND company_id = $session_company_id ORDER BY vendor_name ASC"); while($row = mysqli_fetch_array($sql_select)){ $vendor_id_select = $row['vendor_id']; - $vendor_name_select = $row['vendor_name']; + $vendor_name_select = htmlentities($row['vendor_name']); ?> '$expense_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql_select)){ $category_id_select = $row['category_id']; - $category_name_select = $row['category_name']; + $category_name_select = htmlentities($row['category_name']); ?> 
@@ -94,15 +94,15 @@ if(isset($_GET['query'])){ while($row = mysqli_fetch_array($sql_contacts)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; - $contact_title = $row['contact_title']; + $contact_name = htmlentities($row['contact_name']); + $contact_title = htmlentities($row['contact_title']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $contact_email = $row['contact_email']; + $contact_email = htmlentities($row['contact_email']); $client_id = $row['client_id']; - $client_name = $row['client_name']; - $contact_department = $row['contact_department']; + $client_name = htmlentities($row['client_name']); + $contact_department = htmlentities($row['contact_department']); ?> @@ -147,8 +147,8 @@ if(isset($_GET['query'])){ @@ -189,8 +189,8 @@ if(isset($_GET['query'])){ @@ -230,9 +230,9 @@ if(isset($_GET['query'])){ @@ -276,9 +276,9 @@ if(isset($_GET['query'])){ while($row = mysqli_fetch_array($sql_tickets)){ $ticket_id = $row['ticket_id']; - $ticket_subject = $row['ticket_subject']; - $ticket_client = $row['client_name']; - $ticket_status = $row['ticket_status']; + $ticket_subject = htmlentities($row['ticket_subject']); + $ticket_client = htmlentities($row['client_name']); + $ticket_status = htmlentities($row['ticket_status']); ?> @@ -321,10 +321,10 @@ if(isset($_GET['query'])){ diff --git a/guest_view_invoice.php b/guest_view_invoice.php index 372eb968..de85fa40 100644 --- a/guest_view_invoice.php +++ b/guest_view_invoice.php 
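Review bot: As in clients.php, `$contact_phone` and `$contact_mobile` pass through `formatPhoneNumber()` without `htmlentities()` while every other string in the contact row is escaped; unless that helper is known to emit only digits and punctuation, escape its return value too (`htmlentities(formatPhoneNumber($row['contact_phone']))`) so the search results have no raw-DB-to-HTML path left. The header shows this block runs under `if(isset($_GET['query']))`, but `$sql_contacts` is built above the hunk, so I cannot see whether `$_GET['query']` reaches the `LIKE` clause through a prepared statement or by interpolation the way `$session_company_id` does elsewhere in this diff; worth confirming, since output escaping does nothing for that. The enclosing `while` loop starts before the hunk.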
@@ -21,45 +21,45 @@ if(isset($_GET['invoice_id'], $_GET['url_key'])){ $row = mysqli_fetch_array($sql); $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; - $invoice_number = $row['invoice_number']; - $invoice_status = $row['invoice_status']; + $invoice_prefix = htmlentities($row['invoice_prefix']); + $invoice_number = htmlentities($row['invoice_number']); + $invoice_status = htmlentities($row['invoice_status']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; - $invoice_currency_code = $row['invoice_currency_code']; - $invoice_note = $row['invoice_note']; + $invoice_amount = htmlentities($row['invoice_amount']); + $invoice_currency_code = htmlentities($row['invoice_currency_code']); + $invoice_note = htmlentities($row['invoice_note']); $invoice_category_id = $row['invoice_category_id']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = $row['client_net_terms']; + $client_website = htmlentities($row['client_website']); + $client_currency_code = 
htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_logo = $row['company_logo']; + $company_email = htmlentities($row['company_email']); + $company_logo = htmlentities($row['company_logo']); if(!empty($company_logo)){ $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); } - $company_locale = $row['company_locale']; - $config_invoice_footer = $row['config_invoice_footer']; + $company_locale = htmlentities($row['company_locale']); + $config_invoice_footer = htmlentities($row['config_invoice_footer']); $config_stripe_enable = $row['config_stripe_enable']; $config_stripe_publishable = $row['config_stripe_publishable']; $config_stripe_secret = $row['config_stripe_secret']; @@ -216,8 +216,8 @@ if(isset($_GET['invoice_id'], $_GET['url_key'])){ while($row = mysqli_fetch_array($sql_invoice_items)){ $item_id = $row['item_id']; - $item_name = $row['item_name']; - $item_description = $row['item_description']; + $item_name = htmlentities($row['item_name']); + $item_description = htmlentities($row['item_description']); $item_quantity = $row['item_quantity']; $item_price = $row['item_price']; $item_subtotal = $row['item_price']; 
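Review bot: `$company_logo = htmlentities($row['company_logo'])` runs a few lines before `file_get_contents("uploads/settings/$company_id/$company_logo")`, so the file name is now HTML-encoded when it is used as a path; a logo stored as `logo&co.png` or with a quote in the name stops loading, `file_get_contents` returns `false` with a warning, and `base64_encode(false)` silently embeds an empty image in a guest-facing invoice. Keep the raw value for the filesystem and escape only what is printed: `$company_logo = $row['company_logo'];` for the path, with `htmlentities($company_logo)` at any HTML output. Entity encoding also leaves `../` untouched, so if this column can be set through an upload form it needs `basename()`-style validation separately. The guest_view_quote.php hunk in this commit has the same ordering.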
@@ -300,8 +300,8 @@ if(isset($_GET['invoice_id'], $_GET['url_key'])){ var docDefinition = { info: { - title: '', - author: '' + title: , + author: }, //watermark: {text: '', color: 'lightgrey', opacity: 0.3, bold: true, italics: false}, @@ -312,7 +312,7 @@ var docDefinition = { columns: [ { - image: '', + image: , width: 120 }, @@ -324,7 +324,7 @@ var docDefinition = { width: '*' }, { - text: '', + text: , style: 'invoiceNumber', width: '*' }, @@ -335,12 +335,12 @@ var docDefinition = { { columns: [ { - text: , - style:'invoiceBillingTitle', + text: , + style: 'invoiceBillingTitle', }, { - text: , - style:'invoiceBillingTitleClient', + text: , + style: 'invoiceBillingTitleClient', }, ] }, @@ -348,11 +348,11 @@ var docDefinition = { { columns: [ { - text: , + text: , style: 'invoiceBillingAddress' }, { - text: , + text: , style: 'invoiceBillingAddressClient' }, ] @@ -369,7 +369,7 @@ var docDefinition = { // Total [ { - text:'', + text: '', rowSpan: 3 }, {}, @@ -378,23 +378,23 @@ var docDefinition = { [ {}, { - text:'Invoice Date', - style:'invoiceDateTitle', + text: 'Invoice Date', + style: 'invoiceDateTitle' }, { - text:'', - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], [ {}, { - text:'Due Date', - style:'invoiceDateTitle', + text: 'Due Date', + style: 'invoiceDateTitle' }, { - text:'', - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], ] @@ -459,29 +459,29 @@ var docDefinition = { [ [ { - text: , + text: , style:'itemTitle' }, { - text: , + text: , style:'itemDescription' } ], { - text:'', - style:'itemQty' + text: , + style: 'itemQty' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text: '', - style:'itemNumber' + text: , + style: 'itemNumber' } ], @@ -506,7 +506,7 @@ var docDefinition = { [ { text: 'Notes', - style:'notesTitle' + style: 'notesTitle' }, {}, {} 
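Review bot: The PHP expression that now fills `title: ,`, `author: ,`, `image: ,` and the `text:` fields was dropped by the page extraction, so I cannot see whether it is `json_encode(...)`; assuming it is, the values it serialises (`$invoice_number`, `$client_name`, `$company_name`, `$item_name`, ...) were already passed through `htmlentities()` in the `@@ -21,45` hunk, and pdfmake renders text literally, so a client named `Smith & Sons` will print as `Smith &amp; Sons` in the PDF. Either serialise the raw `$row[...]` values here, or decode first: `json_encode(html_entity_decode($client_name, ENT_QUOTES | ENT_HTML401, 'UTF-8'))`. If the expression is instead still a bare `<?php echo $x ?>` inside JS quotes rather than `json_encode`, a quote in any of these strings breaks out of the JS string on a page reachable with only an `invoice_id` and `url_key`, which is the more important thing to confirm. The `docDefinition` object starts in this hunk and closes well outside it.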
@@ -514,61 +514,61 @@ var docDefinition = { [ { rowSpan: 5, - text: , - style:'notesText' + text: , + style: 'notesText' }, { - text:'Subtotal', - style:'itemsFooterSubTitle' + text: 'Subtotal', + style: 'itemsFooterSubTitle' }, { - text:'', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Tax', - style:'itemsFooterSubTitle' + text: 'Tax', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Total', - style:'itemsFooterSubTitle' + text: 'Total', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Paid', - style:'itemsFooterSubTitle' + text: 'Paid', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Balance', - style:'itemsFooterTotalTitle' + text: 'Balance', + style: 'itemsFooterTotalTitle' }, { - text: '', + text: , - style:'itemsFooterTotalTitle' + style: 'itemsFooterTotalTitle' } ], ] @@ -577,7 +577,7 @@ var docDefinition = { }, // TERMS / FOOTER { - text: , + text: , style: 'documentFooterCenter' } ], //End Content, @@ -586,32 +586,32 @@ var docDefinition = { documentFooterCenter: { fontSize: 9, margin: [10,50,10,10], - alignment:'center' + alignment: 'center' }, // Invoice Title invoiceTitle: { fontSize: 18, bold: true, - alignment:'right', - margin:[0,0,0,3] + alignment: 'right', + margin: [0,0,0,3] }, // Invoice Number invoiceNumber: { fontSize: 14, - alignment:'right' + alignment: 'right' }, // Billing Headers invoiceBillingTitle: { fontSize: 14, bold: true, - alignment:'left', - margin:[0,20,0,5] + alignment: 'left', + margin: [0,20,0,5] }, invoiceBillingTitleClient: { fontSize: 14, bold: true, - alignment:'right', - margin:[0,20,0,5] + alignment: 'right', + margin: [0,20,0,5] }, // Billing Details invoiceBillingAddress: { 
@@ -621,26 +621,26 @@ var docDefinition = { invoiceBillingAddressClient: { fontSize: 10, lineHeight: 1.2, - alignment:'right', - margin:[0,0,0,30] + alignment: 'right', + margin: [0,0,0,30] }, // Invoice Dates invoiceDateTitle: { fontSize: 10, - alignment:'left', - margin:[0,5,0,5] + alignment: 'left', + margin: [0,5,0,5] }, invoiceDateValue: { fontSize: 10, - alignment:'right', - margin:[0,5,0,5] + alignment: 'right', + margin: [0,5,0,5] }, // Items Header itemsHeader: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right' + alignment: 'right' }, // Item Title itemTitle: { @@ -657,61 +657,61 @@ var docDefinition = { itemQty: { fontSize: 10, margin: [0,5,0,5], - alignment: 'center', + alignment: 'center' }, itemNumber: { fontSize: 10, margin: [0,5,0,5], - alignment: 'right', + alignment: 'right' }, itemTotal: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment: 'right', + alignment: 'right' }, // Items Footer (Subtotal, Total, Tax, etc) itemsFooterSubTitle: { fontSize: 10, margin: [0,5,0,5], - alignment:'right', + alignment: 'right' }, itemsFooterSubValue: { fontSize: 10, margin: [0,5,0,5], bold: false, - alignment:'right', + alignment: 'right' }, itemsFooterTotalTitle: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, itemsFooterTotalValue: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, notesTitle: { fontSize: 10, bold: true, - margin: [0,5,0,5], + margin: [0,5,0,5] }, notesText: { fontSize: 9, margin: [0,5,50,5] }, left: { - alignment:'left', + alignment: 'left' }, center: { - alignment:'center', + alignment: 'center' }, }, defaultStyle: { - columnGap: 20, + columnGap: 20 } } 
@@ -744,13 +744,13 @@ var docDefinition = { while($row = mysqli_fetch_array($sql)){ $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; - $invoice_number = $row['invoice_number']; + $invoice_prefix = htmlentities($row['invoice_prefix']); + $invoice_number = htmlentities($row['invoice_number']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; - $invoice_currency_code = $row['invoice_currency_code']; - $invoice_url_key = $row['invoice_url_key']; + $invoice_amount = htmlentities($row['invoice_amount']); + $invoice_currency_code = htmlentities($row['invoice_currency_code']); + $invoice_url_key = htmlentities($row['invoice_url_key']); $invoice_tally_total = $invoice_amount + $invoice_tally_total; $difference = time() - strtotime($invoice_due); $days = floor($difference / (60*60*24) ); @@ -804,13 +804,13 @@ var docDefinition = { while($row = mysqli_fetch_array($sql)){ $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; - $invoice_number = $row['invoice_number']; + $invoice_prefix = htmlentities($row['invoice_prefix']); + $invoice_number = htmlentities($row['invoice_number']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; - $invoice_currency_code = $row['invoice_currency_code']; - $invoice_url_key = $row['invoice_url_key']; + $invoice_amount = htmlentities($row['invoice_amount']); + $invoice_currency_code = htmlentities($row['invoice_currency_code']); + $invoice_url_key = htmlentities($row['invoice_url_key']); $invoice_tally_total = $invoice_amount + $invoice_tally_total; $difference = strtotime($invoice_due) - time(); $days = floor($difference / (60*60*24) ); 
@@ -865,13 +865,13 @@ var docDefinition = { while($row = mysqli_fetch_array($sql)){ $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; - $invoice_number = $row['invoice_number']; + $invoice_prefix = htmlentities($row['invoice_prefix']); + $invoice_number = htmlentities($row['invoice_number']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; - $invoice_currency_code = $row['invoice_currency_code']; - $invoice_url_key = $row['invoice_url_key']; + $invoice_amount = htmlentities($row['invoice_amount']); + $invoice_currency_code = htmlentities($row['invoice_currency_code']); + $invoice_url_key = htmlentities($row['invoice_url_key']); $invoice_tally_total = $invoice_amount + $invoice_tally_total; ?> @@ -894,10 +894,10 @@ var docDefinition = { while($row = mysqli_fetch_array($sql_payments)){ $payment_id = $row['payment_id']; $payment_date = $row['payment_date']; - $payment_amount = $row['payment_amount']; - $payment_currency_code = $row['payment_currency_code']; - $payment_method = $row['payment_method']; - $payment_reference = $row['payment_reference']; + $payment_amount = htmlentities($row['payment_amount']); + $payment_currency_code = htmlentities($row['payment_currency_code']); + $payment_method = htmlentities($row['payment_method']); + $payment_reference = htmlentities($row['payment_reference']); if(strtotime($payment_date) > strtotime($invoice_due)){ $payment_note = "Late"; $difference = strtotime($payment_date) - strtotime($invoice_due); diff --git a/guest_view_item.php b/guest_view_item.php index 674474f0..f8b2e514 100644 --- a/guest_view_item.php +++ b/guest_view_item.php @@ -41,10 +41,10 @@ if($row['item_active'] !== "1" || $row['item_views'] >= $row['item_view_limit']) echo "
    You may only be able to view this information for a limited time! Be sure to copy/download what you need.
    "; -$item_type = $row['item_type']; +$item_type = htmlentities($row['item_type']); $item_related_id = $row['item_related_id']; -$item_encrypted_credential = $row['item_encrypted_credential']; -$item_note = $row['item_note']; +$item_encrypted_credential = htmlentities($row['item_encrypted_credential']); +$item_note = htmlentities($row['item_note']); $item_views = intval($row['item_views']); $item_created = $row['item_created_at']; $item_expire = $row['item_expire_at']; @@ -60,7 +60,7 @@ if($item_type == "Document"){ exit(); } - $doc_title = $doc_row['document_name']; + $doc_title = htmlentities($doc_row['document_name']); $doc_content = $doc_row['document_content']; echo "
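Review bot: `$item_encrypted_credential = htmlentities($row['item_encrypted_credential'])` escapes the credential blob whose first 16 bytes are used later in this file as a raw AES IV (`substr($row['item_encrypted_credential'], 0, 16)` in the `@@ -110` hunk); a raw IV is arbitrary bytes, so on PHP before 8.1 `htmlentities()` without ENT_SUBSTITUTE returns an empty string for the whole value, and on 8.1+ it substitutes U+FFFD, either way producing something that is neither the ciphertext nor anything a guest page should show. The decrypt path reads `$row[...]` directly so it is unaffected, which means the escaped variable is either unused or is being printed somewhere; if the latter, the page should not be echoing IV+ciphertext at all. Suggest dropping the escaping on this line, `$item_encrypted_credential = $row['item_encrypted_credential'];`, and grepping for where the variable is output.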

    A document has been shared with you

    "; @@ -89,7 +89,7 @@ elseif($item_type == "File"){ exit(); } - $file_name = $file_row['file_name']; + $file_name = htmlentities($file_row['file_name']); echo "
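Review bot: `$doc_title` is escaped but `$doc_content = $doc_row['document_content'];` on the next line is left raw, and it is the largest piece of user-authored text on this guest-viewable page. If documents are stored as HTML (likely for an editor-backed field), `htmlentities()` would break rendering and the right tool is an allow-list sanitiser at output; if they are plain text, the same treatment as `$doc_title` applies. Either way, leaving it as the one unescaped string in the hunk deserves a comment stating which case it is, e.g. `// document_content is stored HTML; sanitised where it is echoed, not entity-escaped`. The `echo` that prints the document starts in the hunk and continues past it.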

    A file has been shared with you

    "; if(!empty($item_note)){ @@ -110,14 +110,14 @@ elseif($item_type == "Login"){ exit(); } - $login_name = $login_row['login_name']; - $login_uri = $login_row['login_uri']; - $login_username = $login_row['login_username']; + $login_name = htmlentities($login_row['login_name']); + $login_uri = htmlentities($login_row['login_uri']); + $login_username = htmlentities($login_row['login_username']); $login_iv = substr($row['item_encrypted_credential'], 0, 16); $login_ciphertext = substr($row['item_encrypted_credential'], 16); $login_password = openssl_decrypt($login_ciphertext, 'aes-128-cbc', $encryption_key,0, $login_iv); $login_otp = $login_row['login_otp_secret']; - $login_notes = $login_row['login_note']; + $login_notes = htmlentities($login_row['login_note']); echo "

    A login entry has been shared with you

    "; if(!empty($item_note)){ diff --git a/guest_view_quote.php b/guest_view_quote.php index 0d4882a4..6baa03bd 100644 --- a/guest_view_quote.php +++ b/guest_view_quote.php 
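Review bot: `$login_password` (the `openssl_decrypt` result) and `$login_otp` are the two values in this hunk not wrapped in `htmlentities()`, while `$login_name`, `$login_uri`, `$login_username` and `$login_notes` are; a password is free text entered by a staff user, so if it is echoed into the guest page as-is, a value like `<img src=x onerror=...>` executes in the guest's browser. Escape it where it is printed, or here alongside the others: `$login_password = htmlentities(openssl_decrypt($login_ciphertext, 'aes-128-cbc', $encryption_key, 0, $login_iv));` (with `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` if PHP < 8.1 is supported). `$login_uri` is escaped but will presumably become an `href`; entity encoding does not block a `javascript:` scheme, so check the scheme before linking it. Also note `openssl_decrypt` returns `false` on a wrong key or corrupt blob, which then prints as an empty password with no indication of the failure.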
@@ -22,44 +22,44 @@ if(isset($_GET['quote_id'], $_GET['url_key'])){ $row = mysqli_fetch_array($sql); $quote_id = $row['quote_id']; - $quote_prefix = $row['quote_prefix']; - $quote_number = $row['quote_number']; - $quote_status = $row['quote_status']; + $quote_prefix = htmlentities($row['quote_prefix']); + $quote_number = htmlentities($row['quote_number']); + $quote_status = htmlentities($row['quote_status']); $quote_date = $row['quote_date']; - $quote_amount = $row['quote_amount']; - $quote_currency_code = $row['quote_currency_code']; - $quote_note = $row['quote_note']; + $quote_amount = htmlentities($row['quote_amount']); + $quote_currency_code = htmlentities($row['quote_currency_code']); + $quote_note = htmlentities($row['quote_note']); $category_id = $row['category_id']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = $row['client_net_terms']; + $client_website = htmlentities($row['client_website']); + $client_currency_code = htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); 
if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_logo = $row['company_logo']; + $company_email = htmlentities($row['company_email']); + $company_logo = htmlentities($row['company_logo']); if(!empty($company_logo)){ $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); } - $company_locale = $row['company_locale']; - $config_quote_footer = $row['config_quote_footer']; + $company_locale = htmlentities($row['company_locale']); + $config_quote_footer = htmlentities($row['config_quote_footer']); //Set Currency Format $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); @@ -170,8 +170,8 @@ if(isset($_GET['quote_id'], $_GET['url_key'])){ while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; - $item_name = $row['item_name']; - $item_description = $row['item_description']; + $item_name = htmlentities($row['item_name']); + $item_description = htmlentities($row['item_description']); $item_quantity = $row['item_quantity']; $item_price = $row['item_price']; $item_subtotal = $row['item_price']; @@ -255,8 +255,8 @@ if(isset($_GET['quote_id'], $_GET['url_key'])){ var docDefinition = { info: { - title: '', - author: '' + title: , + author: }, //watermark: {text: '', color: 'lightgrey', opacity: 0.3, bold: true, italics: false}, 
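Review bot: `$company_locale = htmlentities($row['company_locale'])` is passed straight into `numfmt_create($company_locale, NumberFormatter::CURRENCY)` two lines later, and `$company_logo` is HTML-escaped before being used in the `uploads/settings/$company_id/$company_logo` path; both are values consumed by APIs, not printed, and escaping them first changes what the API sees (harmless for a locale like `en_US`, but a file name containing `&` or a quote no longer resolves and the logo silently disappears from the quote PDF). Keep the raw column for those calls and escape at output, e.g. `$company_logo = $row['company_logo'];` with `htmlentities($company_logo)` where it is echoed. This is the same read-time escaping pattern as guest_view_invoice.php in this commit; a small `esc()` helper used only in the HTML template lines would make the trust boundary obvious.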
@@ -267,7 +267,7 @@ var docDefinition = { columns: [ { - image: '', + image: , width: 120 }, @@ -279,7 +279,7 @@ var docDefinition = { width: '*' }, { - text: '', + text: , style: 'invoiceNumber', width: '*' }, @@ -290,12 +290,12 @@ var docDefinition = { { columns: [ { - text: , - style:'invoiceBillingTitle', + text: , + style: 'invoiceBillingTitle' }, { - text: , - style:'invoiceBillingTitleClient', + text: , + style: 'invoiceBillingTitleClient' }, ] }, @@ -303,11 +303,11 @@ var docDefinition = { { columns: [ { - text: , + text: , style: 'invoiceBillingAddress' }, { - text: , + text: , style: 'invoiceBillingAddressClient' }, ] @@ -324,7 +324,7 @@ var docDefinition = { // Total [ { - text:'', + text: '', rowSpan: 2 }, {}, @@ -333,12 +333,12 @@ var docDefinition = { [ {}, { - text:'Quote Date', - style:'invoiceDateTitle', + text: 'Quote Date', + style: 'invoiceDateTitle' }, { - text:'', - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], ] @@ -403,29 +403,29 @@ var docDefinition = { [ [ { - text: , - style:'itemTitle' + text: , + style: 'itemTitle' }, { - text: , - style:'itemDescription' + text: , + style: 'itemDescription' } ], { - text:'', - style:'itemQty' + text: , + style: 'itemQty' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text: '', - style:'itemNumber' + text: , + style: 'itemNumber' } ], 
@@ -458,38 +458,38 @@ var docDefinition = { [ { rowSpan: 3, - text: , - style:'notesText' + text: , + style: 'notesText' }, { - text:'Subtotal', - style:'itemsFooterSubTitle' + text: 'Subtotal', + style: 'itemsFooterSubTitle' }, { - text:'', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Tax', - style:'itemsFooterSubTitle' + text: 'Tax', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Total', - style:'itemsFooterSubTitle' + text: 'Total', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], ] @@ -507,32 +507,32 @@ var docDefinition = { documentFooterCenter: { fontSize: 9, margin: [10,50,10,10], - alignment:'center' + alignment: 'center' }, // Invoice Title invoiceTitle: { fontSize: 18, bold: true, - alignment:'right', - margin:[0,0,0,3] + alignment: 'right', + margin: [0,0,0,3] }, // Invoice Number invoiceNumber: { fontSize: 14, - alignment:'right' + alignment: 'right' }, // Billing Headers invoiceBillingTitle: { fontSize: 14, bold: true, - alignment:'left', - margin:[0,20,0,5] + alignment: 'left', + margin: [0,20,0,5] }, invoiceBillingTitleClient: { fontSize: 14, bold: true, - alignment:'right', - margin:[0,20,0,5] + alignment: 'right', + margin: [0,20,0,5] }, // Billing Details invoiceBillingAddress: { 
@@ -542,26 +542,26 @@ var docDefinition = { invoiceBillingAddressClient: { fontSize: 10, lineHeight: 1.2, - alignment:'right', - margin:[0,0,0,30] + alignment: 'right', + margin: [0,0,0,30] }, // Invoice Dates invoiceDateTitle: { fontSize: 10, - alignment:'left', - margin:[0,5,0,5] + alignment: 'left', + margin: [0,5,0,5] }, invoiceDateValue: { fontSize: 10, - alignment:'right', - margin:[0,5,0,5] + alignment: 'right', + margin: [0,5,0,5] }, // Items Header itemsHeader: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right' + alignment: 'right' }, // Item Title itemTitle: { @@ -578,57 +578,57 @@ var docDefinition = { itemQty: { fontSize: 10, margin: [0,5,0,5], - alignment: 'center', + alignment: 'center' }, itemNumber: { fontSize: 10, margin: [0,5,0,5], - alignment: 'right', + alignment: 'right' }, itemTotal: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment: 'right', + alignment: 'right' }, // Items Footer (Subtotal, Total, Tax, etc) itemsFooterSubTitle: { fontSize: 10, margin: [0,5,0,5], - alignment:'right', + alignment: 'right' }, itemsFooterSubValue: { fontSize: 10, margin: [0,5,0,5], bold: false, - alignment:'right', + alignment: 'right' }, itemsFooterTotalTitle: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, itemsFooterTotalValue: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, notesTitle: { fontSize: 10, bold: true, - margin: [0,5,0,5], + margin: [0,5,0,5] }, notesText: { fontSize: 9, margin: [0,5,50,5] }, left: { - alignment:'left', + alignment: 'left' }, center: { - alignment:'center', + alignment: 'center' }, }, defaultStyle: { diff --git a/inc_all_client.php b/inc_all_client.php index 1d5d0087..11ff419b 100644 --- a/inc_all_client.php +++ b/inc_all_client.php 
@@ -27,33 +27,33 @@ if(isset($_GET['client_id'])){
 }else{
 $row = mysqli_fetch_array($sql);
- $client_name = $row['client_name'];
- $client_type = $row['client_type'];
- $client_website = $row['client_website'];
- $client_referral = $row['client_referral'];
- $client_currency_code = $row['client_currency_code'];
+ $client_name = htmlentities($row['client_name']);
+ $client_type = htmlentities($row['client_type']);
+ $client_website = htmlentities($row['client_website']);
+ $client_referral = htmlentities($row['client_referral']);
+ $client_currency_code = htmlentities($row['client_currency_code']);
 $client_net_terms = $row['client_net_terms'];
 if($client_net_terms == 0){
 $client_net_terms = $config_default_net_terms;
 }
- $client_notes = $row['client_notes'];
+ $client_notes = htmlentities($row['client_notes']);
 $client_created_at = $row['client_created_at'];
 $primary_contact = $row['primary_contact'];
 $primary_location = $row['primary_location'];
 $contact_id = $row['contact_id'];
- $contact_name = $row['contact_name'];
- $contact_title = $row['contact_title'];
- $contact_email = $row['contact_email'];
+ $contact_name = htmlentities($row['contact_name']);
+ $contact_title = htmlentities($row['contact_title']);
+ $contact_email = htmlentities($row['contact_email']);
 $contact_phone = $row['contact_phone'];
 $contact_extension = $row['contact_extension'];
 $contact_mobile = $row['contact_mobile'];
 $location_id = $row['location_id'];
- $location_name = $row['location_name'];
- $location_address = $row['location_address'];
- $location_city = $row['location_city'];
- $location_state = $row['location_state'];
- $location_zip = $row['location_zip'];
- $location_country = $row['location_country'];
+ $location_name = htmlentities($row['location_name']);
+ $location_address = htmlentities($row['location_address']);
+ $location_city = htmlentities($row['location_city']);
+ $location_state = htmlentities($row['location_state']);
+ $location_zip = htmlentities($row['location_zip']);
+ $location_country = htmlentities($row['location_country']);
 $location_phone = $row['location_phone'];
 //Client Tags
@@ -64,9 +64,9 @@ if(isset($_GET['client_id'])){
 while($row = mysqli_fetch_array($sql_client_tags)){
 $client_tag_id = $row['tag_id'];
- $client_tag_name = $row['tag_name'];
- $client_tag_color = $row['tag_color'];
- $client_tag_icon = $row['tag_icon'];
+ $client_tag_name = htmlentities($row['tag_name']);
+ $client_tag_color = htmlentities($row['tag_color']);
+ $client_tag_icon = htmlentities($row['tag_icon']);
 if(empty($client_tag_icon)){
 $client_tag_icon = "tag";
 }
diff --git a/inc_client_top_head.php b/inc_client_top_head.php
index 5b1e6b3c..881733a5 100644
--- a/inc_client_top_head.php
+++ b/inc_client_top_head.php
@@ -103,15 +103,14 @@ $location_phone = formatPhoneNumber($location_phone);
diff --git a/invoice.php b/invoice.php
index 22c8c3e3..4fa395a5 100644
--- a/invoice.php
+++ b/invoice.php
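Review bot: Every new `htmlentities($row[...])` call in this hunk relies on the default flags and charset, so on PHP before 8.1 single quotes are left unencoded and a value such as `$contact_name` or `$location_address` is still unsafe wherever a template echoes it inside a single-quoted attribute or a JavaScript string; the same applies to the htmlentities hunks in invoice.php, invoices.php, logs.php, notifications.php, notifications_dismissed.php, payments.php, products.php, quote.php and the modal files. Pass the flags explicitly, `htmlentities($row['contact_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, or put that in one small helper so the thirty-odd call sites cannot drift apart. Several of these columns come from LEFT JOINs (`$contact_name`, `$location_name`) and may be NULL; `htmlentities(null)` is deprecated since PHP 8.1, so a `?? ''` on the argument inside that helper avoids a deprecation notice per row. The enclosing `if(isset($_GET['client_id']))` block starts outside the hunk.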
@@ -20,45 +20,45 @@ if(isset($_GET['invoice_id'])){ $row = mysqli_fetch_array($sql); $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; - $invoice_number = $row['invoice_number']; - $invoice_scope = $row['invoice_scope']; - $invoice_status = $row['invoice_status']; + $invoice_prefix = htmlentities($row['invoice_prefix']); + $invoice_number = htmlentities($row['invoice_number']); + $invoice_scope = htmlentities($row['invoice_scope']); + $invoice_status = htmlentities($row['invoice_status']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; - $invoice_amount = $row['invoice_amount']; - $invoice_currency_code = $row['invoice_currency_code']; - $invoice_note = $row['invoice_note']; - $invoice_url_key = $row['invoice_url_key']; + $invoice_amount = htmlentities($row['invoice_amount']); + $invoice_currency_code = htmlentities($row['invoice_currency_code']); + $invoice_note = htmlentities($row['invoice_note']); + $invoice_url_key = htmlentities($row['invoice_url_key']); $invoice_created_at = $row['invoice_created_at']; $category_id = $row['invoice_category_id']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website 
= $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = $row['client_net_terms']; + $client_website = htmlentities($row['client_website']); + $client_currency_code = htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_country = $row['company_country']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_country = htmlentities($row['company_country']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_website = $row['company_website']; - $company_logo = $row['company_logo']; + $company_email = htmlentities($row['company_email']); + $company_website = htmlentities($row['company_website']); + $company_logo = htmlentities($row['company_logo']); if(!empty($company_logo)){ $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); } 
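Review bot: `$company_logo` is now entity-encoded before it is used as a filesystem path in the `file_get_contents("uploads/settings/$company_id/$company_logo")` call at the end of the hunk, so a stored logo name containing `&`, `<`, `>` or a quote no longer resolves, while the encoding gives no protection against a `..` segment in that column; the lookup should use `basename($row['company_logo'])` and the escaping belongs where the name is echoed into markup. The hunk also entity-encodes columns that are only used numerically (`$invoice_amount`, `$client_net_terms`): `htmlentities()` returns a string, and if `client_net_terms` can be NULL the following `if($client_net_terms == 0)` no longer matches on PHP 8 (`'' == 0` is false there, whereas `null == 0` was true), so the `$config_default_net_terms` fallback is silently skipped. Limiting the escaping to text columns avoids both; the quote.php (`@@ -16,44`) and invoices.php (`@@ -267,26`) hunks have the identical pattern. The enclosing `if(isset($_GET['invoice_id']))` block starts and ends outside the hunk.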
@@ -257,13 +257,13 @@ if(isset($_GET['invoice_id'])){ while($row = mysqli_fetch_array($sql_invoice_items)){ $item_id = $row['item_id']; - $item_name = $row['item_name']; - $item_description = $row['item_description']; - $item_quantity = $row['item_quantity']; - $item_price = $row['item_price']; - $item_subtotal = $row['item_price']; - $item_tax = $row['item_tax']; - $item_total = $row['item_total']; + $item_name = htmlentities($row['item_name']); + $item_description = htmlentities($row['item_description']); + $item_quantity = htmlentities($row['item_quantity']); + $item_price = htmlentities($row['item_price']); + $item_subtotal = htmlentities($row['item_price']); + $item_tax = htmlentities($row['item_tax']); + $item_total = htmlentities($row['item_total']); $item_created_at = $row['item_created_at']; $tax_id = $row['item_tax_id']; $total_tax = $item_tax + $total_tax; @@ -308,8 +308,8 @@ if(isset($_GET['invoice_id'])){ $taxes_sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id = $row['tax_id']; - $tax_name = $row['tax_name']; - $tax_percent = $row['tax_percent']; + $tax_name = htmlentities($row['tax_name']); + $tax_percent = htmlentities($row['tax_percent']); ?> @@ -378,7 +378,7 @@ if(isset($_GET['invoice_id'])){
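Review bot: The rewritten line `$item_subtotal = htmlentities($row['item_price']);` still sources the subtotal from the unit-price column that `$item_price` reads one line above; if the items table carries its own subtotal column (the presence of `item_tax` and `item_total` suggests it does), this looks like a copy-paste left over from before the change, and the same line is repeated in the quote.php hunk at `@@ -221,13`. Escaping `$item_quantity`, `$item_price` and `$item_tax` also turns the operands of `$total_tax = $item_tax + $total_tax;` into entity-encoded strings, which works only as long as those columns are plain numeric; leaving the numeric columns unescaped keeps the arithmetic on the raw values. The enclosing `while` loop continues outside the hunk.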
    -
    +
    @@ -410,8 +410,8 @@ if(isset($_GET['invoice_id'])){ while($row = mysqli_fetch_array($sql_history)){ $history_created_at = $row['history_created_at']; - $history_status = $row['history_status']; - $history_description = $row['history_description']; + $history_status = htmlentities($row['history_status']); + $history_description = htmlentities($row['history_description']); ?> @@ -459,10 +459,10 @@ if(isset($_GET['invoice_id'])){ while($row = mysqli_fetch_array($sql_payments)){ $payment_id = $row['payment_id']; $payment_date = $row['payment_date']; - $payment_amount = $row['payment_amount']; - $payment_currency_code = $row['payment_currency_code']; - $payment_reference = $row['payment_reference']; - $account_name = $row['account_name']; + $payment_amount = htmlentities($row['payment_amount']); + $payment_currency_code = htmlentities($row['payment_currency_code']); + $payment_reference = htmlentities($row['payment_reference']); + $account_name = htmlentities($row['account_name']); ?> @@ -524,8 +524,8 @@ include("footer.php"); var docDefinition = { info: { - title: '', - author: '' + title: , + author: }, //watermark: {text: '', color: 'lightgrey', opacity: 0.3, bold: true, italics: false}, @@ -536,7 +536,7 @@ var docDefinition = { columns: [ { - image: '', + image: , width: 120 }, @@ -548,7 +548,7 @@ var docDefinition = { width: '*' }, { - text: , + text: , style: 'invoiceNumber', width: '*' }, @@ -559,12 +559,12 @@ var docDefinition = { { columns: [ { - text: , - style:'invoiceBillingTitle', + text: , + style: 'invoiceBillingTitle', }, { - text: , - style:'invoiceBillingTitleClient', + text: , + style: 'invoiceBillingTitleClient', }, ] }, @@ -572,11 +572,11 @@ var docDefinition = { { columns: [ { - text: , + text: , style: 'invoiceBillingAddress' }, { - text: , + text: , style: 'invoiceBillingAddressClient' }, ] @@ -593,7 +593,7 @@ var docDefinition = { // Total [ { - text:'', + text: '', rowSpan: 3 }, {}, 
@@ -602,23 +602,23 @@ var docDefinition = { [ {}, { - text:'Invoice Date', - style:'invoiceDateTitle', + text: 'Invoice Date', + style: 'invoiceDateTitle' }, { - text:, - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], [ {}, { - text:'Due Date', - style:'invoiceDateTitle', + text: 'Due Date', + style: 'invoiceDateTitle' }, { - text:, - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], ] @@ -683,29 +683,29 @@ var docDefinition = { [ [ { - text: , - style:'itemTitle' + text: , + style: 'itemTitle' }, { - text: , - style:'itemDescription' + text: , + style: 'itemDescription' } ], { - text:'', - style:'itemQty' + text: , + style: 'itemQty' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text: '', - style:'itemNumber' + text: , + style: 'itemNumber' } ], @@ -730,7 +730,7 @@ var docDefinition = { [ { text: 'Notes', - style:'notesTitle' + style: 'notesTitle' }, {}, {} 
@@ -738,61 +738,61 @@ var docDefinition = { [ { rowSpan: 5, - text: , - style:'notesText' + text: , + style: 'notesText' }, { - text:'Subtotal', - style:'itemsFooterSubTitle' + text: 'Subtotal', + style: 'itemsFooterSubTitle' }, { - text:'', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Tax', - style:'itemsFooterSubTitle' + text: 'Tax', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Total', - style:'itemsFooterSubTitle' + text: 'Total', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Paid', - style:'itemsFooterSubTitle' + text: 'Paid', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Balance', - style:'itemsFooterTotalTitle' + text: 'Balance', + style: 'itemsFooterTotalTitle' }, { - text: '', + text: , - style:'itemsFooterTotalTitle' + style: 'itemsFooterTotalTitle' } ], ] @@ -801,7 +801,7 @@ var docDefinition = { }, // TERMS / FOOTER { - text: , + text: , style: 'documentFooterCenter' } ], //End Content, @@ -810,32 +810,32 @@ var docDefinition = { documentFooterCenter: { fontSize: 9, margin: [10,50,10,10], - alignment:'center', + alignment: 'center', }, // Invoice Title invoiceTitle: { fontSize: 18, bold: true, - alignment:'right', - margin:[0,0,0,3] + alignment: 'right', + margin: [0,0,0,3] }, // Invoice Number invoiceNumber: { fontSize: 14, - alignment:'right' + alignment: 'right' }, // Billing Headers invoiceBillingTitle: { fontSize: 14, bold: true, - alignment:'left', - margin:[0,20,0,5] + alignment: 'left', + margin: [0,20,0,5] }, invoiceBillingTitleClient: { fontSize: 14, bold: true, - alignment:'right', - margin:[0,20,0,5] + alignment: 'right', + margin: [0,20,0,5] }, // Billing Details invoiceBillingAddress: { 
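Review bot: The `text: ,` cells in these pdfmake hunks (the PHP echo between `text:` and the comma is not shown in this rendering) presumably feed the PDF from the variables that the top of invoice.php now entity-encodes, and pdfmake prints strings verbatim, so a client named `Smith & Co` or a note containing `<` would come out in the generated PDF as `Smith &amp; Co` / `&lt;`; the PDF needs the raw column value through a JS-context encoder, e.g. `text: <?php echo json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>,` (with `$value` standing for the unescaped column), keeping the HTML escaping for the places where the page echoes into markup. Dropping the surrounding quotes (`text: ''` → `text: ,`) is only safe if every echoed expression already produces a complete JS literal; if any still echoes a bare string, a value containing a newline or an apostrophe breaks the script. In the Balance row the value cell keeps `style: 'itemsFooterTotalTitle'` while `itemsFooterTotalValue` is defined in the styles hunk and, as far as the diff shows, never used, which looks like a copy-paste slip. The same points apply to the docDefinition hunks at the top of this chunk and in quote.php.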
@@ -845,26 +845,26 @@ var docDefinition = { invoiceBillingAddressClient: { fontSize: 10, lineHeight: 1.2, - alignment:'right', - margin:[0,0,0,30] + alignment: 'right', + margin: [0,0,0,30] }, // Invoice Dates invoiceDateTitle: { fontSize: 10, - alignment:'left', - margin:[0,5,0,5] + alignment: 'left', + margin: [0,5,0,5] }, invoiceDateValue: { fontSize: 10, - alignment:'right', - margin:[0,5,0,5] + alignment: 'right', + margin: [0,5,0,5] }, // Items Header itemsHeader: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right' + alignment: 'right' }, // Item Title itemTitle: { @@ -881,61 +881,61 @@ var docDefinition = { itemQty: { fontSize: 10, margin: [0,5,0,5], - alignment: 'center', + alignment: 'center' }, itemNumber: { fontSize: 10, margin: [0,5,0,5], - alignment: 'right', + alignment: 'right' }, itemTotal: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment: 'right', + alignment: 'right' }, // Items Footer (Subtotal, Total, Tax, etc) itemsFooterSubTitle: { fontSize: 10, margin: [0,5,0,5], - alignment:'right', + alignment:'right' }, itemsFooterSubValue: { fontSize: 10, margin: [0,5,0,5], bold: false, - alignment:'right', + alignment: 'right' }, itemsFooterTotalTitle: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, itemsFooterTotalValue: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, notesTitle: { fontSize: 10, bold: true, - margin: [0,5,0,5], + margin: [0,5,0,5] }, notesText: { fontSize: 9, margin: [0,5,50,5] }, left: { - alignment:'left', + alignment: 'left' }, center: { - alignment:'center', + alignment: 'center' }, }, defaultStyle: { - columnGap: 20, + columnGap: 20 } } - \ No newline at end of file + diff --git a/invoice_add_modal.php b/invoice_add_modal.php index b1a9e2ed..1395f2c3 100644 --- a/invoice_add_modal.php +++ b/invoice_add_modal.php 
@@ -27,7 +27,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $client_id = $row['client_id'];
- $client_name = $row['client_name'];
+ $client_name = htmlentities($row['client_name']);
 ?>
@@ -63,7 +63,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC");
 while($row = mysqli_fetch_array($sql)){
 $category_id = $row['category_id'];
- $category_name = $row['category_name'];
+ $category_name = htmlentities($row['category_name']);
 ?>
diff --git a/invoice_edit_modal.php b/invoice_edit_modal.php
index 946e1fb4..6182786e 100644
--- a/invoice_edit_modal.php
+++ b/invoice_edit_modal.php
@@ -45,7 +45,7 @@ $sql_income_category = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND (category_archived_at > '$invoice_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC");
 while($row = mysqli_fetch_array($sql_income_category)){
 $category_id_select= $row['category_id'];
- $category_name_select = $row['category_name'];
+ $category_name_select = htmlentities($row['category_name']);
 ?>
diff --git a/invoices.php b/invoices.php
index 7ad7f9cf..35be00d5 100644
--- a/invoices.php
+++ b/invoices.php
@@ -267,26 +267,26 @@ while($row = mysqli_fetch_array($sql)){
 $invoice_id = $row['invoice_id'];
- $invoice_prefix = $row['invoice_prefix'];
- $invoice_number = $row['invoice_number'];
- $invoice_scope = $row['invoice_scope'];
+ $invoice_prefix = htmlentities($row['invoice_prefix']);
+ $invoice_number = htmlentities($row['invoice_number']);
+ $invoice_scope = htmlentities($row['invoice_scope']);
 if(empty($invoice_scope)){
 $invoice_scope_display = "-";
 }else{
 $invoice_scope_display = $invoice_scope;
 }
- $invoice_status = $row['invoice_status'];
+ $invoice_status = htmlentities($row['invoice_status']);
 $invoice_date = $row['invoice_date'];
 $invoice_due = $row['invoice_due'];
- $invoice_amount = $row['invoice_amount'];
- $invoice_currency_code = $row['invoice_currency_code'];
+ $invoice_amount = htmlentities($row['invoice_amount']);
+ $invoice_currency_code = htmlentities($row['invoice_currency_code']);
 $invoice_created_at = $row['invoice_created_at'];
 $client_id = $row['client_id'];
- $client_name = $row['client_name'];
+ $client_name = htmlentities($row['client_name']);
 $category_id = $row['category_id'];
- $category_name = $row['category_name'];
- $client_currency_code = $row['client_currency_code'];
- $client_net_terms = $row['client_net_terms'];
+ $category_name = htmlentities($row['category_name']);
+ $client_currency_code = htmlentities($row['client_currency_code']);
+ $client_net_terms = htmlentities($row['client_net_terms']);
 if($client_net_terms == 0){
 $client_net_terms = $config_default_net_terms;
 }
diff --git a/logs.php b/logs.php
index 966b96a8..265f6ab4 100644
--- a/logs.php
+++ b/logs.php
@@ -136,20 +136,20 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $log_id = $row['log_id'];
- $log_type = $row['log_type'];
- $log_action = $row['log_action'];
+ $log_type = htmlentities($row['log_type']);
+ $log_action = htmlentities($row['log_action']);
 $log_description = htmlentities($row['log_description']);
 $log_ip = htmlentities($row['log_ip']);
- $log_user_agent = $row['log_user_agent'];
+ $log_user_agent = htmlentities($row['log_user_agent']);
 $log_created_at = $row['log_created_at'];
 $user_id = $row['user_id'];
- $user_name = $row['user_name'];
+ $user_name = htmlentities($row['user_name']);
 if(empty($user_name)){
 $user_name_display = "-";
 }else{
 $user_name_display = $user_name;
 }
- $client_name = $row['client_name'];
+ $client_name = htmlentities($row['client_name']);
 $client_id = $row['client_id'];
 if(empty($client_name)){
 $client_name_display = "-";
diff --git a/notifications.php b/notifications.php
index e1dbc102..abe117d0 100644
--- a/notifications.php
+++ b/notifications.php
@@ -34,10 +34,10 @@ $sql = mysqli_query($mysqli,"SELECT * FROM notifications LEFT JOIN clients ON no
 while($row = mysqli_fetch_array($sql)){
 $notification_id = $row['notification_id'];
- $notification_type = $row['notification_type'];
- $notification = $row['notification'];
+ $notification_type = htmlentities($row['notification_type']);
+ $notification = htmlentities($row['notification']);
 $notification_timestamp = $row['notification_timestamp'];
- $client_name = $row['client_name'];
+ $client_name = htmlentities($row['client_name']);
 $client_id = $row['client_id'];
 if(empty($client_name)){
 $client_name_display = "-";
diff --git a/notifications_dismissed.php b/notifications_dismissed.php
index 7c80c875..9fb7de69 100644
--- a/notifications_dismissed.php
+++ b/notifications_dismissed.php
@@ -90,11 +90,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $notification_id = $row['notification_id'];
 $notification_timestamp = $row['notification_timestamp'];
- $notification_type = $row['notification_type'];
- $notification = $row['notification'];
+ $notification_type = htmlentities($row['notification_type']);
+ $notification = htmlentities($row['notification']);
 $notification_dismissed_at = $row['notification_dismissed_at'];
- $user_name = $row['user_name'];
- $client_name = $row['client_name'];
+ $user_name = htmlentities($row['user_name']);
+ $client_name = htmlentities($row['client_name']);
 $client_id = $row['client_id'];
 if(empty($client_name)){
 $client_name_display = "-";
diff --git a/payments.php b/payments.php
index 3ab3d2e9..66c8cf89 100644
--- a/payments.php
+++ b/payments.php
@@ -139,23 +139,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
 while($row = mysqli_fetch_array($sql)){
 $invoice_id = $row['invoice_id'];
- $invoice_prefix = $row['invoice_prefix'];
- $invoice_number = $row['invoice_number'];
- $invoice_status = $row['invoice_status'];
+ $invoice_prefix = htmlentities($row['invoice_prefix']);
+ $invoice_number = htmlentities($row['invoice_number']);
+ $invoice_status = htmlentities($row['invoice_status']);
 $invoice_date = $row['invoice_date'];
 $payment_date = $row['payment_date'];
- $payment_method = $row['payment_method'];
- $payment_amount = $row['payment_amount'];
- $payment_currency_code = $row['payment_currency_code'];
- $payment_reference = $row['payment_reference'];
+ $payment_method = htmlentities($row['payment_method']);
+ $payment_amount = htmlentities($row['payment_amount']);
+ $payment_currency_code = htmlentities($row['payment_currency_code']);
+ $payment_reference = htmlentities($row['payment_reference']);
 if(empty($payment_reference)){
 $payment_reference_display = "-";
 }else{
 $payment_reference_display = $payment_reference;
 }
 $client_id = $row['client_id'];
- $client_name = $row['client_name'];
- $account_name = $row['account_name'];
+ $client_name = htmlentities($row['client_name']);
+ $account_name = htmlentities($row['account_name']);
 ?>
diff --git a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.14.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.14.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
new file mode 100644
index 00000000..098257e1
Binary files /dev/null and b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.14.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser differ
diff --git a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.14.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.14.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser new file mode 100644 index 00000000..b97b9748 Binary files /dev/null and b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.14.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser differ diff --git a/product_add_modal.php b/product_add_modal.php index 37179dbf..a6f13a9d 100644 --- a/product_add_modal.php +++ b/product_add_modal.php @@ -27,7 +27,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> @@ -64,8 +64,8 @@ $taxes_sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE tax_archived_at IS NULL AND company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id = $row['tax_id']; - $tax_name = $row['tax_name']; - $tax_percent = $row['tax_percent']; + $tax_name = htmlentities($row['tax_name']); + $tax_percent = htmlentities($row['tax_percent']); ?> diff --git a/product_edit_modal.php b/product_edit_modal.php index de73c91d..efdec2c9 100644 --- a/product_edit_modal.php +++ b/product_edit_modal.php 
@@ -27,7 +27,7 @@ $sql_select = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND (category_archived_at > '$product_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql_select)){ $category_id_select = $row['category_id']; - $category_name_select = $row['category_name']; + $category_name_select = htmlentities($row['category_name']); ?> '$product_created_at' OR tax_archived_at IS NULL) AND company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id_select = $row['tax_id']; - $tax_name = $row['tax_name']; - $tax_percent = $row['tax_percent']; + $tax_name = htmlentities($row['tax_name']); + $tax_percent = htmlentities($row['tax_percent']); ?> diff --git a/products.php b/products.php index 529c48f7..20c7d9b1 100644 --- a/products.php +++ b/products.php @@ -64,11 +64,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); }else{ $product_description_display = "
    $product_description
    "; } - $product_price = $row['product_price']; - $product_currency_code = $row['product_currency_code']; + $product_price = htmlentities($row['product_price']); + $product_currency_code = htmlentities($row['product_currency_code']); $product_created_at = $row['product_created_at']; $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); $product_tax_id = $row['product_tax_id']; ?> diff --git a/quote.php b/quote.php index 12b291a2..561008c1 100644 --- a/quote.php +++ b/quote.php 
@@ -16,44 +16,44 @@ if(isset($_GET['quote_id'])){ $row = mysqli_fetch_array($sql); $quote_id = $row['quote_id']; - $quote_prefix = $row['quote_prefix']; - $quote_number = $row['quote_number']; - $quote_scope = $row['quote_scope']; - $quote_status = $row['quote_status']; + $quote_prefix = htmlentities($row['quote_prefix']); + $quote_number = htmlentities($row['quote_number']); + $quote_scope = htmlentities($row['quote_scope']); + $quote_status = htmlentities($row['quote_status']); $quote_date = $row['quote_date']; - $quote_amount = $row['quote_amount']; - $quote_currency_code = $row['quote_currency_code']; - $quote_note = $row['quote_note']; - $quote_url_key = $row['quote_url_key']; + $quote_amount = htmlentities($row['quote_amount']); + $quote_currency_code = htmlentities($row['quote_currency_code']); + $quote_note = htmlentities($row['quote_note']); + $quote_url_key = htmlentities($row['quote_url_key']); $quote_created_at = $row['quote_created_at']; $category_id = $row['quote_category_id']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = 
$row['client_net_terms']; + $client_website = htmlentities($row['client_website']); + $client_currency_code = htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_country = $row['company_country']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_country = htmlentities($row['company_country']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_website = $row['company_website']; - $company_logo = $row['company_logo']; + $company_email = htmlentities($row['company_email']); + $company_website = htmlentities($row['company_website']); + $company_logo = htmlentities($row['company_logo']); if(!empty($company_logo)){ $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); } 
@@ -221,13 +221,13 @@ if(isset($_GET['quote_id'])){ while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; - $item_name = $row['item_name']; - $item_description = $row['item_description']; - $item_quantity = $row['item_quantity']; - $item_price = $row['item_price']; - $item_subtotal = $row['item_price']; - $item_tax = $row['item_tax']; - $item_total = $row['item_total']; + $item_name = htmlentities($row['item_name']); + $item_description = htmlentities($row['item_description']); + $item_quantity = htmlentities($row['item_quantity']); + $item_price = htmlentities($row['item_price']); + $item_subtotal = htmlentities($row['item_price']); + $item_tax = htmlentities($row['item_tax']); + $item_total = htmlentities($row['item_total']); $item_created_at = $row['item_created_at']; $tax_id = $row['item_tax_id']; $total_tax = $item_tax + $total_tax; @@ -272,8 +272,8 @@ if(isset($_GET['quote_id'])){ $taxes_sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id = $row['tax_id']; - $tax_name = $row['tax_name']; - $tax_percent = $row['tax_percent']; + $tax_name = htmlentities($row['tax_name']); + $tax_percent = htmlentities($row['tax_percent']); ?> @@ -337,7 +337,7 @@ if(isset($_GET['quote_id'])){
    -
    +
    @@ -369,8 +369,8 @@ if(isset($_GET['quote_id'])){ while($row = mysqli_fetch_array($sql_history)){ $history_created_at = $row['history_created_at']; - $history_status = $row['history_status']; - $history_description = $row['history_description']; + $history_status = htmlentities($row['history_status']); + $history_description = htmlentities($row['history_description']); ?> @@ -429,8 +429,8 @@ include("footer.php"); var docDefinition = { info: { - title: '', - author: '' + title: , + author: }, //watermark: {text: '', color: 'lightgrey', opacity: 0.3, bold: true, italics: false}, @@ -441,7 +441,7 @@ var docDefinition = { columns: [ { - image: '', + image: , width: 120 }, @@ -453,7 +453,7 @@ var docDefinition = { width: '*' }, { - text: '', + text: , style: 'invoiceNumber', width: '*' }, @@ -464,12 +464,12 @@ var docDefinition = { { columns: [ { - text: , - style:'invoiceBillingTitle', + text: , + style: 'invoiceBillingTitle' }, { - text: , - style:'invoiceBillingTitleClient', + text: , + style: 'invoiceBillingTitleClient' }, ] }, @@ -477,11 +477,11 @@ var docDefinition = { { columns: [ { - text: , + text: , style: 'invoiceBillingAddress' }, { - text: , + text: , style: 'invoiceBillingAddressClient' }, ] @@ -498,7 +498,7 @@ var docDefinition = { // Total [ { - text:'', + text: '', rowSpan: 2 }, {}, @@ -507,12 +507,12 @@ var docDefinition = { [ {}, { - text:'Quote Date', - style:'invoiceDateTitle', + text: 'Quote Date', + style: 'invoiceDateTitle' }, { - text:'', - style:'invoiceDateValue', + text: , + style: 'invoiceDateValue' }, ], ] 
@@ -577,29 +577,29 @@ var docDefinition = { [ [ { - text: , - style:'itemTitle' + text: , + style: 'itemTitle' }, { - text: , - style:'itemDescription' + text: , + style: 'itemDescription' } ], { - text:'', - style:'itemQty' + text: , + style: 'itemQty' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' }, { - text:'', - style:'itemNumber' + text: , + style: 'itemNumber' } ], @@ -624,7 +624,7 @@ var docDefinition = { [ { text: 'Notes', - style:'notesTitle' + style: 'notesTitle' }, {}, {} @@ -632,38 +632,38 @@ var docDefinition = { [ { rowSpan: 3, - text: , - style:'notesText' + text: , + style: 'notesText' }, { - text:'Subtotal', - style:'itemsFooterSubTitle' + text: 'Subtotal', + style: 'itemsFooterSubTitle' }, { - text:'', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Tax', - style:'itemsFooterSubTitle' + text: 'Tax', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], [ {}, { - text:'Total', - style:'itemsFooterSubTitle' + text: 'Total', + style: 'itemsFooterSubTitle' }, { - text: '', - style:'itemsFooterSubValue' + text: , + style: 'itemsFooterSubValue' } ], ] @@ -672,7 +672,7 @@ var docDefinition = { }, // TERMS / FOOTER { - text: , + text: , style: 'documentFooterCenter' } ], //End Content, @@ -681,14 +681,14 @@ var docDefinition = { documentFooterCenter: { fontSize: 9, margin: [10,50,10,10], - alignment:'center' + alignment: 'center' }, // Invoice Title invoiceTitle: { fontSize: 18, bold: true, - alignment:'right', - margin:[0,0,0,3] + alignment: 'right', + margin: [0,0,0,3] }, // Invoice Number invoiceNumber: { 
@@ -699,14 +699,14 @@ var docDefinition = { invoiceBillingTitle: { fontSize: 14, bold: true, - alignment:'left', - margin:[0,20,0,5] + alignment: 'left', + margin: [0,20,0,5] }, invoiceBillingTitleClient: { fontSize: 14, bold: true, - alignment:'right', - margin:[0,20,0,5] + alignment: 'right', + margin: [0,20,0,5] }, // Billing Details invoiceBillingAddress: { @@ -716,26 +716,26 @@ var docDefinition = { invoiceBillingAddressClient: { fontSize: 10, lineHeight: 1.2, - alignment:'right', - margin:[0,0,0,30] + alignment: 'right', + margin: [0,0,0,30] }, // Invoice Dates invoiceDateTitle: { fontSize: 10, - alignment:'left', - margin:[0,5,0,5] + alignment: 'left', + margin: [0,5,0,5] }, invoiceDateValue: { fontSize: 10, - alignment:'right', - margin:[0,5,0,5] + alignment: 'right', + margin: [0,5,0,5] }, // Items Header itemsHeader: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right' + alignment: 'right' }, // Item Title itemTitle: { 
@@ -752,61 +752,61 @@ var docDefinition = { itemQty: { fontSize: 10, margin: [0,5,0,5], - alignment: 'center', + alignment: 'center' }, itemNumber: { fontSize: 10, margin: [0,5,0,5], - alignment: 'right', + alignment: 'right' }, itemTotal: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment: 'right', + alignment: 'right' }, // Items Footer (Subtotal, Total, Tax, etc) itemsFooterSubTitle: { fontSize: 10, margin: [0,5,0,5], - alignment:'right', + alignment: 'right' }, itemsFooterSubValue: { fontSize: 10, margin: [0,5,0,5], bold: false, - alignment:'right', + alignment: 'right' }, itemsFooterTotalTitle: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, itemsFooterTotalValue: { fontSize: 10, margin: [0,5,0,5], bold: true, - alignment:'right', + alignment: 'right' }, notesTitle: { fontSize: 10, bold: true, - margin: [0,5,0,5], + margin: [0,5,0,5] }, notesText: { fontSize: 9, margin: [0,5,50,5] }, left: { - alignment:'left', + alignment: 'left' }, center: { - alignment:'center', + alignment: 'center' }, }, defaultStyle: { - columnGap: 20, + columnGap: 20 } } diff --git a/quote_add_modal.php b/quote_add_modal.php index 284ea9b6..f0d0399c 100644 --- a/quote_add_modal.php +++ b/quote_add_modal.php @@ -28,7 +28,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; + $client_name = htmlentities($row['client_name']); ?> @@ -64,7 +64,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> 
diff --git a/quote_edit_modal.php b/quote_edit_modal.php index 9dd0af3d..10e355fa 100644 --- a/quote_edit_modal.php +++ b/quote_edit_modal.php @@ -35,7 +35,7 @@ $sql_income_category = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND (category_archived_at > '$quote_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql_income_category)){ $category_id_select = $row['category_id']; - $category_name_select = $row['category_name']; + $category_name_select = htmlentities($row['category_name']); ?> diff --git a/quotes.php b/quotes.php index aa807260..bb272114 100644 --- a/quotes.php +++ b/quotes.php 
@@ -140,25 +140,25 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $quote_id = $row['quote_id']; - $quote_prefix = $row['quote_prefix']; - $quote_number = $row['quote_number']; - $quote_scope = $row['quote_scope']; + $quote_prefix = htmlentities($row['quote_prefix']); + $quote_number = htmlentities($row['quote_number']); + $quote_scope = htmlentities($row['quote_scope']); if(empty($quote_scope)){ $quote_scope_display = "-"; }else{ $quote_scope_display = $quote_scope; } - $quote_status = $row['quote_status']; + $quote_status = htmlentities($row['quote_status']); $quote_date = $row['quote_date']; - $quote_amount = $row['quote_amount']; - $quote_currency_code = $row['quote_currency_code']; + $quote_amount = htmlentities($row['quote_amount']); + $quote_currency_code = htmlentities($row['quote_currency_code']); $quote_created_at = $row['quote_created_at']; $client_id = $row['client_id']; $client_name = htmlentities($row['client_name']); - $client_currency_code = $row['client_currency_code']; + $client_currency_code = htmlentities($row['client_currency_code']); $category_id = $row['category_id']; - $category_name = $row['category_name']; - $client_net_terms = $row['client_net_terms']; + $category_name = htmlentities($row['category_name']); + $client_net_terms = htmlentities($row['client_net_terms']); if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } diff --git a/recurring_invoice.php b/recurring_invoice.php index 6dfd2e9b..360fdebe 100644 --- a/recurring_invoice.php +++ b/recurring_invoice.php 
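Review bot: `$client_net_terms = htmlentities($row['client_net_terms']);` changes the outcome of the `if($client_net_terms == 0)` check that follows: if the joined column is NULL, the removed line produced `null`, which compares equal to `0`, while `htmlentities(null)` produces `''` (with a deprecation notice on 8.1) and on PHP 8 `'' == 0` is false, so `$config_default_net_terms` is no longer applied. The same sequence appears in ticket.php @@ -22, and in recurring_invoice.php @@ -16 and recurring_invoices.php @@ -143 `if($recurring_status == 1)` is evaluated on the encoded string. Numeric and status columns are safer read as `$client_net_terms = (int) $row['client_net_terms'];` and escaped where they are printed; `quote_amount` and the currency codes in this hunk fall in the same category.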
@@ -16,35 +16,35 @@ if(isset($_GET['recurring_id'])){ $row = mysqli_fetch_array($sql); $recurring_id = $row['recurring_id']; - $recurring_prefix = $row['recurring_prefix']; - $recurring_number = $row['recurring_number']; - $recurring_scope = $row['recurring_scope']; - $recurring_frequency = $row['recurring_frequency']; - $recurring_status = $row['recurring_status']; + $recurring_prefix = htmlentities($row['recurring_prefix']); + $recurring_number = htmlentities($row['recurring_number']); + $recurring_scope = htmlentities($row['recurring_scope']); + $recurring_frequency = htmlentities($row['recurring_frequency']); + $recurring_status = htmlentities($row['recurring_status']); $recurring_created_at = $row['recurring_created_at']; $recurring_last_sent = $row['recurring_last_sent']; if($recurring_last_sent == 0){ $recurring_last_sent = '-'; } $recurring_next_date = $row['recurring_next_date']; - $recurring_amount = $row['recurring_amount']; - $recurring_currency_code = $row['recurring_currency_code']; - $recurring_note = $row['recurring_note']; + $recurring_amount = htmlentities($row['recurring_amount']); + $recurring_currency_code = htmlentities($row['recurring_currency_code']); + $recurring_note = htmlentities($row['recurring_note']); $recurring_created_at = $row['recurring_created_at']; $category_id = $row['recurring_category_id']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; - $contact_email = $row['contact_email']; + $client_name = htmlentities($row['client_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = 
formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); - $client_website = $row['client_website']; - $client_currency_code = $row['client_currency_code']; - $client_net_terms = $row['client_net_terms']; + $client_website = htmlentities($row['client_website']); + $client_currency_code = htmlentities($row['client_currency_code']); + $client_net_terms = htmlentities($row['client_net_terms']); if($recurring_status == 1){ $status = "Active"; @@ -54,16 +54,16 @@ if(isset($_GET['recurring_id'])){ $status_badge_color = "secondary"; } $company_id = $row['company_id']; - $company_name = $row['company_name']; - $company_country = $row['company_country']; - $company_address = $row['company_address']; - $company_city = $row['company_city']; - $company_state = $row['company_state']; - $company_zip = $row['company_zip']; + $company_name = htmlentities($row['company_name']); + $company_country = htmlentities($row['company_country']); + $company_address = htmlentities($row['company_address']); + $company_city = htmlentities($row['company_city']); + $company_state = htmlentities($row['company_state']); + $company_zip = htmlentities($row['company_zip']); $company_phone = formatPhoneNumber($row['company_phone']); - $company_email = $row['company_email']; - $company_website = $row['company_website']; - $company_logo = $row['company_logo']; + $company_email = htmlentities($row['company_email']); + $company_website = htmlentities($row['company_website']); + $company_logo = htmlentities($row['company_logo']); $sql_history = mysqli_query($mysqli,"SELECT * FROM history WHERE history_recurring_id = $recurring_id ORDER BY history_id DESC"); 
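Review bot: `$company_logo = htmlentities($row['company_logo']);` encodes what looks like a stored file name; if it is later used to build a filesystem path or an image `src` (usual for a logo, but not visible in this hunk), a name containing `&` or a quote will no longer resolve, and the encoding belongs at the output point in any case. `company_email`, `company_website` and `client_website` are in a similar position when they end up in `href` attributes: entity encoding prevents attribute breakout but does not validate the scheme, so `filter_var($value, FILTER_VALIDATE_URL)` / `FILTER_VALIDATE_EMAIL` at save time is the complementary check. The enclosing `if(isset($_GET['recurring_id']))` block starts before this hunk, and the `$sql_history` query in its last context line still interpolates `$recurring_id` into SQL.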
@@ -192,13 +192,13 @@ if(isset($_GET['recurring_id'])){ while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; - $item_name = $row['item_name']; - $item_description = $row['item_description']; - $item_quantity = $row['item_quantity']; - $item_price = $row['item_price']; - $item_subtotal = $row['item_price']; - $item_tax = $row['item_tax']; - $item_total = $row['item_total']; + $item_name = htmlentities($row['item_name']); + $item_description = htmlentities($row['item_description']); + $item_quantity = htmlentities($row['item_quantity']); + $item_price = htmlentities($row['item_price']); + $item_subtotal = htmlentities($row['item_price']); + $item_tax = htmlentities($row['item_tax']); + $item_total = htmlentities($row['item_total']); $item_created_at = $row['item_created_at']; $tax_id = $row['item_tax_id']; $total_tax = $item_tax + $total_tax; @@ -243,8 +243,8 @@ if(isset($_GET['recurring_id'])){ $taxes_sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id = $row['tax_id']; - $tax_name = $row['tax_name']; - $tax_percent = $row['tax_percent']; + $tax_name = htmlentities($row['tax_name']); + $tax_percent = htmlentities($row['tax_percent']); ?> @@ -288,17 +288,17 @@ if(isset($_GET['recurring_id'])){ Subtotal - + 0){ ?> Tax - + Amount - + @@ -334,8 +334,8 @@ if(isset($_GET['recurring_id'])){ while($row = mysqli_fetch_array($sql_history)){ $history_created_at = $row['history_created_at']; - $history_status = $row['history_status']; - $history_description = $row['history_description']; + $history_status = htmlentities($row['history_status']); + $history_description = htmlentities($row['history_description']); ?> diff --git a/recurring_invoice_add_modal.php b/recurring_invoice_add_modal.php index bbef7d4e..f49ee10d 100644 --- a/recurring_invoice_add_modal.php +++ b/recurring_invoice_add_modal.php 
@@ -27,7 +27,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; + $client_name = htmlentities($row['client_name']); ?> @@ -78,7 +78,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> diff --git a/recurring_invoice_edit_modal.php b/recurring_invoice_edit_modal.php index 9663ba58..853bcbbe 100644 --- a/recurring_invoice_edit_modal.php +++ b/recurring_invoice_edit_modal.php @@ -42,7 +42,7 @@ $sql_income_category = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND (category_archived_at > '$recurring_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql_income_category)){ $category_id_select= $row['category_id']; - $category_name_select = $row['category_name']; + $category_name_select = htmlentities($row['category_name']); ?> diff --git a/recurring_invoices.php b/recurring_invoices.php index 170af544..52801f46 100644 --- a/recurring_invoices.php +++ b/recurring_invoices.php 
@@ -143,24 +143,24 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $recurring_id = $row['recurring_id']; - $recurring_prefix = $row['recurring_prefix']; - $recurring_number = $row['recurring_number']; - $recurring_scope = $row['recurring_scope']; - $recurring_frequency = $row['recurring_frequency']; - $recurring_status = $row['recurring_status']; + $recurring_prefix = htmlentities($row['recurring_prefix']); + $recurring_number = htmlentities($row['recurring_number']); + $recurring_scope = htmlentities($row['recurring_scope']); + $recurring_frequency = htmlentities($row['recurring_frequency']); + $recurring_status = htmlentities($row['recurring_status']); $recurring_last_sent = $row['recurring_last_sent']; if($recurring_last_sent == 0){ $recurring_last_sent = "-"; } $recurring_next_date = $row['recurring_next_date']; - $recurring_amount = $row['recurring_amount']; - $recurring_currency_code = $row['recurring_currency_code']; + $recurring_amount = htmlentities($row['recurring_amount']); + $recurring_currency_code = htmlentities($row['recurring_currency_code']); $recurring_created_at = $row['recurring_created_at']; $client_id = $row['client_id']; - $client_name = $row['client_name']; - $client_currency_code = $row['client_currency_code']; + $client_name = htmlentities($row['client_name']); + $client_currency_code = htmlentities($row['client_currency_code']); $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); if($recurring_status == 1){ $status = "Active"; $status_badge_color = "success"; diff --git a/report_expense_by_vendor.php b/report_expense_by_vendor.php index 70d1fd45..f20ecd10 100644 --- a/report_expense_by_vendor.php +++ b/report_expense_by_vendor.php @@ -55,7 +55,7 @@ $sql_vendors = mysqli_query($mysqli,"SELECT * FROM vendors WHERE company_id = $s 
diff --git a/report_income_by_client.php b/report_income_by_client.php index 753f21ee..e14d3a31 100644 --- a/report_income_by_client.php +++ b/report_income_by_client.php @@ -55,7 +55,7 @@ $sql_clients = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $s diff --git a/report_profit_loss.php b/report_profit_loss.php index a9214c91..e49131ea 100644 --- a/report_profit_loss.php +++ b/report_profit_loss.php @@ -61,7 +61,7 @@ $sql_categories_expense = mysqli_query($mysqli,"SELECT * FROM categories WHERE c @@ -268,7 +268,7 @@ $sql_categories_expense = mysqli_query($mysqli,"SELECT * FROM categories WHERE c diff --git a/report_tax_summary.php b/report_tax_summary.php index 77bf534c..cdfe5d13 100644 --- a/report_tax_summary.php +++ b/report_tax_summary.php @@ -54,7 +54,7 @@ $sql_tax = mysqli_query($mysqli,"SELECT * FROM taxes WHERE company_id = $session diff --git a/revenue_add_modal.php b/revenue_add_modal.php index ee4d6d6f..8144fdab 100644 --- a/revenue_add_modal.php +++ b/revenue_add_modal.php @@ -64,8 +64,8 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE account_archived_at IS NULL AND company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; - $opening_balance = $row['opening_balance']; + $account_name = htmlentities($row['account_name']); + $opening_balance = htmlentities($row['opening_balance']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id"); $row = mysqli_fetch_array($sql_payments); 
@@ -104,7 +104,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> @@ -139,7 +139,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Payment Method' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> diff --git a/revenue_edit_modal.php b/revenue_edit_modal.php index 2cbf9bab..8fcf9398 100644 --- a/revenue_edit_modal.php +++ b/revenue_edit_modal.php @@ -65,8 +65,8 @@ $sql_accounts = mysqli_query($mysqli,"SELECT * FROM accounts WHERE (account_archived_at > '$revenue_created_at' OR account_archived_at IS NULL) AND company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql_accounts)){ $account_id_select = $row['account_id']; - $account_name_select = $row['account_name']; - $opening_balance = $row['opening_balance']; + $account_name_select = htmlentities($row['account_name']); + $opening_balance = htmlentities($row['opening_balance']); $sql_payments = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_account_id = $account_id_select"); $row = mysqli_fetch_array($sql_payments); 
@@ -105,7 +105,7 @@ $sql_category = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND (category_archived_at > '$revenue_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql_category)){ $category_id_select = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> @@ -140,7 +140,7 @@ $sql_categories = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Payment Method' AND (category_archived_at > '$revenue_created_at' OR category_archived_at IS NULL) AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql_categories)){ - $category_name_select = $row['category_name']; + $category_name_select = htmlentities($row['category_name']); ?> diff --git a/revenues.php b/revenues.php index 21775094..a73bcccc 100644 --- a/revenues.php +++ b/revenues.php 
@@ -139,22 +139,22 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); while($row = mysqli_fetch_array($sql)){ $revenue_id = $row['revenue_id']; - $revenue_description = $row['revenue_description']; - $revenue_reference = $row['revenue_reference']; + $revenue_description = htmlentities($row['revenue_description']); + $revenue_reference = htmlentities($row['revenue_reference']); if(empty($revenue_reference)){ $revenue_reference_display = "-"; }else{ $revenue_reference_display = $revenue_reference; } $revenue_date = $row['revenue_date']; - $revenue_payment_method = $row['revenue_payment_method']; - $revenue_amount = $row['revenue_amount']; - $revenue_currency_code = $row['revenue_currency_code']; + $revenue_payment_method = htmlentities($row['revenue_payment_method']); + $revenue_amount = htmlentities($row['revenue_amount']); + $revenue_currency_code = htmlentities($row['revenue_currency_code']); $revenue_created_at = $row['revenue_created_at']; $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> diff --git a/scheduled_ticket_add_modal.php b/scheduled_ticket_add_modal.php index 05572a25..93253423 100644 --- a/scheduled_ticket_add_modal.php +++ b/scheduled_ticket_add_modal.php @@ -24,7 +24,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; + $contact_name = htmlentities($row['contact_name']); ?> 
@@ -48,7 +48,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; + $client_name = htmlentities($row['client_name']); ?> @@ -123,7 +123,7 @@ $sql_assets = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC"); while($row = mysqli_fetch_array($sql_assets)){ $asset_id_select = $row['asset_id']; - $asset_name_select = $row['asset_name']; + $asset_name_select = htmlentities($row['asset_name']); ?> diff --git a/scheduled_ticket_edit_modal.php b/scheduled_ticket_edit_modal.php index b6f0a13a..263c908b 100644 --- a/scheduled_ticket_edit_modal.php +++ b/scheduled_ticket_edit_modal.php @@ -9,7 +9,7 @@
    diff --git a/settings_api.php b/settings_api.php index 61c42cc3..4e69f822 100644 --- a/settings_api.php +++ b/settings_api.php @@ -53,8 +53,8 @@ while($row = mysqli_fetch_array($sql)){ $api_key_id = $row['api_key_id']; - $api_key_name = $row['api_key_name']; - $api_key_secret = "************" . substr($row['api_key_secret'], -4); + $api_key_name = htmlentities($row['api_key_name']); + $api_key_secret = htmlentities("************" . substr($row['api_key_secret'], -4)); $api_key_created_at = $row['api_key_created_at']; $api_key_expire = $row['api_key_expire']; if($api_key_expire < date("Y-m-d H:i:s")){ @@ -65,7 +65,7 @@ $api_key_client = "All Clients"; } else{ - $api_key_client = $row['client_name']; + $api_key_client = htmlentities($row['client_name']); } ?> diff --git a/settings_defaults.php b/settings_defaults.php index 67be35a9..d7299eb4 100644 --- a/settings_defaults.php +++ b/settings_defaults.php @@ -20,7 +20,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); ?> @@ -45,7 +45,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); ?> @@ -70,7 +70,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); ?> 
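Review bot: `$api_key_secret = htmlentities("************" . substr($row['api_key_secret'], -4));` shows that the full secret is still read into page scope on every listing, even though only a fixed mask plus the last four characters reach the output. Encoding the mask is harmless, but the exposure is decided by which columns the query (outside this hunk) selects rather than by escaping; selecting only the columns the list needs, or storing a display suffix alongside a hash so the raw value never has to leave the database for a list view, would be the stronger change. The `if($api_key_expire < date("Y-m-d H:i:s"))` context line is a string comparison that only works while both sides share exactly that format.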
@@ -95,7 +95,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM accounts WHERE company_id = $session_company_id ORDER BY account_name ASC"); while($row = mysqli_fetch_array($sql)){ $account_id = $row['account_id']; - $account_name = $row['account_name']; + $account_name = htmlentities($row['account_name']); ?> @@ -119,7 +119,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Payment Method' AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ - $payment_method = $row['category_name']; + $payment_method = htmlentities($row['category_name']); ?> @@ -143,7 +143,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Payment Method' AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ - $payment_method = $row['category_name']; + $payment_method = htmlentities($row['category_name']); ?> @@ -168,7 +168,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM calendars WHERE company_id = $session_company_id ORDER BY calendar_name ASC"); while($row = mysqli_fetch_array($sql)){ $calendar_id = $row['calendar_id']; - $calendar_name = $row['calendar_name']; + $calendar_name = htmlentities($row['calendar_name']); ?> diff --git a/settings_integrations.php b/settings_integrations.php index 34b3b267..bb6d7858 100644 --- a/settings_integrations.php +++ b/settings_integrations.php @@ -14,7 +14,7 @@
    - + @@ -24,7 +24,7 @@
    - + diff --git a/settings_invoice.php b/settings_invoice.php index 926b56c1..16f8af31 100644 --- a/settings_invoice.php +++ b/settings_invoice.php @@ -15,7 +15,7 @@
    - + @@ -25,13 +25,13 @@
    - +
    - +
    @@ -40,7 +40,7 @@
    - +
    @@ -50,7 +50,7 @@
    - + @@ -62,7 +62,7 @@
    - + @@ -72,7 +72,7 @@
    - + diff --git a/settings_mail.php b/settings_mail.php index 34860908..c674996b 100644 --- a/settings_mail.php +++ b/settings_mail.php @@ -13,7 +13,7 @@
    - + @@ -23,7 +23,7 @@
    - + @@ -47,7 +47,7 @@
    - + @@ -57,7 +57,7 @@
    - +
    @@ -70,7 +70,7 @@
    - + @@ -80,7 +80,7 @@
    - + diff --git a/settings_online_payment.php b/settings_online_payment.php index 4a091123..523fc397 100644 --- a/settings_online_payment.php +++ b/settings_online_payment.php @@ -24,7 +24,7 @@
    - + @@ -34,7 +34,7 @@
    - + diff --git a/settings_quote.php b/settings_quote.php index 8cb2f8b7..9fca55c7 100644 --- a/settings_quote.php +++ b/settings_quote.php @@ -15,7 +15,7 @@
    - + @@ -25,13 +25,13 @@
    - +
    - +
    @@ -40,7 +40,7 @@
    - +
    @@ -50,7 +50,7 @@
    - + diff --git a/settings_tags.php b/settings_tags.php index 99fa44ca..5385867e 100644 --- a/settings_tags.php +++ b/settings_tags.php @@ -78,10 +78,10 @@ $colors_diff = array_diff($colors_array,$colors_used_array); while($row = mysqli_fetch_array($sql)){ $tag_id = $row['tag_id']; - $tag_name = $row['tag_name']; - $tag_type = $row['tag_type']; - $tag_color = $row['tag_color']; - $tag_icon = $row['tag_icon']; + $tag_name = htmlentities($row['tag_name']); + $tag_type = htmlentities($row['tag_type']); + $tag_color = htmlentities($row['tag_color']); + $tag_icon = htmlentities($row['tag_icon']); ?> diff --git a/settings_taxes.php b/settings_taxes.php index f2adc477..1c7be89f 100644 --- a/settings_taxes.php +++ b/settings_taxes.php @@ -41,7 +41,7 @@ $num_rows = mysqli_num_rows($sql); while($row = mysqli_fetch_array($sql)){ $tax_id = $row['tax_id']; - $tax_name = $row['tax_name']; + $tax_name = htmlentities($row['tax_name']); $tax_percent = $row['tax_percent']; ?> diff --git a/settings_ticket.php b/settings_ticket.php index d36c3e11..9509f140 100644 --- a/settings_ticket.php +++ b/settings_ticket.php @@ -13,7 +13,7 @@
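Review bot: `$tag_color = htmlentities($row['tag_color']);` and `$tag_icon = htmlentities($row['tag_icon']);` are presumably emitted into `class`/`style` attributes, where entity encoding stops attribute breakout but does not constrain the value itself. The hunk context (`$colors_diff = array_diff($colors_array,$colors_used_array);`) shows a known colour list already exists, so the cheaper and stronger check is membership, e.g. `if (!in_array($tag_color, $colors_array, true)) { $tag_color = 'FALLBACK_COLOR'; }` (placeholder — use whatever the page treats as its default), with a matching allow-list for icons. settings_taxes.php @@ -41 on the same line leaves `$tax_percent` unencoded while other files encode it; either is defensible, but it should be one rule.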
    - + @@ -23,7 +23,7 @@
    - + @@ -33,7 +33,7 @@
    - + @@ -43,7 +43,7 @@
    - + diff --git a/side_nav.php b/side_nav.php index c5f68c5b..01ce0295 100644 --- a/side_nav.php +++ b/side_nav.php @@ -25,7 +25,7 @@ while($row = mysqli_fetch_array($sql)){ $company_id = $row['company_id']; - $company_name = $row['company_name']; + $company_name = htmlentities($row['company_name']); ?> @@ -42,7 +42,7 @@ -

    +

    diff --git a/ticket.php b/ticket.php index 6c6bb5b9..087edbe2 100644 --- a/ticket.php +++ b/ticket.php @@ -11,7 +11,8 @@ if(isset($_GET['ticket_id'])){ LEFT JOIN users ON ticket_assigned_to = user_id LEFT JOIN locations ON ticket_location_id = location_id LEFT JOIN assets ON ticket_asset_id = asset_id - WHERE ticket_id = $ticket_id AND tickets.company_id = $session_company_id"); + WHERE ticket_id = $ticket_id AND tickets.company_id = $session_company_id" + ); if(mysqli_num_rows($sql) == 0){ echo "

    Nothing to see here

    Go Back
    "; @@ -22,22 +23,22 @@ if(isset($_GET['ticket_id'])){ $row = mysqli_fetch_array($sql); $client_id = $row['client_id']; - $client_name = $row['client_name']; - $client_type = $row['client_type']; - $client_website = $row['client_website']; - $client_net_terms = $row['client_net_terms']; + $client_name = htmlentities($row['client_name']); + $client_type = htmlentities($row['client_type']); + $client_website = htmlentities($row['client_website']); + $client_net_terms = htmlentities($row['client_net_terms']); if($client_net_terms == 0){ $client_net_terms = $config_default_net_terms; } - $ticket_prefix = $row['ticket_prefix']; - $ticket_number = $row['ticket_number']; - $ticket_category = $row['ticket_category']; - $ticket_subject = $row['ticket_subject']; + $ticket_prefix = htmlentities($row['ticket_prefix']); + $ticket_number = htmlentities($row['ticket_number']); + $ticket_category = htmlentities($row['ticket_category']); + $ticket_subject = htmlentities($row['ticket_subject']); $ticket_details = $row['ticket_details']; - $ticket_priority = $row['ticket_priority']; - $ticket_feedback = $row['ticket_feedback']; - $ticket_status = $row['ticket_status']; + $ticket_priority = htmlentities($row['ticket_priority']); + $ticket_feedback = htmlentities($row['ticket_feedback']); + $ticket_status = htmlentities($row['ticket_status']); $ticket_created_at = $row['ticket_created_at']; $ticket_date = date('Y-m-d',strtotime($ticket_created_at)); $ticket_updated_at = $row['ticket_updated_at']; 
@@ -64,11 +65,11 @@ if(isset($_GET['ticket_id'])){ } $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; - $contact_title = $row['contact_title']; - $contact_email = $row['contact_email']; + $contact_name = htmlentities($row['contact_name']); + $contact_title = htmlentities($row['contact_title']); + $contact_email = htmlentities($row['contact_email']); $contact_phone = formatPhoneNumber($row['contact_phone']); - $contact_extension = $row['contact_extension']; + $contact_extension = htmlentities($row['contact_extension']); $contact_mobile = formatPhoneNumber($row['contact_mobile']); $asset_id = $row['asset_id']; 
@@ -81,30 +82,30 @@ if(isset($_GET['ticket_id'])){ $asset_os = htmlentities($row['asset_os']); $asset_warranty_expire = $row['asset_warranty_expire']; - $location_name = $row['location_name']; - $location_address = $row['location_address']; - $location_city = $row['location_city']; - $location_state = $row['location_state']; - $location_zip = $row['location_zip']; + $location_name = htmlentities($row['location_name']); + $location_address = htmlentities($row['location_address']); + $location_city = htmlentities($row['location_city']); + $location_state = htmlentities($row['location_state']); + $location_zip = htmlentities($row['location_zip']); $location_phone = formatPhoneNumber($row['location_phone']); $ticket_assigned_to = $row['ticket_assigned_to']; if(empty($ticket_assigned_to)){ $ticket_assigned_to_display = "Not Assigned"; }else{ - $ticket_assigned_to_display = $row['user_name']; + $ticket_assigned_to_display = htmlentities($row['user_name']); } //Ticket Created By $ticket_created_by = $row['ticket_created_by']; $ticket_created_by_sql = mysqli_query($mysqli,"SELECT user_name FROM users WHERE user_id = $ticket_created_by"); $row = mysqli_fetch_array($ticket_created_by_sql); - $ticket_created_by_display = $row['user_name']; + $ticket_created_by_display = htmlentities($row['user_name']); //Ticket Assigned To if(empty($ticket_assigned_to)){ $ticket_assigned_to_display = "Not Assigned"; }else{ - $ticket_assigned_to_display = $row['user_name']; + $ticket_assigned_to_display = htmlentities($row['user_name']); } // if($contact_id == $primary_contact){ 
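Review bot: The second `$ticket_assigned_to_display = htmlentities($row['user_name']);` in this hunk reads `$row` after it has been reassigned to the `ticket_created_by` query result, so for an assigned ticket the display name is overwritten with the creator's name instead of the assignee's. The first `if(empty($ticket_assigned_to))` block, which runs while `$row` still holds the ticket join, already computes the correct value, so the whole second `//Ticket Assigned To` block (its `if`/`else` and both assignments) can be deleted. Encoding does not change this; the defect predates the commit. If the duplicate is intentional, a comment saying why would help, because it reads like a copy-paste remnant.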
@@ -140,9 +141,9 @@ if(isset($_GET['ticket_id'])){ while($row = mysqli_fetch_array($sql_client_tags)){ $client_tag_id = $row['tag_id']; - $client_tag_name = $row['tag_name']; - $client_tag_color = $row['tag_color']; - $client_tag_icon = $row['tag_icon']; + $client_tag_name = htmlentities($row['tag_name']); + $client_tag_color = htmlentities($row['tag_color']); + $client_tag_icon = htmlentities($row['tag_icon']); if(empty($client_tag_icon)){ $client_tag_icon = "tag"; } @@ -278,19 +279,19 @@ if(isset($_GET['ticket_id'])){ while($row = mysqli_fetch_array($sql)){; $ticket_reply_id = $row['ticket_reply_id']; $ticket_reply = $row['ticket_reply']; - $ticket_reply_type = $row['ticket_reply_type']; + $ticket_reply_type = htmlentities($row['ticket_reply_type']); $ticket_reply_created_at = $row['ticket_reply_created_at']; $ticket_reply_updated_at = $row['ticket_reply_updated_at']; $ticket_reply_by = $row['ticket_reply_by']; if($ticket_reply_type == "Client"){ - $ticket_reply_by_display = $row['contact_name']; + $ticket_reply_by_display = htmlentities($row['contact_name']); $user_initials = initials($row['contact_name']); } else{ - $ticket_reply_by_display = $row['user_name']; + $ticket_reply_by_display = htmlentities($row['user_name']); $user_id = $row['user_id']; - $user_avatar = $row['user_avatar']; + $user_avatar = htmlentities($row['user_avatar']); $user_initials = initials($row['user_name']); $ticket_reply_time_worked = date_create($row['ticket_reply_time_worked']); } @@ -438,7 +439,7 @@ if(isset($_GET['ticket_id'])){ if($ticket_status == "Closed"){ $sql_closed_by = mysqli_query($mysqli,"SELECT * FROM tickets, users WHERE ticket_closed_by = user_id"); $row = mysqli_fetch_array($sql_closed_by); - $ticket_closed_by_display = $row['user_name']; + $ticket_closed_by_display = htmlentities($row['user_name']); ?>
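Review bot: HTML-entity encoding is the wrong escaper for `$client_tag_color` and `$client_tag_icon` if, as the `"tag"` fallback suggests, they end up in a `style` value and a CSS class name rather than as text: `htmlentities()` leaves characters such as `;`, `(`, `)` and spaces untouched, and those are what matter in those contexts. Validating instead of encoding is the robust choice, e.g. if colours are stored as hex, `$client_tag_color = preg_match('/^#[0-9A-Fa-f]{6}$/', $row['tag_color'] ?? '') ? $row['tag_color'] : '';` and an allow-list or `[a-z0-9-]` check for the icon name. Where these variables are rendered is outside the hunk, so this should be confirmed against the template below. The same concern applies to `$calendar_color` in the calendar modal hunks earlier in this commit.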
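Review bot: `$ticket_reply = $row['ticket_reply'];` is the one field in this loop the commit leaves unescaped while `ticket_reply_type`, `contact_name`, `user_name` and `user_avatar` all get `htmlentities()`. If replies are stored as HTML from a rich-text editor that is deliberate, but then the body needs an HTML sanitiser at render time; if they are plain text it should be escaped like its siblings. Either way a comment on that line stating which it is, e.g. `// reply body is stored HTML - sanitised where it is echoed, do not entity-encode here`, would stop the next reader from "fixing" it. Note also that `if($ticket_reply_type == "Client")` now compares an entity-encoded value against a literal, which only works because `"Client"` contains no encodable characters; escaping at the echo site instead of at assignment avoids that coupling. The loop header `while($row = mysqli_fetch_array($sql)){;` carries a stray `;`, and where the reply is echoed is outside the hunk.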
    Closed by:
    Feedback:
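Review bot: The closed-by query `SELECT * FROM tickets, users WHERE ticket_closed_by = user_id` has no ticket filter, so `mysqli_fetch_array()` returns the first row of the join of every closed ticket with its user, and the `Closed by:` display shows whichever user that happens to be rather than the closer of the ticket being viewed. It should be restricted to the current ticket, e.g. `... WHERE ticket_id = ? AND ticket_closed_by = user_id` with the id the page resolved from `$_GET['ticket_id']` bound through a prepared statement, and `SELECT *` narrowed to `user_name` so the ticket row is not fetched a second time. The `htmlentities()` added on the display line is correct but does not address this. The enclosing `if($ticket_status == "Closed")` block continues outside the hunk.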
    @@ -514,10 +515,10 @@ if(isset($_GET['ticket_id'])){ // Query is run from client_assets.php while($row = mysqli_fetch_array($sql_asset_tickets)){ $service_ticket_id = $row['ticket_id']; - $service_ticket_prefix = $row['ticket_prefix']; + $service_ticket_prefix = htmlentities($row['ticket_prefix']); $service_ticket_number = $row['ticket_number']; - $service_ticket_subject = $row['ticket_subject']; - $service_ticket_status = $row['ticket_status']; + $service_ticket_subject = htmlentities($row['ticket_subject']); + $service_ticket_status = htmlentities($row['ticket_status']); $service_ticket_created_at = $row['ticket_created_at']; $service_ticket_updated_at = $row['ticket_updated_at']; ?> @@ -561,13 +562,14 @@ if(isset($_GET['ticket_id'])){ 1 AND user_archived_at IS NULL ORDER BY user_name ASC"); + LEFT JOIN user_companies ON users.user_id = user_companies.user_id + LEFT JOIN user_settings on users.user_id = user_settings.user_id + WHERE user_companies.company_id = $session_company_id + AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC" + ); while($row = mysqli_fetch_array($sql_assign_to_select)){ $user_id = $row['user_id']; - $user_name = $row['user_name']; + $user_name = htmlentities($row['user_name']); ?> diff --git a/ticket_add_modal.php b/ticket_add_modal.php index afadfc76..94da504c 100644 --- a/ticket_add_modal.php +++ b/ticket_add_modal.php @@ -24,7 +24,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql)){ $contact_id = $row['contact_id']; - $contact_name = $row['contact_name']; + $contact_name = htmlentities($row['contact_name']); ?> @@ -48,7 +48,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC"); while($row = mysqli_fetch_array($sql)){ $client_id = $row['client_id']; - $client_name = $row['client_name']; + $client_name = htmlentities($row['client_name']); ?> 
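Review bot: The rebuilt assign-to query uses `LEFT JOIN user_companies ... WHERE user_companies.company_id = $session_company_id`; a WHERE predicate on the right-hand table discards the NULL rows a LEFT JOIN would preserve, so this is an inner join in effect and should be written as `INNER JOIN user_companies ON users.user_id = user_companies.user_id` to say what it means. The `LEFT JOIN user_settings on` line also mixes a lowercase `on` with the uppercase keywords around it. The identical query appears in the ticket_edit_modal.php `@@ -22,13 +22,14 @@` hunk and deserves the same change. In both places the `mysqli_query(` line that opens the statement is in the removed text and the readable part of the hunk begins mid-statement.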
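Review bot: The contact and client queries in ticket_add_modal.php still build SQL by interpolation, `WHERE contact_client_id = $client_id` and `WHERE company_id = $session_company_id`, and the origin of `$client_id` is outside the hunk; if it is taken from the request, the output encoding this commit adds does nothing for the input side. Switching to `$stmt = mysqli_prepare($mysqli, 'SELECT * FROM contacts WHERE contact_client_id = ? ORDER BY contact_name ASC'); mysqli_stmt_bind_param($stmt, 'i', $client_id); mysqli_stmt_execute($stmt);` removes the question regardless of where the value comes from. The same pattern is in the ticket_edit_modal.php `-76` and `-100` hunks, in ticket_invoice_add_modal.php (including `tax_archived_at > '$item_created_at'`) and in tickets.php, so it is noted once here for all of them.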
@@ -78,7 +78,7 @@ AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC"); while($row = mysqli_fetch_array($sql)){ $user_id = $row['user_id']; - $user_name = $row['user_name']; + $user_name = htmlentities($row['user_name']); ?> @@ -127,7 +127,7 @@ $sql_assets = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC"); while($row = mysqli_fetch_array($sql_assets)){ $asset_id_select = $row['asset_id']; - $asset_name_select = $row['asset_name']; + $asset_name_select = htmlentities($row['asset_name']); ?> diff --git a/ticket_edit_modal.php b/ticket_edit_modal.php index 2738bdb5..dff3626c 100644 --- a/ticket_edit_modal.php +++ b/ticket_edit_modal.php @@ -22,13 +22,14 @@ 1 AND user_archived_at IS NULL ORDER BY user_name ASC"); + LEFT JOIN user_companies ON users.user_id = user_companies.user_id + LEFT JOIN user_settings on users.user_id = user_settings.user_id + WHERE user_companies.company_id = $session_company_id + AND user_role > 1 AND user_archived_at IS NULL ORDER BY user_name ASC" + ); while($row = mysqli_fetch_array($sql_assign_to_select)){ $user_id = $row['user_id']; - $user_name = $row['user_name']; + $user_name = htmlentities($row['user_name']); ?> @@ -76,7 +77,7 @@ $sql_client_contacts_select = mysqli_query($mysqli,"SELECT * FROM contacts WHERE contact_client_id = $client_id ORDER BY contact_name ASC"); while($row = mysqli_fetch_array($sql_client_contacts_select)){ $contact_id_select = $row['contact_id']; - $contact_name_select = $row['contact_name']; + $contact_name_select = htmlentities($row['contact_name']); ?> @@ -100,7 +101,7 @@ $sql_assets = mysqli_query($mysqli,"SELECT * FROM assets WHERE asset_client_id = $client_id ORDER BY asset_name ASC"); while($row = mysqli_fetch_array($sql_assets)){ $asset_id_select = $row['asset_id']; - $asset_name_select = $row['asset_name']; + $asset_name_select = htmlentities($row['asset_name']); ?> 
diff --git a/ticket_invoice_add_modal.php b/ticket_invoice_add_modal.php index 97778f3f..de294edf 100644 --- a/ticket_invoice_add_modal.php +++ b/ticket_invoice_add_modal.php @@ -26,10 +26,10 @@ $sql_invoices = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_status NOT LIKE 'Paid' AND invoice_client_id = $client_id AND company_id = $session_company_id ORDER BY invoice_number ASC"); while($row = mysqli_fetch_array($sql_invoices)){ $invoice_id = $row['invoice_id']; - $invoice_prefix = $row['invoice_prefix']; + $invoice_prefix = htmlentities($row['invoice_prefix']); $invoice_number = $row['invoice_number']; - $invoice_scope = $row['invoice_scope']; - $invoice_satus = $row['invoice_status']; + $invoice_scope = htmlentities($row['invoice_scope']); + $invoice_satus = htmlentities($row['invoice_status']); $invoice_date = $row['invoice_date']; $invoice_due = $row['invoice_due']; $invoice_amount = $row['invoice_amount']; @@ -67,7 +67,7 @@ $sql = mysqli_query($mysqli,"SELECT * FROM categories WHERE category_type = 'Income' AND category_archived_at IS NULL AND company_id = $session_company_id ORDER BY category_name ASC"); while($row = mysqli_fetch_array($sql)){ $category_id = $row['category_id']; - $category_name = $row['category_name']; + $category_name = htmlentities($row['category_name']); ?> @@ -154,7 +154,7 @@ $taxes_sql = mysqli_query($mysqli,"SELECT * FROM taxes WHERE (tax_archived_at > '$item_created_at' OR tax_archived_at IS NULL) AND company_id = $session_company_id ORDER BY tax_name ASC"); while($row = mysqli_fetch_array($taxes_sql)){ $tax_id_select = $row['tax_id']; - $tax_name = $row['tax_name']; + $tax_name = htmlentities($row['tax_name']); $tax_percent = $row['tax_percent']; ?> diff --git a/tickets.php b/tickets.php index 42f1794b..a1a688fb 100644 --- a/tickets.php +++ b/tickets.php 
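Review bot: The new line `$invoice_satus = htmlentities($row['invoice_status']);` keeps the misspelled variable name `$invoice_satus`; since the line is being rewritten anyway this is the moment to rename it to `$invoice_status`, after checking the template below the hunk for readers of the old name (they are outside the hunk). A comment or the rename should land in the same commit so the two spellings do not coexist. The `while($row = mysqli_fetch_array($sql_invoices))` loop body continues past the hunk.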
@@ -282,7 +282,7 @@ $user_active_assigned_tickets = $row['total_tickets_assigned']; $sql_assign_to = mysqli_query($mysqli,"SELECT * FROM users WHERE user_archived_at IS NULL ORDER BY user_name ASC"); while($row = mysqli_fetch_array($sql_assign_to)){ $user_id = $row['user_id']; - $user_name = $row['user_name']; + $user_name = htmlentities($row['user_name']); ?> 2) { - $contact_phone = substr($row['contact_phone'], 0, 3) . "-" . substr($row['contact_phone'], 3, 3) . "-" . substr($row['contact_phone'], 6, 4); - } - $contact_extension = $row['contact_extension']; - $contact_mobile = $row['contact_mobile']; - if (strlen($contact_mobile) > 2) { - $contact_mobile = substr($row['contact_mobile'], 0, 3) . "-" . substr($row['contact_mobile'], 3, 3) . "-" . substr($row['contact_mobile'], 6, 4); - } - + $contact_name = htmlentities($row['contact_name']); + $contact_title = htmlentities($row['contact_title']); + $contact_email = htmlentities($row['contact_email']); + $contact_phone = formatPhoneNumber($row['contact_phone']); + $contact_extension = htmlentities($row['contact_extension']); + $contact_mobile = formatPhoneNumber($row['contact_mobile']); if ($ticket_status == "Open") { $ticket_status_display = "$ticket_status"; } elseif ($ticket_status == "Working") { diff --git a/top_nav.php b/top_nav.php index 93736868..683e82f5 100644 --- a/top_nav.php +++ b/top_nav.php @@ -27,7 +27,7 @@ " class="user-image img-circle"> - +
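Review bot: The assign-to list here, `SELECT * FROM users WHERE user_archived_at IS NULL ORDER BY user_name ASC`, is not scoped by company or role, whereas the equivalent queries this commit rewrites in ticket_edit_modal.php and in the `@@ -561,13 +562,14 @@` hunk now join `user_companies` on `company_id = $session_company_id` and require `user_role > 1`. If tenants are meant to be isolated, this dropdown still lists every company's user names; applying the same join and predicates here would make the three lists consistent. The `while` loop's body continues past the hunk into the template, and the text after it on this line (a phone-formatting hunk whose file header is missing, and the top_nav.php hunk) is too garbled to review.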