From f88789b17a5aeab8147b5e69a1c43ef7536a03df Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Sat, 8 Jun 2019 14:26:08 -0600
Subject: [PATCH] Update conference_centers.php

---
 .../resources/classes/conference_centers.php  | 141 ++++++++++--------
 1 file changed, 78 insertions(+), 63 deletions(-)

diff --git a/app/conference_centers/resources/classes/conference_centers.php b/app/conference_centers/resources/classes/conference_centers.php
index 1049bcf0b4..a2f332f941 100644
--- a/app/conference_centers/resources/classes/conference_centers.php
+++ b/app/conference_centers/resources/classes/conference_centers.php
@@ -76,37 +76,51 @@
 				if ($not_admin) {
 					$sql .= "v_meeting_users as u, ";
 				}
-				$sql .= "where r.domain_uuid = '".$this->domain_uuid."' ";
+				$sql .= "where r.domain_uuid = :domain_uuid ";
 				$sql .= "and r.meeting_uuid = p.meeting_uuid ";
 				if ($not_admin) {
 					$sql .= "and r.meeting_uuid = u.meeting_uuid ";
-					$sql .= "and u.user_uuid = '".$_SESSION["user_uuid"]."' ";
+					$sql .= "and u.user_uuid = :user_uuid ";
+					$parameters['user_uuid'] = $user_uuid;
 				}
-				if (isset($this->search)) {
-					$sql .= "and r.meeting_uuid = '".$this->meeting_uuid."' ";
+				if (isset($this->meeting_uuid)) {
+					$sql .= "and r.meeting_uuid = :meeting_uuid ";
+					$parameters['meeting_uuid'] = $this->meeting_uuid;
 				}
 
 				if (isset($this->created_by)) {
-					$sql .= "and created_by = '".$this->created_by."' ";
-				}
-
-				$prep_statement = $this->db->prepare(check_sql($sql));
-				if ($prep_statement) {
-					$prep_statement->execute();
-					$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-					if ($row['num_rows'] > 0) {
-						return $row['num_rows'];
-					}
-					else {
-						return 0;
-					}
+					$sql .= "and created_by = :created_by ";
+					$parameters['created_by'] = $this->created_by;
 				}
+				$parameters['domain_uuid'] = $this->domain_uuid;
+				$database = new database;
+				return $database->select($sql, $parameters, 'column');
 		}
 
 		/**
 		 * get the list of conference rooms
 		 */
 		public function rooms() {
+
+			//get variables used to control the order
+				$order_by = $this->order_by;
+				$order = $this->order;
+
+			//validate order by
+				if (strlen($order_by) > 0) {
+					$order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
+				}
+
+			//validate the order
+				switch ($order) {
+					case 'asc':
+						break;
+					case 'desc':
+						break;
+					default:
+						$order = '';
+				}
+
 			//get the list of rooms
 				$not_admin = 1;
 				if (permission_exists("conference_room_view_all")) {
@@ -122,68 +136,71 @@
 				if ($not_admin) {
 					$sql .= ", v_meeting_users as u ";
 				}
-				$sql .= "where r.domain_uuid = '".$this->domain_uuid."' ";
+				$sql .= "where r.domain_uuid = :domain_uuid ";
 				$sql .= "and r.meeting_uuid = p.meeting_uuid ";
 				if ($not_admin) {
 					$sql .= "and r.meeting_uuid = u.meeting_uuid ";
-					$sql .= "and u.user_uuid = '".$_SESSION["user_uuid"]."' ";
+					$sql .= "and u.user_uuid = :user_uuid ";
+					$parameters['user_uuid'] = $_SESSION["user_uuid"];
 				}
 				//if (is_numeric($this->search)) {
 				//	$sql .= "and p.member_pin = '".$this->search."' ";
+				//	$parameters['domain_uuid'] = $this->domain_uuid;
 				//}
 				if (isset($this->search)) {
-					$sql .= "and r.meeting_uuid = '".$this->meeting_uuid."' ";
+					$sql .= "and r.meeting_uuid = :meeting_uuid ";
+					$parameters['meeting_uuid'] = $this->meeting_uuid;
 				}
 				if (isset($this->created_by)) {
-					$sql .= "and r.created_by = '".$this->created_by."' ";
+					$sql .= "and r.created_by = :created_by ";
+					$parameters['created_by'] = $this->created_by;
 				}
 				if (strlen($this->order_by) == 0) {
 					$sql .= "order by r.description, r.meeting_uuid asc ";
 				} else {
-					$sql .= "order by $this->order_by $this->order ";
+					$sql .= "order by $order_by $order ";
 				}
-				$sql .= "limit $this->rows_per_page offset $this->offset ";
-				$prep_statement = $this->db->prepare(check_sql($sql));
-				if ($prep_statement) {
-					$prep_statement->execute();
-					$rows = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-					$this->count = count($rows);
-					if ($this->count > 0) {
-						$x = 0;
-						foreach($rows as $row) {
-							//increment the array index
-								if (isset($previous) && $row["conference_room_uuid"] != $previous) { $x++; }
-							//build the array
-								$result[$x]["domain_uuid"] = $row["domain_uuid"];
-								$result[$x]["conference_room_uuid"] = $row["conference_room_uuid"];
-								$result[$x]["conference_center_uuid"] = $row["conference_center_uuid"];
-								$result[$x]["meeting_uuid"] = $row["meeting_uuid"];
-								$result[$x]["conference_room_name"] = $row["conference_room_name"];
-								$result[$x]["max_members"] = $row["max_members"];
-								$result[$x]["wait_mod"] = $row["wait_mod"];
-								$result[$x]["announce"] = $row["announce"];
-								$result[$x]["mute"] = $row["mute"];
-								$result[$x]["record"] = $row["record"];
-								$result[$x]["sounds"] = $row["sounds"];
-								$result[$x]["profile"] = $row["profile"];
-								$result[$x]["meeting_user_uuid"] = $row["meeting_user_uuid"];
-								$result[$x]["user_uuid"] = $row["user_uuid"];
-								$result[$x]["moderator_pin"] = $row["moderator_pin"];
-								$result[$x]["participant_pin"] = $row["participant_pin"];
-								$result[$x]["created"] = $row["created"];
-								$result[$x]["created_by"] = $row["created_by"];
-								$result[$x]["enabled"] = $row["enabled"];
-								$result[$x]["description"] = $row["description"];
-							//set the previous uuid
-								$previous = $row["conference_room_uuid"];
-						}
-						unset($rows);
+				$sql .= "limit :rows_per_page offset :offset ";
+				$parameters['domain_uuid'] = $this->domain_uuid;
+				$parameters['rows_per_page'] = $this->rows_per_page;
+				$parameters['offset'] = $this->offset;
+				$database = new database;
+				$conference_rooms = $database->select($sql, $parameters, 'all');
+
+				if (is_array($conference_rooms)) {
+					$x = 0;
+					foreach($conference_rooms as $row) {
+						//increment the array index
+							if (isset($previous) && $row["conference_room_uuid"] != $previous) { $x++; }
+						//build the array
+							$result[$x]["domain_uuid"] = $row["domain_uuid"];
+							$result[$x]["conference_room_uuid"] = $row["conference_room_uuid"];
+							$result[$x]["conference_center_uuid"] = $row["conference_center_uuid"];
+							$result[$x]["meeting_uuid"] = $row["meeting_uuid"];
+							$result[$x]["conference_room_name"] = $row["conference_room_name"];
+							$result[$x]["max_members"] = $row["max_members"];
+							$result[$x]["wait_mod"] = $row["wait_mod"];
+							$result[$x]["announce"] = $row["announce"];
+							$result[$x]["mute"] = $row["mute"];
+							$result[$x]["record"] = $row["record"];
+							$result[$x]["sounds"] = $row["sounds"];
+							$result[$x]["profile"] = $row["profile"];
+							$result[$x]["meeting_user_uuid"] = $row["meeting_user_uuid"];
+							$result[$x]["user_uuid"] = $row["user_uuid"];
+							$result[$x]["moderator_pin"] = $row["moderator_pin"];
+							$result[$x]["participant_pin"] = $row["participant_pin"];
+							$result[$x]["created"] = $row["created"];
+							$result[$x]["created_by"] = $row["created_by"];
+							$result[$x]["enabled"] = $row["enabled"];
+							$result[$x]["description"] = $row["description"];
+						//set the previous uuid
+							$previous = $row["conference_room_uuid"];
 					}
-					unset ($prep_statement, $sql);
+					unset($conference_rooms);
 				}
+				unset ($parameters, $sql);
 				return $result;
 		}
-		
 
 		/**
 		 * download the recordings
@@ -273,9 +290,7 @@
 
 //example conference center
 	/*
-	require_once "app/conference_centers/resources/classes/conference_center.php";
-	$conference_center = new conference_center;
-	$conference_center->db = $db;
+	$conference_center = new conference_centers;
 	$conference_center->domain_uuid = $_SESSION['domain_uuid'];
 	$conference_center->rows_per_page = 150;
 	$conference_center->offset = 0;