From c81b948be5463780397694e2da95dabea1e5afc2 Mon Sep 17 00:00:00 2001 From: AlexanderDCrane <40072887+AlexanderDCrane@users.noreply.github.com> Date: Tue, 28 May 2019 14:36:42 -0600 Subject: [PATCH 1/2] Update call_block.php --- app/call_block/call_block.php | 50 ++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/app/call_block/call_block.php b/app/call_block/call_block.php index 7d76bf0fa6..d3cb633687 100644 --- a/app/call_block/call_block.php +++ b/app/call_block/call_block.php @@ -50,6 +50,21 @@ require_once "resources/require.php"; $order_by = $_GET["order_by"]; $order = $_GET["order"]; +//validate order by + if (strlen($order_by) > 0) { + $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by); + } + +//validate the order + switch ($order) { + case 'asc': + break; + case 'desc': + break; + default: + $order = ''; + } + //show the content echo "\n"; echo " \n"; @@ -65,19 +80,11 @@ require_once "resources/require.php"; //prepare to page the results $sql = "select count(*) as num_rows from v_call_block "; - $sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' "; - if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; } - $prep_statement = $db->prepare($sql); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - if ($row['num_rows'] > 0) { - $num_rows = $row['num_rows']; - } - else { - $num_rows = '0'; - } - } + $sql .= "where domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = $domain_uuid; + $database = new database; + $num_rows = $database->select($sql, $parameters, 'column'); + //unset($parameters); //prepare to page the results $rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50; 
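Review bot: The character class in `$order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);` still admits hyphens, which occur in no column name here while `--` opens a SQL comment, so the filtered value remains unsafe to interpolate into `order by $order_by $order`, which the list query in the third hunk of this file still does. Validate against an explicit allowlist of sortable columns instead, e.g. `if (!in_array($order_by, ['call_block_number' /* , other sortable columns */], true)) { $order_by = ''; }`, so that only known identifiers ever reach the query string. The `switch ($order)` block can shrink to `$order = in_array($order, ['asc', 'desc'], true) ? $order : '';` with the same effect. This block's enclosing script continues outside the hunk.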
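Review bot: `$parameters['domain_uuid'] = $domain_uuid;` binds a variable that nothing in this hunk assigns, whereas the removed line read `$_SESSION['domain_uuid']`; if `$domain_uuid` is not set earlier in the file the count query is bound to null and silently matches nothing. Confirm that assignment exists or bind `$_SESSION['domain_uuid']` directly. The commented-out `//unset($parameters);` also hides a real dependency — the list query further down reuses this array for its `domain_uuid` binding — so replace the dead line with `// keep $parameters: the list query below reuses the domain_uuid binding`. The removed code normalised a missing count to `'0'`; check what `select($sql, $parameters, 'column')` yields when no row comes back and default `$num_rows` explicitly, since the paging arithmetic that follows consumes it.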
@@ -89,18 +96,17 @@ require_once "resources/require.php"; //get the list $sql = "select * from v_call_block "; - $sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' "; - if (strlen($order_by)> 0) { + $sql .= "where domain_uuid = :domain_uuid "; + if (strlen($order_by) > 0) { $sql .= "order by $order_by $order "; } else { $sql .= "order by call_block_number asc "; } - $sql .= " limit $rows_per_page offset $offset "; - $prep_statement = $db->prepare(check_sql($sql)); - $prep_statement->execute(); - $result = $prep_statement->fetchAll(); - $result_count = count($result); - unset ($prep_statement, $sql); + $sql .= "limit :rows_per_page offset :offset "; + $database = new database; + $parameters['rows_per_page'] = $rows_per_page; + $parameters['offset'] = $offset; + $result = $database->select($sql, $parameters, 'all'); //table headers $c = 0; @@ -122,7 +128,7 @@ require_once "resources/require.php"; echo "\n"; //show the results - if ($result_count > 0) { + if (is_array($result)) { foreach($result as $row) { $tr_link = (permission_exists('call_block_edit')) ? "href='call_block_edit.php?id=".$row['call_block_uuid']."'" : null; echo "\n"; From 6918f80755e4c8f475d25b97655d63c5b5db408d Mon Sep 17 00:00:00 2001 From: FusionPBX Date: Tue, 28 May 2019 14:53:36 -0600 Subject: [PATCH 2/2] Update call_block.php --- app/call_block/call_block.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/call_block/call_block.php b/app/call_block/call_block.php index d3cb633687..27d33795c9 100644 --- a/app/call_block/call_block.php +++ b/app/call_block/call_block.php @@ -63,7 +63,7 @@ require_once "resources/require.php"; break; default: $order = ''; - } + } //show the content echo "
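Review bot: `$parameters['rows_per_page'] = $rows_per_page;` and `$parameters['offset'] = $offset;` bind values whose types are not fixed at this point (`$rows_per_page` comes from a session string or the literal 50, and `$offset` is computed outside the hunk), so depending on how `database::select` binds them a non-integer may reach `limit :rows_per_page offset :offset` as text; cast before binding, `$parameters['rows_per_page'] = (int) $rows_per_page;` and `$parameters['offset'] = (int) $offset;`. A second `$database = new database;` is created here although the count query above already constructed one; reusing that instance is sufficient. `$result_count = count($result);` is dropped together with `unset ($prep_statement, $sql);` — if `$result_count` is read anywhere outside these hunks (for example in a paging footer) it is now undefined, so that should be checked before merging.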
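Review bot: `if (is_array($result)) {` is also true for an empty array, so an empty result set now takes the same branch as a populated one, whereas the old `$result_count > 0` test distinguished them. If `database::select(..., 'all')` returns `[]` rather than `false` when nothing matches, any "no records" handling that follows this block (outside the hunk) is no longer reached; if that distinction matters, use `if (is_array($result) && count($result) > 0) {`. A short comment stating what `select` returns on an empty set and on failure would make the intent of this guard clear to the next reader.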
\n";