From e8b13c6058a155fbc988eeea6cdc37e44d49a4b9 Mon Sep 17 00:00:00 2001 From: "johnny@pittpc.com" Date: Sat, 4 Jan 2020 19:52:41 -0500 Subject: [PATCH] Added AES Encryption to client Logins Password Fields, updated DB modified field login_password from VARCHAR to VARBINARY to store password as encrypted, added additonal field to settings called config_aes_key the key is used to decrypt client login passwords, removed invoice, vendor, locaiton linkage in trips, other small cleanups fixups and UI updates, NOTE this will break existing install due to the db being updated --- add_calendar_event_modal.php | 2 +- add_client_modal.php | 9 +--- add_trip_copy_modal.php | 77 --------------------------- add_trip_modal.php | 77 --------------------------- client_assets.php | 2 +- client_logins.php | 6 +-- client_payments.php | 12 +++-- client_print.php | 17 ++++-- clients.php | 2 +- dashboard.php | 97 ++++++++++++++++++++++++++++++++++- db.sql | 16 +++--- edit_calendar_event_modal.php | 5 +- edit_client_modal.php | 13 +---- edit_trip_modal.php | 78 +--------------------------- expenses.php | 8 +-- get_settings.php | 22 +------- pagination.php | 2 +- post.php | 31 +++++++---- settings-general.php | 11 ++++ trips.php | 3 -- 20 files changed, 171 insertions(+), 319 deletions(-) diff --git a/add_calendar_event_modal.php b/add_calendar_event_modal.php index 221b1941..83d16eb7 100644 --- a/add_calendar_event_modal.php +++ b/add_calendar_event_modal.php @@ -79,7 +79,7 @@ $client_name = $row['client_name']; $client_email = $row['client_email']; ?> - +
- +
- +
diff --git a/add_trip_copy_modal.php b/add_trip_copy_modal.php index ce22f09a..c390b67a 100644 --- a/add_trip_copy_modal.php +++ b/add_trip_copy_modal.php @@ -82,34 +82,6 @@
-
- -
-
- -
- -
-
-
@@ -134,55 +106,6 @@
-
- -
-
- -
- -
-
- -
- -
-
- -
- -
-
-
diff --git a/add_trip_modal.php b/add_trip_modal.php index 41f2fd1b..ef77053b 100644 --- a/add_trip_modal.php +++ b/add_trip_modal.php @@ -75,34 +75,6 @@ diff --git a/client_assets.php b/client_assets.php index 9b79eea4..ecbb7c24 100644 --- a/client_assets.php +++ b/client_assets.php @@ -126,7 +126,7 @@ $total_pages = ceil($total_found_rows / 10); $device_icon = "tag"; } - $sql_logins = mysqli_query($mysqli,"SELECT * FROM logins WHERE asset_id = $asset_id"); + $sql_logins = mysqli_query($mysqli,"SELECT *, AES_DECRYPT(login_password, '$config_aes_key') AS login_password FROM logins WHERE asset_id = $asset_id"); $row = mysqli_fetch_array($sql_logins); $login_id = $row['login_id']; $login_username = $row['login_username']; diff --git a/client_logins.php b/client_logins.php index e0129584..8f52551f 100644 --- a/client_logins.php +++ b/client_logins.php @@ -40,9 +40,9 @@ if(isset($_GET['o'])){ } -$sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM logins +$sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS *, AES_DECRYPT(login_password, '$config_aes_key') AS login_password FROM logins WHERE client_id = $client_id - AND (login_description LIKE '%$q%' OR login_username LIKE '%$q%' OR login_password LIKE '%$q%') + AND (login_description LIKE '%$q%' OR login_username LIKE '%$q%') ORDER BY $sb $o LIMIT $record_from, $record_to"); $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); @@ -74,7 +74,7 @@ $total_pages = ceil($total_found_rows / 10); Description Username - Password + Password Action diff --git a/client_payments.php b/client_payments.php index 5d621960..ff97f15e 100644 --- a/client_payments.php +++ b/client_payments.php 
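Review bot: The AES key is spliced into the statement text in `AES_DECRYPT(login_password, '$config_aes_key')`, so it is written to the general/slow query logs and shown in `SHOW PROCESSLIST` and in any query-error output right next to the ciphertext it protects; the same pattern recurs in the client_logins.php hunk and in the `AES_ENCRYPT` calls in post.php. Passing the key as a bound parameter (`mysqli_prepare($mysqli, "SELECT *, AES_DECRYPT(login_password, ?) AS login_password FROM logins WHERE asset_id = ?")`) keeps it out of the logged statement and also removes the interpolation of `$asset_id` on the same line. Since `config_aes_key` lives in the `settings` table of the same database (see db.sql in this patch), anyone able to read the database can read the key as well, so the threat model should be stated where the decryption happens, e.g. `// login_password is AES-encrypted with the per-company config_aes_key from settings; this hides passwords from casual reads and backups, not from anyone with database access`. The loop around this query starts and ends outside the hunk.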
@@ -40,7 +40,7 @@ if(isset($_GET['o'])){ } -$sql = mysqli_query($mysqli,"SELECT * FROM payments, invoices, accounts +$sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM payments, invoices, accounts WHERE invoices.client_id = $client_id AND payments.invoice_id = invoices.invoice_id AND payments.account_id = accounts.account_id @@ -73,11 +73,13 @@ $total_pages = ceil($total_found_rows / 10); "> - + - + + + @@ -87,8 +89,10 @@ $total_pages = ceil($total_found_rows / 10); $invoice_id = $row['invoice_id']; $invoice_number = $row['invoice_number']; $invoice_status = $row['invoice_status']; + $invoice_amount = $row['invoice_amount']; $payment_date = $row['payment_date']; $payment_method = $row['payment_method']; + $payment_reference = $row['payment_reference']; $payment_amount = $row['payment_amount']; $account_name = $row['account_name']; @@ -97,9 +101,11 @@ $total_pages = ceil($total_found_rows / 10); + + - + + - - + + + @@ -553,19 +555,24 @@ if(isset($_GET['client_id'])){ $invoice_id = $row['invoice_id']; $invoice_number = $row['invoice_number']; $invoice_status = $row['invoice_status']; + $invoice_amount = $row['invoice_amount']; + $invoice_due = $row['invoice_due']; $payment_date = $row['payment_date']; - $payment_method = $row['payment_method']; $payment_amount = $row['payment_amount']; + $payment_method = $row['payment_method']; $payment_reference = $row['payment_reference']; $account_name = $row['account_name']; + $invoice_balance = $invoice_amount - $payment_amount; ?> + + - + diff --git a/clients.php b/clients.php index 6a23b323..a4e13e5c 100644 --- a/clients.php +++ b/clients.php @@ -78,7 +78,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); -
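Review bot: `$invoice_balance = $invoice_amount - $payment_amount;` in the `@@ -553,19 +555,24 @@` hunk is computed per payment row, so for an invoice with more than one payment each row shows the invoice total minus only that row's payment rather than the remaining balance; a `SUM(payment_amount)` grouped by `invoice_id`, or a running total accumulated across the loop, is needed if the column is meant to be a balance. The file header for that hunk did not survive this rendering; from the diffstat it appears to belong to client_print.php, and the enclosing `if(isset($_GET['client_id']))` block starts outside the hunk. The new column headings also appear to spell `Recieved` and `Payed` (`Date Recieved`, `Amount Payed`); `Received` and `Paid` would be correct.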
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/dashboard.php b/dashboard.php index 0e865ad7..394bd38e 100644 --- a/dashboard.php +++ b/dashboard.php @@ -226,6 +226,25 @@ $total_recurring_invoice_amount = $row['total_recurring_invoice_amount'];
+
+
+
+

Trip Flow

+
+ + + + +
+
+
+ +
+
+
+
@@ -510,8 +529,8 @@ var myLineChart = new Chart(ctx, { datasets: [{ label: "Expense", lineTension: 0.3, - backgroundColor: "rgba(2,117,216,0.2)", - borderColor: "rgba(2,117,216,1)", + backgroundColor: "rgba(2,2,216,0.2)", + borderColor: "rgba(2,2,216,1)", pointRadius: 5, pointBackgroundColor: "rgba(2,117,216,1)", pointBorderColor: "rgba(255,255,255,0.8)", @@ -573,7 +592,81 @@ var myLineChart = new Chart(ctx, { } }); +// Set new default font family and font color to mimic Bootstrap's default styling +Chart.defaults.global.defaultFontFamily = '-apple-system,system-ui,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,sans-serif'; +Chart.defaults.global.defaultFontColor = '#292b2c'; +// Area Chart Example +var ctx = document.getElementById("tripFlow"); +var myLineChart = new Chart(ctx, { + type: 'line', + data: { + labels: ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], + datasets: [{ + label: "Trip", + lineTension: 0.3, + backgroundColor: "red", + borderColor: "darkred", + pointRadius: 5, + pointBackgroundColor: "red", + pointBorderColor: "red", + pointHoverRadius: 5, + pointHoverBackgroundColor: "darkred", + pointHitRadius: 50, + pointBorderWidth: 2, + data: [ + 0 AND $trip_miles_for_month > $largest_trip_miles_month){ + $largest_trip_miles_month = $trip_miles_for_month; + } + + + ?> + + + + + ], + }], + }, + options: { + scales: { + xAxes: [{ + time: { + unit: 'date' + }, + gridLines: { + display: false + }, + ticks: { + maxTicksLimit: 12 + } + }], + yAxes: [{ + ticks: { + min: 0, + max: , + maxTicksLimit: 5 + }, + gridLines: { + color: "rgba(0, 0, 0, .125)", + } + }], + }, + legend: { + display: false + } + } +}); // Set new default font family and font color to mimic Bootstrap's default styling Chart.defaults.global.defaultFontFamily = '-apple-system,system-ui,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,sans-serif'; diff --git a/db.sql b/db.sql index c4dd27af..b5654e85 100644 --- a/db.sql +++ b/db.sql 
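Review bot: The new Trip Flow chart block redeclares `var ctx` and `var myLineChart`, the same names the Expense chart above it uses in the same script scope, so `var` silently rebinds them and anything later referring to `myLineChart` gets the trip chart; the file seems to repeat this copy-paste pattern per chart, but distinct names such as `var tripCtx` and `var tripFlowChart` avoid the ambiguity. In the `@@ -510,8 +529,8 @@` hunk the Expense chart's `backgroundColor` and `borderColor` move to `rgba(2,2,216,…)` while `pointBackgroundColor` stays at `rgba(2,117,216,1)`, which looks like an incomplete recolour. The `$largest_trip_miles_month` accumulator feeding the y-axis `max` is only raised inside the data loop and its initialisation is not visible here, so for a company with no trips it may stay at 0 and leave the axis at `min: 0, max: 0`; a floor such as `max: <?php echo max($largest_trip_miles_month, 1); ?>` would guard that (the original echo is lost in this rendering, so this is inferred).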
@@ -1,8 +1,8 @@ --- MariaDB dump 10.17 Distrib 10.4.8-MariaDB, for debian-linux-gnu (x86_64) +-- MariaDB dump 10.17 Distrib 10.4.10-MariaDB, for debian-linux-gnu (x86_64) -- --- Host: localhost Database: admin_crm +-- Host: 127.0.0.1 Database: admin_crm -- ------------------------------------------------------ --- Server version 10.4.8-MariaDB-1:10.4.8+maria~bionic +-- Server version 10.4.10-MariaDB-1:10.4.10+maria~bionic /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; @@ -388,7 +388,7 @@ CREATE TABLE `logins` ( `login_description` varchar(200) NOT NULL, `login_web_link` varchar(200) DEFAULT NULL, `login_username` varchar(200) NOT NULL, - `login_password` varchar(200) NOT NULL, + `login_password` varbinary(200) DEFAULT NULL, `login_note` text DEFAULT NULL, `login_created_at` datetime NOT NULL, `login_updated_at` datetime DEFAULT NULL, @@ -619,6 +619,7 @@ CREATE TABLE `settings` ( `config_invoice_next_number` int(11) DEFAULT NULL, `config_recurring_auto_send_invoice` int(1) DEFAULT NULL, `config_api_key` varchar(200) DEFAULT NULL, + `config_aes_key` varchar(250) DEFAULT NULL, `config_invoice_prefix` varchar(200) DEFAULT NULL, `config_send_invoice_reminders` int(1) DEFAULT NULL, `config_invoice_overdue_reminders` varchar(200) DEFAULT NULL, @@ -632,6 +633,7 @@ CREATE TABLE `settings` ( `config_stripe_enable` int(1) DEFAULT NULL, `config_stripe_publishable` varchar(255) DEFAULT NULL, `config_stripe_secret` varchar(255) DEFAULT NULL, + `config_base_url` varchar(200) DEFAULT NULL, PRIMARY KEY (`company_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; /*!40101 SET character_set_client = @saved_cs_client */; 
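Review bot: `login_password varbinary(200)` cannot hold the ciphertext of the longest password the previous `varchar(200)` accepted: `AES_ENCRYPT` pads to a 16-byte boundary (output is `16 * (FLOOR(len / 16) + 1)` bytes), so a 200-byte password becomes 208 bytes, and because the table is utf8mb4 a 200-character password can be 800 bytes, i.e. 816 bytes encrypted; in non-strict SQL mode the value is silently truncated and can never be decrypted, in strict mode the INSERT fails. `varbinary(816)` or `blob` preserves the old limit. The `@@ -619,6 +619,7 @@` hunk places `config_aes_key` in the same `settings` table as the data it protects, so a single dump contains both; that limit deserves a comment in the schema, e.g. `-- config_aes_key: key for logins.login_password; stored alongside the data, so it protects backups and screens, not database access`. The patch ships only a fresh dump, so existing installs need an explicit migration (`ALTER TABLE logins MODIFY login_password varbinary(816) DEFAULT NULL;` followed by `UPDATE logins SET login_password = AES_ENCRYPT(login_password, '<config_aes_key>');`), otherwise the plaintext rows already present decrypt to NULL or garbage and show as empty in client_logins.php.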
@@ -740,9 +742,6 @@ CREATE TABLE `trips` ( `trip_created_at` datetime NOT NULL DEFAULT current_timestamp(), `trip_updated_at` datetime DEFAULT NULL, `client_id` int(11) DEFAULT NULL, - `invoice_id` int(11) DEFAULT NULL, - `location_id` int(11) DEFAULT NULL, - `vendor_id` int(11) DEFAULT NULL, `company_id` int(11) NOT NULL, PRIMARY KEY (`trip_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; @@ -777,7 +776,6 @@ CREATE TABLE `users` ( `avatar` varchar(200) DEFAULT NULL, `created_at` datetime NOT NULL, `updated_at` datetime DEFAULT NULL, - `client_id` int(11) NOT NULL DEFAULT 0, PRIMARY KEY (`user_id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; /*!40101 SET character_set_client = @saved_cs_client */; @@ -819,4 +817,4 @@ CREATE TABLE `vendors` ( /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; --- Dump completed on 2019-09-28 14:15:08 +-- Dump completed on 2020-01-04 19:47:01 diff --git a/edit_calendar_event_modal.php b/edit_calendar_event_modal.php index 3a458f10..7a9f8c04 100644 --- a/edit_calendar_event_modal.php +++ b/edit_calendar_event_modal.php @@ -76,9 +76,8 @@ while($row = mysqli_fetch_array($sql_clients)){ $client_id_select = $row['client_id']; $client_name_select = $row['client_name']; - $client_email_select = $row['client_email']; ?> - + diff --git a/edit_client_modal.php b/edit_client_modal.php index 82970936..abf86119 100644 --- a/edit_client_modal.php +++ b/edit_client_modal.php @@ -43,21 +43,12 @@
- +
- +
diff --git a/edit_trip_modal.php b/edit_trip_modal.php index 9ea2f213..a27c4628 100644 --- a/edit_trip_modal.php +++ b/edit_trip_modal.php @@ -83,34 +83,6 @@
-
- -
-
- -
- -
-
-
@@ -134,55 +106,7 @@
- -
- -
-
- -
- -
-
- -
- -
-
- -
- -
-
+
diff --git a/expenses.php b/expenses.php index 184fe205..18b3a2f1 100644 --- a/expenses.php +++ b/expenses.php @@ -39,12 +39,6 @@ $disp = "ASC"; } - if(isset($_GET['category'])){ - $category = $_GET['category']; - }else{ - $category = '%'; - } - //Date From and Date To Filter if(!empty($_GET['dtf'])){ $dtf = $_GET['dtf']; @@ -89,7 +83,7 @@
-
" id="advancedFilter"> +
" id="advancedFilter">
diff --git a/get_settings.php b/get_settings.php index 39ffc81f..6b1d5459 100644 --- a/get_settings.php +++ b/get_settings.php @@ -57,29 +57,10 @@ $config_stripe_publishable = $row['config_stripe_publishable']; $config_stripe_secret = $row['config_stripe_secret']; $config_api_key = $row['config_api_key']; +$config_aes_key = $row['config_aes_key']; $config_base_url = $row['config_base_url']; $config_enable_cron = $row['config_enable_cron']; -$client_types_array = array( - 'Residential', - 'Law', - 'Tax and Accounting', - 'General Contractor', - 'Medical', - 'Non Profit', - 'Industrial', - 'Automotive', - 'Retail', - 'Staffing Agency', - 'Photography', - 'Restaurant', - 'Bar', - 'Real Estate', - 'Dental', - 'Farm', - 'Other' -); - $net_terms_array = array( '0'=>'On Reciept', '7'=>'7 Days', @@ -177,4 +158,5 @@ $software_types_array = array( 'Desktop App', 'Other' ); + ?> \ No newline at end of file diff --git a/pagination.php b/pagination.php index 911a2ed9..da2b6613 100644 --- a/pagination.php +++ b/pagination.php @@ -64,7 +64,7 @@ if ($total_found_rows > 10) { } if($total_found_rows == 0){ -echo "

No Records Here

"; + echo "

No Records Here

"; }else{ echo "

Records: $total_found_rows
"; } diff --git a/post.php b/post.php index 8657e2d3..5016e36f 100644 --- a/post.php +++ b/post.php @@ -177,6 +177,8 @@ if(isset($_POST['verify'])){ if(isset($_POST['edit_general_settings'])){ $config_api_key = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_api_key'])); + $old_aes_key = $config_aes_key; + $config_aes_key = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_aes_key'])); $config_base_url = strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_base_url'])); $path = "$config_invoice_logo"; @@ -191,7 +193,20 @@ if(isset($_POST['edit_general_settings'])){ move_uploaded_file($_FILES['file']['tmp_name'], $path); } - mysqli_query($mysqli,"UPDATE settings SET config_invoice_logo = '$path', config_api_key = '$config_api_key', config_base_url = '$config_base_url' WHERE company_id = $session_company_id"); + mysqli_query($mysqli,"UPDATE settings SET config_invoice_logo = '$path', config_api_key = '$config_api_key', config_aes_key = '$config_aes_key', config_base_url = '$config_base_url' WHERE company_id = $session_company_id"); + + //Update AES key on client_logins if changed + if($old_aes_key != $config_aes_key){ + $sql = mysqli_query($mysqli,"SELECT login_id, AES_DECRYPT(login_password, '$old_aes_key') AS old_login_password FROM logins + WHERE company_id = $session_company_id"); + + while($row = mysqli_fetch_array($sql)){ + $login_id = $row['login_id']; + $old_login_password = $row['old_login_password']; + + mysqli_query($mysqli,"UPDATE logins SET login_password = AES_ENCRYPT('$old_login_password','$config_aes_key') WHERE login_id = $login_id"); + } + } //logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Modified', log_description = 'General', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id"); 
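Review bot: The re-encryption loop writes the decrypted plaintext straight into the next statement, `AES_ENCRYPT('$old_login_password','$config_aes_key')`, with no `mysqli_real_escape_string`, so a stored password containing `'` or `\` breaks that UPDATE (and is a second-order injection vector), leaving the row encrypted under the old key while `settings` already holds the new one. The loop also has no all-or-nothing guarantee and never checks that the old key actually decrypted the row: `AES_DECRYPT` returns NULL when key or data do not match, `AES_ENCRYPT(NULL, …)` is NULL, and the settings UPDATE runs before the loop, so a partial failure or a stale `$config_aes_key` in memory destroys every client password with nothing to roll back to. The rewrite below escapes the plaintext and the old key, skips rows with no password, aborts when a row does not decrypt, runs inside a transaction (the tables are InnoDB per db.sql) and writes `config_aes_key` to `settings` only after the commit. The enclosing `if(isset($_POST['edit_general_settings']))` block starts in the previous hunk and continues after this one.

```php
mysqli_query($mysqli,"UPDATE settings SET config_invoice_logo = '$path', config_api_key = '$config_api_key', config_base_url = '$config_base_url' WHERE company_id = $session_company_id");

//Re-encrypt client login passwords if the key changed: all-or-nothing, and abort if a row does not decrypt
if($old_aes_key != $config_aes_key){
    $old_aes_key_sql = mysqli_real_escape_string($mysqli, $old_aes_key);
    $rekey_ok = true;
    mysqli_begin_transaction($mysqli);
    $sql = mysqli_query($mysqli,"SELECT login_id, AES_DECRYPT(login_password, '$old_aes_key_sql') AS old_login_password FROM logins
        WHERE company_id = $session_company_id AND login_password IS NOT NULL");

    while($row = mysqli_fetch_array($sql)){
        $login_id = intval($row['login_id']);
        // NULL here means the ciphertext does not decrypt under the old key; re-encrypting it would destroy the password
        if($row['old_login_password'] === null){
            $rekey_ok = false;
            break;
        }
        $old_login_password = mysqli_real_escape_string($mysqli, $row['old_login_password']);
        $rekey_ok = mysqli_query($mysqli,"UPDATE logins SET login_password = AES_ENCRYPT('$old_login_password','$config_aes_key') WHERE login_id = $login_id AND company_id = $session_company_id") && $rekey_ok;
    }

    if($rekey_ok){
        mysqli_query($mysqli,"UPDATE settings SET config_aes_key = '$config_aes_key' WHERE company_id = $session_company_id");
        mysqli_commit($mysqli);
    }else{
        mysqli_rollback($mysqli);
    }
}
// … unchanged: logging …
```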
@@ -903,11 +918,8 @@ if(isset($_POST['add_trip'])){ $roundtrip = intval($_POST['roundtrip']); $purpose = strip_tags(mysqli_real_escape_string($mysqli,$_POST['purpose'])); $client_id = intval($_POST['client']); - $invoice_id = intval($_POST['invoice']); - $location_id = intval($_POST['location']); - $vendor_id = intval($_POST['vendor']); - mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_created_at = NOW(), client_id = $client_id, invoice_id = $invoice_id, location_id = $location_id, vendor_id = $vendor_id, company_id = $session_company_id"); + mysqli_query($mysqli,"INSERT INTO trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, round_trip = $roundtrip, trip_purpose = '$purpose', trip_created_at = NOW(), client_id = $client_id, company_id = $session_company_id"); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Trip', log_action = 'Created', log_description = '$date', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id"); 
@@ -928,11 +940,8 @@ if(isset($_POST['edit_trip'])){ $roundtrip = intval($_POST['roundtrip']); $purpose = strip_tags(mysqli_real_escape_string($mysqli,$_POST['purpose'])); $client_id = intval($_POST['client']); - $invoice_id = intval($_POST['invoice']); - $location_id = intval($_POST['location']); - $vendor_id = intval($_POST['vendor']); - mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_updated_at = NOW(), client_id = $client_id, invoice_id = $invoice_id, location_id = $location_id, vendor_id = $vendor_id WHERE trip_id = $trip_id AND company_id = $session_company_id"); + mysqli_query($mysqli,"UPDATE trips SET trip_date = '$date', trip_starting_location = '$starting_location', trip_destination = '$destination', trip_miles = $miles, trip_purpose = '$purpose', round_trip = $roundtrip, trip_updated_at = NOW(), client_id = $client_id WHERE trip_id = $trip_id AND company_id = $session_company_id"); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Trip', log_action = 'Modified', log_description = '$date', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id"); 
@@ -3009,7 +3018,7 @@ if(isset($_POST['add_login'])){ $asset_id = intval($_POST['asset']); $software_id = intval($_POST['software']); - mysqli_query($mysqli,"INSERT INTO logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = '$password', login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id"); + mysqli_query($mysqli,"INSERT INTO logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id"); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Created', log_description = '$description', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id"); 
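Review bot: Nothing checks that `$config_aes_key` is set before `AES_ENCRYPT('$password','$config_aes_key')` runs, so on an installation where the admin has not yet filled in the new settings field (the column is `DEFAULT NULL` in db.sql) every password is encrypted under an empty key, which looks like a real ciphertext in the table and is only noticed once a key is later set; the same applies to the `edit_login` hunk below. A guard ahead of the INSERT, e.g. `if($config_aes_key == ''){ die('config_aes_key is not set in General Settings'); }`, makes the misconfiguration visible instead of silent. The INSERT also deserves a comment on what the primitive gives: on the MariaDB 10.4 server named in db.sql `AES_ENCRYPT` is, as far as I know, AES-128-ECB with no IV and the key folded to 16 bytes, so two logins with the same password produce identical ciphertext and the key is visible in query logs, e.g. `// AES_ENCRYPT here is ECB without IV: equal passwords give equal ciphertext, and the key appears in the statement text`. The enclosing `if(isset($_POST['add_login']))` block starts outside the hunk.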
@@ -3032,7 +3041,7 @@ if(isset($_POST['edit_login'])){ $asset_id = intval($_POST['asset']); $software_id = intval($_POST['software']); - mysqli_query($mysqli,"UPDATE logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = '$password', login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id"); + mysqli_query($mysqli,"UPDATE logins SET login_description = '$description', login_web_link = '$web_link', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id"); //Logging mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Modified', log_description = '$description', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id"); diff --git a/settings-general.php b/settings-general.php index e14edc8f..dcfabdc1 100644 --- a/settings-general.php +++ b/settings-general.php @@ -19,6 +19,17 @@
+
+ +
+
+ +
+ +
+ This will also update the key on all client logins +
+
diff --git a/trips.php b/trips.php index 05152d0e..a671101a 100644 --- a/trips.php +++ b/trips.php @@ -99,9 +99,6 @@ $trip_miles = $row['trip_miles']; $round_trip = $row['round_trip']; $client_id = $row['client_id']; - $invoice_id = $row['invoice_id']; - $location_id = $row['location_id']; - $vendor_id = $row['vendor_id']; if($round_trip == 1){ $round_tip_display = "";
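Review bot: The help text `This will also update the key on all client logins` is the only indication that this field re-keys every stored client password, and post.php applies the typed value immediately with no confirmation or verification step, so a mistyped key takes effect at once; the text should say that the key must be kept safely and that losing it makes the stored passwords unrecoverable, e.g. `Changing this re-encrypts every client login password with the new key. Keep a copy: passwords cannot be recovered without it.` The input's attributes are not visible in this rendering; if it echoes the current key as a plain `type="text"` field, `type="password"` with `autocomplete="off"` keeps it off screen captures and out of browser form history. The surrounding form starts and ends outside the hunk.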
DateDate Recieved InvoiceAmountInvoice AmountPayment Amount Account MethodReference
$ $
DateDate RecievedDate Due InvoiceAmountAccountinitial Invoice AmountAmount PayedInvoice Balance Method Check #
$ $$