From f2a45ce518a1f6141faca79411c56b8d95ca9466 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Sun, 19 Feb 2023 21:37:24 -0500
Subject: [PATCH] UI/sanitizeInput work on Trips

---
 client_trips.php    | 40 ++++++++++++++++++++++++----------------
 trip_add_modal.php  | 10 +++++-----
 trip_copy_modal.php | 10 +++++-----
 trip_edit_modal.php | 10 +++++-----
 trips.php           | 38 +++++++++++++++++++++++---------------
 5 files changed, 62 insertions(+), 46 deletions(-)

diff --git a/client_trips.php b/client_trips.php
index 51456060..d6010fa2 100644
--- a/client_trips.php
+++ b/client_trips.php
@@ -3,7 +3,7 @@
 require_once("inc_all_client.php");
 
 if (!empty($_GET['sb'])) {
-    $sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb']));
+    $sb = sanitizeInput($_GET['sb']);
 } else {
     $sb = "trip_date";
 }
@@ -16,8 +16,8 @@ if (!isset($_GET['o'])) {
 
 //Date From and Date To Filter
 if (isset($_GET['dtf'])) {
-    $dtf = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtf']));
-    $dtt = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtt']));
+    $dtf = sanitizeInput($_GET['dtf']);
+    $dtt = sanitizeInput($_GET['dtt']);
 } else {
     $dtf = "0000-00-00";
     $dtt = "9999-00-00";
@@ -42,9 +42,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
     <div class="card card-dark">
         <div class="card-header py-2">
-            <h3 class="card-title mt-2"><i class="fa fa-fw fa-route"></i> Trips</h3>
+            <h3 class="card-title mt-2"><i class="fas fa-route mr-2"></i>Trips</h3>
             <div class="card-tools">
-                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addTripModal"><i class="fas fa-fw fa-plus"></i> New Trip</button>
+                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addTripModal"><i class="fas fa-plus mr-2"></i>New Trip</button>
             </div>
         </div>
         <div class="card-body">
@@ -54,7 +54,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
                     <div class="col-md-4">
                         <div class="input-group mb-3 mb-md-0">
-                            <input type="search" class="form-control" name="q" value="<?php if (isset($q)) { echo strip_tags(htmlentities($q)); } ?>" placeholder="Search Trips">
+                            <input type="search" class="form-control" name="q" value="<?php if (isset($q)) { echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Trips">
                             <div class="input-group-append">
                                 <button class="btn btn-dark"><i class="fa fa-search"></i></button>
                             </div>
@@ -63,8 +63,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
                     <div class="col-md-8">
                         <div class="float-right">
-                            <a href="post.php?export_client_trips_csv=<?php echo $client_id; ?>" class="btn btn-default"><i class="fa fa-fw fa-download"></i> Export</a>
-                            <a href="#" class="btn btn-default"><i class="fa fa-fw fa-upload"></i> Import</a>
+                            <a href="post.php?export_client_trips_csv=<?php echo $client_id; ?>" class="btn btn-default"><i class="fa fa-fw fa-download mr-2"></i>Export</a>
+                            <a href="#" class="btn btn-default"><i class="fa fa-fw fa-upload mr-2"></i>Import</a>
                         </div>
                     </div>
 
@@ -88,15 +88,15 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                     <?php
 
                     while ($row = mysqli_fetch_array($sql)) {
-                        $trip_id = $row['trip_id'];
-                        $trip_date = $row['trip_date'];
+                        $trip_id = intval($row['trip_id']);
+                        $trip_date = htmlentities($row['trip_date']);
                         $trip_purpose = htmlentities($row['trip_purpose']);
                         $trip_source = htmlentities($row['trip_source']);
                         $trip_destination = htmlentities($row['trip_destination']);
                         $trip_miles = htmlentities($row['trip_miles']);
-                        $trip_user_id = $row['trip_user_id'];
+                        $trip_user_id = intval($row['trip_user_id']);
                         $round_trip = htmlentities($row['round_trip']);
-                        $client_id = $row['trip_client_id'];
+                        $client_id = intval($row['trip_client_id']);
 
                         if ($round_trip == 1) {
                             $round_trip_display = "<i class='fa fa-fw fa-sync-alt text-secondary'></i>";
@@ -124,12 +124,20 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                         <i class="fas fa-ellipsis-h"></i>
                                     </button>
                                     <div class="dropdown-menu">
-                                        <a class="dropdown-item" href="//maps.google.com?q=<?php echo $trip_source; ?> to <?php echo $trip_destination; ?>" target="_blank">Map it</a>
+                                        <a class="dropdown-item" href="//maps.google.com?q=<?php echo $trip_source; ?> to <?php echo $trip_destination; ?>" target="_blank">
+                                            <i class="fa fa-fw fa-map-marker mr-2"></i>Map it
+                                        </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTripModal<?php echo $trip_id; ?>">Edit</a>
-                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#addTripCopyModal<?php echo $trip_id; ?>">Copy</a>
+                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTripModal<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-edit mr-2"></i>Edit
+                                        </a>
+                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#addTripCopyModal<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-copy mr-2"></i>Copy
+                                        </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger" href="post.php?delete_trip=<?php echo $trip_id; ?>">Delete</a>
+                                        <a class="dropdown-item text-danger" href="post.php?delete_trip=<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-trash mr-2"></i>Delete
+                                        </a>
                                     </div>
                                 </div>
                             </td>
diff --git a/trip_add_modal.php b/trip_add_modal.php
index 983977b1..b2edb92b 100644
--- a/trip_add_modal.php
+++ b/trip_add_modal.php
@@ -2,7 +2,7 @@
     <div class="modal-dialog">
         <div class="modal-content bg-dark">
             <div class="modal-header">
-                <h5 class="modal-title"><i class="fa fa-fw fa-route"></i> New Trip</h5>
+                <h5 class="modal-title"><i class="fa fa-route mr-2"></i>New Trip</h5>
                 <button type="button" class="close text-white" data-dismiss="modal">
                     <span>&times;</span>
                 </button>
@@ -75,7 +75,7 @@
                                 // WIP Need to only show users within the session company
                                 $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id IN('$session_user_company_access') ORDER BY user_name ASC");
                                 while ($row = mysqli_fetch_array($sql)) {
-                                    $user_id = $row['user_id'];
+                                    $user_id = intval($row['user_id']);
                                     $user_name = htmlentities($row['user_name']);
                                     ?>
                                     <option <?php if ($session_user_id == $user_id) { echo "selected"; } ?> value="<?php echo $user_id; ?>"><?php echo $user_name; ?></option>
@@ -103,7 +103,7 @@
 
                                     $sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC");
                                     while ($row = mysqli_fetch_array($sql)) {
-                                        $client_id = $row['client_id'];
+                                        $client_id = intval($row['client_id']);
                                         $client_name = htmlentities($row['client_name']);
                                         ?>
                                         <option value="<?php echo $client_id; ?>"><?php echo $client_name; ?></option>
@@ -120,8 +120,8 @@
                 </div>
 
                 <div class="modal-footer bg-white">
-                    <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">Cancel</button>
-                    <button type="submit" name="add_trip" class="btn btn-primary text-bold"><i class="fa fa-fw fa-check"></i> Create</button>
+                    <button type="submit" name="add_trip" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Create</button>
+                    <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
                 </div>
             </form>
         </div> <!-- Modal Content -->
diff --git a/trip_copy_modal.php b/trip_copy_modal.php
index 460c2b37..4b8a66d5 100644
--- a/trip_copy_modal.php
+++ b/trip_copy_modal.php
@@ -2,7 +2,7 @@
     <div class="modal-dialog">
         <div class="modal-content bg-dark">
             <div class="modal-header">
-                <h5 class="modal-title"><i class="fa fa-fw fa-route"></i> Copying Trip</h5>
+                <h5 class="modal-title"><i class="fa fa-route mr-2"></i>Copying Trip</h5>
                 <button type="button" class="close text-white" data-dismiss="modal">
                     <span>&times;</span>
                 </button>
@@ -76,7 +76,7 @@
                                 // WIP Need to only show users within the session company
                                 $sql_trips = mysqli_query($mysqli, "SELECT * FROM users ORDER BY user_name ASC");
                                 while ($row = mysqli_fetch_array($sql_trips)) {
-                                    $user_id_select = $row['user_id'];
+                                    $user_id_select = intval($row['user_id']);
                                     $user_name_select = htmlentities($row['user_name']);
                                     ?>
                                     <option <?php if ($trip_user_id == $user_id_select) { echo "selected"; } ?> value="<?php echo $user_id_select; ?>"><?php echo $user_name_select; ?></option>
@@ -102,7 +102,7 @@
 
                                     $sql_clients = mysqli_query($mysqli, "SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC");
                                     while ($row = mysqli_fetch_array($sql_clients)) {
-                                        $client_id_select = $row['client_id'];
+                                        $client_id_select = intval($row['client_id']);
                                         $client_name_select = htmlentities($row['client_name']);
                                         ?>
                                         <option <?php if ($client_id == $client_id_select) { echo "selected"; } ?> value="<?php echo $client_id_select; ?>"><?php echo $client_name_select; ?></option>
@@ -116,8 +116,8 @@
 
                 </div>
                 <div class="modal-footer bg-white">
-                    <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">Cancel</button>
-                    <button type="submit" name="add_trip" class="btn btn-primary text-bold"><i class="fa fa-fw fa-check"></i> Copy</button>
+                    <button type="submit" name="add_trip" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Copy</button>
+                    <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
                 </div>
             </form>
         </div>
diff --git a/trip_edit_modal.php b/trip_edit_modal.php
index a4b33fd6..07bb1d3f 100644
--- a/trip_edit_modal.php
+++ b/trip_edit_modal.php
@@ -2,7 +2,7 @@
     <div class="modal-dialog">
         <div class="modal-content bg-dark">
             <div class="modal-header">
-                <h5 class="modal-title"><i class="fa fa-fw fa-route"></i> Edit Trip</h5>
+                <h5 class="modal-title"><i class="fa fa-route mr-2"></i>Edit Trip</h5>
                 <button type="button" class="close text-white" data-dismiss="modal">
                     <span>&times;</span>
                 </button>
@@ -78,7 +78,7 @@
                                 // WIP Need to only show users within the session company
                                 $sql_trips = mysqli_query($mysqli, "SELECT * FROM users ORDER BY user_name ASC");
                                 while ($row = mysqli_fetch_array($sql_trips)) {
-                                    $user_id_select = $row['user_id'];
+                                    $user_id_select = intval($row['user_id']);
                                     $user_name_select = htmlentities($row['user_name']);
                                     ?>
                                     <option <?php if ($trip_user_id == $user_id_select) { echo "selected"; } ?> value="<?php echo $user_id_select; ?>"><?php echo $user_name_select; ?></option>
@@ -105,7 +105,7 @@
 
                                     $sql_clients = mysqli_query($mysqli, "SELECT * FROM clients WHERE company_id = $session_company_id ORDER BY client_name ASC");
                                     while ($row = mysqli_fetch_array($sql_clients)) {
-                                        $client_id_select = $row['client_id'];
+                                        $client_id_select = intval($row['client_id']);
                                         $client_name_select = htmlentities($row['client_name']);
                                         ?>
                                         <option <?php if ($client_id == $client_id_select) { echo "selected"; } ?> value="<?php echo $client_id_select; ?>"><?php echo $client_name_select; ?></option>
@@ -122,8 +122,8 @@
                 </div>
 
                 <div class="modal-footer bg-white">
-                    <button type="button" class="btn btn-outline-secondary" data-dismiss="modal">Cancel</button>
-                    <button type="submit" name="edit_trip" class="btn btn-primary text-bold"><i class="fa fa-fw fa-check"></i> Save</button>
+                    <button type="submit" name="edit_trip" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Save</button>
+                    <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
                 </div>
             </form>
         </div>
diff --git a/trips.php b/trips.php
index 66b87dd3..3a747219 100644
--- a/trips.php
+++ b/trips.php
@@ -2,7 +2,7 @@
 require_once("inc_all.php");
 
 if (!empty($_GET['sb'])) {
-    $sb = strip_tags(mysqli_real_escape_string($mysqli, $_GET['sb']));
+    $sb = sanitizeInput($_GET['sb']);
 } else {
     $sb = "trip_date";
 }
@@ -21,8 +21,8 @@ if (empty($_GET['canned_date'])) {
 
 //Date Filter
 if ($_GET['canned_date'] == "custom" && !empty($_GET['dtf'])) {
-    $dtf = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtf']));
-    $dtt = strip_tags(mysqli_real_escape_string($mysqli, $_GET['dtt']));
+    $dtf = sanitizeInput($_GET['dtf']);
+    $dtt = sanitizeInput($_GET['dtt']);
 } elseif ($_GET['canned_date'] == "today") {
     $dtf = date('Y-m-d');
     $dtt = date('Y-m-d');
@@ -76,9 +76,9 @@ $total_pages = ceil($total_found_rows / 10);
 
     <div class="card card-dark">
         <div class="card-header py-2">
-            <h3 class="card-title mt-2"><i class="fa fa-fw fa-route"></i> Trips</h3>
+            <h3 class="card-title mt-2"><i class="fa fa-route mr-2"></i>Trips</h3>
             <div class="card-tools">
-                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addTripModal"><i class="fas fa-fw fa-plus"></i> New Trip</button>
+                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addTripModal"><i class="fas fa-plus mr-2"></i>New Trip</button>
             </div>
         </div>
 
@@ -87,7 +87,7 @@ $total_pages = ceil($total_found_rows / 10);
                 <div class="row">
                     <div class="col-sm-4">
                         <div class="input-group">
-                            <input type="search" class="form-control" name="q" value="<?php if (isset($q)) { echo strip_tags(htmlentities($q)); } ?>" placeholder="Search Trips">
+                            <input type="search" class="form-control" name="q" value="<?php if (isset($q)) { echo stripslashes(htmlentities($q)); } ?>" placeholder="Search Trips">
                             <div class="input-group-append">
                                 <button class="btn btn-secondary" type="button" data-toggle="collapse" data-target="#advancedFilter"><i class="fas fa-filter"></i></button>
                                 <button class="btn btn-primary"><i class="fa fa-search"></i></button>
@@ -96,7 +96,7 @@ $total_pages = ceil($total_found_rows / 10);
                     </div>
                     <div class="col-sm-8">
                         <div class="float-right">
-                            <button type="button" class="btn btn-default btn-lg" data-toggle="modal" data-target="#exportTripsModal"><i class="fa fa-fw fa-download"></i> Export</button>
+                            <button type="button" class="btn btn-default btn-lg" data-toggle="modal" data-target="#exportTripsModal"><i class="fa fa-fw fa-download mr-2"></i>Export</button>
                         </div>
                     </div>
                 </div>
@@ -152,15 +152,15 @@ $total_pages = ceil($total_found_rows / 10);
                     <?php
 
                     while ($row = mysqli_fetch_array($sql)) {
-                        $trip_id = $row['trip_id'];
-                        $trip_date = $row['trip_date'];
+                        $trip_id = intval($row['trip_id']);
+                        $trip_date = htmlentities($row['trip_date']);
                         $trip_purpose = htmlentities($row['trip_purpose']);
                         $trip_source = htmlentities($row['trip_source']);
                         $trip_destination = htmlentities($row['trip_destination']);
                         $trip_miles = htmlentities($row['trip_miles']);
-                        $trip_user_id = $row['trip_user_id'];
+                        $trip_user_id = intval($row['trip_user_id']);
                         $round_trip = htmlentities($row['round_trip']);
-                        $client_id = $row['client_id'];
+                        $client_id = intval($row['client_id']);
                         $client_name = htmlentities($row['client_name']);
                         if (empty($client_name)) {
                             $client_name_display = "-";
@@ -194,12 +194,20 @@ $total_pages = ceil($total_found_rows / 10);
                                         <i class="fas fa-ellipsis-h"></i>
                                     </button>
                                     <div class="dropdown-menu">
-                                        <a class="dropdown-item" href="//maps.google.com?q=<?php echo $trip_source; ?> to <?php echo $trip_destination; ?>" target="_blank">Map it</a>
+                                        <a class="dropdown-item" href="//maps.google.com?q=<?php echo $trip_source; ?> to <?php echo $trip_destination; ?>" target="_blank">
+                                            <i class="fa fa-fw fa-map-marker mr-2"></i>Map it
+                                        </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTripModal<?php echo $trip_id; ?>">Edit</a>
-                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#addTripCopyModal<?php echo $trip_id; ?>">Copy</a>
+                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTripModal<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-edit mr-2"></i>Edit
+                                        </a>
+                                        <a class="dropdown-item" href="#" data-toggle="modal" data-target="#addTripCopyModal<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-copy mr-2"></i>Copy
+                                        </a>
                                         <div class="dropdown-divider"></div>
-                                        <a class="dropdown-item text-danger" href="post.php?delete_trip=<?php echo $trip_id; ?>">Delete</a>
+                                        <a class="dropdown-item text-danger" href="post.php?delete_trip=<?php echo $trip_id; ?>">
+                                            <i class="fa fa-fw fa-trash mr-2"></i>Delete
+                                        </a>
                                     </div>
                                 </div>
                             </td>