From 7437048eb422d1484f9a5b7a6f3833f67ec42cc6 Mon Sep 17 00:00:00 2001
From: markjcrane
Date: Tue, 23 Feb 2016 19:05:52 -0700
Subject: [PATCH] Fix the SQL command when using the advanced search and improve security on how showall is being used.
---
 app/xml_cdr/xml_cdr.php | 2 +-
 app/xml_cdr/xml_cdr_inc.php | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/xml_cdr/xml_cdr.php b/app/xml_cdr/xml_cdr.php
index 6056753568..0835bc39eb 100644
--- a/app/xml_cdr/xml_cdr.php
+++ b/app/xml_cdr/xml_cdr.php
@@ -110,7 +110,7 @@ else {
 echo " \n";
 }
 if (permission_exists('xml_cdr_all' && $_REQUEST['showall'] == 'true')) {
- echo " \n";
+ echo " \n";
 }
 echo " \n";
 echo " \n";
diff --git a/app/xml_cdr/xml_cdr_inc.php b/app/xml_cdr/xml_cdr_inc.php
index 89da4a41c1..9a634d6229 100644
--- a/app/xml_cdr/xml_cdr_inc.php
+++ b/app/xml_cdr/xml_cdr_inc.php
@@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2014 + Portions created by the Initial Developer are Copyright (C) 2008-2016 the Initial Developer. All Rights Reserved. Contributor(s):
@@ -229,9 +229,8 @@ else {
 $param .= "&bridge_uuid=".$bridge_uuid;
 $param .= "&mos_comparison=".$mos_comparison;
 $param .= "&mos_score=".$mos_score;
-
- if ($_GET['showall'] && permission_exists('xml_cdr_all')) {
- $param .= "&showall=" . $_GET['showall'];
+ if ($_GET['showall'] == 'true' && permission_exists('xml_cdr_all')) {
+ $param .= "&showall=true";
 }
 if (isset($order_by)) {
 $param .= "&order_by=".$order_by."&order=".$order;
@@ -326,7 +325,8 @@ else {
 else {
 $sql .= " limit ".$rows_per_page." offset ".$offset." ";
 }
-
+ $sql= str_replace(" ", " ", $sql);
+ $sql= str_replace("where and", "where", $sql);
 $prep_statement = $db->prepare(check_sql($sql));
 $prep_statement->execute();
 $result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
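Review bot: The guard around the changed `echo` in xml_cdr.php passes the whole boolean expression to `permission_exists()` instead of the permission name: in `permission_exists('xml_cdr_all' && $_REQUEST['showall'] == 'true')` the `&&` is evaluated first and the function receives a bool, so `xml_cdr_all` is never actually checked. Since the commit's purpose is to tighten how showall is used, this context line should become `if (permission_exists('xml_cdr_all') && isset($_REQUEST['showall']) && $_REQUEST['showall'] === 'true') {`. The `isset` also avoids the undefined-index notice when the parameter is absent. The enclosing block starts before the hunk.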
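Review bot: The new condition `$_GET['showall'] == 'true'` in the `$param` hunk reads the key without `isset()`, so every request that omits `showall` raises an undefined-index notice before the permission check runs; `isset($_GET['showall']) && $_GET['showall'] === 'true'`, or testing `permission_exists('xml_cdr_all')` first, avoids it. Emitting the fixed literal `&showall=true` instead of echoing the request value back into `$param` is the right change, as `$param` appears to be reused in generated links. Note that xml_cdr.php (first hunk) reads `$_REQUEST['showall']` while this file reads `$_GET['showall']`; if both are meant to be the same switch, using one superglobal in both places keeps the two checks in step. The enclosing block starts before the hunk.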
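Review bot: The two added `str_replace` calls patch the finished SQL text rather than the place where it is built: `str_replace("where and", "where", $sql)` rewrites that token sequence wherever it occurs, including inside a quoted search value, and the first call as rendered replaces a single space with a single space (presumably a double space collapsed by the page), so the fix depends on exact whitespace. A sturdier version collects each search condition into an array where the where clause is assembled (outside this hunk) and appends `" where ".implode(" and ", $conditions)` only when the array is non-empty, which removes the need for both replacements. Separately, the context line `$sql .= " limit ".$rows_per_page." offset ".$offset." ";` concatenates both values into the statement before `$db->prepare()`; if either derives from request input (not visible here) they should be cast with `(int)` first. The block that builds `$sql` starts before the hunk.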