Fix the SQL command when using the advanced search and improve security on how showall is being used.

This commit is contained in:
markjcrane
2016-02-23 19:05:52 -07:00
parent d58122aa56
commit 7437048eb4
2 changed files with 6 additions and 6 deletions


@@ -110,7 +110,7 @@ else {
echo " <input type='hidden' name='order' value='$order'>\n";
}
if (permission_exists('xml_cdr_all' && $_REQUEST['showall'] == 'true')) {
echo " <input type='hidden' name='showall' value='true'>\n";
echo " <input type='hidden' name='showall' value='true'>\n";
}
echo " <table cellpadding='0' cellspacing='0' border='0'>\n";
echo " <tr>\n";
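Review bot: The permission check on the `if` line is mis-parenthesised: `permission_exists('xml_cdr_all' && $_REQUEST['showall'] == 'true')` passes the boolean result of the `&&` into permission_exists() instead of the permission name, so whatever that helper does with a bool, it is not testing xml_cdr_all; the line prints once here, so it may be context rather than part of the change, but the commit reworks showall handling and leaves it as is. It also reads `$_REQUEST['showall']` without isset, which raises a notice on every request that omits the parameter. Suggested line: `if (isset($_REQUEST['showall']) && $_REQUEST['showall'] === 'true' && permission_exists('xml_cdr_all')) {`. The two identical echo lines render the same on this page, so which side each belongs to cannot be verified from here, and the enclosing else-block starts outside the hunk.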


@@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2014
Portions created by the Initial Developer are Copyright (C) 2008-2016
the Initial Developer. All Rights Reserved.
Contributor(s):
@@ -229,9 +229,8 @@ else {
$param .= "&bridge_uuid=".$bridge_uuid;
$param .= "&mos_comparison=".$mos_comparison;
$param .= "&mos_score=".$mos_score;
if ($_GET['showall'] && permission_exists('xml_cdr_all')) {
$param .= "&showall=" . $_GET['showall'];
if ($_GET['showall'] == 'true' && permission_exists('xml_cdr_all')) {
$param .= "&showall=true";
}
if (isset($order_by)) {
$param .= "&order_by=".$order_by."&order=".$order;
@@ -326,7 +325,8 @@ else {
else {
$sql .= " limit ".$rows_per_page." offset ".$offset." ";
}
$sql= str_replace(" ", " ", $sql);
$sql= str_replace("where and", "where", $sql);
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
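Review bot: The `str_replace("where and", "where", $sql)` line repairs a query assembled by string concatenation with a textual search-and-replace, which is fragile: it rewrites that token wherever it appears in the SQL, including inside a quoted filter value, and it depends on the preceding whitespace-collapsing str_replace having already normalised the spacing (that line is rendered with a single-space needle on this page, which would be a no-op; presumably it is two spaces in the source). The robust form is to collect the conditions in an array and join them once, e.g. `$sql .= count($where) > 0 ? " where ".implode(" and ", $where)." " : "";`, placed before the limit/offset clause; that assembly sits outside this hunk. Since the visible prepare()/execute() binds no parameters, the filter values appear to be embedded in the string, and moving them to bound placeholders would make both the "where and" patch and the reliance on check_sql() unnecessary. Which of the two str_replace lines is the added one is not recoverable from this rendering, and the enclosing else-block starts outside the hunk.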