Update services.php

app/services/services.php

@@ -17,15 +17,19 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <markjcrane@fusionpbx.com>
-	Portions created by the Initial Developer are Copyright (C) 2008-2014
+	Portions created by the Initial Developer are Copyright (C) 2008-2018
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
 	Mark J Crane <markjcrane@fusionpbx.com>
 */
+
+//includes
 require_once "root.php";
 require_once "resources/require.php";
 require_once "resources/check_auth.php";
+
+//check permissions
 if (permission_exists('service_view')) {
 	//access granted
 }
@@ -102,6 +106,38 @@ if (strlen($_GET["a"]) > 0) {
 	return;
 }
 
+//get the service count
+$sql = "select * from v_services ";
+if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
+$prep_statement = $db->prepare(check_sql($sql));
+$prep_statement->execute();
+$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+$num_rows = count($result);
+unset ($prep_statement, $result, $sql);
+
+//paging
+$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
+$param = "";
+$page = $_GET['page'];
+if (strlen($page) == 0) { $page = 0; $_GET['page'] = 0; }
+list($paging_controls, $rows_per_page, $var_3) = paging($num_rows, $param, $rows_per_page);
+$offset = $rows_per_page * $page;
+
+//get the service data
+$sql = "select * from v_services ";
+if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
+$sql .= " limit $rows_per_page offset $offset ";
+$prep_statement = $db->prepare(check_sql($sql));
+$prep_statement->execute();
+$services = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+unset ($prep_statement, $sql);
+
+//set the row style
+$c = 0;
+$row_style["0"] = "row_style0";
+$row_style["1"] = "row_style1";
+
+
 //check if a process is running
 function is_process_running($pid) {
 	$status = shell_exec( 'ps -p ' . $pid );
@@ -114,6 +150,7 @@ if (strlen($_GET["a"]) > 0) {
 	}
 }
 
+//show the table content
 echo "<table width='100%' cellpadding='0' cellspacing='0' border='0'>\n";
 echo "<tr>\n";
 echo "<td width='50%' align='left' nowrap='nowrap'><b>".$text['header-services']."</b></td>\n";
@@ -126,33 +163,6 @@ if (strlen($_GET["a"]) > 0) {
 echo "</tr>\n";
 echo "</tr></table>\n";
 
-	$sql = "select * from v_services ";
-	if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$num_rows = count($result);
-	unset ($prep_statement, $result, $sql);
-	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
-	$param = "";
-	$page = $_GET['page'];
-	if (strlen($page) == 0) { $page = 0; $_GET['page'] = 0; }
-	list($paging_controls, $rows_per_page, $var_3) = paging($num_rows, $param, $rows_per_page);
-	$offset = $rows_per_page * $page;
-
-	$sql = "select * from v_services ";
-	if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-	$sql .= " limit $rows_per_page offset $offset ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$result_count = count($result);
-	unset ($prep_statement, $sql);
-
-	$c = 0;
-	$row_style["0"] = "row_style0";
-	$row_style["1"] = "row_style1";
-
 echo "<table class='tr_hover' width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
 echo "<tr>\n";
 echo th_order_by('service_name', $text['label-name'], $order_by, $order);
@@ -166,16 +176,16 @@ if (strlen($_GET["a"]) > 0) {
 echo "</td>\n";
 echo "</tr>\n";
 
-	if ($result_count > 0) {
+if (is_array($services)) {
-		foreach($result as $row) {
+	foreach($services as $row) {
-			$tr_link = (permission_exists('service_edit')) ? "href='service_edit.php?id=".$row[service_uuid]."'" : null;
+		$tr_link = (permission_exists('service_edit')) ? "href='service_edit.php?id=".escape($row[service_uuid])."'" : null;
 		echo "<tr ".$tr_link.">\n";
 		echo "	<td valign='top' class='".$row_style[$c]."'>";
 		if (permission_exists('service_edit')) {
-				echo "<a href='service_edit.php?id=".$row[service_uuid]."'>".$row[service_name]."</a>";
+			echo "<a href='service_edit.php?id=".escape($row[service_uuid])."'>".escape($row[service_name])."</a>";
 		}
 		else {
-				echo $row[service_name];
+			echo escape($row[service_name]);
 		}
 		echo "	</td>\n";
 		echo "	<td valign='top' class='".$row_style[$c]."'>\n";
@@ -200,10 +210,10 @@ if (strlen($_GET["a"]) > 0) {
 				}
 				else {
 					if ($service_running) {
-							echo "		<a href='services.php?id=".$row[service_uuid]."&a=stop' alt='stop'>".$text['label-stop']."</a>";
+						echo "		<a href='services.php?id=".escape($row[service_uuid])."&a=stop' alt='stop'>".$text['label-stop']."</a>";
 					}
 					else {
-							echo "		<a href='services.php?id=".$row[service_uuid]."&a=start' alt='start'>".$text['label-start']."</a>";
+						echo "		<a href='services.php?id=".escape($row[service_uuid])."&a=start' alt='start'>".$text['label-start']."</a>";
 					}
 				}
 			}
@@ -234,28 +244,27 @@ if (strlen($_GET["a"]) > 0) {
 			echo "</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>\n";
 			if ($service_running) {
-					echo "		<a href='services.php?id=".$row[service_uuid]."&a=stop' alt='stop'>".$text['label-stop']."</a>";
+				echo "		<a href='services.php?id=".escape($row[service_uuid])."&a=stop' alt='stop'>".$text['label-stop']."</a>";
 			}
 			else {
-					echo "		<a href='services.php?id=".$row[service_uuid]."&a=start' alt='start'>".$text['label-start']."</a>";
+				echo "		<a href='services.php?id=".escape($row[service_uuid])."&a=start' alt='start'>".$text['label-start']."</a>";
 			}
 		}
 
-
 		echo "</td>\n";
-			echo "	<td valign='top' class='row_stylebg'>".$row[service_description]."&nbsp;</td>\n";
+		echo "	<td valign='top' class='row_stylebg'>".escape($row[service_description])."&nbsp;</td>\n";
 		echo "	<td class='list_control_icons'>";
 		if (permission_exists('service_edit')) {
-				echo "<a href='service_edit.php?id=".$row[service_uuid]."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
+			echo "<a href='service_edit.php?id=".escape($row[service_uuid])."' alt='".$text['button-edit']."'>$v_link_label_edit</a>";
 		}
 		if (permission_exists('service_delete')) {
-				echo "<a href='service_delete.php?id=".$row[service_uuid]."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
+			echo "<a href='service_delete.php?id=".escape($row[service_uuid])."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>";
 		}
 		echo "	</td>\n";
 		echo "</tr>\n";
 		if ($c==0) { $c=1; } else { $c=0; }
 	} //end foreach
-		unset($sql, $result, $row_count);
+	unset($sql, $services);
 } //end if results
 
 echo "<tr>\n";