From 8f4c124fcff5b3a731ac96596ab4da102edbe781 Mon Sep 17 00:00:00 2001
From: Nate
Date: Wed, 14 Aug 2019 13:38:18 -0600
Subject: [PATCH] Variables: Database class integration.
---
 app/vars/app_defaults.php | 358 ++++++++++++++++---------------------
 app/vars/var_delete.php | 32 ++--
 app/vars/var_edit.php | 144 ++++++---------
 app/vars/vars.php | 67 +++----
 app/vars/vars_textarea.php | 2 +-
 5 files changed, 266 insertions(+), 337 deletions(-)
diff --git a/app/vars/app_defaults.php b/app/vars/app_defaults.php
index adfb61f903..94ecec79ab 100644
--- a/app/vars/app_defaults.php
+++ b/app/vars/app_defaults.php
@@ -27,207 +27,166 @@ if ($domains_processed == 1) { //add the variables to the database - $sql = "select count(*) as num_rows from v_vars "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - if ($row['num_rows'] == 0) { - //get the xml - if (file_exists('/usr/share/examples/fusionpbx/resources/templates/conf/vars.xml')) { - $xml_file = '/usr/share/examples/fusionpbx/resources/templates/conf/vars.xml'; - } - elseif (file_exists('/usr/local/share/fusionpbx/resources/templates/conf/vars.xml')) { - $xml_file = '/usr/local/share/fusionpbx/resources/templates/conf/vars.xml'; - } - else { - $xml_file = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/resources/templates/conf/vars.xml'; - } + $sql = "select count(*) from v_vars "; + $database = new database; + $num_rows = $database->select($sql, null, 'column'); + unset($sql); - //load the xml and save it into an array - $xml_string = file_get_contents($xml_file); - $xml = simplexml_load_string($xml_string); - $json = json_encode($xml); - $variables = json_decode($json, true); - // - $x = 0; - foreach ($variables['X-PRE-PROCESS'] as $variable) { - $var_category = $variable['@attributes']['category']; - $data = explode('=', $variable['@attributes']['data']); - $var_name = $data[0]; - $var_value = $data[1]; - $var_command = $variable['@attributes']['cmd']; - $var_enabled = $variable['@attributes']['enabled']; - $var_order = ''; - $var_description = ''; + if ($num_rows == 0) { + //get the xml + if (file_exists('/usr/share/examples/fusionpbx/resources/templates/conf/vars.xml')) { + $xml_file = '/usr/share/examples/fusionpbx/resources/templates/conf/vars.xml'; + } + elseif (file_exists('/usr/local/share/fusionpbx/resources/templates/conf/vars.xml')) { + $xml_file = '/usr/local/share/fusionpbx/resources/templates/conf/vars.xml'; + } + else { + $xml_file = 
$_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/resources/templates/conf/vars.xml'; + } - $array['vars'][$x]['var_category'] = $var_category; - $array['vars'][$x]['var_uuid'] = uuid(); - $array['vars'][$x]['var_name'] = $var_name; - $array['vars'][$x]['var_value'] = $var_value; - $array['vars'][$x]['var_command'] = $var_command; - $array['vars'][$x]['var_enabled'] = $var_enabled; - $array['vars'][$x]['var_order'] = $var_order; - $array['vars'][$x]['var_description'] = $var_description; - $x++; - } + //load the xml and save it into an array + $xml_string = file_get_contents($xml_file); + $xml = simplexml_load_string($xml_string); + $json = json_encode($xml); + $variables = json_decode($json, true); + // + $x = 0; + foreach ($variables['X-PRE-PROCESS'] as $variable) { + $var_category = $variable['@attributes']['category']; + $data = explode('=', $variable['@attributes']['data']); + $var_name = $data[0]; + $var_value = $data[1]; + $var_command = $variable['@attributes']['cmd']; + $var_enabled = $variable['@attributes']['enabled']; + $var_order = ''; + $var_description = ''; - //add the dialplan permission - $p = new permissions; - $p->add("var_add", "temp"); - $p->add("var_edit", "temp"); + $array['vars'][$x]['var_category'] = $var_category; + $array['vars'][$x]['var_uuid'] = uuid(); + $array['vars'][$x]['var_name'] = $var_name; + $array['vars'][$x]['var_value'] = $var_value; + $array['vars'][$x]['var_command'] = $var_command; + $array['vars'][$x]['var_enabled'] = $var_enabled; + $array['vars'][$x]['var_order'] = $var_order; + $array['vars'][$x]['var_description'] = $var_description; + $x++; + } - //save to the data - $database = new database; - $database->app_name = 'vars'; - $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; - $database->save($array); - $message = $database->message; + //grant temporary permissions + $p = new permissions; + $p->add("var_add", "temp"); + $p->add("var_edit", "temp"); - //remove the temporary permission - $p->delete("var_add", 
"temp"); - $p->delete("var_edit", "temp"); - - } + //execute insert + $database = new database; + $database->app_name = 'vars'; + $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; + $database->save($array); + $message = $database->message; + + //revoke temporary permissions + $p->delete("var_add", "temp"); + $p->delete("var_edit", "temp"); } - // Set country depend variables as country code and international direct dialing code (exit code) + + //set country depend variables as country code and international direct dialing code (exit code) if (!function_exists('set_country_vars')) { function set_country_vars($db, $x) { require "resources/countries.php"; //$country_iso=$_SESSION['domain']['country']['iso_code']; - $sql = "select default_setting_value as value from v_default_settings "; + $sql = "select default_setting_value "; + $sql .= "from v_default_settings "; $sql .= "where default_setting_name = 'iso_code' "; $sql .= "and default_setting_category = 'domain' "; $sql .= "and default_setting_subcategory = 'country' "; $sql .= "and default_setting_enabled = 'true';"; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_ASSOC); - if ( count($result)> 0) { - $country_iso = $result[0]["value"]; - } - } - unset($prep_statement, $sql, $result); + $database = new database; + $country_iso = $database->select($sql, null, 'column'); + unset($sql); - if ( $country_iso===NULL ) { + if ($country_iso === null ) { return; } - if(isset($countries[$country_iso])){ + if (isset($countries[$country_iso])) { $country = $countries[$country_iso]; - // Set default Country ISO code - $sql = "select count(*) as num_rows from v_vars "; + //set default country iso code + $sql = "select count(*) from v_vars "; $sql .= "where var_name = 'default_country' "; $sql .= "and var_category = 'Defaults' "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - 
$prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - - if ($row['num_rows'] == 0) { - $sql = "insert into v_vars "; - $sql .= "("; - $sql .= "var_uuid, "; - $sql .= "var_name, "; - $sql .= "var_value, "; - $sql .= "var_category, "; - $sql .= "var_enabled, "; - $sql .= "var_order, "; - $sql .= "var_description "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'".uuid()."', "; - $sql .= "'default_country', "; - $sql .= "'".$country["isocode"]."', "; - $sql .= "'Defaults', "; - $sql .= "'true', "; - $sql .= "'".$x."', "; - $sql .= "'' "; - $sql .= ");"; - $db->exec(check_sql($sql)); - unset($sql, $row); - $x++; - } - } - unset($prep_statement, $sql); + $database = new database; + $num_rows = $database->select($sql, null, 'column'); + unset($sql); - //Set default Country code - $sql = "select count(*) as num_rows from v_vars "; + if ($num_rows == 0) { + $array['vars'][$x]['var_uuid'] = uuid(); + $array['vars'][$x]['var_name'] = 'default_country'; + $array['vars'][$x]['var_value'] = $country["isocode"]; + $array['vars'][$x]['var_category'] = 'Defaults'; + $array['vars'][$x]['var_enabled'] = 'true'; + $array['vars'][$x]['var_order'] = $x; + $array['vars'][$x]['var_description'] = null; + $x++; + } + unset($num_rows); + + //set default country code + $sql = "select count(*) from v_vars "; $sql .= "where var_name = 'default_countrycode' "; $sql .= "and var_category = 'Defaults' "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - if ($row['num_rows'] == 0) { - $sql = "insert into v_vars "; - $sql .= "("; - $sql .= "var_uuid, "; - $sql .= "var_name, "; - $sql .= "var_value, "; - $sql .= "var_category, "; - $sql .= "var_enabled, "; - $sql .= "var_order, "; - $sql .= "var_description "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'".uuid()."', "; - $sql .= "'default_countrycode', "; - $sql .= 
"'".$country["countrycode"]."', "; - $sql .= "'Defaults', "; - $sql .= "'true', "; - $sql .= "'".$x."', "; - $sql .= "'' "; - $sql .= ");"; - $db->exec(check_sql($sql)); - unset($sql, $row); - $x++; - } - } - unset($prep_statement, $sql); + $database = new database; + $num_rows = $database->select($sql, null, 'column'); + unset($sql); - // Set default International Direct Dialing code - $sql = "select count(*) as num_rows from v_vars "; + if ($num_rows == 0) { + $array['vars'][$x]['var_uuid'] = uuid(); + $array['vars'][$x]['var_name'] = 'default_countrycode'; + $array['vars'][$x]['var_value'] = $country["countrycode"]; + $array['vars'][$x]['var_category'] = 'Defaults'; + $array['vars'][$x]['var_enabled'] = 'true'; + $array['vars'][$x]['var_order'] = $x; + $array['vars'][$x]['var_description'] = null; + $x++; + } + unset($num_rows); + + //set default international direct dialing code + $sql = "select count(*) from v_vars "; $sql .= "where var_name = 'default_exitcode' "; $sql .= "and var_category = 'Defaults' "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - if ($row['num_rows'] == 0) { - $sql = "insert into v_vars "; - $sql .= "("; - $sql .= "var_uuid, "; - $sql .= "var_name, "; - $sql .= "var_value, "; - $sql .= "var_category, "; - $sql .= "var_enabled, "; - $sql .= "var_order, "; - $sql .= "var_description "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'".uuid()."', "; - $sql .= "'default_exitcode', "; - $sql .= "'".$country["exitcode"]."', "; - $sql .= "'Defaults', "; - $sql .= "'true', "; - $sql .= "'".$x."', "; - $sql .= "'' "; - $sql .= ");"; - $db->exec(check_sql($sql)); - unset($sql, $row); - $x++; - } + $database = new database; + $num_rows = $database->select($sql, null, 'column'); + unset($sql); + + if ($num_rows == 0) { + $array['vars'][$x]['var_uuid'] = uuid(); + $array['vars'][$x]['var_name'] = 'default_exitcode'; + 
$array['vars'][$x]['var_value'] = $country["exitcode"]; + $array['vars'][$x]['var_category'] = 'Defaults'; + $array['vars'][$x]['var_enabled'] = 'true'; + $array['vars'][$x]['var_order'] = $x; + $array['vars'][$x]['var_description'] = null; + $x++; } - unset($prep_statement, $sql, $countries); + unset($num_rows, $countries); + } + + if (is_array($array) && @sizeof($array) != 0) { + //grant temporary permissions + $p = new permissions; + $p->add("var_add", "temp"); + //execute inserts + $database = new database; + $database->app_name = 'vars'; + $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; + $database->save($array); + unset($array); + //revoke temporary permissions + $p->delete("var_add", "temp"); } } } 
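Review bot: The top-level insert block never clears `$array` after `$database->save($array)`, unlike the other save sites in this commit, so the rows loaded from vars.xml are still in it when the later `domain_uuid` hunk (@@ -239,43 +198,40 @@) assigns `$array['vars'][0][...]` in what appears to be the same scope. If both branches run in one pass, that second save would resubmit every vars.xml row, plus a first row that mixes the new `domain_uuid` fields with a stale `var_command`, while only `var_add` is temporarily granted. Add `unset($array);` after `$message = $database->message;`, or start the later block with `$array = [];`. The few lines between the two hunks are not shown, so confirm nothing there already resets it.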
@@ -239,43 +198,40 @@ if ($domains_processed == 1) { $sql = "update v_vars set "; $sql .= "var_enabled = 'false' "; $sql .= "where (var_name = 'domain' or var_name = 'domain_uuid') "; - $db->exec(check_sql($sql)); + $database = new database; + $database->execute($sql); unset($sql); } else { //set the domain_uuid - $sql = "select count(*) as num_rows from v_vars "; + $sql = "select count(*) from v_vars "; $sql .= "where var_name = 'domain_uuid' "; - $prep_statement = $db->prepare($sql); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - if ($row['num_rows'] == 0) { - $sql = "insert into v_vars "; - $sql .= "("; - $sql .= "var_uuid, "; - $sql .= "var_name, "; - $sql .= "var_value, "; - $sql .= "var_category, "; - $sql .= "var_enabled, "; - $sql .= "var_order, "; - $sql .= "var_description "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'".uuid()."', "; - $sql .= "'domain_uuid', "; - $sql .= "'".$domain_uuid."', "; - $sql .= "'Defaults', "; - $sql .= "'true', "; - $sql .= "'999', "; - $sql .= "'' "; - $sql .= ");"; - $db->exec(check_sql($sql)); - unset($sql); - } - unset($prep_statement, $row); + $database = new database; + $num_rows = $database->select($sql, null, 'column'); + unset($sql); + + if ($num_rows == 0) { + //build insert array + $array['vars'][0]['var_uuid'] = uuid(); + $array['vars'][0]['var_name'] = 'domain_uuid'; + $array['vars'][0]['var_value'] = $domain_uuid; + $array['vars'][0]['var_category'] = 'Defaults'; + $array['vars'][0]['var_enabled'] = 'true'; + $array['vars'][0]['var_order'] = 999; + $array['vars'][0]['var_description'] = null; + //grant temporary permissions + $p = new permissions; + $p->add("var_add", "temp"); + //execute inserts + $database = new database; + $database->app_name = 'vars'; + $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; + $database->save($array); + unset($array); + //revoke temporary permissions + $p->delete("var_add", "temp"); } + 
unset($num_rows); } //set country code variables @@ -285,4 +241,4 @@ if ($domains_processed == 1) { save_var_xml(); } -?> +?> \ No newline at end of file diff --git a/app/vars/var_delete.php b/app/vars/var_delete.php index 3949e76920..69019f40d1 100644 --- a/app/vars/var_delete.php +++ b/app/vars/var_delete.php @@ -42,26 +42,26 @@ $text = $language->get(); //get the id - if (count($_GET) > 0) { - $id = $_GET["id"]; - } + $var_uuid = $_GET["id"]; //delete the data - if (strlen($id) > 0 && is_uuid($id)) { - //delete the variable - $sql = "delete from v_vars "; - $sql .= "where var_uuid = '$id' "; - $prep_statement = $db->prepare(check_sql($sql)); - $prep_statement->execute(); - unset($sql); - + if (is_uuid($var_uuid)) { + //build array + $array['vars'][0]['var_uuid'] = $var_uuid; + //execute delete + $database = new database; + $database->app_name = 'vars'; + $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; + $database->delete($array); + unset($array); //rewrite the xml - save_var_xml(); + save_var_xml(); + //set message + message::add($text['message-delete']); } -//redirect the browser - message::add($text['message-delete']); +//redirect header("Location: vars.php"); - return; + exit; -?> +?> \ No newline at end of file diff --git a/app/vars/var_edit.php b/app/vars/var_edit.php index ccf429d220..bdf5a247e9 100644 --- a/app/vars/var_edit.php +++ b/app/vars/var_edit.php @@ -43,9 +43,9 @@ $text = $language->get(); //set the action as an add or an update - if (isset($_REQUEST["id"])) { + if (is_uuid($_REQUEST["id"]) { $action = "update"; - $var_uuid = check_str($_REQUEST["id"]); + $var_uuid = $_REQUEST["id"]; } else { $action = "add"; 
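Review bot: In var_delete.php the delete is still driven entirely by `$_GET["id"]`, and nothing in this hunk ties the request to a deliberate action by the logged-in user, so a cross-site request could trigger it. The first 41 lines of the file are outside the hunk, so a permission check may exist there, but no request-forgery check is visible. Consider accepting the delete only on POST and comparing a per-session token with `hash_equals()` before `$database->delete($array)`. Reading `$_GET["id"]` without `isset()` also raises a notice when the parameter is absent.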
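Review bot: The new condition `if (is_uuid($_REQUEST["id"]) {` in var_edit.php is missing a closing parenthesis, so the file will not parse and the edit page fails on every request. It should read `if (is_uuid($_REQUEST["id"])) {`. Running `php -l` over the changed files before merging would catch this.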
@@ -53,18 +53,18 @@ //set http values as php variables if (count($_POST) > 0) { - $var_category = check_str(trim($_POST["var_category"])); - $var_name = check_str(trim($_POST["var_name"])); - $var_value = check_str(trim($_POST["var_value"])); - $var_command = check_str(trim($_POST["var_command"])); - $var_hostname = check_str(trim($_POST["var_hostname"])); - $var_enabled = check_str(trim($_POST["var_enabled"])); - $var_order = check_str(trim($_POST["var_order"])); - $var_description = check_str(trim($_POST["var_description"])); + $var_category = trim($_POST["var_category"]); + $var_name = trim($_POST["var_name"]); + $var_value = trim($_POST["var_value"]); + $var_command = trim($_POST["var_command"]); + $var_hostname = trim($_POST["var_hostname"]); + $var_enabled = trim($_POST["var_enabled"]); + $var_order = trim($_POST["var_order"]); + $var_description = trim($_POST["var_description"]); $var_description = str_replace("''", "'", $var_description); if (strlen($_POST["var_category_other"]) > 0) { - $var_category = check_str(trim($_POST["var_category_other"])); + $var_category = trim($_POST["var_category_other"]); } } @@ -73,7 +73,7 @@ //get the uuid if ($action == "update") { - $var_uuid = check_str($_POST["var_uuid"]); + $var_uuid = $_POST["var_uuid"]; } //check for all required data 
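Review bot: With `check_str()` removed from every field, the unchanged line `$var_description = str_replace("''", "'", $var_description);` no longer undoes any escaping and now rewrites a description that legitimately contains two consecutive apostrophes. It looks like a leftover from the quote-doubling code and can probably be dropped. Removing the escaping is only safe if `database->save()` binds these values as parameters, which this diff does not show; that is worth confirming, since all of these fields come straight from `$_POST`.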
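Review bot: `$var_uuid = $_POST["var_uuid"];` now reaches the save array without any format check, while the `is_uuid()` test added earlier in this commit only covers `$_REQUEST["id"]`, which can differ from the posted field. Validate the value that is actually used, for example `if ($action == "update" && is_uuid($_POST["var_uuid"])) {`, and treat a failed check as an invalid request rather than continuing. The enclosing block starts and ends outside the hunk.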
@@ -100,71 +100,37 @@ //add or update the database if ($_POST["persistformvar"] != "true") { if ($action == "add" && permission_exists('var_add')) { - //insert the variable + //begin insert array $var_uuid = uuid(); - $sql = "insert into v_vars "; - $sql .= "("; - $sql .= "var_uuid, "; - $sql .= "var_category, "; - $sql .= "var_name, "; - $sql .= "var_value, "; - $sql .= "var_command, "; - $sql .= "var_hostname, "; - $sql .= "var_enabled, "; - $sql .= "var_order, "; - $sql .= "var_description "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'$var_uuid', "; - $sql .= "'$var_category', "; - $sql .= "'$var_name', "; - $sql .= "'$var_value', "; - $sql .= "'$var_command', "; - if (strlen($var_hostname) > 0) { - $sql .= "'$var_hostname', "; - } - else { - $sql .= "null, "; - } - $sql .= "'$var_enabled', "; - $sql .= "'$var_order', "; - $sql .= "'".base64_encode($var_description)."' "; - $sql .= ")"; - $db->exec(check_sql($sql)); - unset($sql); - - //unset the user defined variables - $_SESSION["user_defined_variables"] = ""; - - //synchronize the configuration - save_var_xml(); - - //set the message and redirect the user + $array['vars'][0]['var_uuid'] = $var_uuid; + //set message message::add($text['message-add']); - header("Location: vars.php"); - return; - } //if ($action == "add") + } if ($action == "update" && permission_exists('var_edit')) { - //update the variables - $sql = "update v_vars set "; - $sql .= "var_category = '$var_category', "; - $sql .= "var_name = '$var_name', "; - $sql .= "var_value = '$var_value', "; - $sql .= "var_command = '$var_command', "; - if (strlen($var_hostname) > 0) { - $sql .= "var_hostname = '$var_hostname', "; - } - else { - $sql .= "var_hostname = null, "; - } - $sql .= "var_enabled = '$var_enabled', "; - $sql .= "var_order = '$var_order', "; - $sql .= "var_description = '".base64_encode($var_description)."' "; - $sql .= "where var_uuid = '$var_uuid' "; - $db->exec(check_sql($sql)); - unset($sql); + //begin update 
array + $array['vars'][0]['var_uuid'] = $var_uuid; + //set message + message::add($text['message-update']); + } + + if (is_array($array) && @sizeof($array) != 0) { + //add common fields to array + $array['vars'][0]['var_category'] = $var_category; + $array['vars'][0]['var_name'] = $var_name; + $array['vars'][0]['var_value'] = $var_value; + $array['vars'][0]['var_command'] = $var_command; + $array['vars'][0]['var_hostname'] = $var_hostname != '' ? $var_hostname : null; + $array['vars'][0]['var_enabled'] = $var_enabled; + $array['vars'][0]['var_order'] = $var_order; + $array['vars'][0]['var_description'] = base64_encode($var_description); + + //execute insert/update + $database = new database; + $database->app_name = 'vars'; + $database->app_uuid = '54e08402-c1b8-0a9d-a30a-f569fc174dd8'; + $database->save($array); + unset($array); //unset the user defined variables $_SESSION["user_defined_variables"] = ""; 
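Review bot: `message::add($text['message-add'])` and `message::add($text['message-update'])` are queued before `$database->save($array)` runs, and the outcome of the save is never inspected, so the user is told the change succeeded even if the write is rejected. Move the message after the save and pick the text from `$action`; whether `save()` reports failure through a return value or `$database->message` is not visible here, so check the class. `$array` is also tested with `is_array($array)` without being initialised, which raises a notice when neither permission branch runs; an `$array = [];` before the two `if` blocks avoids that.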
@@ -172,23 +138,23 @@ //synchronize the configuration save_var_xml(); - //set the message and redirect the user - message::add($text['message-update']); + //redirect header("Location: vars.php"); - return; - } //if ($action == "update") - } //if ($_POST["persistformvar"] != "true") - } //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) + exit; + } + } + + } //pre-populate the form - if (is_array($_GET) && $_POST["persistformvar"] != "true") { + if (is_array($_GET) && is_uuid($_GET["id"]) && $_POST["persistformvar"] != "true") { $var_uuid = $_GET["id"]; $sql = "select * from v_vars "; - $sql .= "where var_uuid = '$var_uuid' "; - $prep_statement = $db->prepare(check_sql($sql)); - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); - foreach ($result as &$row) { + $sql .= "where var_uuid = :var_uuid "; + $parameters['something'] = $var_uuid; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + if (is_array($row) && @sizeof($row) != 0) { $var_category = $row["var_category"]; $var_name = $row["var_name"]; $var_value = $row["var_value"]; @@ -198,7 +164,7 @@ $var_order = $row["var_order"]; $var_description = base64_decode($row["var_description"]); } - unset ($prep_statement); + unset($sql, $parameters); } //include header @@ -326,8 +292,8 @@ echo "\n"; echo "\n"; echo "
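Review bot: The pre-populate query binds the wrong key: the statement uses the placeholder `:var_uuid`, but the value is stored as `$parameters['something']`, so the placeholder is left unbound and the select will most likely fail or return nothing, leaving the edit form empty. Change it to `$parameters['var_uuid'] = $var_uuid;`. The failure would be silent here because the code only checks `is_array($row)`, so it is worth loading an existing variable in the form to confirm the fix.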