
Database class integration.

Nate 6 jaren geleden
bovenliggende
commit
4405bec43b

+ 7 - 6
core/upgrade/index.php

@@ -214,13 +214,14 @@
 		echo 			"<input type='checkbox' name='do[menu]' id='do_menu' value='1' onchange=\"$('#sel_menu').fadeToggle('fast');\">";
 		echo 			"<select name='sel_menu' id='sel_menu' class='formfld' style='display: none; vertical-align: middle; margin-left: 5px;'>";
 		$sql = "select * from v_menus ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
-			echo "<option value='".$row["menu_uuid"]."|".$row["menu_language"]."'>".$row["menu_name"]."</option>";
+		$database = new database;
+		$result = $database->select($sql, null, 'all');
+		if (is_array($result) && sizeof($result) != 0) {
+			foreach ($result as &$row) {
+				echo "<option value='".$row["menu_uuid"]."|".$row["menu_language"]."'>".$row["menu_name"]."</option>";
+			}
 		}
-		unset ($sql, $result, $prep_statement);
+		unset ($sql, $result);
 		echo 			"</select>";
 		echo 			" &nbsp;".$text['description-upgrade_menu'];
 		echo "	</td>\n";
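Review bot: `foreach ($result as &$row)` in the re-indented loop still iterates by reference although the body only reads `$row`, and no `unset($row)` follows the loop, so `$row` stays aliased to the last menu row afterwards; `foreach ($result as $row)` is sufficient here. The same `echo` also writes `menu_uuid`, `menu_language` and `menu_name` straight into an attribute and element body, so the option markup depends on those columns never containing quotes or angle brackets — wrapping each with `htmlspecialchars($row["menu_name"], ENT_QUOTES)` keeps the switch to the database class from changing that exposure. The enclosing block starts and ends outside the hunk.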

+ 166 - 145
core/user_settings/user_dashboard.php

@@ -54,7 +54,8 @@
 		$sql .= "default_setting_category = 'login' ";
 		$sql .= "and default_setting_subcategory = 'message' ";
 		$sql .= "and default_setting_name = 'text' ";
-		$db->exec(check_sql($sql));
+		$database = new database;
+		$database->execute($sql);
 		unset($sql);
 	}
 
@@ -127,18 +128,19 @@
 				$stats['domain']['devices']['total'] = 0;
 				$stats['domain']['devices']['disabled'] = 0;
 				$sql = "select domain_uuid, device_enabled from v_devices";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['devices']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['devices']['disabled'] += ($row['device_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['devices']['total']++;
-						$stats['domain']['devices']['disabled'] += ($row['device_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['devices']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['devices']['disabled'] += ($row['device_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['devices']['total']++;
+							$stats['domain']['devices']['disabled'] += ($row['device_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//extensions
@@ -148,18 +150,19 @@
 				$stats['domain']['extensions']['total'] = 0;
 				$stats['domain']['extensions']['disabled'] = 0;
 				$sql = "select domain_uuid, enabled from v_extensions";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['extensions']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['extensions']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['extensions']['total']++;
-						$stats['domain']['extensions']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['extensions']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['extensions']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['extensions']['total']++;
+							$stats['domain']['extensions']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//gateways
@@ -169,18 +172,19 @@
 				$stats['domain']['gateways']['total'] = 0;
 				$stats['domain']['gateways']['disabled'] = 0;
 				$sql = "select domain_uuid, enabled from v_gateways";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['gateways']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['gateways']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['gateways']['total']++;
-						$stats['domain']['gateways']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['gateways']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['gateways']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['gateways']['total']++;
+							$stats['domain']['gateways']['disabled'] += ($row['enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//users
@@ -190,18 +194,19 @@
 				$stats['domain']['users']['total'] = 0;
 				$stats['domain']['users']['disabled'] = 0;
 				$sql = "select domain_uuid, user_enabled from v_users";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['users']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['users']['disabled'] += ($row['user_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['users']['total']++;
-						$stats['domain']['users']['disabled'] += ($row['user_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['users']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['users']['disabled'] += ($row['user_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['users']['total']++;
+							$stats['domain']['users']['disabled'] += ($row['user_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//destinations
@@ -211,18 +216,19 @@
 				$stats['domain']['destinations']['total'] = 0;
 				$stats['domain']['destinations']['disabled'] = 0;
 				$sql = "select domain_uuid, destination_enabled from v_destinations";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['destinations']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['destinations']['disabled'] += ($row['destination_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['destinations']['total']++;
-						$stats['domain']['destinations']['disabled'] += ($row['destination_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['destinations']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['destinations']['disabled'] += ($row['destination_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['destinations']['total']++;
+							$stats['domain']['destinations']['disabled'] += ($row['destination_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//call center queues
@@ -232,18 +238,19 @@
 				$stats['domain']['call_center_queues']['total'] = 0;
 				$stats['domain']['call_center_queues']['disabled'] = 0;
 				$sql = "select domain_uuid from v_call_center_queues";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['call_center_queues']['total'] = count($result);
-				foreach ($result as $row) {
-					//$stats['system']['call_center_queues']['disabled'] += ($row['queue_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['call_center_queues']['total']++;
-						//$stats['domain']['call_center_queues']['disabled'] += ($row['queue_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['call_center_queues']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						//$stats['system']['call_center_queues']['disabled'] += ($row['queue_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['call_center_queues']['total']++;
+							//$stats['domain']['call_center_queues']['disabled'] += ($row['queue_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//ivr menus
@@ -253,18 +260,19 @@
 				$stats['domain']['ivr_menus']['total'] = 0;
 				$stats['domain']['ivr_menus']['disabled'] = 0;
 				$sql = "select domain_uuid, ivr_menu_enabled from v_ivr_menus";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['ivr_menus']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['ivr_menus']['disabled'] += ($row['ivr_menu_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['ivr_menus']['total']++;
-						$stats['domain']['ivr_menus']['disabled'] += ($row['ivr_menu_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['ivr_menus']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['ivr_menus']['disabled'] += ($row['ivr_menu_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['ivr_menus']['total']++;
+							$stats['domain']['ivr_menus']['disabled'] += ($row['ivr_menu_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//ring groups
@@ -274,18 +282,19 @@
 				$stats['domain']['ring_groups']['total'] = 0;
 				$stats['domain']['ring_groups']['disabled'] = 0;
 				$sql = "select domain_uuid, ring_group_enabled from v_ring_groups";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['ring_groups']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['ring_groups']['disabled'] += ($row['ring_group_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['ring_groups']['total']++;
-						$stats['domain']['ring_groups']['disabled'] += ($row['ring_group_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['ring_groups']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['ring_groups']['disabled'] += ($row['ring_group_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['ring_groups']['total']++;
+							$stats['domain']['ring_groups']['disabled'] += ($row['ring_group_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//voicemails
@@ -295,18 +304,19 @@
 				$stats['domain']['voicemails']['total'] = 0;
 				$stats['domain']['voicemails']['disabled'] = 0;
 				$sql = "select domain_uuid, voicemail_enabled from v_voicemails";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['voicemails']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['voicemails']['disabled'] += ($row['voicemail_enabled'] != 'true') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['voicemails']['total']++;
-						$stats['domain']['voicemails']['disabled'] += ($row['voicemail_enabled'] != 'true') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['voicemails']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['voicemails']['disabled'] += ($row['voicemail_enabled'] != 'true') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['voicemails']['total']++;
+							$stats['domain']['voicemails']['disabled'] += ($row['voicemail_enabled'] != 'true') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 
 		//voicemail messages
@@ -316,18 +326,19 @@
 				$stats['domain']['messages']['total'] = 0;
 				$stats['domain']['messages']['new'] = 0;
 				$sql = "select domain_uuid, message_status from v_voicemail_messages";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				$stats['system']['messages']['total'] = count($result);
-				foreach ($result as $row) {
-					$stats['system']['messages']['new'] += ($row['message_status'] != 'saved') ? 1 : 0;
-					if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
-						$stats['domain']['messages']['total']++;
-						$stats['domain']['messages']['new'] += ($row['message_status'] != 'saved') ? 1 : 0;
+				$database = new database;
+				$result = $database->select($sql, null, 'all');
+				if (is_array($result) && sizeof($result) != 0) {
+					$stats['system']['messages']['total'] = sizeof($result);
+					foreach ($result as $row) {
+						$stats['system']['messages']['new'] += ($row['message_status'] != 'saved') ? 1 : 0;
+						if ($row['domain_uuid'] == $_SESSION['domain_uuid']) {
+							$stats['domain']['messages']['total']++;
+							$stats['domain']['messages']['new'] += ($row['message_status'] != 'saved') ? 1 : 0;
+						}
 					}
 				}
-				unset ($sql, $prep_statement, $result);
+				unset($sql, $result);
 			}
 	}
 
@@ -410,6 +421,7 @@
 			foreach ($_SESSION['user']['extension'] as $assigned_extension) {
 				$assigned_extensions[$assigned_extension['extension_uuid']] = $assigned_extension['user'];
 			}
+			unset($assigned_extension);
 
 			//if also viewing system status, show more recent calls (more room avaialble)
 			$missed_limit = (is_array($selected_blocks) && in_array('counts', $selected_blocks)) ? 10 : 5;
@@ -425,30 +437,34 @@
 				from
 					v_xml_cdr
 				where
-					domain_uuid = '".$_SESSION['domain_uuid']."'
+					domain_uuid = :domain_uuid
 					and (
 						direction = 'inbound'
 						or direction = 'local'
 					)
-					and (missed_call = true or bridge_uuid is null)
-					and destination_number in ('".implode("','",$assigned_extensions)."')
-					and (";
-					$x = 0;
-					foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
-						$sql .= "extension_uuid = '".$assigned_extension_uuid."' ";
-						$sql .= "or destination_number = '".$assigned_extension."' ";
-						if (++$x < sizeof($assigned_extensions)) { $sql .= "or "; }
+					and (missed_call = true or bridge_uuid is null) ";
+					if (is_array($assigned_extensions) && sizeof($assigned_extensions) != 0) {
+						$x = 0;
+						foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
+							$sql_where_array[] = "extension_uuid = :assigned_extension_uuid_".$x;
+							$sql_where_array[] = "destination_number = :destination_number_".$x;
+							$parameters['assigned_extension_uuid_'.$x] = $assigned_extension_uuid;
+							$parameters['destination_number_'.$x] = $assigned_extension;
+							$x++;
+						}
+						if (is_array($sql_where_array) && sizeof($sql_where_array) != 0) {
+							$sql .= "and (".implode(' or ', $sql_where_array).") ";
+						}
+						unset($sql_where_array);
 					}
 					$sql .= "
-					)
 					and start_epoch > ".(time() - 86400)."
 				order by
 					start_epoch desc";
-			$prep_statement = $db->prepare(check_sql($sql));
-			$prep_statement->execute();
-			$result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
-			$result_count = count($result);
-			unset ($prep_statement, $sql);
+			$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+			$database = new database;
+			$result = $database->select($sql, $parameters, 'all');
+			$num_rows = is_array($result) ? sizeof($result) : 0;
 
 			$c = 0;
 			$row_style["0"] = "row_style0";
@@ -456,20 +472,20 @@
 
 			$hud[$n]['html'] .= "<span class='hud_title' onclick=\"document.location.href='".PROJECT_PATH."/app/xml_cdr/xml_cdr.php?call_result=missed'\">".$text['label-missed_calls']."</span>";
 
-			$hud[$n]['html'] .= "<span class='hud_stat' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$result_count."</span>";
+			$hud[$n]['html'] .= "<span class='hud_stat' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$num_rows."</span>";
 			$hud[$n]['html'] .= "<span class='hud_stat_title' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$text['label-last_24_hours']."</span>\n";
 
 			$hud[$n]['html'] .= "<div class='hud_details' id='hud_".$n."_details'>";
 			$hud[$n]['html'] .= "<table class='tr_hover' width='100%' cellpadding='0' cellspacing='0' border='0'>\n";
 			$hud[$n]['html'] .= "<tr>\n";
-			if ($result_count > 0) {
+			if ($num_rows > 0) {
 				$hud[$n]['html'] .= "<th class='hud_heading'>&nbsp;</th>\n";
 			}
 			$hud[$n]['html'] .= "<th class='hud_heading' width='100%'>".$text['label-cid_number']."</th>\n";
 			$hud[$n]['html'] .= "<th class='hud_heading'>".$text['label-missed']."</th>\n";
 			$hud[$n]['html'] .= "</tr>\n";
 
-			if ($result_count > 0) {
+			if ($num_rows > 0) {
 				$theme_cdr_images_exist = (
 					file_exists($theme_image_path."icon_cdr_inbound_voicemail.png") &&
 					file_exists($theme_image_path."icon_cdr_inbound_cancelled.png") &&
@@ -512,8 +528,8 @@
 					$hud[$n]['html'] .= "</tr>\n";
 					$c = ($c) ? 0 : 1;
 				}
-				unset($sql, $result, $row_count);
 			}
+			unset($sql, $parameters, $result, $num_rows, $index, $row);
 
 			$hud[$n]['html'] .= "</table>\n";
 			$hud[$n]['html'] .= "<span style='display: block; margin: 6px 0 7px 0;'><a href='".PROJECT_PATH."/app/xml_cdr/xml_cdr.php?call_result=missed'>".$text['label-view_all']."</a></span>\n";
@@ -544,26 +560,33 @@
 				from
 					v_xml_cdr
 				where
-					domain_uuid = '".$_SESSION['domain_uuid']."'
-					and (";
-					$x = 0;
-					foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
-						$sql .= "extension_uuid = '".$assigned_extension_uuid."' ";
-						$sql .= "or caller_id_number = '".$assigned_extension."' ";
-						$sql .= "or destination_number = '".$assigned_extension."' ";
-						$sql .= "or destination_number = '*99".$assigned_extension."' ";
-						if (++$x < sizeof($assigned_extensions)) { $sql .= "or "; }
+					domain_uuid = :domain_uuid ";
+					if (is_array($assigned_extensions) && sizeof($assigned_extensions) != 0) {
+						$x = 0;
+						foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
+							$sql_where_array[] = "extension_uuid = extension_uuid_".$x;
+							$sql_where_array[] = "caller_id_number = caller_id_number_".$x;
+							$sql_where_array[] = "destination_number = destination_number_1_".$x;
+							$sql_where_array[] = "destination_number = destination_number_2_".$x;
+							$parameters['extension_uuid_'.$x] = $assigned_extension_uuid;
+							$parameters['caller_id_number_'.$x] = $assigned_extension;
+							$parameters['destination_number_1_'.$x] = $assigned_extension;
+							$parameters['destination_number_2_'.$x] = '*99'.$assigned_extension;
+							$x++;
+						}
+						if (is_array($sql_where_array) && sizeof($sql_where_array) != 0) {
+							$sql .= "and (".implode(' or ', $sql_where_array).") ";
+						}
+						unset($sql_where_array);
 					}
 					$sql .= "
-					)
 					and start_epoch > ".(time() - 86400)."
 				order by
 					start_epoch desc";
-			$prep_statement = $db->prepare(check_sql($sql));
-			$prep_statement->execute();
-			$result = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
-			$result_count = count($result);
-			unset ($prep_statement, $sql);
+			$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
+			$database = new database;
+			$result = $database->select($sql, $parameters, 'all');
+			$num_rows = is_array($result) ? sizeof($result) : 0;
 
 			$c = 0;
 			$row_style["0"] = "row_style0";
@@ -571,20 +594,20 @@
 
 			$hud[$n]['html'] .= "<span class='hud_title' onclick=\"document.location.href='".PROJECT_PATH."/app/xml_cdr/xml_cdr.php';\">".$text['label-recent_calls']."</span>";
 
-			$hud[$n]['html'] .= "<span class='hud_stat' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$result_count."</span>";
+			$hud[$n]['html'] .= "<span class='hud_stat' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$num_rows."</span>";
 			$hud[$n]['html'] .= "<span class='hud_stat_title' onclick=\"$('#hud_'+".$n."+'_details').slideToggle('fast');\">".$text['label-last_24_hours']."</span>\n";
 
 			$hud[$n]['html'] .= "<div class='hud_details' id='hud_".$n."_details'>";
 			$hud[$n]['html'] .= "<table class='tr_hover' width='100%' cellpadding='0' cellspacing='0' border='0'>\n";
 			$hud[$n]['html'] .= "<tr>\n";
-			if ($result_count > 0) {
+			if ($num_rows > 0) {
 				$hud[$n]['html'] .= "<th class='hud_heading'>&nbsp;</th>\n";
 			}
 			$hud[$n]['html'] .= "<th class='hud_heading' width='100%'>".$text['label-cid_number']."</th>\n";
 			$hud[$n]['html'] .= "<th class='hud_heading'>".$text['label-date_time']."</th>\n";
 			$hud[$n]['html'] .= "</tr>\n";
 
-			if ($result_count > 0) {
+			if ($num_rows > 0) {
 				$theme_cdr_images_exist = (
 					file_exists($theme_image_path."icon_cdr_inbound_answered.png") &&
 					file_exists($theme_image_path."icon_cdr_inbound_voicemail.png") &&
@@ -659,8 +682,8 @@
 					unset($cdr_name, $cdr_number);
 					$c = ($c) ? 0 : 1;
 				}
-				unset($sql, $result, $row_count);
 			}
+			unset($sql, $parameters, $result, $num_rows, $index, $row);
 
 			$hud[$n]['html'] .= "</table>\n";
 			$hud[$n]['html'] .= "<span style='display: block; margin: 6px 0 7px 0;'><a href='".PROJECT_PATH."/app/xml_cdr/xml_cdr.php'>".$text['label-view_all']."</a></span>\n";
@@ -1076,7 +1099,7 @@
 			//db connections
 				switch ($db_type) {
 					case 'pgsql':
-						$sql = "select count(*) as connections from pg_stat_activity";
+						$sql = "select count(*) from pg_stat_activity";
 						break;
 					case 'mysql':
 						$sql = "show status where `variable_name` = 'Threads_connected'";
@@ -1090,11 +1113,9 @@
 						}
 				}
 				if ($sql != '') {
-					$prep_statement = $db->prepare(check_sql($sql));
-					$prep_statement->execute();
-					$result = $prep_statement->fetch(PDO::FETCH_NAMED);
-					$connections = $result['connections'];
-					unset ($sql, $prep_statement, $result);
+					$database = new database;
+					$connections = $database->select($sql, null, 'column');
+					unset($sql);
 				}
 				if ($connections != '') {
 					$hud[$n]['html'] .= "<tr class='tr_link_void'>\n";
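Review bot: In the recent-calls hunk (`@@ -544,26 +560,33 @@`) the four `$sql_where_array[]` entries are built without the `:` placeholder prefix (`"extension_uuid = extension_uuid_".$x`, `"caller_id_number = caller_id_number_".$x` and the two `destination_number` lines), so the SQL compares each column to an unknown identifier instead of a bound value while `$parameters` still carries `extension_uuid_N` etc. that no placeholder consumes; the missed-calls hunk above (`:assigned_extension_uuid_`) shows the intended form. The statement will therefore fail or never match, and `$num_rows = is_array($result) ? sizeof($result) : 0;` turns that into a silent zero recent calls. In the db-connections hunk, `select($sql, null, 'column')` on the mysql `show status` query presumably yields the first column, i.e. the variable name rather than its value — worth confirming against the database class. The surrounding blocks start and end outside their hunks.
```php
foreach ($assigned_extensions as $assigned_extension_uuid => $assigned_extension) {
    $sql_where_array[] = "extension_uuid = :extension_uuid_".$x;
    $sql_where_array[] = "caller_id_number = :caller_id_number_".$x;
    $sql_where_array[] = "destination_number = :destination_number_1_".$x;
    $sql_where_array[] = "destination_number = :destination_number_2_".$x;
    // … unchanged: $parameters assignments and $x++ …
}
```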

+ 17 - 11
core/user_settings/user_setting_delete.php

@@ -44,26 +44,32 @@
 
 //delete user settings
 	$user_setting_uuids = $_REQUEST["id"];
-	$user_uuid = check_str($_REQUEST["user_uuid"]);
+	$user_uuid = $_REQUEST["user_uuid"];
 
-	if (sizeof($user_setting_uuids) > 0) {
-		foreach ($user_setting_uuids as $user_setting_uuid) {
-			$sql = "delete from v_user_settings ";
-			$sql .= "where user_uuid = '".$user_uuid."' ";
-			$sql .= "and user_setting_uuid = '".$user_setting_uuid."' ";
-			$prep_statement = $db->prepare(check_sql($sql));
-			$prep_statement->execute();
-			unset ($prep_statement, $sql);
+	if (is_uuid($user_uuid) && is_array($user_setting_uuids) && sizeof($user_setting_uuids) != 0) {
+		foreach ($user_setting_uuids as $index => $user_setting_uuid) {
+			if (is_uuid($user_setting_uuid)) {
+				$array['user_settings'][$index]['user_setting_uuid'] = $user_setting_uuid;
+				$array['user_settings'][$index]['user_uuid'] = $user_uuid;
+			}
+		}
+		if (is_array($array) && sizeof($array) != 0) {
+			$database = new database;
+			$database->app_name = 'user_settings';
+			$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+			$database->delete($array);
+			$user_settings_deleted = sizeof($array['user_settings']);
+			unset($array);
 		}
 		// set message
-		$_SESSION["message"] = $text['message-delete'].": ".sizeof($user_setting_uuids);
+		message::add($text['message-delete'].": ".$user_settings_deleted);
 	}
 	else {
 		// set message
 		message::add($text['message-delete_failed'], 'negative');
 	}
 
-	header("Location: /core/users/user_edit.php?id=".check_str($_REQUEST["user_uuid"]));
+	header("Location: /core/users/user_edit.php?id=".$user_uuid);
 	exit;
 
 ?>
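Review bot: `header("Location: /core/users/user_edit.php?id=".$user_uuid);` now emits the raw `$_REQUEST["user_uuid"]` even on the failure path, where `is_uuid($user_uuid)` has just returned false and the removed `check_str()` was the only filtering the value had. Append the id only once it validated, e.g. `header("Location: /core/users/user_edit.php".(is_uuid($user_uuid) ? "?id=".$user_uuid : ""));`. `$user_settings_deleted` is also read in the success message but only assigned inside the inner `if`, so when every submitted id fails `is_uuid` the message shows an empty count; initialise it with `$user_settings_deleted = 0;` before the loop.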

+ 175 - 195
core/user_settings/user_setting_edit.php

@@ -62,35 +62,35 @@
 	}
 
 //action add or update
-	if (isset($_REQUEST["id"])) {
+	if (is_uuid($_REQUEST["id"])) {
 		$action = "update";
-		$user_setting_uuid = check_str($_REQUEST["id"]);
+		$user_setting_uuid = $_REQUEST["id"];
 	}
 	else {
 		$action = "add";
 	}
 
 //set the user_uuid
-	if (strlen($_GET["user_uuid"]) > 0) {
-		$user_uuid = check_str($_GET["user_uuid"]);
+	if (is_uuid($_GET["user_uuid"])) {
+		$user_uuid = $_GET["user_uuid"];
 	}
 
 //get http post variables and set them to php variables
 	if (count($_REQUEST) > 0) {
-		$user_setting_category = strtolower(check_str($_REQUEST["user_setting_category"]));
-		$user_setting_subcategory = strtolower(check_str($_POST["user_setting_subcategory"]));
-		$user_setting_name = strtolower(check_str($_POST["user_setting_name"]));
-		$user_setting_value = check_str($_POST["user_setting_value"]);
-		$user_setting_order = check_str($_POST["user_setting_order"]);
-		$user_setting_enabled = strtolower(check_str($_POST["user_setting_enabled"]));
-		$user_setting_description = check_str($_POST["user_setting_description"]);
+		$user_setting_category = strtolower($_REQUEST["user_setting_category"]);
+		$user_setting_subcategory = strtolower($_POST["user_setting_subcategory"]);
+		$user_setting_name = strtolower($_POST["user_setting_name"]);
+		$user_setting_value = $_POST["user_setting_value"];
+		$user_setting_order = $_POST["user_setting_order"];
+		$user_setting_enabled = strtolower($_POST["user_setting_enabled"]);
+		$user_setting_description = $_POST["user_setting_description"];
 	}
 
 if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 
 	$msg = '';
 	if ($action == "update") {
-		$user_setting_uuid = check_str($_POST["user_setting_uuid"]);
+		$user_setting_uuid = $_POST["user_setting_uuid"];
 	}
 
 	//check for all required/authorized data
@@ -122,198 +122,177 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 			//update switch timezone variables
 				if ($user_setting_category == "domain" && $user_setting_subcategory == "time_zone" && $user_setting_name == "name" ) {
 					//get the dialplan_uuid
-						$sql = "select * from v_dialplans ";
-						$sql .= "where domain_uuid = '".$domain_uuid."' ";
+						$sql = "select dialplan_uuid from v_dialplans ";
+						$sql .= "where domain_uuid = :domain_uuid ";
 						$sql .= "and app_uuid = '9f356fe7-8cf8-4c14-8fe2-6daf89304458' ";
-						$prep_statement = $db->prepare(check_sql($sql));
-						$prep_statement->execute();
-						$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-						foreach ($result as $row) {
-							$dialplan_uuid = $row["dialplan_uuid"];
-						}
-						unset ($prep_statement);
+						$parameters['domain_uuid'] = $domain_uuid;
+						$database = new database;
+						$dialplan_uuid = $database->select($sql, $parameters, 'column');
+						unset($sql, $parameters);
 
 					//get the action
-						$sql = "select * from v_dialplan_details ";
-						$sql .= "where domain_uuid = '".$domain_uuid."' ";
-						$sql .= "and dialplan_uuid = '".$dialplan_uuid."' ";
+						$sql = "select dialplan_detail_uuid from v_dialplan_details ";
+						$sql .= "where domain_uuid = :domain_uuid ";
+						$sql .= "and dialplan_uuid = :dialplan_uuid ";
 						$sql .= "and dialplan_detail_tag = 'action' ";
 						$sql .= "and dialplan_detail_type = 'set' ";
 						$sql .= "and dialplan_detail_data like 'timezone=%' ";
-						$prep_statement = $db->prepare(check_sql($sql));
-						$prep_statement->execute();
-						$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-						$detail_action = "add";
-						foreach ($result as $row) {
-							$dialplan_detail_uuid = $row["dialplan_detail_uuid"];
+						$parameters['domain_uuid'] = $domain_uuid;
+						$parameters['dialplan_uuid'] = $dialplan_uuid;
+						$database = new database;
+						$dialplan_detail_uuid = $database->select($sql, $parameters, 'column');
+						if (is_uuid($dialplan_detail_uuid)) {
 							$detail_action = "update";
 						}
-						unset ($prep_statement);
+						unset($sql, $parameters);
 
 					//update the timezone
 						if ($detail_action == "update") {
-							$sql = "update v_dialplan_details ";
-							$sql .= "set dialplan_detail_data = 'timezone=".$user_setting_value."' ";
-							$sql .= "where dialplan_detail_uuid = '".$dialplan_detail_uuid."' ";
+							$p = new permissions;
+							$p->add('dialplan_detail_edit', 'temp');
+
+							$array['dialplan_details'][0]['dialplan_detail_uuid'] = $dialplan_detail_uuid;
+							$array['dialplan_details'][0]['dialplan_detail_data'] = 'timezone='.$user_setting_value;
 						}
 						else {
-							$dialplan_detail_uuid = uuid();
-							$dialplan_detail_group = 0;
-							$sql = "insert into v_dialplan_details ";
-							$sql .= "(";
-							$sql .= "domain_uuid, ";
-							$sql .= "dialplan_detail_uuid, ";
-							$sql .= "dialplan_uuid, ";
-							$sql .= "dialplan_detail_tag, ";
-							$sql .= "dialplan_detail_type, ";
-							$sql .= "dialplan_detail_data, ";
-							$sql .= "dialplan_detail_inline, ";
-							$sql .= "dialplan_detail_group ";
-							$sql .= ") ";
-							$sql .= "values ";
-							$sql .= "(";
-							$sql .= "'".$domain_uuid."', ";
-							$sql .= "'".$dialplan_detail_uuid."', ";
-							$sql .= "'".$dialplan_uuid."', ";
-							$sql .= "'action', ";
-							$sql .= "'set', ";
-							$sql .= "'timezone=".$user_setting_value."', ";
-							$sql .= "'true', ";
-							$sql .= "'".$dialplan_detail_group."' ";
-							$sql .= "); ";
+							$p = new permissions;
+							$p->add('dialplan_detail_add', 'temp');
+
+							$array['dialplan_details'][0]['domain_uuid'] = $domain_uuid;
+							$array['dialplan_details'][0]['dialplan_detail_uuid'] = uuid();
+							$array['dialplan_details'][0]['dialplan_uuid'] = $dialplan_uuid;
+							$array['dialplan_details'][0]['dialplan_detail_tag'] = 'action';
+							$array['dialplan_details'][0]['dialplan_detail_type'] = 'set';
+							$array['dialplan_details'][0]['dialplan_detail_data'] = 'timezone='.$user_setting_value;
+							$array['dialplan_details'][0]['dialplan_detail_inline'] = 'true';
+							$array['dialplan_details'][0]['dialplan_detail_group'] = 0;
+						}
+						if (is_array($array) && sizeof($array) != 0) {
+							$database = new database;
+							$database->app_name = 'user_settings';
+							$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+							$database->save($array);
+							unset($array);
+
+							$p->delete('dialplan_detail_edit', 'temp');
+							$p->delete('dialplan_detail_add', 'temp');
 						}
-						$db->query($sql);
-						unset($sql);
 				}
 
 			//add the user setting
 				if ($action == "add" && permission_exists('user_setting_add')) {
-					$sql = "insert into v_user_settings ";
-					$sql .= "(";
-					$sql .= "user_uuid, ";
-					$sql .= "domain_uuid, ";
-					$sql .= "user_setting_uuid, ";
-					$sql .= "user_setting_category, ";
-					$sql .= "user_setting_subcategory, ";
-					$sql .= "user_setting_name, ";
-					$sql .= "user_setting_value, ";
-					$sql .= "user_setting_order, ";
-					$sql .= "user_setting_enabled, ";
-					$sql .= "user_setting_description ";
-					$sql .= ")";
-					$sql .= "values ";
-					$sql .= "(";
-					$sql .= "'$user_uuid', ";
-					$sql .= "'$domain_uuid', ";
-					$sql .= "'".uuid()."', ";
-					$sql .= "'$user_setting_category', ";
-					$sql .= "'$user_setting_subcategory', ";
-					$sql .= "'$user_setting_name', ";
-					$sql .= "'$user_setting_value', ";
-					$sql .= "$user_setting_order, ";
-					$sql .= "'$user_setting_enabled', ";
-					$sql .= "'$user_setting_description' ";
-					$sql .= ")";
-					$db->exec(check_sql($sql));
-					unset($sql);
-				} //if ($action == "add")
+					$array['user_settings'][0]['user_setting_uuid'] = uuid();
+				}
 
 			//update the user setting
 				if ($action == "update" && permission_exists('user_setting_edit')) {
-					$sql = "update v_user_settings set ";
-					$sql .= "user_setting_category = '$user_setting_category', ";
-					$sql .= "user_setting_subcategory = '$user_setting_subcategory', ";
-					$sql .= "user_setting_name = '$user_setting_name', ";
-					$sql .= "user_setting_value = '$user_setting_value', ";
-					$sql .= "user_setting_order = $user_setting_order, ";
-					$sql .= "user_setting_enabled = '$user_setting_enabled', ";
-					$sql .= "user_setting_description = '$user_setting_description' ";
-					$sql .= "where user_uuid = '$user_uuid' ";
-					$sql .= "and user_setting_uuid = '$user_setting_uuid'";
-					$db->exec(check_sql($sql));
-					unset($sql);
-				} //if ($action == "update")
+					$array['user_settings'][0]['user_setting_uuid'] = $user_setting_uuid;
+				}
+
+			//execute add or update
+				if (is_array($array) && sizeof($array) != 0) {
+					$array['user_settings'][0]['user_uuid'] = $user_uuid;
+					$array['user_settings'][0]['domain_uuid'] = $domain_uuid;
+					$array['user_settings'][0]['user_setting_category'] = $user_setting_category;
+					$array['user_settings'][0]['user_setting_subcategory'] = $user_setting_subcategory;
+					$array['user_settings'][0]['user_setting_name'] = $user_setting_name;
+					$array['user_settings'][0]['user_setting_value'] = $user_setting_value;
+					$array['user_settings'][0]['user_setting_order'] = $user_setting_order;
+					$array['user_settings'][0]['user_setting_enabled'] = $user_setting_enabled;
+					$array['user_settings'][0]['user_setting_description'] = $user_setting_description;
+
+					$database = new database;
+					$database->app_name = 'user_settings';
+					$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+					$database->save($array);
+					unset($array);
+				}
 
 			//update time zone
 				if ($user_setting_category == "domain" && $user_setting_subcategory == "time_zone" && $user_setting_name == "name" && strlen($user_setting_value) > 0 ) {
 					$sql = "select * from v_dialplans ";
 					$sql .= "where app_uuid = '34dd307b-fffe-4ead-990c-3d070e288126' ";
-					$sql .= "and domain_uuid = '".$_SESSION["domain_uuid"]."' ";
-					$prep_statement = $db->prepare(check_sql($sql));
-					$prep_statement->execute();
-					$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
+					$sql .= "and domain_uuid = :domain_uuid ";
+					$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
+					$database = new database;
+					$result = $database->select($sql, $parameters, 'all');
+					unset($sql, $parameters);
+
 					$time_zone_found = false;
-					foreach ($result as &$row) {
-						//get the dialplan_uuid
-							$dialplan_uuid = $row["dialplan_uuid"];
-
-						//get the dialplan details
-							$sql = "select * from v_dialplan_details ";
-							$sql .= "where dialplan_uuid = '".$dialplan_uuid."' ";
-							$sql .= "and domain_uuid = '".$_SESSION["domain_uuid"]."' ";
-							$sub_prep_statement = $db->prepare(check_sql($sql));
-							$sub_prep_statement->execute();
-							$sub_result = $sub_prep_statement->fetchAll(PDO::FETCH_NAMED);
-							foreach ($sub_result as $field) {
-								$dialplan_detail_uuid = $field["dialplan_detail_uuid"];
-								$dialplan_detail_tag = $field["dialplan_detail_tag"]; //action //condition
-								$dialplan_detail_type = $field["dialplan_detail_type"]; //set
-								$dialplan_detail_data = $field["dialplan_detail_data"];
-								$dialplan_detail_group = $field["dialplan_detail_group"];
-								if ($dialplan_detail_tag == "action" && $dialplan_detail_type == "set") {
-									$data_array = explode("=", $dialplan_detail_data);
-									if ($data_array[0] == "timezone") {
-										$time_zone_found = true;
-										break;
+					if (is_array($result) && sizeof($result) != 0) {
+						foreach ($result as &$row) {
+							//get the dialplan_uuid
+								$dialplan_uuid = $row["dialplan_uuid"];
+
+							//get the dialplan details
+								$sql = "select * from v_dialplan_details ";
+								$sql .= "where dialplan_uuid = :dialplan_uuid ";
+								$sql .= "and domain_uuid = :domain_uuid ";
+								$parameters['dialplan_uuid'] = $dialplan_uuid;
+								$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
+								$database = new database;
+								$sub_result = $database->select($sql, $parameters, 'all');
+								if (is_array($sub_result) && sizeof($sub_result) != 0) {
+									foreach ($sub_result as $sub_row) {
+										$dialplan_detail_uuid = $sub_row["dialplan_detail_uuid"];
+										$dialplan_detail_tag = $sub_row["dialplan_detail_tag"]; //action //condition
+										$dialplan_detail_type = $sub_row["dialplan_detail_type"]; //set
+										$dialplan_detail_data = $sub_row["dialplan_detail_data"];
+										$dialplan_detail_group = $sub_row["dialplan_detail_group"];
+										if ($dialplan_detail_tag == "action" && $dialplan_detail_type == "set") {
+											$data_array = explode("=", $dialplan_detail_data);
+											if ($data_array[0] == "timezone") {
+												$time_zone_found = true;
+												break;
+											}
+										}
 									}
 								}
-							}
-
-						//add the time zone
-							if (!$time_zone_found) {
-								//$dialplan_detail_uuid = uuid();
-								$dialplan_detail_uuid = "eb3b3a4e-88ea-4306-b2a8-9f52d3c95f2f";
-								$sql = "insert into v_dialplan_details ";
-								$sql .= "(";
-								$sql .= "domain_uuid, ";
-								$sql .= "dialplan_uuid, ";
-								$sql .= "dialplan_detail_uuid, ";
-								$sql .= "dialplan_detail_tag, ";
-								$sql .= "dialplan_detail_type, ";
-								$sql .= "dialplan_detail_data, ";
-								$sql .= "dialplan_detail_group, ";
-								$sql .= "dialplan_detail_order ";
-								$sql .= ") ";
-								$sql .= "values ";
-								$sql .= "(";
-								$sql .= "'".$_SESSION["domain_uuid"]."', "; //8cfd9525-6ccf-4c2c-813a-bca5809067cd
-								$sql .= "'$dialplan_uuid', "; //807b4aa6-4478-4663-a661-779397c1d542
-								$sql .= "'$dialplan_detail_uuid', ";
-								$sql .= "'action', ";
-								$sql .= "'set', ";
-								$sql .= "'timezone=$user_setting_value', ";
-								if (strlen($dialplan_detail_group) > 0) {
-									$sql .= "'$dialplan_detail_group', ";
+								unset($sql, $parameters, $sub_result, $sub_row);
+
+							//add the time zone
+								if (!$time_zone_found) {
+									$dialplan_detail_uuid = "eb3b3a4e-88ea-4306-b2a8-9f52d3c95f2f";
+									$array['dialplan_details'][0]['domain_uuid'] = $_SESSION["domain_uuid"];
+									$array['dialplan_details'][0]['dialplan_uuid'] = $dialplan_uuid;
+									$array['dialplan_details'][0]['dialplan_detail_uuid'] = $dialplan_detail_uuid;
+									$array['dialplan_details'][0]['dialplan_detail_tag'] = 'action';
+									$array['dialplan_details'][0]['dialplan_detail_type'] = 'set';
+									$array['dialplan_details'][0]['dialplan_detail_data'] = 'timezone='.$user_setting_value;
+									$array['dialplan_details'][0]['dialplan_detail_group'] = strlen($dialplan_detail_group) > 0 ? $dialplan_detail_group : 'null';
+									$array['dialplan_details'][0]['dialplan_detail_order'] = '15';
+
+									$p = new permissions;
+									$p->add('dialplan_detail_add', 'temp');
+
+									$database = new database;
+									$database->app_name = 'user_settings';
+									$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+									$database->save($array);
+									unset($array);
+
+									$p->delete('dialplan_detail_add', 'temp');
 								}
-								else {
-									$sql .= "null, ";
+
+							//update the time zone
+								if ($time_zone_found) {
+									$array['dialplan_details'][0]['dialplan_detail_uuid'] = $dialplan_detail_uuid;
+									$array['dialplan_details'][0]['dialplan_detail_data'] = 'timezone='.$user_setting_value;
+									$array['dialplan_details'][0]['domain_uuid'] = $_SESSION["domain_uuid"];
+									$array['dialplan_details'][0]['dialplan_uuid'] = $dialplan_uuid;
+
+									$p = new permissions;
+									$p->add('dialplan_detail_edit', 'temp');
+
+									$database = new database;
+									$database->app_name = 'user_settings';
+									$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+									$database->save($array);
+									unset($array);
+
+									$p->delete('dialplan_detail_edit', 'temp');
 								}
-								$sql .= "'15' ";
-								$sql .= ")";
-								$db->exec(check_sql($sql));
-								unset($sql);
-							}
-
-						//update the time zone
-							if ($time_zone_found) {
-								$sql = "update v_dialplan_details set ";
-								$sql .= "dialplan_detail_data = 'timezone=".$user_setting_value."' ";
-								$sql .= "where domain_uuid = '".$_SESSION["domain_uuid"]."' ";
-								$sql .= "and dialplan_uuid = '$dialplan_uuid' ";
-								$sql .= "and dialplan_detail_uuid = '$dialplan_detail_uuid' ";
-								$db->exec(check_sql($sql));
-								unset($sql);
-							}
+						}
 					}
 				}
 
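Review bot: `$detail_action` is no longer initialised before the `if ($detail_action == "update")` test, because the removed `$detail_action = "add";` line was not carried over; the else branch currently works only by comparing an undefined variable, so add `$detail_action = 'add';` immediately before the `is_uuid($dialplan_detail_uuid)` check. The `dialplan_uuid` lookup above it can return no row, in which case the add branch saves a dialplan detail with an empty `dialplan_uuid`; wrap the whole timezone update in `if (is_uuid($dialplan_uuid))`. The user-supplied `$user_setting_value` is concatenated into `dialplan_detail_data` in four places and presumably ends up in the switch dialplan; if this setting is meant to be an IANA zone name, validating it with `in_array($user_setting_value, DateTimeZone::listIdentifiers(), true)` before any save would keep arbitrary strings out of the dialplan. In the second block the inner `break` only leaves the detail loop, so when the domain has more than one matching dialplan the later iterations run the update branch with a `$dialplan_detail_uuid` that is not a timezone row — pre-existing, but still present on the new side.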
@@ -326,19 +305,20 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 				}
 				header("Location: /core/users/user_edit.php?id=".$user_uuid);
 				return;
-		} //if ($_POST["persistformvar"] != "true")
-} //(count($_POST)>0 && strlen($_POST["persistformvar"]) == 0)
+		}
+}
 
 //pre-populate the form
-	if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
-		$user_setting_uuid = check_str($_GET["id"]);
+	if (is_uuid($_GET["id"]) && count($_GET)>0 && $_POST["persistformvar"] != "true") {
+		$user_setting_uuid = $_GET["id"];
 		$sql = "select * from v_user_settings ";
-		$sql .= "where user_uuid = '$user_uuid' ";
-		$sql .= "and user_setting_uuid = '$user_setting_uuid' ";
-		$prep_statement = $db->prepare(check_sql($sql));
-		$prep_statement->execute();
-		$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($result as &$row) {
+		$sql .= "where user_uuid = :user_uuid ";
+		$sql .= "and user_setting_uuid = :user_setting_uuid ";
+		$parameters['user_uuid'] = $user_uuid;
+		$parameters['user_setting_uuid'] = $user_setting_uuid;
+		$database = new database;
+		$row = $database->select($sql, $parameters, 'row');
+		if (is_array($row) && sizeof($row) != 0) {
 			$user_setting_category = $row["user_setting_category"];
 			$user_setting_subcategory = $row["user_setting_subcategory"];
 			$user_setting_name = $row["user_setting_name"];
@@ -346,9 +326,8 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 			$user_setting_order = $row["user_setting_order"];
 			$user_setting_enabled = $row["user_setting_enabled"];
 			$user_setting_description = $row["user_setting_description"];
-			break; //limit to 1 row
 		}
-		unset ($prep_statement);
+		unset($sql, $parameters, $row);
 	}
 
 //show the header
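Review bot: The condition `is_uuid($_GET["id"]) && count($_GET)>0` is redundant on the new side, since a valid `id` already implies a non-empty `$_GET`; `if (is_uuid($_GET["id"]) && $_POST["persistformvar"] != "true")` says the same thing. The lookup is scoped only by `user_uuid` and `user_setting_uuid`, not by the current domain; unless the database class restricts selects by domain (not visible here), add `$sql .= "and domain_uuid = :domain_uuid "; $parameters['domain_uuid'] = $domain_uuid;` so a setting row cannot be pre-populated from another tenant's user.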
@@ -449,18 +428,19 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
 		$sql = "";
 		$sql .= "select * from v_menus ";
 		$sql .= "order by menu_language, menu_name asc ";
-		$sub_prep_statement = $db->prepare(check_sql($sql));
-		$sub_prep_statement->execute();
-		$sub_result = $sub_prep_statement->fetchAll(PDO::FETCH_NAMED);
-		foreach ($sub_result as $sub_row) {
-			if (strtolower($row['user_setting_value']) == strtolower($sub_row["menu_uuid"])) {
-				echo "		<option value='".strtolower($sub_row["menu_uuid"])."' selected='selected'>".escape($sub_row["menu_language"])." - ".escape($sub_row["menu_name"])."\n";
-			}
-			else {
-				echo "		<option value='".strtolower($sub_row["menu_uuid"])."'>".escape($sub_row["menu_language"])." - ".escape($sub_row["menu_name"])."</option>\n";
+		$database = new database;
+		$result = $database->select($sql, null, 'all');
+		if (is_array($result) && sizeof($result) != 0) {
+			foreach ($result as $row) {
+				if (strtolower($row['user_setting_value']) == strtolower($row["menu_uuid"])) {
+					echo "		<option value='".strtolower($row["menu_uuid"])."' selected='selected'>".escape($row["menu_language"])." - ".escape($row["menu_name"])."\n";
+				}
+				else {
+					echo "		<option value='".strtolower($row["menu_uuid"])."'>".escape($row["menu_language"])." - ".escape($row["menu_name"])."</option>\n";
+				}
 			}
 		}
-		unset ($sub_prep_statement);
+		unset($sql, $result, $row);
 		echo "		</select>\n";
 	}
 	elseif ($category == "domain" && $subcategory == "template" && $name == "name" ) {
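Review bot: The menu loop now reuses `$row` as its loop variable, so `$row['user_setting_value']` inside it reads the menu row (which has no such column) and the `selected` branch can never match; on top of that the pre-populate block now does `unset($row)` before this point, so even the outer `$row` is gone. Compare against the scalar that the pre-populate block presumably sets, `if (strtolower($user_setting_value) == strtolower($menu["menu_uuid"]))`, with `foreach ($result as $menu)` as the loop. The selected `<option>` on the next line is still missing its closing `</option>`, unlike the non-selected branch.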

+ 54 - 51
core/user_settings/user_settings.php

@@ -39,51 +39,58 @@
 	}
 
 //toggle setting enabled
-	if (sizeof($_REQUEST) > 1) {
-		$user_uuid = check_str($_REQUEST["user_id"]);
-		$user_setting_uuids = $_REQUEST["id"];
-		$enabled = check_str($_REQUEST['enabled']);
+	if (
+		is_uuid($_REQUEST["user_id"]) &&
+		is_array($_REQUEST["id"]) &&
+		sizeof($_REQUEST["id"]) == 1 &&
+		($_REQUEST['enabled'] === 'true' || $_REQUEST['enabled'] === 'false')
+		) {
 
-		if ($user_uuid != '' && sizeof($user_setting_uuids) == 1 && $enabled != '') {
-			$sql = "update v_user_settings set ";
-			$sql .= "user_setting_enabled = '".$enabled."' ";
-			$sql .= "where user_uuid = '".$user_uuid."' ";
-			$sql .= "and user_setting_uuid = '".$user_setting_uuids[0]."' ";
-			$db->exec(check_sql($sql));
-			unset($sql);
+		//get input
+			$user_setting_uuids = $_REQUEST["id"];
+			$enabled = $_REQUEST['enabled'];
 
+		//update setting
+			$array['user_settings'][0]['user_setting_uuid'] = $user_setting_uuids[0];
+			$array['user_settings'][0]['user_setting_enabled'] = $enabled;
+			$database = new database;
+			$database->app_name = 'user_settings';
+			$database->app_uuid = '3a3337f7-78d1-23e3-0cfd-f14499b8ed97';
+			$database->save($array);
+			unset($array);
+
+		//redirect
 			message::add($text['message-update']);
-			header("Location: /core/users/user_edit.php?id=".$user_uuid);
+			header("Location: /core/users/user_edit.php?id=".$_REQUEST["user_id"]);
 			exit;
-		}
 	}
 
 //include the paging
 	require_once "resources/paging.php";
 
 //get the variables
-	$order_by = check_str($_GET["order_by"]);
-	$order = check_str($_GET["order"]);
+	$order_by = $_GET["order_by"];
+	$order = $_GET["order"];
 
 //show the content
 	echo "<form name='frm_settings' id='frm_settings' method='get' action='/core/user_settings/user_setting_delete.php'>";
 	echo "<input type='hidden' name='user_uuid' value='".$user_uuid."'>";
 
+//common sql where
+	$sql_where = "where user_uuid = :user_uuid ";
+	$sql_where .= "and not ( ";
+	$sql_where .= "(user_setting_category = 'domain' and user_setting_subcategory = 'language') ";
+	$sql_where .= "or (user_setting_category = 'domain' and user_setting_subcategory = 'time_zone') ";
+	$sql_where .= "or (user_setting_category = 'message' and user_setting_subcategory = 'key') ";
+	$sql_where .= ") ";
+	$parameters['user_uuid'] = $user_uuid;
+
 //prepare to page the results
-	$sql = "select count(*) as num_rows from v_user_settings ";
-	$sql .= "where user_uuid = '$user_uuid' ";
-	$prep_statement = $db->prepare($sql);
-	if ($prep_statement) {
-		$prep_statement->execute();
-		$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-		if ($row['num_rows'] > 0) {
-			$num_rows = $row['num_rows'];
-		}
-		else {
-			$num_rows = '0';
-		}
-		unset ($prep_statement, $sql);
-	}
+	$sql = "select count(*) from v_user_settings ";
+	$sql .= $sql_where;
+	$database = new database;
+	$num_rows = $database->select($sql, $parameters, 'column');
+	unset($sql);
 
 //prepare to page the results
 	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 100;
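Review bot: The toggle condition checks that `$_REQUEST["id"]` is a one-element array but never validates the element, so `$user_setting_uuids[0]` reaches `database::save` unchecked; add `is_uuid($_REQUEST["id"][0])` to the condition. The old update statement was scoped by `user_uuid` as well as `user_setting_uuid`, whereas the new save array keys only on `user_setting_uuid`; unless the database class enforces `domain_uuid` on updates (not visible here), any setting row whose UUID is known can be toggled from this page, so confirm ownership first, e.g. `select user_setting_uuid from v_user_settings where user_setting_uuid = :id and user_uuid = :user_uuid and domain_uuid = :domain_uuid`, and only save when a row comes back.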
@@ -95,23 +102,17 @@
 
 //get the list
 	$sql = "select * from v_user_settings ";
-	$sql .= "where user_uuid = '$user_uuid' ";
-	$sql .= "and not ( ";
-	$sql .= "(user_setting_category = 'domain' and user_setting_subcategory = 'language') ";
-	$sql .= "or (user_setting_category = 'domain' and user_setting_subcategory = 'time_zone') ";
-	$sql .= "or (user_setting_category = 'message' and user_setting_subcategory = 'key') ";
-	$sql .= ") ";
-	if (strlen($order_by) == 0) {
+	$sql .= $sql_where;
+	if ($order_by != '') {
 		$sql .= "order by user_setting_category, user_setting_subcategory, user_setting_order asc ";
 	}
 	else {
-		$sql .= "order by $order_by $order ";
+		$sql .= order_by($order_by, $order);
 	}
-	$sql .= "limit $rows_per_page offset $offset ";
-	$prep_statement = $db->prepare(check_sql($sql));
-	$prep_statement->execute();
-	$user_settings = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-	unset ($prep_statement, $sql);
+	$sql .= limit_offset($rows_per_page, $offset);
+	$database = new database;
+	$user_settings = $database->select($sql, $parameters, 'all');
+	unset($sql, $sql_where, $parameters);
 
 	$c = 0;
 	$row_style["0"] = "row_style0";
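Review bot: The ordering condition is inverted: `if ($order_by != '')` now applies the default `order by` when the user supplied a column and calls `order_by($order_by, $order)` when they supplied none, the opposite of the removed `strlen($order_by) == 0` test. Change it to `if ($order_by == '') {`. The raw `$_GET["order_by"]`/`$_GET["order"]` values are only safe here if `order_by()` whitelists column names and directions; that helper is outside this diff.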
@@ -120,7 +121,7 @@
 //show the content
 	echo "<table class='tr_hover' width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
 
-	if (is_array($user_settings)) {
+	if (is_array($user_settings) && sizeof($user_settings) != 0) {
 		$previous_category = '';
 		foreach($user_settings as $row) {
 			if ($previous_category != $row['user_setting_category']) {
@@ -190,14 +191,16 @@
 			$name = $row['user_setting_name'];
 			if ($category == "domain" && $subcategory == "menu" && $name == "uuid" ) {
 				$sql = "select * from v_menus ";
-				$sql .= "where menu_uuid = '".$row['user_setting_value']."' ";
-				$sub_prep_statement = $db->prepare(check_sql($sql));
-				$sub_prep_statement->execute();
-				$sub_result = $sub_prep_statement->fetchAll(PDO::FETCH_NAMED);
-				unset ($prep_statement, $sql);
-				foreach ($sub_result as &$sub_row) {
-					echo $sub_row["menu_language"]." - ".$sub_row["menu_name"]."\n";
+				$sql .= "where menu_uuid = :menu_uuid ";
+				$parameters['menu_uuid'] = $row['user_setting_value'];
+				$database = new database;
+				$sub_result = $database->select($sql, $parameters, 'all');
+				if (is_array($sub_result) && sizeof($sub_result) != 0) {
+					foreach ($sub_result as &$sub_row) {
+						echo $sub_row["menu_language"]." - ".$sub_row["menu_name"]."\n";
+					}
 				}
+				unset($sql, $parameters, $sub_result, $sub_row);
 			}
 			elseif ($category == "domain" && $subcategory == "template" && $name == "name" ) {
 				echo "		".ucwords($row['user_setting_value']);
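Review bot: `menu_language` and `menu_name` are printed into the table without escaping, while the same values are wrapped in `escape()` in user_setting_edit.php and the description two rows down uses `escape()` too; write `echo escape($sub_row["menu_language"])." - ".escape($sub_row["menu_name"])."\n";`. Menu names are admin-controlled, so this is a consistency point rather than a demonstrated injection, but the page should not rely on that.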
@@ -232,7 +235,7 @@
 			}
 			echo "	</td>\n";
 			echo "	<td valign='top' class='".$row_style[$c]." tr_link_void' style='text-align: center;'>\n";
-			echo "		<a href='?user_id=".$row['user_uuid']."&id[]=".$row['user_setting_uuid']."&enabled=".(($row['user_setting_enabled'] == 'true') ? 'false' : 'true')."'>".$text['label-'.$row['user_setting_enabled']]."</a>\n";
+			echo "		<a href='../user_settings/user_settings.php?user_id=".$row['user_uuid']."&id[]=".$row['user_setting_uuid']."&enabled=".(($row['user_setting_enabled'] == 'true') ? 'false' : 'true')."'>".$text['label-'.$row['user_setting_enabled']]."</a>\n";
 			echo "	</td>\n";
 			echo "	<td valign='top' class='row_stylebg'>".escape($row['user_setting_description'])."&nbsp;</td>\n";
 			echo "	<td class='list_control_icons'>";
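Review bot: The enable/disable link still performs a state change over a plain GET (`?user_id=…&id[]=…&enabled=…`) with nothing binding it to the user's session, so a crafted link or image tag can toggle a setting; this predates the commit but the rewritten href keeps it. If the project has a per-session token mechanism, append it to the query string and check it in the toggle block at the top of the file; otherwise a small POST form per row is the usual fix.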

+ 30 - 31
core/users/user_delete.php

@@ -43,21 +43,18 @@
 	$text = $language->get();
 
 //get the id
-	$user_uuid = check_str($_GET["id"]);
+	$user_uuid = $_GET["id"];
 
 //validate the uuid
 	if (is_uuid($user_uuid)) {
 		//get the user's domain from v_users
 			if (permission_exists('user_domain')) {
 				$sql = "select domain_uuid from v_users ";
-				$sql .= "where user_uuid = '".$user_uuid."' ";
-				$prep_statement = $db->prepare(check_sql($sql));
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				foreach ($result as &$row) {
-					$domain_uuid = $row["domain_uuid"];
-				}
-				unset ($prep_statement);
+				$sql .= "where user_uuid = :user_uuid ";
+				$parameters['user_uuid'] = $user_uuid;
+				$database = new database;
+				$domain_uuid = $database->select($sql, $parameters, 'column');
+				unset($sql, $parameters);
 			}
 			else {
 				$domain_uuid = $_SESSION['domain_uuid'];
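Review bot: When the `user_domain` branch finds no row, `$database->select(..., 'column')` presumably returns an empty value and `$domain_uuid` is then used as the scope for the deletes below; unless the elided lines right after this hunk already bail out, add `if (!is_uuid($domain_uuid)) { message::add($text['message-delete'], 'negative'); header("Location: users.php"); exit; }` so a bad id does not reach the delete with an empty domain. The `is_uuid($user_uuid)` wrapper opens here and closes in the next hunk.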
@@ -74,35 +71,37 @@
 			}
 
 		//delete the user settings
-			$sql = "delete from v_user_settings ";
-			$sql .= "where user_uuid = '".$user_uuid."' ";
-			$sql .= "and domain_uuid = '".$domain_uuid."' ";
-			if (!$db->exec($sql)) {
-				$info = $db->errorInfo();
-				print_r($info);
-			}
+			$array['user_settings'][0]['user_uuid'] = $user_uuid;
+			$array['user_settings'][0]['domain_uuid'] = $domain_uuid;
 
 		//delete the groups the user is assigned to
-			$sql = "delete from v_user_groups ";
-			$sql .= "where user_uuid = '".$user_uuid."' ";
-			$sql .= "and domain_uuid = '".$domain_uuid."' ";
-			if (!$db->exec($sql)) {
-				$info = $db->errorInfo();
-				print_r($info);
-			}
+			$array['user_groups'][0]['user_uuid'] = $user_uuid;
+			$array['user_groups'][0]['domain_uuid'] = $domain_uuid;
 
 		//delete the user
-			$sql = "delete from v_users ";
-			$sql .= "where user_uuid = '".$user_uuid."' ";
-			$sql .= "and domain_uuid = '".$domain_uuid."' ";
-			if (!$db->exec($sql)) {
-				$info = $db->errorInfo();
-				print_r($info);
-			}
+			$array['users'][0]['user_uuid'] = $user_uuid;
+			$array['users'][0]['domain_uuid'] = $domain_uuid;
+
+		//execute
+			$p = new permissions;
+			$p->add('user_setting_delete', 'temp');
+			$p->add('user_group_delete', 'temp');
+
+			$database = new database;
+			$database->app_name = 'users';
+			$database->app_uuid = '112124b3-95c2-5352-7e9d-d14c0b88f207';
+			$database->delete($array);
+			unset($array);
+
+			$p->delete('user_setting_delete', 'temp');
+			$p->delete('user_group_delete', 'temp');
+
+		//set message
+			message::add($text['message-delete']);
 	}
 
 //redirect the user
-	message::add($text['message-delete']);
 	header("Location: users.php");
+	exit;
 
 ?>
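Review bot: `message::add($text['message-delete'])` is now added unconditionally after `$database->delete($array)`, where the old code at least surfaced `errorInfo()`; if `database::delete` reports failure through its return value (not visible here), test it before claiming success. Nothing in the block prevents deleting the currently signed-in account; `if ($user_uuid == $_SESSION['user_uuid']) { header("Location: users.php"); exit; }` before building `$array` avoids leaving the session attached to a removed user. The temporary `user_setting_delete`/`user_group_delete` grants are fine as written, but they are not released if `delete()` throws, which matters only if that method can throw.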

+ 82 - 57
core/users/user_edit.php

@@ -35,16 +35,17 @@
 	$text = $language->get();
 
 //get user uuid
-	if ((is_uuid($_REQUEST["id"]) && permission_exists('user_edit')) ||
-		(is_uuid($_REQUEST["id"]) && $_REQUEST["id"] == $_SESSION['user_uuid']))  {
+	if (is_uuid($_REQUEST["id"]) && (permission_exists('user_edit') || $_REQUEST["id"] == $_SESSION['user_uuid'])) {
 		$user_uuid = $_REQUEST["id"];
 		$action = 'edit';
 	}
-	elseif (permission_exists('user_add') && !isset($_REQUEST["id"])) {
+	else if (permission_exists('user_add') && !is_uuid($_REQUEST["id"])) {
 		$user_uuid = uuid();
 		$action = 'add';
 	}
 	else {
+		echo 'here';
+		exit;
 		// load users own account
 		header("Location: user_edit.php?id=".$_SESSION['user_uuid']);
 		exit;
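Review bot: The `echo 'here'; exit;` pair in the final else branch is leftover debugging that turns the fallback redirect to the user's own account into dead code, so any caller without `user_edit`/`user_add` now gets a bare "here" page; delete those two lines. With `!isset` replaced by `!is_uuid`, a caller holding `user_add` who passes a malformed `id` silently lands in the add path with a fresh UUID instead of an error, which is probably acceptable but worth a comment such as `// malformed or absent id with user_add falls through to add`.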
@@ -52,13 +53,15 @@
 
 //get total user count from the database, check limit, if defined
 	if (permission_exists('user_add') && $action == 'add' && $_SESSION['limit']['users']['numeric'] != '') {
-		$sql = "select count(user_uuid) as num_rows from v_users where domain_uuid = :domain_uuid ";
+		$sql = "select count(*) ";
+		$sql .= "from v_users ";
+		$sql .= "where domain_uuid = :domain_uuid ";
 		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
 		$database = new database;
-		$total_users = $database->execute($sql, $parameters, 'column');
-		unset($parameters);
+		$num_rows = $database->select($sql, $parameters, 'column');
+		unset($sql, $parameters);
 
-		if ($total_users >= $_SESSION['limit']['users']['numeric']) {
+		if ($num_rows >= $_SESSION['limit']['users']['numeric']) {
 			message::add($text['message-maximum_users'].' '.$_SESSION['limit']['users']['numeric'], 'negative');
 			header('Location: users.php');
 			exit;
@@ -77,26 +80,28 @@
 	}
 
 //delete the group from the user
-	if ($_GET["a"] == "delete" && permission_exists("user_delete")) {
+	if ($_GET["a"] == "delete" && is_uuid($_GET["group_uuid"]) && is_uuid($user_uuid) && permission_exists("user_delete")) {
 		//set the variables
 			$group_uuid = $_GET["group_uuid"];
 		//delete the group from the users
-			if (is_uuid($group_uuid) && is_uuid($user_uuid)) {
-				$sql = "delete from v_user_groups ";
-				$sql .= "where group_uuid = :group_uuid ";
-				$sql .= "and user_uuid = :user_uuid ";
-				$parameters['group_uuid'] = $group_uuid;
-				$parameters['user_uuid'] = $user_uuid;
-				$database = new database;
-				$database->execute($sql, $parameters);
-				unset($parameters);
-			}
+			$array['user_groups'][0]['group_uuid'] = $group_uuid;
+			$array['user_groups'][0]['user_uuid'] = $user_uuid;
+
+			$p = new permissions;
+			$p->add('user_group_delete', 'temp');
+
+			$database = new database;
+			$database->app_name = 'users';
+			$database->app_uuid = '112124b3-95c2-5352-7e9d-d14c0b88f207';
+			$database->delete($array);
+			unset($array);
+
+			$p->delete('user_group_delete', 'temp');
+
 		//redirect the user
 			message::add($text['message-update']);
-			if (is_uuid($user_uuid)) {
-				header("Location: user_edit.php?id=".$user_uuid);
-			}
-			return;
+			header("Location: user_edit.php?id=".$user_uuid);
+			exit;
 	}
 
 //retrieve password requirements
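Review bot: The group-removal branch is gated on `permission_exists("user_delete")` but then temporarily grants `user_group_delete` to perform the action, which reads as a mismatch; the check should be the permission the action actually needs, `permission_exists("user_group_delete")`, or `user_edit` if the intent is that anyone who can edit the user can trim its groups. The delete array keys only on `group_uuid` and `user_uuid`, so unless the database class scopes deletes by tenant (not visible here), add `$array['user_groups'][0]['domain_uuid'] = $_SESSION['domain_uuid'];` to match the scoping used for the same table in user_delete.php. Like the other links on these pages, this is a state change driven by `?a=delete&group_uuid=` on a GET request with no session token.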
@@ -143,7 +148,7 @@
 			}
 			if (permission_exists('user_edit') && $action == 'edit') {
 				if ($username != $username_old && $username != '') {
-					$sql = "select count(*) as num_rows from v_users where username = :username ";
+					$sql = "select count(*) from v_users where username = :username ";
 					if ($_SESSION["user"]["unique"]["text"] != "global") {
 						$sql .= "and domain_uuid = :domain_uuid ";
 						$parameters['domain_uuid'] = $domain_uuid;
@@ -218,7 +223,7 @@
 			$parameters['user_uuid'] = $user_uuid;
 			$database = new database;
 			$row = $database->select($sql, $parameters, 'row');
-			if ($row['user_setting_uuid'] == '' && $user_language != '') {
+			if (!is_uuid($row['user_setting_uuid']) && $user_language != '') {
 				//add user setting to array for insert
 					$array['user_settings'][$i]['user_setting_uuid'] = uuid();
 					$array['user_settings'][$i]['user_uuid'] = $user_uuid;
@@ -232,14 +237,20 @@
 			}
 			else {
 				if ($row['user_setting_value'] == '' || $user_language == '') {
-					$sql = "delete from v_user_settings ";
-					$sql .= "where user_setting_category = 'domain' ";
-					$sql .= "and user_setting_subcategory = 'language' ";
-					$sql .= "and user_uuid = :user_uuid ";
-					$parameters['user_uuid'] = $user_uuid;
+					$array_delete['user_settings'][0]['user_setting_category'] = 'domain';
+					$array_delete['user_settings'][0]['user_setting_subcategory'] = 'language';
+					$array_delete['user_settings'][0]['user_uuid'] = $user_uuid;
+
+					$p = new permissions;
+					$p->add('user_setting_delete', 'temp');
+
 					$database = new database;
-					$database->execute($sql, $parameters);
-					unset($sql);
+					$database->app_name = 'users';
+					$database->app_uuid = '112124b3-95c2-5352-7e9d-d14c0b88f207';
+					$database->delete($array_delete);
+					unset($array_delete);
+
+					$p->delete('user_setting_delete', 'temp');
 				}
 				else {
 					//add user setting to array for update
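Review bot: The temporary `user_setting_delete` grant added with `$p->add(...)` is revoked only on the line after `$database->delete($array_delete)`, so if delete() throws or terminates the request the elevated permission stays attached to the session for as long as the permissions class keeps it (that class is not visible here). Scoping it with `try { $database->delete($array_delete); } finally { $p->delete('user_setting_delete', 'temp'); }` keeps the grant bound to the call. The same pattern is repeated in the time_zone and message-key deletes below and in the user_groups delete above, each with its own copy of the `app_uuid` literal; a single `$app_uuid` variable set once would stop the copies drifting. Because the delete criteria are now the three array keys rather than an explicit WHERE, it is worth confirming that database::delete() requires every supplied key, since a dropped key would widen the delete to all settings of the user.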
@@ -278,13 +289,20 @@
 			}
 			else {
 				if ($row['user_setting_value'] == '' || $user_time_zone == '') {
-					$sql = "delete from v_user_settings ";
-					$sql .= "where user_setting_category = 'domain' ";
-					$sql .= "and user_setting_subcategory = 'time_zone' ";
-					$sql .= "and user_uuid = :user_uuid ";
-					$parameters['user_uuid'] = $user_uuid;
+					$array_delete['user_settings'][0]['user_setting_category'] = 'domain';
+					$array_delete['user_settings'][0]['user_setting_subcategory'] = 'time_zone';
+					$array_delete['user_settings'][0]['user_uuid'] = $user_uuid;
+
+					$p = new permissions;
+					$p->add('user_setting_delete', 'temp');
+
 					$database = new database;
-					$database->execute($sql, $parameters);
+					$database->app_name = 'users';
+					$database->app_uuid = '112124b3-95c2-5352-7e9d-d14c0b88f207';
+					$database->delete($array_delete);
+					unset($array_delete);
+
+					$p->delete('user_setting_delete', 'temp');
 				}
 				else {
 					//add user setting to array for update
@@ -324,14 +342,20 @@
 				}
 				else {
 					if ($row['user_setting_value'] == '' || $message_key == '') {
-						$sql = "delete from v_user_settings ";
-						$sql .= "where user_setting_category = 'message' ";
-						$sql .= "and user_setting_subcategory = 'key' ";
-						$sql .= "and user_uuid = :user_uuid ";
-						$parameters['user_uuid'] = $user_uuid;
+						$array_delete['user_settings'][0]['user_setting_category'] = 'message';
+						$array_delete['user_settings'][0]['user_setting_subcategory'] = 'key';
+						$array_delete['user_settings'][0]['user_uuid'] = $user_uuid;
+
+						$p = new permissions;
+						$p->add('user_setting_delete', 'temp');
+
 						$database = new database;
-						$database->execute($sql, $parameters);
-						unset($sql);
+						$database->app_name = 'users';
+						$database->app_uuid = '112124b3-95c2-5352-7e9d-d14c0b88f207';
+						$database->delete($array_delete);
+						unset($array_delete);
+
+						$p->delete('user_setting_delete', 'temp');
 					}
 					else {
 						//add user setting to array for update
@@ -583,7 +607,7 @@
 					}
 				}
 			}
-			unset($sql, $parameters);
+			unset($sql, $parameters, $result, $row);
 		}
 	}
 
@@ -707,16 +731,19 @@
 	echo "		<option value=''></option>\n";
 	//get all language codes from database
 	$sql = "select * from v_languages order by language asc ";
-	$parameters = null;
 	$database = new database;
-	$languages = $database->select($sql, $parameters, 'all');
-	foreach ($languages as $row) {
-		$language_codes[$row["code"]] = $row["language"];
+	$languages = $database->select($sql, null, 'all');
+	if (is_array($languages) && sizeof($languages) != 0) {
+		foreach ($languages as $row) {
+			$language_codes[$row["code"]] = $row["language"];
+		}
 	}
-	unset($languages);
-	foreach ($_SESSION['app']['languages'] as $code) {
-		$selected = ($code == $user_settings['domain']['language']['code']) ? "selected='selected'" : null;
-		echo "	<option value='".escape($code)."' ".escape($selected).">".escape($language_codes[$code])." [".escape($code)."]</option>\n";
+	unset($sql, $languages, $row);
+	if (is_array($_SESSION['app']['languages']) && sizeof($_SESSION['app']['languages']) != 0) {
+		foreach ($_SESSION['app']['languages'] as $code) {
+			$selected = ($code == $user_settings['domain']['language']['code']) ? "selected='selected'" : null;
+			echo "	<option value='".escape($code)."' ".escape($selected).">".escape($language_codes[$code])." [".escape($code)."]</option>\n";
+		}
 	}
 	echo "		</select>\n";
 	echo "		<br />\n";
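Review bot: `$language_codes` is assigned only inside the new `is_array($languages)` guard, so when v_languages returns no rows the lookup `$language_codes[$code]` in the second loop reads an undefined variable and every option is rendered with an empty label; initialise it before the query with `$language_codes = array();`. A session code with no matching database row has the same effect, so `isset($language_codes[$code]) ? $language_codes[$code] : $code` as the label would keep the option readable.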
@@ -881,7 +908,6 @@
 		$parameters['user_uuid'] = $user_uuid;
 		$database = new database;
 		$user_groups = $database->select($sql, $parameters, 'all');
-		unset($parameters);
 		if (is_array($user_groups)) {
 			echo "<table cellpadding='0' cellspacing='0' border='0'>\n";
 			foreach($user_groups as $field) {
@@ -903,7 +929,7 @@
 			}
 			echo "</table>\n";
 		}
-		unset($sql, $user_groups);
+		unset($sql, $parameters, $user_groups, $field);
 
 		$sql = "select * from v_groups ";
 		$sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
@@ -914,7 +940,6 @@
 		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
 		$database = new database;
 		$groups = $database->select($sql, $parameters, 'all');
-		unset($parameters);
 		if (is_array($groups)) {
 			if (isset($assigned_groups)) { echo "<br />\n"; }
 			echo "<select name='group_uuid_name' class='formfld' style='width: auto; margin-right: 3px;' ".($action == 'add' ? "required='required'" : null).">\n";
@@ -932,7 +957,7 @@
 				echo "<input type='submit' class='btn' value=\"".$text['button-add']."\" >\n";
 			}
 		}
-		unset($sql, $groups);
+		unset($sql, $parameters, $groups, $field);
 
 		echo "		</td>";
 		echo "	</tr>";

+ 7 - 11
core/users/user_imports.php

@@ -42,7 +42,7 @@
 	$language = new text;
 	$text = $language->get();
 
-//built in str_getcsv requires PHP 5.3 or higher, this function can be used to reproduct the functionality but requirs PHP 5.1.0 or higher
+//built in str_getcsv requires PHP 5.3 or higher, this function can be used to reproduce the functionality but requires PHP 5.1.0 or higher
 	if(!function_exists('str_getcsv')) {
 		function str_getcsv($input, $delimiter = ",", $enclosure = '"', $escape = "\\") {
 			$fp = fopen("php://memory", 'r+');
@@ -60,8 +60,6 @@
 //get the http get values and set them as php variables
 	$action = check_str($_POST["action"]);
 	$from_row = check_str($_POST["from_row"]);
-	$order_by = check_str($_POST["order_by"]);
-	$order = check_str($_POST["order"]);
 	$delimiter = check_str($_POST["data_delimiter"]);
 	$enclosure = check_str($_POST["data_enclosure"]);
 
@@ -74,7 +72,7 @@
 
 //copy the csv file
 	//$_POST['submit'] == "Upload" &&
-	if ( is_uploaded_file($_FILES['ulfile']['tmp_name']) && permission_exists('user_imports')) {
+	if (is_uploaded_file($_FILES['ulfile']['tmp_name']) && permission_exists('user_imports')) {
 		if (check_str($_POST['type']) == 'csv') {
 			move_uploaded_file($_FILES['ulfile']['tmp_name'], $_SESSION['server']['temp']['dir'].'/'.$_FILES['ulfile']['name']);
 			$save_msg = "Uploaded file to ".$_SESSION['server']['temp']['dir']."/". htmlentities($_FILES['ulfile']['name']);
@@ -131,10 +129,7 @@
 			$schema[$i]['fields'][] = 'group_name';
 
 		//debug info
-			//echo "<pre>\n";
-			//print_r($schema);
-			//echo "</pre>\n";
-			//exit;
+			//view_array($schema);
 	}
 
 //match the column names to the field names
@@ -252,9 +247,9 @@
 
 		//get the groups
 			$sql = "select * from v_groups where domain_uuid is null ";
-			$prep_statement = $db->prepare($sql);
-			$prep_statement->execute();
-			$groups = $prep_statement->fetchAll(PDO::FETCH_ASSOC);
+			$database = new database;
+			$groups = $database->select($sql, null, 'all');
+			unset($sql);
 
 		//get the contents of the csv file and convert them into an array
 			$handle = @fopen($_SESSION['file'], "r");
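Review bot: `$groups` returned by the new `$database->select($sql, null, 'all')` call is no longer guaranteed to be an array the way `fetchAll()` was, so any `foreach ($groups ...)` further down the file should take the same `is_array($groups) && sizeof($groups) != 0` guard that the other hunks of this commit add; that loop is outside the hunk.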
@@ -384,6 +379,7 @@
 						$database->app_uuid = '4efa1a1a-32e7-bf83-534b-6c8299958a8e';
 						$database->save($array);
 						//$message = $database->message;
+						unset($array);
 					}
 
 				//send the redirect header

+ 28 - 60
core/users/users.php

@@ -48,24 +48,9 @@
 	$document['title'] = $text['title-user_manager'];
 
 //get variables used to control the order
-	$order_by = $_GET["order_by"];
+	$order_by = $_GET["order_by"] != '' ? $_GET["order_by"] : 'u.username';
 	$order = $_GET["order"];
 
-//validate order by
-	if (strlen($order_by) > 0) {
-		$order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
-	}
-
-//validate the order
-	switch ($order) {
-		case 'asc':
-			break;
-		case 'desc':
-			break;
-		default:
-			$order = '';
-	}
-
 //set the variables
 	$search = $_REQUEST["search"];
 	if (strlen($search) > 0) {
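Review bot: Removing the local validation leaves `order_by()` in resources/functions.php as the only filter on `$order_by`, and it strips characters rather than checking the column, so any name that survives `[a-zA-Z0-9_.-]` is interpolated into the `order by` clause; that prevents SQL syntax from getting in, but a request can still sort by a column the list never displays, which reveals the ordering of that column. Check the value against the columns the list actually selects, e.g. `$sortable = array('u.username', 'u.domain_name', 'u.user_enabled', 'u.contact_organization', 'u.contact_name_given', 'u.contact_name_family', 'u.groups');` followed by `if (!in_array($order_by, $sortable, true)) { $order_by = 'u.username'; }`. The new default line also reads `$_GET["order_by"]` without `isset`, which raises a notice when the parameter is absent; `isset($_GET['order_by']) && $_GET['order_by'] != ''` avoids it.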
@@ -75,28 +60,32 @@
 //get the list of superadmins
 	$superadmins = superadmin_list($db);
 
-//get the user count from the database
-	$sql = "select count(*) from view_users as u where 1 = 1 ";
+//common where clause
+	$sql_where = "where true ";
 	if (!(permission_exists('user_all') && $_GET['show'] == 'all')) {
-		$sql .= "and u.domain_uuid = :domain_uuid \n";
+		$sql_where .= "and u.domain_uuid = :domain_uuid ";
 		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
 	}
 	if (strlen($search) > 0) {
-		$sql .= "and (\n";
-		$sql .= "lower(username) like :search \n";
-		$sql .= "or lower(groups) like :search \n";
-		$sql .= "or lower(contact_organization) like :search \n";
-		$sql .= "or lower(contact_name_given) like :search \n";
-		$sql .= "or lower(contact_name_family) like :search \n";
-		$sql .= ")\n";
+		$sql_where .= "and ( ";
+		$sql_where .= "lower(username) like :search ";
+		$sql_where .= "or lower(groups) like :search ";
+		$sql_where .= "or lower(contact_organization) like :search ";
+		$sql_where .= "or lower(contact_name_given) like :search ";
+		$sql_where .= "or lower(contact_name_family) like :search ";
+		$sql_where .= ") ";
 		$parameters['search'] = '%'.$search.'%';
 	}
+
+//get the user count from the database
+	$sql = "select count(*) from view_users as u ";
+	$sql .= $sql_where;
 	$database = new database;
 	$num_rows = $database->select($sql, $parameters, 'column');
-	unset ($parameters, $sql);
+	unset($sql);
 
 //prepare for paging
-	$rows_per_page = ($_SESSION['domain']['paging']['numeric'] != '') ? $_SESSION['domain']['paging']['numeric'] : 50;
+	$rows_per_page = is_numeric($_SESSION['domain']['paging']['numeric']) ? $_SESSION['domain']['paging']['numeric'] : 50;
 	$param = "search=".escape($search);
 	if (permission_exists('user_all') && $_GET['show'] == 'all') {
 		$param .= "&show=all";
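Review bot: `$parameters` is assigned only inside the two conditionals that build `$sql_where`, so on the path with `show=all` and no search term both the count query here and the list query below receive an undefined variable; add `$parameters = array();` directly after `$sql_where = "where true ";`. The old code had the same gap, but now that `$parameters` is deliberately carried across both queries it is the right moment to close it.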
@@ -107,35 +96,14 @@
 	$offset = $rows_per_page * $page;
 
 //get the users from the database
-	$sql = "select u.domain_uuid, u.user_uuid, u.contact_uuid, u.domain_name, u.username, u.user_enabled, u.contact_organization, u.contact_name_given, u.contact_name_family, u.groups \n";
-	$sql .= "from view_users as u \n";
-	$sql .= "where 1 = 1 \n";
-	if (!(permission_exists('user_all') && $_GET['show'] == 'all')) {
-		$sql .= "and u.domain_uuid = :domain_uuid \n";
-		$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
-	}
-	if (strlen($search) > 0) {
-		$sql .= "and (\n";
-		$sql .= "lower(username) like :search \n";
-		$sql .= "or lower(groups) like :search \n";
-		$sql .= "or lower(contact_organization) like :search \n";
-		$sql .= "or lower(contact_name_given) like :search \n";
-		$sql .= "or lower(contact_name_family) like :search \n";
-		$sql .= ")\n";
-		$parameters['search'] = '%'.$search.'%';
-	}
-	if (strlen($order_by)> 0) {
-		$sql .= "order by ".$order_by." ".$order." \n";
-	}
-	else {
-		$sql .= "order by u.username asc \n";
-	}
-	$sql .= "limit :rows_per_page offset :offset ";
-	$parameters['rows_per_page'] = $rows_per_page;
-	$parameters['offset'] = $offset;
+	$sql = "select u.domain_uuid, u.user_uuid, u.contact_uuid, u.domain_name, u.username, u.user_enabled, u.contact_organization, u.contact_name_given, u.contact_name_family, u.groups ";
+	$sql .= "from view_users as u ";
+	$sql .= $sql_where;
+	$sql .= order_by($order_by, $order);
+	$sql .= limit_offset($rows_per_page, $offset);
 	$database = new database;
 	$users = $database->select($sql, $parameters, 'all');
-	unset ($parameters, $sql);
+	unset($sql, $sql_where, $parameters);
 
 //page title and description
 	echo "<table width='100%' border='0' cellpadding='0' cellspacing='0'>\n";
@@ -201,7 +169,7 @@
 	echo "</td>\n";
 	echo "</tr>\n";
 
-	if (is_array($users)) {
+	if (is_array($users) && sizeof($users) != 0) {
 		foreach($users as $row) {
 			if (if_superadmin($superadmins, $row['user_uuid']) && !if_group("superadmin")) {
 				//hide
@@ -253,11 +221,11 @@
 				}
 				echo "	</td>\n";
 				echo "</tr>\n";
-				if ($c==0) { $c=1; } else { $c=0; }
+				$c = $c == 0 ? 1 : 0;
 			}
-		} //end foreach
-		unset($sql, $users);
-	} //end if results
+		}
+		unset($users, $row);
+	}
 
 	echo "<tr>\n";
 	echo "</table>\n";

+ 1 - 1
resources/functions.php

@@ -2125,7 +2125,7 @@ function number_pad($number,$n) {
 //validate and format order by clause of select statement
 	if (!function_exists('order_by')) {
 		function order_by($col, $dir) {
-			$col = preg_replace('#[^a-zA-Z0-9-_]#', '', $col);
+			$col = preg_replace('#[^a-zA-Z0-9-_.]#', '', $col);
 			$dir = strtolower($dir) == 'desc' ? 'desc' : 'asc';
 			if ($col != '') { return ' order by '.$col.' '.$dir.' '; }
 		}
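Review bot: Adding `.` to the character class is what users.php needs for `u.username`, but `[^a-zA-Z0-9-_.]` leaves the hyphen directly after the `0-9` range, which PCRE happens to read as a literal; writing it as `'#[^a-zA-Z0-9_.-]#'` makes that explicit. order_by() also falls off the end without a return when `$col` is empty, so callers concatenate null into their SQL; an explicit `return '';` after the `if` keeps the return consistent. The filter only removes characters, so callers still have to check the column name against their own select list before passing it in.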