dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update extension_edit.php 

Use check_str on extension edit when building the sql queries. In the future will switch to PHP PDO prepared statements with parameters. This change fixes a problem where the check_str is used twice and duplicating the single quote.
This commit is contained in:
FusionPBX 2016-11-24 03:21:35 -07:00 committed by GitHub
parent 4ba9e89765
commit da5c667202
1 changed files with 79 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
app/extensions/extension_edit.php
View File

@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Copyright (C) 2008-2015 All Rights Reserved.
Copyright (C) 2008-2016 All Rights Reserved.
Contributor(s):
Mark J Crane <markjcrane@fusionpbx.com>
@ -45,7 +45,7 @@
//set the action as an add or an update
if (isset($_REQUEST["id"])) {
$action = "update";
$extension_uuid = check_str($_REQUEST["id"]);
$extension_uuid = $_REQUEST["id"];
}
else {
$action = "add";
@ -54,7 +54,7 @@
//get total extension count from the database, check limit, if defined
if ($action == 'add') {
if ($_SESSION['limit']['extensions']['numeric'] != '') {
$sql = "select count(*) as num_rows from v_extensions where domain_uuid = '".$_SESSION['domain_uuid']."' ";
$sql = "select count(*) as num_rows from v_extensions where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
$prep_statement = $db->prepare($sql);
if ($prep_statement) {
$prep_statement->execute();
@ -74,66 +74,66 @@
//get the http values and set them as php variables
if (count($_POST) > 0) {
//get the values from the HTTP POST and save them as PHP variables
$extension = str_replace(' ','-',check_str($_POST["extension"]));
$number_alias = check_str($_POST["number_alias"]);
$password = check_str($_POST["password"]);
$extension = str_replace(' ','-',$_POST["extension"]);
$number_alias = $_POST["number_alias"];
$password = $_POST["password"];
// server verification on account code
$accountcode = $_POST["accountcode"];
$effective_caller_id_name = check_str($_POST["effective_caller_id_name"]);
$effective_caller_id_number = check_str($_POST["effective_caller_id_number"]);
$outbound_caller_id_name = check_str($_POST["outbound_caller_id_name"]);
$outbound_caller_id_number = check_str($_POST["outbound_caller_id_number"]);
$emergency_caller_id_name = check_str($_POST["emergency_caller_id_name"]);
$emergency_caller_id_number = check_str($_POST["emergency_caller_id_number"]);
$directory_full_name = check_str($_POST["directory_full_name"]);
$directory_visible = check_str($_POST["directory_visible"]);
$directory_exten_visible = check_str($_POST["directory_exten_visible"]);
$limit_max = check_str($_POST["limit_max"]);
$limit_destination = check_str($_POST["limit_destination"]);
$device_uuid = check_str($_POST["device_uuid"]);
$device_line = check_str($_POST["device_line"]);
$voicemail_password = check_str($_POST["voicemail_password"]);
$voicemail_enabled = check_str($_POST["voicemail_enabled"]);
$voicemail_mail_to = check_str($_POST["voicemail_mail_to"]);
$voicemail_file = check_str($_POST["voicemail_file"]);
$voicemail_local_after_email = check_str($_POST["voicemail_local_after_email"]);
$user_context = check_str($_POST["user_context"]);
$range = check_str($_POST["range"]);
$autogen_users = check_str($_POST["autogen_users"]);
$missed_call_app = check_str($_POST["missed_call_app"]);
$missed_call_data = check_str($_POST["missed_call_data"]);
$toll_allow = check_str($_POST["toll_allow"]);
$call_timeout = check_str($_POST["call_timeout"]);
$call_group = check_str($_POST["call_group"]);
$call_screen_enabled = check_str($_POST["call_screen_enabled"]);
$user_record = check_str($_POST["user_record"]);
$hold_music = check_str($_POST["hold_music"]);
$auth_acl = check_str($_POST["auth_acl"]);
$cidr = check_str($_POST["cidr"]);
$sip_force_contact = check_str($_POST["sip_force_contact"]);
$sip_force_expires = check_str($_POST["sip_force_expires"]);
$nibble_account = check_str($_POST["nibble_account"]);
$mwi_account = check_str($_POST["mwi_account"]);
$sip_bypass_media = check_str($_POST["sip_bypass_media"]);
$absolute_codec_string = check_str($_POST["absolute_codec_string"]);
$force_ping = check_str($_POST["force_ping"]);
$dial_string = check_str($_POST["dial_string"]);
$enabled = check_str($_POST["enabled"]);
$description = check_str($_POST["description"]);
$effective_caller_id_name = $_POST["effective_caller_id_name"];
$effective_caller_id_number = $_POST["effective_caller_id_number"];
$outbound_caller_id_name = $_POST["outbound_caller_id_name"];
$outbound_caller_id_number = $_POST["outbound_caller_id_number"];
$emergency_caller_id_name = $_POST["emergency_caller_id_name"];
$emergency_caller_id_number = $_POST["emergency_caller_id_number"];
$directory_full_name = $_POST["directory_full_name"];
$directory_visible = $_POST["directory_visible"];
$directory_exten_visible = $_POST["directory_exten_visible"];
$limit_max = $_POST["limit_max"];
$limit_destination = $_POST["limit_destination"];
$device_uuid = $_POST["device_uuid"];
$device_line = $_POST["device_line"];
$voicemail_password = $_POST["voicemail_password"];
$voicemail_enabled = $_POST["voicemail_enabled"];
$voicemail_mail_to = $_POST["voicemail_mail_to"];
$voicemail_file = $_POST["voicemail_file"];
$voicemail_local_after_email = $_POST["voicemail_local_after_email"];
$user_context = $_POST["user_context"];
$range = $_POST["range"];
$autogen_users = $_POST["autogen_users"];
$missed_call_app = $_POST["missed_call_app"];
$missed_call_data = $_POST["missed_call_data"];
$toll_allow = $_POST["toll_allow"];
$call_timeout = $_POST["call_timeout"];
$call_group = $_POST["call_group"];
$call_screen_enabled = $_POST["call_screen_enabled"];
$user_record = $_POST["user_record"];
$hold_music = $_POST["hold_music"];
$auth_acl = $_POST["auth_acl"];
$cidr = $_POST["cidr"];
$sip_force_contact = $_POST["sip_force_contact"];
$sip_force_expires = $_POST["sip_force_expires"];
$nibble_account = $_POST["nibble_account"];
$mwi_account = $_POST["mwi_account"];
$sip_bypass_media = $_POST["sip_bypass_media"];
$absolute_codec_string = $_POST["absolute_codec_string"];
$force_ping = $_POST["force_ping"];
$dial_string = $_POST["dial_string"];
$enabled = $_POST["enabled"];
$description = $_POST["description"];
}
//delete the user from the v_extension_users
if ($_REQUEST["delete_type"] == "user" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
//set the variables
$extension_uuid = check_str($_REQUEST["id"]);
$user_uuid = check_str($_REQUEST["delete_uuid"]);
$extension_uuid = $_REQUEST["id"];
$user_uuid = $_REQUEST["delete_uuid"];
//delete the group from the users
$sql = "delete from v_extension_users ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
$sql .= "and extension_uuid = '".$extension_uuid."' ";
$sql .= "and user_uuid = '".$user_uuid."' ";
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
$sql .= "and extension_uuid = '".check_str($extension_uuid)."' ";
$sql .= "and user_uuid = '".check_str($user_uuid)."' ";
$db->exec(check_sql($sql));
}
@ -141,12 +141,12 @@
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/devices')) {
if ($_REQUEST["delete_type"] == "device_line" && strlen($_REQUEST["delete_uuid"]) > 0 && permission_exists("extension_delete")) {
//set the variables
$extension_uuid = check_str($_REQUEST["id"]);
$device_line_uuid = check_str($_REQUEST["delete_uuid"]);
$extension_uuid = $_REQUEST["id"];
$device_line_uuid = $_REQUEST["delete_uuid"];
//delete device_line
$sql = "delete from v_device_lines ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
$sql .= "and device_line_uuid = '$device_line_uuid' ";
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
$sql .= "and device_line_uuid = '".check_str($device_line_uuid)."' ";
$db->exec(check_sql($sql));
unset($sql);
}
@ -157,7 +157,7 @@
//set the domain_uuid
if (permission_exists('extension_domain')) {
$domain_uuid = check_str($_POST["domain_uuid"]);
$domain_uuid = $_POST["domain_uuid"];
}
else {
$domain_uuid = $_SESSION['domain_uuid'];
@ -383,8 +383,8 @@
//get the voicemail_uuid
$sql = "select voicemail_uuid from v_voicemails ";
$sql .= "where voicemail_id = '".$extension."' ";
$sql .= "and domain_uuid = '".$_SESSION["domain_uuid"]."' ";
$sql .= "where voicemail_id = '".check_str($extension)."' ";
$sql .= "and domain_uuid = '".check_str($_SESSION["domain_uuid"])."' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@ -432,11 +432,11 @@
//update devices having extension assigned to line(s) with new password
if ($action == "update" && $range == 1 && permission_exists('extension_password')) {
$sql = "update v_device_lines set ";
$sql .= "password = '".$password."' ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
$sql .= "and server_address = '".$_SESSION['domain_name']."' ";
$sql .= "and user_id = '".$extension."' ";
$sql .= "and password = '".$extension."' ";
$sql .= "password = '".check_str($password)."' ";
$sql .= "where domain_uuid = '".check_str($_SESSION['domain_uuid'])."' ";
$sql .= "and server_address = '".check_str($_SESSION['domain_name'])."' ";
$sql .= "and user_id = '".check_str($extension)."' ";
$sql .= "and password = '".check_str($extension)."' ";
$db->exec(check_sql($sql));
unset($sql);
}
@ -465,8 +465,8 @@
//get the device_uuid
$sql = "SELECT device_uuid FROM v_devices ";
$sql .= "WHERE device_mac_address = '".$device_mac_address."' ";
$sql .= "AND domain_uuid = '".$domain_uuid."' ";
$sql .= "WHERE device_mac_address = '".check_str($device_mac_address)."' ";
$sql .= "AND domain_uuid = '".check_str($domain_uuid)."' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@ -590,10 +590,10 @@
//pre-populate the form
if (count($_GET) > 0 && $_POST["persistformvar"] != "true") {
$extension_uuid = check_str($_GET["id"]);
$extension_uuid = $_GET["id"];
$sql = "select * from v_extensions ";
$sql .= "where extension_uuid = '".$extension_uuid."' ";
$sql .= "and domain_uuid = '".$domain_uuid."' ";
$sql .= "where extension_uuid = '".check_str($extension_uuid)."' ";
$sql .= "and domain_uuid = '".check_str($domain_uuid)."' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@ -641,8 +641,8 @@
if (is_dir($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/voicemails')) {
//get the voicemails
$sql = "select * from v_voicemails ";
$sql .= "where domain_uuid = '".$domain_uuid."' ";
$sql .= "and voicemail_id = '".((is_numeric($number_alias)) ? $number_alias : $extension)."' ";
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
$sql .= "and voicemail_id = '".((is_numeric($number_alias)) ? check_str($number_alias) : check_str($extension))."' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@ -669,8 +669,8 @@
//get the device lines
$sql = "SELECT d.device_mac_address, d.device_template, d.device_description, l.device_line_uuid, l.device_uuid, l.line_number ";
$sql .= "FROM v_device_lines as l, v_devices as d ";
$sql .= "WHERE (l.user_id = '".$extension."' or l.user_id = '".$number_alias."')";
$sql .= "AND l.domain_uuid = '".$domain_uuid."' ";
$sql .= "WHERE (l.user_id = '".check_str($extension)."' or l.user_id = '".check_str($number_alias)."')";
$sql .= "AND l.domain_uuid = '".check_str($domain_uuid)."' ";
$sql .= "AND l.device_uuid = d.device_uuid ";
$sql .= "ORDER BY l.line_number, d.device_mac_address asc ";
$prep_statement = $db->prepare(check_sql($sql));
@ -680,7 +680,7 @@
//get the devices
$sql = "SELECT * FROM v_devices ";
$sql .= "WHERE domain_uuid = '".$domain_uuid."' ";
$sql .= "WHERE domain_uuid = '".check_str($domain_uuid)."' ";
$sql .= "ORDER BY device_mac_address asc ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
@ -691,8 +691,8 @@
$sql = "SELECT u.username, e.user_uuid FROM v_extension_users as e, v_users as u ";
$sql .= "where e.user_uuid = u.user_uuid ";
$sql .= "and u.user_enabled = 'true' ";
$sql .= "and e.domain_uuid = '".$domain_uuid."' ";
$sql .= "and e.extension_uuid = '".$extension_uuid."' ";
$sql .= "and e.domain_uuid = '".check_str($domain_uuid)."' ";
$sql .= "and e.extension_uuid = '".check_str($extension_uuid)."' ";
$sql .= "order by u.username asc ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
@ -704,9 +704,9 @@
//get the users
$sql = "SELECT * FROM v_users ";
$sql .= "where domain_uuid = '".$domain_uuid."' ";
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
if (isset($assigned_user_uuids)) foreach($assigned_user_uuids as $assigned_user_uuid) {
$sql .= "and user_uuid <> '".$assigned_user_uuid."' ";
$sql .= "and user_uuid <> '".check_str($assigned_user_uuid)."' ";
}
unset($assigned_user_uuids);
$sql .= "and user_enabled = 'true' ";
@ -718,7 +718,7 @@
//get the destinations
$sql = "select * from v_destinations ";
$sql .= "where domain_uuid = '".$domain_uuid."' ";
$sql .= "where domain_uuid = '".check_str($domain_uuid)."' ";
$sql .= "and destination_type = 'inbound' ";
$sql .= "order by destination_number asc ";
$prep_statement = $db->prepare(check_sql($sql));