Security Added some mysql escapes to some get vars in api and guest view invoice and quote

2019-08-28 21:54:27 -04:00
parent 0e451056b4
commit bbf8756882
3 changed files with 3 additions and 3 deletions
--- a/api.php
+++ b/api.php
@@ -3,7 +3,7 @@
 <?php
 //Check Key 
 if(isset($_GET['api_key'])){
-    $config_api_key = $_GET['api_key'];
+    $config_api_key = mysqli_real_escape_string($mysqli,$_GET['api_key']);
    $sql = mysqli_query($mysqli,"SELECT * FROM settings, companies WHERE settings.company_id = companies.company_id AND settings.config_api_key = '$config_api_key'");
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@@ -4,7 +4,7 @@
 if(isset($_GET['invoice_id'], $_GET['url_key'])){
-  $url_key = $_GET['url_key'];
+  $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
  $invoice_id = intval($_GET['invoice_id']);
  $sql = mysqli_query($mysqli,"SELECT * FROM invoices, clients
--- a/guest_view_quote.php
+++ b/guest_view_quote.php
@@ -4,7 +4,7 @@
 if(isset($_GET['quote_id'], $_GET['url_key'])){
-  $url_key = $_GET['url_key'];
+  $url_key = mysqli_real_escape_string($mysqli,$_GET['url_key']);
  $quote_id = intval($_GET['quote_id']);
  $sql = mysqli_query($mysqli,"SELECT * FROM quotes, clients