Context Navigation

receipts_addedit.php

Revision 704, 10.5 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors

Line
1	<?php
2	/*
3	+-------------------------------------------------------------------------+
4	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
5	\| All rights reserved. \|
6	+-------------------------------------------------------------------------+
7	\| \|
8	\| Redistribution and use in source and binary forms, with or without \|
9	\| modification, are permitted provided that the following conditions are \|
10	\| met: \|
11	\| \|
12	\| - Redistributions of source code must retain the above copyright \|
13	\| notice, this list of conditions and the following disclaimer. \|
14	\| \|
15	\| - Redistributions in binary form must reproduce the above copyright \|
16	\| notice, this list of conditions and the following disclaimer in the \|
17	\| documentation and/or other materials provided with the distribution. \|
18	\| \|
19	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
20	\| be used to endorse or promote products derived from this software \|
21	\| without specific prior written permission. \|
22	\| \|
23	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
24	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
25	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
26	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
27	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
28	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
29	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
30	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
31	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
32	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
33	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
34	\| \|
35	+-------------------------------------------------------------------------+
36	*/
37	include("../../include/session.php");
38	include("include/tables.php");
39	include("include/fields.php");
40	include("modules/bms/include/receipts.php");
41
42	if(!isset($_GET["backurl"]))
43	$backurl = NULL;
44	else{
45	$backurl = $_GET["backurl"];
46	if(isset($_GET["refid"]))
47	$backurl .= "?refid=".$_GET["refid"];
48	}
49
50	if(!isset($_GET["id"]))
51	$_GET["id"] = 0;
52	$_GET["id"] = (int) $_GET["id"];
53
54	if(isset($_POST["referrer"]))
55	$_SERVER['HTTP_REFERER'] = $_POST["referrer"];
56
57	$thetable = new receipts($db,"tbld:43678406-be25-909b-c715-7e2afc7db601", $backurl);
58	$therecord = $thetable->processAddEditPage();
59
60	if($therecord["id"]){
61	if($thetable->receiptitems === NULL)
62	$thetable->receiptitems = new receiptitems($db);
63	}//end if
64
65	$pageTitle = "Receipt";
66
67	$phpbms->cssIncludes[] = "pages/receipts.css";
68	$phpbms->jsIncludes[] = "modules/bms/javascript/receipt.js";
69	$phpbms->jsIncludes[] = "modules/bms/javascript/paymentprocess.js";
70
71	if(isset($therecord["phpbmsStatus"]))
72	$statusmessage = $therecord["phpbmsStatus"];
73
74	//Form Elements
75	//==============================================================
76	$theform = new phpbmsForm();
77
78	$theinput = new inputField("theid", $therecord["id"], "id", false, NULL, 11);
79	$theinput->setAttribute("readonly", "readonly");
80	$theinput->setAttribute("class", "uneditable");
81	$theform->addField($theinput);
82
83	$theinput = new inputDatePicker("receiptdate", $therecord["receiptdate"], "date", true);
84	$theform->addField($theinput);
85
86	$theinput = new inputBasicList("status",$therecord["status"],array("open"=>"open","collected"=>"collected"));
87	$theform->addField($theinput);
88
89	$theinput = new inputCheckBox("readytopost",$therecord["readytopost"],"ready to post");
90	$theform->addField($theinput);
91
92	$theinput = new inputCheckBox("posted", $therecord["posted"] ,"posted");
93	$theinput->setAttribute("disabled","disabled");
94	$theform->addField($theinput);
95
96	$theinput = new inputSmartSearch($db, "clientid", "Pick Client With Credit", $therecord["clientid"], "client", true, 51);
97	$theinput->setAttribute("class","important");
98	$theform->addField($theinput);
99
100	$theinput = new inputCurrency("amount", $therecord["amount"], "amount", true);
101	$theinput->setAttribute("class","important");
102	$theform->addField($theinput);
103
104	$theinput = new inputComparisonField("ccnumber", $therecord["ccnumber"], "card number", false, false, 28,40);
105	$theform->addField($theinput);
106
107	$theinput = new inputComparisonField("ccexpiration", $therecord["ccexpiration"], "expiration", false, false, 8,10);
108	$theform->addField($theinput);
109
110	$theinput = new inputComparisonField("ccverification", $therecord["ccverification"], "verification/pin", false, false, 8,7);
111	$theform->addField($theinput);
112
113	$theinput = new inputField("bankname", $therecord["bankname"], "bank name", false, false, 30, 64);
114	$theform->addField($theinput);
115
116	$theinput = new inputField("checkno", $therecord["checkno"], "check number", false, false, 20 , 32);
117	$theform->addField($theinput);
118
119	$theinput = new inputComparisonField("accountnumber", $therecord["accountnumber"], "account number", false, NULL, 20, 64);
120	$theform->addField($theinput);
121
122	$theinput = new inputComparisonField("routingnumber", $therecord["routingnumber"], "routing number", false, NULL, 30, 64);
123	$theform->addField($theinput);
124
125	$theinput = new inputField("transactionid", $therecord["transactionid"], "transaction id", false, false, 32, 64);
126	$theform->addField($theinput);
127
128	$theinput = new inputChoiceList($db,"paymentother",$therecord["paymentother"],"receiptother", "reason");
129	$theform->addField($theinput);
130
131	$theinput = new inputTextarea("memo", $therecord["memo"], NULL, false, 3, 48, false);
132	$theform->addField($theinput);
133
134	$thetable->getCustomFieldInfo();
135	$theform->prepCustomFields($db, $thetable->customFieldsQueryResult, $therecord);
136	$theform->jsMerge();
137	//==============================================================
138
139	include("header.php");
140
141	?><div class="bodyline">
142	<form action="<?php echo htmlentities($_SERVER["REQUEST_URI"]) ?>" method="post" name="record" id="record">
143
144	<div id="topButtons"><?php showSaveCancel(1); ?></div>
145
146	<h1 class="h1Title"><span><?php echo $pageTitle?></span></h1>
147
148	<div id="rightSide">
149	<fieldset>
150	<legend>attributes</legend>
151
152	<p><?php $theform->showField("theid")?></p>
153
154	<p><?php $theform->showField("receiptdate")?></p>
155
156	<?php if($therecord["posted"]) { ?>
157	<p><?php $theform->showField("posted")?></p>
158	<?php }//endif ?>
159
160	<p><?php $theform->showField("status")?></p>
161
162	<p><?php $theform->showField("readytopost")?></p>
163
164	</fieldset>
165	</div>
166
167	<div id="leftSide">
168
169	<fieldset>
170	<legend>Client / Amount</legend>
171
172	<div class="fauxP big"><?php $theform->showField("clientid")?></div>
173
174	<p><?php $theform->showField("amount")?></p>
175
176	</fieldset>
177
178	<fieldset>
179	<legend>Receipt Type</legend>
180	<p><?php $thetable->showPaymentOptions($therecord["paymentmethodid"])?></p>
181
182	<div id="draft" class="paymentTypes">
183
184	<p id="bankNameP"><?php $theform->showField("bankname")?></p>
185
186	<p ><?php $theform->showField("checkno")?></p>
187
188	<p id="routingNumberP" ><?php $theform->showField("routingnumber")?></p>
189
190	<p><?php $theform->showField("accountnumber")?></p>
191
192	</div>
193
194	<div id="charge" class="paymentTypes">
195
196	<p id="ccNumberP"><?php $theform->showField("ccnumber")?></p>
197
198	<p><?php $theform->showField("ccexpiration")?></p>
199
200	<p><?php $theform->showField("ccverification")?></p>
201
202	</div>
203
204	<div id="other" class="paymentTypes">
205
206	<p><?php $theform->showField("paymentother")?></p>
207
208	</div>
209
210	<div id="transactionP">
211
212	<input type="hidden" id="processscript" />
213
214	<p id="transactionidP"><?php $theform->showField("transactionid")?></p>
215
216	<p>
217	<br/>
218	<button id="paymentProcessButton" type="button" class="graphicButtons buttonMoney" title="process payment online"><span>process payment online</span></button>
219	</p>
220
221	</div>
222
223	</fieldset>
224
225	</div>
226
227	<fieldset>
228	<legend>Distribution Items</legend>
229
230	<div id="arRightButtons">
231	<button type="button" class="smallButtons" id="loadOpenButton">load open AR items</button>
232	<button type="button" class="smallButtons" id="autoApplyButton">auto-apply</button>
233	</div>
234
235	<div>
236	<button type="button" id="addARItemButton" class="graphicButtons buttonPlus" title="add item"><span>+</span></button>
237	distribution remaining: <input type="text" id="distributionRemaining" class="invisibleTextField" readonly="readonly"/>
238	</div>
239
240	<input type="hidden" id="itemschanged" name="itemschanged" />
241	<input type="hidden" id="itemslist" name="itemslist" />
242	<table class="querytable" border="0" cellpadding="0" cellspacing="0" id="itemsTable">
243
244	<thead>
245	<tr>
246	<th align="left" nowrap="nowrap">doc ref</th>
247	<th align="left">type</th>
248	<th align="left" nowrap="nowrap">doc date</th>
249	<th align="left" nowrap="nowrap">due date</th>
250	<th align="right" width="100%" nowrap="nowrap">doc amount</th>
251	<th align="right" nowrap="nowrap">doc due</th>
252	<th align="right">applied</th>
253	<th align="right">discount</th>
254	<th align="right" nowrap="nowrap">tax adj.</th>
255	<th> </th>
256	</tr>
257	</thead>
258
259	<tfoot>
260	<tr class="queryfooter">
261	<td colspan="5" align="right"> </td>
262	<td><input id="totaldue" class="invisibleTextField currency" size="10" maxlength="12" readonly="readonly" value="$0.00"/></td>
263	<td><input id="totalapplied" class="invisibleTextField currency" size="10" maxlength="12" readonly="readonly" value="$0.00"/></td>
264	<td colspan="3"> </td>
265	</tr>
266	</tfoot>
267
268	<tbody id="itemsTbody">
269	<?php
270	if($therecord["id"]){
271	$thetable->receiptitems->show($therecord["itemslist"], $therecord["posted"], $therecord["uuid"]);
272	}//end if
273	?>
274	</tbody>
275	</table>
276
277	</fieldset>
278
279	<fieldset>
280	<legend>notes</legend>
281
282	<p><?php $theform->showField("memo")?></p>
283
284	</fieldset>
285
286	<?php $theform->showCustomFields($db, $thetable->customFieldsQueryResult) ?>
287
288	<?php $theform->showGeneralInfo($phpbms,$therecord) ?>
289	</form>
290	</div>
291	<?php include("footer.php")?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/receipts_addedit.php

Download in other formats: