diff --git a/src/EcclesiaCRM/APIControllers/PeopleGroupController.php b/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
index a0819307f8..b3064e6359 100644
--- a/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
+++ b/src/EcclesiaCRM/APIControllers/PeopleGroupController.php
@@ -140,8 +140,9 @@ public function addressBook (ServerRequestInterface $request, ResponseInterface
     public function searchGroup(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface
     {
         $query = $args['query'];
-        $searchLikeString = '%'.$query.'%';
+        $query = filter_var($query, FILTER_SANITIZE_STRING);
+        $searchLikeString = '%'.$query.'%';
         $groups = GroupQuery::create()
             ->filterByName($searchLikeString, Criteria::LIKE)
diff --git a/src/EcclesiaCRM/APIControllers/SearchController.php b/src/EcclesiaCRM/APIControllers/SearchController.php
index cc8170d60e..727e2f4110 100644
--- a/src/EcclesiaCRM/APIControllers/SearchController.php
+++ b/src/EcclesiaCRM/APIControllers/SearchController.php
@@ -49,6 +49,9 @@ public function getSearchResult (ServerRequestInterface $request, ResponseInterf
         $req = (object)$request->getParsedBody();
         $query = $req->SearchTerm;
+
+        $query = filter_var($query, FILTER_SANITIZE_STRING);
+
         $query_elements = $req->Elements;
         $group_elements = $req->GroupElements;
         $group_role_elements = $req->GroupRoleElements;
diff --git a/src/EcclesiaCRM/Service/FinancialService.php b/src/EcclesiaCRM/Service/FinancialService.php
index f4e0ec52c7..37d6aeb319 100644
--- a/src/EcclesiaCRM/Service/FinancialService.php
+++ b/src/EcclesiaCRM/Service/FinancialService.php
@@ -392,6 +392,8 @@ public function getPayments($depID)
     public function searchDeposits($searchTerm)
     {
+        $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
         MiscUtils::requireUserGroupMembership('bFinance');
         $fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type FROM deposit_dep 
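Review bot: FILTER_SANITIZE_STRING, added in searchGroup here and likewise in getSearchResult, searchDeposits, searchPayments and PersonService::search, is deprecated as of PHP 8.1 and is not the right control for a search term: it strips everything from an unclosed `<` onward and HTML-encodes quotes, so a lookup for a name containing an apostrophe silently searches for `&#39;` and finds nothing. The Propel `filterByName($searchLikeString, Criteria::LIKE)` call below already binds the value as a query parameter, so the sanitizer adds no SQL-injection protection there, and escaping for HTML belongs at the point where the value is rendered, not at input. A non-lossy guard is a type check, e.g. `$query = is_string($args['query']) ? $args['query'] : '';`, which also avoids filter_var() returning `false` for a non-string and the LIKE pattern degrading to `%%`. If `%` and `_` are not meant to be user-controllable wildcards, escape them before wrapping the term.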
@@ -421,6 +423,8 @@ public function searchDeposits($searchTerm)
     public function searchPayments($searchTerm)
     {
+        $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
         MiscUtils::requireUserGroupMembership('bFinance');
         $fetch = 'SELECT dep_ID, dep_Comment, dep_Date, dep_EnteredBy, dep_Type, plg_FamID, plg_amount, plg_CheckNo, plg_plgID, plg_GroupKey FROM deposit_dep
diff --git a/src/EcclesiaCRM/Service/PersonService.php b/src/EcclesiaCRM/Service/PersonService.php
index 338ce6a008..21d47d061d 100644
--- a/src/EcclesiaCRM/Service/PersonService.php
+++ b/src/EcclesiaCRM/Service/PersonService.php
@@ -14,14 +14,17 @@ class PersonService
 {
-    public function search($searchTerm, $includeFamilyRole=true)
+    public function search($searchTerm, $includeFamilyRole = true)
     {
-        $searchLikeString = '%'.$searchTerm.'%';
+        $searchTerm = filter_var($searchTerm, FILTER_SANITIZE_STRING);
+
+        $searchLikeString = '%' . $searchTerm . '%';
+
         $people = PersonQuery::create()->
-            filterByFirstName($searchLikeString, Criteria::LIKE)->
-            _or()->filterByLastName($searchLikeString, Criteria::LIKE)->
-            _or()->filterByEmail($searchLikeString, Criteria::LIKE)->
-            limit(15)->find();
+            filterByFirstName($searchLikeString, Criteria::LIKE)->
+            _or()->filterByLastName($searchLikeString, Criteria::LIKE)->
+            _or()->filterByEmail($searchLikeString, Criteria::LIKE)->
+            limit(15)->find();
         $return = [];
         foreach ($people as $person) {
             $values['id'] = $person->getId();
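Review bot: In searchPayments (and searchDeposits in the previous hunk) the term feeds a hand-built `$fetch` SQL string whose body continues past the hunk, and FILTER_SANITIZE_STRING must not be read as an SQL defence for it: by default it HTML-encodes quotes but leaves backslashes and LIKE wildcards untouched, and it is deprecated since PHP 8.1. If `$searchTerm` is concatenated into that query further down (not visible here), the fix is a placeholder bound through the Propel connection's prepare()/bindValue(); if it is already bound, the new line only degrades results by mangling quotes. The new statement also runs before `MiscUtils::requireUserGroupMembership('bFinance')`, so keeping the authorization check as the first statement of the method and moving the input handling below it would read more clearly. The body of searchPayments ends outside the hunk.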
@@ -58,43 +61,43 @@ public function search($searchTerm, $includeFamilyRole=true) public function getPeopleEmailsAndGroups() { $persons = PersonQuery::Create() - ->addJoin(PersonTableMap::COL_PER_ID,Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID,Criteria::LEFT_JOIN) - ->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID,GroupTableMap::COL_GRP_ID,Criteria::LEFT_JOIN) - ->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID,ListOptionTableMap::COL_LST_ID), - array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID,ListOptionTableMap::COL_LST_OPTIONID)), - Criteria::LEFT_JOIN) - ->addAsColumn("GroupName",GroupTableMap::COL_GRP_NAME) - ->addAsColumn("OptionName",ListOptionTableMap::COL_LST_OPTIONNAME) - ->filterByEmail('',Criteria::NOT_EQUAL) - ->_and()->filterByDateDeactivated (null) - ->orderById() - ->find(); + ->addJoin(PersonTableMap::COL_PER_ID, Person2group2roleP2g2rTableMap::COL_P2G2R_PER_ID, Criteria::LEFT_JOIN) + ->addJoin(Person2group2roleP2g2rTableMap::COL_P2G2R_GRP_ID, GroupTableMap::COL_GRP_ID, Criteria::LEFT_JOIN) + ->addMultipleJoin(array(array(GroupTableMap::COL_GRP_ROLELISTID, ListOptionTableMap::COL_LST_ID), + array(Person2group2roleP2g2rTableMap::COL_P2G2R_RLE_ID, ListOptionTableMap::COL_LST_OPTIONID)), + Criteria::LEFT_JOIN) + ->addAsColumn("GroupName", GroupTableMap::COL_GRP_NAME) + ->addAsColumn("OptionName", ListOptionTableMap::COL_LST_OPTIONNAME) + ->filterByEmail('', Criteria::NOT_EQUAL) + ->_and()->filterByDateDeactivated(null) + ->orderById() + ->find(); - $people = []; + $people = []; $lastPersonId = 0; - $per = []; + $per = []; foreach ($persons as $person) { - if ($lastPersonId != $person->getId()) { - if ($lastPersonId != 0) { - $people[] = $per; + if ($lastPersonId != $person->getId()) { + if ($lastPersonId != 0) { + $people[] = $per; + } + $per = []; + $per['id'] = $person->getId(); + $per['email'] = $person->getEmail(); + $per['firstName'] = $person->getFirstName(); + $per['lastName'] = $person->getLastName(); } - $per = 
[]; - $per['id'] = $person->getId(); - $per['email'] = $person->getEmail(); - $per['firstName'] = $person->getFirstName(); - $per['lastName'] = $person->getLastName(); - } - if (!is_null($person->getGroupName()) && !is_null($person->getOptionName()) ) { - $per[$person->getGroupName()] = _($person->getOptionName()); - } - - if ($lastPersonId != $person->getId()) { - $lastPersonId = $person->getId(); - } + if (!is_null($person->getGroupName()) && !is_null($person->getOptionName())) { + $per[$person->getGroupName()] = _($person->getOptionName()); + } + + if ($lastPersonId != $person->getId()) { + $lastPersonId = $person->getId(); + } } - $people[] = $per; + $people[] = $per; return $people; }