Code cleanup and fix possible injections when a trusted user is logged in thanks to mwdmeyer, constant_chaos, disclosure5 and rightwayround from /r/msp for pointing these issues out

2021-12-12 13:16:26 -05:00 · 2021-12-12 13:16:26 -05:00 · faf39fc84a
parent 82ead8a755
commit faf39fc84a
17 changed files with 33 additions and 40 deletions
--- a/alerts_archived.php
+++ b/alerts_archived.php
@ -41,8 +41,8 @@ if(isset($_GET['o'])){

 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
  $dtf = "0000-00-00";
  $dtt = "9999-00-00";
--- a/assets.php
+++ b/assets.php
@ -41,8 +41,8 @@ if(isset($_GET['o'])){

 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
  $dtf = "0000-00-00";
  $dtt = "9999-00-00";
--- a/campaigns.php
+++ b/campaigns.php
@ -38,8 +38,8 @@

  //Date Filter
  if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
  }elseif($_GET['canned_date'] == "today"){
    $dtf = date('Y-m-d');
    $dtt = date('Y-m-d');
--- a/client_trips.php
+++ b/client_trips.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date From and Date To Filter
 if(isset($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
  $dtf = "0000-00-00";
  $dtt = "9999-00-00";
--- a/clients.php
+++ b/clients.php
@ -48,8 +48,8 @@ if(isset($_GET['order'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['date_from'])){
-  $date_from = $_GET['date_from'];
-  $date_to = $_GET['date_to'];
+  $date_from = mysqli_real_escape_string($mysqli,$_GET['date_from']);
+  $date_to = mysqli_real_escape_string($mysqli,$_GET['date_to']);
 }elseif($_GET['canned_date'] == "today"){
  $date_from = date('Y-m-d');
  $date_to = date('Y-m-d');
--- a/expenses.php
+++ b/expenses.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/index.php
+++ b/index.php
@ -1,5 +1,4 @@
 <?php include("header.php"); ?>
-	<?php $os = get_ip(); ?>
 	<!-- Breadcrumbs-->
 	<ol class="breadcrumb">
 	  <li class="breadcrumb-item">
@ -11,10 +10,4 @@
 	<!-- Page Content -->
 	<h1>Blank Page</h1>
 	<hr>
-	<p><?php echo get_user_agent(); ?></p>
-	<p><?php echo get_ip(); ?></p>
-	<p><?php echo get_os(); ?></p>
-	<p><?php echo get_web_browser(); ?></p>
-	<p><?php echo get_device(); ?></p>
-
 <?php include("footer.php"); ?>
--- a/invoices.php
+++ b/invoices.php
@ -89,8 +89,8 @@

  //Date Filter
  if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
  }elseif($_GET['canned_date'] == "today"){
    $dtf = date('Y-m-d');
    $dtt = date('Y-m-d');
--- a/logs.php
+++ b/logs.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/payments.php
+++ b/payments.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/quotes.php
+++ b/quotes.php
@ -40,8 +40,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/recurring.php
+++ b/recurring.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/revenues.php
+++ b/revenues.php
@ -38,8 +38,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/tickets.php
+++ b/tickets.php
@ -38,8 +38,8 @@

  //Date Filter
  if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
  }elseif($_GET['canned_date'] == "today"){
    $dtf = date('Y-m-d');
    $dtt = date('Y-m-d');
--- a/transfers.php
+++ b/transfers.php
@ -41,8 +41,8 @@ if(isset($_GET['o'])){

 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
  $dtf = date('Y-m-d');
  $dtt = date('Y-m-d');
--- a/trips.php
+++ b/trips.php
@ -38,8 +38,8 @@

  //Date Filter
  if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
  }elseif($_GET['canned_date'] == "today"){
    $dtf = date('Y-m-d');
    $dtt = date('Y-m-d');
--- a/vendors.php
+++ b/vendors.php
@ -40,8 +40,8 @@ if(isset($_GET['o'])){

 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
  $dtf = "0000-00-00";
  $dtt = "9999-00-00";