Messages: Database class integration.

2019-08-09 09:57:13 -06:00 · 2019-08-09 09:57:13 -06:00 · 9df6a8a2bf
parent 5a46d98da6
commit 9df6a8a2bf
10 changed files with 290 additions and 301 deletions
--- a/app/messages/app_defaults.php
+++ b/app/messages/app_defaults.php
@ -33,7 +33,8 @@ if ($domains_processed == 1) {
 	$sql .= "where default_setting_category = 'message' ";
 	$sql .= "and default_setting_subcategory = 'http_auth_password' ";
 	$sql .= "and default_setting_name = 'array' ";
-	$db->exec($sql);
+	$database = new database;
 	$database->execute($sql);
 	unset($sql);
 	//update domain settings
@ -42,7 +43,8 @@ if ($domains_processed == 1) {
 	$sql .= "where domain_setting_category = 'message' ";
 	$sql .= "and domain_setting_subcategory = 'http_auth_password' ";
 	$sql .= "and domain_setting_name = 'array' ";
-	$db->exec($sql);
+	$database = new database;
 	$database->execute($sql);
 	unset($sql);
 }
--- a/app/messages/index.php
+++ b/app/messages/index.php
@ -29,43 +29,40 @@
 	require_once "resources/require.php";
 //default authorized to false
-	$authorized = 'false';
+	$authorized = false;
 //get the user settings
 	$sql = "select user_uuid, domain_uuid from v_user_settings ";
 	$sql .= "where user_setting_category = 'message' ";
 	$sql .= "and user_setting_subcategory = 'key' ";
-	$sql .= "and user_setting_value = :key ";
+	$sql .= "and user_setting_value = :user_setting_value ";
 	$sql .= "and user_setting_enabled = 'true' ";
-	$prep_statement = $db->prepare($sql);
+	$parameters['user_setting_value'] = $_GET['key'];
-	$prep_statement->bindParam(':key', $_GET['key']);
+	$database = new database;
-	if ($prep_statement) {
+	$row = $database->select($sql, $parameters, 'row');
-		$prep_statement->execute();
+	if (is_array($row) && @sizeof($row) != 0 && is_uuid($row['user_uuid'])) {
-		$row = $prep_statement->fetch(PDO::FETCH_NAMED);
+		$domain_uuid = $row['domain_uuid'];
-		if (is_uuid($row['user_uuid'])) {
+		$user_uuid = $row['user_uuid'];
-			$domain_uuid = $row['domain_uuid'];
+		$authorized = true;
 			$user_uuid = $row['user_uuid'];
 			$authorized = 'true';
 		}
 	}
 //authorization failed
-	if ($authorized == 'false') {
+	if (!$authorized) {
 		//log the failed auth attempt to the system, to be available for fail2ban.
-		openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
+			openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
-		syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_GET['key']);
+			syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$_GET['key']);
-		closelog();
+			closelog();
 		//send http 404
-		header("HTTP/1.0 404 Not Found");
+			header("HTTP/1.0 404 Not Found");
-		echo "<html>\n";
+			echo "<html>\n";
-		echo "<head><title>404 Not Found</title></head>\n";
+			echo "<head><title>404 Not Found</title></head>\n";
-		echo "<body bgcolor=\"white\">\n";
+			echo "<body bgcolor=\"white\">\n";
-		echo "<center><h1>404 Not Found</h1></center>\n";
+			echo "<center><h1>404 Not Found</h1></center>\n";
-		echo "<hr><center>nginx/1.12.1</center>\n";
+			echo "<hr><center>nginx/1.12.1</center>\n";
-		echo "</body>\n";
+			echo "</body>\n";
-		echo "</html>\n";
+			echo "</html>\n";
-		exit();
+			exit();
 	}
 //get the raw input data
@ -81,18 +78,13 @@
 	$sql = "select c.contact_uuid ";
 	$sql .= "from v_contacts as c, v_contact_phones as p ";
 	$sql .= "where p.contact_uuid = c.contact_uuid ";
-	//$sql .= "and p.phone_number = :phone_number ";
+	$sql .= "and p.phone_number = :phone_number ";
-	$sql .= "and p.phone_number = '".$phone_number."' ";
+	$sql .= "and c.domain_uuid = :domain_uuid ";
-	$sql .= "and c.domain_uuid = '".$domain_uuid."' ";
+	$parameters['phone_number'] = $phone_number;
-	$prep_statement = $db->prepare($sql);
+	$parameters['domain_uuid'] = $domain_uuid;
-	//$prep_statement->bindParam(':phone_number', $phone_number);
+	$database = new database;
-	$prep_statement->execute();
+	$contact_uuid = $database->select($sql, $parameters, 'column');
-	$row = $prep_statement->fetch(PDO::FETCH_NAMED);
+	unset($sql, $parameters);
 	$contact_uuid = $row['contact_uuid'];
 	//$contact_name_given = $row['contact_name_given'];
 	//$contact_name_family = $row['contact_name_family'];
 	//$contact_organization = $row['contact_organization'];
 //build message array
 	$message_uuid = uuid();
@ -109,6 +101,10 @@
 	$array['messages'][0]['message_text'] = $message['text'];
 	$array['messages'][0]['message_json'] = $json;
 //add the required permission
 	$p = new permissions;
 	$p->add("message_add", "temp");
 //build message media array (if necessary)
 	if (is_array($message['media'])) {
 		foreach($message['media'] as $index => $media_url) {
@ -123,18 +119,14 @@
 				$array['message_media'][$index]['message_media_content'] = base64_encode(file_get_contents($media_url));
 			}
 		}
 	}
-//add the required permission
+		$p->add("message_media_add", "temp");
-	$p = new permissions;
+	}
 	$p->add("message_add", "temp");
 	$p->add("message_media_add", "temp");
 //save message to the database
 	$database = new database;
 	$database->app_name = 'messages';
 	$database->app_uuid = '4a20815d-042c-47c8-85df-085333e79b87';
 	$database->uuid($message_uuid);
 	$database->save($array);
 	$result = $database->message;
@ -147,14 +139,17 @@
 //get the list of extensions using the user_uuid
 	$sql = "select * from v_domains as d, v_extensions as e ";
-	$sql .= "where extension_uuid in (select extension_uuid from v_extension_users where user_uuid = '".$user_uuid."') ";
+	$sql .= "where extension_uuid in ( ";
 	$sql .= "	select extension_uuid ";
 	$sql .= "	from v_extension_users ";
 	$sql .= "	where user_uuid = :user_uuid ";
 	$sql .= ") ";
 	$sql .= "and e.domain_uuid = d.domain_uuid ";
 	$sql .= "and e.enabled = 'true' ";
-	$prep_statement = $db->prepare($sql);
+	$parameters['user_uuid'] = $user_uuid;
-	if ($prep_statement) {
+	$database = new database;
-		$prep_statement->execute();
+	$extensions = $database->select($sql, $parameters, 'all');
-		$extensions = $prep_statement->fetchall(PDO::FETCH_NAMED);
+	unset($sql, $parameters);
 	}
 //create the event socket connection
 	if (is_array($extensions)) {
@ -162,7 +157,7 @@
 	}
 //send the sip message
-	if (is_array($extensions)) {
+	if (is_array($extensions) && @sizeof($extensions) != 0) {
 		foreach ($extensions as $row) {
 			$domain_name = $row['domain_name'];
 			$extension = $row['extension'];
@ -176,6 +171,7 @@
 			$response = event_socket_request($fp, "api log notice ".$command);
 		}
 	}
 	unset($extensions, $row);
 //set the file
 	//$file = '/tmp/sms.txt';
--- a/app/messages/message_delete.php
+++ b/app/messages/message_delete.php
@ -27,31 +27,43 @@
 //includes
 	require_once "root.php";
 	require_once "resources/require.php";
 	require_once "resources/check_auth.php";
 //check permissions
 	if (!permission_exists('message_delete')) {
 		echo "access denied";
 		exit;
 	}
 //add multi-lingual support
 	$language = new text;
 	$text = $language->get();
 //get the id
 	$message_uuids = $_REQUEST['messages'];
 //delete the message
-	message::add($text['message-delete']);
+	if (is_array($message_uuids) && @sizeof($message_uuids) != 0) {
 //delete the data
 	if (isset($_GET["id"]) && is_uuid($_GET["id"]) && permission_exists('message_delete')) {
 		//get the id
 			$id = check_str($_GET["id"]);
 		//delete message
-			$sql = "delete from v_messages ";
+			foreach ($message_uuids as $index => $message_uuid) {
-			$sql .= "where message_uuid = '$id' ";
+				$array['messages'][$index]['message_uuid'] = $message_uuid;
-			$sql .= "and domain_uuid = '$domain_uuid' ";
+				$array['messages'][$index]['domain_uuid'] = $domain_uuid;
-			$prep_statement = $db->prepare(check_sql($sql));
+			}
-			$prep_statement->execute();
+
-			unset($sql);
+			$database = new database;
 			$database->app_name = 'messages';
 			$database->app_uuid = '4a20815d-042c-47c8-85df-085333e79b87';
 			$database->delete($array);
 			unset($array);
 		//set message
 			message::add($text['message-delete']);
 		//redirect the user
 			header('Location: messages_log.php');
 	}
 //redirect the user
 	header('Location: messages_log.php');
 	exit;
 ?>
--- a/app/messages/message_edit.php
+++ b/app/messages/message_edit.php
@ -43,10 +43,9 @@
 	$text = $language->get();
 //action add or update
-	if (isset($_REQUEST["id"])) {
+	if (is_uuid($_REQUEST["id"])) {
 		$action = "update";
-		$message_uuid = check_str($_REQUEST["id"]);
+		$message_uuid = $_REQUEST["id"];
 		$id = check_str($_REQUEST["id"]);
 	}
 	else {
 		$action = "add";
@ -54,18 +53,18 @@
 //get http post variables and set them to php variables
 	if (is_array($_POST)) {
-		$message_uuid = check_str($_POST["message_uuid"]);
+		$message_uuid = $_POST["message_uuid"];
-		//$user_uuid = check_str($_POST["user_uuid"]);
+		//$user_uuid = $_POST["user_uuid"];
-		$message_type = check_str($_POST["message_type"]);
+		$message_type = $_POST["message_type"];
-		$message_direction = check_str($_POST["message_direction"]);
+		$message_direction = $_POST["message_direction"];
-		$message_date = check_str($_POST["message_date"]);
+		$message_date = $_POST["message_date"];
-		$message_from = check_str($_POST["message_from"]);
+		$message_from = $_POST["message_from"];
-		$message_to = check_str($_POST["message_to"]);
+		$message_to = $_POST["message_to"];
-		$message_text = check_str($_POST["message_text"]);
+		$message_text = $_POST["message_text"];
-		$message_media_type = check_str($_POST["message_media_type"]);
+		$message_media_type = $_POST["message_media_type"];
-		$message_media_url = check_str($_POST["message_media_url"]);
+		$message_media_url = $_POST["message_media_url"];
-		$message_media_content = check_str($_POST["message_media_content"]);
+		$message_media_content = $_POST["message_media_content"];
-		$message_json = check_str($_POST["message_json"]);
+		$message_json = $_POST["message_json"];
 	}
 //process the user data and save it to the database
@ -73,7 +72,7 @@
 		//get the uuid from the POST
 			if ($action == "update") {
-				$message_uuid = check_str($_POST["message_uuid"]);
+				$message_uuid = $_POST["message_uuid"];
 			}
 		//check for all required data
@ -106,7 +105,7 @@
 				$_POST["domain_uuid"] = $_SESSION["domain_uuid"];
 		//add the message_uuid
-			if (strlen($_POST["message_uuid"]) == 0) {
+			if (!is_uuid($_POST["message_uuid"])) {
 				$message_uuid = uuid();
 				$_POST["message_uuid"] = $message_uuid;
 			}
@ -117,18 +116,8 @@
 		//save to the data
 			$database = new database;
 			$database->app_name = 'messages';
-			$database->app_uuid = null;
+			$database->app_uuid = '4a20815d-042c-47c8-85df-085333e79b87';
 			if (strlen($message_uuid) > 0) {
 				$database->uuid($message_uuid);
 			}
 			$database->save($array);
 			$message = $database->message;
 		//debug info
 			//echo "<pre>";
 			//print_r($message);
 			//echo "</pre>";
 			//exit;
 		//redirect the user
 			if (isset($action)) {
@ -139,20 +128,19 @@
 					message::add($text['message-update']);
 				}
 				header('Location: message_edit.php?id='.$message_uuid);
-				return;
+				exit;
 			}
-	} //(is_array($_POST) && strlen($_POST["persistformvar"]) == 0)
+	}
 //pre-populate the form
 	if (is_array($_GET) && $_POST["persistformvar"] != "true") {
-		$message_uuid = check_str($_GET["id"]);
+		$message_uuid = $_GET["id"];
 		$sql = "select * from v_messages ";
-		$sql .= "where message_uuid = '$message_uuid' ";
+		$sql .= "where message_uuid = :message_uuid ";
-		//$sql .= "and domain_uuid = '$domain_uuid' ";
+		$parameters['message_uuid'] = $message_uuid;
-		$prep_statement = $db->prepare(check_sql($sql));
+		$database = new database;
-		$prep_statement->execute();
+		$row = $database->select($sql, $parameters, 'row');
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+		if (is_array($row) && @sizeof($row) != 0) {
 		foreach ($result as &$row) {
 			$user_uuid = $row["user_uuid"];
 			$message_type = $row["message_type"];
 			$message_direction = $row["message_direction"];
@ -165,28 +153,21 @@
 			$message_media_content = $row["message_media_content"];
 			$message_json = $row["message_json"];
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters);
 	}
 //show the header
 	require_once "resources/header.php";
 //get the extensions
 	$sql = "select * from v_users ";
 	$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
 	$sql .= "and user_enabled = 'true' ";
 	$prep_statement = $db->prepare(check_sql($sql));
 	$prep_statement->execute();
 	$users = $prep_statement->fetchAll(PDO::FETCH_NAMED);
 	unset ($prep_statement, $sql);
 //get the users
-	$sql = "SELECT user_uuid, username FROM v_users ";
+	$sql = "select user_uuid, username from v_users ";
-	$sql .= "WHERE domain_uuid = '".$_SESSION['domain_uuid']."' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
-	$sql .= "ORDER by username asc ";
+	$sql .= "and user_enabled = 'true' ";
-	$prep_statement = $db->prepare(check_sql($sql));
+	$sql .= "order by username asc ";
-	$prep_statement->execute();
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
-	$users = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$database = new database;
 	$users = $database->select($sql, $parameters, 'all');
 	unset($sql, $parameters);
 //show the content
 	echo "<form name='frm' id='frm' method='post' action=''>\n";
--- a/app/messages/message_media.php
+++ b/app/messages/message_media.php
@ -40,16 +40,19 @@
 //get media
 	if (is_uuid($message_media_uuid)) {
-		$sql = "select message_media_type, message_media_url, message_media_content from v_message_media ";
+		$sql = "select message_media_type, message_media_url, message_media_content ";
-		$sql .= "where message_media_uuid = '".$message_media_uuid."' ";
+		$sql .= "from v_message_media ";
 		$sql .= "where message_media_uuid = :message_media_uuid ";
 		if (is_uuid($_SESSION['user_uuid'])) {
-			$sql .= "and user_uuid = '".$_SESSION['user_uuid']."' ";
+			$sql .= "and user_uuid = :user_uuid ";
 			$parameters['user_uuid'] = $_SESSION['user_uuid'];
 		}
-		$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
+		$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
-		$prep_statement = $db->prepare(check_sql($sql));
+		$parameters['message_media_uuid'] = $message_media_uuid;
-		$prep_statement->execute();
+		$parameters['domain_uuid'] = $domain_uuid;
-		$media = $prep_statement->fetch(PDO::FETCH_NAMED);
+		$database = new database;
-		unset ($prep_statement, $sql);
+		$media = $database->select($sql, $parameters, 'row');
 		unset($sql, $parameters);
 		switch (strtolower($media['message_media_type'])) {
 			case 'jpg':
--- a/app/messages/message_send.php
+++ b/app/messages/message_send.php
@ -57,9 +57,9 @@
 //get http post variables and set them to php variables
 	if (is_array($_POST)) {
-		$message_from = check_str($_POST["message_from"]);
+		$message_from = $_POST["message_from"];
-		$message_to = check_str($_POST["message_to"]);
+		$message_to = $_POST["message_to"];
-		$message_text = check_str($_POST["message_text"]);
+		$message_text = $_POST["message_text"];
 		$message_media = $_FILES["message_media"];
 	}
@ -77,10 +77,8 @@
 					exit;
 			}
 		// handle media (if any)
-			if (is_array($message_media) && sizeof($message_media) != 0) {
+			if (is_array($message_media) && @sizeof($message_media) != 0) {
 				// reorganize media array, ignore errored files
 				$f = 0;
 				foreach ($message_media['error'] as $index => $error) {
@ -96,22 +94,19 @@
 				$message_media = $tmp_media;
 				unset($tmp_media, $f);
 			}
-			$message_type = is_array($message_media) && sizeof($message_media) != 0 ? 'mms' : 'sms';
+			$message_type = is_array($message_media) && @sizeof($message_media) != 0 ? 'mms' : 'sms';
 		//get the contact uuid
-			//$sql = "SELECT trim(c.contact_name_given || ' ' || c.contact_name_family || ' (' || c.contact_organization || ')') AS name, p.phone_number AS number ";
+			$sql = "select c.contact_uuid ";
-			$sql = "SELECT c.contact_uuid ";
+			$sql .= "from v_contacts as c, v_contact_phones as p ";
-			$sql .= "FROM v_contacts as c, v_contact_phones as p ";
+			$sql .= "where p.contact_uuid = c.contact_uuid ";
-			$sql .= "WHERE p.contact_uuid = c.contact_uuid ";
+			$sql .= "and p.phone_number like :phone_number ";
-			//$sql .= "and p.phone_number = :phone_number ";
+			$sql .= "and c.domain_uuid = :domain_uuid ";
-			$sql .= "and p.phone_number like '%".$phone_number."%' ";
+			$parameters['phone_number'] = '%'.$phone_number.'%';
-			$sql .= "and c.domain_uuid = '".$domain_uuid."' ";
+			$parameters['domain_uuid'] = $domain_uuid;
-			$prep_statement = $db->prepare($sql);
+			$database = new database;
-			//$prep_statement->bindParam(':phone_number', $phone_number);
+			$contact_uuid = $database->select($sql, $parameters, 'column');
-			$prep_statement->execute();
+			unset($sql, $parameters);
 			$row = $prep_statement->fetch(PDO::FETCH_NAMED);
 			$contact_uuid = $row['contact_uuid'];
 		//build the message array
 			$message_uuid = uuid();
@ -127,7 +122,8 @@
 			$array['messages'][0]['message_text'] = $message_text;
 		//build message media array (if necessary)
-			if (is_array($message_media)) {
+			$p = new permissions;
 			if (is_array($message_media) && @sizeof($message_media) != 0) {
 				foreach($message_media as $index => $media) {
 					$array['message_media'][$index]['message_media_uuid'] = $media['uuid'];
 					$array['message_media'][$index]['message_uuid'] = $message_uuid;
@ -137,19 +133,19 @@
 					$array['message_media'][$index]['message_media_url'] = $media['name'];
 					$array['message_media'][$index]['message_media_content'] = base64_encode(file_get_contents($media['tmp_name']));
 				}
 				$p->add('message_media_add', 'temp');
 			}
 		//save to the data
 			$database = new database;
 			$database->app_name = 'messages';
-			$database->app_uuid = null;
+			$database->app_uuid = '4a20815d-042c-47c8-85df-085333e79b87';
 			$database->uuid($message_uuid);
 			$database->save($array);
-			$message = $database->message;
+			unset($array);
 			unset($array, $message);
-		//debug info
+		//remove any temporary permissions
-			//echo "<pre>".print_r($message, true)."</pre>"; exit;
+			$p->delete('message_media_add', 'temp');
 		//santize the from
 			$message_from = preg_replace('{[\D]}', '', $message_from);
@ -157,12 +153,11 @@
 		//prepare message to send
 			$message['to'] = $message_to;
 			$message['text'] = $message_text;
-			if (is_array($message_media) && sizeof($message_media) != 0) {
+			if (is_array($message_media) && @sizeof($message_media) != 0) {
 				$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? 'https://' : 'http://';
 				foreach ($message_media as $index => $media) {
 					$path = $protocol.$_SERVER['HTTP_HOST'].'/app/messages/message_media.php?id='.$media['uuid'].'&action=download&.'.strtolower(pathinfo($media['name'], PATHINFO_EXTENSION));
 					$message['media'][] = $path;
 					//echo $path."<br><br>";
 				}
 			}
 			$http_content = json_encode($message);
@ -185,11 +180,9 @@
 				$headers[] = "Authorization: Basic ".base64_encode($http_auth_user.':'.$http_auth_password);
 			}
 			$response = http_request($http_destination, $http_method, $headers, $http_content);
 			//echo $http_content."<br><br>".$response;
 		//redirect the user
 			//$_SESSION["message"] = $text['message-sent'];
 			return true;
-	} //(is_array($_POST) && strlen($_POST["persistformvar"]) == 0)
+	}
 ?>
--- a/app/messages/messages.php
+++ b/app/messages/messages.php
@ -41,31 +41,33 @@
 //get (from) destinations
 	$sql = "select destination_number from v_destinations ";
-	$sql .= "where domain_uuid = '".$domain_uuid."' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	$sql .= "and destination_type_text = 1 ";
 	$sql .= "and destination_enabled = 'true' ";
 	$sql .= "order by destination_number asc ";
-	$prep_statement = $db->prepare(check_sql($sql));
+	$parameters['domain_uuid'] = $domain_uuid;
-	$prep_statement->execute();
+	$database = new database;
-	$rows = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$rows = $database->select($sql, $parameters, 'all');
-	//view_array($rows);
+	if (is_array($rows) && @sizeof($rows)) {
 	if (is_array($rows) && sizeof($rows)) {
 		foreach ($rows as $row) {
 			$destinations[] = $row['destination_number'];
 		}
 	}
-	unset ($prep_statement, $sql, $row, $record);
+	unset($sql, $parameters, $rows, $row);
 //get self (primary contact attachment) image
 	if (!is_array($_SESSION['tmp']['messages']['contact_me'])) {
-		$sql = "select attachment_filename as filename, attachment_content as image from v_contact_attachments ";
+		$sql = "select attachment_filename as filename, attachment_content as image ";
-		$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
+		$sql .= "from v_contact_attachments ";
-		$sql .= "and contact_uuid = '".$_SESSION['user']['contact_uuid']."' ";
+		$sql .= "where domain_uuid = :domain_uuid ";
 		$sql .= "and contact_uuid = :contact_uuid ";
 		$sql .= "and attachment_primary = 1 ";
-		$prep_statement = $db->prepare(check_sql($sql));
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
-		$prep_statement->execute();
+		$parameters['contact_uuid'] = $_SESSION['user']['contact_uuid'];
-		$_SESSION['tmp']['messages']['contact_me'] = $prep_statement->fetch(PDO::FETCH_NAMED);
+		$database = new database;
-		unset ($sql, $bind, $prep_statement);
+		$row = $database->select($sql, $parameters, 'row');
 		$_SESSION['tmp']['messages']['contact_me'] = $row;
 		unset($sql, $parameters, $row);
 	}
 //additional includes
--- a/app/messages/messages_contacts.php
+++ b/app/messages/messages_contacts.php
@ -47,27 +47,30 @@
 		$array = explode(' ',$_SESSION['message']['display_last']['text']);
 		if (is_array($array) && is_numeric($array[0]) && $array[0] > 0) {
 			if ($array[1] == 'messages') {
-				$limit = "limit ".$array[0]." offset 0 ";
+				$limit = limit_offset($array[0], 0);
 			}
 			else {
-				$since = "and message_date >= '".date("Y-m-d H:i:s", strtotime('-'.$_SESSION['message']['display_last']['text']))."' ";
+				$since = "and message_date >= :message_date ";
 				$parameters['message_date'] = date("Y-m-d H:i:s", strtotime('-'.$_SESSION['message']['display_last']['text']));
 			}
 		}
 	}
-	if ($limit == '' && $since == '') { $limit = "limit 25 offset 0"; } //default (message count)
+	if ($limit == '' && $since == '') { $limit = limit_offset(25, 0); } //default (message count)
-	$sql = "select message_direction, message_from, message_to, contact_uuid from v_messages ";
+	$sql = "select message_direction, message_from, message_to, contact_uuid ";
-	$sql .= "where user_uuid = '".$_SESSION['user_uuid']."' ";
+	$sql .= "from v_messages ";
-	$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
+	$sql .= "where user_uuid = :user_uuid ";
 	$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
 	$sql .= $since;
 	$sql .= "order by message_date desc ";
 	$sql .= $limit;
-	$prep_statement = $db->prepare(check_sql($sql));
+	$parameters['user_uuid'] = $_SESSION['user_uuid'];
-	$prep_statement->execute();
+	$parameters['domain_uuid'] = $domain_uuid;
-	$messages = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$database = new database;
-	unset ($prep_statement, $sql);
+	$messages = $database->select($sql, $parameters, 'all');
 	unset($sql, $parameters);
 //parse out numbers
-	if (is_array($messages) && sizeof($messages) != 0) {
+	if (is_array($messages) && @sizeof($messages) != 0) {
 		$numbers = [];
 		foreach($messages as $message) {
 			$number_from = preg_replace('{[\D]}', '', $message['message_from']);
@ -85,6 +88,7 @@
 			unset($number_from, $number_to);
 		}
 	}
 	unset($messages, $message);
 //get contact details, if uuid available
 	if (is_array($contact) && sizeof($contact) != 0) {
@ -93,18 +97,19 @@
 				$sql = "select c.contact_name_given, c.contact_name_family, ";
 				$sql .= "(select ce.email_address from v_contact_emails as ce where ce.contact_uuid = c.contact_uuid and ce.email_primary = 1) as contact_email ";
 				$sql .= "from v_contacts as c ";
-				$sql .= "where c.contact_uuid = '".$field['contact_uuid']."' ";
+				$sql .= "where c.contact_uuid = :contact_uuid ";
-				$sql .= "and (c.domain_uuid = '".$domain_uuid."' or c.domain_uuid is null) ";
+				$sql .= "and (c.domain_uuid = :domain_uuid or c.domain_uuid is null) ";
-				$prep_statement = $db->prepare(check_sql($sql));
+				$parameters['contact_uuid'] = $field['contact_uuid'];
-				$prep_statement->execute();
+				$parameters['domain_uuid'] = $domain_uuid;
-				$row = $prep_statement->fetch(PDO::FETCH_NAMED);
+				$database = new database;
-				if (is_array($row) && sizeof($row) != 0) {
+				$row = $database->select($sql, $parameters, 'row');
 				if (is_array($row) && @sizeof($row) != 0) {
 					$contact[$number]['contact_uuid'] = $field['contact_uuid'];
 					$contact[$number]['contact_name_given'] = $row['contact_name_given'];
 					$contact[$number]['contact_name_family'] = $row['contact_name_family'];
 					$contact[$number]['contact_email'] = $row['contact_email'];
 				}
-				unset($prep_statement, $sql);
+				unset($sql, $parameters, $row);
 			}
 			else {
 				unset($contact[$number]);
@ -114,51 +119,52 @@
 //get destinations and remove from numbers array
 	$sql = "select destination_number from v_destinations ";
-	$sql .= "where domain_uuid = '".$domain_uuid."' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	$sql .= "and destination_enabled = 'true' ";
 	$sql .= "order by destination_number asc ";
-	$prep_statement = $db->prepare(check_sql($sql));
+	$parameters['domain_uuid'] = $domain_uuid;
-	$prep_statement->execute();
+	$database = new database;
-	$rows = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$rows = $database->select($sql, $parameters, 'all');
-	if (is_array($rows) && sizeof($rows)) {
+	if (is_array($rows) && @sizeof($rows)) {
 		foreach ($rows as $row) {
 			$destinations[] = $row['destination_number'];
 		}
 	}
-	unset ($prep_statement, $sql, $row, $record);
+	unset($sql, $parameters, $rows, $row);
 	$numbers = array_diff($numbers, $destinations);
 //get contact (primary attachment) images and cache them
-	if (is_array($numbers) && sizeof($numbers) != 0) {
+	if (is_array($numbers) && @sizeof($numbers) != 0) {
 		foreach ($numbers as $number) {
 			$contact_uuids[] = $contact[$number]['contact_uuid'];
 		}
-		if (is_array($contact_uuids) && sizeof($contact_uuids) != 0) {
+		if (is_array($contact_uuids) && @sizeof($contact_uuids) != 0) {
-			$sql = "select contact_uuid as uuid, attachment_filename as filename, attachment_content as image from v_contact_attachments ";
+			$sql = "select contact_uuid as uuid, attachment_filename as filename, attachment_content as image ";
-			$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
+			$sql .= "from v_contact_attachments ";
-			$sql .= "and ( 0 = 1 ";
+			$sql .= "where domain_uuid = :domain_uuid ";
-			foreach ($contact_uuids as $contact_uuid) {
+			$sql .= "and (";
-				$sql .= "or contact_uuid = '".$contact_uuid."' ";
+			foreach ($contact_uuids as $index => $contact_uuid) {
 				$sql_where[] = "contact_uuid = :contact_uuid_".$index;
 				$parameters['contact_uuid_'.$index] = $contact_uuid;
 			}
 			$sql .= implode(' or ', $sql_where);
 			$sql .= ") ";
 			$sql .= "and attachment_primary = 1 ";
-			$prep_statement = $db->prepare(check_sql($sql));
+			$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
-			$prep_statement->execute();
+			$database = new database;
-			$contact_ems = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+			$contact_ems = $database->select($sql, $parameters, 'all');
-
+			if (is_array($contact_ems) && @sizeof($contact_ems) != 0) {
 			if (is_array($contact_ems) && sizeof($contact_ems) != 0) {
 				foreach ($contact_ems as $contact_em) {
 					$_SESSION['tmp']['messages']['contact_em'][$contact_em['uuid']]['filename'] = $contact_em['filename'];
 					$_SESSION['tmp']['messages']['contact_em'][$contact_em['uuid']]['image'] = $contact_em['image'];
 				}
 			}
 		}
-		unset($sql, $prep_statement, $contact_uuids, $contact_ems, $contact_em);
+		unset($sql, $sql_where, $parameters, $contact_uuids, $contact_ems, $contact_em);
 	}
 //contacts list
-	if (is_array($numbers) && sizeof($numbers) != 0) {
+	if (is_array($numbers) && @sizeof($numbers) != 0) {
 		echo "<table class='tr_hover' width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
 		foreach($numbers as $number) {
 			if ($current_contact != '' && $number == $current_contact) {
@ -206,7 +212,7 @@
 		echo "<script>\n";
 		foreach ($numbers as $number) {
-			if (is_array($_SESSION['tmp']['messages']['contact_em'][$contact[$number]['contact_uuid']]) && sizeof($_SESSION['tmp']['messages']['contact_em'][$contact[$number]['contact_uuid']]) != 0) {
+			if (is_array($_SESSION['tmp']['messages']['contact_em'][$contact[$number]['contact_uuid']]) && @sizeof($_SESSION['tmp']['messages']['contact_em'][$contact[$number]['contact_uuid']]) != 0) {
 				echo "$('img#contact_image_".$contact[$number]['contact_uuid']."').css('backgroundImage', 'url(' + $('img#src_message-bubble-image-em_".$contact[$number]['contact_uuid']."').attr('src') + ')');\n";
 			}
 		}
--- a/app/messages/messages_log.php
+++ b/app/messages/messages_log.php
@ -65,21 +65,22 @@
 	}
 //get variables used to control the order
-	$order_by = check_str($_GET["order_by"]);
+	$order_by = $_GET["order_by"];
-	$order = check_str($_GET["order"]);
+	$order = $_GET["order"];
 //add the search term
-	$search = strtolower(check_str($_GET["search"]));
+	$search = strtolower($_GET["search"]);
 	if (strlen($search) > 0) {
 		$sql_search = " (";
-		$sql_search .= "lower(message_type) like '%".$search."%' ";
+		$sql_search .= "lower(message_type) like :search ";
-		$sql_search .= "or lower(message_direction) like '%".$search."%' ";
+		$sql_search .= "or lower(message_direction) like :search ";
-		$sql_search .= "or lower(message_date) like '%".$search."%' ";
+		$sql_search .= "or lower(message_date) like :search ";
-		$sql_search .= "or lower(message_from) like '%".$search."%' ";
+		$sql_search .= "or lower(message_from) like :search ";
-		$sql_search .= "or lower(message_to) like '%".$search."%' ";
+		$sql_search .= "or lower(message_to) like :search ";
-		$sql_search .= "or lower(message_text) like '%".$search."%' ";
+		$sql_search .= "or lower(message_text) like :search ";
-		$sql_search .= "or lower(message_media_type) like '%".$search."%' ";
+		$sql_search .= "or lower(message_media_type) like :search ";
 		$sql_search .= ") ";
 		$parameters['search'] = '%'.$search.'%';
 	}
 //additional includes
@ -87,29 +88,23 @@
 	require_once "resources/paging.php";
 //prepare to page the results
-	$sql = "select count(message_uuid) as num_rows from v_messages ";
+	$sql = "select count(*) from v_messages ";
 	if ($_GET['show'] == "all" && permission_exists('message_all')) {
 		if (isset($sql_search)) {
 			$sql .= "where ".$sql_search;
 		}
-	} else {
+	}
-		$sql .= "where user_uuid = '".$_SESSION['user_uuid']."' ";
+	else {
-		$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
+		$sql .= "where user_uuid = :user_uuid ";
 		$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
 		if (isset($sql_search)) {
 			$sql .= "and ".$sql_search;
 		}
 		$parameters['user_uuid'] = $_SESSION['user_uuid'];
 		$parameters['domain_uuid'] = $domain_uuid;
 	}
-	$prep_statement = $db->prepare($sql);
+	$database = new database;
-	if ($prep_statement) {
+	$num_rows = $database->select($sql, $parameters, 'column');
 		$prep_statement->execute();
 		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
 		if ($row['num_rows'] > 0) {
 			$num_rows = $row['num_rows'];
 		}
 		else {
 			$num_rows = '0';
 		}
 	}
 //prepare to page the results
 	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
@ -123,24 +118,12 @@
 	$offset = $rows_per_page * $page;
 //get the list
-	$sql = "select * from v_messages ";
+	$sql = str_replace('count(*)', '*', $sql);
 	if ($_GET['show'] == "all" && permission_exists('message_all')) {
 		if (isset($sql_search)) {
 			$sql .= "where ".$sql_search;
 		}
 	} else {
 		$sql .= "where user_uuid = '".$_SESSION['user_uuid']."' ";
 		$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
 		if (isset($sql_search)) {
 				$sql .= "and ".$sql_search;
 		}
 	}
 	$sql .= "order by message_date desc ";
-	$sql .= "limit $rows_per_page offset $offset ";
+	$sql .= limit_offset($rows_per_page, $offset);
-	$prep_statement = $db->prepare(check_sql($sql));
+	$database = new database;
-	$prep_statement->execute();
+	$messages = $database->select($sql, $parameters, 'all');
-	$messages = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	unset($sql, $parameters);
 	unset ($prep_statement, $sql);
 //alternate the row style
 	$c = 0;
@ -174,12 +157,15 @@
 	if (permission_exists('message_all')) {
 		if ($_GET['show'] == 'all') {
-			echo "				<input type='hidden' name='show' value='all'>";
+			echo "		<input type='hidden' name='show' value='all'>";
 		}
 		else {
-			echo "				<input type='button' class='btn' value='".$text['button-show_all']."' onclick=\"window.location='messages_log.php?show=all';\">\n";
+			echo "		<input type='button' class='btn' value='".$text['button-show_all']."' onclick=\"window.location='messages_log.php?show=all';\">\n";
 		}
 	}
 	if (permission_exists('message_delete')) {
 		echo "			<input type='button' class='btn' value='".$text['button-delete']."' onclick=\"if (confirm('".$text['confirm-delete']."')) { document.getElementById('form_message_log').action = 'message_delete.php'; document.getElementById('form_message_log').submit(); }\">\n";
 	}
 	echo "				<input type='text' class='txt' style='width: 150px; margin-left: 15px;' name='search' id='search' value='".escape($search)."'>\n";
 	echo "				<input type='submit' class='btn' name='submit' value='".$text['button-search']."'>\n";
@ -188,9 +174,9 @@
 	echo "	</tr>\n";
 	echo "</table>\n";
-	echo "<form method='post' action=''>\n";
+	echo "<form id='form_message_log' method='post' action=''>\n";
 	echo "<table class='tr_hover' width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
-	if (is_array($messages)) {
+	if (is_array($messages) && @sizeof($messages) != 0) {
 		$x = 0;
 		foreach($messages as $row) {
@ -215,9 +201,8 @@
 			}
 			echo "<tr ".$tr_link.">\n";
 			//echo "	<td valign='top' class=''>".escape($row['user_uuid'])."&nbsp;</td>\n";
-			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='align: center; padding: 3px 3px 0px 8px;'>\n";
+			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='align: center; padding: 3px 3px 0px 7px;'>\n";
-			echo "		<input type='checkbox' name=\"messages[$x][checked]\" id='checkbox_".$x."' value='true' onclick=\"if (!this.checked) { document.getElementById('chk_all_".$x."').checked = false; }\">\n";
+			echo "		<input type='checkbox' name=\"messages[]\" id='checkbox_".$x."' value='".escape($row['message_uuid'])."' onclick=\"if (!this.checked) { document.getElementById('chk_all_".$x."').checked = false; }\">\n";
 			echo "		<input type='hidden' name=\"messages[$x][message_uuid]\" value='".escape($row['message_uuid'])."' />\n";
 			echo "	</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>";
 			switch ($row['message_type']) {
@ -241,15 +226,15 @@
 				echo "<a href='message_edit.php?id=".escape($row['message_uuid'])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
 			}
 			if (permission_exists('message_delete')) {
-				echo "<a href='message_delete.php?id=".escape($row['message_uuid'])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+				echo "<a href='message_delete.php?messages[]=".escape($row['message_uuid'])."' alt='".$text['button-delete']."' onclick=\"if (confirm('".$text['confirm-delete']."')) { document.getElementById('form_message_log').submit(); } else { return false; }\">$v_link_label_delete</a>";
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";
 			$x++;
-			if ($c==0) { $c=1; } else { $c=0; }
+			$c = $c ? 0 : 1;
-		} //end foreach
+		}
-		unset($sql, $messages);
+	}
-	} //end if results
+	unset($messages, $row);
 	echo "<tr>\n";
 	echo "<td colspan='8' align='left'>\n";
--- a/app/messages/messages_thread.php
+++ b/app/messages/messages_thread.php
@ -51,14 +51,15 @@
 		$array = explode(' ',$_SESSION['message']['display_last']['text']);
 		if (is_array($array) && is_numeric($array[0]) && $array[0] > 0) {
 			if ($array[1] == 'messages') {
-				$limit = "limit ".$array[0]." offset 0 ";
+				$limit = limit_offset($array[0], 0);
 			}
 			else {
-				$since = "and message_date >= '".date("Y-m-d H:i:s", strtotime('-'.$_SESSION['message']['display_last']['text']))."' ";
+				$since = "and message_date >= :message_date ";
 				$parameters['message_date'] = date("Y-m-d H:i:s", strtotime('-'.$_SESSION['message']['display_last']['text']));
 			}
 		}
 	}
-	if ($limit == '' && $since == '') { $limit = "limit 25 offset 0"; } //default (message count)
+	if ($limit == '' && $since == '') { $limit = limit_offset(25, 0); } //default (message count)
 	$sql = "select ";
 	$sql .= "message_uuid, ";
 	$sql .= "domain_uuid, ";
@ -66,47 +67,55 @@
 	$sql .= "contact_uuid, ";
 	$sql .= "message_type, ";
 	$sql .= "message_direction, ";
-	$sql .= "message_date at time zone '".$_SESSION['domain']['time_zone']['name']."' as message_date, ";
+	$sql .= "message_date at time zone :time_zone as message_date, ";
 	$sql .= "message_from, ";
 	$sql .= "message_to, ";
 	$sql .= "message_text ";
 	$sql .= "from v_messages ";
-	$sql .= "where user_uuid = '".$_SESSION['user_uuid']."' ";
+	$sql .= "where user_uuid = :user_uuid ";
-	$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
+	$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
 	$sql .= $since;
-	$sql .= "and (message_from like '%".$number."' or message_to like '%".$number."') ";
+	$sql .= "and (message_from like :message_number or message_to like :message_number) ";
 	$sql .= "order by message_date desc ";
 	$sql .= $limit;
-	$prep_statement = $db->prepare(check_sql($sql));
+	$parameters['time_zone'] = $_SESSION['domain']['time_zone']['name'];
-	$prep_statement->execute();
+	$parameters['user_uuid'] = $_SESSION['user_uuid'];
-	$messages = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$parameters['domain_uuid'] = $domain_uuid;
 	$parameters['message_number'] = '%'.$number;
 	$database = new database;
 	$messages = $database->select($sql, $parameters, 'all');
 	$messages = array_reverse($messages);
-	unset ($prep_statement, $sql);
+	unset($sql, $parameters);
 //get media (if any)
-	$sql = "select message_uuid, message_media_uuid, message_media_type, length(decode(message_media_content,'base64')) as message_media_size from v_message_media ";
+	$sql = "select ";
-	$sql .= "where user_uuid = '".$_SESSION['user_uuid']."' ";
+	$sql .= "message_uuid, ";
-	$sql .= "and (domain_uuid = '".$domain_uuid."' or domain_uuid is null) ";
+	$sql .= "message_media_uuid, ";
-	$sql .= "and message_uuid in ( ";
+	$sql .= "message_media_type, ";
-	foreach ($messages as $message) {
+	$sql .= "length(decode(message_media_content,'base64')) as message_media_size ";
-		$message_uuids[] = "'".$message['message_uuid']."'";
+	$sql .= "from v_message_media ";
 	$sql .= "where user_uuid = :user_uuid ";
 	$sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
 	$sql .= "and ( ";
 	foreach ($messages as $index => $message) {
 		$message_uuids[] = "message_uuid = :message_uuid_".$index;
 		$parameters['message_uuid_'.$index] = $message['message_uuid'];
 	}
-	$sql .= implode(',', $message_uuids);
+	$sql .= implode(' or ', $message_uuids);
 	$sql .= ") ";
 	$sql .= "and message_media_type <> 'txt' ";
-	$prep_statement = $db->prepare(check_sql($sql));
+	$parameters['user_uuid'] = $_SESSION['user_uuid'];
-	$prep_statement->execute();
+	$parameters['domain_uuid'] = $domain_uuid;
-	$rows = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$database = new database;
-	unset ($prep_statement, $sql);
+	$rows = $database->select($sql, $parameters, 'all');
 	unset($sql, $parameters, $index);
 //prep media array
-	if (is_array($rows) && sizeof($rows) != 0) {
+	if (is_array($rows) && @sizeof($rows) != 0) {
-		$x = 0;
+		foreach ($rows as $index => $row) {
-		foreach ($rows as $row) {
+			$message_media[$row['message_uuid']][$index]['uuid'] = $row['message_media_uuid'];
-			$message_media[$row['message_uuid']][$x]['uuid'] = $row['message_media_uuid'];
+			$message_media[$row['message_uuid']][$index]['type'] = $row['message_media_type'];
-			$message_media[$row['message_uuid']][$x]['type'] = $row['message_media_type'];
+			$message_media[$row['message_uuid']][$index]['size'] = $row['message_media_size'];
 			$message_media[$row['message_uuid']][$x]['size'] = $row['message_media_size'];
 			$x++;
 		}
 	}
@ -197,7 +206,7 @@
 	}
 	//output messages
-		if (is_array($messages) && sizeof($messages) != 0) {
+		if (is_array($messages) && @sizeof($messages) != 0) {
 			foreach ($messages as $message) {
 				//parse from message
 				if ($message['message_direction'] == 'inbound') {
@ -214,7 +223,7 @@
 							if (
 								$message['message_direction'] == 'inbound' &&
 								is_array($_SESSION['tmp']['messages']['contact_em'][$contact_uuid]) &&
-								sizeof($_SESSION['tmp']['messages']['contact_em'][$contact_uuid]) != 0
+								@sizeof($_SESSION['tmp']['messages']['contact_em'][$contact_uuid]) != 0
 								) {
 								echo "<div class='message-bubble-image-em'>\n";
 								echo "	<img class='message-bubble-image-em'><br />\n";
@ -223,7 +232,7 @@
 						//contact image me
 							else if (
 								is_array($_SESSION['tmp']['messages']['contact_me']) &&
-								sizeof($_SESSION['tmp']['messages']['contact_me']) != 0
+								@sizeof($_SESSION['tmp']['messages']['contact_me']) != 0
 								) {
 								echo "<div class='message-bubble-image-me'>\n";
 								echo "	<img class='message-bubble-image-me'><br />\n";
@ -235,7 +244,7 @@
 								echo "<div class='message-text'>".str_replace("\n",'<br />',escape($message['message_text']))."</div>\n";
 							}
 						//attachments
-							if (is_array($message_media[$message['message_uuid']]) && sizeof($message_media[$message['message_uuid']]) != 0) {
+							if (is_array($message_media[$message['message_uuid']]) && @sizeof($message_media[$message['message_uuid']]) != 0) {
 								foreach ($message_media[$message['message_uuid']] as $media) {
 									if ($media['type'] != 'txt') {