OS4ED · Jan 16, 2020
diff --git a/‎Bottom.php
+8-2 b/‎Bottom.php
+8-2
diff --git a/‎CalendarModal.php
+4-3 b/‎CalendarModal.php
+4-3
diff --git a/‎Data.php
+8 b/‎Data.php
+8
diff --git a/‎HoldAddressFields.php
+97 b/‎HoldAddressFields.php
+97
diff --git a/‎ParentLookup.php
+92-64 b/‎ParentLookup.php
+92-64
diff --git a/‎api/SchoolInfo.php
+4-3 b/‎api/SchoolInfo.php
+4-3
@@ -26,6 +26,8 @@
 #
 #***************************************************************************************
 error_reporting(0);
+include("functions/ParamLibFnc.php");
+require_once("Data.php");
 include "./Warehouse.php";
 $url=validateQueryString(curPageURL());
 if($url===FALSE)
@@ -35,12 +37,16 @@
 
 if(clean_param($_REQUEST['modfunc'],PARAM_ALPHA)=='print')
 {
+     $connection = new mysqli($DatabaseServer, $DatabaseUsername, $DatabasePassword, $DatabaseName);
 	$_REQUEST = $_SESSION['_REQUEST_vars'];
 	$_REQUEST['_openSIS_PDF'] = true;
+        $_REQUEST['_openSIS_PDF'] = mysqli_real_escape_string($connection,optional_param('_openSIS_PDF', '', PARAM_RAW));
+        $_REQUEST['modname'] = mysqli_real_escape_string($connection,optional_param('modname', '', PARAM_RAW));
+        $_REQUEST['failed_login'] = mysqli_real_escape_string($connection,optional_param('failed_login', '', PARAM_RAW));
 	if(strpos($_REQUEST['modname'],'?')!==false)
-		$modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
+		$modname = substr(mysqli_real_escape_string($connection,optional_param('modname', '', PARAM_RAW)),0,strpos(mysqli_real_escape_string($connection,optional_param('modname', '', PARAM_RAW)),'?'));
 	else
-		$modname = $_REQUEST['modname'];
+		$modname = mysqli_real_escape_string($connection,optional_param('modname', '', PARAM_RAW));
 	ob_start();
 	include('modules/'.$modname);
 	if($htmldocPath)
 
@@ -1,5 +1,6 @@
 <?php
-
+include("functions/ParamLibFnc.php");
+require_once("Data.php");
 include('RedirectRootInc.php');
 include'ConfigInc.php';
 include 'Warehouse.php';
@@ -10,8 +11,8 @@
  */
 
 //----------------------- modal for event start---------------------//
-
-
+$connection = new mysqli($DatabaseServer, $DatabaseUsername, $DatabasePassword, $DatabaseName);
+$_REQUEST['event_id'] = mysqli_real_escape_string($connection,optional_param('event_id', '', PARAM_DATA));
 if (($_REQUEST['event_id'] || !isset($_REQUEST['event_id'])) && !isset($_REQUEST[assignment_id])) {
     if ($_REQUEST['event_id'] != 'new' && isset($_REQUEST['event_id'])) {
         $RET = DBGet(DBQuery("SELECT TITLE,DESCRIPTION,SCHOOL_DATE,CALENDAR_ID FROM calendar_events WHERE ID='$_REQUEST[event_id]'"));
 
@@ -0,0 +1,8 @@
+<?php 
+$DatabaseType = 'mysqli'; 
+$DatabaseServer = 'localhost'; 
+$DatabaseUsername = 'root'; 
+$DatabasePassword = 'Ge0rg1a30097%go'; 
+$DatabaseName = 'bobtest'; 
+$DatabasePort = '3306'; 
+?>
@@ -0,0 +1,97 @@
+<?php
+
+#**************************************************************************
+#  openSIS is a free student information system for public and non-public 
+#  schools from Open Solutions for Education, Inc. web: www.os4ed.com
+#
+#  openSIS is  web-based, open source, and comes packed with features that 
+#  include student demographic info, scheduling, grade book, attendance, 
+#  report cards, eligibility, transcripts, parent portal, 
+#  student portal and more.   
+#
+#  Visit the openSIS web site at http://www.opensis.com to learn more.
+#  If you have question regarding this system or the license, please send 
+#  an email to info@os4ed.com.
+#
+#  This program is released under the terms of the GNU General Public License as  
+#  published by the Free Software Foundation, version 2 of the License. 
+#  See license.txt.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#***************************************************************************************
+
+include('RedirectRootInc.php');
+include('Warehouse.php');
+
+ini_set('memory_limit', '1200000000M');
+ini_set('max_execution_time', '500000');
+
+
+if($_POST['ADDR_CONT_USRN'] != "" && $_POST['ADDR_CONT_PSWD'] != "")
+{
+	$qry_one	=	DBGet(DBQuery('SELECT * FROM login_authentication WHERE username = "'.$_POST['ADDR_CONT_USRN'].'" AND password = "'.$_POST['ADDR_CONT_PSWD'].'"'));
+
+	$counted	=	count($qry_one);
+
+	if($counted > 0)
+	{
+		$this_password	=	$qry_one[1]['PASSWORD'];
+	}
+	else
+	{
+		$this_password	=	md5($_POST['ADDR_CONT_PSWD']);
+	}
+}
+else
+{
+	$this_password		=	"";
+}
+
+
+$addressHoldSet		=	array(
+	"ADDR_PRIM_L1"		=>	$_POST['ADDR_PRIM_L1'],
+	"ADDR_PRIM_L2"		=>	$_POST['ADDR_PRIM_L2'],
+	"ADDR_PRIM_CITY"	=>	$_POST['ADDR_PRIM_CITY'],
+	"ADDR_PRIM_STATE"	=>	$_POST['ADDR_PRIM_STATE'],
+	"ADDR_PRIM_ZIP"		=>	$_POST['ADDR_PRIM_ZIP'],
+	"ADDR_PRIM_BUSNO"	=>	$_POST['ADDR_PRIM_BUSNO'],
+	"ADDR_PRIM_BPU"		=>	$_POST['ADDR_PRIM_BPU'],
+	"ADDR_PRIM_BDO"		=>	$_POST['ADDR_PRIM_BDO'],
+	"ADDR_SAME_HOME"	=>	$_POST['ADDR_SAME_HOME'],
+	"ADDR_SAME_AS"		=>	$_POST['ADDR_SAME_AS'],
+	"ADDR_MAIL_L1"		=>	$_POST['ADDR_MAIL_L1'],
+	"ADDR_MAIL_L2"		=>	$_POST['ADDR_MAIL_L2'],
+	"ADDR_MAIL_CITY"	=>	$_POST['ADDR_MAIL_CITY'],
+	"ADDR_MAIL_STATE"	=>	$_POST['ADDR_MAIL_STATE'],
+	"ADDR_MAIL_ZIP"		=>	$_POST['ADDR_MAIL_ZIP'],
+	"ADDR_CONT_RSHIP"	=>	$_POST['ADDR_CONT_RSHIP'],
+	"ADDR_CONT_FIRST"	=>	$_POST['ADDR_CONT_FIRST'],
+	"ADDR_CONT_LAST"	=>	$_POST['ADDR_CONT_LAST'],
+	"ADDR_CONT_HOME"	=>	$_POST['ADDR_CONT_HOME'],
+	"ADDR_CONT_WORK"	=>	$_POST['ADDR_CONT_WORK'],
+	"ADDR_CONT_CELL"	=>	$_POST['ADDR_CONT_CELL'],
+	"ADDR_CONT_MAIL"	=>	$_POST['ADDR_CONT_MAIL'],
+	"ADDR_CONT_PORTAL"	=>	$_POST['ADDR_CONT_PORTAL'],
+	"ADDR_CONT_USRN"	=>	$_POST['ADDR_CONT_USRN'],
+	"ADDR_CONT_PSWD"	=>	$this_password,
+	"ADDR_CONT_SAHA"	=>	$_POST['ADDR_CONT_SAHA'],
+	"ADDR_CONT_ADNA"	=>	$_POST['ADDR_CONT_ADNA'],
+	"ADDR_CONT_LIN1"	=>	$_POST['ADDR_CONT_LIN1'],
+	"ADDR_CONT_LIN2"	=>	$_POST['ADDR_CONT_LIN2'],
+	"ADDR_CONT_CITY"	=>	$_POST['ADDR_CONT_CITY'],
+	"ADDR_CONT_STAT"	=>	$_POST['ADDR_CONT_STAT'],
+	"ADDR_CONT_ZIP"		=>	$_POST['ADDR_CONT_ZIP'],
+);
+
+$_SESSION["HOLD_ADDR_DATA"]	=	$addressHoldSet;
+
+print_r($addressHoldSet);
+
+?>
@@ -20,73 +20,101 @@
 //echo $_REQUEST['USERINFO_FIRST_NAME'];
 //echo '<br>';
 //echo  $_REQUEST['USERINFO_LAST_NAME'];
-if ($_REQUEST['USERINFO_FIRST_NAME'] || $_REQUEST['USERINFO_LAST_NAME'] || $_REQUEST['USERINFO_EMAIL'] || $_REQUEST['USERINFO_MOBILE'] || $_REQUEST['USERINFO_SADD'] || $_REQUEST['USERINFO_CITY'] || $_REQUEST['USERINFO_STATE'] || $_REQUEST['USERINFO_ZIP']) {
-                        $stf_ids = '';
-                        $sql = 'SELECT distinct stf.STAFF_ID AS BUTTON , stf.STAFF_ID,CONCAT(stf.FIRST_NAME," ",stf.LAST_NAME) AS FULLNAME, CONCAT(s.FIRST_NAME," ",s.LAST_NAME) AS STUFULLNAME,stf.PROFILE,stf.EMAIL FROM people stf';
-                        $sql_where = 'WHERE stf.PROFILE_ID=4 AND s.STUDENT_ID!=' . UserStudentID() . ' ';
-                        if ($_REQUEST['USERINFO_FIRST_NAME'] || $_REQUEST['USERINFO_LAST_NAME'] || $_REQUEST['USERINFO_EMAIL'] || $_REQUEST['USERINFO_MOBILE']) {
-                            if ($_REQUEST['USERINFO_FIRST_NAME']!='')
-                                $sql_where.= 'AND LOWER(stf.FIRST_NAME) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_FIRST_NAME']))) . '%\' ';
-                            if ($_REQUEST['USERINFO_LAST_NAME']!='')
-                                $sql_where.= 'AND LOWER(stf.LAST_NAME) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_LAST_NAME']))) . '%\' ';
-                            if ($_REQUEST['USERINFO_EMAIL']!='')
-                                $sql_where.= 'AND LOWER(stf.EMAIL) = \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_EMAIL']))) . '\' ';
-                            if ($_REQUEST['USERINFO_MOBILE']!='')
-                                $sql_where.= 'AND stf.CELL_PHONE = \'' . str_replace("'", "''", trim($_REQUEST['USERINFO_MOBILE'])) . '\' ';
-                        }
-                        if ($_REQUEST['USERINFO_SADD'] || $_REQUEST['USERINFO_CITY'] || $_REQUEST['USERINFO_STATE'] || $_REQUEST['USERINFO_ZIP']) {
-                            $sql.=' LEFT OUTER JOIN student_address sa on sa.PEOPLE_ID=stf.STAFF_ID';
-                            $sql_where.='  AND sa.TYPE IN (\'Primary\',\'Secondary\',\'Other\') ';
-                            if ($_REQUEST['USERINFO_SADD']!='')
-                                $sql_where.= ' AND LOWER(STREET_ADDRESS_1) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_SADD']))) . '%\' ';
-                            if ($_REQUEST['USERINFO_CITY']!='')
-                                $sql_where.= ' AND LOWER(CITY) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_CITY']))) . '%\' ';
-                            if ($_REQUEST['USERINFO_STATE']!='')
-                                $sql_where.= ' AND LOWER(STATE) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_STATE']))) . '%\' ';
-                            if ($_REQUEST['USERINFO_ZIP']!='')
-                                $sql_where.= ' AND ZIPCODE = \'' . str_replace("'", "''", trim($_REQUEST['USERINFO_ZIP'])) . '\' ';
-                        }
-
-                        $sql.=' Left outer join students_join_people sju on stf.STAFF_ID=sju.PERSON_ID Left outer join students s on s.STUDENT_ID = sju.STUDENT_ID  ';
-                        $sql_where.= '  AND LOWER(stf.FIRST_NAME)<>\'\' AND LOWER(stf.LAST_NAME)<>\'\' AND sju.PERSON_ID NOT IN (SELECT PERSON_ID FROM students_join_people WHERE STUDENT_ID=' . UserStudentID() . ') GROUP BY sju.PERSON_ID';
-
-                        $searched_staffs = DBGet(DBQuery($sql . $sql_where), array('BUTTON' => 'makeChooseCheckbox'));
-                        foreach ($searched_staffs as $key => $value) {
-                            $stf_usrname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $value['STAFF_ID'] . ' AND PROFILE_ID=4'));
-                            $searched_staffs[$key]['USERNAME'] = $stf_usrname[1]['USERNAME'];
-                        }
-                    } else {
-
-                        $sql = 'SELECT stf.STAFF_ID AS BUTTON , stf.STAFF_ID,CONCAT(stf.FIRST_NAME," ",stf.LAST_NAME) AS FULLNAME, CONCAT(s.FIRST_NAME," ",s.LAST_NAME) AS STUFULLNAME,stf.PROFILE,stf.EMAIL FROM people stf left outer join students_join_people sju on stf.STAFF_ID=sju.PERSON_ID left outer join students s on s.STUDENT_ID = sju.STUDENT_ID  WHERE  s.STUDENT_ID!=' . UserStudentID() . '  AND stf.FIRST_NAME<>\'\' AND stf.LAST_NAME<>\'\' AND sju.PERSON_ID NOT IN (SELECT PERSON_ID FROM students_join_people WHERE STUDENT_ID=' . UserStudentID() . ') Group by stf.STAFF_ID';
-
-                        $searched_staffs = DBGet(DBQuery($sql), array('BUTTON' => 'makeChooseCheckbox'));
-                        foreach ($searched_staffs as $key => $value) {
-                            $stf_usrname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $value['STAFF_ID'] . ' AND PROFILE_ID=4'));
-                            $searched_staffs[$key]['USERNAME'] = $stf_usrname[1]['USERNAME'];
-                        }
-                    }
+if ($_REQUEST['USERINFO_FIRST_NAME'] || $_REQUEST['USERINFO_LAST_NAME'] || $_REQUEST['USERINFO_EMAIL'] || $_REQUEST['USERINFO_MOBILE'] || $_REQUEST['USERINFO_SADD'] || $_REQUEST['USERINFO_CITY'] || $_REQUEST['USERINFO_STATE'] || $_REQUEST['USERINFO_ZIP'])
+{
+    $stf_ids = '';
+    
+    $sql = 'SELECT distinct stf.STAFF_ID AS BUTTON , stf.STAFF_ID,CONCAT(stf.FIRST_NAME," ",stf.LAST_NAME) AS FULLNAME, CONCAT(s.FIRST_NAME," ",s.LAST_NAME) AS STUFULLNAME,stf.PROFILE,stf.EMAIL FROM people stf';
+    $sql_where = 'WHERE stf.PROFILE_ID=4 AND s.STUDENT_ID!=' . UserStudentID() . ' ';
+    
+    if ($_REQUEST['USERINFO_FIRST_NAME'] || $_REQUEST['USERINFO_LAST_NAME'] || $_REQUEST['USERINFO_EMAIL'] || $_REQUEST['USERINFO_MOBILE'])
+    {
+        if ($_REQUEST['USERINFO_FIRST_NAME']!='')
+            $sql_where.= 'AND LOWER(stf.FIRST_NAME) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_FIRST_NAME']))) . '%\' ';
+        if ($_REQUEST['USERINFO_LAST_NAME']!='')
+            $sql_where.= 'AND LOWER(stf.LAST_NAME) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_LAST_NAME']))) . '%\' ';
+        if ($_REQUEST['USERINFO_EMAIL']!='')
+            $sql_where.= 'AND LOWER(stf.EMAIL) = \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_EMAIL']))) . '\' ';
+        if ($_REQUEST['USERINFO_MOBILE']!='')
+            $sql_where.= 'AND stf.CELL_PHONE = \'' . str_replace("'", "''", trim($_REQUEST['USERINFO_MOBILE'])) . '\' ';
+    }
+
+
+    if ($_REQUEST['USERINFO_SADD'] || $_REQUEST['USERINFO_CITY'] || $_REQUEST['USERINFO_STATE'] || $_REQUEST['USERINFO_ZIP'])
+    {
+        $sql.=' LEFT OUTER JOIN student_address sa on sa.PEOPLE_ID=stf.STAFF_ID';
+        $sql_where.='  AND sa.TYPE IN (\'Primary\',\'Secondary\',\'Other\') ';
+        if ($_REQUEST['USERINFO_SADD']!='')
+            $sql_where.= ' AND LOWER(STREET_ADDRESS_1) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_SADD']))) . '%\' ';
+        if ($_REQUEST['USERINFO_CITY']!='')
+            $sql_where.= ' AND LOWER(CITY) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_CITY']))) . '%\' ';
+        if ($_REQUEST['USERINFO_STATE']!='')
+            $sql_where.= ' AND LOWER(STATE) LIKE \'' . str_replace("'", "''", strtolower(trim($_REQUEST['USERINFO_STATE']))) . '%\' ';
+        if ($_REQUEST['USERINFO_ZIP']!='')
+            $sql_where.= ' AND ZIPCODE = \'' . str_replace("'", "''", trim($_REQUEST['USERINFO_ZIP'])) . '\' ';
+    }
+
+    $sql.=' Left outer join students_join_people sju on stf.STAFF_ID=sju.PERSON_ID Left outer join students s on s.STUDENT_ID = sju.STUDENT_ID  ';
+    $sql_where.= '  AND LOWER(stf.FIRST_NAME)<>\'\' AND LOWER(stf.LAST_NAME)<>\'\' AND sju.PERSON_ID NOT IN (SELECT PERSON_ID FROM students_join_people WHERE STUDENT_ID=' . UserStudentID() . ') GROUP BY sju.PERSON_ID';
+
+    $searched_staffs = DBGet(DBQuery($sql . $sql_where), array('BUTTON' => 'makeChooseCheckbox'));
+    
+    foreach ($searched_staffs as $key => $value)
+    {
+        $stf_usrname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $value['STAFF_ID'] . ' AND PROFILE_ID=4'));
+        $searched_staffs[$key]['USERNAME'] = $stf_usrname[1]['USERNAME'];
+    }
+}
+else
+{
+    $sql = 'SELECT stf.STAFF_ID AS BUTTON , stf.STAFF_ID,CONCAT(stf.FIRST_NAME," ",stf.LAST_NAME) AS FULLNAME, CONCAT(s.FIRST_NAME," ",s.LAST_NAME) AS STUFULLNAME,stf.PROFILE,stf.EMAIL FROM people stf left outer join students_join_people sju on stf.STAFF_ID=sju.PERSON_ID left outer join students s on s.STUDENT_ID = sju.STUDENT_ID  WHERE  s.STUDENT_ID!=' . UserStudentID() . '  AND stf.FIRST_NAME<>\'\' AND stf.LAST_NAME<>\'\' AND sju.PERSON_ID NOT IN (SELECT PERSON_ID FROM students_join_people WHERE STUDENT_ID=' . UserStudentID() . ') Group by stf.STAFF_ID';
+
+    $searched_staffs = DBGet(DBQuery($sql), array('BUTTON' => 'makeChooseCheckbox'));
+
+    foreach ($searched_staffs as $key => $value)
+    {
+        $stf_usrname = DBGet(DBQuery('SELECT USERNAME FROM login_authentication WHERE USER_ID=' . $value['STAFF_ID'] . ' AND PROFILE_ID=4'));
+        
+        $searched_staffs[$key]['USERNAME'] = $stf_usrname[1]['USERNAME'];
+    }
+}
 
-                $singular = 'User';
-                $plural = 'Users';
-                $options['save'] = false;
-                $options['print'] = false;
-                $options['search'] = false;
-
-                $columns = array('BUTTON' => 'Select any one', 'FULLNAME' => 'Name', 'USERNAME' => 'Username', 'EMAIL' => 'Email', 'STUFULLNAME' => 'Associated Student\'s Name');
-                if ($_REQUEST['add_id'] == 'new')
-                    echo '<FORM name=sel_staff id=sel_staff action="ForWindow.php?modname=' . $_REQUEST[modname] . '&modfunc=lookup&type=' . $_REQUEST['type'] . '&func=search&nfunc=status&ajax=' . $_REQUEST['ajax'] . '&add_id=new&address_id=' . $_REQUEST['address_id'] . '" METHOD=POST>';
-                else
-                    echo '<FORM name=sel_staff id=sel_staff action="ForWindow.php?modname=' . $_REQUEST[modname] . '&modfunc=lookup&type=' . $_REQUEST['type'] . '&func=search&nfunc=status&ajax=' . $_REQUEST['ajax'] . '&add_id=' . $_REQUEST['add_id'] . '&address_id=' . $_REQUEST['address_id'] . '" METHOD=POST>';
-                echo '<span id="sel_err" class="text-danger"></span>';
-//               print_r($searched_staffs);
-                ListOutput($searched_staffs, $columns, $singular, $plural, false, $group = false, $options, 'ForWindow');
-                 unset($_REQUEST['func']);
-                if(!empty($searched_staffs))
-                echo '<div id="select-people-div"><input type="button" value="Select" name="button" onclick="SelectedParent(\''.$_REQUEST['address_id'].'\',\''.$_REQUEST['p_type'].'\',\''.$_REQUEST['other_p_erson_id'].'\')"></div>';
+$singular = 'User';
+$plural = 'Users';
+$options['save'] = false;
+$options['print'] = false;
+$options['search'] = false;
+
+$columns = array('BUTTON' => 'Select any one', 'FULLNAME' => 'Name', 'USERNAME' => 'Username', 'EMAIL' => 'Email', 'STUFULLNAME' => 'Associated Student\'s Name');
+
+// echo "<pre>";
+// print_r($searched_staffs);
+// echo die();
+
+
+if ($_REQUEST['add_id'] == 'new')
+    echo '<FORM name=sel_staff id=sel_staff action="ForWindow.php?modname=' . $_REQUEST[modname] . '&modfunc=lookup&type=' . $_REQUEST['type'] . '&func=search&nfunc=status&ajax=' . $_REQUEST['ajax'] . '&add_id=new&address_id=' . $_REQUEST['address_id'] . '" METHOD=POST>';
+else
+    echo '<FORM name=sel_staff id=sel_staff action="ForWindow.php?modname=' . $_REQUEST[modname] . '&modfunc=lookup&type=' . $_REQUEST['type'] . '&func=search&nfunc=status&ajax=' . $_REQUEST['ajax'] . '&add_id=' . $_REQUEST['add_id'] . '&address_id=' . $_REQUEST['address_id'] . '" METHOD=POST>';
 
-                function makeChooseCheckbox($value, $title) {
+echo '<span id="sel_err" class="text-danger"></span>';
+
+ListOutput($searched_staffs, $columns, $singular, $plural, false, $group = false, $options, 'ForWindow');
+unset($_REQUEST['func']);
+
+// echo "<pre>";
+// print_r($searched_staffs);
+// echo die();
+
+if(!empty($searched_staffs))
+echo '<div id="select-people-div"><br><input type="button" class="btn btn-primary" value="Select" name="button" onclick="SelectedParent(\''.$_REQUEST['address_id'].'\',\''.$_REQUEST['p_type'].'\',\''.$_REQUEST['other_p_erson_id'].'\')"></div>';
+
+function makeChooseCheckbox($value, $title)
+{
     global $THIS_RET;
-    if ($THIS_RET['BUTTON']) {
+
+    if ($THIS_RET['BUTTON'])
+    {
         return "<INPUT type=radio name=staff value=" . $THIS_RET['BUTTON'] . ">";
     }
 }
@@ -362,11 +362,12 @@ function _makeLetterGrade($percent,$course_period_id=0,$staff_id=0,$ret='')
 	}
 }
 
+$connection = new mysqli($DatabaseServer, $DatabaseUsername, $DatabasePassword, $DatabaseName);
 
+$format = mysqli_real_escape_string($connection,strtolower(optional_param('format', '', PARAM_RAW)));
+$api_key= mysqli_real_escape_string($connection,optional_param('api_key', '', PARAM_RAW));
+$api_secret= mysqli_real_escape_string($connection, optional_param('api_secret', '', PARAM_RAW));
 
-$format = strtolower($_REQUEST['format']);
-$api_key= $_REQUEST['api_key'];
-$api_secret= $_REQUEST['api_secret'];
 $validate= DBGet(DBQuery('SELECT * FROM api_info WHERE API_KEY=\''.$api_key.'\' AND API_SECRET=\''.$api_secret.'\''));
 if(count($validate) > 0)
 {
Original file line number	Diff line number	Diff line change
`@@ -362,11 +362,12 @@ function _makeLetterGrade($percent,$course_period_id=0,$staff_id=0,$ret='')`
`362`	`362`	`}`
`363`	`363`	`}`
`364`	`364`
	`365`	`+$connection = new mysqli($DatabaseServer, $DatabaseUsername, $DatabasePassword, $DatabaseName);`
`365`	`366`
	`367`	`+$format = mysqli_real_escape_string($connection,strtolower(optional_param('format', '', PARAM_RAW)));`
	`368`	`+$api_key= mysqli_real_escape_string($connection,optional_param('api_key', '', PARAM_RAW));`
	`369`	`+$api_secret= mysqli_real_escape_string($connection, optional_param('api_secret', '', PARAM_RAW));`
`366`	`370`
`367`		`-$format = strtolower($_REQUEST['format']);`
`368`		`-$api_key= $_REQUEST['api_key'];`
`369`		`-$api_secret= $_REQUEST['api_secret'];`
`370`	`371`	`$validate= DBGet(DBQuery('SELECT * FROM api_info WHERE API_KEY=\''.$api_key.'\' AND API_SECRET=\''.$api_secret.'\''));`
`371`	`372`	`if(count($validate) > 0)`
`372`	`373`	`{`