Update Add Client to use prepared statements

This commit is contained in:
johnnyq
2025-11-21 20:53:04 -05:00
committed by Mike Johnston
parent e00eb305dc
commit de79ffd87c
2 changed files with 186 additions and 99 deletions


@@ -14,107 +14,232 @@ if (isset($_POST['add_client'])) {
require_once 'client_model.php'; require_once 'client_model.php';
// Location inputs
$location_phone_country_code = preg_replace("/[^0-9]/", '', $_POST['location_phone_country_code']); $location_phone_country_code = preg_replace("/[^0-9]/", '', $_POST['location_phone_country_code']);
$location_phone = preg_replace("/[^0-9]/", '', $_POST['location_phone']); $location_phone = preg_replace("/[^0-9]/", '', $_POST['location_phone']);
$location_extension = preg_replace("/[^0-9]/", '', $_POST['location_extension']); $location_extension = preg_replace("/[^0-9]/", '', $_POST['location_extension']);
$location_fax_country_code = preg_replace("/[^0-9]/", '', $_POST['location_fax_country_code']); $location_fax_country_code = preg_replace("/[^0-9]/", '', $_POST['location_fax_country_code']);
$location_fax = preg_replace("/[^0-9]/", '', $_POST['location_fax']); $location_fax = preg_replace("/[^0-9]/", '', $_POST['location_fax']);
$address = sanitizeInput($_POST['address']); $address = cleanInput($_POST['address']);
$city = sanitizeInput($_POST['city']); $city = cleanInput($_POST['city']);
$state = sanitizeInput($_POST['state']); $state = cleanInput($_POST['state']);
$zip = sanitizeInput($_POST['zip']); $zip = cleanInput($_POST['zip']);
$country = sanitizeInput($_POST['country']); $country = cleanInput($_POST['country']);
$contact = sanitizeInput($_POST['contact']);
$title = sanitizeInput($_POST['title']); // Contact inputs
$contact = cleanInput($_POST['contact']);
$title = cleanInput($_POST['title']);
$contact_phone_country_code = preg_replace("/[^0-9]/", '', $_POST['contact_phone_country_code']); $contact_phone_country_code = preg_replace("/[^0-9]/", '', $_POST['contact_phone_country_code']);
$contact_phone = preg_replace("/[^0-9]/", '', $_POST['contact_phone']); $contact_phone = preg_replace("/[^0-9]/", '', $_POST['contact_phone']);
$contact_extension = preg_replace("/[^0-9]/", '', $_POST['contact_extension']); $contact_extension = preg_replace("/[^0-9]/", '', $_POST['contact_extension']);
$contact_mobile_country_code = preg_replace("/[^0-9]/", '', $_POST['contact_mobile_country_code']); $contact_mobile_country_code = preg_replace("/[^0-9]/", '', $_POST['contact_mobile_country_code']);
$contact_mobile = preg_replace("/[^0-9]/", '', $_POST['contact_mobile']); $contact_mobile = preg_replace("/[^0-9]/", '', $_POST['contact_mobile']);
$contact_email = sanitizeInput($_POST['contact_email']); $contact_email = cleanInput($_POST['contact_email']);
$extended_log_description = ''; $extended_log_description = '';
// Create client // Insert client using SET
mysqli_query($mysqli, "INSERT INTO clients SET client_name = '$name', client_type = '$type', client_website = '$website', client_referral = '$referral', client_rate = $rate, client_currency_code = '$session_company_currency', client_net_terms = $net_terms, client_tax_id_number = '$tax_id_number', client_lead = $lead, client_abbreviation = '$abbreviation', client_notes = '$notes', client_accessed_at = NOW()"); $query = mysqli_prepare(
$mysqli,
"INSERT INTO clients SET
client_name = ?,
client_type = ?,
client_website = ?,
client_referral = ?,
client_rate = ?,
client_currency_code = ?,
client_net_terms = ?,
client_tax_id_number = ?,
client_lead = ?,
client_abbreviation = ?,
client_notes = ?,
client_accessed_at = NOW()"
);
mysqli_stmt_bind_param(
$query,
"ssssdsiisss",
$name,
$type,
$website,
$referral,
$rate,
$session_company_currency,
$net_terms,
$tax_id_number,
$lead,
$abbreviation,
$notes
);
mysqli_stmt_execute($query);
$client_id = mysqli_insert_id($mysqli); $client_id = mysqli_insert_id($mysqli);
if (!file_exists($_SERVER['DOCUMENT_ROOT'] . "/uploads/clients/$client_id")) { // Create client folder
mkdir($_SERVER['DOCUMENT_ROOT'] . "/uploads/clients/$client_id"); $client_folder = $_SERVER['DOCUMENT_ROOT'] . "/uploads/clients/$client_id";
file_put_contents($_SERVER['DOCUMENT_ROOT'] . "/uploads/clients/$client_id/index.php", ""); if (!file_exists($client_folder)) {
mkdir($client_folder);
file_put_contents("$client_folder/index.php", "");
} }
// Create Referral if it doesn't exist // Create referral category if it doesn't exist
$sql = mysqli_query($mysqli, "SELECT category_name FROM categories WHERE category_type = 'Referral' AND category_archived_at IS NULL AND category_name = '$referral'"); $query = mysqli_prepare($mysqli, "SELECT category_name FROM categories WHERE category_type = 'Referral' AND category_archived_at IS NULL AND category_name = ?");
if(mysqli_num_rows($sql) == 0) { mysqli_stmt_bind_param($query, "s", $referral);
mysqli_query($mysqli, "INSERT INTO categories SET category_name = '$referral', category_type = 'Referral'"); mysqli_stmt_execute($query);
mysqli_stmt_store_result($query);
if (mysqli_stmt_num_rows($query) == 0) {
$query = mysqli_prepare($mysqli, "INSERT INTO categories SET category_name = ?, category_type = 'Referral'");
mysqli_stmt_bind_param($query, "s", $referral);
mysqli_stmt_execute($query);
logAction("Category", "Create", "$session_name created referral category $referral"); logAction("Category", "Create", "$session_name created referral category $referral");
} }
// Create Location // Insert primary location using SET
if (!empty($location_phone) || !empty($address) || !empty($city) || !empty($state) || !empty($zip)) { if (!empty($location_phone) || !empty($address) || !empty($city) || !empty($state) || !empty($zip)) {
mysqli_query($mysqli, "INSERT INTO locations SET location_name = 'Primary', location_address = '$address', location_city = '$city', location_state = '$state', location_zip = '$zip', location_phone_country_code = '$location_phone_country_code', location_phone = '$location_phone', location_phone_extension = '$location_extension', location_fax_country_code = '$location_fax_country_code', location_fax = '$location_fax', location_country = '$country', location_primary = 1, location_client_id = $client_id"); $query = mysqli_prepare(
$mysqli,
//Extended Logging "INSERT INTO locations SET
location_name = 'Primary',
location_address = ?,
location_city = ?,
location_state = ?,
location_zip = ?,
location_phone_country_code = ?,
location_phone = ?,
location_phone_extension = ?,
location_fax_country_code = ?,
location_fax = ?,
location_country = ?,
location_primary = 1,
location_client_id = ?"
);
mysqli_stmt_bind_param(
$query,
"ssssssssssi",
$address,
$city,
$state,
$zip,
$location_phone_country_code,
$location_phone,
$location_extension,
$location_fax_country_code,
$location_fax,
$country,
$client_id
);
mysqli_stmt_execute($query);
$extended_log_description .= ", primary location $address added"; $extended_log_description .= ", primary location $address added";
} }
// Insert primary contact using SET
// Create Contact
if (!empty($contact) || !empty($title) || !empty($contact_phone) || !empty($contact_mobile) || !empty($contact_email)) { if (!empty($contact) || !empty($title) || !empty($contact_phone) || !empty($contact_mobile) || !empty($contact_email)) {
mysqli_query($mysqli, "INSERT INTO contacts SET contact_name = '$contact', contact_title = '$title', contact_phone_country_code = '$contact_phone_country_code', contact_phone = '$contact_phone', contact_extension = '$contact_extension', contact_mobile_country_code = '$contact_mobile_country_code', contact_mobile = '$contact_mobile', contact_email = '$contact_email', contact_primary = 1, contact_important = 1, contact_client_id = $client_id"); $query = mysqli_prepare(
$mysqli,
//Extended Logging "INSERT INTO contacts SET
contact_name = ?,
contact_title = ?,
contact_phone_country_code = ?,
contact_phone = ?,
contact_extension = ?,
contact_mobile_country_code = ?,
contact_mobile = ?,
contact_email = ?,
contact_primary = 1,
contact_important = 1,
contact_client_id = ?"
);
mysqli_stmt_bind_param(
$query,
"ssssssssi",
$contact,
$title,
$contact_phone_country_code,
$contact_phone,
$contact_extension,
$contact_mobile_country_code,
$contact_mobile,
$contact_email,
$client_id
);
mysqli_stmt_execute($query);
$extended_log_description .= ", primary contact $contact added"; $extended_log_description .= ", primary contact $contact added";
} }
// Add Tags // Add tags
if (isset($_POST['tags'])) { if (isset($_POST['tags'])) {
$query = mysqli_prepare($mysqli, "INSERT INTO client_tags SET client_id = ?, tag_id = ?");
foreach ($_POST['tags'] as $tag) { foreach ($_POST['tags'] as $tag) {
$tag = intval($tag); $tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag"); mysqli_stmt_bind_param($query, "ii", $client_id, $tag);
mysqli_stmt_execute($query);
} }
} }
// Create domain in domains/certificates // Insert domain and SSL using SET
if (!empty($website) && filter_var($website, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) { if (!empty($website) && filter_var($website, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
// Get domain expiry date
$expire = getDomainExpirationDate($website); $expire = getDomainExpirationDate($website);
// NS, MX, A and WHOIS records/data
$records = getDomainRecords($website); $records = getDomainRecords($website);
$a = sanitizeInput($records['a']); $a = cleanInput($records['a']);
$ns = sanitizeInput($records['ns']); $ns = cleanInput($records['ns']);
$mx = sanitizeInput($records['mx']); $mx = cleanInput($records['mx']);
$whois = sanitizeInput($records['whois']); $whois = cleanInput($records['whois']);
// Add domain record info using whois, or not
try { try {
mysqli_query($mysqli, "INSERT INTO domains SET domain_name = '$website', domain_registrar = 0, domain_webhost = 0, domain_expire = '$expire', domain_ip = '$a', domain_name_servers = '$ns', domain_mail_servers = '$mx', domain_raw_whois = '$whois', domain_client_id = $client_id"); $query = mysqli_prepare(
$extended_log_description .= ", domain $website added"; //Extended Logging $mysqli,
"INSERT INTO domains SET
domain_name = ?,
domain_registrar = 0,
domain_webhost = 0,
domain_expire = ?,
domain_ip = ?,
domain_name_servers = ?,
domain_mail_servers = ?,
domain_raw_whois = ?,
domain_client_id = ?"
);
mysqli_stmt_bind_param($query, "ssssssi", $website, $expire, $a, $ns, $mx, $whois, $client_id);
mysqli_stmt_execute($query);
$extended_log_description .= ", domain $website added";
} catch (Exception $e) { } catch (Exception $e) {
$extended_log_description .= ", domain not added"; //Extended Logging $extended_log_description .= ", domain not added";
logApp("Client", "warning", "Failed to add domain $website during client creation (usually a whois result error)"); logApp("Client", "warning", "Failed to add domain $website during client creation");
} }
// Get inserted ID (for linking certificate, if exists)
$domain_id = mysqli_insert_id($mysqli); $domain_id = mysqli_insert_id($mysqli);
// Get SSL cert for domain (if exists)
$certificate = getSSL($website); $certificate = getSSL($website);
if ($certificate['success'] == "TRUE") { if ($certificate['success'] == "TRUE") {
$expire = sanitizeInput($certificate['expire']); $expire = cleanInput($certificate['expire']);
$issued_by = sanitizeInput($certificate['issued_by']); $issued_by = cleanInput($certificate['issued_by']);
$public_key = sanitizeInput($certificate['public_key']); $public_key = cleanInput($certificate['public_key']);
mysqli_query($mysqli, "INSERT INTO certificates SET certificate_name = '$website', certificate_domain = '$website', certificate_issued_by = '$issued_by', certificate_expire = '$expire', certificate_public_key = '$public_key', certificate_domain_id = $domain_id, certificate_client_id = $client_id"); $query = mysqli_prepare(
$mysqli,
"INSERT INTO certificates SET
certificate_name = ?,
certificate_domain = ?,
certificate_issued_by = ?,
certificate_expire = ?,
certificate_public_key = ?,
certificate_domain_id = ?,
certificate_client_id = ?"
);
mysqli_stmt_bind_param(
$query,
"sssssii",
$website,
$website,
$issued_by,
$expire,
$public_key,
$domain_id,
$client_id
);
mysqli_stmt_execute($query);
//Extended Logging
$extended_log_description .= ", SSL certificate $website added"; $extended_log_description .= ", SSL certificate $website added";
} }
} }
logAction("Client", "Create", "$session_name created client $name$extended_log_description", $client_id, $client_id); logAction("Client", "Create", "$session_name created client $name$extended_log_description", $client_id, $client_id);
@@ -125,44 +250,6 @@ if (isset($_POST['add_client'])) {
} }
if (isset($_POST['edit_client'])) {
enforceUserPermission('module_client', 2);
require_once 'client_model.php';
$client_id = intval($_POST['client_id']);
mysqli_query($mysqli, "UPDATE clients SET client_name = '$name', client_type = '$type', client_website = '$website', client_referral = '$referral', client_rate = $rate, client_net_terms = $net_terms, client_tax_id_number = '$tax_id_number', client_lead = $lead, client_abbreviation = '$abbreviation', client_notes = '$notes' WHERE client_id = $client_id");
// Create Referral if it doesn't exist
$sql = mysqli_query($mysqli, "SELECT category_name FROM categories WHERE category_type = 'Referral' AND category_archived_at IS NULL AND category_name = '$referral'");
if(mysqli_num_rows($sql) == 0) {
mysqli_query($mysqli, "INSERT INTO categories SET category_name = '$referral', category_type = 'Referral'");
logAction("Category", "Create", "$session_name created referral category $referral");
}
// Tags
// Delete existing tags
mysqli_query($mysqli, "DELETE FROM client_tags WHERE client_id = $client_id");
// Add new tags
if(isset($_POST['tags'])) {
foreach($_POST['tags'] as $tag) {
$tag = intval($tag);
mysqli_query($mysqli, "INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag");
}
}
logAction("Client", "Edit", "$session_name edited client $name", $client_id, $client_id);
flash_alert("Client <strong>$name</strong> updated");
redirect();
}
if (isset($_GET['archive_client'])) { if (isset($_GET['archive_client'])) {
validateCSRFToken($_GET['csrf_token']); validateCSRFToken($_GET['csrf_token']);
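Review bot: The `try { ... } catch (Exception $e)` around the domains insert only catches a failed `mysqli_stmt_execute` if mysqli has been switched to exception mode (`mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)`), which nothing in this hunk shows; in the default mode a failed execute returns false, the ", domain $website added" text is still appended, and `$domain_id = mysqli_insert_id($mysqli)` picks up the id of whatever row was inserted last (a tag, contact or location), so the certificate row is linked to the wrong domain. Checking the result makes the catch branch reachable in either mode: `if (!mysqli_stmt_execute($query)) { throw new Exception(mysqli_stmt_error($query)); }`. The same unchecked execute applies to the clients insert earlier in the hunk, where a failure leaves `$client_id` at 0 and the subsequent folder creation and location/contact/tag inserts proceed against client 0; a false return from `mysqli_prepare` would likewise reach `mysqli_stmt_bind_param` as a TypeError rather than a handled error. The enclosing `if (isset($_POST['add_client']))` block begins before this hunk.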


@@ -1,16 +1,16 @@
<?php <?php
defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
$name = sanitizeInput($_POST['name']); $name = cleanInput($_POST['name']);
$type = sanitizeInput($_POST['type']); $type = cleanInput($_POST['type']);
$website = preg_replace("(^https?://)", "", sanitizeInput($_POST['website'])); $website = preg_replace("(^https?://)", "", cleanInput($_POST['website']));
$referral = sanitizeInput($_POST['referral']); $referral = cleanInput($_POST['referral']);
$rate = floatval($_POST['rate'] ?? 0); $rate = floatval($_POST['rate'] ?? 0);
$net_terms = intval($_POST['net_terms'] ?? $config_default_net_terms); $net_terms = intval($_POST['net_terms'] ?? $config_default_net_terms);
$tax_id_number = sanitizeInput($_POST['tax_id_number'] ?? ''); $tax_id_number = cleanInput($_POST['tax_id_number'] ?? '');
$abbreviation = sanitizeInput($_POST['abbreviation']); $abbreviation = cleanInput($_POST['abbreviation'] ?? '');
if (empty($abbreviation)) { if (empty($abbreviation)) {
$abbreviation = shortenClient($name); $abbreviation = shortenClient($name);
} }
$notes = sanitizeInput($_POST['notes']); $notes = cleanInput($_POST['notes'] ?? '');
$lead = intval($_POST['lead'] ?? 0); $lead = intval($_POST['lead'] ?? 0);
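Review bot: The new side adds `?? ''` to `$_POST['abbreviation']` and `$_POST['notes']` but leaves `$_POST['name']`, `$_POST['type']`, `$_POST['website']` and `$_POST['referral']` read without a default, so a form that omits any of those still triggers an undefined-array-key warning before `cleanInput` runs; either apply the same `?? ''` to those four lines or document which fields the form is required to post. The file also has no `declare(strict_types=1)` before the `defined('FROM_POST_HANDLER')` guard, which is worth adding while the input handling is being touched.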