Finished up santizeInput Conv and UI updates

This commit is contained in:
johnnyq
2023-02-23 16:09:37 -05:00
parent 2b50302cf9
commit f7552cd25a
179 changed files with 1572 additions and 1349 deletions


@@ -21,14 +21,14 @@ if (!isset($_SESSION['client_logged_in']) || !$_SESSION['client_logged_in']) {
}
// User IP & UA
$session_ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$session_ip = sanitizeInput(getIP());
$session_user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
// Get info from session
$session_client_id = $_SESSION['client_id'];
$session_contact_id = $_SESSION['contact_id'];
$session_company_id = $_SESSION['company_id'];
$session_client_id = intval($_SESSION['client_id']);
$session_contact_id = intval($_SESSION['contact_id']);
$session_company_id = intval($_SESSION['company_id']);
// Get company info from database
@@ -46,11 +46,11 @@ $currency_format = numfmt_create($session_company_locale, NumberFormatter::CURRE
$contact_sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
$contact = mysqli_fetch_array($contact_sql);
$session_contact_name = strip_tags(mysqli_real_escape_string($mysqli, $contact['contact_name']));
$session_contact_name = sanitizeInput($contact['contact_name']);
$session_contact_initials = initials($session_contact_name);
$session_contact_title = strip_tags(mysqli_real_escape_string($mysqli, $contact['contact_title']));
$session_contact_email = strip_tags(mysqli_real_escape_string($mysqli, $contact['contact_email']));
$session_contact_photo = $contact['contact_photo'];
$session_contact_title = sanitizeInput($contact['contact_title']);
$session_contact_email = sanitizeInput($contact['contact_email']);
$session_contact_photo = sanitizeInput($contact['contact_photo']);
$session_contact_is_technical_contact = false;
$session_contact_is_billing_contact = false;
@@ -64,8 +64,8 @@ if ($contact['contact_billing'] == 1) {
// Get client info
$client_sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = '$session_client_id'");
$client_sql = mysqli_query($mysqli, "SELECT * FROM clients WHERE client_id = $session_client_id");
$client = mysqli_fetch_array($client_sql);
$session_client_name = $client['client_name'];
$session_client_primary_contact_id = $client['primary_contact'];
$session_client_primary_contact_id = intval($client['primary_contact']);
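Review bot: `sanitizeInput()` is being applied to values read back from the database (`contact_name`, `contact_title`, `contact_email`, `contact_photo` in the second hunk), and judging by the `strip_tags(mysqli_real_escape_string(...))` it replaces in the first hunk it escapes for SQL, which is the wrong context for session variables that are mostly rendered in portal pages; a name containing `"` or `&` presumably arrives backslash-escaped but not HTML-encoded, so every echo site still has to encode it. Keep the raw column values in `$session_contact_*` and encode at output, e.g. `htmlspecialchars($session_contact_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, escaping only the copy that is interpolated into log SQL. `$_SERVER['HTTP_USER_AGENT']` in the first hunk is not guaranteed to be set; `sanitizeInput($_SERVER['HTTP_USER_AGENT'] ?? '')` avoids the notice and a null argument. The definition of `sanitizeInput()` is not on this page, so what it does is inferred from the calls it replaces.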


@@ -54,13 +54,13 @@ $invoices_sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_clie
<?php
while ($row = mysqli_fetch_array($invoices_sql)) {
$invoice_id = $row['invoice_id'];
$invoice_id = intval($row['invoice_id']);
$invoice_prefix = htmlentities($row['invoice_prefix']);
$invoice_number = htmlentities($row['invoice_number']);
$invoice_number = intval($row['invoice_number']);
$invoice_scope = htmlentities($row['invoice_scope']);
$invoice_status = htmlentities($row['invoice_status']);
$invoice_date = $row['invoice_date'];
$invoice_due = $row['invoice_due'];
$invoice_date = htmlentities($row['invoice_date']);
$invoice_due = htmlentities($row['invoice_due']);
$invoice_amount = floatval($row['invoice_amount']);
$invoice_url_key = htmlentities($row['invoice_url_key']);


@@ -21,21 +21,21 @@ if (!isset($_SESSION)) {
session_start();
}
$ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$ip = sanitizeInput(getIP());
$user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
$sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id FROM settings WHERE company_id = '1'");
$sql_settings = mysqli_query($mysqli, "SELECT config_azure_client_id FROM settings WHERE company_id = 1");
$settings = mysqli_fetch_array($sql_settings);
$azure_client_id = $settings['config_azure_client_id'];
$company_sql = mysqli_query($mysqli, "SELECT company_name, company_logo FROM companies WHERE company_id = '1'");
$company_sql = mysqli_query($mysqli, "SELECT company_name, company_logo FROM companies WHERE company_id = 1");
$company_results = mysqli_fetch_array($company_sql);
$company_name = $company_results['company_name'];
$company_logo = $company_results['company_logo'];
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$email = sanitizeInput($_POST['email']);
$password = $_POST['password'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
@@ -47,22 +47,22 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) {
if (password_verify($password, $row['contact_password_hash'])) {
$_SESSION['client_logged_in'] = true;
$_SESSION['client_id'] = $row['contact_client_id'];
$_SESSION['contact_id'] = $row['contact_id'];
$_SESSION['company_id'] = $row['company_id'];
$_SESSION['client_id'] = intval($row['contact_client_id']);
$_SESSION['contact_id'] = intval($row['contact_id']);
$_SESSION['company_id'] = intval($row['company_id']);
$_SESSION['login_method'] = "local";
header("Location: index.php");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $row[contact_client_id]");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Success', log_description = 'Client contact $row[contact_email] successfully logged in locally', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $row[contact_client_id]");
} else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
} else {
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Client Login', log_action = 'Failed', log_description = 'Failed client portal login attempt using $email', log_ip = '$ip', log_user_agent = '$user_agent'");
$_SESSION['login_message'] = 'Incorrect username or password.';
}
}
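Review bot: The successful-login branch in the second hunk (`$_SESSION['client_logged_in'] = true;`) does not rotate the session identifier, so a session id fixed before authentication stays valid after it; add `session_regenerate_id(true);` immediately before the session variables are populated, unless that already happens outside the hunk. The success `INSERT INTO logs` on the next lines interpolates `$row[contact_email]` straight from the result row, while both failure branches use the escaped `$email`; since the row was selected by that same address, `$email` can be used there as well, or the column passed through `mysqli_real_escape_string()` first. The enclosing `if ($_SERVER['REQUEST_METHOD'] == 'POST' ...)` block begins in the first hunk and the query that produces `$row` sits between the two hunks.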


@@ -24,10 +24,10 @@ if (!isset($_SESSION)) {
session_start();
}
$ip = strip_tags(mysqli_real_escape_string($mysqli, getIP()));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$ip = sanitizeInput(getIP());
$user_agent = sanitizeInput($_SERVER['HTTP_USER_AGENT']);
$company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE company_id = '1'");
$company_sql = mysqli_query($mysqli, "SELECT company_name FROM companies WHERE company_id = 1");
$company_results = mysqli_fetch_array($company_sql);
$company_name = $company_results['company_name'];
@@ -40,21 +40,21 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
*/
if (isset($_POST['password_reset_email_request'])) {
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$email = sanitizeInput($_POST['email']);
$sql = mysqli_query($mysqli, "SELECT contact_id, contact_name, contact_email, contact_client_id, company_id FROM contacts WHERE contact_email = '$email' AND contact_auth_method = 'local' LIMIT 1");
$row = mysqli_fetch_assoc($sql);
$id = $row['contact_id'];
$id = intval($row['contact_id']);
$name = $row['contact_name'];
$client = $row['contact_client_id'];
$company = $row['company_id'];
$client = intval($row['contact_client_id']);
$company = intval($row['company_id']);
if ($row['contact_email'] == $email) {
$token = randomString(156);
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client, company_id = $company");
// Send reset email
@@ -77,7 +77,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
@@ -97,16 +97,16 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
$_SESSION['login_message'] = WORDING_ERROR;
}
$token = strip_tags(mysqli_real_escape_string($mysqli, $_POST['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_POST['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_POST['client'])));
$token = sanitizeInput($_POST['token']);
$email = sanitizeInput($_POST['email']);
$client = intval($_POST['client']);
// Query user
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client AND contact_auth_method = 'local' LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
$contact_id = $contact_row['contact_id'];
$contact_id = intval($contact_row['contact_id']);
$name = $contact_row['contact_name'];
$company = $contact_row['company_id'];
$company = intval($contact_row['company_id']);
// Ensure the token is correct
if (sha1($contact_row['contact_password_reset_token']) == sha1($token)) {
@@ -114,7 +114,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
// Set password, invalidate token, logging
$password = mysqli_real_escape_string($mysqli, password_hash($_POST['new_password'], PASSWORD_DEFAULT));
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password', contact_password_reset_token = NULL WHERE contact_id = $contact_id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Reset portal password for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_client_id = $client, company_id = $company");
// Send confirmation email
$subject = "Password reset confirmation for $company_name ITFlow Portal";
@@ -137,7 +137,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
// Error handling
if ($mail !== true) {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', notification_timestamp = NOW(), company_id = $company");
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Mail', notification = 'Failed to send email to $email', company_id = $company");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Mail', log_action = 'Error', log_description = 'Failed to send email to $email regarding $subject. $mail', company_id = $company");
}
@@ -192,9 +192,9 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
*/
if (isset($_GET['token']) && isset($_GET['email']) && isset($_GET['client'])) {
$token = strip_tags(mysqli_real_escape_string($mysqli, $_GET['token']));
$email = strip_tags(mysqli_real_escape_string($mysqli, $_GET['email']));
$client = intval(strip_tags(mysqli_real_escape_string($mysqli, $_GET['client'])));
$token = sanitizeInput($_GET['token']);
$email = sanitizeInput($_GET['email']);
$client = intval($_GET['client']);
$sql = mysqli_query($mysqli, "SELECT * FROM contacts WHERE contact_email = '$email' AND contact_password_reset_token = '$token' AND contact_client_id = $client LIMIT 1");
$contact_row = mysqli_fetch_array($sql);
@@ -250,7 +250,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
<?php
// Show feedback from session
if (!empty($_SESSION['login_message'])) {
echo $_SESSION['login_message'];
echo htmlentities($_SESSION['login_message']);
unset($_SESSION['login_message']);
}
?>
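Review bot: The reset-token check in the fourth hunk, `if (sha1($contact_row['contact_password_reset_token']) == sha1($token))`, compares two hex digests with `==`, which in PHP treats two digests that both look numeric (for example starting with `0e` followed only by digits) as equal, and the comparison is not constant-time; replace it with `if (hash_equals((string) $contact_row['contact_password_reset_token'], $token)) {`. With a random 156-character token the loose-comparison risk is remote, but the `SELECT` just above already filters on `contact_password_reset_token = '$token'`, so the only thing this line needs to guard is an empty `$contact_row`, which the strict form does. In the second hunk the reset link `$url` embeds `$email` and `$token` without `urlencode()`, so an address containing `+` or `&` produces parameters that do not round-trip; build it as `"https://$config_base_url/portal/login_reset.php?email=" . urlencode($email) . "&token=" . urlencode($token) . "&client=$client"`. The surrounding `if ($_SERVER['REQUEST_METHOD'] == "POST")` block starts before the first hunk shown here.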


@@ -23,7 +23,7 @@ function verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state)
}
// Verify the contact has access to the provided ticket ID
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$requested_ticket_id' AND $ticket_state_snippet AND ticket_client_id = '$session_client_id' LIMIT 1");
$sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $requested_ticket_id AND $ticket_state_snippet AND ticket_client_id = $session_client_id LIMIT 1");
$row = mysqli_fetch_array($sql);
$ticket_id = $row['ticket_id'];
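Review bot: Dropping the quotes around `$requested_ticket_id` and `$session_client_id` in the `SELECT` makes the query depend entirely on every caller having cast the value to an integer, but `verifyContactTicketAccess($requested_ticket_id, $expected_ticket_state)` declares no parameter types, so a caller passing a raw request value would now inject directly into the `WHERE` clause rather than into a quoted literal that `mysqli_real_escape_string()` could have neutralised. Cast at the boundary inside the function, `$requested_ticket_id = intval($requested_ticket_id);` as its first statement, or declare `int $requested_ticket_id` in the signature. `$ticket_state_snippet` is built from `$expected_ticket_state` above the hunk and should likewise stay a fixed set of SQL fragments chosen by comparison, never the argument itself. The function body begins above the hunk and continues after it.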


@@ -12,7 +12,7 @@ if (isset($_POST['add_ticket'])) {
$sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = $session_company_id");
$row = mysqli_fetch_array($sql_settings);
$config_ticket_prefix = $row['config_ticket_prefix'];
$config_ticket_next_number = $row['config_ticket_next_number'];
$config_ticket_next_number = intval($row['config_ticket_next_number']);
// HTML Purifier
require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
@@ -22,14 +22,14 @@ if (isset($_POST['add_ticket'])) {
$client_id = $session_client_id;
$contact = $session_contact_id;
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['subject'])));
$subject = sanitizeInput($_POST['subject']);
$details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
// Ensure priority is low/med/high (as can be user defined)
if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
$priority = "Low";
} else {
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['priority'])));
$priority = sanitizeInput($_POST['priority']);
}
// Get the next Ticket Number and add 1 for the new ticket number
@@ -37,11 +37,11 @@ if (isset($_POST['add_ticket'])) {
$new_config_ticket_next_number = $config_ticket_next_number + 1;
mysqli_query($mysqli, "UPDATE settings SET config_ticket_next_number = $new_config_ticket_next_number WHERE company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_at = NOW(), ticket_created_by = '0', ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 'Open', ticket_created_by = 0, ticket_contact_id = $contact, ticket_client_id = $client_id, company_id = $session_company_id");
$id = mysqli_insert_id($mysqli);
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Create', log_description = 'Client contact $session_contact_name created ticket $subject', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $client_id, company_id = $session_company_id");
header("Location: ticket.php?id=" . $id);
@@ -71,10 +71,10 @@ if (isset($_POST['add_ticket_comment'])) {
if (verifyContactTicketAccess($ticket_id, "Open")) {
// Add the comment
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = '$session_company_id'");
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = '$comment', ticket_reply_type = 'Client', ticket_reply_by = $session_contact_id, ticket_reply_ticket_id = $ticket_id, company_id = $session_company_id");
// Update Ticket Last Response Field & set ticket to open as client has replied
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Open', ticket_updated_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id' LIMIT 1");
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Open' WHERE ticket_id = $ticket_id AND ticket_client_id = $session_client_id LIMIT 1");
// Redirect
header("Location: " . $_SERVER["HTTP_REFERER"]);
@@ -87,17 +87,17 @@ if (isset($_POST['add_ticket_comment'])) {
if (isset($_POST['add_ticket_feedback'])) {
$ticket_id = intval($_POST['ticket_id']);
$feedback = trim(strip_tags(mysqli_real_escape_string($mysqli, $_POST['add_ticket_feedback'])));
$feedback = sanitizeInput($_POST['add_ticket_feedback']);
// Verify the contact has access to the provided ticket ID
if (verifyContactTicketAccess($ticket_id, "Closed")) {
// Add feedback
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' LIMIT 1");
mysqli_query($mysqli, "UPDATE tickets SET ticket_feedback = '$feedback' WHERE ticket_id = $ticket_id AND ticket_client_id = $session_client_id LIMIT 1");
// Notify on bad feedback
if ($feedback == "Bad") {
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_timestamp = NOW(), notification_client_id = '$session_client_id', company_id = '$session_company_id'");
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Feedback', notification = '$session_contact_name rated ticket ID $ticket_id as bad', notification_client_id = $session_client_id, company_id = $session_company_id");
}
// Redirect
@@ -117,13 +117,13 @@ if (isset($_GET['close_ticket'])) {
if (verifyContactTicketAccess($ticket_id, "Open")) {
// Close ticket
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = '$session_client_id'");
mysqli_query($mysqli, "UPDATE tickets SET ticket_status = 'Closed', ticket_closed_at = NOW() WHERE ticket_id = $ticket_id AND ticket_client_id = $session_client_id");
// Add reply
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_created_at = NOW(), ticket_reply_by = '$session_contact_id', ticket_reply_ticket_id = '$ticket_id', company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO ticket_replies SET ticket_reply = 'Ticket closed by $session_contact_name.', ticket_reply_type = 'Client', ticket_reply_by = $session_contact_id, ticket_reply_ticket_id = $ticket_id, company_id = $session_company_id");
//Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Ticket', log_action = 'Closed', log_description = '$ticket_id Closed by client', log_ip = '$session_ip', log_user_agent = '$session_user_agent', company_id = $session_company_id");
header("Location: ticket.php?id=" . $ticket_id);
} else {
@@ -147,10 +147,10 @@ if (isset($_POST['edit_profile'])) {
$new_password = $_POST['new_password'];
if (!empty($new_password)) {
$password_hash = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = '$session_contact_id' AND contact_client_id = '$session_client_id'");
mysqli_query($mysqli, "UPDATE contacts SET contact_password_hash = '$password_hash' WHERE contact_id = $session_contact_id AND contact_client_id = $session_client_id");
// Logging
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $session_client_id, company_id = $session_company_id");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Client contact $session_contact_name modified their profile/password.', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_client_id = $session_client_id, company_id = $session_company_id");
}
header('Location: index.php');
}
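Review bot: In the `edit_profile` hunk the only server-side gate on the new password is `if (!empty($new_password))`, so a one-character password is accepted; the `minlength="6"` on the form is enforced by the browser only. Add a length check before hashing, e.g. `if (!empty($new_password) && mb_strlen($new_password) >= 6) {`, and surface the rejected case to the user instead of silently redirecting. The resulting `$password_hash` is interpolated into the `UPDATE contacts` statement unescaped, whereas the reset flow in `login_reset.php` passes the same kind of value through `mysqli_real_escape_string()`; the bcrypt alphabet contains no quote characters, but treating both sites the same keeps the escaping rule uniform. The enclosing `if (isset($_POST['edit_profile']))` block begins above the hunk.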


@@ -36,7 +36,7 @@ require_once('inc_portal.php');
<input type="password" class="form-control" minlength="6" required data-toggle="password" name="new_password" placeholder="Leave blank for no change" autocomplete="new-password">
</div>
</div>
<button type="submit" name="edit_profile" class="btn btn-primary mt-3"><i class="fa fa-fw fa-check"></i> Save password</button>
<button type="submit" name="edit_profile" class="btn btn-primary text-bold mt-3"><i class="fas fa-check mr-2"></i>Save password</button>
</form>
</div>
<?php endif ?>


@@ -10,9 +10,9 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
$ticket_id = intval($_GET['id']);
if ($session_contact_id == $session_client_primary_contact_id || $session_contact_is_technical_contact) {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id'");
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id AND ticket_client_id = $session_client_id");
} else {
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = '$ticket_id' AND ticket_client_id = '$session_client_id' AND ticket_contact_id = '$session_contact_id'");
$ticket_sql = mysqli_query($mysqli, "SELECT * FROM tickets WHERE ticket_id = $ticket_id AND ticket_client_id = $session_client_id AND ticket_contact_id = $session_contact_id");
}
$ticket_row = mysqli_fetch_array($ticket_sql);
@@ -20,7 +20,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
if ($ticket_row) {
$ticket_prefix = htmlentities($ticket_row['ticket_prefix']);
$ticket_number = $ticket_row['ticket_number'];
$ticket_number = intval($ticket_row['ticket_number']);
$ticket_status = htmlentities($ticket_row['ticket_status']);
$ticket_priority = htmlentities($ticket_row['ticket_priority']);
$ticket_subject = htmlentities($ticket_row['ticket_subject']);
@@ -110,11 +110,11 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
$sql = mysqli_query($mysqli, "SELECT * FROM ticket_replies LEFT JOIN users ON ticket_reply_by = user_id LEFT JOIN contacts ON ticket_reply_by = contact_id WHERE ticket_reply_ticket_id = $ticket_id AND ticket_reply_archived_at IS NULL AND ticket_reply_type != 'Internal' ORDER BY ticket_reply_id DESC");
while ($row = mysqli_fetch_array($sql)) {
$ticket_reply_id = $row['ticket_reply_id'];
$ticket_reply_id = intval($row['ticket_reply_id']);
$ticket_reply = $row['ticket_reply'];
$ticket_reply_created_at = $row['ticket_reply_created_at'];
$ticket_reply_updated_at = $row['ticket_reply_updated_at'];
$ticket_reply_by = $row['ticket_reply_by'];
$ticket_reply_by = intval($row['ticket_reply_by']);
$ticket_reply_type = $row['ticket_reply_type'];
if ($ticket_reply_type == "Client") {
@@ -124,7 +124,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
$avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
} else {
$ticket_reply_by_display = htmlentities($row['user_name']);
$user_id = $row['user_id'];
$user_id = intval($row['user_id']);
$user_avatar = $row['user_avatar'];
$user_initials = initials($row['user_name']);
$avatar_link = "../uploads/users/$user_id/$user_avatar";
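Review bot: `$user_avatar = $row['user_avatar'];` in the last hunk is taken from the row unencoded while the neighbouring `user_name` is wrapped in `htmlentities()`, and on the next line it is interpolated into `$avatar_link`, which presumably ends up in an `src` attribute; wrap it the same way, `$user_avatar = htmlentities($row['user_avatar']);`, and apply the same to the `Client` branch that builds `$avatar_link` just above this hunk. In the third hunk `$ticket_reply = $row['ticket_reply'];` is likewise raw; that is defensible if replies are stored HTML-purified (the portal's add_ticket path runs details through HTMLPurifier), but the comment path's sanitisation of `$comment` is not shown here, so it is worth confirming before rendering the reply as markup. The `while` loop and the enclosing `if ($ticket_row)` continue beyond the hunks.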


@@ -27,7 +27,7 @@ if (!isset($_GET['status'])) {
$ticket_status_snippet = "ticket_status LIKE '%'";
}
$all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
$all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_client_id = $session_client_id ORDER BY ticket_id DESC");
?>
<h2>All tickets</h2>
@@ -56,9 +56,9 @@ $all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts O
<?php
while ($row = mysqli_fetch_array($all_tickets)) {
$ticket_id = $row['ticket_id'];
$ticket_id = intval($row['ticket_id']);
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = $row['ticket_number'];
$ticket_number = intval($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
$ticket_status = htmlentities($row['ticket_status']);
$ticket_contact_name = htmlentities($row['contact_name']);


@@ -22,22 +22,22 @@ if (!isset($_GET['status'])) {
$ticket_status_snippet = "ticket_status LIKE '%'";
}
$contact_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_contact_id = '$session_contact_id' AND ticket_client_id = '$session_client_id' ORDER BY ticket_id DESC");
$contact_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts ON ticket_contact_id = contact_id WHERE $ticket_status_snippet AND ticket_contact_id = $session_contact_id AND ticket_client_id = $session_client_id ORDER BY ticket_id DESC");
//Get Total tickets closed
$sql_total_tickets_closed = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_closed FROM tickets WHERE ticket_status = 'Closed' AND ticket_client_id = $session_client_id AND ticket_contact_id = $session_contact_id");
$row = mysqli_fetch_array($sql_total_tickets_closed);
$total_tickets_closed = $row['total_tickets_closed'];
$total_tickets_closed = intval($row['total_tickets_closed']);
//Get Total tickets open
$sql_total_tickets_open = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets_open FROM tickets WHERE ticket_status != 'Closed' AND ticket_client_id = $session_client_id AND ticket_contact_id = $session_contact_id");
$row = mysqli_fetch_array($sql_total_tickets_open);
$total_tickets_open = $row['total_tickets_open'];
$total_tickets_open = intval($row['total_tickets_open']);
//Get Total tickets
$sql_total_tickets = mysqli_query($mysqli, "SELECT COUNT(ticket_id) AS total_tickets FROM tickets WHERE ticket_client_id = $session_client_id AND ticket_contact_id = $session_contact_id");
$row = mysqli_fetch_array($sql_total_tickets);
$total_tickets = $row['total_tickets'];
$total_tickets = intval($row['total_tickets']);
?>
@@ -81,9 +81,9 @@ $total_tickets = $row['total_tickets'];
<?php
while ($row = mysqli_fetch_array($contact_tickets)) {
$ticket_id = $row['ticket_id'];
$ticket_id = intval($row['ticket_id']);
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = $row['ticket_number'];
$ticket_number = intval($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
$ticket_status = htmlentities($row['ticket_status']);
?>