From 071380cbe7490bdd1a3830e727e869a0dfa2dc32 Mon Sep 17 00:00:00 2001 From: FusionPBX Date: Wed, 11 Dec 2019 13:48:44 -0700 Subject: [PATCH] Update functions.php --- resources/functions.php | 76 +++++++++++++++++++++++++++++++++-------- 1 file changed, 61 insertions(+), 15 deletions(-) diff --git a/resources/functions.php b/resources/functions.php index 145ead7512..408b700e2d 100644 --- a/resources/functions.php +++ b/resources/functions.php @@ -284,7 +284,7 @@ if (!function_exists('if_superadmin')) { function if_superadmin($superadmin_list, $user_uuid) { if (stripos($superadmin_list, "||".$user_uuid."||") === false) { - return false; //user_uuid does not exist + return false; } else { return true; //user_uuid exists @@ -296,12 +296,14 @@ function html_select_other($table_name, $field_name, $sql_where_optional, $field_current_value) { //html select other: build a select box from distinct items in db with option for other global $domain_uuid; + $table_name = preg_replace("#[^a-zA-Z0-9_]#", "", $table_name); + $field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name); $html = "\n"; $html .= "\n"; - $html .= ""; return $html;
\n"; + $html .= "\n"; $html .= "\n"; - $html .= "\n"; $html .= "\n"; $sql = "select distinct(".$field_name.") as ".$field_name." "; @@ -311,7 +313,7 @@ if (is_array($result) && @sizeof($result) != 0) { foreach($result as $field) { if (strlen($field[$field_name]) > 0) { - $html .= "\n"; + $html .= "\n"; } } } @@ -331,18 +333,24 @@ } if (!function_exists('html_select')) { - function html_select($table_name, $field_name, $sql_where_optional, $field_current_value, $field_value = '', $style = '', $onchange = '') { + function html_select($table_name, $field_name, $sql_where_optional, $field_current_value, $field_value = '', $style = '', $on_change = '') { //html select: build a select box from distinct items in db global $domain_uuid; + $table_name = preg_replace("#[^a-zA-Z0-9_]#", "", $table_name); + $field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name); + $field_value = preg_replace("#[^a-zA-Z0-9_]#", "", $field_value); + if (strlen($field_value) > 0) { - $html .= "\n"; $html .= " \n"; + $sql = "select distinct(".$field_name.") as ".$field_name.", ".$field_value." from ".$table_name." ".$sql_where_optional." order by ".$field_name." asc "; } else { - $html .= "\n"; $html .= " \n"; + $sql = "select distinct(".$field_name.") as ".$field_name." from ".$table_name." ".$sql_where_optional." "; } @@ -353,7 +361,7 @@ if (strlen($field[$field_name]) > 0) { $selected = $field_current_value == $field[$field_name] ? "selected='selected'" : null; $array_key = strlen($field_value) > 0 ? $field_value : $field_name; - $html .= "\n"; + $html .= "\n"; } } } 
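Review bot: The new allow-list filtering covers only the identifiers, while `$sql_where_optional` is still concatenated verbatim into the query: in this `html_select_other` hunk only `$table_name` and `$field_name` are filtered, and the `html_select` hunk below builds `" from ".$table_name." ".$sql_where_optional." "` from the raw parameter, so any caller that derives the where fragment from request data still injects. Make that contract explicit above the new `preg_replace` lines, e.g. `//identifier allow-list only: $sql_where_optional is concatenated verbatim, so callers must build it from constants, never from request data`, and consider moving the helper to a prepared statement with bound values where the fragment carries data. The filter also rewrites rather than rejects, so a qualified name such as `v_domains.domain_name` silently becomes `v_domainsdomain_name` and the query targets a different identifier than the caller intended; failing closed with `if (!preg_match('#^[a-zA-Z0-9_]+$#', $table_name)) { return ''; }` (likewise for `$field_name`, and for `$field_value` in `html_select`) is safer than silent correction, returning empty or throwing per the file's conventions. `html_select_other`'s body continues outside this hunk, so where its from/where clause is appended is not visible here.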
@@ -366,20 +374,58 @@ if (!function_exists('th_order_by')) { //html table header order by - function th_order_by($field_name, $columntitle, $order_by, $order, $app_uuid = '', $css = '', $additional_get_params='', $description='') { - if (strlen($app_uuid) > 0) { $app_uuid = "&app_uuid=".$app_uuid; } // accomodate need to pass app_uuid where necessary (inbound/outbound routes lists) - if (strlen($additional_get_params) > 0) {$additional_get_params = '&'.$additional_get_params; } // you may need to pass other parameters - $html = ""; + function th_order_by($field_name, $column_title, $order_by, $order, $app_uuid = '', $css = '', $http_get_params = '', $description = '') { + if (is_uuid($app_uuid) > 0) { $app_uuid = "&app_uuid=".$app_uuid; } // accomodate need to pass app_uuid where necessary (inbound/outbound routes lists) + + $field_name = preg_replace("#[^a-zA-Z0-9_]#", "", $field_name); + $column_title = preg_replace("#[^a-zA-Z0-9_]#", "", $column_title); + $field_value = preg_replace("#[^a-zA-Z0-9_]#", "", $field_value); + + $sanitized_parameters = ''; + if (isset($http_get_params) && strlen($http_get_params) > 0) { + $parameters = explode('&', $http_get_params); + if (is_array($parameters)) { + foreach ($parameters as $parameter) { + $array = explode('=', $parameter); + $key = preg_replace('#[^a-zA-Z0-9_\-]#', '', $array['0']); + $value = urldecode($array['1']); + if ($key == 'order_by' && strlen($value) > 0) { + //validate order by + $sanitized_parameters .= "&order_by=". 
preg_replace('#[^a-zA-Z0-9_\-]#', '', $value); + } + else if ($key == 'order' && strlen($value) > 0) { + //validate order + switch ($value) { + case 'asc': + $sanitized_parameters .= "&order=asc"; + break; + case 'desc': + $sanitized_parameters .= "&order=desc"; + break; + } + } + else if (strlen($value) > 0 && is_numeric($value)) { + $sanitized_parameters .= "&".$key."=".$value; + } + else { + $sanitized_parameters .= "&".$key."=".urlencode($value); + } + } + } + } + + $html = ""; $description = (strlen($description) > 0) ? $description . ', ': ''; - if (strlen($order_by) == 0) + if (strlen($order_by) == 0) { $order = 'asc'; + } if ($order == "asc") { $description .= 'sort(ascending)'; - $html .= "$columntitle"; + $html .= "".urlencode($column_title).""; } else { $description .= 'sort(descending)'; - $html .= "$columntitle"; + $html .= "".urlencode($column_title).""; } $html .= "