<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
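/**
 * Base controller for every authenticated page of the application.
 *
 * The constructor enforces a logged-in session and a module grant, then pushes
 * the menu/company/user data used by the layout into the view variables.
 * Subclasses pass their module (permission) id and optional sub-module id.
 *
 * Dynamic properties are allowed because subclasses and CI helpers attach
 * values such as $this->logged_role at runtime (see upload_files()).
 */
#[\AllowDynamicProperties]
class Secure_Controller extends CI_Controller{
	
	/**
	 * Enforce authentication and module authorisation, then expose layout data.
	 *
	 * @param int|string|null $module_id    Permission id of the calling controller; also used as controller_name in views.
	 * @param int|string|null $submodule_id Sub-module id, only used to build the no_access URL.
	 */
	public function __construct($module_id = NULL, $submodule_id = NULL){
		parent::__construct();

		if(!$this->is_logged_in()){
			redirect('login');
		}
		
		$logged_user = $this->get_logged_user_info();
		// get_info() returns "" when the user row cannot be found; guard the property
		// read so $logged_id becomes NULL instead of raising a warning on a string.
		if((int)$this->session->userdata('logged_role') === 12){
			$logged_id = is_object($logged_user) ? $logged_user->prime_cumstomer_id : NULL;
		}else{
			$logged_id = is_object($logged_user) ? $logged_user->prime_employees_id : NULL;
		}
		
		if(!$this->has_module_grant($module_id, $logged_id)){
			redirect('no_access/' . $module_id . '/' . $submodule_id);
		}
		
		$data['allowed_modules']   = $this->Module->get_allowed_modules($logged_id);
		$data['header_menu']       = $this->Module->get_header_menu($logged_id);
		$data['report_menu']       = $this->Module->get_report_menu($logged_user);
		$data['template_menu']     = $this->Module->get_template_menu($logged_user);
		$data['notification_menu'] = $this->Module->get_notification_count();
		$data['company_info']      = $this->Module->get_company_info();
		$data['user_info']         = $logged_user;
		$data['controller_name']   = $module_id;
		$this->load->vars($data);
	}
	
	/**
	 * Whether the session carries a truthy logged_id.
	 *
	 * @return bool
	 */
	public function is_logged_in(){
		return (bool)$this->session->userdata('logged_id');
	}

	/**
	 * Row object for the logged-in user, or FALSE when there is no session.
	 *
	 * @return object|string|false  FALSE without a session; otherwise whatever get_info() returns.
	 */
	public function get_logged_user_info(){
		if($this->is_logged_in()){
			return $this->get_info($this->session->userdata('logged_id'));
		}
		return FALSE;
	}
	
	/**
	 * Load the customer (role 12) or employee row for $logged_id, joined with its category.
	 *
	 * @param int|string $logged_id  Primary key of the customer or employee, depending on logged_role.
	 * @return object|string  The single matching row, or "" when the query does not return exactly one row.
	 */
	public function get_info($logged_id){
		if((int)$this->session->userdata('logged_role') === 12){
			$this->db->from('cumstomer');
			$this->db->join('cumstomer_cf', 'cumstomer_cf.prime_cumstomer_id = cumstomer.prime_cumstomer_id');
			// Customers are always joined to the fixed category 12.
			$this->db->join('category', 'category.prime_category_id = 12');
			$this->db->where('cumstomer.prime_cumstomer_id', $logged_id);
			$query = $this->db->get();
		}else{
			$this->db->from('employees');
			$this->db->where('employees.prime_employees_id', $logged_id);
			$this->db->join('category', 'category.prime_category_id = employees.role');
			$query = $this->db->get();
		}
		if((int)$query->num_rows() === 1){
			return $query->row();
		}
		// Kept as "" (not NULL/FALSE) because existing callers rely on this sentinel.
		return "";
	}
	
	/**
	 * Check whether the logged-in user holds a grant for $permission_id.
	 *
	 * Customers (role 12) are looked up in grants_customer, everyone else in grants.
	 * The match is a prefix LIKE ('after'), so a grant whose permission_id merely
	 * starts with $permission_id also satisfies the check. NOTE(review): confirm this
	 * is intended (id 1 would be satisfied by a grant on 10 or 11) and confirm how a
	 * NULL $permission_id — the constructor default — is meant to behave here.
	 *
	 * @param int|string|null $permission_id
	 * @param int|string|null $logged_id
	 * @return bool
	 */
	public function has_module_grant($permission_id, $logged_id){
		if((int)$this->session->userdata('logged_role') === 12){
			$this->db->from('grants_customer');
			$this->db->like('permission_id', $permission_id, 'after');
			$this->db->where('prime_customer_id', $logged_id);
			$query = $this->db->get();
		}else{
			$this->db->from('grants');
			$this->db->like('permission_id', $permission_id, 'after');
			$this->db->where('prime_employees_id', $logged_id);
			$query = $this->db->get();
		}
		return (int)$query->num_rows() > 0;
	}
	
	/**
	 * Run CI's XSS filter on $str unless the cw_xss_clean config item is off/unset.
	 *
	 * @param mixed $str
	 * @param bool  $is_image
	 * @return mixed
	 */
	protected function xss_clean($str, $is_image = FALSE){
		if(!$this->config->item('cw_xss_clean')){
			return $str;
		}
		return $this->security->xss_clean($str, $is_image);
	}
	
	// public function index() { return FALSE; }
	// public function search() { return FALSE; }
	// public function suggest_search() { return FALSE; }
	// public function view($data_item_id = -1) { return FALSE; }
	// public function save($data_item_id = -1) { return FALSE; }
	// public function delete() { return FALSE; }
	
	/**
	 * Record a form-setting CREATE/ALTER statement in cw_all_setting_queries.
	 *
	 * $table_qry is arbitrary SQL text that must be stored verbatim, so it is passed
	 * as a query binding rather than concatenated into the INSERT.
	 *
	 * @param string $table_qry
	 */
	public function setting_cr_alt_queries_insert($table_qry){
		$created_on  = date("Y-m-d H:i:s");
		$logged_user = $this->get_logged_user_info();
		$logged_id   = is_object($logged_user) ? $logged_user->prime_employees_id : '';
		$this->db->query(
			'insert into cw_all_setting_queries (all_setting_query,trans_created_by,trans_created_date) values (?, ?, ?)',
			array($table_qry, $logged_id, $created_on)
		);
	}

	/**
	 * Record a form-setting INSERT/UPDATE statement through the sp_setting_queries_insert procedure.
	 *
	 * @param string $table_qry  SQL text to store; bound, not interpolated.
	 */
	public function setting_qry_ins_upd_function($table_qry){
		$logged_user = $this->get_logged_user_info();
		$logged_id   = is_object($logged_user) ? $logged_user->prime_employees_id : '';
		$this->db->query("CALL sp_setting_queries_insert (?, ?)", array($table_qry, $logged_id));
	}

	/**
	 * AJAX: team lead and project manager for the POSTed team id, as JSON.
	 *
	 * The SELECT is executed by the sp_a_run stored procedure, so the team id is
	 * escaped into the statement with db->escape() (quotes included) and the whole
	 * statement is bound into the CALL instead of being interpolated.
	 */
	public function tl_pm_fetch(){
		$team = (string)$this->input->post("team");
		//TEAM TABLE SELECT QUERY
		$tl_pm_qry = 'select cw_team.team,cw_team.tl_report,tl.emp_name tl_name,cw_team.manager_report,pm.emp_name pm_name'
			. ' from cw_team'
			. ' inner join cw_employees tl on cw_team.tl_report = tl.employee_code and tl.termination_status = 0'
			. ' inner join cw_employees pm on cw_team.manager_report = pm.employee_code and pm.termination_status = 0'
			. ' where cw_team.prime_team_id = ' . $this->db->escape($team)
			. ' and tl.trans_status = 1 and pm.trans_status = 1 and cw_team.trans_status = 1';
		$tl_pm_info = $this->db->query("CALL sp_a_run ('SELECT', ?)", array($tl_pm_qry));
		$tl_pm_rslt = $tl_pm_info->result_array();
		// Stored procedures return an extra result set that must be consumed.
		$tl_pm_info->next_result();
		echo json_encode(array('success' => true,'message' => 'Proceed.!','tl_pm_arr' => $tl_pm_rslt));
	}

	/**
	 * Derive the per-session key shared with the JavaScript encryptor.
	 *
	 * sha512 over "<session regenerate stamp>||<employee code>||<encKey config>", so the
	 * key changes whenever the session id is regenerated.
	 *
	 * @return string  128 hex characters.
	 */
	public function generateKey(){
		$sess_id       = $this->session->userdata('__ci_last_regenerate');
		$employee_code = $this->session->userdata('logged_emp_code');
		$encKey        = $this->config->item("encKey");
		$combineKey    = $sess_id."||".$employee_code."||".$encKey;
		return hash('sha512', $combineKey);
	}

	/**
	 * Decrypt a payload produced by the JavaScript side and return it JSON-decoded.
	 *
	 * Expected layout: 32 hex chars salt | 32 hex chars IV | base64 AES-256-CBC ciphertext.
	 * Key = PBKDF2-SHA1(sha512(generateKey()), salt, 1000 rounds, 32 bytes) — these
	 * parameters must stay in step with the JavaScript encryptor.
	 * NOTE(review): CBC carries no integrity tag; a tampered payload is only noticed if
	 * padding fails or the JSON does not parse.
	 *
	 * @param mixed $encString
	 * @return mixed  Decoded JSON (assoc array) or FALSE on any failure.
	 */
	public function cryptoDecrypt($encString){
		try{
			// Reject malformed input up front instead of letting hex2bin() emit warnings.
			if(!is_string($encString) || strlen($encString) < 64 || !ctype_xdigit(substr($encString, 0, 64))){
				throw new Exception('Error0001..');
			}
			$key        = $this->generateKey();
			$password   = hash('sha512', $key);
			$keySize    = 256;  // bits
			$iterations = 1000; // PBKDF2 rounds
			$decSalt    = substr($encString, 0, 32);
			$decIvhex   = substr($encString, 32, 32);
			$encrypted  = substr($encString, 64);
			$decKey     = hash_pbkdf2('sha1', $password, hex2bin($decSalt), $iterations, $keySize / 8, true);
			$decrypted  = openssl_decrypt(
				base64_decode($encrypted),  // Encrypted data (decode from Base64)
				'AES-256-CBC',              // Cipher method (256-bit key)
				$decKey,                    // Decryption key
				OPENSSL_RAW_DATA,           // Raw output, no base64
				hex2bin($decIvhex)          // Initialization vector
			);
			// Compare explicitly: a legitimate plaintext such as "0" is falsy.
			if($decrypted === false || $decrypted === ''){
				throw new Exception('Error0001..');
			}
			return json_decode($decrypted, TRUE);
		}catch(Exception $e){
			error_log("Decryption Error: " . $e->getMessage()); // Log the error for debugging
			return false;
		}
	}

	/**
	 * AJAX: receive a base64-encoded file and store it under upload_files/<send_from>/.
	 *
	 * POST fields: send_for (import|upload), send_from (module name / id), fileName,
	 * file_data (base64), label_id (form field label used to look up the form setting).
	 * Emits a JSON response; the "Invalid Request" / MIME failures exit() immediately,
	 * as the original flow did.
	 *
	 * The file is type-checked from its bytes (finfo), size-checked from the decoded
	 * payload rather than a client-supplied size, and both send_from and fileName are
	 * restricted to single path components so the write stays inside upload_files/.
	 */
	public function upload_files(){
		$send_for  = (string)$this->input->post('send_for');  //import or upload
		$send_from = (string)$this->input->post('send_from'); //module name
		$file_name = (string)$this->input->post('fileName');
		$file_data = base64_decode((string)$this->input->post('file_data'));
		if($file_data === false){
			$file_data = '';
		}
		$finfo     = new finfo(FILEINFO_MIME_TYPE);
		$file_type = $finfo->buffer($file_data); // MIME type sniffed from the bytes, not from the client
		if($send_from === 'offer_upload'){
			$send_from = 'offer_letter';
		}
		// send_from becomes a directory name; anything with separators or ".." is refused.
		if($send_for === "" || !$this->_is_safe_path_segment($send_from)){
			echo json_encode(array('success' => false, 'msg' =>"Please refresh page and retry"));
			return;
		}
		$upload_dir = "upload_files/$send_from";
		if(!file_exists($upload_dir)){
			mkdir($upload_dir, 0755, true);
			chmod($upload_dir, 0755);
		}
		// Ensure the directory is writable
		if(!is_writable($upload_dir)){
			echo json_encode(array('success' => false, 'msg' => "Error: Upload directory is not writable."));
			exit(0);
		}
		$label_id  = (string)$this->input->post('label_id');
		// Size in kB, measured from the decoded payload.
		$file_size = strlen($file_data) / 1000;
		//MIME Types. NOTE(review): 'html' permits HTML uploads into a directory that may be
		// served directly — only enable it through form settings where that is acceptable.
		$mime_types = [
			'jpg'  => 'image/jpeg',
			'jpeg' => 'image/jpeg',
			'png'  => 'image/png',
			'gif'  => 'image/gif',
			'html' => 'text/html',
			'pdf'  => 'application/pdf',
			'doc'  => 'application/msword',
			'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
			'xls'  => 'application/vnd.ms-excel',
			'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
			'mp3'  => 'audio/mpeg',
			'mp4'  => 'video/mp4',
			'zip'  => 'application/zip',
			'txt'  => 'text/plain',
		];
		if($send_from !== 'module_setting'){
			// Allowed extensions and size limit come from the form settings. The SELECT is run
			// by the sp_a_run procedure, so every user-controlled value is escaped into it and
			// the statement itself is bound into the CALL.
			$logged_role = (string)($this->logged_role ?? ''); // dynamic property; presumably set by the subclass — confirm
			$from_query = 'select upload_extension,upload_file_size from cw_form_setting  where prime_module_id = ' . $this->db->escape($send_from)
				. ' and field_show = "1" and field_type = 10 and label_name = ' . $this->db->escape($label_id)
				. ' and trans_status = "1" and FIND_IN_SET(' . $this->db->escape($logged_role) . ',field_for) ORDER BY input_for,field_sort asc';
			$form_data   = $this->db->query("CALL sp_a_run ('SELECT', ?)", array($from_query));
			$form_result = $form_data->result();
			$form_data->next_result();
			if(count($form_result ?? []) === 0){
				echo json_encode(array('success' => false, 'msg' =>"Invalid Request.."));
				exit(0);
			}
			$upload_filesize  = $form_result[0]->upload_file_size;
			$upload_extension = $form_result[0]->upload_extension;
		}else{
			// FOR MODULE SETTING STATIC PURPOSE
			$upload_filesize  = '500';
			$upload_extension = "image/png,pdf,jpeg,jpg,png";
		}
		$allowed_ext   = explode(",", $upload_extension);
		// Keep only the MIME types whose extension key appears in the allowed list.
		$allowed_mimes = array_intersect_key($mime_types, array_flip($allowed_ext));
		if(!in_array($file_type, $allowed_mimes, true)){
			echo json_encode(array('success' => false, 'msg' =>"Please upload valid Mime type file such as $upload_extension"));
			exit(0);
		}
		// basename() drops any directory part the client may have sent with the name.
		$file_name = basename(str_replace(" ", "_", $file_name));
		if((int)$upload_filesize === 0){
			$upload_filesize = 500;
		}
		if((int)$file_size > (int)$upload_filesize){
			echo json_encode(array('success' => false, 'msg' =>"File Size Must be below ".$upload_filesize."kb"));
			return;
		}
		if(!$file_name || !$this->_is_safe_path_segment($file_name)){
			echo json_encode(array('success' => false, 'msg' =>"Please upload valid file"));
			return;
		}
		$ext = pathinfo($file_name, PATHINFO_EXTENSION);
		if(!in_array($ext, $allowed_ext, true)){
			echo json_encode(array('success' => false, 'msg' =>"Please upload valid file such as $upload_extension"));
			return;
		}
		// CSPRNG prefix so stored names are not guessable from rand()'s sequence.
		$random_digit  = random_int(0, 99999999999);
		$new_file_name = "upload_files/$send_from/".$random_digit."_".$file_name;
		$path          = $this->sanitize_input($new_file_name, 10);
		if(file_put_contents($path, $file_data) === false){
			echo json_encode(array('success' => false, 'msg' =>"Error: Could not write file to server"));
			return;
		}
		echo json_encode(array('success' => true, 'msg' =>"File moved to server","path"=>$path));
	}

	/**
	 * True when $segment can be used as a single path component under upload_files/.
	 *
	 * Rejects empty names, "." and "..", embedded NUL bytes and anything containing a
	 * directory separator, so user-supplied names cannot escape the upload directory.
	 *
	 * @param string $segment
	 * @return bool
	 */
	private function _is_safe_path_segment($segment){
		if($segment === '' || $segment === '.' || $segment === '..'){
			return false;
		}
		if(str_contains($segment, "\0") || str_contains($segment, '/') || str_contains($segment, '\\')){
			return false;
		}
		return true;
	}

	/**
	 * Sanitize a form value according to its field type code.
	 *
	 * Uses a loose switch on purpose: field types usually arrive as strings from the
	 * database ("1", "10"), which must still match the integer cases. Type 10 is handled
	 * by the URL branch (FILTER_SANITIZE_URL only strips characters, it does not validate).
	 *
	 * @param mixed      $input
	 * @param int|string $field_type  Field type code, or the literal 'array'.
	 * @return mixed  Sanitized value; NULL for an invalid email or a non-array 'array' input.
	 */
	public function sanitize_input($input, $field_type){
		switch ($field_type){
			case 3 ://INT
			case 11://Mobile Number
				// Sanitize integer values
				return filter_var($input, FILTER_SANITIZE_NUMBER_INT);
			case 2://Decimal
				// Sanitize float values
				return filter_var($input, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND);
			case 12://email
				// Sanitize and validate email
				$sanitized_email = filter_var($input, FILTER_SANITIZE_EMAIL);
				return filter_var($sanitized_email, FILTER_VALIDATE_EMAIL) ? $sanitized_email : null;
			case 10://url and FILE UPLOAD paths
				// Strips characters not allowed in a URL; does not validate the result.
				return filter_var($input, FILTER_SANITIZE_URL);
	
			case 'array'://array of strings
				// Sanitize each top-level element (nested arrays are not descended into)
				if(is_array($input)){
					return array_map(function($item) {
						$sanitized_string = filter_var($item, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
						return htmlspecialchars($sanitized_string, ENT_QUOTES, 'UTF-8');
					}, $input);
				}
				return null;
	
			case 1://TEXT
			case 4://DATE
			case 5://PICKLIST
			case 6://CHECKBOX
			case 7://MULTIPICK
			case 8://SUMMARY
			case 9://AUTOCOMPLETE
			case 13://DATE & TIME
			case 15://TIME
			default:
				// Sanitize general strings (encodes special characters)
				$sanitized_string = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);
				return htmlspecialchars($sanitized_string, ENT_QUOTES, 'UTF-8');
		}
	}
}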
?>