From f1516b06ee7a9ba8244a3c73e7b9c24a4145dd6e Mon Sep 17 00:00:00 2001
From: o-psi
Date: Thu, 21 Dec 2023 14:37:19 +0000
Subject: [PATCH] Refactor calculateInvoiceBalance function to sanitizr

This commit refactors the calculateInvoiceBalance function in functions.php. The invoice_id parameter is now properly sanitized using intval() to prevent SQL injection attacks. Additionally, the SQL query for retrieving the invoice and payments data has been formatted for better readability.
---
 functions.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/functions.php b/functions.php
index 958ff24b..cc5c5b45 100644
--- a/functions.php
+++ b/functions.php
@@ -892,12 +892,17 @@ function addToMailQueue($mysqli, $data) {
 }
 
 function calculateInvoiceBalance($mysqli, $invoice_id) {
-    $sql_invoice = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_id = $invoice_id");
+    $invoice_id_int = intval($invoice_id);
+    $sql_invoice = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_id = $invoice_id_int");
     $row = mysqli_fetch_array($sql_invoice);
     $invoice_amount = floatval($row['invoice_amount']);
-    $invoice_id = intval($row['invoice_id']);
-    $sql_payments = mysqli_query($mysqli, "SELECT SUM(payment_amount) AS total_payments FROM payments WHERE payment_invoice_id = $invoice_id");
+    $sql_payments = mysqli_query(
+        $mysqli,
+        "SELECT SUM(payment_amount) AS total_payments FROM payments
+        WHERE payment_invoice_id = $invoice_id
+        ");
+
     $row = mysqli_fetch_array($sql_payments);
     $total_payments = floatval($row['total_payments']);