From ff4f7c577802c6904cc3ed7bca250ec192bc47c6 Mon Sep 17 00:00:00 2001
From: Mian Muhammad Imran Shah
Date: Sat, 4 Sep 2021 19:11:41 +0500
Subject: [PATCH] XSS Fixed
---
 application/controllers/Employees.php | 158 ++++++++++++++++++--------
 1 file changed, 108 insertions(+), 50 deletions(-)
diff --git a/application/controllers/Employees.php b/application/controllers/Employees.php
index 021ca86..32f8b62 100644
--- a/application/controllers/Employees.php
+++ b/application/controllers/Employees.php
@@ -34,6 +34,10 @@ public function __construct()
 // A view function for add new employee
 public function add_employee()
 {
+ $group_id = $this->session->userdata("group_id");
+ if ($group_id != 1) {
+ $Page = $this->General->check_url_permission_single();
+ }
 $this->header();
 $this->load->view('employee/add_employee');
@@ -44,6 +48,10 @@ public function add_employee()
 // Adding new employees
 public function insert_employee()
 {
+ $group_id = $this->session->userdata("group_id");
+ if ($group_id != 1) {
+ $Page = $this->General->check_url_permission_single();
+ }
 $uploaddir = "uploads/images/";
 if ($_FILES['file_picture']['name'] != '') {
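Review bot: The new guard in add_employee stores the result of `check_url_permission_single()` in `$Page` and never reads it, so unless that helper itself redirects or exits on a failed check (not visible here) a user whose group_id is not 1 still reaches `$this->load->view('employee/add_employee')`. If the helper returns a verdict the guard has to act on it, e.g. `if ($group_id != 1 && !$this->General->check_url_permission_single()) { show_error('Forbidden', 403); }`, and the same applies to the identical blocks added to insert_employee, update_employee, employee_list and edit_employee in the later hunks. The block is also copy-pasted five times while employee_detail gets none; a single private helper, or performing the check once in `__construct` (the hunk's context function), would keep every action of this controller consistently protected.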
@@ -78,56 +86,85 @@ public function insert_employee() } + $this->load->library('form_validation'); extract($_POST); + $this->form_validation->set_rules('EMP_NAME', 'Employee Name', 'trim|required|min_length[5]|max_length[12]'); + if ($this->form_validation->run() == FALSE) { + $this->session->set_flashdata('error', 'Invalid Input'); + redirect(base_url() . 'index.php/Employees/add_employee'); + } else { + $this->load->model('Main_model'); + $record = $this->Main_model->fetch_maxid("employee_profile"); + foreach ($record as $record) { - $this->load->model('Main_model'); - $record = $this->Main_model->fetch_maxid("employee_profile"); - foreach ($record as $record) { + $Maxtype = $record->EMP_ID; + } + $EMP_ID = $Maxtype + 1; + $user_id = $this->session->userdata('user_id'); + $data = array( + 'EMP_ID' => $EMP_ID, + 'EMP_NAME' => $this->security->xss_clean($emp_name), + 'EMP_EMAIL' => $this->security->xss_clean($fname), + 'EMP_ADDRESS' => $this->security->xss_clean($curr_address), + 'EMP_GENDER' => $per_address, + 'EMP_PHONE' => $this->security->xss_clean($contact_no), + 'EMP_CELL' => $this->security->xss_clean($mobile_no), + 'EMP_DATE' => date('Y-m-d'), + 'CREATED_DATE' => date('Y-m-d'), + 'CREATED_USERID' => $user_id - $Maxtype = $record->EMP_ID; - } - $EMP_ID = $Maxtype + 1; - $user_id = $this->session->userdata('user_id'); - $data = array( - 'EMP_ID' => $EMP_ID, - 'EMP_NAME' => $emp_name, - 'EMP_EMAIL' => $fname, - 'EMP_ADDRESS' => $curr_address, - 'EMP_GENDER' => $per_address, - 'EMP_PHONE' => $contact_no, - 'EMP_CELL' => $mobile_no, - 'EMP_DATE' => date('Y-m-d'), - 'CREATED_DATE' => date('Y-m-d'), - 'CREATED_USERID' => $user_id - - ); - if ($picture != '') { - - $data['EMP_PIC'] = $picture; - } + ); + if ($picture != '') { - $this->db->insert('employee_profile', $data); - $this->session->set_flashdata('msg', '
+ $data['EMP_PIC'] = $picture; + } + + + $this->db->insert('employee_profile', $data); + $this->session->set_flashdata('msg', '
Record added Successfully..!
'); - redirect(base_url() . 'index.php/employees/employee_list'); + redirect(base_url() . 'index.php/employees/employee_list'); + } } // Updating employee information public function update_employee() { + $group_id = $this->session->userdata("group_id"); + if ($group_id != 1) { + $Page = $this->General->check_url_permission_single(); + } extract($_POST); - $uploaddir = "uploads/images/"; if ($_FILES['file_picture']['name'] != '') { - $picture = ''; + // exit; + $data_upload = $uploaddir . basename($_FILES['file_picture']['name']); + $imageFileType = strtolower(pathinfo($data_upload, PATHINFO_EXTENSION)); + //exit; + // Allow certain file formats + if ( + $imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg" + && $imageFileType != "gif" + ) { + $this->session->set_flashdata('msg', '
+ + Sorry, only JPG, JPEG, PNG & GIF files are allowed. +
'); + //echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed."; + $uploadOk = 0; + redirect(base_url() . 'index.php/employees/add_employee'); + } if (move_uploaded_file($_FILES['file_picture']['tmp_name'], $data_upload)) { $picture = $data_upload; @@ -138,27 +175,38 @@ public function update_employee() $picture = ''; } - $user_id = $this->session->userdata('user_id'); - $data = array( - 'EMP_NAME' => $emp_name, - 'EMP_EMAIL' => $emp_email, - 'EMP_ADDRESS' => $caddress, - 'EMP_GENDER' => $emp_gender, - 'EMP_PHONE' => $emp_phone, - 'EMP_CELL' => $emp_cell, - 'EMP_DATE' => date('Y-m-d'), - 'CREATED_DATE' => date('Y-m-d'), - 'CREATED_USERID' => $user_id - - ); - if ($picture != '') { - - $data['EMP_PIC'] = $picture; - } - $where = array('EMP_ID' => $emp_id); - $this->db->update('employee_profile', $data, $where); - $this->session->set_flashdata('msg', '
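Review bot: update_employee no longer assigns `$uploaddir` (the line `$uploaddir = "uploads/images/";` is removed) yet the new `$data_upload = $uploaddir . basename(...)` still uses it immediately after the context line `extract($_POST)`, so the destination handed to `move_uploaded_file` is now either undefined or whatever the request supplies under that key; restore `$uploaddir = "uploads/images/";` before the `$_FILES` check and preferably move the `extract($_POST)` below the upload handling. In insert_employee the new rule `set_rules('EMP_NAME', ...)` names a field the rest of the method reads as `$emp_name` from `$_POST`, so unless the form also posts `EMP_NAME` the `required` rule fails on every submission and the insert never runs. The `xss_clean()` calls sanitise values on the way into the database while `$per_address` (stored as EMP_GENDER) and the upload path are stored raw; the consistent defence is escaping at output in the views with `html_escape()`, keeping `xss_clean` as defence in depth. The extension allow-list added to update_employee trusts the client-supplied file name, so the upload library's `allowed_types`/`encrypt_name` (or `getimagesize()` on the temp file) would be the more robust check, `$uploadOk = 0` is never read, and the failure redirect goes to add_employee rather than the edit form. update_employee continues in the next hunk.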
+ $this->load->library('form_validation'); + extract($_POST); + $this->form_validation->set_rules('category_name', 'Category Name', 'trim|required|min_length[5]|max_length[12]'); + if ($this->form_validation->run() == FALSE) { + $this->session->set_flashdata('error', 'Invalid Input'); + redirect(base_url() . 'index.php/category/list_category'); + } else { + + + $user_id = $this->session->userdata('user_id'); + $data = array( + 'EMP_ID' => $EMP_ID, + 'EMP_NAME' => $this->security->xss_clean($emp_name), + 'EMP_EMAIL' => $this->security->xss_clean($emp_email), + 'EMP_ADDRESS' => $this->security->xss_clean($caddress), + 'EMP_GENDER' => $emp_gender, + 'EMP_PHONE' => $this->security->xss_clean($emp_phone), + 'EMP_CELL' => $this->security->xss_clean($emp_cell), + 'EMP_DATE' => date('Y-m-d'), + 'CREATED_DATE' => date('Y-m-d'), + 'CREATED_USERID' => $user_id + + ); + if ($picture != '') { + + $data['EMP_PIC'] = $picture; + } + + $where = array('EMP_ID' => $emp_id); + $this->db->update('employee_profile', $data, $where); + $this->session->set_flashdata('msg', '
'); - redirect(base_url() . 'index.php/employees/employee_list'); + redirect(base_url() . 'index.php/employees/employee_list'); + } } // List of all employees public function employee_list() { + $group_id = $this->session->userdata("group_id"); + if ($group_id != 1) { + $Page = $this->General->check_url_permission_single(); + } $data['employees'] = $this->General->fetch_records("employee_profile"); $this->header($title = 'Employees List'); $this->load->view('employee/employee_list', $data); @@ -180,6 +233,7 @@ public function employee_list() // Employee details public function employee_detail() { + $id = $this->uri->segment(3); $where = array('EMP_ID' => $id); $this->header(); @@ -190,6 +244,10 @@ public function employee_detail() // Edit employee form public function edit_employee($id) { + $group_id = $this->session->userdata("group_id"); + if ($group_id != 1) { + $Page = $this->General->check_url_permission_single(); + } $data['record'] = $this->General->select_where('employee_profile', array('EMP_ID' => $id)); $this->header(); $this->load->view('employee/edit_employee', $data);
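Review bot: The validation added to update_employee sets a rule on `category_name` and on failure redirects to `index.php/category/list_category`, which looks copied from a category controller; the rest of the method reads `$emp_name` from `$_POST`, so `required` fails on every update and the user lands in the wrong controller. Replace it with `$this->form_validation->set_rules('emp_name', 'Employee Name', 'trim|required|min_length[5]|max_length[12]');` and redirect back to the edit form on failure. The update array now also contains `'EMP_ID' => $EMP_ID`, a variable this method never assigns (the where clause uses `$emp_id`), so after `extract($_POST)` it is either undefined or request-controlled and the row's primary key could be rewritten by the update; drop that entry and leave EMP_ID in the where clause only. `extract($_POST)` is also called a second time here although it already ran at the top of the method in the previous hunk. The group-id guard added to employee_list has the same unchecked `$Page` result as the one in add_employee.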