From bbf875688292a56e8326379f81c31daa4150f79c Mon Sep 17 00:00:00 2001
From: "johnny@pittpc.com" <admin@app.pittpc.com>
Date: Wed, 28 Aug 2019 21:54:27 -0400
Subject: [PATCH] Security Added some mysql escapes to some get vars in api and
 guest view invoice and quote

---
 api.php                | 2 +-
 guest_view_invoice.php | 2 +-
 guest_view_quote.php   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api.php b/api.php
index f1f44739..d34d7258 100644
--- a/api.php
+++ b/api.php
@@ -3,7 +3,7 @@
 <?php
 //Check Key 
 if(isset($_GET['api_key'])){
-    $config_api_key = $_GET['api_key'];
+    $config_api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']);
 
     $sql = mysqli_query($mysqli,"SELECT * FROM settings, companies WHERE settings.company_id = companies.company_id AND settings.config_api_key = '$config_api_key'");
 
diff --git a/guest_view_invoice.php b/guest_view_invoice.php
index 7c4e03eb..75fb835f 100644
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@@ -4,7 +4,7 @@
 
 if(isset($_GET['invoice_id'], $_GET['url_key'])){
 
-  $url_key = $_GET['url_key'];
+  $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
   $invoice_id = intval($_GET['invoice_id']);
 
   $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients
diff --git a/guest_view_quote.php b/guest_view_quote.php
index 15110605..45c8bda3 100644
--- a/guest_view_quote.php
+++ b/guest_view_quote.php
@@ -4,7 +4,7 @@
 
 if(isset($_GET['quote_id'], $_GET['url_key'])){
 
-  $url_key = $_GET['url_key'];
+  $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
   $quote_id = intval($_GET['quote_id']);
 
   $sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients