
Use the new database class and other updates

FusionPBX 1 жил өмнө
parent
commit
ba5e5db094

+ 46 - 1
invoices/app_config.php

@@ -153,7 +153,29 @@
 		$apps[$x]['db'][$y]['fields'][$z]['type'] = 'text';
 		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = 'Enter a payment method reference number.';
 		$z++;
-
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "insert_date";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = 'timestamptz';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "insert_user";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = "uuid";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = "char(36)";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "update_date";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = 'timestamptz';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "update_user";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = "uuid";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = "char(36)";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
 
 		$y++;
 		$apps[$x]['db'][$y]['table']['name'] = "v_invoice_items";
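Review bot: The new `insert_date` and `update_date` audit columns are typed `date` for MySQL (and SQLite) while PostgreSQL gets `timestamptz`, so on MySQL the audit trail would keep only the day of a change, not the time. If these columns are meant to record when a row was written, a time-bearing type such as `$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'timestamp';` keeps the backends equivalent. The same four fields are added for `v_invoice_items` in the next hunk, and all eight have an empty `description`, which leaves the schema undocumented.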
@@ -215,5 +237,28 @@
 		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'decimal(10,2)';
 		$apps[$x]['db'][$y]['fields'][$z]['description'] = 'Enter the unit price.';
 		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "insert_date";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = 'timestamptz';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "insert_user";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = "uuid";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = "char(36)";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "update_date";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = 'timestamptz';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = 'date';
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name'] = "update_user";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['pgsql'] = "uuid";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['sqlite'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['type']['mysql'] = "char(36)";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
 
 ?>

+ 250 - 149
invoices/invoice_edit.php

@@ -42,165 +42,195 @@
 	$text = $language->get();
 
 //action add or update
-	if (isset($_REQUEST["id"])) {
+	if (is_uuid($_REQUEST["id"])) {
 		$action = "update";
-		$invoice_uuid = check_str($_REQUEST["id"]);
-		$back = check_str($_REQUEST['back']);
+		$invoice_uuid = $_REQUEST["id"];
+		$back = $_REQUEST['back'];
 	}
 	else {
 		$action = "add";
 	}
 
 //get http post variables and set them to php variables
-	if (count($_POST) > 0) {
-		$invoice_number = check_str($_POST["invoice_number"]);
-		$invoice_type = check_str($_POST["invoice_type"]);
-		$contact_uuid_from = check_str($_POST["contact_uuid_from"]);
-		$contact_uuid_to = check_str($_POST["contact_uuid_to"]);
-		$invoice_purchase_order_number = check_str($_POST["invoice_purchase_order_number"]);
-		$invoice_currency = check_str($_POST["invoice_currency"]);
-		$invoice_notes = check_str($_POST["invoice_notes"]);
+	if (is_array($_REQUEST)) {
+		//$invoice_uuid = $_REQUEST["invoice_uuid"];
+		$contact_uuid_from = $_REQUEST["contact_uuid_from"];
+		$contact_uuid_to = $_REQUEST["contact_uuid_to"];
+		$invoice_number = $_REQUEST["invoice_number"];
+		//$invoice_date = $_REQUEST["invoice_date"];
+		$invoice_type = $_REQUEST["invoice_type"];
+		$invoice_purchase_order_number = $_REQUEST["invoice_purchase_order_number"];
+		$invoice_currency = $_REQUEST["invoice_currency"];
+		$invoice_notes = $_REQUEST["invoice_notes"];
+		$invoice_paid = $_REQUEST["invoice_paid"];
+		$invoice_paid_date = $_REQUEST["invoice_paid_date"];
+		$invoice_paid_method = $_REQUEST["invoice_paid_method"];
+		$invoice_paid_method_ref = $_REQUEST["invoice_paid_method_ref"];
 	}
 
-if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
-
-	$msg = '';
-	if ($action == "update") {
-		$invoice_uuid = check_str($_POST["invoice_uuid"]);
-	}
-
-	//check for all required data
-		//if (strlen($invoice_uuid) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_uuid']."<br>\n"; }
-		//if (strlen($domain_uuid) == 0) { $msg .= $text['message-required']." ".$text['label-domain_uuid']."<br>\n"; }
-		//if (strlen($contact_uuid_from) == 0) { $msg .= $text['message-required']." ".$text['label-contact_uuid_from']."<br>\n"; }
-		//if (strlen($contact_uuid_to) == 0) { $msg .= $text['message-required']." ".$text['label-contact_uuid_to']."<br>\n"; }
-		//if (strlen($invoice_number) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_number']."<br>\n"; }
-		//if (strlen($invoice_date) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_date']."<br>\n"; }
-		//if (strlen($invoice_notes) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_notes']."<br>\n"; }
-		if (strlen($msg) > 0 && strlen($_POST["persistformvar"]) == 0) {
-			require_once "resources/header.php";
-			require_once "resources/persist_form_var.php";
-			echo "<div align='center'>\n";
-			echo "<table><tr><td>\n";
-			echo $msg."<br />";
-			echo "</td></tr></table>\n";
-			persistformvar($_POST);
-			echo "</div>\n";
-			require_once "resources/footer.php";
-			return;
-		}
-
-	//add or update the database
-		if ($_POST["persistformvar"] != "true") {
-			if ($action == "add" && permission_exists('invoice_add')) {
-				$invoice_uuid = uuid();
-				$sql = "insert into v_invoices ";
-				$sql .= "(";
-				$sql .= "domain_uuid, ";
-				$sql .= "invoice_uuid, ";
-				$sql .= "invoice_number, ";
-				$sql .= "invoice_type, ";
-				$sql .= "contact_uuid_from, ";
-				$sql .= "contact_uuid_to, ";
-				$sql .= "invoice_purchase_order_number, ";
-				$sql .= "invoice_currency, ";
-				$sql .= "invoice_notes, ";
-				$sql .= "invoice_date ";
-				$sql .= ")";
-				$sql .= "values ";
-				$sql .= "(";
-				$sql .= "'$domain_uuid', ";
-				$sql .= "'$invoice_uuid', ";
-				$sql .= "'$invoice_number', ";
-				$sql .= "'$invoice_type', ";
-				$sql .= "'$contact_uuid_from', ";
-				$sql .= "'$contact_uuid_to', ";
-				$sql .= "'$invoice_purchase_order_number', ";
-				$sql .= "'$invoice_currency', ";
-				$sql .= "'$invoice_notes', ";
-				$sql .= "now() ";
-				$sql .= ")";
-				$db->exec(check_sql($sql));
-				unset($sql);
-
-				//set redirect
-				$_SESSION['message'] = $text['message-add'];
-				header("Location: invoices.php");
-				return;
-
-			} //if ($action == "add")
-
-			if ($action == "update" && permission_exists('invoice_edit')) {
-				$invoice_paid = check_str($_POST["invoice_paid"]);
-				if ($invoice_paid == '1') {
-					$invoice_paid_date = check_str($_POST["invoice_paid_date"]);
-					$invoice_paid_method = check_str($_POST["invoice_paid_method"]);
-					$invoice_paid_method_ref = check_str($_POST["invoice_paid_method_ref"]);
+//process the user data and save it to the database
+	if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
+
+		//validate the token
+			$token = new token;
+			if (!$token->validate($_SERVER['PHP_SELF'])) {
+				message::add($text['message-invalid_token'],'negative');
+				header('Location: invoices.php');
+				exit;
+			}
+
+		//process the http post data by submitted action
+			if ($_POST['action'] != '' && strlen($_POST['action']) > 0) {
+
+				//prepare the array(s)
+				//send the array to the database class
+				switch ($_POST['action']) {
+					case 'copy':
+						if (permission_exists('invoice_add')) {
+							$obj = new database;
+							$obj->copy($array);
+						}
+						break;
+					case 'delete':
+						if (permission_exists('invoice_delete')) {
+							$obj = new database;
+							$obj->delete($array);
+						}
+						break;
+					case 'toggle':
+						if (permission_exists('invoice_update')) {
+							$obj = new database;
+							$obj->toggle($array);
+						}
+						break;
 				}
 
-				//set defaults
-				$invoice_paid = ($invoice_paid != '1') ? 'null' : $invoice_paid;
-				$invoice_paid_date = ($invoice_paid_date == '') ? 'null' : "'".$invoice_paid_date."'";
-				$invoice_paid_method = ($invoice_paid_method == '') ? 'null' : "'".$invoice_paid_method."'";
-				$invoice_paid_method_ref = ($invoice_paid_method_ref == '') ? 'null' : "'".$invoice_paid_method_ref."'";
-
-				$sql = "update v_invoices set ";
-				$sql .= "invoice_number = '$invoice_number', ";
-				$sql .= "invoice_type = '$invoice_type', ";
-				$sql .= "contact_uuid_from = '$contact_uuid_from', ";
-				$sql .= "contact_uuid_to = '$contact_uuid_to', ";
-				$sql .= "invoice_purchase_order_number = '$invoice_purchase_order_number', ";
-				$sql .= "invoice_currency = '$invoice_currency', ";
-				$sql .= "invoice_paid = $invoice_paid, ";
-				$sql .= "invoice_paid_date = $invoice_paid_date, ";
-				$sql .= "invoice_paid_method = $invoice_paid_method, ";
-				$sql .= "invoice_paid_method_ref = $invoice_paid_method_ref, ";
-				$sql .= "invoice_notes = '$invoice_notes' ";
-				$sql .= "where domain_uuid = '$domain_uuid' ";
-				$sql .= "and invoice_uuid = '$invoice_uuid' ";
-				$db->exec(check_sql($sql));
-				unset($sql);
-
-				//set redirect
-				$_SESSION['message'] = $text['message-update'];
-				header("Location: ".(($back != '') ? $back : "invoices.php"));
+				//redirect the user
+				if (in_array($_POST['action'], array('copy', 'delete', 'toggle'))) {
+					header('Location: invoice_edit.php?id='.$id);
+					exit;
+				}
+			}
+
+		//check for all required data
+			$msg = '';
+			//if (strlen($invoice_uuid) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_uuid']."<br>\n"; }
+			//if (strlen($domain_uuid) == 0) { $msg .= $text['message-required']." ".$text['label-domain_uuid']."<br>\n"; }
+			//if (strlen($contact_uuid_from) == 0) { $msg .= $text['message-required']." ".$text['label-contact_uuid_from']."<br>\n"; }
+			//if (strlen($contact_uuid_to) == 0) { $msg .= $text['message-required']." ".$text['label-contact_uuid_to']."<br>\n"; }
+			//if (strlen($invoice_number) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_number']."<br>\n"; }
+			//if (strlen($invoice_date) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_date']."<br>\n"; }
+			//if (strlen($invoice_notes) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_notes']."<br>\n"; }
+			//if (strlen($invoice_type) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_type']."<br>\n"; }
+			//if (strlen($invoice_purchase_order_number) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_purchase_order_number']."<br>\n"; }
+			//if (strlen($invoice_currency) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_currency']."<br>\n"; }
+			//if (strlen($invoice_paid) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_paid']."<br>\n"; }
+			//if (strlen($invoice_paid_date) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_paid_date']."<br>\n"; }
+			//if (strlen($invoice_paid_method) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_paid_method']."<br>\n"; }
+			//if (strlen($invoice_paid_method_ref) == 0) { $msg .= $text['message-required']." ".$text['label-invoice_paid_method_ref']."<br>\n"; }
+			if (!empty($msg) && strlen($_POST["persistformvar"]) == 0) {
+				require_once "resources/header.php";
+				require_once "resources/persist_form_var.php";
+				echo "<div align='center'>\n";
+				echo "<table><tr><td>\n";
+				echo $msg."<br />";
+				echo "</td></tr></table>\n";
+				persistformvar($_POST);
+				echo "</div>\n";
+				require_once "resources/footer.php";
 				return;
+			}
 
-			} //if ($action == "update")
-		} //if ($_POST["persistformvar"] != "true")
-} //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0)
+		//add the invoice_uuid
+			if (!is_uuid($_POST["invoice_uuid"])) {
+				$invoice_uuid = uuid();
+			}
+
+		//set defaults
+			$invoice_paid = ($invoice_paid != '1') ? null : $invoice_paid;
+			$invoice_paid_date = ($invoice_paid_date == '') ? null : "'".$invoice_paid_date."'";
+			$invoice_paid_method = ($invoice_paid_method == '') ? null : "'".$invoice_paid_method."'";
+			$invoice_paid_method_ref = ($invoice_paid_method_ref == '') ? null : "'".$invoice_paid_method_ref."'";
+
+		//prepare the array
+			$array['invoices'][0]['invoice_uuid'] = $invoice_uuid;
+			$array['invoices'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+			$array['invoices'][0]['invoice_uuid'] = $invoice_uuid;
+			$array['invoices'][0]['domain_uuid'] = $domain_uuid;
+			$array['invoices'][0]['contact_uuid_from'] = $contact_uuid_from;
+			$array['invoices'][0]['contact_uuid_to'] = $contact_uuid_to;
+			$array['invoices'][0]['invoice_number'] = $invoice_number;
+			$array['invoices'][0]['invoice_date'] = 'now()';
+			$array['invoices'][0]['invoice_notes'] = $invoice_notes;
+			$array['invoices'][0]['invoice_type'] = $invoice_type;
+			$array['invoices'][0]['invoice_purchase_order_number'] = $invoice_purchase_order_number;
+			$array['invoices'][0]['invoice_currency'] = $invoice_currency;
+			$array['invoices'][0]['invoice_paid'] = $invoice_paid;
+			$array['invoices'][0]['invoice_paid_date'] = $invoice_paid_date;
+			$array['invoices'][0]['invoice_paid_method'] = $invoice_paid_method;
+			$array['invoices'][0]['invoice_paid_method_ref'] = $invoice_paid_method_ref;
+
+		//save the data
+			$database = new database;
+			$database->app_name = 'invoices';
+			$database->app_uuid = 'e5a1f4f5-7766-ec9c-118b-50f76b0788c0';
+			$result = $database->save($array);
+			//view_array($result);
+
+		//set redirect
+			$_SESSION['message'] = $text['message-update'];
+			header("Location: ".(($back != '') ? $back : "invoices.php"));
+			return;
+
+	} //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0)
 
 //pre-populate the form
-	if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
-		$invoice_uuid = check_str($_GET["id"]);
-		$sql = "select * from v_invoices ";
-		$sql .= "where domain_uuid = '$domain_uuid' ";
-		$sql .= "and invoice_uuid = '$invoice_uuid' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
+	if (is_array($_GET) && $_POST["persistformvar"] != "true") {
+		$sql = "select ";
+		$sql .= " invoice_uuid, ";
+		$sql .= " invoice_uuid, ";
+		$sql .= " domain_uuid, ";
+		$sql .= " contact_uuid_from, ";
+		$sql .= " contact_uuid_to, ";
+		$sql .= " invoice_number, ";
+		$sql .= " invoice_date, ";
+		$sql .= " invoice_notes, ";
+		$sql .= " invoice_type, ";
+		$sql .= " invoice_purchase_order_number, ";
+		$sql .= " invoice_currency, ";
+		$sql .= " invoice_paid, ";
+		$sql .= " invoice_paid_date, ";
+		$sql .= " invoice_paid_method, ";
+		$sql .= " invoice_paid_method_ref ";
+		$sql .= "from v_invoices ";
+		$sql .= "where invoice_uuid = :invoice_uuid ";
+		//$sql .= "and domain_uuid = :domain_uuid ";
+		//$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+		$parameters['invoice_uuid'] = $invoice_uuid;
+		$database = new database;
+		$row = $database->select($sql, $parameters, 'row');
+		if (is_array($row) && @sizeof($row) != 0) {
+			$invoice_uuid = $row["invoice_uuid"];
+			$contact_uuid_from = $row["contact_uuid_from"];
+			$contact_uuid_to = $row["contact_uuid_to"];
 			$invoice_number = $row["invoice_number"];
-			$invoice_type = $row["invoice_type"];
 			$invoice_date = $row["invoice_date"];
+			$invoice_notes = $row["invoice_notes"];
+			$invoice_type = $row["invoice_type"];
+			$invoice_purchase_order_number = $row["invoice_purchase_order_number"];
+			$invoice_currency = $row["invoice_currency"];
 			$invoice_paid = $row["invoice_paid"];
 			$invoice_paid_date = $row["invoice_paid_date"];
 			$invoice_paid_method = $row["invoice_paid_method"];
 			$invoice_paid_method_ref = $row["invoice_paid_method_ref"];
-			$contact_uuid_from = $row["contact_uuid_from"];
-			$contact_uuid_to = $row["contact_uuid_to"];
-			$invoice_purchase_order_number = $row["invoice_purchase_order_number"];
-			$invoice_currency = $row["invoice_currency"];
-			$invoice_notes = $row["invoice_notes"];
-			break; //limit to 1 row
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $row);
+	}
 
-		//format paid date (if any)
-		if ($invoice_paid_date != '') {
-			$tmp = explode(' ',$invoice_paid_date);
-			$invoice_paid_date = $tmp[0];
-		}
+//format paid date (if any)
+	if ($invoice_paid_date != '') {
+		$tmp = explode(' ',$invoice_paid_date);
+		$invoice_paid_date = $tmp[0];
 	}
 
 //set the default currency
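Review bot: The pre-populate query now selects by `invoice_uuid` alone, with the `domain_uuid` condition left commented out, so a user who holds an invoice UUID from another domain can load that invoice. Restore the tenant filter with `$sql .= "and domain_uuid = :domain_uuid ";` and `$parameters['domain_uuid'] = $_SESSION['domain_uuid'];`. The save path also lost the `permission_exists('invoice_add')` / `permission_exists('invoice_edit')` gates that wrapped the old insert and update; unless the `database` class enforces them itself (not visible here), `$database->save($array)` should sit behind the same checks. `$back` is taken raw from `$_REQUEST` and written into the `Location:` header, so it should be limited to a local relative path before the redirect. The "set defaults" lines still wrap the paid fields in literal quotes (`"'".$invoice_paid_date."'"`), which was only needed for the old string-built SQL and would presumably now be stored as part of the value.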
@@ -210,27 +240,43 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 
 //get the list of contacts
 	$sql = "select contact_uuid, contact_organization, contact_name_given, contact_name_family from v_contacts ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
+	$sql .= "where domain_uuid = :domain_uuid ";
 	$sql .= "order by contact_organization asc ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$contacts = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$contacts = $database->select($sql, $parameters, 'all');
 	unset ($prep_statement, $sql);
 
+//get the contact from name
+	if (!empty($contact_uuid_from)) {
+		foreach($contacts as $row) {
+			if ($row['contact_uuid'] == $contact_uuid_from) {
+				$contact_name_from = $row['contact_organization'].", ".$row['contact_name_given'].", ".$row['contact_name_family'];
+				break;
+			}
+		}
+	}
+
+//get the contact to name
+	if (!empty($contact_uuid_to)) {
+		foreach($contacts as $row) {
+			if ($row['contact_uuid'] == $contact_uuid_to) {
+				$contact_name_to = $row['contact_organization'].", ".$row['contact_name_given'].", ".$row['contact_name_family'];
+				break;
+			}
+		}
+	}
+
 //get the default invoice number and contact_uuid_from
 	if ($action == "add") {
 		$sql = "select * from v_invoices ";
-		$sql .= "where domain_uuid = '$domain_uuid' ";
+		$sql .= "where domain_uuid = :domain_uuid ";
 		$sql .= "order by invoice_number desc ";
 		$sql .= "limit 1 ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		if ($prep_statement) {
-			$prep_statement->execute();
-			$row = $prep_statement->fetch();
-			$invoice_number = $row['invoice_number'] + 1;
-			$contact_uuid_from = $row['contact_uuid_from'];
-			unset ($prep_statement);
-		}
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+		$row = $database->select($sql, $parameters, 'row');
+		$invoice_number = $row['invoice_number'] + 1;
+		$contact_uuid_from = $row['contact_uuid_from'];
+		unset ($prep_statement);
 	}
 
 //set the contact 'to' when adding an invoice
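Review bot: `$database->select(...)` for the contact list relies on a `$database` object that, as far as the visible hunks show, is only created inside the pre-populate branch (the POST branch returns before reaching this point). That branch is skipped when `$_POST["persistformvar"]` is "true", and the call would then hit an undefined variable; instantiate it next to the query with `$database = new database;`. In the "add" branch the old `if ($prep_statement)` guard is gone, so `$row['invoice_number'] + 1` now runs even when no invoice row exists; guard it with `if (is_array($row))`. The remaining `unset ($prep_statement, ...)` calls name a variable that no longer exists and should become `unset($sql, $parameters);`.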
@@ -241,6 +287,47 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 //show the header
 	require_once "resources/header.php";
 
+?>
+
+<script type="text/javascript">
+	function get_contacts(element_id, id, search) {
+		var xhttp = new XMLHttpRequest();
+		xhttp.onreadystatechange = function() {
+			if (this.readyState == 4 && this.status == 200) {
+				//create a handle for the contact select object
+				select = document.getElementById(element_id);
+
+				//remove current options
+				while (select.options.length > 0) {
+					select.remove(0);
+				}
+
+				//add an empty row
+				//select.add(new Option('', ''));
+
+				//add new options from the json results
+				obj = JSON.parse(this.responseText);
+				for (var i=0; i < obj.length; i++) {
+					select.add(new Option(obj[i].name, obj[i].id));
+				}
+			}
+		};
+		if (search) {
+			xhttp.open("GET", "/app/contacts/contact_json.php?search="+search, true);
+		}
+		else {
+			xhttp.open("GET", "/app/contacts/contact_json.php", true);
+		}
+		xhttp.send();
+	}
+</script>
+
+<?php
+
+//create token
+	$object = new token;
+	$token = $object->create($_SERVER['PHP_SELF']);
+
 //show the content
 	echo "<form method='post' name='frm' action=''>\n";
 	echo "<table width='100%'  border='0' cellpadding='0' cellspacing='0'>\n";
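Review bot: `get_contacts()` appends the raw search text to the query string, so characters such as `&`, `#` or `+` alter the request instead of being searched for; use `"/app/contacts/contact_json.php?search="+encodeURIComponent(search)`. `select` and `obj` are assigned without `var`, which makes them implicit globals shared by both search boxes, and the `id` parameter is never used. `JSON.parse(this.responseText)` is not wrapped in `try`/`catch`, so a non-JSON response (for example a login page after session expiry) would throw inside the handler. The request path is hard-coded to `/app/contacts/...`, while other links in this file are prefixed with `PROJECT_PATH`.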
@@ -284,6 +371,11 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	".$text['label-contact_uuid_from']."\n";
 	echo "</td>\n";
 	echo "<td class='vtable' align='left'>\n";
+	echo "	<input class=\"formfld\" type=\"text\" name=\"contact_search\" placeholder=\"".$text['label-search']."\" style=\"width: 80px;\" onkeyup=\"get_contacts('contact_from_select', 'contact_from_uuid', this.value);\" maxlength=\"255\" value=\"\">\n";
+	echo "	<select class='formfld' style=\"width: 150px;\" id=\"contact_from_select\" name=\"contact_uuid_from\" >\n";
+	echo "		<option value='".escape($contact_uuid_from)."'>".escape($contact_name_from ?? '')."</option>\n";
+	echo "	</select>\n";
+	/*
 	echo "<select name=\"contact_uuid_from\" id=\"contact_uuid_from\" class=\"formfld\">\n";
 	echo "<option value=\"\"></option>\n";
 	foreach($contacts as $row) {
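Review bot: The old `<select>` is disabled by wrapping it in `/* ... */` rather than being removed, which leaves dead code in the page; the closing `*/` sits in the next hunk, so the block cannot be read in full here. Delete the block (version control keeps it), here and in the matching `contact_uuid_to` hunks. Both new search boxes are also named `contact_search`, so they are posted with the form although nothing visible reads them; dropping the `name` attribute avoids sending them.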
@@ -308,6 +400,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	}
 	unset($sql, $result, $row_count);
 	echo "</select>\n";
+	*/
 	echo "<br />\n";
 	echo $text['description-contact_uuid_from']." \n";
 	echo "<a href='".PROJECT_PATH."/app/contacts/contact_edit.php?id=".escape($contact_uuid_from)."'>".$text['button-view']."</a>\n";
@@ -319,6 +412,12 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "	".$text['label-contact_uuid_to']."\n";
 	echo "</td>\n";
 	echo "<td class='vtable' align='left'>\n";
+
+	echo "	<input class=\"formfld\" type=\"text\" name=\"contact_search\" placeholder=\"".$text['label-search']."\" style=\"width: 80px;\" onkeyup=\"get_contacts('contact_to_select', 'contact_to_uuid', this.value);\" maxlength=\"255\" value=\"\">\n";
+	echo "	<select class='formfld' style=\"width: 150px;\" id=\"contact_to_select\" name=\"contact_uuid_to\" >\n";
+	echo "		<option value='".escape($contact_uuid_to)."'>".escape($contact_name_to ?? '')."</option>\n";
+	echo "	</select>\n";
+	/*
 	echo "<select name=\"contact_uuid_to\" id=\"contact_uuid_to\" class=\"formfld\">\n";
 	echo "<option value=\"\"></option>\n";
 	foreach($contacts as $row) {
@@ -343,6 +442,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	}
 	unset($sql, $result, $row_count);
 	echo "</select>\n";
+	*/
 	echo "<br />\n";
 	echo $text['description-contact_uuid_to']." \n";
 	echo "<a href='".PROJECT_PATH."/app/contacts/contact_edit.php?id=".escape($contact_uuid_to)."'>".$text['button-view']."</a>\n";
@@ -432,6 +532,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
 	echo "		</td>\n";
 	echo "	</tr>";
 	echo "</table>";
+	echo "<input type='hidden' name='".$token['name']."' value='".$token['hash']."'>\n";
 	echo "</form>";
 
 	if ($action == "update") {

+ 60 - 74
invoices/invoice_item_edit.php

@@ -46,23 +46,23 @@
 //action add or update
 	if (isset($_REQUEST["id"])) {
 		$action = "update";
-		$invoice_item_uuid = check_str($_REQUEST["id"]);
-		$back = check_str($_REQUEST['back']);
+		$invoice_item_uuid = $_REQUEST["id"];
+		$back = $_REQUEST['back'];
 	}
 	else {
 		$action = "add";
-		$back = check_str($_REQUEST['back']);
+		$back = $_REQUEST['back'];
 	}
 
 //get http post variables and set them to php variables
 	if (strlen(count($_REQUEST)) > 0) {
-		$contact_uuid = check_str($_REQUEST["contact_uuid"]);
-		$invoice_uuid = check_str($_REQUEST["invoice_uuid"]);
+		$contact_uuid = $_REQUEST["contact_uuid"];
+		$invoice_uuid = $_REQUEST["invoice_uuid"];
 	}	
 	if (count($_POST) > 0) {
-		$item_qty = check_str($_POST["item_qty"]);
-		$item_desc = check_str($_POST["item_desc"]);
-		$item_unit_price = check_str($_POST["item_unit_price"]);
+		$item_qty = $_POST["item_qty"];
+		$item_desc = $_POST["item_desc"];
+		$item_unit_price = $_POST["item_unit_price"];
 	}
 
 //process the data from the http post
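Review bot: With `check_str()` removed, `$_REQUEST["id"]`, `invoice_uuid`, `contact_uuid` and `back` are used without any validation, whereas invoice_edit.php in this same commit switched to `is_uuid($_REQUEST["id"])`. Apply the same test here, `if (is_uuid($_REQUEST["id"])) {`, and check `invoice_uuid` and `contact_uuid` with `is_uuid()` before they are saved or placed in the redirect URL. The same applies to `$_POST["invoice_item_uuid"]` in the next hunk. The surrounding condition `strlen(count($_REQUEST)) > 0` is always true, so it filters nothing.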
@@ -70,7 +70,7 @@
 
 		//get the id
 			if ($action == "update") {
-				$invoice_item_uuid = check_str($_POST["invoice_item_uuid"]);
+				$invoice_item_uuid = $_POST["invoice_item_uuid"];
 			}
 
 		//check for all required data
@@ -94,73 +94,59 @@
 				return;
 			}
 
-		//add or update the database
-			if ($_POST["persistformvar"] != "true") {
-				if ($action == "add" && permission_exists('invoice_item_add')) {
-					$invoice_item_uuid = uuid();
-					$sql = "insert into v_invoice_items ";
-					$sql .= "(";
-					$sql .= "domain_uuid, ";
-					$sql .= "invoice_uuid, ";
-					$sql .= "invoice_item_uuid, ";
-					$sql .= "item_qty, ";
-					$sql .= "item_desc, ";
-					$sql .= "item_unit_price ";
-					$sql .= ")";
-					$sql .= "values ";
-					$sql .= "(";
-					$sql .= "'$domain_uuid', ";
-					$sql .= "'$invoice_uuid', ";
-					$sql .= "'$invoice_item_uuid', ";
-					$sql .= "'$item_qty', ";
-					$sql .= "'$item_desc', ";
-					$sql .= "'$item_unit_price' ";
-					$sql .= ")";
-					$db->exec(check_sql($sql));
-					unset($sql);
-
-					//set redirect
-					$_SESSION['message'] = $text['message-add'];
-					$back = ($back != '') ? "&back=".$back : null;
-					header("Location: invoice_edit.php?id=".$invoice_uuid."&contact_uuid=".$contact_uuid.$back);
-					return;
-	
-				} //if ($action == "add")
-
-				if ($action == "update" && permission_exists('invoice_item_edit')) {
-					$sql = "update v_invoice_items set ";
-					$sql .= "item_qty = '$item_qty', ";
-					$sql .= "item_desc = '$item_desc', ";
-					$sql .= "item_unit_price = '$item_unit_price' ";
-					$sql .= "where domain_uuid = '$domain_uuid' ";
-					$sql .= "and invoice_item_uuid = '$invoice_item_uuid'";
-					$db->exec(check_sql($sql));
-					unset($sql);
-
-					//set redirect
-					$_SESSION['message'] = $text['message-update'];
-					$back = ($back != '') ? "&back=".$back : null;
-					header("Location: invoice_edit.php?id=".$invoice_uuid."&contact_uuid=".$contact_uuid.$back);
-					return;
-
-				} //if ($action == "update")
-			} //if ($_POST["persistformvar"] != "true")
-	} //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0)
+		//add the invoice_uuid
+			if (!is_uuid($_POST["invoice_item_uuid"])) {
+				$invoice_item_uuid = uuid();
+			}
+
+		//prepare the array
+			$array['invoice_items'][0]['invoice_item_uuid'] = $invoice_item_uuid;
+			$array['invoice_items'][0]['invoice_uuid'] = $invoice_uuid;
+			$array['invoice_items'][0]['domain_uuid'] = $_SESSION['domain_uuid'];
+			$array['invoice_items'][0]['item_qty'] = $item_qty;
+			$array['invoice_items'][0]['item_desc'] = $item_desc;
+			$array['invoice_items'][0]['item_unit_price'] = $item_unit_price;
+
+		//save the data
+			$database = new database;
+			$database->app_name = 'invoices';
+			$database->app_uuid = 'e5a1f4f5-7766-ec9c-118b-50f76b0788c0';
+			$result = $database->save($array);
+			//view_array($result);
+
+		//redirect the browser
+			if ($action == "add" && permission_exists('invoice_item_add')) {
+				$_SESSION['message'] = $text['message-add'];
+				$back = ($back != '') ? "&back=".$back : null;
+				header("Location: invoice_edit.php?id=".$invoice_uuid."&contact_uuid=".$contact_uuid.$back);
+				return;
+			}
+
+			if ($action == "update" && permission_exists('invoice_item_edit')) {
+				$_SESSION['message'] = $text['message-update'];
+				$back = ($back != '') ? "&back=".$back : null;
+				header("Location: invoice_edit.php?id=".$invoice_uuid."&contact_uuid=".$contact_uuid.$back);
+				return;
+			}
+
+	}
 
 //pre-populate the form
-	if (count($_GET) > 0 && $_POST["persistformvar"] != "true") {
-		$invoice_item_uuid = check_str($_GET["id"]);
+	if (is_array($_GET) && $_POST["persistformvar"] != "true") {
+		$invoice_item_uuid = $_GET["id"];
 		$sql = "select * from v_invoice_items ";
-		$sql .= "where domain_uuid = '$domain_uuid' ";
-		$sql .= "and invoice_item_uuid = '$invoice_item_uuid' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
-			$item_qty = $row["item_qty"];
-			$item_desc = $row["item_desc"];
-			$item_unit_price = $row["item_unit_price"];
-			break; //limit to 1 row
+		$sql .= "where domain_uuid = :domain_uuid ";
+		$sql .= "and invoice_item_uuid = :invoice_item_uuid ";
+		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+		$parameters['invoice_item_uuid'] = $invoice_item_uuid;
+		$database = new database;
+		$result = $database->select($sql, $parameters, 'all');
+		if (!empty($result)) {
+			foreach ($result as &$row) {
+				$item_qty = $row["item_qty"];
+				$item_desc = $row["item_desc"];
+				$item_unit_price = $row["item_unit_price"];
+			}
 		}
 		unset ($prep_statement);
 	}
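Review bot: `$database->save($array)` now runs before any permission check: `permission_exists('invoice_item_add')` and `permission_exists('invoice_item_edit')` only decide whether the redirect happens, so unless the `database` class enforces them itself (not visible here) a user without either permission can still write invoice items. Move the check ahead of the save and encode the values placed in the redirect URL, as sketched below. This file also gets no `token` validation, although invoice_edit.php gained one in the same commit, and `$invoice_uuid` from the request is saved without confirming that the invoice belongs to the session's domain. In the pre-populate loop, `foreach ($result as &$row)` lost its `break` and never unsets the reference; a by-value loop or a `'row'` select would be simpler.

```php
		//save only when the caller holds the permission for this action
			$permission = ($action == "add") ? 'invoice_item_add' : 'invoice_item_edit';
			if (!permission_exists($permission)) {
				return;
			}
			// … unchanged: prepare the array and call $database->save($array) …

		//redirect the browser
			$_SESSION['message'] = $text[($action == "add") ? 'message-add' : 'message-update'];
			$back = ($back != '') ? "&back=".urlencode($back) : null;
			header("Location: invoice_edit.php?id=".urlencode($invoice_uuid)."&contact_uuid=".urlencode($contact_uuid).$back);
			return;
```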
@@ -205,7 +191,7 @@
 	echo "	".$text['label-item_desc']."\n";
 	echo "</td>\n";
 	echo "<td class='vtable' align='left'>\n";
-	echo "  <textarea class='formfld' type='text' rows='15' name='item_desc'>".escape($item_desc)."</textarea>\n";
+	echo "  <textarea class='formfld' type='text' rows='15' name='item_desc'>".$item_desc."</textarea>\n";
 	echo "<br />\n";
 	//echo $text['description-item_desc']."\n";
 	echo "</td>\n";
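Review bot: Dropping `escape()` here writes `$item_desc` into the `<textarea>` unencoded, so a stored description that contains markup would be rendered as HTML for whoever opens the item (stored XSS). The value comes either from `$_POST` or from the database row, and neither is encoded before this line. Keep the output encoding: `echo "  <textarea class='formfld' type='text' rows='15' name='item_desc'>".escape($item_desc)."</textarea>\n";`.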

+ 18 - 22
invoices/invoice_items.php

@@ -53,19 +53,17 @@
 
 //prepare to page the results
 	$sql = "select count(*) as num_rows from v_invoice_items ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
-	$sql .= " and invoice_uuid = '$invoice_uuid' ";
-	if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-	$prep_statement = $db->prepare($sql);
-	if ($prep_statement) {
-		$prep_statement->execute();
-		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-		if ($row['num_rows'] > 0) {
-			$num_rows = $row['num_rows'];
-		}
-		else {
-			$num_rows = '0';
-		}
+	$sql .= "where domain_uuid = :domain_uuid ";
+	$sql .= " and invoice_uuid = :invoice_uuid ";
+	if (!empty($order_by)) { $sql .= "order by $order_by $order "; }
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$parameters['invoice_uuid'] = $invoice_uuid;
+	$row = $database->select($sql, $parameters, 'row');
+	if ($row['num_rows'] > 0) {
+		$num_rows = $row['num_rows'];
+	}
+	else {
+		$num_rows = '0';
 	}
 
 //prepare to page the results
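Review bot: The `where` clause is now bound, but `order by $order_by $order` is still concatenated into the SQL, both in this query and in the list query of the next hunk. Where `$order_by` and `$order` are assigned is outside the hunk; if they come from the request, restrict them before use by checking `$order_by` against a fixed list of column names and `$order` against `asc`/`desc`. An `order by` on the `count(*)` query serves no purpose and can be dropped. `$database` is used here without a visible `new database;`, and `$parameters` is not unset between the two selects.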
@@ -78,14 +76,12 @@
 
 //get the list
 	$sql = "select * from v_invoice_items ";
-	$sql .= "where domain_uuid = '$domain_uuid' ";
-	$sql .= " and invoice_uuid = '$invoice_uuid' ";
-	if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
-	$sql .= "limit $rows_per_page offset $offset ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	$result_count = count($result);
+	$sql .= "where domain_uuid = :domain_uuid ";
+	$sql .= " and invoice_uuid = :invoice_uuid ";
+	if (!empty($order_by)) { $sql .= "order by $order_by $order "; }
+	$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+	$parameters['invoice_uuid'] = $invoice_uuid;
+	$result = $database->select($sql, $parameters, 'all');
 	unset ($prep_statement, $sql);
 
 //set the row style
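Review bot: The `limit $rows_per_page offset $offset` line was removed and not replaced, so the list query returns every item of the invoice while the paging code above still computes pages. If the removal was only meant to avoid interpolation, cast the two values and keep the clause: `$sql .= "limit ".(int)$rows_per_page." offset ".(int)$offset." ";`. `unset ($prep_statement, $sql)` should become `unset($sql, $parameters);` since `$prep_statement` no longer exists.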
@@ -111,7 +107,7 @@
 	echo "</td>\n";
 	echo "<tr>\n";
 
-	if ($result_count > 0) {
+	if (!empty($result)) {
 		foreach($result as $row) {
 			$item_desc = $row['item_desc'];
 			$item_desc = str_replace("\n", "<br />", $item_desc);