From a1c4e7d54e1ac519999b210171c5b890c15389fb Mon Sep 17 00:00:00 2001
From: AlexanderDCrane <40072887+AlexanderDCrane@users.noreply.github.com>
Date: Sat, 1 Jun 2019 12:30:11 -0600
Subject: [PATCH] Update call_center_agents.php

---
 app/call_centers/call_center_agents.php | 45 ++++++++++++++++---------
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/app/call_centers/call_center_agents.php b/app/call_centers/call_center_agents.php
index 16fe82d1f2..3213866f97 100644
--- a/app/call_centers/call_center_agents.php
+++ b/app/call_centers/call_center_agents.php
@@ -51,6 +51,21 @@
 	$order_by = $_GET["order_by"];
 	$order = $_GET["order"];
 
+//validate order by
+	if (strlen($order_by) > 0) {
+		$order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
+	}
+
+//validate the order
+	switch ($order) {
+		case 'asc':
+			break;
+		case 'desc':
+			break;
+		default:
+			$order = '';
+	}
+
 //show content
 	echo "<table width='100%' cellpadding='0' cellspacing='0' border='0'>\n";
 	echo "<tr>\n";
@@ -68,7 +83,7 @@
 	echo "</tr></table>\n";
 
 	$sql = "select * from v_call_center_agents ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	if (strlen($order_by) == 0) {
 		$order_by = 'agent_name';
 		$order = 'asc';
@@ -76,11 +91,12 @@
 	else {
 		$sql .= "order by $order_by $order ";
 	}
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$num_rows = count($result);
-	unset ($prep_statement, $result, $sql);
+	$database = new database;
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$parameters['rows_per_page'] = $rows_per_page;
+	$parameters['offset'] = $offset;
+	$result = $database->select($sql, $parameters, 'all');
+
 	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
 	$param = "";
 	$page = $_GET['page'];
@@ -89,7 +105,7 @@
 	$offset = $rows_per_page * $page;
 
 	$sql = "select * from v_call_center_agents ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	if (strlen($order_by) == 0) {
 		$order_by = 'agent_name';
 		$order = 'asc';
@@ -97,12 +113,11 @@
 	else {
 		$sql .= "order by $order_by $order ";
 	}
-	$sql .= " limit $rows_per_page offset $offset ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$result_count = count($result);
-	unset ($prep_statement, $sql);
+	$sql .= " limit :rows_per_page offset :offset ";
+	$database = new database;
+	$parameters['rows_per_page'] = $rows_per_page;
+	$parameters['offset'] = $offset;
+	$result = $database->select($sql, $parameters, 'all');
 
 	$c = 0;
 	$row_style["0"] = "row_style0";
@@ -128,9 +143,7 @@
 	echo "</td>\n";
 	echo "</tr>\n";
 
-	if ($result_count == 0) { //no results
-	}
-	else { //received results
+	if (is_array($result)) {
 		foreach($result as $row) {
 			$tr_link = (permission_exists('call_center_agent_edit')) ? "href='call_center_agent_edit.php?id=".escape($row['call_center_agent_uuid'])."'" : null;
 			echo "<tr ".$tr_link.">\n";