From faf39fc84ad3844bddee0bcdf53990d9fe4703c4 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Sun, 12 Dec 2021 13:16:26 -0500
Subject: [PATCH] Code cleanup and fix possible injections when a trusted user is logged in thanks to mwdmeyer, constant_chaos, disclosure5 and rightwayround from /r/msp for pointing these issues out
---
 alerts_archived.php | 4 ++--
 assets.php | 4 ++--
 campaigns.php | 4 ++--
 client_trips.php | 4 ++--
 clients.php | 4 ++--
 expenses.php | 4 ++--
 index.php | 9 +-------
 invoices.php | 4 ++--
 logs.php | 4 ++--
 payments.php | 4 ++--
 quotes.php | 4 ++--
 recurring.php | 4 ++--
 revenues.php | 4 ++--
 tickets.php | 4 ++--
 transfers.php | 4 ++--
 trips.php | 4 ++--
 vendors.php | 4 ++--
 17 files changed, 33 insertions(+), 40 deletions(-)
diff --git a/alerts_archived.php b/alerts_archived.php
index cc3f5515..96f3f03a 100644
--- a/alerts_archived.php
+++ b/alerts_archived.php
@@ -41,8 +41,8 @@ if(isset($_GET['o'])){
 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
- $dtf = $_GET['dtf'];
- $dtt = $_GET['dtt'];
+ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+ $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
 $dtf = "0000-00-00";
 $dtt = "9999-00-00";
diff --git a/assets.php b/assets.php
index dda159ec..02ab7986 100644
--- a/assets.php
+++ b/assets.php
@@ -41,8 +41,8 @@ if(isset($_GET['o'])){
 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
- $dtf = $_GET['dtf'];
- $dtt = $_GET['dtt'];
+ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+ $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
 $dtf = "0000-00-00";
 $dtt = "9999-00-00";
diff --git a/campaigns.php b/campaigns.php
index 0708467a..a50b96f4 100644
--- a/campaigns.php
+++ b/campaigns.php
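Review bot: The two added `mysqli_real_escape_string()` calls in the alerts_archived.php hunk only close the injection if `$dtf` and `$dtt` end up inside single-quoted string literals in the SQL; in an unquoted, backtick or `LIMIT`/`ORDER BY` position the escaping changes nothing, and the query that consumes them is outside this hunk so that cannot be confirmed here. Both values are dates with exactly one legitimate shape, so a whitelist check is the stronger fix and does not depend on how the query is assembled: `$dtf = preg_match('/^\d{4}-\d{2}-\d{2}$/', $_GET['dtf']) ? $_GET['dtf'] : "0000-00-00";` with the same pattern for `$dtt`. The `if(isset($_GET['o']))` line in the hunk header is git's nearest-function context, not necessarily the enclosing block.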
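Review bot: In the assets.php hunk the added `$dtt` line reads `$_GET['dtt']` without an existence check while the branch is guarded only by `!empty($_GET['dtf'])`; a request carrying `dtf` but no `dtt` passes `null` to `mysqli_real_escape_string()`, which emits an undefined-index notice (and a null-to-string deprecation on PHP 8.1+) and leaves `$dtt` as `''`, so the upper bound of the range silently becomes an empty string rather than the `"9999-00-00"` default the else branch uses. Suggest `$dtt = mysqli_real_escape_string($mysqli, $_GET['dtt'] ?? "9999-00-00");`, or better, reject anything that is not a `Y-m-d` string before it reaches the query. The SQL that consumes both variables is outside the hunk.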
@@ -38,8 +38,8 @@
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
- $dtf = $_GET['dtf'];
- $dtt = $_GET['dtt'];
+ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+ $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
 $dtf = date('Y-m-d');
 $dtt = date('Y-m-d');
diff --git a/client_trips.php b/client_trips.php
index 7b2436b7..ab3c1318 100644
--- a/client_trips.php
+++ b/client_trips.php
@@ -38,8 +38,8 @@ if(isset($_GET['o'])){
 //Date From and Date To Filter
 if(isset($_GET['dtf'])){
- $dtf = $_GET['dtf'];
- $dtt = $_GET['dtt'];
+ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+ $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
 $dtf = "0000-00-00";
 $dtt = "9999-00-00";
diff --git a/clients.php b/clients.php
index 57200431..0121c5bd 100644
--- a/clients.php
+++ b/clients.php
@@ -48,8 +48,8 @@ if(isset($_GET['order'])){
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['date_from'])){
- $date_from = $_GET['date_from'];
- $date_to = $_GET['date_to'];
+ $date_from = mysqli_real_escape_string($mysqli,$_GET['date_from']);
+ $date_to = mysqli_real_escape_string($mysqli,$_GET['date_to']);
 }elseif($_GET['canned_date'] == "today"){
 $date_from = date('Y-m-d');
 $date_to = date('Y-m-d');
diff --git a/expenses.php b/expenses.php
index 5e45c396..7065e7ba 100644
--- a/expenses.php
+++ b/expenses.php
@@ -38,8 +38,8 @@ if(isset($_GET['o'])){
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
- $dtf = $_GET['dtf'];
- $dtt = $_GET['dtt'];
+ $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+ $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
 $dtf = date('Y-m-d');
 $dtt = date('Y-m-d');
diff --git a/index.php b/index.php
index f812b8a2..d5a3ee96 100644
--- a/index.php
+++ b/index.php
@@ -1,5 +1,4 @@
-
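Review bot: The two added lines in the campaigns.php hunk escape `$_GET['dtf']` and `$_GET['dtt']` but still accept any string, so `abc` or `2021-13-45` travels on to the query with the injection question merely moved to how that query (outside the hunk) quotes the values. Because this is the `canned_date == "custom"` branch of an if/elseif chain, the cheapest robust fix is to make well-formedness part of the branch condition so malformed input falls through to the existing canned ranges and default: `if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf']) AND preg_match('/^\d{4}-\d{2}-\d{2}$/', $_GET['dtf']) AND preg_match('/^\d{4}-\d{2}-\d{2}$/', $_GET['dtt'] ?? '')){`. That also removes the unguarded `$_GET['dtt']` read the new second line performs when only `dtf` is supplied. The rest of the chain, including its final `else`, is outside the hunk.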
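Review bot: The client_trips.php hunk guards the new escaped assignments with `isset($_GET['dtf'])` while the sibling pages in this commit use `!empty($_GET['dtf'])`, so a request with `dtf=` (present but empty) takes the escaped path and the query receives `$dtf = ''` instead of the `"0000-00-00"` default — an inconsistency the escaping change leaves in place. Aligning the guard, `if(!empty($_GET['dtf'])){`, and defaulting the unguarded `$dtt` read, `$dtt = mysqli_real_escape_string($mysqli, $_GET['dtt'] ?? "9999-00-00");`, would make the date filter behave the same on every page. The SQL that consumes both values is outside the hunk, so whether the escaping is sufficient for its quoting context cannot be judged here.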
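Review bot: With the clients.php hunk the same "escape two GET parameters" pair now appears in every listing page of this commit with only the names changing (`date_from`/`date_to` here, `dtf`/`dtt` elsewhere), and that duplication is exactly how the next page added forgets the escaping. A single helper, e.g. `function date_param(string $key, string $default): string` that returns `$_GET[$key]` only when it matches `^\d{4}-\d{2}-\d{2}$` and `$default` otherwise, would centralise the validation and let each page read `$date_from = date_param('date_from', "0000-00-00");`. As written, the new `$date_to` line also reads `$_GET['date_to']` without an existence check, so a request lacking it yields an empty upper bound rather than an error or a default.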
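Review bot: The added calls in the expenses.php hunk are the weakest available remedy: `mysqli_real_escape_string()` is only correct when the interpolated value sits inside quotes in the SQL and the connection character set matches what the escaper assumes, and the query that consumes `$dtf`/`$dtt` is outside this hunk so neither condition is verifiable here. If that query can be moved to `mysqli_prepare()` with `bind_param('ss', $dtf, $dtt)`, the quoting question disappears and the raw `$_GET` values can be bound directly without escaping. Failing that, the two strings should at least be checked against `^\d{4}-\d{2}-\d{2}$` before use, since they are dates rather than free text, and `$_GET['dtt']` should be given a default (`?? "9999-00-00"` or equivalent) rather than read unguarded when only `dtf` is present.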