Update extension_edit.php
Use check_str on extension_edit when building the SQL queries. In the future this will switch to PHP PDO prepared statements with parameters. This change fixes a problem where check_str was applied twice, duplicating the escaped single quote.
This commit is contained in:
parent
4ba9e89765
commit
da5c667202
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
The Initial Developer of the Original Code is
|
The Initial Developer of the Original Code is
|
||||||
Mark J Crane <markjcrane@fusionpbx.com>
|
Mark J Crane <markjcrane@fusionpbx.com>
|
||||||
Copyright (C) 2008-2015 All Rights Reserved.
|
Copyright (C) 2008-2016 All Rights Reserved.
|
||||||
|
|
||||||
Contributor(s):
|
Contributor(s):
|
||||||
Mark J Crane <markjcrane@fusionpbx.com>
|
Mark J Crane <markjcrane@fusionpbx.com>
|
||||||
|
|
@ -45,7 +45,7 @@
|
||||||
//set the action as an add or an update
|
//set the action as an add or an update
|
||||||
if (isset($_REQUEST["id"])) {
|
if (isset($_REQUEST["id"])) {
|
||||||
$action = "update";
|
$action = "update";
|
||||||
$extension_uuid = check_str($_REQUEST["id"]);
|
$extension_uuid = $_REQUEST["id"];
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$action = "add";
|
$action = "add";
|
||||||
|
|
@ -54,7 +54,7 @@
|
||||||
//get total extension count from the database, check limit, if defined
|
//get total extension count from the database, check limit, if defined
|
||||||
if ($action == 'add') {
|
if ($action == 'add') {
|
||||||
if ($_SESSION['limit']['extensions']['numeric'] != '') {
|
if ($_SESSION['limit']['extensions']['numeric'] != '') {
|
||||||
$sql = "select count(*) as num_rows from v_extensions where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
$sql = "select count(*) as num_rows from v_extensions where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
|
||||||
$prep_statement = $db->prepare($sql);
|
$prep_statement = $db->prepare($sql);
|
||||||
if ($prep_statement) {
|
if ($prep_statement) {
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
|
|
@ -74,66 +74,66 @@
|
||||||
//get the http values and set them as php variables
|
//get the http values and set them as php variables
|
||||||
if (count($_POST) > 0) {
|
if (count($_POST) > 0) {
|
||||||
//get the values from the HTTP POST and save them as PHP variables
|
//get the values from the HTTP POST and save them as PHP variables
|
||||||
$extension = str_replace(' ','-',check_str($_POST["extension"]));
|
$extension = str_replace(' ','-',$_POST["extension"]);
|
||||||
$number_alias = check_str($_POST["number_alias"]);
|
$number_alias = $_POST["number_alias"];
|
||||||
$password = check_str($_POST["password"]);
|
$password = $_POST["password"];
|
||||||
|
|
||||||
// server verification on account code
|
// server verification on account code
|
||||||
$accountcode = $_POST["accountcode"];
|
$accountcode = $_POST["accountcode"];
|
||||||
|
|
||||||
$effective_caller_id_name = check_str($_POST["effective_caller_id_name"]);
|
$effective_caller_id_name = $_POST["effective_caller_id_name"];
|
||||||
$effective_caller_id_number = check_str($_POST["effective_caller_id_number"]);
|
$effective_caller_id_number = $_POST["effective_caller_id_number"];
|
||||||
$outbound_caller_id_name = check_str($_POST["outbound_caller_id_name"]);
|
$outbound_caller_id_name = $_POST["outbound_caller_id_name"];
|
||||||
$outbound_caller_id_number = check_str($_POST["outbound_caller_id_number"]);
|
$outbound_caller_id_number = $_POST["outbound_caller_id_number"];
|
||||||
$emergency_caller_id_name = check_str($_POST["emergency_caller_id_name"]);
|
$emergency_caller_id_name = $_POST["emergency_caller_id_name"];
|
||||||
$emergency_caller_id_number = check_str($_POST["emergency_caller_id_number"]);
|
$emergency_caller_id_number = $_POST["emergency_caller_id_number"];
|
||||||
$directory_full_name = check_str($_POST["directory_full_name"]);
|
$directory_full_name = $_POST["directory_full_name"];
|
||||||
$directory_visible = check_str($_POST["directory_visible"]);
|
$directory_visible = $_POST["directory_visible"];
|
||||||
$directory_exten_visible = check_str($_POST["directory_exten_visible"]);
|
$directory_exten_visible = $_POST["directory_exten_visible"];
|
||||||
$limit_max = check_str($_POST["limit_max"]);
|
$limit_max = $_POST["limit_max"];
|
||||||
$limit_destination = check_str($_POST["limit_destination"]);
|
$limit_destination = $_POST["limit_destination"];
|
||||||
$device_uuid = check_str($_POST["device_uuid"]);
|
$device_uuid = $_POST["device_uuid"];
|
||||||
$device_line = check_str($_POST["device_line"]);
|
$device_line = $_POST["device_line"];
|
||||||
$voicemail_password = check_str($_POST["voicemail_password"]);
|
$voicemail_password = $_POST["voicemail_password"];
|
||||||
$voicemail_enabled = check_str($_POST["voicemail_enabled"]);
|
$voicemail_enabled = $_POST["voicemail_enabled"];
|
||||||
$voicemail_mail_to = check_str($_POST["voicemail_mail_to"]);
|
$voicemail_mail_to = $_POST["voicemail_mail_to"];
|
||||||
$voicemail_file = check_str($_POST["voicemail_file"]);
|
$voicemail_file = $_POST["voicemail_file"];
|
||||||
$voicemail_local_after_email = check_str($_POST["voicemail_local_after_email"]);
|
$voicemail_local_after_email = $_POST["voicemail_local_after_email"];
|
||||||
$user_context = check_str($_POST["user_context"]);
|
$user_context = $_POST["user_context"];
|
||||||
$range = check_str($_POST["range"]);
|
$range = $_POST["range"];
|
||||||
$autogen_users = check_str($_POST["autogen_users"]);
|
$autogen_users = $_POST["autogen_users"];
|
||||||
$missed_call_app = check_str($_POST["missed_call_app"]);
|
$missed_call_app = $_POST["missed_call_app"];
|
||||||
$missed_call_data = check_str($_POST["missed_call_data"]);
|
$missed_call_data = $_POST["missed_call_data"];
|
||||||
$toll_allow = check_str($_POST["toll_allow"]);
|
$toll_allow = $_POST["toll_allow"];
|
||||||
$call_timeout = check_str($_POST["call_timeout"]);
|
$call_timeout = $_POST["call_timeout"];
|
||||||
$call_group = check_str($_POST["call_group"]);
|
$call_group = $_POST["call_group"];
|
||||||
$call_screen_enabled = check_str($_POST["call_screen_enabled"]);
|
$call_screen_enabled = $_POST["call_screen_enabled"];
|
||||||
$user_record = check_str($_POST["user_record"]);
|
$user_record = $_POST["user_record"];
|
||||||
$hold_music = check_str($_POST["hold_music"]);
|
$hold_music = $_POST["hold_music"];
|
||||||
$auth_acl = check_str($_POST["auth_acl"]);
|
$auth_acl = $_POST["auth_acl"];
|
||||||
$cidr = check_str($_POST["cidr"]);
|
$cidr = $_POST["cidr"];
|
||||||
$sip_force_contact = check_str($_POST["sip_force_contact"]);
|
$sip_force_contact = $_POST["sip_force_contact"];
|
||||||
$sip_force_expires = check_str($_POST["sip_force_expires"]);
|
$sip_force_expires = $_POST["sip_force_expires"];
|
||||||
$nibble_account = check_str($_POST["nibble_account"]);
|
$nibble_account = $_POST["nibble_account"];
|
||||||
$mwi_account = check_str($_POST["mwi_account"]);
|
$mwi_account = $_POST["mwi_account"];
|
||||||
$sip_bypass_media = check_str($_POST["sip_bypass_media"]);
|
$sip_bypass_media = $_POST["sip_bypass_media"];
|
||||||
$absolute_codec_string = check_str($_POST["absolute_codec_string"]);
|
$absolute_codec_string = $_POST["absolute_codec_string"];
|
||||||
$force_ping = check_str($_POST["force_ping"]);
|
$force_ping = $_POST["force_ping"];
|
||||||
$dial_string = check_str($_POST["dial_string"]);
|
$dial_string = $_POST["dial_string"];
|
||||||
$enabled = check_str($_POST["enabled"]);
|
$enabled = $_POST["enabled"];
|
||||||
$description = check_str($_POST["description"]);
|
$description = $_POST["description"];
|
||||||
}
|
}
|
||||||
|
|
||||||
//delete the user from the v_extension_users
|
//delete the user from the v_extension_users
|
||||||
if ($_REQUEST["delete_type"] == "user" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
|
if ($_REQUEST["delete_type"] == "user" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
|
||||||
//set the variables
|
//set the variables
|
||||||
$extension_uuid = check_str($_REQUEST["id"]);
|
$extension_uuid = $_REQUEST["id"];
|
||||||
$user_uuid = check_str($_REQUEST["delete_uuid"]);
|
$user_uuid = $_REQUEST["delete_uuid"];
|
||||||
//delete the group from the users
|
//delete the group from the users
|
||||||
$sql = "delete from v_extension_users ";
|
$sql = "delete from v_extension_users ";
|
||||||
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
|
||||||
$sql .= "and extension_uuid = '".$extension_uuid."' ";
|
$sql .= "and extension_uuid = '".check_str($extension_uuid)."' ";
|
||||||
$sql .= "and user_uuid = '".$user_uuid."' ";
|
$sql .= "and user_uuid = '".check_str($user_uuid)."' ";
|
||||||
$db->exec(check_sql($sql));
|
$db->exec(check_sql($sql));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -141,12 +141,12 @@
|
||||||
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/devices')) {
|
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/devices')) {
|
||||||
if ($_REQUEST["delete_type"] == "device_line" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
|
if ($_REQUEST["delete_type"] == "device_line" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
|
||||||
//set the variables
|
//set the variables
|
||||||
$extension_uuid = check_str($_REQUEST["id"]);
|
$extension_uuid = $_REQUEST["id"];
|
||||||
$device_line_uuid = check_str($_REQUEST["delete_uuid"]);
|
$device_line_uuid = $_REQUEST["delete_uuid"];
|
||||||
//delete device_line
|
//delete device_line
|
||||||
$sql = "delete from v_device_lines ";
|
$sql = "delete from v_device_lines ";
|
||||||
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
|
||||||
$sql .= "and device_line_uuid = '$device_line_uuid' ";
|
$sql .= "and device_line_uuid = '".check_str($device_line_uuid)."' ";
|
||||||
$db->exec(check_sql($sql));
|
$db->exec(check_sql($sql));
|
||||||
unset($sql);
|
unset($sql);
|
||||||
}
|
}
|
||||||
|
|
@ -157,7 +157,7 @@
|
||||||
|
|
||||||
//set the domain_uuid
|
//set the domain_uuid
|
||||||
if (permission_exists('extension_domain')) {
|
if (permission_exists('extension_domain')) {
|
||||||
$domain_uuid = check_str($_POST["domain_uuid"]);
|
$domain_uuid = $_POST["domain_uuid"];
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$domain_uuid = $_SESSION['domain_uuid'];
|
$domain_uuid = $_SESSION['domain_uuid'];
|
||||||
|
|
@ -383,8 +383,8 @@
|
||||||
|
|
||||||
//get the voicemail_uuid
|
//get the voicemail_uuid
|
||||||
$sql = "select voicemail_uuid from v_voicemails ";
|
$sql = "select voicemail_uuid from v_voicemails ";
|
||||||
$sql .= "where voicemail_id = '".$extension."' ";
|
$sql .= "where voicemail_id = '".check_str($extension)."' ";
|
||||||
$sql .= "and domain_uuid = '".$_SESSION["domain_uuid"]."' ";
|
$sql .= "and domain_uuid = '".check_str($_SESSION["domain_uuid"])."' ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
||||||
|
|
@ -432,11 +432,11 @@
|
||||||
//update devices having extension assigned to line(s) with new password
|
//update devices having extension assigned to line(s) with new password
|
||||||
if ($action == "update" && $range == 1 && permission_exists('extension_password')) {
|
if ($action == "update" && $range == 1 && permission_exists('extension_password')) {
|
||||||
$sql = "update v_device_lines set ";
|
$sql = "update v_device_lines set ";
|
||||||
$sql .= "password = '".$password."' ";
|
$sql .= "password = '".check_str($password)."' ";
|
||||||
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
|
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
|
||||||
$sql .= "and server_address = '".$_SESSION['domain_name']."' ";
|
$sql .= "and server_address = '".check_str($_SESSION['domain_name'])."' ";
|
||||||
$sql .= "and user_id = '".$extension."' ";
|
$sql .= "and user_id = '".check_str($extension)."' ";
|
||||||
$sql .= "and password = '".$extension."' ";
|
$sql .= "and password = '".check_str($extension)."' ";
|
||||||
$db->exec(check_sql($sql));
|
$db->exec(check_sql($sql));
|
||||||
unset($sql);
|
unset($sql);
|
||||||
}
|
}
|
||||||
|
|
@ -465,8 +465,8 @@
|
||||||
|
|
||||||
//get the device_uuid
|
//get the device_uuid
|
||||||
$sql = "SELECT device_uuid FROM v_devices ";
|
$sql = "SELECT device_uuid FROM v_devices ";
|
||||||
$sql .= "WHERE device_mac_address = '".$device_mac_address."' ";
|
$sql .= "WHERE device_mac_address = '".check_str($device_mac_address)."' ";
|
||||||
$sql .= "AND domain_uuid = '".$domain_uuid."' ";
|
$sql .= "AND domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
||||||
|
|
@ -590,10 +590,10 @@
|
||||||
|
|
||||||
//pre-populate the form
|
//pre-populate the form
|
||||||
if (count($_GET) > 0 && $_POST["persistformvar"] != "true") {
|
if (count($_GET) > 0 && $_POST["persistformvar"] != "true") {
|
||||||
$extension_uuid = check_str($_GET["id"]);
|
$extension_uuid = $_GET["id"];
|
||||||
$sql = "select * from v_extensions ";
|
$sql = "select * from v_extensions ";
|
||||||
$sql .= "where extension_uuid = '".$extension_uuid."' ";
|
$sql .= "where extension_uuid = '".check_str($extension_uuid)."' ";
|
||||||
$sql .= "and domain_uuid = '".$domain_uuid."' ";
|
$sql .= "and domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
||||||
|
|
@ -641,8 +641,8 @@
|
||||||
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/voicemails')) {
|
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/voicemails')) {
|
||||||
//get the voicemails
|
//get the voicemails
|
||||||
$sql = "select * from v_voicemails ";
|
$sql = "select * from v_voicemails ";
|
||||||
$sql .= "where domain_uuid = '".$domain_uuid."' ";
|
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$sql .= "and voicemail_id = '".((is_numeric($number_alias)) ? $number_alias : $extension)."' ";
|
$sql .= "and voicemail_id = '".((is_numeric($number_alias)) ? check_str($number_alias) : check_str($extension))."' ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
|
||||||
|
|
@ -669,8 +669,8 @@
|
||||||
//get the device lines
|
//get the device lines
|
||||||
$sql = "SELECT d.device_mac_address, d.device_template, d.device_description, l.device_line_uuid, l.device_uuid, l.line_number ";
|
$sql = "SELECT d.device_mac_address, d.device_template, d.device_description, l.device_line_uuid, l.device_uuid, l.line_number ";
|
||||||
$sql .= "FROM v_device_lines as l, v_devices as d ";
|
$sql .= "FROM v_device_lines as l, v_devices as d ";
|
||||||
$sql .= "WHERE (l.user_id = '".$extension."' or l.user_id = '".$number_alias."')";
|
$sql .= "WHERE (l.user_id = '".check_str($extension)."' or l.user_id = '".check_str($number_alias)."')";
|
||||||
$sql .= "AND l.domain_uuid = '".$domain_uuid."' ";
|
$sql .= "AND l.domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$sql .= "AND l.device_uuid = d.device_uuid ";
|
$sql .= "AND l.device_uuid = d.device_uuid ";
|
||||||
$sql .= "ORDER BY l.line_number, d.device_mac_address asc ";
|
$sql .= "ORDER BY l.line_number, d.device_mac_address asc ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
|
|
@ -680,7 +680,7 @@
|
||||||
|
|
||||||
//get the devices
|
//get the devices
|
||||||
$sql = "SELECT * FROM v_devices ";
|
$sql = "SELECT * FROM v_devices ";
|
||||||
$sql .= "WHERE domain_uuid = '".$domain_uuid."' ";
|
$sql .= "WHERE domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$sql .= "ORDER BY device_mac_address asc ";
|
$sql .= "ORDER BY device_mac_address asc ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
|
|
@ -691,8 +691,8 @@
|
||||||
$sql = "SELECT u.username, e.user_uuid FROM v_extension_users as e, v_users as u ";
|
$sql = "SELECT u.username, e.user_uuid FROM v_extension_users as e, v_users as u ";
|
||||||
$sql .= "where e.user_uuid = u.user_uuid ";
|
$sql .= "where e.user_uuid = u.user_uuid ";
|
||||||
$sql .= "and u.user_enabled = 'true' ";
|
$sql .= "and u.user_enabled = 'true' ";
|
||||||
$sql .= "and e.domain_uuid = '".$domain_uuid."' ";
|
$sql .= "and e.domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$sql .= "and e.extension_uuid = '".$extension_uuid."' ";
|
$sql .= "and e.extension_uuid = '".check_str($extension_uuid)."' ";
|
||||||
$sql .= "order by u.username asc ";
|
$sql .= "order by u.username asc ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
|
||||||
$prep_statement->execute();
|
$prep_statement->execute();
|
||||||
|
|
@ -704,9 +704,9 @@
|
||||||
|
|
||||||
//get the users
|
//get the users
|
||||||
$sql = "SELECT * FROM v_users ";
|
$sql = "SELECT * FROM v_users ";
|
||||||
$sql .= "where domain_uuid = '".$domain_uuid."' ";
|
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
if (isset($assigned_user_uuids)) foreach($assigned_user_uuids as $assigned_user_uuid) {
|
if (isset($assigned_user_uuids)) foreach($assigned_user_uuids as $assigned_user_uuid) {
|
||||||
$sql .= "and user_uuid <> '".$assigned_user_uuid."' ";
|
$sql .= "and user_uuid <> '".check_str($assigned_user_uuid)."' ";
|
||||||
}
|
}
|
||||||
unset($assigned_user_uuids);
|
unset($assigned_user_uuids);
|
||||||
$sql .= "and user_enabled = 'true' ";
|
$sql .= "and user_enabled = 'true' ";
|
||||||
|
|
@ -718,7 +718,7 @@
|
||||||
|
|
||||||
//get the destinations
|
//get the destinations
|
||||||
$sql = "select * from v_destinations ";
|
$sql = "select * from v_destinations ";
|
||||||
$sql .= "where domain_uuid = '".$domain_uuid."' ";
|
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
|
||||||
$sql .= "and destination_type = 'inbound' ";
|
$sql .= "and destination_type = 'inbound' ";
|
||||||
$sql .= "order by destination_number asc ";
|
$sql .= "order by destination_number asc ";
|
||||||
$prep_statement = $db->prepare(check_sql($sql));
|
$prep_statement = $db->prepare(check_sql($sql));
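Review bot: Removing check_str at intake (the `$extension_uuid = $_REQUEST["id"]` and `$... = $_POST[...]` assignments in the `@ -45`, `@ -74`, `@ -141`, `@ -157` and `@ -590` hunks) moves the escaping responsibility from one place to every sink, and this commit only re-applies it at the SQL concatenation sites shown here. Any other use of these variables in the rest of the file — hidden form fields, pre-populated input values, generated config — now receives the raw request value; that part of the file is outside these hunks, so each such sink should be confirmed to escape per context (`htmlspecialchars` for HTML output) rather than relying on the old intake escaping. The same applies to `$accountcode`, which was already read unescaped and is left that way by this change. A comment at the top of the POST block, `// values are stored raw; escape at each sink (check_str for SQL, htmlspecialchars for HTML)`, would make the new contract explicit for the next maintainer. For the UUID parameters (`id`, `delete_uuid`, `device_uuid`), validating the format before use would be a stronger guard than escaping alone, and would carry over unchanged to the planned PDO parameterisation.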
|
||||||