From 30980f959e27122ea01b7a4235a2b9806a2c9768 Mon Sep 17 00:00:00 2001
From: AlexanderDCrane <40072887+AlexanderDCrane@users.noreply.github.com>
Date: Wed, 29 May 2019 20:59:52 -0600
Subject: [PATCH] Update call_flows.php
---
 app/call_flows/call_flows.php | 77 +++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 34 deletions(-)
diff --git a/app/call_flows/call_flows.php b/app/call_flows/call_flows.php
index 24ddc44680..d1106d50ed 100644
--- a/app/call_flows/call_flows.php
+++ b/app/call_flows/call_flows.php
@@ -49,25 +49,40 @@
 $order_by = check_str($_GET["order_by"]);
 $order = check_str($_GET["order"]);
+//validate order by
+ if (strlen($order_by) > 0) {
+ $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
+ }
+
+//validate the order
+ switch ($order) {
+ case 'asc':
+ break;
+ case 'desc':
+ break;
+ default:
+ $order = '';
+ }
+
 //add the search term
 $search = strtolower(check_str($_GET["search"]));
 if (strlen($search) > 0) {
 $sql_search = "and (";
- $sql_search .= "lower(call_flow_name) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_extension) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_feature_code) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_context) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_status) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_pin_number) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_label) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_sound) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_app) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_data) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_alternate_label) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_alternate_sound) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_alternate_app) like '%".$search."%' ";
- //$sql_search .= "or lower(call_flow_alternate_data) like '%".$search."%' ";
- $sql_search .= "or lower(call_flow_description) like '%".$search."%' ";
+ $sql_search .= "lower(call_flow_name) like :search ";
+ $sql_search .= "or lower(call_flow_extension) like :search ";
+ $sql_search .= "or lower(call_flow_feature_code) like :search ";
+ $sql_search .= "or lower(call_flow_context) like :search ";
+ //$sql_search .= "or lower(call_flow_status) like :search ";
+ $sql_search .= "or lower(call_flow_pin_number) like :search ";
+ $sql_search .= "or lower(call_flow_label) like :search ";
+ //$sql_search .= "or lower(call_flow_sound) like :search ";
+ //$sql_search .= "or lower(call_flow_app) like :search ";
+ //$sql_search .= "or lower(call_flow_data) like :search ";
+ $sql_search .= "or lower(call_flow_alternate_label) like :search ";
+ //$sql_search .= "or lower(call_flow_alternate_sound) like :search ";
+ //$sql_search .= "or lower(call_flow_alternate_app) like :search ";
+ //$sql_search .= "or lower(call_flow_alternate_data) like :search ";
+ $sql_search .= "or lower(call_flow_description) like :search ";
 $sql_search .= ") ";
 }
@@ -77,20 +92,14 @@
 //prepare to page the results
 $sql = "select count(call_flow_uuid) as num_rows from v_call_flows ";
- $sql .= "where domain_uuid = '".$_SESSION["domain_uuid"]."' ";
+ $sql .= "where domain_uuid = :domain_uuid ";
 $sql .= $sql_search;
- if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
- $prep_statement = $db->prepare($sql);
- if ($prep_statement) {
- $prep_statement->execute();
- $row = $prep_statement->fetch(PDO::FETCH_ASSOC);
- if ($row['num_rows'] > 0) {
- $num_rows = $row['num_rows'];
- }
- else {
- $num_rows = '0';
- }
+ $parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+ if (strlen($search) > 0) {
+ $parameters['search'] = '%'.$search.'%';
 }
+ $database = new database;
+ $num_rows = $database->select($sql, $parameters, 'column');
 //prepare to page the results
 $rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
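Review bot: The `$order_by` check in the added `//validate order by` block filters characters but never compares the value with the columns this list is meant to be sorted on, and the value is later interpolated into `order by $order_by $order`, where it cannot be bound, so this filter is the only guard. Any identifier-shaped string still reaches the query, including a column such as `call_flow_pin_number`, and the character class also lets `-` through, which is not valid in an unquoted column name. An allowlist is tighter: `if (!in_array($order_by, $sortable_columns, true)) { $order_by = ''; }`, where `$sortable_columns` holds the columns the list header offers for sorting (not visible in this hunk).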
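Review bot: `:search` is bound once in `$parameters['search']`, but the first hunk places it eight times in `$sql_search`; PDO only accepts a repeated named marker under emulated prepares or with a driver that tolerates it, and the `database` class that prepares the statement is not visible here, so this needs confirming on every supported backend or replacing with distinct markers. The bound value has also already passed through `check_str()` in the first hunk; if that helper escapes quotes (its definition is not shown), a term containing `'` is now escaped twice and stops matching, so the raw `$_GET["search"]` should be what gets bound. `$parameters` is filled by key without `$parameters = array();` first, and the old `'0'` fallback for `$num_rows` is gone, so whatever `select()` returns on failure flows straight into the paging code.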
@@ -102,14 +111,14 @@
 //get the list
 $sql = "select * from v_call_flows ";
- $sql .= "where domain_uuid = '".$_SESSION["domain_uuid"]."' ";
+ $sql .= "where domain_uuid = :domain_uuid ";
 $sql .= $sql_search;
- if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
- $sql .= "limit $rows_per_page offset $offset ";
- $prep_statement = $db->prepare(check_sql($sql));
- $prep_statement->execute();
- $call_flows = $prep_statement->fetchAll(PDO::FETCH_NAMED);
- unset ($prep_statement, $sql);
+ if (strlen($order_by) > 0) { $sql .= "order by $order_by $order "; }
+ $sql .= "limit :rows_per_page offset :offset ";
+ $database = new database;
+ $parameters['rows_per_page'] = $rows_per_page;
+ $parameters['offset'] = $offset;
+ $call_flows = $database->select($sql, $parameters, 'all');
 //alternate the row style
 $c = 0;
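Review bot: `limit :rows_per_page offset :offset` depends on how `database::select()` binds the array: if it is handed to `PDOStatement::execute()`, every value is sent as a string, and under emulated prepares a backend such as MySQL then receives a quoted `limit '50'` and rejects it. That class is outside this patch, so either confirm it binds these two with `PDO::PARAM_INT` or keep the numbers inline after a cast, `$sql .= "limit ".(int) $rows_per_page." offset ".(int) $offset." ";`. The removed `unset ($prep_statement, $sql);` has no replacement, so `$parameters` still carries `domain_uuid`, `search`, `rows_per_page` and `offset` into any later query in the file that fills the array by key; `unset($sql, $parameters);` after the `select()` call would close that.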