

Improved Security & New Functions
Improved Security
Changed most queries to bind parameters
Escaped all parameters
Added "Close" Ticket function
Added "Reply" Ticket function
BMSVieira committed Jun 23, 2022
1 parent 7980754 commit e42776c
Showing 7 changed files with 232 additions and 19 deletions.
7 changes: 5 additions & 2 deletions ost_wbs/classes/class.department.php
Expand Up @@ -3,6 +3,9 @@ class Department
{
public function all($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down Expand Up @@ -61,6 +64,8 @@ public function all($parameters)

public function specific($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Expand Down Expand Up @@ -176,7 +181,5 @@ private function execQuery($string)
throw new Exception("Something went wrong.");
}
}


}
?>
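Review bot: `Helper::escapeParameters` at the top of `all()` and `specific()` rewrites every value with `mysqli_real_escape_string`, which is only correct for values that are later concatenated into a quoted SQL literal. The commit message says most queries were moved to bound parameters; a value that is escaped and then bound keeps its backslashes, so a filter such as `O'Brien` is sent as `O\'Brien` and stops matching. The query bodies of both methods are outside the hunk, so I cannot confirm which path they take here; the rule should be escape or bind, never both, and a one-line comment at the call site saying which context the values go into would keep the next maintainer from adding the other. The call also runs before `Helper::validRequest`, so a rejected request method still opens a database connection inside the helper; placing `Helper::validRequest($validRequests);` before the escaping call keeps the rejection path free of database work.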
6 changes: 6 additions & 0 deletions ost_wbs/classes/class.faq.php
Expand Up @@ -5,6 +5,9 @@ class Faq

public function all($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down Expand Up @@ -79,6 +82,9 @@ public function all($parameters)

public function specific($parameters,$exception = FALSE)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down
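Review bot: In both `all()` and `specific()` the new escaping call runs before `Helper::checkRequest`, so a request whose `parameters` key is missing or not an array reaches the `foreach` inside `Helper::escapeParameters` before any validation and produces a PHP warning (or a `TypeError` on PHP 8 when a value is itself an array) instead of the controlled exception the checks are meant to give. Guard the input at the call site or in the helper, e.g. `if (!is_array($parameters["parameters"])) { throw new Exception("Invalid parameters."); }`. Note also that `mysqli_real_escape_string` only makes a value safe inside a quoted string literal; if these methods now bind values with prepared statements, as the commit message says, the escaping is redundant and stores literal backslashes. The remainder of both methods is outside the hunk.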
14 changes: 14 additions & 0 deletions ost_wbs/classes/class.helper.php
Expand Up @@ -63,6 +63,20 @@ static function get_last_id($table, $field)
return $printLastId->$field;
}

/* Escape parameters */
static function escapeParameters($parameters)
{
// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();

foreach($parameters as $key=>$value) {
$parameters[$key] = mysqli_real_escape_string($mysqli, $parameters[$key]);
}

return $parameters;
}

// Check parameters
static function checkRequest($parameters, $expectedParameters)
{
Expand Down
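Review bot: `escapeParameters` assumes `$parameters` is an array of scalars: a missing or non-array argument makes the `foreach` warn and return the input unchanged, and a nested array value reaches `mysqli_real_escape_string`, which raises a `TypeError` on PHP 8, so in both cases the caller gets no controlled exception. The helper is also only correct for values that end up inside a quoted SQL literal; it does nothing for values interpolated unquoted into a numeric position or used as an identifier (spaces, `=` and `-` are left intact), so callers must still validate those and the header comment should say so. Every call additionally opens a new `DBConnection`, which matters because each class now calls this on every request before the method check; accepting the caller's connection as an optional argument avoids the extra connection. A hardened version:
```php
    /* Escape scalar parameters for use inside QUOTED SQL string literals only.
       Does not protect unquoted numeric positions or identifiers; callers must
       validate those (e.g. ctype_digit) separately. */
    static function escapeParameters($parameters, $mysqli = NULL)
    {
        if (!is_array($parameters)) { throw new Exception("Invalid parameters."); }

        // Connect Database only when the caller did not pass a connection
        if ($mysqli === NULL) {
            $Dbobj = new DBConnection();
            $mysqli = $Dbobj->getDBConnect();
        }

        foreach($parameters as $key=>$value) {
            // mysqli_real_escape_string accepts strings only; reject nested arrays explicitly
            if (is_array($value)) { throw new Exception("Invalid parameters."); }
            $parameters[$key] = mysqli_real_escape_string($mysqli, (string)$value);
        }

        return $parameters;
    }
```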
25 changes: 16 additions & 9 deletions ost_wbs/classes/class.sla.php
Expand Up @@ -3,6 +3,9 @@ class Sla
{
public function all($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down Expand Up @@ -60,7 +63,9 @@ public function all($parameters)

public function specific($parameters)
{

// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();
Expand Down Expand Up @@ -117,7 +122,7 @@ public function add($parameters)
Helper::checkRequest($parameters, $expectedParameters);

// Check if row already exists
if($this->checkExists('name', $parameters["parameters"]['name'])) { throw new Exception("Item Already exists"); }
if($this->checkExists('name', $parameters["parameters"]['name'], "sla")) { throw new Exception("Item Already exists"); }

// Prepare query
$paramOrder = "";
Expand Down Expand Up @@ -165,7 +170,7 @@ public function delete($parameters)
$paramOrder = "";
$valuesOrder = "";

if($this->checkExists('id', $parameters["parameters"]['id']) == 0) { throw new Exception("Item does not exist."); }
if($this->checkExists('id', $parameters["parameters"]['id'], "sla") == 0) { throw new Exception("Item does not exist."); }

foreach ($parameters["parameters"] as $key => $value) {

Expand All @@ -188,19 +193,21 @@ public function delete($parameters)

}

private function checkExists($field, $value)
private function checkExists($field, $value, $table)
{

// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();

// Check if already exists
$checkExists = $mysqli->query("SELECT * FROM ".TABLE_PREFIX."sla WHERE ".TABLE_PREFIX."sla.".$field." = '".$value."'");
$numRows = $checkExists->num_rows;
$stmt = $mysqli->prepare("SELECT * FROM ".TABLE_PREFIX."".$table." WHERE ".$field." = ?");
$stmt->bind_param('s', $value);
$stmt->execute();

return $numRows;
$result = $stmt->get_result();
$numRows = $result->num_rows;

return $numRows;
}

private function execQuery($string)
Expand All @@ -221,4 +228,4 @@ private function execQuery($string)
}

}
?>
?>
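Review bot: The new `checkExists` binds the value but still interpolates `$table` and `$field` into the statement text; that is safe only while every call site passes string constants, which the visible callers in `add()` and `delete()` do, so it deserves a comment such as `// $field/$table are identifiers and cannot be bound: callers must pass literals, never request data`. `prepare()` returns `false` on a malformed statement and the next line then calls `bind_param` on `false`, a fatal error rather than the `Exception("Something went wrong.")` the rest of the class throws; add `if ($stmt === false) { throw new Exception("Something went wrong."); }` after the `prepare` call. The same method body now also appears verbatim in `class.ticket.php`; since both take a `$table` argument, one copy in `Helper` would do. The `add()` and `delete()` hunks still show queries assembled from `$paramOrder`/`$valuesOrder` strings whose construction lies outside the hunk, so I cannot tell whether those paths were converted.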
175 changes: 173 additions & 2 deletions ost_wbs/classes/class.ticket.php
Expand Up @@ -40,6 +40,10 @@ function compileResults($result)

public function all($parameters)
{

// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down Expand Up @@ -142,6 +146,10 @@ public function all($parameters)

public function specific($parameters)
{

// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand All @@ -159,7 +167,7 @@ public function specific($parameters)

// Fetch data
while($PrintTickets = $getTickets->fetch_object()){ array_push($result, self::compileResults($PrintTickets)); }
// Check if there are some results in the array
if(!$result){
throw new Exception("No items found.");
Expand All @@ -174,6 +182,8 @@ public function specific($parameters)

public function add($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Permission
Helper::checkPermission();
Expand Down Expand Up @@ -281,7 +291,150 @@ public function add($parameters)
return $this->execQuery($thread_entry);

}


public function reply($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Permission
Helper::checkPermission();

// Check Request method
$validRequests = array("POST", "PUT");
Helper::validRequest($validRequests);

// Expected parameters
$expectedParameters = array("ticket_id", "body", "staff_id");

// Check if all paremeters are correct
Helper::checkRequest($parameters, $expectedParameters);

// Check if ticket exists
if($this->checkExists('ticket_id', $parameters["parameters"]['ticket_id'], "ticket") == 0) { throw new Exception("Ticket does not exist."); }
// Check if staff exists
if($this->checkExists('staff_id', $parameters["parameters"]['staff_id'], "staff") == 0) { throw new Exception("Staff does not exist."); }

// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();

// Prepare query

// Get thread ID from Ticket ID
$stmt = $mysqli->prepare("SELECT * FROM ".TABLE_PREFIX."thread WHERE object_id = ?");
$stmt->bind_param('s', $parameters["parameters"]['ticket_id']);
$stmt->execute();

$result = $stmt->get_result();
$row = $result->fetch_object();

$thread_id = $row->id;

// Add rows with thread ID
$thread = 'insert into '.TABLE_PREFIX.'thread_entry (';
$thread .= 'thread_id,';
$thread .= 'staff_id,';
$thread .= 'body,';
$thread .= 'source,';
$thread .= 'type,';
$thread .= 'created,';
$thread .= 'updated) VALUES (';
$thread .= ''.$thread_id.',';
$thread .= ''.$parameters["parameters"]["staff_id"].',';
$thread .= '"<p>'.utf8_decode($parameters["parameters"]["body"]).'</p>",';
$thread .= '"API",';
$thread .= '"R",';
$thread .= 'now(),';
$thread .= 'now())';

// Send query to be executed
$this->execQuery($thread);

// Update last response in thread_id
$threadUpdate = 'update '.TABLE_PREFIX.'thread SET ';
$threadUpdate .= 'lastresponse = now(), ';
$threadUpdate .= 'lastmessage = now() WHERE ';
$threadUpdate .= 'id = '.$thread_id.'';

// Send query to be executed
return $this->execQuery($threadUpdate);;
}

public function close($parameters)
{

// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Permission
Helper::checkPermission();

// Check Request method
$validRequests = array("POST", "PUT");
Helper::validRequest($validRequests);

// Expected parameters
$expectedParameters = array("ticket_id", "body", "staff_id","status_id", "team_id", "dept_id", "topic_id", "username");

// Check if all paremeters are correct
Helper::checkRequest($parameters, $expectedParameters);

// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();

// Prepare date to send to reply function
$sendParam["parameters"]["ticket_id"] = $parameters["parameters"]['ticket_id'];
$sendParam["parameters"]["body"] = $parameters["parameters"]['body'];
$sendParam["parameters"]["staff_id"] = $parameters["parameters"]['staff_id'];

// Set Reply
self::reply($sendParam);

// Get thread ID from Ticket ID
$stmt = $mysqli->prepare("SELECT * FROM ".TABLE_PREFIX."thread WHERE object_id = ?");
$stmt->bind_param('s', $parameters["parameters"]['ticket_id']);
$stmt->execute();

$result = $stmt->get_result();
$row = $result->fetch_object();
$thread_id = $row->id;

// Update ticket status
$ticketStatusUpdate = 'update '.TABLE_PREFIX.'ticket SET ';
$ticketStatusUpdate .= 'status_id = '.$parameters["parameters"]["status_id"].', ';
$ticketStatusUpdate .= 'updated = now() WHERE ';
$ticketStatusUpdate .= 'ticket_id = '.$parameters["parameters"]["ticket_id"].'';

// Insert into event thread
$threadEvent = 'insert into '.TABLE_PREFIX.'thread_event (';
$threadEvent .= 'thread_id,';
$threadEvent .= 'thread_type,';
$threadEvent .= 'event_id,';
$threadEvent .= 'staff_id,';
$threadEvent .= 'team_id,';
$threadEvent .= 'dept_id,';
$threadEvent .= 'topic_id,';
$threadEvent .= 'username,';
$threadEvent .= 'timestamp) VALUES (';
$threadEvent .= ''.$thread_id.',';
$threadEvent .= '"T",';
$threadEvent .= '2,';
$threadEvent .= ''.$parameters["parameters"]["staff_id"].',';
$threadEvent .= ''.$parameters["parameters"]["team_id"].',';
$threadEvent .= ''.$parameters["parameters"]["dept_id"].',';
$threadEvent .= ''.$parameters["parameters"]["topic_id"].',';
$threadEvent .= '"'.$parameters["parameters"]["username"].'",';
$threadEvent .= 'now())';

// Send query to be executed
$this->execQuery($threadEvent);

// Send query to be executed
return $this->execQuery($ticketStatusUpdate);;
}

private function execQuery($string)
{
// Connect Database
Expand All @@ -297,5 +450,23 @@ private function execQuery($string)
throw new Exception("Something went wrong.");
}
}

private function checkExists($field, $value, $table)
{
// Connect Database
$Dbobj = new DBConnection();
$mysqli = $Dbobj->getDBConnect();

// Check if already exists
$stmt = $mysqli->prepare("SELECT * FROM ".TABLE_PREFIX."".$table." WHERE ".$field." = ?");
$stmt->bind_param('s', $value);
$stmt->execute();

$result = $stmt->get_result();
$numRows = $result->num_rows;

return $numRows;
}

}
?>
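Review bot: In `close()` the values of `status_id`, `team_id`, `dept_id`, `topic_id` and `ticket_id` are concatenated unquoted into the `UPDATE` and the `thread_event` `INSERT`, and `reply()` does the same with `staff_id`; `mysqli_real_escape_string` only escapes quote and control characters, so an input such as `1 OR 1=1` passes unchanged into an unquoted numeric position and the escaping at the top of the method does not close the injection. The `checkExists` calls in `reply()` do not guarantee the value is a plain integer either, since MySQL appears to compare a numeric column against such a string by its leading digits (confirm against the column types), and `close()` checks none of its extra ids at all. Validate every id as digits before use, or move these statements to the `prepare`/`bind_param` form already used for the `thread` lookup; `close()` should also handle `fetch_object()` returning `null` when no thread row exists, since `$row->id` is dereferenced unconditionally. Smaller points: `utf8_decode` is deprecated since PHP 8.2, the body is wrapped in raw `<p>` markup with no HTML escaping (presumably relying on the consumer to sanitise — confirm), and the `;;` after both `return $this->execQuery(...)` calls is a stray empty statement. A digit check at the top of `close()` (with the same for `ticket_id`/`staff_id` in `reply()`):
```php
        // Check if all paremeters are correct
        Helper::checkRequest($parameters, $expectedParameters);

        // Ids are interpolated unquoted below; string escaping does not protect that context
        foreach (array("ticket_id", "staff_id", "status_id", "team_id", "dept_id", "topic_id") as $idField) {
            if (!ctype_digit((string)$parameters["parameters"][$idField])) {
                throw new Exception("Invalid ".$idField.".");
            }
        }

        // … unchanged: connect, reply, thread lookup, status update, thread_event insert …
```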
3 changes: 3 additions & 0 deletions ost_wbs/classes/class.topics.php
Expand Up @@ -5,6 +5,9 @@ class Topics

public function all($parameters)
{
// Escape Parameters
$parameters['parameters'] = Helper::escapeParameters($parameters["parameters"]);

// Check Request method
$validRequests = array("GET");
Helper::validRequest($validRequests);
Expand Down
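Review bot: The escaping call is placed ahead of `Helper::validRequest`, so a request with a disallowed method still opens a database connection inside `Helper::escapeParameters` before being rejected; putting `Helper::validRequest($validRequests);` first keeps the rejection path free of database work. The rest of `all()` is outside the hunk, so whether the escaped values are then concatenated into a quoted literal (where the escape is correct) or bound (where it double-escapes) is not visible here.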
