diff --git a/include/class.client.php b/include/class.client.php
index bfcffeaca09f2a1251a0d3ae7fd8125cd5d08e1b..097f2d2b19ecd969f528be838a17992efbc380fd 100644
--- a/include/class.client.php
+++ b/include/class.client.php
@@ -40,9 +40,13 @@ abstract class TicketUser {
$tag = substr($name, 3);
switch (strtolower($tag)) {
case 'ticket_link':
- return sprintf('%s/view.php?auth=%s',
+ return sprintf('%s/view.php?%s',
$cfg->getBaseUrl(),
- urlencode($this->getAuthToken()));
+ Http::build_query(
+ array('auth' => $this->getAuthToken()),
+ false
+ )
+ );
break;
}
diff --git a/include/class.format.php b/include/class.format.php
index b1bc85b68921e16cd656da461cb5e70f9c93f122..7ac9f1e297dd7022a1ee9e81545a71e9b04bc646 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -218,7 +218,7 @@ class Format {
}
unset($s);
if ($styles)
- $attributes['style'] = Format::htmlencode(implode(';', $styles));
+ $attributes['style'] = Format::htmlchars(implode(';', $styles));
else
unset($attributes['style']);
}
@@ -275,15 +275,14 @@ class Format {
return $striptags?Format::striptags($text, false):$text;
}
- function htmlchars($var) {
- return Format::htmlencode($var);
- }
-
- function htmlencode($var) {
+ function htmlchars($var, $sanitize = false) {
static $phpversion = null;
if (is_array($var))
- return array_map(array('Format', 'htmlencode'), $var);
+ return array_map(array('Format', 'htmlchars'), $var);
+
+ if ($sanitize)
+ $var = Format::sanitize($var);
if (!isset($phpversion))
$phpversion = phpversion();
@@ -293,7 +292,7 @@ class Format {
$flags |= ENT_HTML401;
try {
- return htmlentities( (string) $var, $flags, 'UTF-8', false);
+ return htmlspecialchars( (string) $var, $flags, 'UTF-8', false);
} catch(Exception $e) {
return $var;
}
@@ -308,11 +307,11 @@ class Format {
if (phpversion() >= '5.4.0')
$flags |= ENT_HTML401;
- return html_entity_decode($var, $flags, 'UTF-8');
+ return htmlspecialchars_decode($var, $flags);
}
function input($var) {
- return Format::htmlencode($var);
+ return Format::htmlchars($var);
}
//Format text for display..
diff --git a/include/class.http.php b/include/class.http.php
index 3baea958a9495b3e8967510818f36cb561069ec4..d45218051a12e3c9d5bbf1ddf24ade23d2760c2c 100644
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -111,5 +111,10 @@ class Http {
exit;
}
}
+
+ static function build_query($vars, $encode=true, $separator='&') {
+ return http_build_query(
+ ($encode ? Format::htmlchars($vars) : $vars), '', $separator);
+ }
}
?>
diff --git a/include/class.pagenate.php b/include/class.pagenate.php
index 361d21f89855a4982661ffdf6421bbeae360a203..f6446dd92a9d2647882fb0155b9a572f22c472d2 100644
--- a/include/class.pagenate.php
+++ b/include/class.pagenate.php
@@ -38,14 +38,19 @@ class PageNate {
}
$this->setURL($url);
}
- function setURL($url='',$vars=''){
- if($url){
- if(strpos($url,'?')===false)
- $url=$url.'?';
- }else{
- $url=THISPAGE.'?';
+
+ function setURL($url='',$vars='') {
+ if ($url) {
+ if (strpos($url, '?')===false)
+ $url .= '?';
+ } else {
+ $url = THISPAGE.'?';
}
- $this->url=$url.$vars;
+
+ if ($vars && is_array($vars))
+ $vars = Http::build_query($vars);
+
+ $this->url = $url.$vars;
}
function getStart() {
diff --git a/include/client/tickets.inc.php b/include/client/tickets.inc.php
index 6b8e9df1af38ee40b56dcc831ad260c156d5e235..2adfa33e2d25202ee24d2534914091a21a524d01 100644
--- a/include/client/tickets.inc.php
+++ b/include/client/tickets.inc.php
@@ -1,10 +1,10 @@
<?php
if(!defined('OSTCLIENTINC') || !is_object($thisclient) || !$thisclient->isValid()) die('Access Denied');
-$qstr='&'; //Query string collector
+$qs = array();
$status=null;
if(isset($_REQUEST['status'])) { //Query string status has nothing to do with the real status used below.
- $qstr.='status='.urlencode($_REQUEST['status']);
+ $qs += array('status' => $_REQUEST['status']);
//Status we are actually going to use on the query...making sure it is clean!
$status=strtolower($_REQUEST['status']);
switch(strtolower($_REQUEST['status'])) {
@@ -69,7 +69,7 @@ if($status && isset($states[$status])){
$search=($_REQUEST['a']=='search' && $_REQUEST['q']);
if($search) {
- $qstr.='&a='.urlencode($_REQUEST['a']).'&q='.urlencode($_REQUEST['q']);
+ $qs += array('a' => $_REQUEST['a'], 'q' => $_REQUEST['q']);
if(is_numeric($_REQUEST['q'])) {
$qwhere.=" AND ticket.`number` LIKE '$queryterm%'";
} else {//Deep search!
@@ -90,7 +90,9 @@ TicketForm::ensureDynamicDataView();
$total=db_count('SELECT count(DISTINCT ticket.ticket_id) '.$qfrom.' '.$qwhere);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('tickets.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('tickets.php', $qs);
//more stuff...
$qselect.=' ,count(attach_id) as attachments ';
diff --git a/include/staff/apikey.inc.php b/include/staff/apikey.inc.php
index 1e6f845cf05beb9c4d65710b951346fc239a3fcc..fdf30da4bc844ed0cbdef37c3902a3916eca2716 100644
--- a/include/staff/apikey.inc.php
+++ b/include/staff/apikey.inc.php
@@ -1,24 +1,23 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info=$qs = array();
if($api && $_REQUEST['a']!='add'){
$title=__('Update API Key');
$action='update';
$submit_text=__('Save Changes');
$info=$api->getHashtable();
- $qstr.='&id='.$api->getId();
+ $qs += array('id' => $api->getId());
}else {
$title=__('Add New API Key');
$action='add';
$submit_text=__('Add Key');
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="apikeys.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="apikeys.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/apikeys.inc.php b/include/staff/apikeys.inc.php
index ba45adccef44860eec3ec52136b60950971b9289..ca0ab622aac2bca72bcb0739b647ec77dbd93128 100644
--- a/include/staff/apikeys.inc.php
+++ b/include/staff/apikeys.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT * FROM '.API_KEY_TABLE.' WHERE 1';
$sortOptions=array('key'=>'apikey','status'=>'isactive','ip'=>'ipaddr','date'=>'created','created'=>'created','updated'=>'updated');
$orderWays=array('DESC'=>'DESC','ASC'=>'ASC');
@@ -27,9 +27,11 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.API_KEY_TABLE.' ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,PAGE_LIMIT);
-$pageNav->setURL('apikeys.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('apikeys.php', $qs);
+
+$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
$query="$sql ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/banlist.inc.php b/include/staff/banlist.inc.php
index 26e1d074d2fb070cedbc4242e03ad082cf023c71..a858c227ba2fe8ccba4b2797343aeb43ef8d3f6b 100644
--- a/include/staff/banlist.inc.php
+++ b/include/staff/banlist.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin() || !$filter) die('Access Denied');
-$qstr='';
+$qs = array();
$select='SELECT rule.* ';
$from='FROM '.FILTER_RULE_TABLE.' rule ';
$where='WHERE rule.filter_id='.db_input($filter->getId());
@@ -41,8 +41,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT rule.id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('banlist.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('banlist.php', $qs);
+$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
$query="$select $from $where ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
//echo $query;
?>
diff --git a/include/staff/banrule.inc.php b/include/staff/banrule.inc.php
index b3fe52347ccc875025eaa05fb490bd3b4a5be7a5..4f98cd148511d0787873a81f07b75e5ddc6c8275 100644
--- a/include/staff/banrule.inc.php
+++ b/include/staff/banrule.inc.php
@@ -1,25 +1,25 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info=$qs= array();
if($rule && $_REQUEST['a']!='add'){
$title=__('Update Ban Rule');
$action='update';
$submit_text=__('Update');
$info=$rule->getInfo();
$info['id']=$rule->getId();
- $qstr.='&id='.$rule->getId();
+ $qs += array('id' => $rule->getId());
}else {
$title=__('Add New Email Address to Ban List');
$action='add';
$submit_text=__('Add');
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
+
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="banlist.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="banlist.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/cannedresponse.inc.php b/include/staff/cannedresponse.inc.php
index 6be5a63b1e7b2834971715c939e1e3073af0d78c..b2c851210713a304470f6773e8b4f79ec240f5c0 100644
--- a/include/staff/cannedresponse.inc.php
+++ b/include/staff/cannedresponse.inc.php
@@ -1,14 +1,13 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff) die('Access Denied');
-$info=array();
-$qstr='';
+$info=$qs = array();
if($canned && $_REQUEST['a']!='add'){
$title=__('Update Canned Response');
$action='update';
$submit_text=__('Save Changes');
$info=$canned->getInfo();
$info['id']=$canned->getId();
- $qstr.='&id='.$canned->getId();
+ $qs += array('id' => $canned->getId());
// Replace cid: scheme with downloadable URL for inline images
$info['response'] = $canned->getResponseWithImages();
$info['notes'] = Format::viewableImages($info['notes']);
@@ -17,12 +16,12 @@ if($canned && $_REQUEST['a']!='add'){
$action='create';
$submit_text=__('Add Response');
$info['isenabled']=isset($info['isenabled'])?$info['isenabled']:1;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="canned.php?<?php echo $qstr; ?>" method="post" id="save" enctype="multipart/form-data">
+<form action="canned.php?<?php echo Http::build_query($qs); ?>" method="post" id="save" enctype="multipart/form-data">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/cannedresponses.inc.php b/include/staff/cannedresponses.inc.php
index 70645010559a65e2aadf5469715945d6498b63c3..65de3378bcee0989c2cd4a9ec1ce10d3a981f663 100644
--- a/include/staff/cannedresponses.inc.php
+++ b/include/staff/cannedresponses.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT canned.*, count(attach.file_id) as files, dept.dept_name as department '.
' FROM '.CANNED_TABLE.' canned '.
' LEFT JOIN '.DEPT_TABLE.' dept ON (dept.dept_id=canned.dept_id) '.
@@ -36,9 +36,11 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.CANNED_TABLE.' canned ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('canned.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('canned.php', $qs);
//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr .= '&order='.($order=='DESC'?'ASC':'DESC');
$query="$sql GROUP BY canned.canned_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/categories.inc.php b/include/staff/categories.inc.php
index a948f4976ca123a275e5c3dc0b663db2788e55d7..f561dcd1aca9aa8ad9fa5eca1e48c3349d3e9ae6 100644
--- a/include/staff/categories.inc.php
+++ b/include/staff/categories.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT cat.category_id, cat.name, cat.ispublic, cat.updated, count(faq.faq_id) as faqs '.
' FROM '.FAQ_CATEGORY_TABLE.' cat '.
' LEFT JOIN '.FAQ_TABLE.' faq ON (faq.category_id=cat.category_id) ';
@@ -30,8 +30,9 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.FAQ_CATEGORY_TABLE.' cat ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('categories.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('categories.php', $qs);
+$qstr = '&order='.($order=='DESC'?'ASC':'DESC');
$query="$sql GROUP BY cat.category_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/category.inc.php b/include/staff/category.inc.php
index ff1ef1f93e558c31c96dd43e800a300519bf333f..e67bfd4dc14779d0172a6e44b241777c3e2445cb 100644
--- a/include/staff/category.inc.php
+++ b/include/staff/category.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->canManageFAQ()) die('Access Denied');
$info=array();
-$qstr='';
+$qs = array();
if($category && $_REQUEST['a']!='add'){
$title=__('Update Category').': '.$category->getName();
$action='update';
@@ -9,17 +9,17 @@ if($category && $_REQUEST['a']!='add'){
$info=$category->getHashtable();
$info['id']=$category->getId();
$info['notes'] = Format::viewableImages($category->getNotes());
- $qstr.='&id='.$category->getId();
+ $qs += array('id' => $category->getId());
}else {
$title=__('Add New Category');
$action='create';
$submit_text=__('Add');
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="categories.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="categories.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/department.inc.php b/include/staff/department.inc.php
index 53d30908c9b324be7e0a1ce3db0554cc15e0c30f..3e5aa6c9406d3e40840a8e0bfa04b5a5f71ab92d 100644
--- a/include/staff/department.inc.php
+++ b/include/staff/department.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($dept && $_REQUEST['a']!='add') {
//Editing Department.
$title=__('Update Department');
@@ -10,8 +9,7 @@ if($dept && $_REQUEST['a']!='add') {
$info=$dept->getInfo();
$info['id']=$dept->getId();
$info['groups'] = $dept->getAllowedGroups();
-
- $qstr.='&id='.$dept->getId();
+ $qs += array('id' => $dept->getId());
} else {
$title=__('Add New Department');
$action='create';
@@ -22,11 +20,11 @@ if($dept && $_REQUEST['a']!='add') {
if (!isset($info['group_membership']))
$info['group_membership'] = 1;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="departments.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="departments.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/departments.inc.php b/include/staff/departments.inc.php
index ba2d04707bc23d6c699951a048ad75d6fe07dcc1..c6936ec02622011de508bdf5fc161382163dc54a 100644
--- a/include/staff/departments.inc.php
+++ b/include/staff/departments.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT dept.dept_id,dept_name,email.email_id,email.email,email.name as email_name,ispublic,count(staff.staff_id) as users '.
',CONCAT_WS(" ",mgr.firstname,mgr.lastname) as manager,mgr.staff_id as manager_id,dept.created,dept.updated FROM '.DEPT_TABLE.' dept '.
' LEFT JOIN '.STAFF_TABLE.' mgr ON dept.manager_id=mgr.staff_id '.
@@ -30,7 +30,8 @@ $x=$sort.'_sort';
$$x=' class="'.strtolower($order).'" ';
$order_by="$order_column $order ";
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qs += array('order' => ($order=='DESC' ? 'ASC' : 'DESC'));
+$qstr = '&'. Http::build_query($qs);
$query="$sql GROUP BY dept.dept_id ORDER BY $order_by";
$res=db_query($query);
diff --git a/include/staff/directory.inc.php b/include/staff/directory.inc.php
index 6d127962a2f9d30a9b5ed655333f170cac453ce9..622d4d371a56a3c57c2aaaadd0c6611106b77919 100644
--- a/include/staff/directory.inc.php
+++ b/include/staff/directory.inc.php
@@ -1,6 +1,6 @@
<?php
if(!defined('OSTSTAFFINC') || !$thisstaff || !$thisstaff->isStaff()) die('Access Denied');
-$qstr='';
+$qs = array();
$select='SELECT staff.*,CONCAT_WS(" ",firstname,lastname) as name,dept.dept_name as dept ';
$from='FROM '.STAFF_TABLE.' staff '.
'LEFT JOIN '.DEPT_TABLE.' dept ON(staff.dept_id=dept.dept_id) ';
@@ -25,7 +25,7 @@ if($_REQUEST['q']) {
if($_REQUEST['did'] && is_numeric($_REQUEST['did'])) {
$where.=' AND staff.dept_id='.db_input($_REQUEST['did']);
- $qstr.='&did='.urlencode($_REQUEST['did']);
+ $qs += array('did' => $_REQUEST['did']);
}
$sortOptions=array('name'=>'staff.firstname,staff.lastname','email'=>'staff.email','dept'=>'dept.dept_name',
@@ -54,9 +54,11 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT staff.staff_id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('directory.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('directory.php', $qs);
//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr.='&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$select $from $where GROUP BY staff.staff_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
//echo $query;
?>
diff --git a/include/staff/dynamic-list.inc.php b/include/staff/dynamic-list.inc.php
index 0b4ed80996b418ff19d6bf020dc7bc190e08ef37..8d21a4aa4a883917c3b17d022eb4be469a9bf758 100644
--- a/include/staff/dynamic-list.inc.php
+++ b/include/staff/dynamic-list.inc.php
@@ -213,7 +213,7 @@ $info=Format::htmlchars(($errors && $_POST) ? array_merge($info,$_POST) : $info)
$page = ($_GET['p'] && is_numeric($_GET['p'])) ? $_GET['p'] : 1;
$count = $list->getNumItems();
$pageNav = new Pagenate($count, $page, PAGE_LIMIT);
- $pageNav->setURL('list.php', 'id='.urlencode($list->getId()));
+ $pageNav->setURL('list.php', array('id' => $list->getId()));
$showing=$pageNav->showing().' '.__('list items');
?>
<?php }
diff --git a/include/staff/email.inc.php b/include/staff/email.inc.php
index 9d2e3f89c566b28d2df5eae293b548de28732bf0..1ae20c19f740ebb5de7fffd58d1bd640b85fa676 100644
--- a/include/staff/email.inc.php
+++ b/include/staff/email.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($email && $_REQUEST['a']!='add'){
$title=__('Update Email');
$action='update';
@@ -17,7 +16,7 @@ if($email && $_REQUEST['a']!='add'){
if($info['userpass'])
$passwdtxt=__('To change password enter new password above.');
- $qstr.='&id='.$email->getId();
+ $qs += array('id' => $email->getId());
}else {
$title=__('Add New Email');
$action='create';
@@ -31,12 +30,12 @@ if($email && $_REQUEST['a']!='add'){
$info['mail_fetchmax'] = 10;
if (!isset($info['smtp_auth']))
$info['smtp_auth'] = 1;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
<h2><?php echo __('Email Address');?></h2>
-<form action="emails.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="emails.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/emails.inc.php b/include/staff/emails.inc.php
index 62900ab33f615399d02c50a1a92df8115f05fe7c..e02d178d266db868683105ae7188a34dc340f40c 100644
--- a/include/staff/emails.inc.php
+++ b/include/staff/emails.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT email.*,dept.dept_name as department,priority_desc as priority '.
' FROM '.EMAIL_TABLE.' email '.
' LEFT JOIN '.DEPT_TABLE.' dept ON (dept.dept_id=email.dept_id) '.
@@ -31,9 +31,9 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.EMAIL_TABLE.' email ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('emails.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('emails.php', $qs);
+$qstr = '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$sql GROUP BY email.email_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/faq.inc.php b/include/staff/faq.inc.php
index 4fcea8138b348ae8bdd24ddd3316cc4e940826ab..8e3bc57305e330c2dfe1dbb7a2e6e17a4a0e9fdd 100644
--- a/include/staff/faq.inc.php
+++ b/include/staff/faq.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff || !$thisstaff->canManageFAQ()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($faq){
$title=__('Update FAQ').': '.$faq->getQuestion();
$action='update';
@@ -11,18 +10,19 @@ if($faq){
$info['topics']=$faq->getHelpTopicsIds();
$info['answer']=Format::viewableImages($faq->getAnswer());
$info['notes']=Format::viewableImages($faq->getNotes());
- $qstr='id='.$faq->getId();
+ $qs += array('id' => $faq->getId());
}else {
$title=__('Add New FAQ');
$action='create';
$submit_text=__('Add FAQ');
if($category) {
- $qstr='cid='.$category->getId();
+ $qs += array('cid' => $category->getId());
$info['category_id']=$category->getId();
}
}
//TODO: Add attachment support.
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
+$qstr = Http::build_query($qs);
?>
<form action="faq.php?<?php echo $qstr; ?>" method="post" id="save" enctype="multipart/form-data">
<?php csrf_token(); ?>
diff --git a/include/staff/filter.inc.php b/include/staff/filter.inc.php
index 3bda64e043f56e6106e758ebdcc36988a217e4ce..75041070a9ecb95ecae9a64a2d713dde9df5ad75 100644
--- a/include/staff/filter.inc.php
+++ b/include/staff/filter.inc.php
@@ -4,25 +4,24 @@ if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access
$matches=Filter::getSupportedMatches();
$match_types=Filter::getSupportedMatchTypes();
-$info=array();
-$qstr='';
+$info = $qs = array();
if($filter && $_REQUEST['a']!='add'){
$title=__('Update Filter');
$action='update';
$submit_text=__('Save Changes');
$info=array_merge($filter->getInfo(),$filter->getFlatRules());
$info['id']=$filter->getId();
- $qstr.='&id='.$filter->getId();
+ $qs += array('id' => $filter->getId());
}else {
$title=__('Add New Filter');
$action='add';
$submit_text=__('Add Filter');
$info['isactive']=isset($info['isactive'])?$info['isactive']:0;
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="filters.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="filters.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/filters.inc.php b/include/staff/filters.inc.php
index 76a62a107b0a868d1dcadf1131cae562c8110561..4f0212794a84d13ee1f56e836bcb2935b68b151b 100644
--- a/include/staff/filters.inc.php
+++ b/include/staff/filters.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
$targets = Filter::getTargets();
-$qstr='';
+$qs = array();
$sql='SELECT filter.*,count(rule.id) as rules '.
'FROM '.FILTER_TABLE.' filter '.
'LEFT JOIN '.FILTER_RULE_TABLE.' rule ON(rule.filter_id=filter.id) '.
@@ -32,9 +32,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.FILTER_TABLE.' filter ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('filters.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('filters.php', $qs);
+$qstr.='&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$sql ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/group.inc.php b/include/staff/group.inc.php
index 27546e764e2bdad1edea44239281a20ac5a312ed..bbadcc066a8b9635e4df61ecf16840d43927af02 100644
--- a/include/staff/group.inc.php
+++ b/include/staff/group.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($group && $_REQUEST['a']!='add'){
$title=__('Update Group');
$action='update';
@@ -9,18 +8,18 @@ if($group && $_REQUEST['a']!='add'){
$info=$group->getInfo();
$info['id']=$group->getId();
$info['depts']=$group->getDepartments();
- $qstr.='&id='.$group->getId();
+ $qs += array('id' => $group->getId());
}else {
$title=__('Add New Group');
$action='create';
$submit_text=__('Create Group');
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
$info['can_create_tickets']=isset($info['can_create_tickets'])?$info['can_create_tickets']:1;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="groups.php?<?php echo $qstr; ?>" method="post" id="save" name="group">
+<form action="groups.php?<?php echo Http::build_query($qs); ?>" method="post" id="save" name="group">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/groups.inc.php b/include/staff/groups.inc.php
index 4b47dba87554fceda68666db180f1d2a4fbc30d1..7c358fa23e04b724964a7e89504ff44512b0e40e 100644
--- a/include/staff/groups.inc.php
+++ b/include/staff/groups.inc.php
@@ -1,8 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
-
+$qs = array();
$sql='SELECT grp.*,count(DISTINCT staff.staff_id) as users, count(DISTINCT dept.dept_id) as depts '
.' FROM '.GROUP_TABLE.' grp '
.' LEFT JOIN '.STAFF_TABLE.' staff ON(staff.group_id=grp.group_id) '
@@ -30,7 +29,7 @@ $x=$sort.'_sort';
$$x=' class="'.strtolower($order).'" ';
$order_by="$order_column $order ";
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qs += array('order' => ($order=='DESC' ? 'ASC' : 'DESC'));
$query="$sql GROUP BY grp.group_id ORDER BY $order_by";
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
@@ -38,6 +37,9 @@ if($res && ($num=db_num_rows($res)))
else
$showing=__('No groups found!');
+
+$qstr = '&'.Http::build_query($qs);
+
?>
<div class="pull-left" style="width:700px;padding-top:5px;">
<h2><?php echo __('Agent Groups');?>
diff --git a/include/staff/helptopic.inc.php b/include/staff/helptopic.inc.php
index bd254cd2db7e1b7a1bc5d06ac42706cb5b6b3375..ca3090443c7d5c75d61dcecbb57094557a2c1d0a 100644
--- a/include/staff/helptopic.inc.php
+++ b/include/staff/helptopic.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($topic && $_REQUEST['a']!='add') {
$title=__('Update Help Topic');
$action='update';
@@ -9,7 +8,7 @@ if($topic && $_REQUEST['a']!='add') {
$info=$topic->getInfo();
$info['id']=$topic->getId();
$info['pid']=$topic->getPid();
- $qstr.='&id='.$topic->getId();
+ $qs += array('id' => $topic->getId());
} else {
$title=__('Add New Help Topic');
$action='create';
@@ -17,11 +16,11 @@ if($topic && $_REQUEST['a']!='add') {
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
$info['ispublic']=isset($info['ispublic'])?$info['ispublic']:1;
$info['form_id'] = Topic::FORM_USE_PARENT;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="helptopics.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="helptopics.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/orgs.inc.php b/include/staff/orgs.inc.php
index 862da34be7722441fb1b6f1c447edf3ec8b0d868..7edaa7bc590aa57dcbfb0d7d2e8be4a13b1615fe 100644
--- a/include/staff/orgs.inc.php
+++ b/include/staff/orgs.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff) die('Access Denied');
-$qstr='';
+$qs = array();
$select = 'SELECT org.*
,COALESCE(team.name,
@@ -27,7 +27,7 @@ if ($_REQUEST['query']) {
org.name LIKE \'%'.$search.'%\' OR value.value LIKE \'%'.$search.'%\'
)';
- $qstr.='&query='.urlencode($_REQUEST['query']);
+ $qs += array('query' => $_REQUEST['query']);
}
$sortOptions = array('name' => 'org.name',
@@ -56,9 +56,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT org.id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,PAGE_LIMIT);
-$pageNav->setURL('orgs.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('orgs.php', $qs);
+$qstr.='&order='.($order=='DESC' ? 'ASC' : 'DESC');
$select .= ', count(DISTINCT user.id) as users ';
diff --git a/include/staff/page.inc.php b/include/staff/page.inc.php
index 532bfc0af8c4c9b9435b9be741ec01c433e2f3c9..c98dc4188f0522962a113713afddd00bf65bef30 100644
--- a/include/staff/page.inc.php
+++ b/include/staff/page.inc.php
@@ -6,8 +6,7 @@ $pageTypes = array(
'thank-you' => __('Thank you page'),
'other' => __('Other'),
);
-$info=array();
-$qstr='';
+$info = $qs = array();
if($page && $_REQUEST['a']!='add'){
$title=__('Update Page');
$action='update';
@@ -16,17 +15,17 @@ if($page && $_REQUEST['a']!='add'){
$info['body'] = Format::viewableImages($page->getBody());
$info['notes'] = Format::viewableImages($info['notes']);
$slug = Format::slugify($info['name']);
- $qstr.='&id='.$page->getId();
+ $qs += array('id' => $page->getId());
}else {
$title=__('Add New Page');
$action='add';
$submit_text=__('Add Page');
$info['isactive']=isset($info['isactive'])?$info['isactive']:0;
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="pages.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="pages.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
@@ -111,7 +110,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
</tr>
<tr>
<th colspan="2">
- <em><strong><?php echo __('Internal Notes'); ?></strong>:
+ <em><strong><?php echo __('Internal Notes'); ?></strong>:
<?php echo __("be liberal, they're internal"); ?></em>
</th>
</tr>
diff --git a/include/staff/pages.inc.php b/include/staff/pages.inc.php
index 19a307f93e2ec9d30fbb94d448f463c5e2e9b438..5f808b7b1987ee3773b8894335fac99b8bd806f2 100644
--- a/include/staff/pages.inc.php
+++ b/include/staff/pages.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT page.id, page.isactive, page.name, page.created, page.updated, '
.'page.type, count(topic.topic_id) as topics '
.' FROM '.PAGE_TABLE.' page '
@@ -36,9 +36,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.PAGE_TABLE.' page '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('pages.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('pages.php', $qs);
+$qstr .= '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$sql $where GROUP BY page.id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/plugin.inc.php b/include/staff/plugin.inc.php
index f76b0f27c749e889b0a8170875798a3d2f932292..f27e21333aabc78535863ccb2e9c403851ac8a01 100644
--- a/include/staff/plugin.inc.php
+++ b/include/staff/plugin.inc.php
@@ -14,10 +14,11 @@ if($plugin && $_REQUEST['a']!='add') {
$submit_text = __('Save Changes');
$info = $plugin->ht;
}
-$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
+
+$info = Format::htmlchars(($errors && $_POST) ? $_POST : $info);
?>
-<form action="?id=<?php echo urlencode($_REQUEST['id']); ?>" method="post" id="save">
+<form action="?<?php echo Http::build_query(array('id' => $_REQUEST['id'])); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="id" value="<?php echo $info['id']; ?>">
diff --git a/include/staff/slaplan.inc.php b/include/staff/slaplan.inc.php
index 2e72720b8f2cd8030b70e039a321177196eb282a..494fecf180f27667cf3c2e8536dd18852cb45b78 100644
--- a/include/staff/slaplan.inc.php
+++ b/include/staff/slaplan.inc.php
@@ -1,14 +1,13 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($sla && $_REQUEST['a']!='add'){
$title=__('Update SLA Plan' /* SLA is abbreviation for Service Level Agreement */);
$action='update';
$submit_text=__('Save Changes');
$info=$sla->getInfo();
$info['id']=$sla->getId();
- $qstr.='&id='.$sla->getId();
+ $qs += array('id' => $sla->getId());
}else {
$title=__('Add New SLA Plan' /* SLA is abbreviation for Service Level Agreement */);
$action='add';
@@ -16,11 +15,11 @@ if($sla && $_REQUEST['a']!='add'){
$info['isactive']=isset($info['isactive'])?$info['isactive']:1;
$info['enable_priority_escalation']=isset($info['enable_priority_escalation'])?$info['enable_priority_escalation']:1;
$info['disable_overdue_alerts']=isset($info['disable_overdue_alerts'])?$info['disable_overdue_alerts']:0;
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="slas.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="slas.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/slaplans.inc.php b/include/staff/slaplans.inc.php
index 4acf6763ce198faa5d051e784f32aef46c7c6ecd..f8f6a6400161594411c3ace879e0b380fbd2b157 100644
--- a/include/staff/slaplans.inc.php
+++ b/include/staff/slaplans.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT * FROM '.SLA_TABLE.' sla WHERE 1';
$sortOptions=array('name'=>'sla.name','status'=>'sla.isactive','period'=>'sla.grace_period','date'=>'sla.created','updated'=>'sla.updated');
$orderWays=array('DESC'=>'DESC','ASC'=>'ASC');
@@ -27,9 +27,12 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.SLA_TABLE.' sla ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('slas.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+
+$pageNav->setURL('slas.php', $qs);
//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr .= '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$sql ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/staff.inc.php b/include/staff/staff.inc.php
index 1dd7d105ada2a28c76b917221460563b6604c9f7..e036540459d07e3a1913e67bbc65e49ab09bc0b3 100644
--- a/include/staff/staff.inc.php
+++ b/include/staff/staff.inc.php
@@ -1,8 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($staff && $_REQUEST['a']!='add'){
//Editing Department.
$title=__('Update Agent');
@@ -13,7 +12,7 @@ if($staff && $_REQUEST['a']!='add'){
$info['id']=$staff->getId();
$info['teams'] = $staff->getTeams();
$info['signature'] = Format::viewableImages($info['signature']);
- $qstr.='&id='.$staff->getId();
+ $qs += array('id' => $staff->getId());
}else {
$title=__('Add New Agent');
$action='create';
@@ -27,11 +26,11 @@ if($staff && $_REQUEST['a']!='add'){
$info['isadmin']=0;
$info['timezone_id'] = $cfg->getDefaultTimezoneId();
$info['daylight_saving'] = $cfg->observeDaylightSaving();
- $qstr.='&a=add';
+ $qs += array('a' => 'add');
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="staff.php?<?php echo $qstr; ?>" method="post" id="save" autocomplete="off">
+<form action="staff.php?<?php echo Http::build_query($qs); ?>" method="post" id="save" autocomplete="off">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/staffmembers.inc.php b/include/staff/staffmembers.inc.php
index f440ea3965badfe2218106765adfa496e6dfc514..34681d2eb081c0a67e3d140342d0e8d422ae82c1 100644
--- a/include/staff/staffmembers.inc.php
+++ b/include/staff/staffmembers.inc.php
@@ -1,6 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$select='SELECT staff.*,CONCAT_WS(" ",firstname,lastname) as name, grp.group_name, dept.dept_name as dept,count(m.team_id) as teams ';
$from='FROM '.STAFF_TABLE.' staff '.
'LEFT JOIN '.GROUP_TABLE.' grp ON(staff.group_id=grp.group_id) '.
@@ -10,17 +10,17 @@ $where='WHERE 1 ';
if($_REQUEST['did'] && is_numeric($_REQUEST['did'])) {
$where.=' AND staff.dept_id='.db_input($_REQUEST['did']);
- $qstr.='&did='.urlencode($_REQUEST['did']);
+ $qs += array('did' => $_REQUEST['did']);
}
if($_REQUEST['gid'] && is_numeric($_REQUEST['gid'])) {
$where.=' AND staff.group_id='.db_input($_REQUEST['gid']);
- $qstr.='&gid='.urlencode($_REQUEST['gid']);
+ $qs += array('gid' => $_REQUEST['gid']);
}
if($_REQUEST['tid'] && is_numeric($_REQUEST['tid'])) {
$where.=' AND m.team_id='.db_input($_REQUEST['tid']);
- $qstr.='&tid='.urlencode($_REQUEST['tid']);
+ $qs += array('tid' => $_REQUEST['tid']);
}
$sortOptions=array('name'=>'staff.firstname,staff.lastname','username'=>'staff.username','status'=>'isactive',
@@ -48,9 +48,11 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT staff.staff_id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,PAGE_LIMIT);
-$pageNav->setURL('staff.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+
+$pageNav->setURL('staff.php', $qs);
+$qstr .= '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$select $from $where GROUP BY staff.staff_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
//echo $query;
?>
diff --git a/include/staff/syslogs.inc.php b/include/staff/syslogs.inc.php
index b264ffa05386b762926f28c26270f1634c580ae8..e364a92ea83c28172fd5cb0667db7adc20d40dfb 100644
--- a/include/staff/syslogs.inc.php
+++ b/include/staff/syslogs.inc.php
@@ -1,9 +1,9 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
if($_REQUEST['type']) {
- $qstr.='&type='.urlencode($_REQUEST['type']);
+ $qs += array('type' => $_REQUEST['type']);
}
$type=null;
switch(strtolower($_REQUEST['type'])){
@@ -38,11 +38,11 @@ if( ($startTime && $startTime>time()) or ($startTime>$endTime && $endTime>0)){
}else{
if($startTime){
$qwhere.=' AND created>=FROM_UNIXTIME('.$startTime.')';
- $qstr.='&startDate='.urlencode($_REQUEST['startDate']);
+ $qs += array('startDate' => $_REQUEST['startDate']);
}
if($endTime){
$qwhere.=' AND created<=FROM_UNIXTIME('.$endTime.')';
- $qstr.='&endDate='.urlencode($_REQUEST['endDate']);
+ $qs += array('endDate' => $_REQUEST['endDate']);
}
}
$sortOptions=array('id'=>'log.log_id', 'title'=>'log.title','type'=>'log_type','ip'=>'log.ip_address'
@@ -73,8 +73,9 @@ $total=db_count("SELECT count(*) $qfrom $qwhere");
$page = ($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
//pagenate
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('logs.php',$qstr);
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$pageNav->setURL('logs.php',$qs);
+$qs += array('order' => ($order=='DESC' ? 'ASC' : 'DESC'));
+$qstr = '&'. Http::build_query($qs);
$query="$qselect $qfrom $qwhere ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/team.inc.php b/include/staff/team.inc.php
index 4b2feacbfd06c1898990ce90cfc9ce13f5b05321..db953b5a060c0954fab412ab2b5b9668e54e4310 100644
--- a/include/staff/team.inc.php
+++ b/include/staff/team.inc.php
@@ -1,7 +1,6 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($team && $_REQUEST['a']!='add'){
//Editing Team
$title=__('Update Team');
@@ -9,18 +8,18 @@ if($team && $_REQUEST['a']!='add'){
$submit_text=__('Save Changes');
$info=$team->getInfo();
$info['id']=$team->getId();
- $qstr.='&id='.$team->getId();
+ $qs += array('id' => $team->getId());
}else {
$title=__('Add New Team');
$action='create';
$submit_text=__('Create Team');
$info['isenabled']=1;
$info['noalerts']=0;
- $qstr.='&a='.$_REQUEST['a'];
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="teams.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="teams.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/teams.inc.php b/include/staff/teams.inc.php
index de08d25e88911eadac668e7c6f25e56610f42d2d..f18edbeacf431673f5cc54d84016ac5bd67c2fb8 100644
--- a/include/staff/teams.inc.php
+++ b/include/staff/teams.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT team.*,count(m.staff_id) as members,CONCAT_WS(" ",lead.firstname,lead.lastname) as team_lead '.
' FROM '.TEAM_TABLE.' team '.
' LEFT JOIN '.TEAM_MEMBER_TABLE.' m ON(m.team_id=team.team_id) '.
@@ -28,7 +28,8 @@ $x=$sort.'_sort';
$$x=' class="'.strtolower($order).'" ';
$order_by="$order_column $order ";
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qs += array('order' => ($order=='DESC' ? 'ASC' : 'DESC'));
+$qstr = '&'. Http::build_query($qs);
$query="$sql GROUP BY team.team_id ORDER BY $order_by";
$res=db_query($query);
diff --git a/include/staff/template.inc.php b/include/staff/template.inc.php
index 4f423bb8714fd7fd5cbd310d80f73a79fa743a0e..814ce16c90e76be4fddf97c1e2b806058811e623 100644
--- a/include/staff/template.inc.php
+++ b/include/staff/template.inc.php
@@ -1,26 +1,25 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff || !$thisstaff->isAdmin()) die('Access Denied');
-$info=array();
-$qstr='';
+$info = $qs = array();
if($template && $_REQUEST['a']!='add'){
$title=__('Update Template');
$action='update';
$submit_text=__('Save Changes');
$info=$template->getInfo();
$info['tpl_id']=$template->getId();
- $qstr.='&tpl_id='.$template->getId();
+ $qs += array('tpl_id' => $template->getId());
}else {
$title=__('Add New Template');
$action='add';
$submit_text=__('Add Template');
$info['isactive']=isset($info['isactive'])?$info['isactive']:0;
$info['lang_id'] = $cfg->getSystemLanguage();
- $qstr.='&a='.urlencode($_REQUEST['a']);
+ $qs += array('a' => $_REQUEST['a']);
}
$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
?>
-<form action="templates.php?<?php echo $qstr; ?>" method="post" id="save">
+<form action="templates.php?<?php echo Http::build_query($qs); ?>" method="post" id="save">
<?php csrf_token(); ?>
<input type="hidden" name="do" value="<?php echo $action; ?>">
<input type="hidden" name="a" value="<?php echo Format::htmlchars($_REQUEST['a']); ?>">
diff --git a/include/staff/templates.inc.php b/include/staff/templates.inc.php
index 3fb2c49b5fab00a2953940c18e248e1e68e6c17c..1c042fdd54e8652f0714079a375512c271cd3517 100644
--- a/include/staff/templates.inc.php
+++ b/include/staff/templates.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTADMININC') || !$thisstaff->isAdmin()) die('Access Denied');
-$qstr='';
+$qs = array();
$sql='SELECT tpl.*,count(dept.tpl_id) as depts '.
'FROM '.EMAIL_TEMPLATE_GRP_TABLE.' tpl '.
'LEFT JOIN '.DEPT_TABLE.' dept USING(tpl_id) '.
@@ -30,9 +30,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(*) FROM '.EMAIL_TEMPLATE_GRP_TABLE.' tpl ');
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total, $page, PAGE_LIMIT);
-$pageNav->setURL('templates.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('templates.php', $qs);
+$qstr .= '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$query="$sql GROUP BY tpl.tpl_id ORDER BY $order_by LIMIT ".$pageNav->getStart().",".$pageNav->getLimit();
$res=db_query($query);
if($res && ($num=db_num_rows($res)))
diff --git a/include/staff/templates/users.tmpl.php b/include/staff/templates/users.tmpl.php
index 40a2d4952e1c2043917b961b9601cf3a0f0d6c81..f65f529eef1b3b019988d480aede6c1be64f7ac3 100644
--- a/include/staff/templates/users.tmpl.php
+++ b/include/staff/templates/users.tmpl.php
@@ -1,5 +1,5 @@
<?php
-$qstr='';
+$qs = array();
$select = 'SELECT user.*, email.address as email ';
$from = 'FROM '.USER_TABLE.' user '
@@ -33,9 +33,12 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT user.id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,PAGE_LIMIT);
-$pageNav->setURL('users.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+
+$pageNav->setURL('users.php', $qs);
//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr .= '&order='.($order=='DESC' ? 'ASC' : 'DESC');
$select .= ', count(DISTINCT ticket.ticket_id) as tickets ';
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index 64ea71ab83a9090be4955d2d24d3cfc39a591ea0..5f436a054bd102abed26809a791f695316ca81cb 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -1,9 +1,9 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff || !@$thisstaff->isStaff()) die('Access Denied');
-$qstr='&'; //Query string collector
+$qs= array(); //Query string collector
if($_REQUEST['status']) { //Query string status has nothing to do with the real status used below; gets overloaded.
- $qstr.='status='.urlencode($_REQUEST['status']);
+ $qs += array('status' => $_REQUEST['status']);
}
//See if this is a search
@@ -90,7 +90,7 @@ if($status && isset($states[$status])) {
if (isset($_REQUEST['uid']) && $_REQUEST['uid']) {
$qwhere .= ' AND (ticket.user_id='.db_input($_REQUEST['uid'])
.' OR collab.user_id='.db_input($_REQUEST['uid']).') ';
- $qstr .= '&uid='.urlencode($_REQUEST['uid']);
+ $qs += array('uid' => $_REQUEST['uid']);
}
//Queues: Overloaded sub-statuses - you've got to just have faith!
@@ -120,12 +120,10 @@ if($staffId && ($staffId==$thisstaff->getId())) { //My tickets
$deep_search=false;
$order_by=$order=null;
if($search):
- $qstr.='&a='.urlencode($_REQUEST['a']);
- $qstr.='&t='.urlencode($_REQUEST['t']);
-
+ $qs += array('a' => $_REQUEST['a'], 't' => $_REQUEST['t']);
//query
if($searchTerm){
- $qstr.='&query='.urlencode($searchTerm);
+ $qs += array('query' => $searchTerm);
$queryterm=db_real_escape($searchTerm,false); //escape the term ONLY...no quotes.
if (is_numeric($searchTerm)) {
$qwhere.=" AND ticket.`number` LIKE '$queryterm%'";
@@ -155,7 +153,7 @@ endif;
if ($_REQUEST['advsid'] && isset($_SESSION['adv_'.$_REQUEST['advsid']])) {
$ticket_ids = implode(',', db_input($_SESSION['adv_'.$_REQUEST['advsid']]));
- $qstr.='advsid='.$_REQUEST['advsid'];
+ $qs += array('advsid' => $_REQUEST['advsid']);
$qwhere .= ' AND ticket.ticket_id IN ('.$ticket_ids.')';
// Thanks, http://stackoverflow.com/a/1631794
$order_by = 'FIELD(ticket.ticket_id, '.$ticket_ids.')';
@@ -211,7 +209,7 @@ $x=$sort.'_sort';
$$x=' class="'.strtolower($order).'" ';
if($_GET['limit'])
- $qstr.='&limit='.urlencode($_GET['limit']);
+ $qs += array('limit' => $_GET['limit']);
$qselect ='SELECT ticket.ticket_id,tlock.lock_id,ticket.`number`,ticket.dept_id,ticket.staff_id,ticket.team_id '
.' ,user.name'
@@ -242,7 +240,10 @@ $total=db_count("SELECT count(DISTINCT ticket.ticket_id) $qfrom $sjoin $qwhere")
$pagelimit=($_GET['limit'] && is_numeric($_GET['limit']))?$_GET['limit']:PAGE_LIMIT;
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,$pagelimit);
-$pageNav->setURL('tickets.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
+
+$qstr = '&'.http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('tickets.php', $qs);
//ADD attachment,priorities, lock and other crap
$qselect.=' ,IF(ticket.duedate IS NULL,IF(sla.id IS NULL, NULL, DATE_ADD(ticket.created, INTERVAL sla.grace_period HOUR)), ticket.duedate) as duedate '
@@ -313,7 +314,9 @@ if ($results) {
<input type="hidden" name="a" value="search">
<table>
<tr>
- <td><input type="text" id="basic-ticket-search" name="query" size=30 value="<?php echo Format::htmlchars($_REQUEST['query']); ?>"
+ <td><input type="text" id="basic-ticket-search" name="query"
+ size=30 value="<?php echo Format::htmlchars($_REQUEST['query'],
+ true); ?>"
autocomplete="off" autocorrect="off" autocapitalize="off"></td>
<td><input type="submit" name="basic_search" class="button" value="<?php echo __('Search'); ?>"></td>
<td> <a href="#" id="go-advanced">[<?php echo __('advanced'); ?>]</a> <i class="help-tip icon-question-sign" href="#advanced"></i></td>
@@ -351,7 +354,8 @@ if ($results) {
<?php csrf_token(); ?>
<input type="hidden" name="a" value="mass_process" >
<input type="hidden" name="do" id="action" value="" >
- <input type="hidden" name="status" value="<?php echo Format::htmlchars($_REQUEST['status']); ?>" >
+ <input type="hidden" name="status" value="<?php echo
+ Format::htmlchars($_REQUEST['status'], true); ?>" >
<table class="list" border="0" cellspacing="1" cellpadding="2" width="940">
<thead>
<tr>
@@ -510,10 +514,14 @@ if ($results) {
</tfoot>
</table>
<?php
- if($num>0){ //if we actually had any tickets returned.
+ if ($num>0) { //if we actually had any tickets returned.
echo '<div> '.__('Page').':'.$pageNav->getPageLinks().' ';
- echo '<a class="export-csv no-pjax" href="?a=export&h='
- .$hash.'&status='.$_REQUEST['status'] .'">'.__('Export').'</a> <i class="help-tip icon-question-sign" href="#export"></i></div>';
+ echo sprintf('<a class="export-csv no-pjax" href="?%s">%s</a>',
+ Http::build_query(array(
+ 'a' => 'export', 'h' => $hash,
+ 'status' => $_REQUEST['status'])),
+ __('Export'));
+ echo ' <i class="help-tip icon-question-sign" href="#export"></i></div>';
} ?>
</form>
</div>
diff --git a/include/staff/users.inc.php b/include/staff/users.inc.php
index ec35f2205af0052a6cf6eab62716870e59f82a06..deae27b5ea5ff1a10597ff78139d3b0490988de5 100644
--- a/include/staff/users.inc.php
+++ b/include/staff/users.inc.php
@@ -1,7 +1,7 @@
<?php
if(!defined('OSTSCPINC') || !$thisstaff) die('Access Denied');
-$qstr='';
+$qs = array();
$select = 'SELECT user.*, email.address as email, org.name as organization
, account.id as account_id, account.status as account_status ';
@@ -29,7 +29,7 @@ if ($_REQUEST['query']) {
OR value.value LIKE \'%'.$search.'%\'
)';
- $qstr.='&query='.urlencode($_REQUEST['query']);
+ $qs += array('query' => $_REQUEST['query']);
}
$sortOptions = array('name' => 'user.name',
@@ -59,9 +59,10 @@ $order_by="$order_column $order ";
$total=db_count('SELECT count(DISTINCT user.id) '.$from.' '.$where);
$page=($_GET['p'] && is_numeric($_GET['p']))?$_GET['p']:1;
$pageNav=new Pagenate($total,$page,PAGE_LIMIT);
-$pageNav->setURL('users.php',$qstr.'&sort='.urlencode($_REQUEST['sort']).'&order='.urlencode($_REQUEST['order']));
-//Ok..lets roll...create the actual query
-$qstr.='&order='.($order=='DESC'?'ASC':'DESC');
+$qstr = '&'. Http::build_query($qs);
+$qs += array('sort' => $_REQUEST['sort'], 'order' => $_REQUEST['order']);
+$pageNav->setURL('users.php', $qs);
+$qstr.='&order='.($order=='DESC' ? 'ASC' : 'DESC');
$select .= ', count(DISTINCT ticket.ticket_id) as tickets ';