Update conference_control_details.php (#4246)

app/conference_controls/conference_control_details.php

@@ -22,14 +22,29 @@
 	$order_by = check_str($_GET["order_by"]);
 	$order = check_str($_GET["order"]);
 
+//validate order by
+	if (strlen($order_by) > 0) {
+		$order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
+	}
+
+//validate the order
+	switch ($order) {
+		case 'asc':
+			break;
+		case 'desc':
+			break;
+		default:
+			$order = '';
+	}
+
 //add the search term
 	$search = check_str($_GET["search"]);
 	if (strlen($search) > 0) {
 		$sql_search = "and (";
-		$sql_search .= "control_digits like '%".$search."%'";
+		$sql_search .= "control_digits like :search";
-		$sql_search .= "or control_action like '%".$search."%'";
+		$sql_search .= "or control_action like :search";
-		$sql_search .= "or control_data like '%".$search."%'";
+		$sql_search .= "or control_data like :search";
-		$sql_search .= "or control_enabled like '%".$search."%'";
+		$sql_search .= "or control_enabled like :search";
 		$sql_search .= ")";
 	}
 //additional includes
@@ -39,21 +54,16 @@
 //prepare to page the results
 	$sql = "select count(*) as num_rows ";
 	$sql .= "from v_conference_control_details ";
-	$sql .= "where conference_control_uuid = '$conference_control_uuid' ";
+	$sql .= "where conference_control_uuid = :conference_control_uuid ";
-	//$sql .= "and domain_uuid = '$domain_uuid' ";
+	//$sql .= "and domain_uuid = :domain_uuid ";
 	$sql .= $sql_search;
-	if (strlen($order_by) > 0) { $sql .= "order by $order_by $order "; }
+	$parameters['conference_control_uuid'] = $conference_control_uuid;
-	$prep_statement = $db->prepare($sql);
+	//$parameters['domain_uuid'] = $domain_uuid;
-	if ($prep_statement) {
+	if (strlen($search) > 0) {
-		$prep_statement->execute();
+		$parameters['search'] = '%'.$search.'%';
-		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-		if ($row['num_rows'] > 0) {
-				$num_rows = $row['num_rows'];
-		}
-		else {
-				$num_rows = '0';
-		}
 	}
+	$database = new database;
+	$row = $database->select($sql, $parameters, 'all');
 
 //prepare to page the results
 	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
@@ -65,15 +75,15 @@
 
 //get the list
 	$sql = "select * from v_conference_control_details ";
-	$sql .= "where conference_control_uuid = '$conference_control_uuid' ";
+	$sql .= "where conference_control_uuid = :conference_control_uuid ";
-	//$sql .= "and domain_uuid = '$domain_uuid' ";
+	//$sql .= "and domain_uuid = :domain_uuid ";
 	$sql .= $sql_search;
 	if (strlen($order_by) > 0) { $sql .= "order by $order_by $order "; }
-	$sql .= "limit $rows_per_page offset $offset ";
+	$sql .= "limit :rows_per_page offset :offset ";
-	$prep_statement = $db->prepare(check_sql($sql));
+	$database = new database;
-	$prep_statement->execute();
+	$parameters['rows_per_page'] = $rows_per_page;
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$parameters['offset'] = $offset;
-	unset ($prep_statement, $sql);
+	$result = $database->select($sql, $parameters, 'all');
 
 //alternate the row style
 	$c = 0;