Context Navigation

clients_credit.php

Revision 704, 5.5 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors

Line
1	<?php
2	/*
3	$Rev: 285 $ \| $LastChangedBy: brieb $
4	$LastChangedDate: 2007-08-27 14:05:27 -0600 (Mon, 27 Aug 2007) $
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	include("../../include/session.php");
41	include("include/fields.php");
42	include("modules/bms/include/clients_credit.php");
43
44	if(!isset($_GET["id"])) $error = new appError(300,"Passed variable not set (id)");
45
46	$clientCredit = new clientCredit($db, $_GET["id"]);
47
48	if(isset($_POST["creditlimit"])){
49	if($clientCredit->update(addSlashesToArray($_POST) ))
50	$statusmessage = "Credit Updated";
51	}
52
53	$therecord = $clientCredit->get();
54
55	//setting page title
56	$pageTitle="Credit: ";
57	if($therecord["company"]=="")
58	$pageTitle.=$therecord["firstname"]." ".$therecord["lastname"];
59	else
60	$pageTitle.=$therecord["company"];
61
62	$phpbms->cssIncludes[] = "pages/clients_credit.css";
63	$phpbms->jsIncludes[] = "modules/bms/javascript/clients_credit.js";
64
65	//Form Elements
66	//==============================================================
67	$theform = new phpbmsForm();
68
69	$theinput = new inputCheckbox("hascredit",$therecord["hascredit"],"has credit");
70	if($therecord["type"] == "prospect")
71	$theinput->setAttribute("disabled","disabled");
72	$theform->addField($theinput);
73
74	$theinput = new inputCurrency("creditlimit", $therecord["creditlimit"], "credit limit");
75	if($therecord["type"] == "prospect")
76	$theinput->setAttribute("readonly","readonly");
77	$theform->addField($theinput);
78
79	$theinput = new inputCurrency("creditleft", ($therecord["creditlimit"]-$therecord["outstanding"]), "credit left");
80	$theinput->setAttribute("readonly","readonly");
81	$theform->addField($theinput);
82
83	$theform->jsMerge();
84	//==============================================================
85	//End Form Elements
86
87
88	include("header.php");
89
90	$phpbms->showTabs("clients entry", "tab:5a6ef814-2689-4e3b-2609-db43fb3cc001", ((int) $_GET["id"]));?><div class="bodyline">
91	<form action="<?php echo htmlentities($_SERVER["REQUEST_URI"]) ?>"
92	method="post" name="record" id="record">
93	<div id="topButtons">
94	<input type="button" class="Buttons" id="update1" name="update" value="save"/>
95	</div>
96
97	<h1 id="h1Title"><span><?php echo $pageTitle ?></span></h1>
98	<input type="hidden" id="type" name="type" value="<?php echo $therecord["type"]?>" />
99
100	<fieldset>
101	<legend>Credit</legend>
102	<?php if($therecord["type"] == "prospect") {?>
103	<p class="notes">Credit can only be set for clients.</p>
104	<?php }?>
105
106	<p><?php $theform->showField("hascredit")?></p>
107
108	<p><?php $theform->showField("creditlimit")?></p>
109
110
111	<input type="hidden" id="outstanding" value="<?php echo $therecord["outstanding"]?>" />
112	<p><?php $theform->showField("creditleft")?></p>
113	</fieldset>
114
115	<?php if($therecord["hascredit"]) {?>
116
117	<fieldset>
118	<legend>open items</legend>
119	<div class="fauxP">
120
121	<?php $clientCredit->showHistory($_GET["id"])?>
122
123	</div>
124	</fieldset>
125
126	<?php } //end if?>
127
128	<div align="right">
129	<input type="button" class="Buttons" id="update2" name="update" value="save"/>
130	</div>
131
132	</form>
133	</div>
134	<?php include("footer.php");?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/clients_credit.php

Download in other formats: