ThaMunsta/itflow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Move the initialization of ip, user agent, browser and os vars to guest_header.php

Browse Source 
- General tidy and bugfixing of undefined vars
This commit is contained in:
Marcus Hill
2023-02-08 14:24:47 +00:00
parent 38fcf3fb9c
commit 52243c0a1d
4 changed files with 1503 additions and 1530 deletions
Download Patch File Download Diff File Expand all files Collapse all files
guest_header.php
+3 -1
View File
@@ -6,7 +6,9 @@ require_once("functions.php");
session_start(); session_start();
$ip = trim(strip_tags(mysqli_real_escape_string($mysqli, getIP()))); $ip = trim(strip_tags(mysqli_real_escape_string($mysqli, getIP())));
$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT'])); $ua = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT']));
$os = strip_tags(mysqli_real_escape_string($mysqli, getOS($ua)));
$browser = strip_tags(mysqli_real_escape_string($mysqli, getWebBrowser($ua)));
?> ?>
guest_pay_invoice_stripe.php
-3
View File
@@ -13,9 +13,6 @@ $config_stripe_publishable = htmlentities($stripe_vars['config_stripe_publishabl
$config_stripe_secret = htmlentities($stripe_vars['config_stripe_secret']); $config_stripe_secret = htmlentities($stripe_vars['config_stripe_secret']);
$config_stripe_account = intval($stripe_vars['config_stripe_account']); $config_stripe_account = intval($stripe_vars['config_stripe_account']);
$os = trim(strip_tags(mysqli_real_escape_string($mysqli, getOS($user_agent))));
$browser = trim(strip_tags(mysqli_real_escape_string($mysqli, getWebBrowser($user_agent))));
// Check Stripe is configured // Check Stripe is configured
if ($config_stripe_enable == 0 || $config_stripe_account == 0 || empty($config_stripe_publishable) || empty($config_stripe_secret)) { if ($config_stripe_enable == 0 || $config_stripe_account == 0 || empty($config_stripe_publishable) || empty($config_stripe_secret)) {
echo "<br><h2>Stripe payments not enabled/configured</h2>"; echo "<br><h2>Stripe payments not enabled/configured</h2>";
guest_view_invoice.php
+38 -62
View File
@@ -2,12 +2,18 @@
require_once("guest_header.php"); require_once("guest_header.php");
if (isset($_GET['invoice_id'], $_GET['url_key'])) { if (!isset($_GET['invoice_id'], $_GET['url_key'])) {
echo "<br><h2>Oops, something went wrong! Please raise a ticket if you believe this is an error.</h2>";
require_once("guest_footer.php");
exit();
}
$url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']); $url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']);
$invoice_id = intval($_GET['invoice_id']); $invoice_id = intval($_GET['invoice_id']);
$sql = mysqli_query($mysqli, "SELECT * FROM invoices $sql = mysqli_query(
$mysqli,
"SELECT * FROM invoices
LEFT JOIN clients ON invoice_client_id = client_id LEFT JOIN clients ON invoice_client_id = client_id
LEFT JOIN locations ON primary_location = location_id LEFT JOIN locations ON primary_location = location_id
LEFT JOIN contacts ON primary_contact = contact_id LEFT JOIN contacts ON primary_contact = contact_id
@@ -17,7 +23,12 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
AND invoice_url_key = '$url_key'" AND invoice_url_key = '$url_key'"
); );
if (mysqli_num_rows($sql) == 1) { if (mysqli_num_rows($sql) !== 1) {
// Invalid invoice/key
echo "<br><h2>Oops, something went wrong! Please raise a ticket if you believe this is an error.</h2>";
require_once("guest_footer.php");
exit();
}
$row = mysqli_fetch_array($sql); $row = mysqli_fetch_array($sql);
$invoice_id = $row['invoice_id']; $invoice_id = $row['invoice_id'];
@@ -44,7 +55,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
$client_currency_code = htmlentities($row['client_currency_code']); $client_currency_code = htmlentities($row['client_currency_code']);
$client_net_terms = htmlentities($row['client_net_terms']); $client_net_terms = htmlentities($row['client_net_terms']);
if ($client_net_terms == 0) { if ($client_net_terms == 0) {
$client_net_terms = $config_default_net_terms; $client_net_terms = intval($row['config_default_net_terms']);
} }
$company_id = $row['company_id']; $company_id = $row['company_id'];
$company_name = htmlentities($row['company_name']); $company_name = htmlentities($row['company_name']);
@@ -54,6 +65,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
$company_zip = htmlentities($row['company_zip']); $company_zip = htmlentities($row['company_zip']);
$company_phone = formatPhoneNumber($row['company_phone']); $company_phone = formatPhoneNumber($row['company_phone']);
$company_email = htmlentities($row['company_email']); $company_email = htmlentities($row['company_email']);
$company_website = htmlentities($row['company_website']);
$company_logo = htmlentities($row['company_logo']); $company_logo = htmlentities($row['company_logo']);
if (!empty($company_logo)) { if (!empty($company_logo)) {
$company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo"));
@@ -67,12 +79,6 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
//Set Currency Format //Set Currency Format
$currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY);
$ip = strip_tags(mysqli_real_escape_string($mysqli,getIP()));
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$os = strip_tags(mysqli_real_escape_string($mysqli,getOS($session_user_agent)));
$browser = strip_tags(mysqli_real_escape_string($mysqli,getWebBrowser($session_user_agent)));
$invoice_tally_total = 0; // Default $invoice_tally_total = 0; // Default
//Set Badge color based off of invoice status //Set Badge color based off of invoice status
@@ -86,7 +92,6 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
//Mark viewed in history //Mark viewed in history
mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_created_at = NOW(), history_invoice_id = $invoice_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_created_at = NOW(), history_invoice_id = $invoice_id, company_id = $company_id");
//Prevent SQL Error if client_name has ' in their name example Bill's Market
if ($invoice_status !== 'Paid') { if ($invoice_status !== 'Paid') {
$client_name_escaped = mysqli_real_escape_string($mysqli, $row['client_name']); $client_name_escaped = mysqli_real_escape_string($mysqli, $row['client_name']);
mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id");
@@ -109,6 +114,9 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
} }
} }
// Invoice individual items
$sql_invoice_items = mysqli_query($mysqli, "SELECT * FROM invoice_items WHERE item_invoice_id = $invoice_id ORDER BY item_id ASC");
?> ?>
<div class="card"> <div class="card">
@@ -118,14 +126,9 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<a class="btn btn-primary" href="#" onclick="window.print();"><i class="fa fa-fw fa-print"></i> Print</a> <a class="btn btn-primary" href="#" onclick="window.print();"><i class="fa fa-fw fa-print"></i> Print</a>
<a class="btn btn-primary" href="#" onclick="pdfMake.createPdf(docDefinition).download('<?php echo "$invoice_date-$company_name-Invoice-$invoice_prefix$invoice_number.pdf"; ?>');"><i class="fa fa-fw fa-download"></i> Download</a> <a class="btn btn-primary" href="#" onclick="pdfMake.createPdf(docDefinition).download('<?php echo "$invoice_date-$company_name-Invoice-$invoice_prefix$invoice_number.pdf"; ?>');"><i class="fa fa-fw fa-download"></i> Download</a>
<?php <?php
if ($invoice_status != "Paid" && $invoice_status != "Cancelled" && $invoice_status != "Draft" && $config_stripe_enable == 1) { if ($invoice_status !== "Paid" && $invoice_status !== "Cancelled" && $invoice_status !== "Draft" && $config_stripe_enable == 1) { ?>
?>
<?php
if ($config_stripe_enable == 1) {
?>
<a class="btn btn-success" href="guest_pay_invoice_stripe.php?invoice_id=<?php echo $invoice_id; ?>&url_key=<?php echo $url_key; ?>"><i class="fa fa-fw fa-credit-card"></i> Pay Online <small>(Coming Soon)</small></a> <a class="btn btn-success" href="guest_pay_invoice_stripe.php?invoice_id=<?php echo $invoice_id; ?>&url_key=<?php echo $url_key; ?>"><i class="fa fa-fw fa-credit-card"></i> Pay Online <small>(Coming Soon)</small></a>
<?php } ?> <?php } ?>
<?php } ?>
</div> </div>
</div> </div>
<div class="card-body"> <div class="card-body">
@@ -185,8 +188,6 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
</div> </div>
</div> </div>
<?php $sql_invoice_items = mysqli_query($mysqli, "SELECT * FROM invoice_items WHERE item_invoice_id = $invoice_id ORDER BY item_id ASC"); ?>
<div class="row mb-4"> <div class="row mb-4">
<div class="col-md-12"> <div class="col-md-12">
<div class="card"> <div class="card">
@@ -230,11 +231,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<td class="text-right"><?php echo numfmt_format_currency($currency_format, $item_total, $invoice_currency_code); ?></td> <td class="text-right"><?php echo numfmt_format_currency($currency_format, $item_total, $invoice_currency_code); ?></td>
</tr> </tr>
<?php <?php } ?>
}
?>
</tbody> </tbody>
</table> </table>
@@ -283,7 +280,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<hr class="mt-5"> <hr class="mt-5">
<center style="white-space:pre-line"><?php echo $config_invoice_footer; ?></center> <div style="white-space:pre-line; text-align: center;"><?php echo $config_invoice_footer; ?></div>
</div> </div>
</div> </div>
@@ -711,12 +708,11 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<?php <?php
// PREVIOUS UNPAID INVOICES
$sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_due < CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_date DESC"); $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_due < CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_date DESC");
if (mysqli_num_rows($sql) > 1) { if (mysqli_num_rows($sql) > 1) { ?>
?>
<div class="card d-print-none card-danger"> <div class="card d-print-none card-danger">
<div class="card-header"> <div class="card-header">
@@ -765,17 +761,15 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
</table> </table>
</div> </div>
</div> </div>
<?php
}
?>
<?php <?php } // End previous unpaid invoices
// CURRENT INVOICES
$sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_due > CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_number DESC"); $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_due > CURDATE() AND(invoice_status = 'Sent' OR invoice_status = 'Viewed' OR invoice_status = 'Partial') ORDER BY invoice_number DESC");
if (mysqli_num_rows($sql) > 1) { if (mysqli_num_rows($sql) > 1) { ?>
?>
<div class="card d-print-none card-light"> <div class="card d-print-none card-light">
@@ -817,9 +811,7 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<td class="text-right"><?php echo numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code); ?></td> <td class="text-right"><?php echo numfmt_format_currency($currency_format, $invoice_amount, $invoice_currency_code); ?></td>
</tr> </tr>
<?php <?php } ?>
}
?>
</tbody> </tbody>
</table> </table>
@@ -832,12 +824,11 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<?php <?php
// PREVIOUS PAID INVOICES
$sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_status = 'Paid' ORDER BY invoice_date DESC"); $sql = mysqli_query($mysqli, "SELECT * FROM invoices WHERE invoice_client_id = $client_id AND invoice_status = 'Paid' ORDER BY invoice_date DESC");
if (mysqli_num_rows($sql) > 1) { if (mysqli_num_rows($sql) > 1) { ?>
?>
<div class="card d-print-none collapse" id="collapsePreviousInvoices"> <div class="card d-print-none collapse" id="collapsePreviousInvoices">
<div class="card-header bg-dark"> <div class="card-header bg-dark">
@@ -908,32 +899,17 @@ if (isset($_GET['invoice_id'], $_GET['url_key'])) {
<tr> <tr>
<td colspan="4"><?php echo $payment_date; ?> - <?php echo numfmt_format_currency($currency_format, $payment_amount, $payment_currency_code); ?> - <?php echo $payment_method; ?> - <?php echo $payment_reference; ?> - <?php echo $days; ?> <?php echo $payment_note; ?></td> <td colspan="4"><?php echo $payment_date; ?> - <?php echo numfmt_format_currency($currency_format, $payment_amount, $payment_currency_code); ?> - <?php echo $payment_method; ?> - <?php echo $payment_reference; ?> - <?php echo $days; ?> <?php echo $payment_note; ?></td>
</tr> </tr>
<?php
} <?php } ?>
?> <?php } ?>
<?php
}
?>
</tbody> </tbody>
</table> </table>
</div> </div>
</div> </div>
<?php <?php } // End previous paid invoices
}
?>
<?php
}else{
echo "GTFO";
}
}else{
echo "GTFO";
}
?>
<?php include("guest_footer.php"); ?> require_once("guest_footer.php");
guest_view_quote.php
+25 -27
View File
@@ -1,13 +1,20 @@
<?php <?php
include("guest_header.php"); require_once("guest_header.php");
if (!isset($_GET['quote_id'], $_GET['url_key'])) {
echo "<br><h2>Oops, something went wrong! Please raise a ticket if you believe this is an error.</h2>";
require_once("guest_footer.php");
exit();
}
if (isset($_GET['quote_id'], $_GET['url_key'])) {
$url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']); $url_key = mysqli_real_escape_string($mysqli, $_GET['url_key']);
$quote_id = intval($_GET['quote_id']); $quote_id = intval($_GET['quote_id']);
$sql = mysqli_query($mysqli,"SELECT * FROM quotes $sql = mysqli_query(
$mysqli,
"SELECT * FROM quotes
LEFT JOIN clients ON quote_client_id = client_id LEFT JOIN clients ON quote_client_id = client_id
LEFT JOIN locations ON primary_location = location_id LEFT JOIN locations ON primary_location = location_id
LEFT JOIN contacts ON primary_contact = contact_id LEFT JOIN contacts ON primary_contact = contact_id
@@ -17,7 +24,12 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
AND quote_url_key = '$url_key'" AND quote_url_key = '$url_key'"
); );
if (mysqli_num_rows($sql) == 1) { if (mysqli_num_rows($sql) !== 1) {
// Invalid quote/key
echo "<br><h2>Oops, something went wrong! Please raise a ticket if you believe this is an error.</h2>";
require_once("guest_footer.php");
exit();
}
$row = mysqli_fetch_array($sql); $row = mysqli_fetch_array($sql);
@@ -44,7 +56,7 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
$client_currency_code = htmlentities($row['client_currency_code']); $client_currency_code = htmlentities($row['client_currency_code']);
$client_net_terms = htmlentities($row['client_net_terms']); $client_net_terms = htmlentities($row['client_net_terms']);
if ($client_net_terms == 0) { if ($client_net_terms == 0) {
$client_net_terms = $config_default_net_terms; $client_net_terms = intval($row['config_default_net_terms']);
} }
$company_id = $row['company_id']; $company_id = $row['company_id'];
$company_name = htmlentities($row['company_name']); $company_name = htmlentities($row['company_name']);
@@ -54,6 +66,7 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
$company_zip = htmlentities($row['company_zip']); $company_zip = htmlentities($row['company_zip']);
$company_phone = formatPhoneNumber($row['company_phone']); $company_phone = formatPhoneNumber($row['company_phone']);
$company_email = htmlentities($row['company_email']); $company_email = htmlentities($row['company_email']);
$company_website = htmlentities($row['company_website']);
$company_logo = htmlentities($row['company_logo']); $company_logo = htmlentities($row['company_logo']);
if (!empty($company_logo)) { if (!empty($company_logo)) {
$company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo")); $company_logo_base64 = base64_encode(file_get_contents("uploads/settings/$company_id/$company_logo"));
@@ -64,12 +77,6 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
//Set Currency Format //Set Currency Format
$currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY); $currency_format = numfmt_create($company_locale, NumberFormatter::CURRENCY);
$ip = strip_tags(mysqli_real_escape_string($mysqli,getIP()));
$session_user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT']));
$os = strip_tags(mysqli_real_escape_string($mysqli,getOS($session_user_agent)));
$browser = strip_tags(mysqli_real_escape_string($mysqli,getWebBrowser($session_user_agent)));
//Update status to Viewed only if invoice_status = "Sent" //Update status to Viewed only if invoice_status = "Sent"
if ($quote_status == 'Sent') { if ($quote_status == 'Sent') {
mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Viewed' WHERE quote_id = $quote_id"); mysqli_query($mysqli,"UPDATE quotes SET quote_status = 'Viewed' WHERE quote_id = $quote_id");
@@ -78,9 +85,10 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
//Mark viewed in history //Mark viewed in history
mysqli_query($mysqli,"INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser', history_created_at = NOW(), history_quote_id = $quote_id, company_id = $company_id"); mysqli_query($mysqli,"INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser', history_created_at = NOW(), history_quote_id = $quote_id, company_id = $company_id");
//Prevent SQL Error if client_name has ' in their name example Bill's Market if ($quote_status == "Draft" || $quote_status == "Sent" || $quote_status == "Viewed") {
$client_name_escaped = mysqli_escape_string($mysqli, $row['client_name']); $client_name_escaped = mysqli_escape_string($mysqli, $row['client_name']);
mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_timestamp = NOW(), notification_client_id = $client_id, company_id = $company_id");
}
?> ?>
@@ -171,6 +179,8 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
<tbody> <tbody>
<?php <?php
$total_tax = $sub_total = 0; // Default 0
while ($row = mysqli_fetch_array($sql_items)) { while ($row = mysqli_fetch_array($sql_items)) {
$item_id = $row['item_id']; $item_id = $row['item_id'];
$item_name = htmlentities($row['item_name']); $item_name = htmlentities($row['item_name']);
@@ -224,12 +234,6 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
<td>Subtotal</td> <td>Subtotal</td>
<td class="text-right"><?php echo numfmt_format_currency($currency_format, $sub_total, $quote_currency_code); ?></td> <td class="text-right"><?php echo numfmt_format_currency($currency_format, $sub_total, $quote_currency_code); ?></td>
</tr> </tr>
<?php if ($discount > 0) { ?>
<tr class="border-bottom">
<td>Discount</td>
<td class="text-right"><?php echo numfmt_format_currency($currency_format, $quote_discount, $quote_currency_code); ?></td>
</tr>
<?php } ?>
<?php if ($total_tax > 0) { ?> <?php if ($total_tax > 0) { ?>
<tr class="border-bottom"> <tr class="border-bottom">
<td>Tax</td> <td>Tax</td>
@@ -247,7 +251,7 @@ if (isset($_GET['quote_id'], $_GET['url_key'])) {
<hr class="mt-5"> <hr class="mt-5">
<center style="white-space:pre-line"><?php echo $config_quote_footer; ?></center> <div style="white-space:pre-line; text-align: center;"><?php echo $config_quote_footer; ?></div>
</div> </div>
</div> </div>
@@ -639,12 +643,6 @@ var docDefinition = {
} }
</script> </script>
<?php
}else{
echo "GTFO";
}
}else{
echo "GTFO";
} ?>
<?php include("guest_footer.php"); <?php
require_once("guest_footer.php");