AS1024/itflow
1
0
Fork 0
mirror of https://github.com/itflow-org/itflow synced 2026-05-25 04:08:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Stripe saved cards - lock down invoice and client IDs

Browse Source 
- Stop app log handling from breaking due to quotes
This commit is contained in:
wrongecho
2026-05-20 17:51:54 +01:00
parent c5d67cd4f9
commit bd15cbe375
2 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
client/post.php
View File

@@ -524,12 +524,6 @@ if (isset($_GET['add_payment_by_provider'])) {
$contact_extension = preg_replace("/[^0-9]/", '',$row['contact_extension']);
$contact_mobile = sanitizeInput(formatPhoneNumber($row['contact_mobile'], $row['contact_mobile_country_code']));
// Check to make sure saved payment method belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
}
// Get ITFlow company details
$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = 1");
$row = mysqli_fetch_assoc($sql);
@@ -548,7 +542,7 @@ if (isset($_GET['add_payment_by_provider'])) {
$config_invoice_from_email = sanitizeInput($config_invoice_from_email);
// Get Client Payment Details
$sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id LIMIT 1");
$sql = mysqli_query($mysqli, "SELECT * FROM client_saved_payment_methods LEFT JOIN payment_providers ON saved_payment_provider_id = payment_provider_id LEFT JOIN client_payment_provider ON saved_payment_client_id = client_id WHERE saved_payment_id = $saved_payment_id AND saved_payment_client_id = $session_client_id LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$public_key = sanitizeInput($row['payment_provider_public_key']);
@@ -561,9 +555,17 @@ if (isset($_GET['add_payment_by_provider'])) {
$payment_provider_client = sanitizeInput($row['payment_provider_client']);
$saved_payment_method = sanitizeInput($row['saved_payment_provider_method']);
$saved_payment_description = sanitizeInput($row['saved_payment_description']);
$payment_client_id = intval($row['saved_payment_client_id']);
// Sanity checks
if (!$payment_provider_client || !$saved_payment_method) {
// Check to make invoice belongs to logged in client
if ($client_id !== $session_client_id) {
flash_alert("Invoice does not belong to you!", 'danger');
redirect();
} elseif ($payment_client_id !== $session_client_id) {
flash_alert("Saved Payment method does not belong to you!", 'danger');
redirect();
} elseif (!$payment_provider_client || !$saved_payment_method) {
flash_alert("Stripe not enabled or no client card saved", 'error');
redirect();
} elseif ($invoice_status !== 'Sent' && $invoice_status !== 'Viewed') {

4
functions.php
View File

@@ -1512,8 +1512,8 @@ function logAction($type, $action, $description, $client_id = 0, $entity_id = 0)
function logApp($category, $type, $details) {
global $mysqli;
$category = substr($category, 0, 200);
$details = substr($details, 0, 1000);
$category = mysqli_real_escape_string($mysqli, substr($category, 0, 200));
$details = mysqli_real_escape_string($mysqli, substr($details, 0, 1000));
mysqli_query($mysqli, "INSERT INTO app_logs SET app_log_category = '$category', app_log_type = '$type', app_log_details = '$details'");
}