Merge branch 'main' of http://103.196.222.49:3000/ohctech/ohctech_p8

access.php

@@ -1,41 +1,58 @@
 <?php 
 include_once('includes/functions.php');
 // include_once('includes/config/config.php');
-$menu_key=$_SESSION['menu_key'];
-//echo "<script>alert(".$_SESSION['menu_key'].")</script>";	
-$access_level=getaccesslevel($_SESSION['RoleId'] ,$menu_key);
-$_SESSION['access_key']=$access_level;
-//echo "aceess======".$access_level; 
-if (
-    is_string($__currentPage) &&
-    (
-        (strripos($__currentPage, "interim", 5) !== false) || 
-        (strripos($__currentPage, "review_ohc_selection") !== false)
-    )
-){
 
-}else{
+// Check if session variables exist
-	$acn="";
+$menu_key = isset($_SESSION['menu_key']) ? $_SESSION['menu_key'] : '';
-$acn= $_REQUEST['acn'] or $_REQUEST['frmacn'];
+$role_id = isset($_SESSION['RoleId']) ? $_SESSION['RoleId'] : '';
-$sql_access= "select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."' and menu_id='".$menu_key."'";
-//echo $sql_access;
-//$l->log($sql_access, PEAR_LOG_INFO);
-$result_access = mysqli_query($conn,$sql_access);
-$count_access=@mysqli_num_rows($result_access);
-//echo $count_access;
-if((isset($menu_key) && $menu_key!='') && $count_access==0){
-	//$l->log("inside first check", PEAR_LOG_INFO);
-	echo "<script>location.href='error.php'</script>";	
-}else{
-		if(isset($acn) && ($acn=="delete" ||  $acn=="Delete") && $access_level!='E'){
-			echo "<script>location.href='error.php'</script>";	
-			//$l->log("inside second check", PEAR_LOG_INFO);
-		}else if(isset($acn) &&($acn=="Add" ||  $acn=="Save"||  $acn=="add"||  $acn=="Update"||  $acn=="update") && ($access_level!='W' && $access_level!='E' && $access_level!='R' )){
-			echo "<script>location.href='error.php'</script>";	
-			//$l->log("inside third check", PEAR_LOG_INFO);
-		}
-}
 
-validateRequest();
+if (!empty($role_id) && !empty($menu_key)) {
+    $access_level = getaccesslevel($role_id, $menu_key);
+    $_SESSION['access_key'] = $access_level;
+
+    // Check for specific page conditions
+    if (
+        is_string($__currentPage) &&
+        (
+            (stripos($__currentPage, "interim") !== false) || 
+            (stripos($__currentPage, "review_ohc_selection") !== false)
+        )
+    ) {
+        // Do nothing if condition matches
+    } else {
+        $acn = isset($_REQUEST['acn']) ? $_REQUEST['acn'] : (isset($_REQUEST['frmacn']) ? $_REQUEST['frmacn'] : '');
+
+        // SQL query to check menu access
+        $sql_access = "SELECT menu_id FROM assign_menu WHERE role_id='" . mysqli_real_escape_string($conn, $role_id) . "' AND menu_id='" . mysqli_real_escape_string($conn, $menu_key) . "'";
+        error_log("sql_access".$sql_access);
+        $result_access = mysqli_query($conn, $sql_access);
+        $count_access = mysqli_num_rows($result_access);
+
+        // Access control checks
+        if (!empty($menu_key) && $count_access == 0) {
+echo "<script>location.href='error.php'</script>";
+            exit;
+        } else {
+            if (
+                !empty($acn) && 
+                (($acn == "delete" || $acn == "Delete") && $access_level != 'E')
+            ) {
+               echo "<script>location.href='error.php'</script>";
+                exit;
+            } else if (
+                !empty($acn) && 
+                (in_array(strtolower($acn), ['add', 'save', 'update']) && !in_array($access_level, ['W', 'E', 'R']))
+            ) {
+                echo "<script>location.href='error.php'</script>";
+                exit;
+            }
+        }
+
+        // Validate the request for special characters
+        validateRequest();
+    }
+} else {
+    // echo "<script>location.href='error.php'</script>";
+    // exit;
 }
-?>
+?>

add_employee_details.php

@@ -1493,7 +1493,8 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
 
                                         <?php
 
-                                        $docs_select_query = "select * from employee_docs where emp_id=$emp_id";
+                                        $docs_select_query = "select * from employee_docs where emp_id='$emp_id'";
+                                        error_log($docs_select_query  . " ERROR " . mysqli_error($conn));  
 
                                         $docs_result = @mysqli_query($conn, $docs_select_query);
 
@@ -1550,7 +1551,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
 
 
 
-                                                <?php } ?>
+                                                <?php }else { ?>
 
 
 
@@ -1601,6 +1602,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
 
 
                                                 <?php $count++;
+                                                } 
                                                 } ?>
 
 

database/changes.txt

@@ -2,3 +2,7 @@ ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`, ADD
 
 -- Dushant
 ALTER TABLE `calibration_item_tbl` ADD `status` VARCHAR(100) NOT NULL AFTER `bill_file_type`;
+
+
+-- Dushant 
+ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`;

includes/functions.php

@@ -3883,36 +3883,33 @@ function getTodayStockCount()
 	}
 }
 function validateRequest()
-
 {
-	$special_chars = "'^<5E>$%()}{~><>,|=_+<2B>-"; // all the special characters you want to check for
+    $special_chars = preg_quote("^$%()}{~><>,|=_+-", '/'); // Use preg_quote to escape special characters for regex
+    $return = array();
+    $return['msg'] = "Internal Server Error";
 
-	$return = array();
+    foreach ($_REQUEST as $formKey => $formKeyVal) {
+        if (
+            preg_match('/[' . $special_chars . ']/', $formKeyVal) || 
+            preg_match('/[' . $special_chars . ']/', $formKey)
+        ) {
+            // Debugging line to log what is triggering the error
+            // echo "<script>alert('Special character detected in: " . $formKey . " = " . $formKeyVal . "')</script>";
 
-	$return['msg'] = "Internal Server Error";
+            if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
+                header('Cache-Control: no-cache, must-revalidate');
+                header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
+                header('Content-type: application/json');
+                die(json_encode($return));
+            }
 
-	foreach ($_REQUEST as $formKey => $formKeyVal) {
+            echo "<script>location.href='error.php'</script>";
-
+            exit;
-		if (preg_match('/' . $special_chars . '/', $formKeyVal) || preg_match('/' . $special_chars . '/', $formKey)) {
+        }
-
+    }
-			// echo "<script>alert('Manoj'+'".$formKey."=".$formKeyVal."')</script>";
-
-			if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
-
-				header('Cache-Control: no-cache, must-revalidate');
-
-				header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
-
-				header('Content-type: application/json');
-
-				die(json_encode($return));
-			}
-
-			echo "<script>location.href='error.php'</script>";
-		}
-	}
 }
 
+
 /**
  *
  * Takes input as array suitable for multiselect form attributes

medical_examination_list.php

@@ -956,7 +956,9 @@
 include('form/checkup_type_modal.php');
 ?>
 <?php include('form/medical_full_view.php'); ?>
-<?php include_once('full_view_medical.php'); ?>
+<?php 
+// include_once('full_view_medical.php');
+ ?>
 <?php include_once('select_checkup_type_s.php'); ?>
 <?php include_once('form/form_o.php'); ?>
 <?php include_once('form/form_33.php'); ?>

shift_details.php

@@ -25,6 +25,7 @@ $ohc_type = $_SESSION['current_ohcttype']?>
 			<!-- End of breadcrumb -->
 <?php  
 
+
 $db_new_date="";
 $last_day="";
 $m=0;
@@ -48,7 +49,10 @@ $y = date('Y',strtotime("".$selectedShiftYear."-".($selectedShiftMonth+1)."-01")
 
 $shift_status_options = generateOption('shift_status','status_name','shift_status_id','','','');
 // generateOptionForMultipleWithWhereClause('shift_status','status_name','shift_status_id','','','is_shift','Y'); 
-                      
+    error_log("MONTh " . $m);
+	error_log("Year " . $y);
+	error_log("LAST DATE " . $last_day);   
+	$last_day = date_format(date_create($last_day), 'd');              
 ?>
 <script>
 var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
@@ -61,7 +65,7 @@ var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
 			<div class="page-content">
 				<div class="box box-primary"
 					style="padding: 10px; margin: 2px 0px 50px 5px; width: 99.5%;">
-					<form id="shift_form" method="post">
+					<form id="shift_form" action="shift_details.php" method="post">
 						<!-- box-body-->
 						<div class="box-body" id="reload_amb">
 
@@ -115,10 +119,12 @@ var jsonArrayShiftData = <?php  echo json_encode($shift_data); ?>;
 								</div>
 
 
-								<button class="btn btn-primary " type="button"
+								<!-- <button class="btn btn-primary " type="button"
-									id="submit_button" onclick="$('#shift_form').attr('action', '');$('#shift_form').submit()">
+									id="submit_button">
 									<i class="ace-icon fa fa-send"></i> Submit
-								</button>
+								</button> -->
+
+								<input type="submit" value="Submit" class="btn btn-primary" id="submit_button" />
 
 								<button class="btn btn-danger " type="button"
 									id="pdf_print" onclick="print_pdf('p')">

techsyn_header.php

@@ -43,6 +43,7 @@ $result_menu_exists = mysqli_query($conn,$sql_menu_exists);
 $countAccessibleMenuPages_exists=mysqli_num_rows($result_menu_exists);
 
 $sql_menu= "select menu_id from menu_master where  upper(menu_url)=upper('".$__currentPage."') and menu_id in(select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."')";
+error_log("sql_menu".$sql_menu);
 $result_menu = mysqli_query($conn,$sql_menu);
 $countAccessibleMenuPages=mysqli_num_rows($result_menu);
 
@@ -56,7 +57,7 @@ if($row_menu = mysqli_fetch_array($result_menu)){
     }
 }
 $_SESSION['menu_current_page'] = $__currentPage;
-include_once ('access.php');
+// include_once ('access.php');
 
 // echo "top_user:".$top_user.":Manoj";