Code cleanup and fix possible injections when a trusted user is logge…

…d in thanks to mwdmeyer, constant_chaos, disclosure5 and rightwayround from /r/msp for pointing these issues out

alerts_archived.php

@@ -41,8 +41,8 @@
 
 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
   $dtf = "0000-00-00";
   $dtt = "9999-00-00";

assets.php

@@ -41,8 +41,8 @@
 
 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
   $dtf = "0000-00-00";
   $dtt = "9999-00-00";

campaigns.php

@@ -38,8 +38,8 @@
 
   //Date Filter
   if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
   }elseif($_GET['canned_date'] == "today"){
     $dtf = date('Y-m-d');
     $dtt = date('Y-m-d');

client_trips.php

@@ -38,8 +38,8 @@
 
 //Date From and Date To Filter
 if(isset($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
   $dtf = "0000-00-00";
   $dtt = "9999-00-00";

clients.php

@@ -48,8 +48,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['date_from'])){
-  $date_from = $_GET['date_from'];
-  $date_to = $_GET['date_to'];
+  $date_from = mysqli_real_escape_string($mysqli,$_GET['date_from']);
+  $date_to = mysqli_real_escape_string($mysqli,$_GET['date_to']);
 }elseif($_GET['canned_date'] == "today"){
   $date_from = date('Y-m-d');
   $date_to = date('Y-m-d');

expenses.php

@@ -38,8 +38,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

index.php

@@ -1,5 +1,4 @@
 <?php include("header.php"); ?>
-	<?php $os = get_ip(); ?>
 	<!-- Breadcrumbs-->
 	<ol class="breadcrumb">
 	  <li class="breadcrumb-item">
@@ -11,10 +10,4 @@
 	<!-- Page Content -->
 	<h1>Blank Page</h1>
 	<hr>
-	<p><?php echo get_user_agent(); ?></p>
-	<p><?php echo get_ip(); ?></p>
-	<p><?php echo get_os(); ?></p>
-	<p><?php echo get_web_browser(); ?></p>
-	<p><?php echo get_device(); ?></p>
-
-<?php include("footer.php"); ?>
+<?php include("footer.php"); ?>

invoices.php

@@ -89,8 +89,8 @@
 
   //Date Filter
   if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
   }elseif($_GET['canned_date'] == "today"){
     $dtf = date('Y-m-d');
     $dtt = date('Y-m-d');

logs.php

@@ -38,8 +38,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

payments.php

@@ -38,8 +38,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

quotes.php

@@ -40,8 +40,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

recurring.php

@@ -38,8 +38,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

revenues.php

@@ -38,8 +38,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

tickets.php

@@ -38,8 +38,8 @@
 
   //Date Filter
   if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
   }elseif($_GET['canned_date'] == "today"){
     $dtf = date('Y-m-d');
     $dtt = date('Y-m-d');

transfers.php

@@ -41,8 +41,8 @@
 
 //Date Filter
 if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }elseif($_GET['canned_date'] == "today"){
   $dtf = date('Y-m-d');
   $dtt = date('Y-m-d');

trips.php

@@ -38,8 +38,8 @@
 
   //Date Filter
   if($_GET['canned_date'] == "custom" AND !empty($_GET['dtf'])){
-    $dtf = $_GET['dtf'];
-    $dtt = $_GET['dtt'];
+    $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+    $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
   }elseif($_GET['canned_date'] == "today"){
     $dtf = date('Y-m-d');
     $dtt = date('Y-m-d');

vendors.php

@@ -40,8 +40,8 @@
 
 //Date From and Date To Filter
 if(!empty($_GET['dtf'])){
-  $dtf = $_GET['dtf'];
-  $dtt = $_GET['dtt'];
+  $dtf = mysqli_real_escape_string($mysqli,$_GET['dtf']);
+  $dtt = mysqli_real_escape_string($mysqli,$_GET['dtt']);
 }else{
   $dtf = "0000-00-00";
   $dtt = "9999-00-00";