Navigation Menu

Skip to content

Commit

Permalink
Fix Security issue
Browse files Browse the repository at this point in the history
  • Loading branch information
@kmkalam24
kmkalam24 committed Apr 29, 2023
1 parent 1b426f5 commit e71c023
Show file tree
Hide file tree
Showing 14 changed files with 57 additions and 48 deletions.
2 changes: 1 addition & 1 deletion core/ajax/ajax_data.php
View file
Expand Up @@ -378,7 +378,7 @@
) as product_price on product_price.product_id = sub_product.product_id"
),
"where" => array(
"is_raw_materials = 0 and bg_product_id = {$product_id}"
"is_raw_materials = 0 and bg_product_id = '{$product_id}'"
)

));
Expand Down
2 changes: 1 addition & 1 deletion core/ajax/ajax_pos.php
View file
Expand Up @@ -306,7 +306,7 @@
"inner join {$table_prefix}bg_product_items as bg_product on bg_product_id = product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down
14 changes: 6 additions & 8 deletions core/functions.php
View file
Expand Up @@ -1876,7 +1876,7 @@ function getCustomerPaymentInfo_back(int $customer_id) {
sum(received_payments_bonus) as received_payments_bonus
from {$table_prefix}received_payments where is_trash = 0 group by received_payments_from
) as {$table_prefix}received_payments on customer_id = received_payments_from
where customer_id = {$customer_id}"
where customer_id = '{$customer_id}'"
);

}
Expand Down Expand Up @@ -2042,7 +2042,7 @@ function updateAccountBalance(int $accounts_id) {
where is_trash = 0
group by journal_records_accounts
) as journal_incoming_records on journal_incoming_records.journal_records_accounts = accounts_id
where accounts_id = {$accounts_id}"
where accounts_id = '{$accounts_id}'"
)["data"][0];


Expand Down Expand Up @@ -2090,7 +2090,7 @@ function getEmployeePayableAmount(int $emp_id, string $salary_type) {
from {$table_prefix}employees
left join ( select salary_emp_id, salary_type, sum(salary_amount) as salary_amount_sum from {$table_prefix}salaries where is_trash = 0 and salary_type='{$salary_type}' group by salary_emp_id ) as {$table_prefix}salaries on salary_emp_id = emp_id
left join ( select payment_items_employee, sum(payment_items_amount) as payment_items_amount_sum from {$table_prefix}payment_items where is_trash = 0 and payment_items_type='{$salary_type}' group by payment_items_employee ) as get_payments_items on payment_items_employee = emp_id
where emp_id = {$emp_id}
where emp_id = '{$emp_id}'
")["data"][0]["emp_payable_amount"];

// if salary type is salary then add the installment amount with payable amount
Expand Down Expand Up @@ -2425,12 +2425,10 @@ function send_sms($number, $msg) {

global $table_prefix;

//$url = "http://66.45.237.70/maskingapi.php";
$url = "http://66.45.237.70/api.php";
$url = "URL";
$data= array(
'username'=>"Royal",
'password'=>"CZXAPH@K8",
//'senderid'=> "The Royal",
'username'=>"username",
'password'=>"password",
'number'=>$number,
'message'=>$msg
);
Expand Down
10 changes: 8 additions & 2 deletions module/accounts/ajax.php
View file
Expand Up @@ -125,6 +125,7 @@

// List of all columns name
$columns = array(
"",
"accounts_name",
"accounts_type",
"accounts_balance",
Expand Down Expand Up @@ -446,7 +447,7 @@

<div class="form-group required">
<label for="transferAmount"><?= __("Amount:"); ?></label>
<input type="number" name="transferAmount" id="transferAmount" class="form-control" required>
<input type="number" min="0" name="transferAmount" id="transferAmount" class="form-control" required>
</div>
<div class="form-group">
<label for="transferDescription"><?= __("Description:"); ?></label>
Expand Down Expand Up @@ -492,6 +493,8 @@
return _e("Please enter transfer amount");
} else if( !negative_value_is_allowed($_POST["transferAcountsFrom"]) and $accounts_balance < $_POST["transferAmount"] ) {
return _e('Transfer amount is exceeded of account balance (%s)', number_format($accounts_balance, 2) );
} else if( $_POST["transferAmount"] < 0 ) {
return _e("Transfer amount can not be negative value.");
}

$insertTransfer = easyInsert(
Expand Down Expand Up @@ -854,7 +857,7 @@
</div>
<div class="form-group required">
<label for="capitalAmount"><?= __("Amount:"); ?></label>
<input type="number" name="capitalAmount" id="capitalAmount" class="form-control" required>
<input type="number" min="0" name="capitalAmount" id="capitalAmount" class="form-control" required>
</div>
<div class="form-group">
<label for="capitalDescription"><?= __("Description:"); ?></label>
Expand Down Expand Up @@ -885,6 +888,8 @@
return _e("Please select accounts");
} elseif(empty($_POST["capitalAmount"])) {
return _e("Please enter amount");
} elseif ( $_POST["capitalAmount"] < 0 ) {
return _e("Capital amount can not be a negative amount.");
}

$insertCapital = easyInsert(
Expand Down Expand Up @@ -1114,6 +1119,7 @@

// List of all columns name
$columns = array(
"",
"customer_name",
"closings_title",
"closings_date"
Expand Down
2 changes: 1 addition & 1 deletion module/accounts/closings.php
View file
Expand Up @@ -16,7 +16,7 @@

<!-- Box header -->
<div class="box-header">
<h3 class="box-title"><?= __("Capital List"); ?></h3>
<h3 class="box-title"><?= __("Closing List"); ?></h3>
<div class="printButtonPosition"></div>
</div>

Expand Down
29 changes: 16 additions & 13 deletions module/accounts/overview.php
View file
Expand Up @@ -80,7 +80,7 @@
) as get_bills on bills_date = db_date
where month(CURRENT_DATE) = month(db_date) and year(CURRENT_DATE) = year(db_date)
order by db_date ASC
")["data"];
");

$dates = array();
$incomes = array();
Expand All @@ -90,22 +90,25 @@
$profit = array();
$profitable = array();

// loop all data and push data into relavent array
foreach($overview as $key => $data) {
if( $overview !== false ) {

array_push($dates, $data["db_date"]);
array_push($incomes, $data["total_income"]);
array_push($receivable, $data["receivables_amount"]);
array_push($expence, $data["total_expence"]);
array_push($payable, ($data["payables_amount"]) < 0 ? 0 : $data["payables_amount"] );
// loop all data and push data into relavent array
foreach($overview["data"] as $key => $data) {

// Calculate Profit
$calculateProfit = $data["total_income"] - $data["total_expence"];

array_push($profit, $calculateProfit);
array_push($dates, $data["db_date"]);
array_push($incomes, $data["total_income"]);
array_push($receivable, $data["receivables_amount"]);
array_push($expence, $data["total_expence"]);
array_push($payable, ($data["payables_amount"]) < 0 ? 0 : $data["payables_amount"] );

}
// Calculate Profit
$calculateProfit = $data["total_income"] - $data["total_expence"];

array_push($profit, $calculateProfit);

}

}

?>

Expand Down
6 changes: 4 additions & 2 deletions module/customer-support/case-reply-view.php
View file
Expand Up @@ -266,7 +266,8 @@
"table" => "cases",
"fields" => "case_id, case_title, case_status",
"where" => array(
"is_trash = 0 and case_id != {$_GET["case_id"]} and case_person" => $case["case_person"]
"is_trash = 0 and case_id != '{$_GET["case_id"]}'",
" and case_person" => $case["case_person"]
),
"orderby" => array(
"case_id" => "DESC"
Expand Down Expand Up @@ -348,7 +349,8 @@
"table" => "cases",
"fields" => "case_id, case_title, case_status",
"where" => array(
"is_trash = 0 and case_id != {$_GET["case_id"]} and case_customer" => $case["case_customer"]
"is_trash = 0 and case_id != '{$_GET["case_id"]}'",
" and case_customer" => $case["case_customer"]
),
"orderby" => array(
"case_id" => "DESC"
Expand Down
10 changes: 5 additions & 5 deletions module/expenses/ajax.php
View file
Expand Up @@ -1558,12 +1558,12 @@ function (data, status) {
) as totalPaidAmount on loan_id = totalPaidAmount.loan_ids
left join (select
loan_ids, 1 as thisMonthInstallmentPayingStatus
from {$table_prefix}loan_installment where is_trash = 0 and MONTH(loan_installment_date) = {$month} and year(loan_installment_date) = {$year} group by loan_ids
from {$table_prefix}loan_installment where is_trash = 0 and MONTH(loan_installment_date) = '{$month}' and year(loan_installment_date) = '{$year}' group by loan_ids
) as thisMonthStatus on loan_id = thisMonthStatus.loan_ids
where loan.is_trash = 0 and loan_borrower = {$emp_id} and loan_installment_starting_from <= '{$year}-{$month}-01'
where loan.is_trash = 0 and loan_borrower = '{$emp_id}' and loan_installment_starting_from <= '{$year}-{$month}-01'
and ( loan_paid_amount is null or loan_paid_amount < loan_amount)"
// loan_paid_amount can be NULL on left join if there is no recrods, for that the is null check.
// We can also use HAVING cluese without using is null check. But it will raise a error with full_group_by mode.
// loan_paid_amount can be NULL on left join if there is no records, for that the is null check.
// We can also use HAVING clause without using is null check. But it will raise a error with full_group_by mode.
);

// Check if there any Loan Data Exists
Expand Down Expand Up @@ -3881,7 +3881,7 @@ function(data, status) {
left join ( select advance_payment_pay_to, sum(advance_payment_amount) as advance_payment_amount_sum from {$table_prefix}advance_payments where is_trash = 0 group by advance_payment_pay_to ) as get_advance_payments on advance_payment_pay_to = emp_id
left join ( select payment_to_employee, sum(payment_amount) as payment_amount_sum from {$table_prefix}payments where is_trash = 0 and payment_type = 'Advance Adjustment' group by payment_to_employee ) as get_payments on payment_to_employee = emp_id
left join ( select payments_return_emp_id, sum(payments_return_amount) as payments_return_amount_sum from {$table_prefix}payments_return where is_trash = 0 group by payments_return_emp_id ) as get_advance_return on payments_return_emp_id = emp_id
where emp_id = {$emp_id}"
where emp_id = '{$emp_id}'"
)["data"][0];

if( ( $_POST["returnableAdvancePaymentAmount"] + $getEmpAdvancePaymentData["advance_adjust_amount"] ) > $getEmpAdvancePaymentData["advance_paid_amount"] ) {
Expand Down
10 changes: 5 additions & 5 deletions module/loan-management/ajax.php
View file
Expand Up @@ -266,7 +266,7 @@
*
from {$table_prefix}loan as loan
left join {$table_prefix}employees on loan_borrower = emp_id
where loan.is_trash = 0 and loan_id = {$loan_id}
where loan.is_trash = 0 and loan_id = '{$loan_id}'
"
)["data"][0];

Expand Down Expand Up @@ -740,12 +740,12 @@ function (data, status) {
) as totalPaidAmount on loan_id = totalPaidAmount.loan_ids
left join (select
loan_ids, 1 as thisMonthInstallmentPayingStatus
from {$table_prefix}loan_installment where is_trash = 0 and MONTH(loan_installment_date) = {$month} and year(loan_installment_date) = {$year} group by loan_ids
from {$table_prefix}loan_installment where is_trash = 0 and MONTH(loan_installment_date) = '{$month}' and year(loan_installment_date) = '{$year}' group by loan_ids
) as thisMonthStatus on loan_id = thisMonthStatus.loan_ids
where loan.is_trash = 0 and loan_borrower = {$emp_id} and loan_installment_starting_from <= '{$year}-{$month}-01'
where loan.is_trash = 0 and loan_borrower = '{$emp_id}' and loan_installment_starting_from <= '{$year}-{$month}-01'
and ( loan_paid_amount is null or loan_paid_amount < loan_amount)"
// loan_paid_amount can be NULL on left join if there is no recrods, for that the is null check.
// We can also use HAVING cluese without using is null check. But it will raise a error with full_group_by mode.
// loan_paid_amount can be NULL on left join if there is no records, for that the is null check.
// We can also use HAVING clause without using is null check. But it will raise a error with full_group_by mode.
);

// Check if there any Loan Data Exists
Expand Down
2 changes: 1 addition & 1 deletion module/marketing/add-specimen-copy.php
View file
Expand Up @@ -126,7 +126,7 @@
"inner join {$table_prefix}bg_product_items as bg_product on bg_product_id = product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down
2 changes: 1 addition & 1 deletion module/marketing/edit-specimen-copy.php
View file
Expand Up @@ -135,7 +135,7 @@
"inner join {$table_prefix}bg_product_items as bg_product on bg_product_id = product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down
2 changes: 1 addition & 1 deletion module/marketing/new-sc-distribution.php
View file
Expand Up @@ -104,7 +104,7 @@
"inner join {$table_prefix}bg_product_items as bg_product on bg_product_id = product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down
2 changes: 1 addition & 1 deletion module/my-shop/shop-overview.php
View file
Expand Up @@ -29,7 +29,7 @@
payment_date,
sum(payment_amount) as payment_amount_sum
from {$table_prefix}payments
where payment_from = {$accountsId}
where payment_from = '{$accountsId}'
group by payment_date
) as get_payments on payment_date = db_date
where db_date = CURRENT_DATE
Expand Down
12 changes: 6 additions & 6 deletions module/stock-management/ajax.php
View file
Expand Up @@ -175,7 +175,7 @@
) as product_price on product_price.product_id = bg_item_product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down Expand Up @@ -511,7 +511,7 @@
) as product_price on product_price.product_id = bg_item_product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down Expand Up @@ -1118,7 +1118,7 @@
) as product_price on product_price.product_id = bg_item_product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down Expand Up @@ -1651,7 +1651,7 @@
"inner join {$table_prefix}bg_product_items as bg_product on bg_product_id = product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down Expand Up @@ -1973,7 +1973,7 @@
) as product_price on product_price.product_id = bg_item_product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down Expand Up @@ -3287,7 +3287,7 @@
"left join {$table_prefix}products as sub_product on sub_product.product_id = bg_item_product_id"
),
"where" => array(
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = {$productId}"
"( product.has_sub_product = 1 or product.product_type = 'Bundle' ) and bg_product.is_raw_materials = 0 and product.product_id = '{$productId}'"
)
));

Expand Down

0 comments on commit e71c023

Please sign in to comment.