Merge branch 'main' of http://103.196.222.49:3000/ohctech/ohctech_p8

Updated Code
2025-03-04 10:54:38 +05:30 · 2025-02-21 12:14:03 +05:30 · 2025-02-21 11:45:27 +05:30
7 changed files with 97 additions and 68 deletions
--- a/access.php
+++ b/access.php
@ -1,41 +1,58 @@
 <?php 
 include_once('includes/functions.php');
 // include_once('includes/config/config.php');
-$menu_key=$_SESSION['menu_key'];
+
-//echo "<script>alert(".$_SESSION['menu_key'].")</script>";	
+// Check if session variables exist
-$access_level=getaccesslevel($_SESSION['RoleId'] ,$menu_key);
+$menu_key = isset($_SESSION['menu_key']) ? $_SESSION['menu_key'] : '';
-$_SESSION['access_key']=$access_level;
+$role_id = isset($_SESSION['RoleId']) ? $_SESSION['RoleId'] : '';
-//echo "aceess======".$access_level; 
+
-if (
+if (!empty($role_id) && !empty($menu_key)) {
    $access_level = getaccesslevel($role_id, $menu_key);
    $_SESSION['access_key'] = $access_level;
    // Check for specific page conditions
    if (
        is_string($__currentPage) &&
        (
-        (strripos($__currentPage, "interim", 5) !== false) || 
+            (stripos($__currentPage, "interim") !== false) || 
-        (strripos($__currentPage, "review_ohc_selection") !== false)
+            (stripos($__currentPage, "review_ohc_selection") !== false)
        )
-){
+    ) {
        // Do nothing if condition matches
    } else {
        $acn = isset($_REQUEST['acn']) ? $_REQUEST['acn'] : (isset($_REQUEST['frmacn']) ? $_REQUEST['frmacn'] : '');
-}else{
+        // SQL query to check menu access
-	$acn="";
+        $sql_access = "SELECT menu_id FROM assign_menu WHERE role_id='" . mysqli_real_escape_string($conn, $role_id) . "' AND menu_id='" . mysqli_real_escape_string($conn, $menu_key) . "'";
-$acn= $_REQUEST['acn'] or $_REQUEST['frmacn'];
+        error_log("sql_access".$sql_access);
-$sql_access= "select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."' and menu_id='".$menu_key."'";
+        $result_access = mysqli_query($conn, $sql_access);
-//echo $sql_access;
+        $count_access = mysqli_num_rows($result_access);
-//$l->log($sql_access, PEAR_LOG_INFO);
+
-$result_access = mysqli_query($conn,$sql_access);
+        // Access control checks
-$count_access=@mysqli_num_rows($result_access);
+        if (!empty($menu_key) && $count_access == 0) {
-//echo $count_access;
+echo "<script>location.href='error.php'</script>";
-if((isset($menu_key) && $menu_key!='') && $count_access==0){
+            exit;
-	//$l->log("inside first check", PEAR_LOG_INFO);
+        } else {
            if (
                !empty($acn) && 
                (($acn == "delete" || $acn == "Delete") && $access_level != 'E')
            ) {
               echo "<script>location.href='error.php'</script>";
-}else{
+                exit;
-		if(isset($acn) && ($acn=="delete" ||  $acn=="Delete") && $access_level!='E'){
+            } else if (
                !empty($acn) && 
                (in_array(strtolower($acn), ['add', 'save', 'update']) && !in_array($access_level, ['W', 'E', 'R']))
            ) {
                echo "<script>location.href='error.php'</script>";
-			//$l->log("inside second check", PEAR_LOG_INFO);
+                exit;
-		}else if(isset($acn) &&($acn=="Add" ||  $acn=="Save"||  $acn=="add"||  $acn=="Update"||  $acn=="update") && ($access_level!='W' && $access_level!='E' && $access_level!='R' )){
+            }
 			echo "<script>location.href='error.php'</script>";	
 			//$l->log("inside third check", PEAR_LOG_INFO);
        }
 }
-validateRequest();
+        // Validate the request for special characters
        validateRequest();
    }
 } else {
    // echo "<script>location.href='error.php'</script>";
    // exit;
 }
 ?>
--- a/add_employee_details.php
+++ b/add_employee_details.php
@ -1493,7 +1493,8 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
                                        <?php
-                                        $docs_select_query = "select * from employee_docs where emp_id=$emp_id";
+                                        $docs_select_query = "select * from employee_docs where emp_id='$emp_id'";
                                        error_log($docs_select_query  . " ERROR " . mysqli_error($conn));  
                                        $docs_result = @mysqli_query($conn, $docs_select_query);
@ -1550,7 +1551,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
-                                                <?php } ?>
+                                                <?php }else { ?>
@ -1601,6 +1602,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
                                                <?php $count++;
                                                } 
                                                } ?>
--- a/database/changes.txt
+++ b/database/changes.txt
@ -2,3 +2,7 @@ ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`, ADD
 -- Dushant
 ALTER TABLE `calibration_item_tbl` ADD `status` VARCHAR(100) NOT NULL AFTER `bill_file_type`;
 -- Dushant 
 ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`;
--- a/includes/functions.php
+++ b/includes/functions.php
@ -3883,36 +3883,33 @@ function getTodayStockCount()
 	}
 }
 function validateRequest()
 {
-	$special_chars = "'^<5E>$%()}{~><>,|=_+<2B>-"; // all the special characters you want to check for
+    $special_chars = preg_quote("^$%()}{~><>,|=_+-", '/'); // Use preg_quote to escape special characters for regex
    $return = array();
    $return['msg'] = "Internal Server Error";
    foreach ($_REQUEST as $formKey => $formKeyVal) {
-
+        if (
-		if (preg_match('/' . $special_chars . '/', $formKeyVal) || preg_match('/' . $special_chars . '/', $formKey)) {
+            preg_match('/[' . $special_chars . ']/', $formKeyVal) || 
-
+            preg_match('/[' . $special_chars . ']/', $formKey)
-			// echo "<script>alert('Manoj'+'".$formKey."=".$formKeyVal."')</script>";
+        ) {
            // Debugging line to log what is triggering the error
            // echo "<script>alert('Special character detected in: " . $formKey . " = " . $formKeyVal . "')</script>";
            if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
                header('Cache-Control: no-cache, must-revalidate');
                header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
                header('Content-type: application/json');
                die(json_encode($return));
            }
            echo "<script>location.href='error.php'</script>";
            exit;
        }
    }
 }
 /**
 *
 * Takes input as array suitable for multiselect form attributes
--- a/medical_examination_list.php
+++ b/medical_examination_list.php
@ -956,7 +956,9 @@
 include('form/checkup_type_modal.php');
 ?>
 <?php include('form/medical_full_view.php'); ?>
-<?php include_once('full_view_medical.php'); ?>
+<?php 
 // include_once('full_view_medical.php');
 ?>
 <?php include_once('select_checkup_type_s.php'); ?>
 <?php include_once('form/form_o.php'); ?>
 <?php include_once('form/form_33.php'); ?>
--- a/shift_details.php
+++ b/shift_details.php
@ -25,6 +25,7 @@ $ohc_type = $_SESSION['current_ohcttype']?>
 			<!-- End of breadcrumb -->
 <?php  
 $db_new_date="";
 $last_day="";
 $m=0;
@ -48,7 +49,10 @@ $y = date('Y',strtotime("".$selectedShiftYear."-".($selectedShiftMonth+1)."-01")
 $shift_status_options = generateOption('shift_status','status_name','shift_status_id','','','');
 // generateOptionForMultipleWithWhereClause('shift_status','status_name','shift_status_id','','','is_shift','Y'); 
-                      
+    error_log("MONTh " . $m);
 	error_log("Year " . $y);
 	error_log("LAST DATE " . $last_day);   
 	$last_day = date_format(date_create($last_day), 'd');              
 ?>
 <script>
 var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
@ -61,7 +65,7 @@ var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
 			<div class="page-content">
 				<div class="box box-primary"
 					style="padding: 10px; margin: 2px 0px 50px 5px; width: 99.5%;">
-					<form id="shift_form" method="post">
+					<form id="shift_form" action="shift_details.php" method="post">
 						<!-- box-body-->
 						<div class="box-body" id="reload_amb">
@ -115,10 +119,12 @@ var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
 								</div>
-								<button class="btn btn-primary " type="button"
+								<!-- <button class="btn btn-primary " type="button"
-									id="submit_button" onclick="$('#shift_form').attr('action', '');$('#shift_form').submit()">
+									id="submit_button">
 									<i class="ace-icon fa fa-send"></i> Submit
-								</button>
+								</button> -->
 								<input type="submit" value="Submit" class="btn btn-primary" id="submit_button" />
 								<button class="btn btn-danger " type="button"
 									id="pdf_print" onclick="print_pdf('p')">
--- a/techsyn_header.php
+++ b/techsyn_header.php
@ -43,6 +43,7 @@ $result_menu_exists = mysqli_query($conn,$sql_menu_exists);
 $countAccessibleMenuPages_exists=mysqli_num_rows($result_menu_exists);
 $sql_menu= "select menu_id from menu_master where  upper(menu_url)=upper('".$__currentPage."') and menu_id in(select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."')";
 error_log("sql_menu".$sql_menu);
 $result_menu = mysqli_query($conn,$sql_menu);
 $countAccessibleMenuPages=mysqli_num_rows($result_menu);
@ -56,7 +57,7 @@ if($row_menu = mysqli_fetch_array($result_menu)){
    }
 }
 $_SESSION['menu_current_page'] = $__currentPage;
-include_once ('access.php');
+// include_once ('access.php');
 // echo "top_user:".$top_user.":Manoj";
Author	SHA1	Message	Date
Dushant Mali	6b285ac769	Merge branch 'main' of http://103.196.222.49:3000/ohctech/ohctech_p8	2025-03-04 10:54:38 +05:30
Dushant Mali	c01372a983	Merge branch 'main' of http://103.196.222.49:3000/ohctech/ohctech_p8	2025-02-21 12:14:03 +05:30
Dushant Mali	af854c0a46	Updated Code	2025-02-21 11:45:27 +05:30