
Database class integration.

Nate 6 anni fa
parent
commit
d35d08c4af
6 ha cambiato i file con 285 aggiunte e 259 eliminazioni
  1. 14 14
      contact_url_delete.php
  2. 67 72
      contact_url_edit.php
  3. 13 13
      contact_urls.php
  4. 13 9
      contact_user_delete.php
  5. 101 81
      contacts.php
  6. 77 70
      contacts_vcard.php

+ 14 - 14
contact_url_delete.php

@@ -38,24 +38,24 @@ else {
 	$language = new text;
 	$text = $language->get();
 
-if (count($_GET)>0) {
-	$id = check_str($_GET["id"]);
-	$contact_uuid = check_str($_GET["contact_uuid"]);
-}
+$contact_url_uuid = $_GET["id"];
+$contact_uuid = $_GET["contact_uuid"];
+
+if (is_uuid($contact_url_uuid) && is_uuid($contact_uuid)) {
+
+	$array['contact_urls'][0]['contact_url_uuid'] = $contact_url_uuid;
+	$array['contact_urls'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
 
-if (strlen($id)>0) {
-	$sql = "";
-	$sql .= "delete from v_contact_urls ";
-	$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
-	$sql .= "and contact_url_uuid = '".$id."' ";
+	$database = new database;
+	$database->app_name = 'contacts';
+	$database->app_uuid = '04481e0e-a478-c559-adad-52bd4174574c';
+	$database->delete($array);
+	unset($array);
 
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	unset($sql);
+	message::add($text['message-delete']);
 }
 
-message::add($text['message-delete']);
 header("Location: contact_edit.php?id=".$contact_uuid);
-return;
+exit;
 
 ?>
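Review bot: The redirect at the bottom of the hunk still interpolates `$contact_uuid` straight from `$_GET["contact_uuid"]` even when the `is_uuid()` guard above it fails, so an invalid value is reflected into the Location header and the user gets no message that nothing was deleted. Reading `$_GET["id"]` and `$_GET["contact_uuid"]` without `isset()` also raises undefined-index notices on a bare request. I would reject the invalid case explicitly before the delete, e.g. `if (!is_uuid($contact_url_uuid) || !is_uuid($contact_uuid)) { header("Location: contacts.php"); exit; }`, and keep the existing redirect for the validated path only. Whether `$database->delete()` scopes the row by the `domain_uuid` element of the array as the removed SQL did is not visible here and is worth confirming against the database class.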

+ 67 - 72
contact_url_edit.php

@@ -40,37 +40,37 @@ else {
 	$text = $language->get();
 
 //action add or update
-	if (isset($_REQUEST["id"])) {
+	if (is_uuid($_REQUEST["id"])) {
 		$action = "update";
-		$contact_url_uuid = check_str($_REQUEST["id"]);
+		$contact_url_uuid = $_REQUEST["id"];
 	}
 	else {
 		$action = "add";
 	}
 
 //get the contact uuid
-	if (strlen($_GET["contact_uuid"]) > 0) {
-		$contact_uuid = check_str($_GET["contact_uuid"]);
+	if (is_uuid($_GET["contact_uuid"])) {
+		$contact_uuid = $_GET["contact_uuid"];
 	}
 
 //get http post variables and set them to php variables
 	if (count($_POST) > 0) {
-		$url_label = check_str($_POST["url_label"]);
-		$url_label_custom = check_str($_POST["url_label_custom"]);
-		$url_address = check_str($_POST["url_address"]);
-		$url_primary = check_str($_POST["url_primary"]);
-		$url_description = check_str($_POST["url_description"]);
+		$url_label = $_POST["url_label"];
+		$url_label_custom = $_POST["url_label_custom"];
+		$url_address = $_POST["url_address"];
+		$url_primary = $_POST["url_primary"];
+		$url_description = $_POST["url_description"];
 
 		//use custom label if set
-		$url_label = ($url_label_custom != '') ? $url_label_custom : $url_label;
+		$url_label = $url_label_custom != '' ? $url_label_custom : $url_label;
 	}
 
 //process the form data
-	if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
+	if (is_array($_POST) && @sizeof($_POST) != 0 && strlen($_POST["persistformvar"]) == 0) {
 
 		//set the uuid
 			if ($action == "update") {
-				$contact_url_uuid = check_str($_POST["contact_url_uuid"]);
+				$contact_url_uuid = $_POST["contact_url_uuid"];
 			}
 
 		//check for all required data
@@ -92,89 +92,84 @@ else {
 			if ($_POST["persistformvar"] != "true") {
 
 				//update last modified
-				$sql = "update v_contacts set ";
-				$sql .= "last_mod_date = now(), ";
-				$sql .= "last_mod_user = '".$_SESSION['username']."' ";
-				$sql .= "where domain_uuid = '".$domain_uuid."' ";
-				$sql .= "and contact_uuid = '".$contact_uuid."' ";
-				$db->exec(check_sql($sql));
-				unset($sql);
+				$array['contacts'][0]['contact_uuid'] = $contact_uuid;
+				$array['contacts'][0]['domain_uuid'] = $domain_uuid;
+				$array['contacts'][0]['last_mod_date'] = 'now()';
+				$array['contacts'][0]['last_mod_user'] = $_SESSION['username'];
+
+				$p = new permissions;
+				$p->add('contact_edit', 'temp');
+
+				$database = new database;
+				$database->app_name = 'contacts';
+				$database->app_uuid = '04481e0e-a478-c559-adad-52bd4174574c';
+				$database->save($array);
+				unset($array);
+
+				$p->delete('contact_edit', 'temp');
 
 				//if primary, unmark other primary numbers
 				if ($url_primary) {
 					$sql = "update v_contact_urls set url_primary = 0 ";
-					$sql .= "where domain_uuid = '".$domain_uuid."' ";
-					$sql .= "and contact_uuid = '".$contact_uuid."' ";
-					$db->exec(check_sql($sql));
-					unset($sql);
+					$sql .= "where domain_uuid = :domain_uuid ";
+					$sql .= "and contact_uuid = :contact_uuid ";
+					$parameters['domain_uuid'] = $domain_uuid;
+					$parameters['contact_uuid'] = $contact_uuid;
+					$database = new database;
+					$database->execute($sql, $parameters);
+					unset($sql, $parameters);
 				}
 
 				if ($action == "add") {
 					$contact_url_uuid = uuid();
-					$sql = "insert into v_contact_urls ";
-					$sql .= "(";
-					$sql .= "domain_uuid, ";
-					$sql .= "contact_uuid, ";
-					$sql .= "contact_url_uuid, ";
-					$sql .= "url_label, ";
-					$sql .= "url_address, ";
-					$sql .= "url_primary, ";
-					$sql .= "url_description ";
-					$sql .= ")";
-					$sql .= "values ";
-					$sql .= "(";
-					$sql .= "'".$_SESSION['domain_uuid']."', ";
-					$sql .= "'".$contact_uuid."', ";
-					$sql .= "'".$contact_url_uuid."', ";
-					$sql .= "'".$url_label."', ";
-					$sql .= "'".$url_address."', ";
-					$sql .= (($url_primary) ? 1 : 0).", ";
-					$sql .= "'".$url_description."' ";
-					$sql .= ")";
-					$db->exec(check_sql($sql));
-					unset($sql);
+					$array['contact_urls'][0]['contact_url_uuid'] = $contact_url_uuid;
 
 					message::add($text['message-add']);
-					header("Location: contact_edit.php?id=".$contact_uuid);
-					return;
-				} //if ($action == "add")
+				}
 
 				if ($action == "update") {
-					$sql = "update v_contact_urls set ";
-					$sql .= "contact_uuid = '".$contact_uuid."', ";
-					$sql .= "url_label = '".$url_label."', ";
-					$sql .= "url_address = '".$url_address."', ";
-					$sql .= "url_primary = ".(($url_primary) ? 1 : 0).", ";
-					$sql .= "url_description = '".$url_description."' ";
-					$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
-					$sql .= "and contact_url_uuid = '".$contact_url_uuid."'";
-					$db->exec(check_sql($sql));
-					unset($sql);
+					$array['contact_urls'][0]['contact_url_uuid'] = $contact_url_uuid;
 
 					message::add($text['message-update']);
-					header("Location: contact_edit.php?id=".$contact_uuid);
-					return;
-				} //if ($action == "update")
-			} //if ($_POST["persistformvar"] != "true")
-	} //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0)
+				}
+
+				if (is_array($array) && @sizeof($array) != 0) {
+					$array['contact_urls'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+					$array['contact_urls'][0]['contact_uuid'] = $contact_uuid;
+					$array['contact_urls'][0]['url_label'] = $url_label;
+					$array['contact_urls'][0]['url_address'] = $url_address;
+					$array['contact_urls'][0]['url_primary'] = $url_primary ? 1 : 0;
+					$array['contact_urls'][0]['url_description'] = $url_description;
+
+					$database = new database;
+					$database->app_name = 'contacts';
+					$database->app_uuid = '04481e0e-a478-c559-adad-52bd4174574c';
+					$database->save($array);
+					unset($array);
+				}
+
+				header("Location: contact_edit.php?id=".$contact_uuid);
+				exit;
+			}
+	}
 
 //pre-populate the form
-	if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
+	if (is_array($_GET) && @sizeof($_GET) != 0 && $_POST["persistformvar"] != "true") {
 		$contact_url_uuid = $_GET["id"];
 		$sql = "select * from v_contact_urls ";
-		$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "and contact_url_uuid = '".$contact_url_uuid."' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_url_uuid = :contact_url_uuid ";
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+		$parameters['contact_url_uuid'] = $contact_url_uuid;
+		$database = new database;
+		$row = $database->select($sql, $parameters, 'row');
+		if (is_array($row) && @sizeof($row) != 0) {
 			$url_label = $row["url_label"];
 			$url_address = $row["url_address"];
 			$url_primary = $row["url_primary"];
 			$url_description = $row["url_description"];
-			break; //limit to 1 row
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $row);
 	}
 
 //show the header
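Review bot: In the second hunk the update path takes the row key from `$_POST["contact_url_uuid"]` without the `is_uuid()` check this same commit adds for `$_REQUEST["id"]` and `$_GET["contact_uuid"]` in the first hunk, so an arbitrary string becomes the identifier handed to `$database->save()`; I would guard it the same way, `if ($action == "update" && is_uuid($_POST["contact_url_uuid"])) { $contact_url_uuid = $_POST["contact_url_uuid"]; }`, which otherwise leaves the already-validated value from `$_REQUEST["id"]` in place. The `is_array($x) && @sizeof($x) != 0` idiom introduced here (and repeated in contact_urls.php, contact_user_delete.php, contacts.php and contacts_vcard.php) suppresses nothing after `is_array()` has passed; `count($x) > 0` says the same without the `@`. Setting `last_mod_date` to the string `'now()'` relies on the database class recognising it as an SQL expression rather than a literal — a short comment there, `//'now()' is passed through as an expression by the database class`, would save the next reader a trip into that class (assuming that is in fact how it behaves). The enclosing `if ($_POST["persistformvar"] != "true")` block opens before the hunk.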

+ 13 - 13
contact_urls.php

@@ -48,14 +48,14 @@
 
 	//get the contact list
 		$sql = "select * from v_contact_urls ";
-		$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "and contact_uuid = '$contact_uuid' ";
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_uuid = :contact_uuid ";
 		$sql .= "order by url_primary desc, url_label asc ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		$result_count = count($result);
-		unset ($prep_statement, $sql);
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+		$parameters['contact_uuid'] = $contact_uuid;
+		$database = new database;
+		$result = $database->select($sql, $parameters, 'all');
+		unset($sql, $parameters);
 
 	$c = 0;
 	$row_style["0"] = "row_style0";
@@ -74,12 +74,12 @@
 	echo "</td>\n";
 	echo "</tr>\n";
 
-	if ($result_count > 0) {
+	if (is_array($result) && @sizeof($result) != 0) {
 		foreach($result as $row) {
 			if (permission_exists('contact_url_edit')) {
 				$tr_link = "href='contact_url_edit.php?contact_uuid=".escape($row['contact_uuid'])."&id=".escape($row['contact_url_uuid'])."'";
 			}
-			echo "<tr ".$tr_link." ".((escape($row['url_primary'])) ? "style='font-weight: bold;'" : null).">\n";
+			echo "<tr ".$tr_link." ".(escape($row['url_primary']) ? "style='font-weight: bold;'" : null).">\n";
 			echo "	<td valign='top' class='".$row_style[$c]."'>".escape($row['url_label'])."&nbsp;</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='width: 40%; max-width: 60px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;'><a href='".escape($row['url_address'])."' target='_blank'>".str_replace("http://", "", str_replace("https://", "", escape($row['url_address'])))."</a>&nbsp;</td>\n";
 			echo "	<td valign='top' class='row_stylebg'>".escape($row['url_description'])."&nbsp;</td>\n";
@@ -92,10 +92,10 @@
 			}
 			echo "	</td>\n";
 			echo "</tr>\n";
-			$c = ($c) ? 0 : 1;
-		} //end foreach
-		unset($sql, $result, $row_count);
-	} //end if results
+			$c = $c ? 0 : 1;
+		}
+	}
+	unset($result, $row);
 
 	echo "</table>\n";
 

+ 13 - 9
contact_user_delete.php

@@ -26,7 +26,7 @@
 require_once "root.php";
 require_once "resources/require.php";
 require_once "resources/check_auth.php";
-if (permission_exists('contact_group_delete')) {
+if (permission_exists('contact_user_delete')) {
 	//access granted
 }
 else {
@@ -40,19 +40,23 @@ else {
 		$language = new text;
 		$text = $language->get();
 
-		if (count($_REQUEST) > 0) {
-			$contact_user_uuid = check_str($_REQUEST["id"]);
-			$contact_uuid = check_str($_REQUEST["contact_uuid"]);
+		if (is_array($_REQUEST) && @sizeof($_REQUEST) != 0) {
+			$contact_user_uuid = $_REQUEST["id"];
+			$contact_uuid = $_REQUEST["contact_uuid"];
 		}
 	}
 
 //delete the user
 	if (is_uuid($contact_uuid) && is_uuid($contact_user_uuid)) {
-		$sql = "delete from v_contact_users ";
-		$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "and contact_user_uuid = '$contact_user_uuid' ";
-		$db->exec(check_sql($sql));
-		unset($sql);
+		$array['contact_users'][0]['contact_user_uuid'] = $contact_user_uuid;
+		$array['contact_users'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+
+		$database = new database;
+		$database->app_name = 'contacts';
+		$database->app_uuid = '04481e0e-a478-c559-adad-52bd4174574c';
+		$database->delete($array);
+		$response = $database->message;
+		unset($array);
 	}
 
 //redirect the browser
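Review bot: `$response = $database->message;` after the new delete call is assigned but nothing in the hunk reads it; the redirect code that follows starts outside the hunk, so unless it consumes `$response` the line should go, or the outcome should be surfaced with `message::add()` as contact_url_delete.php does in this same commit. The `is_array($_REQUEST) && @sizeof($_REQUEST) != 0` wrapper adds nothing: `$_REQUEST` is always an array and both values are re-checked with `is_uuid()` before the delete, so plain assignments would do.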

+ 101 - 81
contacts.php

@@ -48,12 +48,12 @@
 	require_once "resources/header.php";
 
 //get the search criteria
-	$search_all = strtolower(check_str($_GET["search_all"]));
-	$phone_number = check_str($_GET["phone_number"]);
+	$search_all = strtolower($_GET["search_all"]);
+	$phone_number = $_GET["phone_number"];
 
 //get variables used to control the order
-	$order_by = check_str($_GET["order_by"]);
-	$order = check_str($_GET["order"]);
+	$order_by = $_GET["order_by"];
+	$order = $_GET["order"];
 
 //retrieve current user's assigned groups (uuids)
 	foreach ($_SESSION['groups'] as $group_data) {
@@ -70,103 +70,123 @@
 	$sql .= "from ";
 	$sql .= "v_contact_settings ";
 	$sql .= "where ";
-	$sql .= "domain_uuid = '".$_SESSION['domain_uuid']."' ";
+	$sql .= "domain_uuid = :domain_uuid ";
 	$sql .= "and contact_setting_category = 'sync' ";
 	$sql .= "and contact_setting_subcategory = 'source' ";
 	$sql .= "and contact_setting_name = 'array' ";
 	$sql .= "and contact_setting_value <> '' ";
 	$sql .= "and contact_setting_value is not null ";
 	if (!(if_group("superadmin") || if_group("admin"))) {
-		$sql .= "and ( \n"; //only contacts assigned to current user's group(s) and those not assigned to any group
-		$sql .= "	contact_uuid in ( \n";
+		$sql .= "and ( "; //only contacts assigned to current user's group(s) and those not assigned to any group
+		$sql .= "	contact_uuid in ( ";
 		$sql .= "		select contact_uuid from v_contact_groups ";
-		$sql .= "		where group_uuid in ('".implode("','", array_filter($user_group_uuids))."') ";
-		$sql .= "		and domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "	) \n";
-		$sql .= "	or \n";
-		$sql .= "	contact_uuid not in ( \n";
+		$sql .= "		where ";
+		if (is_array($user_group_uuids) && @sizeof($user_group_uuids) != 0) {
+			foreach ($user_group_uuids as $index => $user_group_uuid) {
+				if (is_uuid($user_group_uuid)) {
+					$sql_where_or[] = "group_uuid = :group_uuid_".$index;
+					$parameters['group_uuid_'.$index] = $user_group_uuid;
+				}
+			}
+			if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) {
+				$sql .= " ( ".implode(' or ', $sql_where_or)." ) ";
+			}
+			unset($sql_where_or, $index, $user_group_uuid);
+		}
+		$sql .= "		and domain_uuid = :domain_uuid ";
+		$sql .= "	) ";
+		$sql .= "	or ";
+		$sql .= "	contact_uuid not in ( ";
 		$sql .= "		select contact_uuid from v_contact_groups ";
-		$sql .= "		where group_uuid = '".$_SESSION['group_uuid']."' ";
-		$sql .= "		and domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "	) \n";
-		$sql .= ") \n";
+		$sql .= "		where group_uuid = :group_uuid ";
+		$sql .= "		and domain_uuid = :domain_uuid ";
+		$sql .= "	) ";
+		$sql .= ") ";
 	}
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	if (count($result) > 0) {
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$parameters['group_uuid'] = $_SESSION['group_uuid'];
+	$database = new database;
+	$result = $database->select($sql, $parameters, 'all');
+	if (is_array($result) && @sizeof($result) != 0) {
 		foreach($result as $row) {
 			$contact_sync_sources[$row['contact_uuid']][] = $row['contact_setting_value'];
 		}
 	}
-	unset ($sql, $prep_statement, $result);
+	unset($sql, $parameters, $result);
 
 //build query for paging and list
-	$sql = "select count(*) as num_rows ";
+	$sql = "select count(*) ";
 	$sql .= "from v_contacts as c ";
-	$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	if (!(if_group("superadmin") || if_group("admin"))) {
-		$sql .= "and ( \n"; //only contacts assigned to current user's group(s) and those not assigned to any group
-		$sql .= "	contact_uuid in ( \n";
+		$sql .= "and ( "; //only contacts assigned to current user's group(s) and those not assigned to any group
+		$sql .= "	contact_uuid in ( ";
 		$sql .= "		select contact_uuid from v_contact_groups ";
-		$sql .= "		where group_uuid in ('".implode("','", array_filter($user_group_uuids))."') ";
-		$sql .= "		and domain_uuid = '".$_SESSION['domain_uuid']."' ";
-		$sql .= "	) \n";
-		$sql .= "	or contact_uuid in ( \n";
+		$sql .= "		where ";
+		if (is_array($user_group_uuids) && @sizeof($user_group_uuids) != 0) {
+			foreach ($user_group_uuids as $index => $user_group_uuid) {
+				if (is_uuid($user_group_uuid)) {
+					$sql_where_or[] = "group_uuid = :group_uuid_".$index;
+					$parameters['group_uuid_'.$index] = $user_group_uuid;
+				}
+			}
+			if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) {
+				$sql .= " ( ".implode(' or ', $sql_where_or)." ) ";
+			}
+			unset($sql_where_or, $index, $user_group_uuid);
+		}
+		$sql .= "		and domain_uuid = :domain_uuid ";
+		$sql .= "	) ";
+		$sql .= "	or contact_uuid in ( ";
 		$sql .= "		select contact_uuid from v_contact_users ";
-		$sql .= "		where user_uuid = '".$_SESSION['user_uuid']."' ";
-		$sql .= "		and domain_uuid = '".$_SESSION['domain_uuid']."' ";
+		$sql .= "		where user_uuid = :user_uuid ";
+		$sql .= "		and domain_uuid = :domain_uuid ";
 		$sql .= "";
-		$sql .= "	) \n";
-		$sql .= ") \n";
+		$sql .= "	) ";
+		$sql .= ") ";
+		$parameters['user_uuid'] = $_SESSION['user_uuid'];
 	}
 	if (strlen($phone_number) > 0) {
 		$phone_number = preg_replace('{\D}', '', $phone_number);
 		$sql .= "and contact_uuid in ( ";
 		$sql .= "	select contact_uuid from v_contact_phones ";
-		$sql .= "	where phone_number like '%".$phone_number."%' ";
-		$sql .= ") \n";
+		$sql .= "	where phone_number like :phone_number ";
+		$sql .= ") ";
+		$parameters['phone_number'] = '%'.$phone_number.'%';
 	}
 	else {
 		if (strlen($search_all) > 0) {
 			if (is_numeric($search_all)) {
-				$sql .= "and contact_uuid in ( \n";
+				$sql .= "and contact_uuid in ( ";
 				$sql .= "	select contact_uuid from v_contact_phones ";
-				$sql .= "	where phone_number like '%".$search_all."%' ";
-				$sql .= ") \n";
+				$sql .= "	where phone_number like :search_all ";
+				$sql .= ") ";
 			}
 			else {
-				$sql .= "and contact_uuid in ( \n";
+				$sql .= "and contact_uuid in ( ";
 				$sql .= "	select contact_uuid from v_contacts ";
-				$sql .= "	where domain_uuid = '".$_SESSION['domain_uuid']."' \n";
-				$sql .= "	and ( \n";
-				$sql .= "		lower(contact_organization) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_name_given) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_name_family) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_nickname) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_title) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_category) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_role) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_url) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_time_zone) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_note) like '%".$search_all."%' or \n";
-				$sql .= "		lower(contact_type) like '%".$search_all."%' \n";
-				$sql .= "	) \n";
-				$sql .= ") \n";
+				$sql .= "	where domain_uuid = :domain_uuid ";
+				$sql .= "	and ( ";
+				$sql .= "		lower(contact_organization) like :search_all or ";
+				$sql .= "		lower(contact_name_given) like :search_all or ";
+				$sql .= "		lower(contact_name_family) like :search_all or ";
+				$sql .= "		lower(contact_nickname) like :search_all or ";
+				$sql .= "		lower(contact_title) like :search_all or ";
+				$sql .= "		lower(contact_category) like :search_all or ";
+				$sql .= "		lower(contact_role) like :search_all or ";
+				$sql .= "		lower(contact_url) like :search_all or ";
+				$sql .= "		lower(contact_time_zone) like :search_all or ";
+				$sql .= "		lower(contact_note) like :search_all or ";
+				$sql .= "		lower(contact_type) like :search_all ";
+				$sql .= "	) ";
+				$sql .= ") ";
 			}
+			$parameters['search_all'] = '%'.$search_all.'%';
 		}
 	}
-	$prep_statement = $db->prepare($sql);
-	if ($prep_statement) {
-	$prep_statement->execute();
-		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-		if ($row['num_rows'] > 0) {
-			$num_rows = $row['num_rows'];
-		}
-		else {
-			$num_rows = '0';
-		}
-	}
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$database = new database;
+	$num_rows = $database->select($sql, $parameters, 'column');
 
 //prepare to page the results
 	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
@@ -178,24 +198,24 @@
 	$offset = $rows_per_page * $page;
 
 //get the list
-	$contact_default_sort_column = ($_SESSION['contacts']['default_sort_column']['text'] != '') ? $_SESSION['contacts']['default_sort_column']['text'] : "last_mod_date";
-	$contact_default_sort_order = ($_SESSION['contacts']['default_sort_order']['text'] != '') ? $_SESSION['contacts']['default_sort_order']['text'] : "desc";
-
-	$sql = str_replace('count(*) as num_rows', '*, (select a.contact_attachment_uuid from v_contact_attachments as a where a.contact_uuid = c.contact_uuid and a.attachment_primary = 1) as contact_attachment_uuid', $sql);
-	if (strlen($order_by) > 0) {
-		$sql .= "order by ".$order_by." ".$order.", contact_organization asc ";
+	$sql = str_replace('count(*)', '*, (select a.contact_attachment_uuid from v_contact_attachments as a where a.contact_uuid = c.contact_uuid and a.attachment_primary = 1) as contact_attachment_uuid', $sql);
+	if ($order_by != '') {
+		$sql .= order_by($order_by, $order);
+		$sql .= ", contact_organization asc ";
 	}
 	else {
-		$sql .= "order by ".$contact_default_sort_column." ".$contact_default_sort_order." ";
+		$contact_default_sort_column = $_SESSION['contacts']['default_sort_column']['text'] != '' ? $_SESSION['contacts']['default_sort_column']['text'] : "last_mod_date";
+		$contact_default_sort_order = $_SESSION['contacts']['default_sort_order']['text'] != '' ? $_SESSION['contacts']['default_sort_order']['text'] : "desc";
+
+		$sql .= order_by($contact_default_sort_column, $contact_default_sort_order);
 		if ($db_type == "pgsql") {
-			$sql .= "nulls last ";
+			$sql .= " nulls last ";
 		}
 	}
-	$sql .= "limit ".$rows_per_page." offset ".$offset." ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$contacts = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	unset ($prep_statement, $sql);
+	$sql .= limit_offset($rows_per_page, $offset);
+	$database = new database;
+	$contacts = $database->select($sql, $parameters, 'all');
+	unset($sql, $parameters);
 
 //styles
 	echo "<style>\n";
@@ -264,7 +284,7 @@
 	echo "</td>\n";
 	echo "</tr>\n";
 
-	if (is_array($contacts)) {
+	if (is_array($contacts) && @sizeof($contacts) != 0) {
 		foreach($contacts as $row) {
 			$tr_link = "href='contact_edit.php?id=".escape($row['contact_uuid'])."&query_string=".urlencode($_SERVER["QUERY_STRING"])."'";
 			echo "<tr ".$tr_link.">\n";
@@ -297,7 +317,7 @@
 			echo "</tr>\n";
 			if ($c==0) { $c=1; } else { $c=0; }
 		} //end foreach
-		unset($sql, $contacts);
+		unset($contacts, $row);
 	} //end if results
 
 	echo "<tr>\n";
@@ -327,4 +347,4 @@
 //include the footer
 	require_once "resources/footer.php";
 
-?>
+?>
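Review bot: In the group-restriction subqueries of the hunk starting at `@@ -70,103 +70,123 @@` (once in the sync-source query, once in the count query that the list query is later derived from) the literal `where ` is appended unconditionally, but the `group_uuid = :group_uuid_N` predicates are only appended when at least one entry of `$user_group_uuids` passes `is_uuid()`, so a user whose group array is empty or holds no valid UUID produces `where and domain_uuid = :domain_uuid`, a SQL syntax error; the removed `in ('')` form degraded to an empty match instead. The loop should always emit a predicate, with a never-true clause when no group qualifies, so the restriction fails closed rather than failing the page. The placeholder names are built from the array index, which is only safe if `$user_group_uuids` is a plain list — it is filled before this hunk and worth confirming. The `str_replace('count(*)', …)` in the third hunk also depends on the count query containing that token exactly once; a one-line comment on the `$sql = "select count(*) "` line saying the select list is substituted later would help the next maintainer.
```php
		$sql .= "		where ";
		$sql_where_or = [];
		if (is_array($user_group_uuids)) {
			foreach ($user_group_uuids as $index => $user_group_uuid) {
				if (is_uuid($user_group_uuid)) {
					$sql_where_or[] = "group_uuid = :group_uuid_".$index;
					$parameters['group_uuid_'.$index] = $user_group_uuid;
				}
			}
		}
		//fail closed: with no usable group the subquery must match nothing, not produce "where and"
		if (count($sql_where_or) > 0) {
			$sql .= " ( ".implode(' or ', $sql_where_or)." ) ";
		}
		else {
			$sql .= " 1 = 0 ";
		}
		unset($sql_where_or, $index, $user_group_uuid);
		$sql .= "		and domain_uuid = :domain_uuid ";
		// … unchanged: rest of the subquery and the "or" branch; same change applies in the count query …
```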

+ 77 - 70
contacts_vcard.php

@@ -34,7 +34,7 @@ else {
 	exit;
 }
 
-if (count($_GET)>0) {
+if (is_array($_GET) && @sizeof($_GET) != 0) {
 
 	//add multi-lingual support
 		$language = new text;
@@ -49,12 +49,13 @@ if (count($_GET)>0) {
 
 	//get the contact's information
 		$sql = "select * from v_contacts ";
-		$sql .= "where domain_uuid = '".$domain_uuid."' ";
-		$sql .= "and contact_uuid = '".$contact_uuid."' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_uuid = :contact_uuid ";
+		$parameters['domain_uuid'] = $domain_uuid;
+		$parameters['contact_uuid'] = $contact_uuid;
+		$database = new database;
+		$row = $database->select($sql, $parameters, 'row');
+		if (is_array($row) && @sizeof($row) != 0) {
 			$contact_type = $row["contact_type"];
 			$contact_organization = escape($row["contact_organization"]);
 			$contact_name_given = escape($row["contact_name_given"]);
@@ -64,9 +65,8 @@ if (count($_GET)>0) {
 			$contact_role = escape($row["contact_role"]);
 			$contact_time_zone = escape($row["contact_time_zone"]);
 			$contact_note = $row["contact_note"];
-			break; //limit to 1 row
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $row);
 
 		$vcard->data['company'] = $contact_organization;
 		$vcard->data['first_name'] = $contact_name_given;
@@ -74,32 +74,33 @@ if (count($_GET)>0) {
 
 	//get the contact's primary (and a secondary, if available) email
 		$sql = "select email_address from v_contact_emails ";
-		$sql .= "where domain_uuid = '".$domain_uuid."' ";
-		$sql .= "and contact_uuid = '".$contact_uuid."' ";
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_uuid = :contact_uuid ";
 		$sql .= "order by email_primary desc ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		$e = 0;
-		foreach ($result as &$row) {
-			$vcard->data['email'.$e] = escape($row["email_address"]);
-			if (++$e == 2) { break; } //limit to 2 rows
+		$parameters['domain_uuid'] = $domain_uuid;
+		$parameters['contact_uuid'] = $contact_uuid;
+		$database = new database;
+		$result = $database->select($sql, $parameters, 'all');
+		if (is_array($result) && @sizeof($result) != 0) {
+			$e = 0;
+			foreach ($result as &$row) {
+				$vcard->data['email'.$e] = escape($row["email_address"]);
+				if (++$e == 2) { break; } //limit to 2 rows
+			}
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $result, $row);
 
 	//get the contact's primary url
 		$sql = "select url_address from v_contact_urls ";
-		$sql .= "where domain_uuid = '".$domain_uuid."' ";
-		$sql .= "and contact_uuid = '".$contact_uuid."' ";
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_uuid = :contact_uuid ";
 		$sql .= "and url_primary = 1 ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
-			$vcard->data['url'] = escape($row["url_address"]);
-			break;	//limit to 1 row
-		}
-		unset ($prep_statement);
+		$parameters['domain_uuid'] = $domain_uuid;
+		$parameters['contact_uuid'] = $contact_uuid;
+		$database = new database;
+		$row = $database->select($sql, $parameters, 'column');
+		$vcard->data['url'] = escape($row["url_address"]);
+		unset($sql, $parameters, $row);
 
 
 		if ($_GET['type'] == "image" || $_GET['type'] == "html") {
@@ -116,25 +117,28 @@ if (count($_GET)>0) {
 
 	//get the contact's telephone numbers
 		$sql = "select * from v_contact_phones ";
-		$sql .= "where domain_uuid = '".$domain_uuid."' ";
-		$sql .= "and contact_uuid = '".$contact_uuid."' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
-			$phone_label = $row["phone_label"];
-			$phone_number = $row["phone_number"];
-			if ($phone_label == $text['option-work']) { $vcard_phone_type = 'work'; }
-			else if ($phone_label == $text['option-home']) { $vcard_phone_type = 'home'; }
-			else if ($phone_label == $text['option-mobile']) { $vcard_phone_type = 'cell'; }
-			else if ($phone_label == $text['option-fax']) { $vcard_phone_type = 'fax'; }
-			else if ($phone_label == $text['option-pager']) { $vcard_phone_type = 'pager'; }
-			else { $vcard_phone_type = 'voice'; }
-			if ($vcard_phone_type != '') {
-				$vcard->data[$vcard_phone_type.'_tel'] = $phone_number;
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and contact_uuid = :contact_uuid ";
+		$parameters['domain_uuid'] = $domain_uuid;
+		$parameters['contact_uuid'] = $contact_uuid;
+		$database = new database;
+		$result = $database->select($sql, $parameters, 'all');
+		if (is_array($result) && @sizeof($result) != 0) {
+			foreach ($result as &$row) {
+				$phone_label = $row["phone_label"];
+				$phone_number = $row["phone_number"];
+				if ($phone_label == $text['option-work']) { $vcard_phone_type = 'work'; }
+				else if ($phone_label == $text['option-home']) { $vcard_phone_type = 'home'; }
+				else if ($phone_label == $text['option-mobile']) { $vcard_phone_type = 'cell'; }
+				else if ($phone_label == $text['option-fax']) { $vcard_phone_type = 'fax'; }
+				else if ($phone_label == $text['option-pager']) { $vcard_phone_type = 'pager'; }
+				else { $vcard_phone_type = 'voice'; }
+				if ($vcard_phone_type != '') {
+					$vcard->data[$vcard_phone_type.'_tel'] = $phone_number;
+				}
 			}
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $result, $row);
 
 	//get the contact's addresses
 		if ($_GET['type'] == "image" || $_GET['type'] == "html") {
@@ -142,31 +146,34 @@ if (count($_GET)>0) {
 		}
 		else {
 			$sql = "select * from v_contact_addresses ";
-			$sql .= "where domain_uuid = '".$domain_uuid."' ";
-			$sql .= "and contact_uuid = '".$contact_uuid."' ";
-			$prep_statement = $db->prepare(check_sql($sql));
-			$prep_statement->execute();
-			$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-			foreach ($result as &$row) {
-				$address_type = escape($row["address_type"]);
-				$address_street = escape($row["address_street"]);
-				$address_extended = escape($row["address_extended"]);
-				$address_locality = escape($row["address_locality"]);
-				$address_region = escape($row["address_region"]);
-				$address_postal_code = escape($row["address_postal_code"]);
-				$address_country = escape($row["address_country"]);
-				$address_latitude = $row["address_latitude"];
-				$address_longitude = $row["address_longitude"];
-				$address_type = strtolower(trim($address_type));
-
-				$vcard->data[$address_type.'_address'] = $address_street;
-				$vcard->data[$address_type.'_extended_address'] = $address_extended;
-				$vcard->data[$address_type.'_city'] = $address_locality;
-				$vcard->data[$address_type.'_state'] = $address_region;
-				$vcard->data[$address_type.'_postal_code'] = $address_postal_code;
-				$vcard->data[$address_type.'_country'] = $address_country;
+			$sql .= "where domain_uuid = :domain_uuid ";
+			$sql .= "and contact_uuid = :contact_uuid ";
+			$parameters['domain_uuid'] = $domain_uuid;
+			$parameters['contact_uuid'] = $contact_uuid;
+			$database = new database;
+			$result = $database->select($sql, $parameters, 'all');
+			if (is_array($result) && @sizeof($result) != 0) {
+				foreach ($result as &$row) {
+					$address_type = escape($row["address_type"]);
+					$address_street = escape($row["address_street"]);
+					$address_extended = escape($row["address_extended"]);
+					$address_locality = escape($row["address_locality"]);
+					$address_region = escape($row["address_region"]);
+					$address_postal_code = escape($row["address_postal_code"]);
+					$address_country = escape($row["address_country"]);
+					$address_latitude = $row["address_latitude"];
+					$address_longitude = $row["address_longitude"];
+					$address_type = strtolower(trim($address_type));
+
+					$vcard->data[$address_type.'_address'] = $address_street;
+					$vcard->data[$address_type.'_extended_address'] = $address_extended;
+					$vcard->data[$address_type.'_city'] = $address_locality;
+					$vcard->data[$address_type.'_state'] = $address_region;
+					$vcard->data[$address_type.'_postal_code'] = $address_postal_code;
+					$vcard->data[$address_type.'_country'] = $address_country;
+				}
 			}
-			unset ($prep_statement);
+			unset($sql, $parameters, $result, $row);
 		}
 
 	//download the vcard