From efcc0fd5cb5c6d1b8fcb459252a4ef12fb5c095a Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sun, 16 Nov 2025 15:33:45 -0500
Subject: [PATCH] Add Where clause to only accept saved payment by logged in session_client_id in Client Portal
---
 client/post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/post.php b/client/post.php
index ce0f4a38..c61bff63 100644
--- a/client/post.php
+++ b/client/post.php
@@ -440,7 +440,7 @@ if (isset($_GET['add_payment_by_provider'])) {
 $sql = mysqli_query($mysqli,"SELECT * FROM invoices
 LEFT JOIN clients ON invoice_client_id = client_id
 LEFT JOIN contacts ON client_id = contact_client_id AND contact_primary = 1
- WHERE invoice_id = $invoice_id"
+ WHERE invoice_id = $invoice_id AND client_id = $session_client_id"
 );
 $row = mysqli_fetch_array($sql);
 $invoice_number = intval($row['invoice_number']);
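Review bot: The added `AND client_id = $session_client_id` makes the query return no row for an invoice owned by another client, but the lines after it still read `$row['invoice_number']` with no check, so `$row` is null and the handler would carry on with zeroed values unless something outside this hunk stops it. Add an explicit guard right after the fetch, e.g. `if (!$row) { http_response_code(403); exit; }` (or the portal's own error/redirect path), and log the mismatch, since a request for another client's invoice is worth alerting on. Both values are interpolated into the SQL string and their casts are not visible here, so confirm each is passed through `intval()` before this point or move the query to a prepared statement with bound integers. The `add_payment_by_provider` block starts and ends outside the hunk.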