Security Update

core/ajax/ajax_call.php

@@ -28,7 +28,7 @@
         <label for="personFeedback">Feeback:</label>
         <textarea name="personFeedback" id="personFeedback" cols="30" rows="3" class="form-control" placeholder="Please enter feedback here"></textarea>
       </div>
-      <input type="hidden" name="personId" value="<?php echo $_GET["id"]; ?>">
+      <input type="hidden" name="personId" value="<?php echo safe_entities($_GET["id"]); ?>">
 
     </div>
     <!-- /Box body-->

core/ajax/ajax_data.php

@@ -171,8 +171,8 @@
 
     $warehouse_id = isset($_GET["warehouse_id"]) ? (int)safe_input($_GET["warehouse_id"]) : "";
     $customer_id = isset($_GET["cid"]) ? (int)safe_input($_GET["cid"]) : "";
-    $product_qnt = (isset($_GET["pqnt"]) and !empty($_GET["pqnt"])) ? $_GET["pqnt"] : get_options("defaultSaleQnt");
-    $packet = ( isset($_GET["packet"]) and !empty($_GET["packet"]) ) ? $_GET["packet"] : 0;
+    $product_qnt = (isset($_GET["pqnt"]) and !empty($_GET["pqnt"])) ? safe_entities($_GET["pqnt"]) : get_options("defaultSaleQnt");
+    $packet = ( isset($_GET["packet"]) and !empty($_GET["packet"]) ) ? safe_entities($_GET["packet"]) : 0;
 
     $customerType = "consumer";
     $selectCustomerType = easySelectA(array(
@@ -1711,4 +1711,111 @@
 
 }
 
+
+
+
+if(isset($_GET['page']) and $_GET['page'] == "salesOverviewChartData") {
+
+    $type = isset($_GET["type"]) ? $_GET["type"] : "daily";
+
+    if( $type === "weekly" ) {
+
+        $weeklySalesData = easySelectD("
+            SELECT
+                concat(date_format(db_date, '%D %M')) AS label,
+                if(sales_quantity is null, 0, sum(sales_quantity)) as sales_quantity
+            FROM time_dimension
+            LEFT JOIN (
+                SELECT 
+                    sales_delivery_date, 
+                    sum(sales_quantity) as sales_quantity 
+                FROM {$table_prefeix}sales 
+                WHERE is_trash = 0
+                GROUP BY sales_delivery_date
+            ) AS sales on sales_delivery_date = db_date
+            WHERE db_date BETWEEN NOW() - INTERVAL 30 WEEK AND NOW()
+            group by week(db_date)
+		");
+
+        $weeklySalesOverviewLabel = array();
+		$weeklySalesOverviewData = array();
+
+        if( $weeklySalesData !== false ) {
+
+            foreach($weeklySalesData["data"] as $sales ) {
+                array_push($weeklySalesOverviewLabel, $sales["label"] );
+                array_push($weeklySalesOverviewData, $sales["sales_quantity"] );
+            }
+
+        }
+
+
+        $weeklySalesData = array(
+            "labels" => $weeklySalesOverviewLabel,
+            "datasets" => array(
+                array(
+                    "label" => __("Weekly Sales"),
+                    "borderColor" => "green",
+                    "borderWidth"   => 2,
+                    "data"  => $weeklySalesOverviewData
+                )
+            )
+        );
+
+        echo json_encode($weeklySalesData);
+
+
+    } else {
+
+
+        /** Daily Sales Calculatin */
+
+        $dailySalesData = easySelectD("
+            SELECT
+                db_date AS label,
+                if(sales_quantity is null, 0, sales_quantity) as sales_quantity
+            FROM time_dimension
+            LEFT JOIN (
+                SELECT 
+                    sales_delivery_date, 
+                    sum(sales_quantity) as sales_quantity 
+                FROM {$table_prefeix}sales 
+                WHERE is_trash = 0
+                GROUP BY sales_delivery_date
+            ) AS sales on sales_delivery_date = db_date
+            WHERE db_date BETWEEN NOW() - INTERVAL 30 DAY AND NOW()
+		");
+
+        $dailySalesOverviewLabel = array();
+		$dailySalesOverviewData = array();
+
+        if( $dailySalesData !== false ) {
+
+            foreach($dailySalesData["data"] as $sales ) {
+                array_push($dailySalesOverviewLabel, $sales["label"] );
+                array_push($dailySalesOverviewData, $sales["sales_quantity"] );
+            }
+
+        }
+
+
+        $dailySalesData = array(
+            "labels" => $dailySalesOverviewLabel,
+            "datasets" => array(
+                array(
+                    "label" => __("Daily Sales"),
+                    "borderColor" => "green",
+                    "borderWidth"   => 2,
+                    "data"  => $dailySalesOverviewData
+                )
+            )
+        );
+
+        echo json_encode($dailySalesData);
+
+    }
+
+
+}
+
 ?>

core/ajax/ajax_pos.php

@@ -235,9 +235,9 @@
             (
                 '{$stock_type}',
                 '". safe_input($salesDate) ."',
-                '{$sales_id}',
+                '". safe_input($sales_id) ."',
                 '". safe_input($warehouseId) ."',
-                '". $getData["userShopId"] ."',
+                '". safe_input($getData["userShopId"]) ."',
                 '". safe_input($productId) ."',
                 '{$batchProduct["batch_id"]}',
                 '". safe_input($getData["productSalePirce"][$key]) ."',
@@ -286,9 +286,9 @@
         (
             '{$stock_type}',
             '". safe_input($salesDate) ."',
-            '{$sales_id}',
+            '". safe_input($sales_id) ."',
             '". safe_input($warehouseId) ."',
-            '". $getData["userShopId"] ."',
+            '". safe_input($getData["userShopId"]) ."',
             '". safe_input($productId) ."',
             ". ( empty($getData["productBatch"][$key]) ? "NULL" : "'". safe_input($getData["productBatch"][$key]) . "'" ) .",
             '". safe_input($getData["productSalePirce"][$key]) ."',
@@ -375,9 +375,9 @@
             (
                 '{$stock_type}',
                 '". safe_input($salesDate) ."',
-                '{$sales_id}',
+                '". safe_input($sales_id) ."',
                 '". safe_input($warehouseId) ."',
-                '". $getData["userShopId"] ."',
+                '". safe_input($getData["userShopId"]) ."',
                 '". $bp["bg_item_product_id"] ."',
                 NULL,
                 '". $bpItemSalePrice ."',