From e47853f9cd77501e0f4de1ba34be11b23b24c0c2 Mon Sep 17 00:00:00 2001 From: "johnny@pittpc.com" Date: Thu, 5 Sep 2019 23:27:11 -0400 Subject: [PATCH] Add User to company now works, Security: all edits and deletes now check to make sure they belong to the session_company_id. Security: started work on checking session_company when data is pulled from Get VARS, added clickable invoice status, dashboard session_company_id fixes --- add_user_modal.php | 2 +- dashboard.php | 24 ++-- invoice.php | 18 ++- invoices.php | 60 +++++----- post.php | 271 ++++++++++++++++++++++++--------------------- top_nav.php | 4 +- vendors.php | 152 +++++++++++++++++++++++++ 7 files changed, 356 insertions(+), 175 deletions(-) diff --git a/add_user_modal.php b/add_user_modal.php index 783ffd6d..d6c19e88 100644 --- a/add_user_modal.php +++ b/add_user_modal.php @@ -72,7 +72,7 @@ ?>
- +
diff --git a/dashboard.php b/dashboard.php index 65b006f5..e8e45617 100644 --- a/dashboard.php +++ b/dashboard.php @@ -314,11 +314,11 @@ var myLineChart = new Chart(ctx, { data: [ 0 AND YEAR(revenue_date) = $year AND MONTH(revenue_date) = $month"); + $sql_revenues = mysqli_query($mysqli,"SELECT SUM(revenue_amount) AS revenue_amount_for_month FROM revenues WHERE category_id > 0 AND YEAR(revenue_date) = $year AND MONTH(revenue_date) = $month AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_revenues); $revenues_for_month = $row['revenue_amount_for_month']; @@ -382,7 +382,7 @@ var myPieChart = new Chart(ctx, { data: { labels: [

Nothing to see here

"; + }else{ + $row = mysqli_fetch_array($sql); $invoice_id = $row['invoice_id']; $invoice_number = $row['invoice_number']; @@ -379,7 +384,10 @@ if(isset($_GET['invoice_id'])){ - + @@ -387,7 +395,7 @@ if(isset($_GET['invoice_id'])){ var products = [
-
-
-
-
-
-
-
- -
-
Partial

$

-
-
+ +
+
+
+ +
+
Partial

$

+
+
+
-
diff --git a/post.php b/post.php index 05af1835..3ef85234 100644 --- a/post.php +++ b/post.php @@ -35,6 +35,14 @@ if(isset($_POST['add_user'])){ mysqli_query($mysqli,"UPDATE users SET avatar = '$path' WHERE user_id = $user_id"); + if(isset($_POST['company'])){ + if(is_array($_POST['company'])) { + foreach($_POST['company'] as $company_id){ + mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $company_id"); + } + } + } + $_SESSION['alert_message'] = "User $name created!"; header("Location: users.php"); @@ -170,6 +178,7 @@ if(isset($_POST['edit_company_settings'])){ $config_company_state = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_company_state'])); $config_company_zip = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_company_zip'])); $config_company_phone = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_company_phone'])); + $config_company_phone = preg_replace("/[^0-9]/", '',$config_company_phone); $config_company_site = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_company_site'])); mysqli_query($mysqli,"UPDATE settings SET config_company_name = '$config_company_name', config_company_address = '$config_company_address', config_company_city = '$config_company_city', config_company_state = '$config_company_state', config_company_zip = '$config_company_zip', config_company_phone = '$config_company_phone', config_company_site = '$config_company_site' WHERE company_id = $session_company_id"); 
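Review bot: Each `$company_id` pulled from the `$_POST['company']` array in the add_user hunk is interpolated straight into the `INSERT INTO user_companies` string, without the `intval()` cast this file applies to every other id, so a crafted form value reaches MySQL as raw SQL. Cast it first, `$company_id = intval($company_id);` at the top of the foreach, and because this row grants the new user access to a tenant, consider also rejecting any value that is not a company the current session is allowed to administer (that membership lookup is not visible in this patch). The enclosing add_user handler starts before this hunk.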
@@ -411,7 +420,7 @@ if(isset($_POST['edit_client'])){ $net_terms = intval($_POST['net_terms']); $hours = strip_tags(mysqli_real_escape_string($mysqli,$_POST['hours'])); - mysqli_query($mysqli,"UPDATE clients SET client_name = '$name', client_type = '$type', client_address = '$address', client_city = '$city', client_state = '$state', client_zip = '$zip', client_phone = '$phone', client_email = '$email', client_website = '$website', client_net_terms = $net_terms, client_hours = '$hours', client_updated_at = NOW() WHERE client_id = $client_id"); + mysqli_query($mysqli,"UPDATE clients SET client_name = '$name', client_type = '$type', client_address = '$address', client_city = '$city', client_state = '$state', client_zip = '$zip', client_phone = '$phone', client_email = '$email', client_website = '$website', client_net_terms = $net_terms, client_hours = '$hours', client_updated_at = NOW() WHERE client_id = $client_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Client $name updated"; @@ -422,7 +431,7 @@ if(isset($_POST['edit_client'])){ if(isset($_GET['delete_client'])){ $client_id = intval($_GET['delete_client']); - mysqli_query($mysqli,"DELETE FROM clients WHERE client_id = $client_id"); + mysqli_query($mysqli,"DELETE FROM clients WHERE client_id = $client_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Client deleted"; 
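Review bot: The delete in `if(isset($_GET['delete_client']))` still fires on a plain GET with nothing tying the request to an action the user took, so the new `AND company_id = $session_company_id` clause only narrows what a forged link can destroy to the victim's own tenant. Any page that embeds `post.php?delete_client=N` as an image or link removes the record when a logged-in user loads it. Require a POST, or check a per-session token before the DELETE, e.g. `if(!isset($_GET['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_GET['csrf_token'])){ exit; }` (the token would need to be issued when the session is created, which is outside this patch). Every `$_GET['delete_*']`, `approve_quote`, `reject_quote` and `recurring_*` handler in the patch has the same shape.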
@@ -466,7 +475,7 @@ if(isset($_POST['edit_event'])){ $start = strip_tags(mysqli_real_escape_string($mysqli,$_POST['start'])); $end = strip_tags(mysqli_real_escape_string($mysqli,$_POST['end'])); - mysqli_query($mysqli,"UPDATE events SET event_title = '$title', event_start = '$start', event_end = '$end', event_updated_at = NOW(), calendar_id = $calendar_id WHERE event_id = $event_id"); + mysqli_query($mysqli,"UPDATE events SET event_title = '$title', event_start = '$start', event_end = '$end', event_updated_at = NOW(), calendar_id = $calendar_id WHERE event_id = $event_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Event modified on the calendar"; @@ -477,7 +486,7 @@ if(isset($_POST['edit_event'])){ if(isset($_GET['delete_event'])){ $event_id = intval($_GET['delete_event']); - mysqli_query($mysqli,"DELETE FROM events WHERE event_id = $event_id"); + mysqli_query($mysqli,"DELETE FROM events WHERE event_id = $event_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Event deleted on the calendar"; @@ -510,7 +519,7 @@ if(isset($_POST['edit_ticket'])){ $subject = strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])); $details = strip_tags(mysqli_real_escape_string($mysqli,$_POST['details'])); - mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject', ticket_details = '$details' ticket_updated_at = NOW() WHERE ticket_id = $ticket_id"); + mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject', ticket_details = '$details' ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Ticket updated"; 
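Review bot: The `UPDATE tickets` statement in the edit_ticket hunk is missing the comma between `ticket_details = '$details'` and `ticket_updated_at = NOW()`, so MySQL rejects it and the edit never happens; because the return value of `mysqli_query` is ignored the user still sees "Ticket updated". The commit rewrote this line to add the tenant clause but kept the syntax error. It should read `mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject', ticket_details = '$details', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND company_id = $session_company_id");`.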
@@ -521,7 +530,7 @@ if(isset($_POST['edit_ticket'])){ if(isset($_GET['delete_ticket'])){ $ticket_id = intval($_GET['delete_ticket']); - mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_id = $ticket_id"); + mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_id = $ticket_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Ticket deleted"; @@ -546,7 +555,7 @@ if(isset($_POST['close_ticket'])){ $ticket_id = intval($_POST['ticket_id']); - mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW(), ticket_closed_by = $session_user_id WHERE ticket_id = $ticket_id") or die(mysqli_error($mysqli)); + mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW(), ticket_closed_by = $session_user_id WHERE ticket_id = $ticket_id AND company_id = $session_company_id") or die(mysqli_error($mysqli)); $_SESSION['alert_message'] = "Ticket Closed, this cannot not be reopened but you may start another one"; 
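Review bot: `or die(mysqli_error($mysqli))` on the close_ticket UPDATE sends the raw MySQL error text to the browser, which hands table and column names to whoever can provoke a failure; none of the neighbouring handlers in this file do that. Log it server-side and keep the generic alert instead, e.g. `if(!mysqli_query($mysqli, "...")){ error_log(mysqli_error($mysqli)); }`. While the line is being touched, the alert text on the next line reads "cannot not be reopened" — a double negative that says the opposite of what is meant.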
@@ -596,7 +605,7 @@ if(isset($_POST['edit_vendor'])){ $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])); $website = strip_tags(mysqli_real_escape_string($mysqli,$_POST['website'])); - mysqli_query($mysqli,"UPDATE vendors SET vendor_name = '$name', vendor_description = '$description', vendor_address = '$address', vendor_city = '$city', vendor_state = '$state', vendor_zip = '$zip', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_email = '$email', vendor_website = '$website', vendor_account_number = '$account_number', vendor_updated_at = NOW() WHERE vendor_id = $vendor_id"); + mysqli_query($mysqli,"UPDATE vendors SET vendor_name = '$name', vendor_description = '$description', vendor_address = '$address', vendor_city = '$city', vendor_state = '$state', vendor_zip = '$zip', vendor_contact_name = '$contact_name', vendor_phone = '$phone', vendor_email = '$email', vendor_website = '$website', vendor_account_number = '$account_number', vendor_updated_at = NOW() WHERE vendor_id = $vendor_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Vendor modified"; @@ -607,7 +616,7 @@ if(isset($_POST['edit_vendor'])){ if(isset($_GET['delete_vendor'])){ $vendor_id = intval($_GET['delete_vendor']); - mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_id = $vendor_id"); + mysqli_query($mysqli,"DELETE FROM vendors WHERE vendor_id = $vendor_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Vendor deleted"; 
@@ -636,7 +645,7 @@ if(isset($_POST['edit_product'])){ $description = strip_tags(mysqli_real_escape_string($mysqli,$_POST['description'])); $cost = floatval($_POST['cost']); - mysqli_query($mysqli,"UPDATE products SET product_name = '$name', product_description = '$description', product_cost = '$cost', product_updated_at = NOW() WHERE product_id = $product_id"); + mysqli_query($mysqli,"UPDATE products SET product_name = '$name', product_description = '$description', product_cost = '$cost', product_updated_at = NOW() WHERE product_id = $product_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Product modified"; @@ -647,7 +656,7 @@ if(isset($_POST['edit_product'])){ if(isset($_GET['delete_product'])){ $product_id = intval($_GET['delete_product']); - mysqli_query($mysqli,"DELETE FROM products WHERE product_id = $product_id"); + mysqli_query($mysqli,"DELETE FROM products WHERE product_id = $product_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Product deleted"; @@ -690,7 +699,7 @@ if(isset($_POST['edit_trip'])){ $location_id = intval($_POST['location']); $vendor_id = intval($_POST['vendor']); - mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_updated_at = NOW(), client_id = $client_id, invoice_id = $invoice_id, location_id = $location_id, vendor_id = $vendor_id WHERE trip_id = $trip_id"); + mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_updated_at = NOW(), client_id = $client_id, invoice_id = $invoice_id, location_id = $location_id, vendor_id = $vendor_id WHERE trip_id = $trip_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Trip modified"; 
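Review bot: The edit_trip UPDATE now checks that the trip itself belongs to `$session_company_id`, but the values it stores — `client_id = $client_id, invoice_id = $invoice_id, location_id = $location_id, vendor_id = $vendor_id` — are only passed through `intval()` and never checked against the tenant, so a trip can be attached to another company's client, invoice or vendor by editing the form. The same gap exists in edit_expense (`account_id`, `vendor_id`, `category_id`) later in this patch. Validate each foreign id with a scoped lookup before the UPDATE, e.g. `$sql = mysqli_query($mysqli,"SELECT vendor_id FROM vendors WHERE vendor_id = $vendor_id AND company_id = $session_company_id"); if(mysqli_num_rows($sql) == 0){ $vendor_id = 0; }`, or whatever "unset" value the schema uses for these columns (not visible here). The enclosing edit_trip handler starts before this hunk.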
@@ -701,7 +710,7 @@ if(isset($_POST['edit_trip'])){ if(isset($_GET['delete_trip'])){ $trip_id = intval($_GET['delete_trip']); - mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id"); + mysqli_query($mysqli,"DELETE FROM trips WHERE trip_id = $trip_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Trip deleted"; @@ -727,7 +736,7 @@ if(isset($_POST['edit_account'])){ $account_id = intval($_POST['account_id']); $name = strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])); - mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_updated_at = NOW() WHERE account_id = $account_id"); + mysqli_query($mysqli,"UPDATE accounts SET account_name = '$name', account_updated_at = NOW() WHERE account_id = $account_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Account modified"; @@ -738,7 +747,7 @@ if(isset($_POST['edit_account'])){ if(isset($_GET['delete_account'])){ $account_id = intval($_GET['delete_account']); - mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id"); + mysqli_query($mysqli,"DELETE FROM accounts WHERE account_id = $account_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Account deleted"; @@ -767,7 +776,7 @@ if(isset($_POST['edit_category'])){ $type = strip_tags(mysqli_real_escape_string($mysqli,$_POST['type'])); $color = strip_tags(mysqli_real_escape_string($mysqli,$_POST['color'])); - mysqli_query($mysqli,"UPDATE categories SET category_name = '$name', category_type = '$type', category_color = '$color', category_updated_at = NOW() WHERE category_id = $category_id"); + mysqli_query($mysqli,"UPDATE categories SET category_name = '$name', category_type = '$type', category_color = '$color', category_updated_at = NOW() WHERE category_id = $category_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Category modified"; 
@@ -778,7 +787,7 @@ if(isset($_POST['edit_category'])){ if(isset($_GET['delete_category'])){ $category_id = intval($_GET['delete_category']); - mysqli_query($mysqli,"DELETE FROM categories WHERE category_id = $category_id"); + mysqli_query($mysqli,"DELETE FROM categories WHERE category_id = $category_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Category deleted"; $_SESSION['alert_type'] = "danger"; @@ -791,7 +800,7 @@ if(isset($_GET['alert_ack'])){ $alert_id = intval($_GET['alert_ack']); - mysqli_query($mysqli,"UPDATE alerts SET alert_ack_date = CURDATE() WHERE alert_id = $alert_id"); + mysqli_query($mysqli,"UPDATE alerts SET alert_ack_date = CURDATE() WHERE alert_id = $alert_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Alert Acknowledged"; @@ -801,14 +810,14 @@ if(isset($_GET['alert_ack'])){ if(isset($_GET['ack_all_alerts'])){ - $sql = mysqli_query($mysqli,"SELECT * FROM alerts ORDER BY alert_id DESC"); + $sql = mysqli_query($mysqli,"SELECT * FROM alerts WHERE company_id = $session_company_id ORDER BY alert_id DESC"); while($row = mysqli_fetch_array($sql)){ $alert_id = $row['alert_id']; $alert_ack_date = $row['alert_ack_date']; if($alert_ack_date = 0 ){ - mysqli_query($mysqli,"UPDATE alerts SET alert_ack_date = CURDATE() WHERE alert_id = $alert_id"); + mysqli_query($mysqli,"UPDATE alerts SET alert_ack_date = CURDATE() WHERE alert_id = $alert_id AND company_id = $session_company_id"); } } 
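Review bot: In the ack_all_alerts loop the test `if($alert_ack_date = 0 )` is an assignment, not a comparison, so it is always false and the tenant-scoped UPDATE this commit adds inside it is never executed — "acknowledge all" does nothing. Write it as a comparison; `if(empty($alert_ack_date)){` covers 0, NULL and an empty string, whichever representation unacknowledged rows actually use (the column type is not visible here). The whole loop could also collapse into one statement, `UPDATE alerts SET alert_ack_date = CURDATE() WHERE company_id = $session_company_id AND (alert_ack_date IS NULL OR alert_ack_date = 0)`, which avoids one query per alert.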
@@ -864,7 +873,7 @@ if(isset($_POST['edit_expense'])){ move_uploaded_file($_FILES['file']['tmp_name'], $path); } - mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = '$amount', account_id = $account, vendor_id = $vendor, category_id = $category, expense_description = '$description', expense_reference = '$reference', expense_receipt = '$path', expense_updated_at = NOW() WHERE expense_id = $expense_id"); + mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = '$amount', account_id = $account, vendor_id = $vendor, category_id = $category, expense_description = '$description', expense_reference = '$reference', expense_receipt = '$path', expense_updated_at = NOW() WHERE expense_id = $expense_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Expense modified"; @@ -875,13 +884,13 @@ if(isset($_POST['edit_expense'])){ if(isset($_GET['delete_expense'])){ $expense_id = intval($_GET['delete_expense']); - $sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM expenses WHERE expense_id = $expense_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $expense_receipt = $row['expense_receipt']; unlink($expense_receipt); - mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id"); + mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Expense deleted"; 
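Review bot: delete_expense now scopes the SELECT to the session's company but never checks that a row came back, so for an id belonging to another tenant `$row` is false, `$expense_receipt` is null, and `unlink()` is still called on it before the (no-op) DELETE and a "Expense deleted" alert. Bail out when the lookup is empty — `if(!$row){ exit; }` after the fetch, or redirect the way the handler does below the hunk — and only unlink when there is a stored path, `if($expense_receipt){ unlink($expense_receipt); }`. Where `expense_receipt` values are written is outside this hunk, so whether they are confined to the upload directory cannot be confirmed here; if they are not, this unlink deletes whatever path the row holds.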
@@ -920,11 +929,11 @@ if(isset($_POST['edit_transfer'])){ $account_from = intval($_POST['account_from']); $account_to = intval($_POST['account_to']); - mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = '$amount', account_id = $account_from, expense_updated_at = NOW() WHERE expense_id = $expense_id"); + mysqli_query($mysqli,"UPDATE expenses SET expense_date = '$date', expense_amount = '$amount', account_id = $account_from, expense_updated_at = NOW() WHERE expense_id = $expense_id AND company_id = $session_company_id"); - mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = '$amount', account_id = $account_to, revenue_updated_at = NOW() WHERE revenue_id = $revenue_id"); + mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = '$amount', account_id = $account_to, revenue_updated_at = NOW() WHERE revenue_id = $revenue_id AND company_id = $session_company_id"); - mysqli_query($mysqli,"UPDATE transfers SET transfer_date = '$date', transfer_amount = '$amount', transfer_account_from = $account_from, transfer_account_to = $account_to, transfer_updated_at = NOW() WHERE transfer_id = $transfer_id"); + mysqli_query($mysqli,"UPDATE transfers SET transfer_date = '$date', transfer_amount = '$amount', transfer_account_from = $account_from, transfer_account_to = $account_to, transfer_updated_at = NOW() WHERE transfer_id = $transfer_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Transfer modified"; 
@@ -936,16 +945,16 @@ if(isset($_GET['delete_transfer'])){ $transfer_id = intval($_GET['delete_transfer']); //Query the transfer ID to get the Pyament and Expense IDs so we can delete those as well - $sql = mysqli_query($mysqli,"SELECT * FROM transfers WHERE transfer_id = $transfer_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM transfers WHERE transfer_id = $transfer_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $expense_id = $row['expense_id']; $revenue_id = $row['revenue_id']; - mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id"); + mysqli_query($mysqli,"DELETE FROM expenses WHERE expense_id = $expense_id AND company_id = $session_company_id"); - mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id"); + mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id AND company_id = $session_company_id"); - mysqli_query($mysqli,"DELETE FROM transfers WHERE transfer_id = $transfer_id"); + mysqli_query($mysqli,"DELETE FROM transfers WHERE transfer_id = $transfer_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Transfer deleted"; @@ -959,7 +968,7 @@ if(isset($_POST['add_invoice'])){ $category = intval($_POST['category']); //Get Net Terms - $sql = mysqli_query($mysqli,"SELECT client_net_terms FROM clients WHERE client_id = $client"); + $sql = mysqli_query($mysqli,"SELECT client_net_terms FROM clients WHERE client_id = $client AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $client_net_terms = $row['client_net_terms']; 
@@ -987,7 +996,7 @@ if(isset($_POST['edit_invoice'])){ $due = strip_tags(mysqli_real_escape_string($mysqli,$_POST['due'])); $category = intval($_POST['category']); - mysqli_query($mysqli,"UPDATE invoices SET invoice_date = '$date', invoice_due = '$due', invoice_updated_at = NOW(), category_id = $category WHERE invoice_id = $invoice_id"); + mysqli_query($mysqli,"UPDATE invoices SET invoice_date = '$date', invoice_due = '$due', invoice_updated_at = NOW(), category_id = $category WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Invoice modified"; @@ -1001,7 +1010,7 @@ if(isset($_POST['add_invoice_copy'])){ $date = strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])); //Get Net Terms - $sql = mysqli_query($mysqli,"SELECT client_net_terms FROM clients, invoices WHERE clients.client_id = invoices.client_id AND invoices.invoice_id = $invoice_id"); + $sql = mysqli_query($mysqli,"SELECT client_net_terms FROM clients, invoices WHERE clients.client_id = invoices.client_id AND invoices.invoice_id = $invoice_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $client_net_terms = $row['client_net_terms']; @@ -1009,7 +1018,7 @@ if(isset($_POST['add_invoice_copy'])){ $new_config_invoice_next_number = $config_invoice_next_number + 1; mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id"); - $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $invoice_amount = $row['invoice_amount']; $invoice_note = $row['invoice_note']; 
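Review bot: The net-terms lookup in add_invoice_copy joins `clients` and `invoices` and then filters on a bare `company_id`; both tables carry that column (this patch scopes `UPDATE clients` and `UPDATE invoices` on it), so MySQL will reject the query as ambiguous, the SELECT returns false and `mysqli_fetch_array` is called on it. Qualify the column as the pdf_quote hunk later in the patch does: `AND invoices.company_id = $session_company_id"`. The `SELECT * FROM invoices` in the following hunk should also be checked for a row before the copy is made, since a foreign invoice_id now yields an empty `$row` and the copy proceeds with null amount and note.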
@@ -1047,7 +1056,7 @@ if(isset($_POST['add_invoice_recurring'])){ $invoice_id = intval($_POST['invoice_id']); $recurring_frequency = strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])); - $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $invoice_date = $row['invoice_date']; $invoice_amount = $row['invoice_amount']; @@ -1061,7 +1070,7 @@ if(isset($_POST['add_invoice_recurring'])){ mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Draft', history_description = 'Recurring Created from INVOICE!', history_created_at = NOW(), recurring_id = $recurring_id, company_id = $session_company_id"); - $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id"); + $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; $item_name = $row['item_name']; @@ -1118,7 +1127,7 @@ if(isset($_POST['add_quote_copy'])){ $new_config_quote_next_number = $config_quote_next_number + 1; mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = $session_company_id"); - $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $quote_amount = $row['quote_amount']; $quote_note = $row['quote_note']; 
@@ -1161,7 +1170,7 @@ if(isset($_POST['add_quote_to_invoice'])){ $new_config_invoice_next_number = $config_invoice_next_number + 1; mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id"); - $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $quote_amount = $row['quote_amount']; $quote_note = $row['quote_note']; @@ -1216,12 +1225,12 @@ if(isset($_POST['save_quote'])){ //Update Invoice Balances - $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $new_quote_amount = $row['quote_amount'] + $total; - mysqli_query($mysqli,"UPDATE quotes SET quote_amount = '$new_quote_amount', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_amount = '$new_quote_amount', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Item added"; @@ -1231,7 +1240,7 @@ if(isset($_POST['save_quote'])){ if(isset($_POST['quote_note'])){ $quote_note = strip_tags(mysqli_real_escape_string($mysqli,$_POST['quote_note'])); - mysqli_query($mysqli,"UPDATE quotes SET quote_note = '$quote_note', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_note = '$quote_note', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Notes added"; } 
@@ -1246,7 +1255,7 @@ if(isset($_POST['edit_quote'])){ $date = strip_tags(mysqli_real_escape_string($mysqli,$_POST['date'])); $category = intval($_POST['category']); - mysqli_query($mysqli,"UPDATE quotes SET quote_date = '$date', category_id = $category, quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_date = '$date', category_id = $category, quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Quote modified"; @@ -1257,20 +1266,20 @@ if(isset($_POST['edit_quote'])){ if(isset($_GET['delete_quote'])){ $quote_id = intval($_GET['delete_quote']); - mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"DELETE FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); //Delete Items Associated with the Quote - $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE quote_id = $quote_id AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){; $item_id = $row['item_id']; - mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id"); + mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); } //Delete History Associated with the Quote - $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE quote_id = $quote_id AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){; $history_id = $row['history_id']; - mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id"); + mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id AND company_id = $session_company_id"); } $_SESSION['alert_message'] = "Quotes deleted"; 
@@ -1282,21 +1291,21 @@ if(isset($_GET['delete_quote'])){ if(isset($_GET['delete_quote_item'])){ $item_id = intval($_GET['delete_quote_item']); - $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $quote_id = $row['quote_id']; $item_subtotal = $row['item_subtotal']; $item_tax = $row['item_tax']; $item_total = $row['item_total']; - $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM quotes WHERE quote_id = $quote_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $new_quote_amount = $row['quote_amount'] - $item_total; - mysqli_query($mysqli,"UPDATE quotes SET quote_amount = '$new_quote_amount', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_amount = '$new_quote_amount', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); - mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id"); + mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Item deleted"; @@ -1308,7 +1317,7 @@ if(isset($_GET['approve_quote'])){ $quote_id = intval($_GET['approve_quote']); - mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Approved', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Approved', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Approved', history_description = 'Quote approved!', history_created_at = NOW(), quote_id = $quote_id, company_id = $session_company_id"); 
@@ -1322,7 +1331,7 @@ if(isset($_GET['reject_quote'])){ $quote_id = intval($_GET['reject_quote']); - mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Rejected', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Rejected', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Cancelled', history_description = 'Quote rejected!', history_created_at = NOW(), quote_id = $quote_id, company_id = $session_company_id"); @@ -1338,7 +1347,8 @@ if(isset($_GET['pdf_quote'])){ $sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients WHERE quotes.client_id = clients.client_id - AND quotes.quote_id = $quote_id" + AND quotes.quote_id = $quote_id + AND quotes.company_id = $session_company_id" ); $row = mysqli_fetch_array($sql); @@ -1362,7 +1372,7 @@ if(isset($_GET['pdf_quote'])){ } $client_website = $row['client_website']; - $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE quote_id = $quote_id ORDER BY item_id ASC"); + $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE quote_id = $quote_id AND company_id = $session_company_id ORDER BY item_id ASC"); while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; @@ -1511,7 +1521,8 @@ if(isset($_GET['email_quote'])){ $sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients WHERE quotes.client_id = clients.client_id - AND quotes.quote_id = $quote_id" + AND quotes.quote_id = $quote_id + AND quotes.company_id = $session_company_id" ); $row = mysqli_fetch_array($sql); 
@@ -1574,7 +1585,7 @@ if(isset($_GET['email_quote'])){ //Don't change the status to sent if the status is anything but draft if($quote_status == 'Draft'){ - mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent', quote_updated_at = NOW() WHERE quote_id = $quote_id"); + mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Sent', quote_updated_at = NOW() WHERE quote_id = $quote_id AND company_id = $session_company_id"); } @@ -1610,20 +1621,20 @@ if(isset($_POST['add_recurring'])){ if(isset($_GET['delete_recurring'])){ $recurring_id = intval($_GET['delete_recurring']); - mysqli_query($mysqli,"DELETE FROM recurring WHERE recurring_id = $recurring_id"); + mysqli_query($mysqli,"DELETE FROM recurring WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); //Delete Items Associated with the Recurring - $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE recurring_id = $recurring_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){; $item_id = $row['item_id']; - mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id"); + mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id"); } //Delete History Associated with the Invoice - $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE recurring_id = $recurring_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); while($row = mysqli_fetch_array($sql)){; $history_id = $row['history_id']; - mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id"); + mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id AND company_id = $session_company_id"); } $_SESSION['alert_message'] = "Recurring Invoice deleted"; 
@@ -1636,7 +1647,7 @@ if(isset($_GET['recurring_activate'])){ $recurring_id = intval($_GET['recurring_activate']); - mysqli_query($mysqli,"UPDATE recurring SET recurring_status = 1 WHERE recurring_id = $recurring_id"); + mysqli_query($mysqli,"UPDATE recurring SET recurring_status = 1 WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Recurring Invoice Activated"; @@ -1648,7 +1659,7 @@ if(isset($_GET['recurring_deactivate'])){ $recurring_id = intval($_GET['recurring_deactivate']); - mysqli_query($mysqli,"UPDATE recurring SET recurring_status = 0 WHERE recurring_id = $recurring_id"); + mysqli_query($mysqli,"UPDATE recurring SET recurring_status = 0 WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); $_SESSION['alert_message'] = "Recurring Invoice Deactivated"; @@ -1675,12 +1686,12 @@ if(isset($_POST['save_recurring'])){ //Update Invoice Balances - $sql = mysqli_query($mysqli,"SELECT * FROM recurring WHERE recurring_id = $recurring_id"); + $sql = mysqli_query($mysqli,"SELECT * FROM recurring WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql); $new_recurring_amount = $row['recurring_amount'] + $total; - mysqli_query($mysqli,"UPDATE recurring SET recurring_amount = '$new_recurring_amount', recurring_updated_at = NOW()WHERE recurring_id = $recurring_id"); + mysqli_query($mysqli,"UPDATE recurring SET recurring_amount = '$new_recurring_amount', recurring_updated_at = NOW() WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); } 
@@ -1688,7 +1699,7 @@ if(isset($_POST['save_recurring'])){
 $recurring_note = strip_tags(mysqli_real_escape_string($mysqli,$_POST['recurring_note']));
- mysqli_query($mysqli,"UPDATE recurring SET recurring_note = '$recurring_note', recurring_updated_at = NOW() WHERE recurring_id = $recurring_id");
+ mysqli_query($mysqli,"UPDATE recurring SET recurring_note = '$recurring_note', recurring_updated_at = NOW() WHERE recurring_id = $recurring_id AND company_id = $session_company_id");
 }
@@ -1701,21 +1712,21 @@ if(isset($_POST['save_recurring'])){
 if(isset($_GET['delete_recurring_item'])){
 $item_id = intval($_GET['delete_recurring_item']);
- $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $recurring_id = $row['recurring_id'];
 $item_subtotal = $row['item_subtotal'];
 $item_tax = $row['item_tax'];
 $item_total = $row['item_total'];
- $sql = mysqli_query($mysqli,"SELECT * FROM recurring WHERE recurring_id = $recurring_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM recurring WHERE recurring_id = $recurring_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $new_recurring_amount = $row['recurring_amount'] - $item_total;
- mysqli_query($mysqli,"UPDATE recurring SET recurring_amount = '$new_recurring_amount', recurring_updated_at = NOW() WHERE recurring_id = $recurring_id");
+ mysqli_query($mysqli,"UPDATE recurring SET recurring_amount = '$new_recurring_amount', recurring_updated_at = NOW() WHERE recurring_id = $recurring_id AND company_id = $session_company_id");
- mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
+ mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Item deleted";
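Review bot: In delete_recurring_item the scoped SELECT on invoice_items now returns no row when the item belongs to another company, but the block keeps going: `$row` is false, `$recurring_id` becomes null, the recurring UPDATE is issued as `WHERE recurring_id =  AND ...` (a syntax error whose return value is never checked) and the user still sees "Item deleted". Bail out straight after the fetch, `if(!$row){ $_SESSION['alert_message'] = "Item not found"; /* redirect */ exit; }`, before any dependent query runs. The same missing empty-result guard follows the scoped SELECTs in delete_invoice_item, delete_payment, delete_file, pdf_invoice and force_recurring.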
@@ -1728,7 +1739,7 @@ if(isset($_GET['mark_invoice_sent'])){
 $invoice_id = intval($_GET['mark_invoice_sent']);
- mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Sent', history_description = 'INVOICE marked sent', history_created_at = NOW(), invoice_id = $invoice_id, company_id = $session_company_id");
@@ -1742,7 +1753,7 @@ if(isset($_GET['cancel_invoice'])){
 $invoice_id = intval($_GET['cancel_invoice']);
- mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Cancelled', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Cancelled', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Cancelled', history_description = 'INVOICE cancelled!', history_created_at = NOW(), invoice_id = $invoice_id, company_id = $session_company_id");
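Review bot: The history INSERT on the context line after the scoped UPDATE runs unconditionally, so a mark_invoice_sent request naming another company's invoice_id changes nothing on the invoice yet still writes a 'Sent' history row carrying that invoice_id and this session's company_id; cancel_invoice just below, and the status/history pairs in add_payment and delete_payment, behave the same way. Gate the INSERT on the UPDATE having matched something, `if(mysqli_affected_rows($mysqli) > 0){ ... }`, or on a preceding company-scoped SELECT of the invoice, so the audit trail only records changes that actually happened.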
@@ -1755,27 +1766,27 @@ if(isset($_GET['cancel_invoice'])){
 if(isset($_GET['delete_invoice'])){
 $invoice_id = intval($_GET['delete_invoice']);
- mysqli_query($mysqli,"DELETE FROM invoices WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"DELETE FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 //Delete Items Associated with the Invoice
- $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 while($row = mysqli_fetch_array($sql)){;
 $item_id = $row['item_id'];
- mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
+ mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
 }
 //Delete History Associated with the Invoice
- $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM history WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 while($row = mysqli_fetch_array($sql)){;
 $history_id = $row['history_id'];
- mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id");
+ mysqli_query($mysqli,"DELETE FROM history WHERE history_id = $history_id AND company_id = $session_company_id");
 }
 //Delete Payments Associated with the Invoice
- $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 while($row = mysqli_fetch_array($sql)){;
 $payment_id = $row['payment_id'];
- mysqli_query($mysqli,"DELETE FROM payments WHERE payment_id = $payment_id");
+ mysqli_query($mysqli,"DELETE FROM payments WHERE payment_id = $payment_id AND company_id = $session_company_id");
 }
 $_SESSION['alert_message'] = "Invoice deleted";
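Review bot: The invoice row is deleted first and its items, history and payments afterwards as separate autocommit statements, so a failure partway through leaves child rows whose invoice_id no longer resolves and, because no query result is checked, nobody is told. Deleting the children first, or wrapping the whole sequence in `mysqli_begin_transaction($mysqli)` / `mysqli_commit($mysqli)` (assuming the tables are on a transactional engine), keeps the tenant's data consistent. Each child table can also be cleared with one scoped DELETE by invoice_id rather than a SELECT plus a per-row DELETE, e.g. `mysqli_query($mysqli,"DELETE FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id");`. The delete_invoice block appears to continue past the hunk.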
@@ -1803,12 +1814,12 @@ if(isset($_POST['save_invoice'])){
 //Update Invoice Balances
- $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $new_invoice_amount = $row['invoice_amount'] + $total;
- mysqli_query($mysqli,"UPDATE invoices SET invoice_amount = '$new_invoice_amount', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_amount = '$new_invoice_amount', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Item added";
@@ -1819,7 +1830,7 @@ if(isset($_POST['save_invoice'])){
 $invoice_note = strip_tags(mysqli_real_escape_string($mysqli,$_POST['invoice_note']));
- mysqli_query($mysqli,"UPDATE invoices SET invoice_note = '$invoice_note', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_note = '$invoice_note', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Notes added";
@@ -1832,21 +1843,21 @@ if(isset($_POST['save_invoice'])){
 if(isset($_GET['delete_invoice_item'])){
 $item_id = intval($_GET['delete_invoice_item']);
- $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $invoice_id = $row['invoice_id'];
 $item_subtotal = $row['item_subtotal'];
 $item_tax = $row['item_tax'];
 $item_total = $row['item_total'];
- $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $new_invoice_amount = $row['invoice_amount'] - $item_total;
- mysqli_query($mysqli,"UPDATE invoices SET invoice_amount = '$new_invoice_amount', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_amount = '$new_invoice_amount', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
- mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id");
+ mysqli_query($mysqli,"DELETE FROM invoice_items WHERE item_id = $item_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Item deleted";
@@ -1874,12 +1885,12 @@ if(isset($_POST['add_payment'])){
 mysqli_query($mysqli,"INSERT INTO payments SET payment_date = '$date', payment_amount = '$amount', account_id = $account, payment_method = '$payment_method', payment_reference = '$reference', payment_created_at = NOW(), invoice_id = $invoice_id, company_id = $session_company_id");
 //Add up all the payments for the invoice and get the total amount paid to the invoice
- $sql_total_payments_amount = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS payments_amount FROM payments WHERE invoice_id = $invoice_id");
+ $sql_total_payments_amount = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS payments_amount FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_total_payments_amount);
 $total_payments_amount = $row['payments_amount'];
 //Get the invoice total
- $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients WHERE invoices.client_id = clients.client_id AND invoices.invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients WHERE invoices.client_id = clients.client_id AND invoices.invoice_id = $invoice_id AND invoices.company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $invoice_amount = $row['invoice_amount'];
 $invoice_number = $row['invoice_number'];
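Review bot: The payments INSERT on the first context line executes before the invoice is looked up with the new company-scoped SELECT, so a POST naming another company's invoice_id still creates a payment row against it (tagged with this session's company_id), and `$account` is interpolated as `account_id = $account` with no check that the account belongs to the company either. Move the scoped invoice SELECT ahead of the INSERT and return when it yields no row, and validate `$account` with a SELECT on accounts filtered by `company_id = $session_company_id`. The same unverified foreign keys from POST remain in edit_revenue (`category_id`, `account_id`), edit_asset (`location_id`, `vendor_id`, `contact_id`, `network_id`), edit_login (`vendor_id`, `asset_id`, `software_id`), edit_network (`location_id`) and edit_domain (`domain_registrar`, `domain_webhost`). The add_payment block starts outside the hunk, so how `$account` and `$invoice_id` are parsed is not visible here.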
@@ -1971,7 +1982,7 @@ if(isset($_POST['add_payment'])){
 }
 //Update Invoice Status
- mysqli_query($mysqli,"UPDATE invoices SET invoice_status = '$invoice_status', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_status = '$invoice_status', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 //Add Payment to History
 mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = '$invoice_status', history_description = 'INVOICE payment added', history_created_at = NOW(), invoice_id = $invoice_id, company_id = $session_company_id");
@@ -1985,18 +1996,18 @@ if(isset($_POST['add_payment'])){
 if(isset($_GET['delete_payment'])){
 $payment_id = intval($_GET['delete_payment']);
- $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM payments WHERE payment_id = $payment_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $invoice_id = $row['invoice_id'];
 $deleted_payment_amount = $row['payment_amount'];
 //Add up all the payments for the invoice and get the total amount paid to the invoice
- $sql_total_payments_amount = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments_amount FROM payments WHERE invoice_id = $invoice_id");
+ $sql_total_payments_amount = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS total_payments_amount FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_total_payments_amount);
 $total_payments_amount = $row['total_payments_amount'];
 //Get the invoice total
- $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id");
+ $sql = mysqli_query($mysqli,"SELECT * FROM invoices WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql);
 $invoice_amount = $row['invoice_amount'];
@@ -2011,12 +2022,12 @@ if(isset($_GET['delete_payment'])){
 }
 //Update Invoice Status
- mysqli_query($mysqli,"UPDATE invoices SET invoice_status = '$invoice_status', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_status = '$invoice_status', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 //Add Payment to History
 mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = '$invoice_status', history_description = 'INVOICE payment deleted', history_created_at = NOW(), invoice_id = $invoice_id, company_id = $session_company_id");
- mysqli_query($mysqli,"DELETE FROM payments WHERE payment_id = $payment_id");
+ mysqli_query($mysqli,"DELETE FROM payments WHERE payment_id = $payment_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Payment deleted";
@@ -2054,10 +2065,10 @@ if(isset($_GET['email_invoice'])){
 $client_website = $row['client_website'];
 $base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
- $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payments.account_id = accounts.account_id AND payments.invoice_id = $invoice_id ORDER BY payments.payment_id DESC");
+ $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payments.account_id = accounts.account_id AND payments.invoice_id = $invoice_id AND payments.company_id = $session_company_id ORDER BY payments.payment_id DESC");
 //Add up all the payments for the invoice and get the total amount paid to the invoice
- $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE invoice_id = $invoice_id");
+ $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_amount_paid);
 $amount_paid = $row['amount_paid'];
@@ -2105,7 +2116,7 @@ if(isset($_GET['email_invoice'])){
 //Don't chnage the status to sent if the status is anything but draf
 if($invoice_status == 'Draft'){
- mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id");
+ mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW() WHERE invoice_id = $invoice_id AND company_id = $session_company_id");
 }
@@ -2148,7 +2159,7 @@ if(isset($_POST['edit_revenue'])){
 $description = strip_tags(mysqli_real_escape_string($mysqli,$_POST['description']));
 $reference = strip_tags(mysqli_real_escape_string($mysqli,$_POST['reference']));
- mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = '$amount', revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_updated_at = NOW(), category_id = $category, account_id = $account WHERE revenue_id = $revenue_id");
+ mysqli_query($mysqli,"UPDATE revenues SET revenue_date = '$date', revenue_amount = '$amount', revenue_payment_method = '$payment_method', revenue_reference = '$reference', revenue_description = '$description', revenue_updated_at = NOW(), category_id = $category, account_id = $account WHERE revenue_id = $revenue_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Revenue modified!";
@@ -2159,7 +2170,7 @@ if(isset($_POST['edit_revenue'])){
 if(isset($_GET['delete_revenue'])){
 $revenue_id = intval($_GET['delete_revenue']);
- mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id");
+ mysqli_query($mysqli,"DELETE FROM revenues WHERE revenue_id = $revenue_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Revenue deleted";
@@ -2173,7 +2184,8 @@ if(isset($_GET['pdf_invoice'])){ $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients WHERE invoices.client_id = clients.client_id - AND invoices.invoice_id = $invoice_id" + AND invoices.invoice_id = $invoice_id + AND invoices.company_id = $session_company_id" ); $row = mysqli_fetch_array($sql); @@ -2198,16 +2210,16 @@ if(isset($_GET['pdf_invoice'])){ } $client_website = $row['client_website']; - $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payments.account_id = accounts.account_id AND payments.invoice_id = $invoice_id ORDER BY payments.payment_id DESC"); + $sql_payments = mysqli_query($mysqli,"SELECT * FROM payments, accounts WHERE payments.account_id = accounts.account_id AND payments.invoice_id = $invoice_id AND payments.company_id = $session_company_id ORDER BY payments.payment_id DESC"); //Add up all the payments for the invoice and get the total amount paid to the invoice - $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE invoice_id = $invoice_id"); + $sql_amount_paid = mysqli_query($mysqli,"SELECT SUM(payment_amount) AS amount_paid FROM payments WHERE invoice_id = $invoice_id AND company_id = $session_company_id"); $row = mysqli_fetch_array($sql_amount_paid); $amount_paid = $row['amount_paid']; $balance = $invoice_amount - $amount_paid; - $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id ORDER BY item_id ASC"); + $sql_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE invoice_id = $invoice_id AND company_id = $session_company_id ORDER BY item_id ASC"); while($row = mysqli_fetch_array($sql_items)){ $item_id = $row['item_id']; 
@@ -2417,7 +2429,7 @@ if(isset($_POST['edit_contact'])){
 move_uploaded_file($_FILES['file']['tmp_name'], $path);
 }
- mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_mobile = '$mobile', contact_email = '$email', contact_photo = '$path', contact_updated_at = NOW() WHERE contact_id = $contact_id");
+ mysqli_query($mysqli,"UPDATE contacts SET contact_name = '$name', contact_title = '$title', contact_phone = '$phone', contact_mobile = '$mobile', contact_email = '$email', contact_photo = '$path', contact_updated_at = NOW() WHERE contact_id = $contact_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Contact updated";
@@ -2428,7 +2440,7 @@ if(isset($_POST['edit_contact'])){
 if(isset($_GET['delete_contact'])){
 $contact_id = intval($_GET['delete_contact']);
- mysqli_query($mysqli,"DELETE FROM contacts WHERE contact_id = $contact_id");
+ mysqli_query($mysqli,"DELETE FROM contacts WHERE contact_id = $contact_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Contact deleted";
@@ -2468,7 +2480,7 @@ if(isset($_POST['edit_location'])){
 $phone = preg_replace("/[^0-9]/", '',$phone);
 $hours = strip_tags(mysqli_real_escape_string($mysqli,$_POST['hours']));
- mysqli_query($mysqli,"UPDATE locations SET location_name = '$name', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_updated_at = NOW() WHERE location_id = $location_id");
+ mysqli_query($mysqli,"UPDATE locations SET location_name = '$name', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone = '$phone', location_hours = '$hours', location_updated_at = NOW() WHERE location_id = $location_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Location updated";
@@ -2479,7 +2491,7 @@ if(isset($_POST['edit_location'])){
 if(isset($_GET['delete_location'])){
 $location_id = intval($_GET['delete_location']);
- mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id");
+ mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Location deleted";
@@ -2554,11 +2566,11 @@ if(isset($_POST['edit_asset'])){
 $username = strip_tags(mysqli_real_escape_string($mysqli,$_POST['username']));
 $password = strip_tags(mysqli_real_escape_string($mysqli,$_POST['password']));
- mysqli_query($mysqli,"UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_ip = '$ip', location_id = $location, vendor_id = $vendor, contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_note = '$note', asset_updated_at = NOW(), network_id = $network WHERE asset_id = $asset_id");
+ mysqli_query($mysqli,"UPDATE assets SET asset_name = '$name', asset_type = '$type', asset_make = '$make', asset_model = '$model', asset_serial = '$serial', asset_ip = '$ip', location_id = $location, vendor_id = $vendor, contact_id = $contact, asset_purchase_date = '$purchase_date', asset_warranty_expire = '$warranty_expire', asset_note = '$note', asset_updated_at = NOW(), network_id = $network WHERE asset_id = $asset_id AND company_id = $session_company_id");
 //If login exists then update the login
 if($login_id > 0){
- mysqli_query($mysqli,"UPDATE logins SET login_description = '$name', login_username = '$username', login_password = '$password', login_updated_at = NOW() WHERE login_id = $login_id");
+ mysqli_query($mysqli,"UPDATE logins SET login_description = '$name', login_username = '$username', login_password = '$password', login_updated_at = NOW() WHERE login_id = $login_id AND company_id = $session_company_id");
 }else{
 //If Username is filled in then add a login
 if(!empty($username)) {
@@ -2577,7 +2589,7 @@ if(isset($_POST['edit_asset'])){
 if(isset($_GET['delete_asset'])){
 $asset_id = intval($_GET['delete_asset']);
- mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id");
+ mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Asset deleted";
@@ -2617,7 +2629,7 @@ if(isset($_POST['edit_login'])){
 $asset_id = intval($_POST['asset']);
 $software_id = intval($_POST['software']);
- mysqli_query($mysqli,"UPDATE logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = '$password', login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id");
+ mysqli_query($mysqli,"UPDATE logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = '$password', login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Login updated";
@@ -2628,7 +2640,7 @@ if(isset($_POST['edit_login'])){
 if(isset($_GET['delete_login'])){
 $login_id = intval($_GET['delete_login']);
- mysqli_query($mysqli,"DELETE FROM logins WHERE login_id = $login_id");
+ mysqli_query($mysqli,"DELETE FROM logins WHERE login_id = $login_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Login deleted";
@@ -2665,13 +2677,13 @@ if(isset($_POST['add_file'])){
 if(isset($_GET['delete_file'])){
 $file_id = intval($_GET['delete_file']);
- $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id");
+ $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_file);
 $file_name = $row['file_name'];
 unlink($file_name);
- mysqli_query($mysqli,"DELETE FROM files WHERE file_id = $file_id");
+ mysqli_query($mysqli,"DELETE FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "File deleted";
@@ -2699,7 +2711,7 @@ if(isset($_POST['edit_note'])){
 $subject = strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']));
 $note = strip_tags(mysqli_real_escape_string($mysqli,$_POST['note']));
- mysqli_query($mysqli,"UPDATE notes SET note_subject = '$subject', note_body = '$note', note_updated_at = NOW() WHERE note_id = $note_id");
+ mysqli_query($mysqli,"UPDATE notes SET note_subject = '$subject', note_body = '$note', note_updated_at = NOW() WHERE note_id = $note_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Note updated";
@@ -2710,7 +2722,7 @@ if(isset($_POST['edit_note'])){
 if(isset($_GET['delete_note'])){
 $note_id = intval($_GET['delete_note']);
- mysqli_query($mysqli,"DELETE FROM notes WHERE note_id = $note_id");
+ mysqli_query($mysqli,"DELETE FROM notes WHERE note_id = $note_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Note deleted";
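Review bot: In delete_file, `unlink($file_name)` runs before the scoped DELETE and without checking that the SELECT returned a row, so when the file_id belongs to another company `$file_name` is null and unlink is called on an empty path (a warning or deprecation on current PHP), and when the DELETE fails after a successful unlink the files row is left pointing at a file that no longer exists. Delete the row first, then unlink only when `mysqli_affected_rows($mysqli) > 0`, and check unlink's return value before reporting "File deleted". Since `file_name` is a path read back from the database, confirming it resolves under the upload directory (a `realpath()` prefix check) before unlinking is cheap insurance against a tampered or malformed row.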
@@ -2744,7 +2756,7 @@ if(isset($_POST['edit_network'])){
 $dhcp_range = strip_tags(mysqli_real_escape_string($mysqli,$_POST['dhcp_range']));
 $location_id = intval($_POST['location']);
- mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network = '$network', network_gateway = '$gateway', network_dhcp_range = '$dhcp_range', network_updated_at = NOW(), location_id = $location_id WHERE network_id = $network_id");
+ mysqli_query($mysqli,"UPDATE networks SET network_name = '$name', network = '$network', network_gateway = '$gateway', network_dhcp_range = '$dhcp_range', network_updated_at = NOW(), location_id = $location_id WHERE network_id = $network_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Network updated";
@@ -2755,7 +2767,7 @@ if(isset($_POST['edit_network'])){
 if(isset($_GET['delete_network'])){
 $network_id = intval($_GET['delete_network']);
- mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id");
+ mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Network deleted";
@@ -2793,7 +2805,7 @@ if(isset($_POST['edit_domain'])){
 $expire = "0000-00-00";
 }
- mysqli_query($mysqli,"UPDATE domains SET domain_name = '$name', domain_registrar = $registrar, domain_webhost = $webhost, domain_expire = '$expire', domain_updated_at = NOW() WHERE domain_id = $domain_id");
+ mysqli_query($mysqli,"UPDATE domains SET domain_name = '$name', domain_registrar = $registrar, domain_webhost = $webhost, domain_expire = '$expire', domain_updated_at = NOW() WHERE domain_id = $domain_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Domain updated";
@@ -2804,7 +2816,7 @@ if(isset($_POST['edit_domain'])){
 if(isset($_GET['delete_domain'])){
 $domain_id = intval($_GET['delete_domain']);
- mysqli_query($mysqli,"DELETE FROM domains WHERE domain_id = $domain_id");
+ mysqli_query($mysqli,"DELETE FROM domains WHERE domain_id = $domain_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Domain deleted";
@@ -2846,11 +2858,11 @@ if(isset($_POST['edit_software'])){
 $username = strip_tags(mysqli_real_escape_string($mysqli,$_POST['username']));
 $password = strip_tags(mysqli_real_escape_string($mysqli,$_POST['password']));
- mysqli_query($mysqli,"UPDATE software SET software_name = '$name', software_type = '$type', software_license = '$license', software_updated_at = NOW() WHERE software_id = $software_id");
+ mysqli_query($mysqli,"UPDATE software SET software_name = '$name', software_type = '$type', software_license = '$license', software_updated_at = NOW() WHERE software_id = $software_id AND company_id = $session_company_id");
 //If login exists then update the login
 if($login_id > 0){
- mysqli_query($mysqli,"UPDATE logins SET login_description = '$name', login_username = '$username', login_password = '$password', login_updated_at = NOW() WHERE login_id = $login_id");
+ mysqli_query($mysqli,"UPDATE logins SET login_description = '$name', login_username = '$username', login_password = '$password', login_updated_at = NOW() WHERE login_id = $login_id AND company_id = $session_company_id");
 }else{
 //If Username is filled in then add a login
 if(!empty($username)) {
@@ -2869,7 +2881,7 @@ if(isset($_POST['edit_software'])){
 if(isset($_GET['delete_software'])){
 $software_id = intval($_GET['delete_software']);
- mysqli_query($mysqli,"DELETE FROM software WHERE software_id = $software_id");
+ mysqli_query($mysqli,"DELETE FROM software WHERE software_id = $software_id AND company_id = $session_company_id");
 $_SESSION['alert_message'] = "Software deleted";
@@ -2880,7 +2892,7 @@ if(isset($_GET['delete_software'])){
 if(isset($_GET['force_recurring'])){
 $recurring_id = intval($_GET['force_recurring']);
- $sql_recurring = mysqli_query($mysqli,"SELECT * FROM recurring, clients WHERE clients.client_id = recurring.client_id AND recurring.recurring_id = $recurring_id");
+ $sql_recurring = mysqli_query($mysqli,"SELECT * FROM recurring, clients WHERE clients.client_id = recurring.client_id AND recurring.recurring_id = $recurring_id AND recurring.company_id = $session_company_id");
 $row = mysqli_fetch_array($sql_recurring);
 $recurring_id = $row['recurring_id'];
@@ -2908,7 +2920,7 @@ if(isset($_GET['force_recurring'])){
 $new_invoice_id = mysqli_insert_id($mysqli);
 //Copy Items from original invoice to new invoice
- $sql_invoice_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE recurring_id = $recurring_id ORDER BY item_id ASC");
+ $sql_invoice_items = mysqli_query($mysqli,"SELECT * FROM invoice_items WHERE recurring_id = $recurring_id AND company_id = $session_company_id ORDER BY item_id ASC");
 while($row = mysqli_fetch_array($sql_invoice_items)){
 $item_id = $row['item_id'];
@@ -2926,12 +2938,13 @@ if(isset($_GET['force_recurring'])){ mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Sent', history_description = 'Invoice Generated from Recurring!', history_created_at = NOW(), invoice_id = $new_invoice_id, company_id = $session_company_id"); //update the recurring invoice with the new dates - mysqli_query($mysqli,"UPDATE recurring SET recurring_last_sent = CURDATE(), recurring_next_date = DATE_ADD(CURDATE(), INTERVAL 1 $recurring_frequency), recurring_updated_at = NOW() WHERE recurring_id = $recurring_id"); + mysqli_query($mysqli,"UPDATE recurring SET recurring_last_sent = CURDATE(), recurring_next_date = DATE_ADD(CURDATE(), INTERVAL 1 $recurring_frequency), recurring_updated_at = NOW() WHERE recurring_id = $recurring_id AND company_id = $session_company_id"); if($config_recurring_auto_send_invoice == 1){ $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients WHERE invoices.client_id = clients.client_id - AND invoices.invoice_id = $new_invoice_id" + AND invoices.invoice_id = $new_invoice_id + AND invoices.company_id = $session_company_id" ); $row = mysqli_fetch_array($sql); @@ -2983,7 +2996,7 @@ if(isset($_GET['force_recurring'])){ mysqli_query($mysqli,"INSERT INTO history SET history_date = CURDATE(), history_status = 'Sent', history_description = 'Auto Emailed Invoice!', history_created_at = NOW(), invoice_id = $new_invoice_id, company_id = $session_company_id"); //Update Invoice Status to Sent - mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW(), client_id = $client_id WHERE invoice_id = $new_invoice_id"); + mysqli_query($mysqli,"UPDATE invoices SET invoice_status = 'Sent', invoice_updated_at = NOW(), client_id = $client_id WHERE invoice_id = $new_invoice_id AND company_id = $session_company_id"); }catch(Exception $e){ echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}"; 
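Review bot: `$recurring_frequency` is interpolated unquoted into `INTERVAL 1 $recurring_frequency` in the rewritten recurring UPDATE; where it comes from is outside the hunk, but if it is read back from the recurring row it was presumably user-supplied when the recurring invoice was created, so it should be checked against the fixed set of MySQL interval units before the statement is built, e.g. `if(!in_array($recurring_frequency, ['DAY','WEEK','MONTH','YEAR'], true)){ exit; }` (unit list to be confirmed against what add_recurring stores). The later UPDATE that marks the auto-sent invoice 'Sent' also sets `client_id = $client_id` on every call, which looks like a leftover from an earlier INSERT rather than something a status change should touch. The force_recurring block starts outside this hunk.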
diff --git a/top_nav.php b/top_nav.php
index 2b25340b..adf94bf4 100644
--- a/top_nav.php
+++ b/top_nav.php
@@ -1,6 +1,6 @@
+
+
+
+ +
+ +
+
+
+
+
+ + "> + + + + + + + + + + 2){ + $vendor_phone = substr($row['vendor_phone'],0,3)."-".substr($row['vendor_phone'],3,3)."-".substr($row['vendor_phone'],6,4); + } + $vendor_email = $row['vendor_email']; + $vendor_website = $row['vendor_website']; + ?> + + + + + + + + + + + +
VendorDescriptionContactAccount NumberAction
+ + +
+ + + +
+ + + +
+ +
+ + +
+ + + +
+
+
+ + + +