Fixes #5

WISPBill · Mar 15, 2016 · f8a2183 · f8a2183
1 parent c77e7fd
commit f8a2183
Show file tree

Hide file tree

Showing 65 changed files with 250 additions and 174 deletions.
diff --git a/activatecustomer2.php b/activatecustomer2.php
@@ -60,11 +60,11 @@
     // do nothing 
 } // end if
 
-$emailc = $mysqli->real_escape_string($email);
-$phonec = $mysqli->real_escape_string($phone);
-$l4c = $mysqli->real_escape_string($l4);
-$plan = $mysqli->real_escape_string($plan);
-$mode = $mysqli->real_escape_string($mode);
+$emailc = inputcleaner($email,$mysqli);
+   $phonec = inputcleaner($phone,$mysqli);
+   $l4c = inputcleaner($l4,$mysqli);
+  $plan = inputcleaner($plan,$mysqli);
+   $mode = inputcleaner($mode,$mysqli);
 if(!filter_var($emailc, FILTER_VALIDATE_EMAIL)){
      $_SESSION['exitcodev2'] = 'email';
     header('Location: activatecustomer.php');

diff --git a/adddhcp2.php b/adddhcp2.php
@@ -61,13 +61,11 @@
      $_SESSION['exitcodev2'] = '';
 }
 
-
-$name = $mysqli->real_escape_string($name);
-$pool = $mysqli->real_escape_string($pool);
-$dns = $mysqli->real_escape_string($dns);
-$site = $mysqli->real_escape_string($site);
-$portid = $mysqli->real_escape_string($port);
-
+ $name = inputcleaner($name,$mysqli);
+  $pool = inputcleaner($pool,$mysqli);
+   $dns = inputcleaner($dns,$mysqli);
+   $site = inputcleaner($site,$mysqli);
+   $portid = inputcleaner($port,$mysqli);
 // end of data sanitize and existence check
 // start of data entry
 if ($result2 = $mysqli->query("SELECT * FROM  `devices` WHERE  `type` =  'router'

diff --git a/addlink2.php b/addlink2.php
@@ -61,11 +61,11 @@
     // do nothing 
 } // end if
 
-$mastersite = $mysqli->real_escape_string($mastersite);
-$masterport = $mysqli->real_escape_string($masterport);
-$slavesite = $mysqli->real_escape_string($slavesite);
-$slaveport = $mysqli->real_escape_string($slaveport);
-$capacity = $mysqli->real_escape_string($capacity);
+ $mastersite = inputcleaner($mastersite,$mysqli);
+  $masterport = inputcleaner($masterport,$mysqli);
+   $slavesite = inputcleaner($slavesite,$mysqli);
+    $slaveport = inputcleaner($slaveport,$mysqli);
+	 $capacity = inputcleaner($capacity,$mysqli);
 // end of data sanitize and existence check
 //start of data entry for system DB
 if ($mysqli->query("INSERT INTO `$db`.`links` (`idlinks`, `capacity`, `status`, `master_site`, `slave_site`,

diff --git a/assignticket2.php b/assignticket2.php
@@ -40,7 +40,7 @@
 
 }
 
-$assignto = $mysqli->real_escape_string($assignto);
+ $assignto = inputcleaner($assignto,$mysqli);
 
 foreach ($_POST['id'] as $id) {
     /*0 unassigned
@@ -50,8 +50,8 @@
   *4 solved with escalation 
 	Odd is unsloved and even is solved
   */
-    $id = $mysqli->real_escape_string($id);
-    
+    $id = inputcleaner($id,$mysqli);
+
     if ($result2 = $mysqli->query("SELECT * FROM `ticket` WHERE `idticket` = '$id'")) {
      while ($row2 = $result2->fetch_assoc()) {
      $cusinfoid= $row2["customer_info_idcustomer_info"];

diff --git a/billcustomer2.php b/billcustomer2.php
@@ -28,6 +28,7 @@
 $email = $_POST["stripeEmail"];
 $l4= $_POST["4"];
 $token = $_POST['stripeToken'];
+
 // end of post
 // start of data sanitize and existence check
  if (empty($email)) {
@@ -49,9 +50,10 @@
     // do nothing 
 } // end if
 
-$emailc = $mysqli->real_escape_string($email);
-$phonec = $mysqli->real_escape_string($phone);
-$l4c = $mysqli->real_escape_string($l4);
+$emailc = inputcleaner($email,$mysqli);
+$phonec = inputcleaner($phone,$mysqli);
+$l4c = inputcleaner($l4,$mysqli);
+
 if(!filter_var($emailc, FILTER_VALIDATE_EMAIL)){
      $_SESSION['errorcode'] = 'email';
     header('Location: billcustomer.php');

diff --git a/billinglogic.php b/billinglogic.php
@@ -374,4 +374,12 @@ function mailuser($email,$event,$sendgridapi,$fromemail,$filldata) {
 }
 }// End of Mail User
 
+function inputcleaner($input,$mysqli) {
+	// Other actions can go here
+$input = $mysqli->real_escape_string($input);
+$input = htmlspecialchars($input);
+
+return $input;
+}// inputcleaner
+
 ?>
diff --git a/changecusser2.php b/changecusser2.php
@@ -49,9 +49,10 @@
     // do nothing 
 } // end if
 
-$emailc = $mysqli->real_escape_string($email);
-$phonec = $mysqli->real_escape_string($phone);
-$l4c = $mysqli->real_escape_string($l4);
+$emailc = inputcleaner($email,$mysqli);
+$phonec = inputcleaner($phone,$mysqli);
+$l4c = inputcleaner($l4,$mysqli);
+
 if(!filter_var($emailc, FILTER_VALIDATE_EMAIL)){
      $_SESSION['exitcodev2'] = 'email';
     header('Location: changecusser.php');

diff --git a/closeticket2.php b/closeticket2.php
@@ -38,8 +38,9 @@
     // Nothing
  }
 
- $id = $mysqli->real_escape_string($id);
-  $status= $mysqli->real_escape_string($status);
+
+  $id = inputcleaner($id,$mysqli);
+$status = inputcleaner($status,$mysqli);
 
   if(is_numeric($status)){
     //nothing

diff --git a/configrouter2.php b/configrouter2.php
@@ -56,11 +56,10 @@
 }
 
 
-$name = $mysqli->real_escape_string($name);
-$pass = $mysqli->real_escape_string($pass);
-$ip = $mysqli->real_escape_string($ip);
-$router = $mysqli->real_escape_string($router);
-
+$name = inputcleaner($name,$mysqli);
+$pass = inputcleaner($pass,$mysqli);
+$ip = inputcleaner($ip,$mysqli);
+$router = inputcleaner($router,$mysqli);
 
 // end of data sanitize and existence check
 $routerip = $ip;

diff --git a/configrouter3.php b/configrouter3.php
@@ -27,7 +27,7 @@
 $cleandata = $_SESSION['cleandata'];
 // end of post
 
-$router = $mysqli->real_escape_string($router);
+$router = inputcleaner($router,$mysqli);
 
 if ($result = $mysqli->query("SELECT * FROM `device_credentials` WHERE `devices_iddevices` = '$router'")) {
       /* fetch associative array */

diff --git a/configsite2.php b/configsite2.php
@@ -43,6 +43,11 @@
 } else{
     // We are good
 }
+
+$id = inputcleaner($id,$mysqli);
+$id2 = inputcleaner($id2,$mysqli);
+$id3 = inputcleaner($id3,$mysqli);
+
 if ($result = $mysqli->query("SELECT * FROM `devices` WHERE `iddevices` = $id")) {
       /* fetch associative array */
 

diff --git a/configsite3.php b/configsite3.php
@@ -43,6 +43,10 @@
         while ($row = $result2->fetch_assoc()) {
      $port = $row["port_id"];
      $use = $_POST["$port"];
+
+     $use = inputcleaner($use,$mysqli);
+
+
     if ($result = $mysqli->query("INSERT INTO `$db`.`device_ports`
                                  (`iddevice_ports`, `port id`, `use`,
                                  `devices_iddevices`) VALUES

diff --git a/convertlead2.php b/convertlead2.php
@@ -65,10 +65,9 @@
     // do nothing 
 } // end if
 
-$user = $mysqli->real_escape_string($user);
-$pass1 = $mysqli->real_escape_string($pass1);
-$pass2 = $mysqli->real_escape_string($pass2);
-
+$user = inputcleaner($user,$mysqli);
+$pass1 = inputcleaner($pass1,$mysqli);
+$pass2 = inputcleaner($pass2,$mysqli);
 // end of data sanitize and existence check
 if ($result = $mysqli->query("SELECT * FROM `customer_info` WHERE `idcustomer_info` = $infoid")) {
       /* fetch associative array */

diff --git a/convertleadin2.php b/convertleadin2.php
@@ -33,8 +33,8 @@
     // Nothing 
  }
 
- $leadid = $mysqli->real_escape_string($id);
- 
+ $leadidid = inputcleaner($leadidid,$mysqli);
+
  /*0 unassigned
   *1 assigned but not solved
   *2 assigned and solved

diff --git a/createadminuser2.php b/createadminuser2.php
@@ -86,15 +86,16 @@
 } else{
     // do nothing 
 } // end if
-$fname = $mysqli->real_escape_string($fname);
-$lname = $mysqli->real_escape_string($lname);
-$tel = $mysqli->real_escape_string($tel);
-$ctel = $mysqli->real_escape_string($ctel);
-$user = $mysqli->real_escape_string($user);
-$pass1 = $mysqli->real_escape_string($pass1);
-$pass2 = $mysqli->real_escape_string($pass2);
-$email1 = $mysqli->real_escape_string($email1);
-$email2 = $mysqli->real_escape_string($email2);
+
+$fname = inputcleaner($fname,$mysqli);
+$lname = inputcleaner($lname,$mysqli);
+$tel = inputcleaner($tel,$mysqli);
+$ctel = inputcleaner($ctel,$mysqli);
+$user = inputcleaner($user,$mysqli);
+$pass1 = inputcleaner($pass1,$mysqli);
+$pass2 = inputcleaner($pass2,$mysqli);
+$email1 = inputcleaner($email1,$mysqli);
+$email2 = inputcleaner($email2,$mysqli);
 
 if(!filter_var($email1, FILTER_VALIDATE_EMAIL)){
     $_SESSION['exitcode'] = 'email not valid';

diff --git a/createcontact2.php b/createcontact2.php
@@ -22,16 +22,17 @@
 require_once('./fileloader.php');
 $mysqli = new mysqli("$ip", "$username", "$password", "$db");
 // start of post
-$fname = $_POST["fname"];
-$lname = $_POST["lname"];
-$org = $_POST["org"];
-$tel = $_POST["tel"];
-$add = $_POST["add"];
-$city = $_POST["city"];
-$zip = $_POST["zip"];
-$state = $_POST["state"];
-$email1 = $_POST["email"];
-$email2 = $_POST["email2"];
+
+$fname = inputcleaner($fname,$mysqli);
+$lname = inputcleaner($lname,$mysqli);
+$org = inputcleaner($org,$mysqli);
+$tel = inputcleaner($tel,$mysqli);
+$add = inputcleaner($add,$mysqli);
+$city = inputcleaner($city,$mysqli);
+$zip = inputcleaner($zip,$mysqli);
+$state = inputcleaner($state,$mysqli);
+$email1 = inputcleaner($email1,$mysqli);
+$email2 = inputcleaner($email2,$mysqli);
 // end of post
 
 // start of data sanitize and existence check

diff --git a/createcontactnote2.php b/createcontactnote2.php
@@ -26,6 +26,10 @@
 // start of post
 $note = $_POST["text1"];
 $id = $_POST["contact"];
+
+$id = inputcleaner($id,$mysqli);
+$note = inputcleaner($note,$mysqli);
+
 // end of post
 // start of data sanitize and existence check
  if (empty($note)) {

diff --git a/createdevice2.php b/createdevice2.php
@@ -75,13 +75,14 @@
   {
   //do nothing 
   }
-$name = $mysqli->real_escape_string($name);
-$serial = $mysqli->real_escape_string($serial);
-$modle = $mysqli->real_escape_string($modle);
-$mac = $mysqli->real_escape_string($mac);
-$type = $mysqli->real_escape_string($type);
-$man = $mysqli->real_escape_string($man);
 
+
+$name = inputcleaner($name,$mysqli);
+$serial = inputcleaner($serial,$mysqli);
+$modle = inputcleaner($modle,$mysqli);
+$mac = inputcleaner($mac,$mysqli);
+$type = inputcleaner($type,$mysqli);
+$man = inputcleaner($man,$mysqli);
 // end of data sanitize and existence check
 // start of data entry
 if ($mysqli->query("INSERT INTO `$db`.`devices` (`iddevices`, `location_idlocation`, `name`, `serial_number`, `manufacturer`, `model`, `type`, `librenms_id`, `field_status`, `mac`)

diff --git a/createlead2.php b/createlead2.php
@@ -91,17 +91,17 @@
     // do nothing 
 } // end if
 
+$fname = inputcleaner($fname,$mysqli);
+$lname = inputcleaner($lname,$mysqli);
+$tel = inputcleaner($tel,$mysqli);
+$add = inputcleaner($add,$mysqli);
+$city = inputcleaner($city,$mysqli);
+$zip = inputcleaner($zip,$mysqli);
+$state = inputcleaner($state,$mysqli);
+$email1 = inputcleaner($email1,$mysqli);
+$email2 = inputcleaner($email2,$mysqli);
+$source = inputcleaner($source,$mysqli);
 
-$fname = $mysqli->real_escape_string($fname);
-$lname = $mysqli->real_escape_string($lname);
-$tel = $mysqli->real_escape_string($tel);
-$add = $mysqli->real_escape_string($add);
-$city = $mysqli->real_escape_string($city);
-$zip = $mysqli->real_escape_string($zip);
-$state = $mysqli->real_escape_string($state);
-$email1 = $mysqli->real_escape_string($email1);
-$email2 = $mysqli->real_escape_string($email2);
-$source = $mysqli->real_escape_string($source);
 if(!filter_var($email1, FILTER_VALIDATE_EMAIL)){
     $_SESSION['exitcodev2'] = 'Email was Not Valid';
      header('Location: createlead.php');

diff --git a/createplan2.php b/createplan2.php
@@ -62,6 +62,10 @@
 $up = $mysqli->real_escape_string($up);
 $down = $mysqli->real_escape_string($down);
 
+$name = inputcleaner($name,$mysqli);
+$price = inputcleaner($price,$mysqli);
+$up = inputcleaner($up,$mysqli);
+$down = inputcleaner($down,$mysqli);
 // end of data sanitize and existence check
 // start of cheack for exsting plan name
 

diff --git a/createsite2.php b/createsite2.php
@@ -60,13 +60,11 @@
      $_SESSION['exitcodev2'] = '';
 }
 
-
-$name = $mysqli->real_escape_string($name);
-$lat = $mysqli->real_escape_string($lat);
-$lon = $mysqli->real_escape_string($lon);
-$type = $mysqli->real_escape_string($type);
-$con = $mysqli->real_escape_string($con);
-
+$name = inputcleaner($name,$mysqli);
+$lat = inputcleaner($lat,$mysqli);
+$lon = inputcleaner($lon,$mysqli);
+$type = inputcleaner($type,$mysqli);
+$con = inputcleaner($con,$mysqli);
 // end of data sanitize and existence check
 // start of data entry
 if ($mysqli->query("INSERT INTO `$db`.`location` (`idlocation`, `name`,

diff --git a/createticketnote2.php b/createticketnote2.php
@@ -42,9 +42,8 @@
     // do nothing 
 } // end if
 
-$note = $mysqli->real_escape_string($note);
-$id = $mysqli->real_escape_string($id);
-
+$id = inputcleaner($id,$mysqli);
+$note = inputcleaner($note,$mysqli);
 // end of data sanitize and existence check
 
 $time = time();

diff --git a/deleteadminuser2.php b/deleteadminuser2.php
@@ -30,6 +30,7 @@
 }
 $mysqli = new mysqli("$ip", "$username", "$password", "$db");
 foreach ($_POST['id'] as $id) {
+	$id = inputcleaner($id,$mysqli);
      if ($result = $mysqli->query("DELETE FROM `$db`.`admin_users` WHERE `admin_users`.`idadmin` = $id")) {
 
     } 

diff --git a/deletecustomer2.php b/deletecustomer2.php
@@ -48,9 +48,10 @@
     // do nothing 
 } // end if
 
-$emailc = $mysqli->real_escape_string($email);
-$phonec = $mysqli->real_escape_string($phone);
-$l4c = $mysqli->real_escape_string($l4);
+$emailc = inputcleaner($email,$mysqli);
+$phonec = inputcleaner($phone,$mysqli);
+$l4c = inputcleaner($l4,$mysqli);
+
 if(!filter_var($emailc, FILTER_VALIDATE_EMAIL)){
      $_SESSION['exitcodev2'] = 'email';
     header('Location: deletecustomer.php');

diff --git a/deletemail.php b/deletemail.php
@@ -27,9 +27,11 @@
     header('Location: index.php');
 }
 $folder = $_POST['folder'];
+$folder = inputcleaner($folder,$mysqli);
 
              if(isset($_POST['id'])){
             $uid = $_POST['id'];
+			$uid = inputcleaner($uid,$mysqli);
         } else{
             //no folder we want to view
           header('Location: mailbox.php');