
next fixes in group operations

root 3 meses atrás
pai
commit
cd9a38bea5

+ 24 - 27
html/utils/auth_apply.php

@@ -32,10 +32,11 @@ if (getPOST("ApplyForAll", $page_url)) {
     $all_ok = true;
 
     foreach ($auth_id as $val) {
-        if (!$val = (int)$val) continue;
+        $id = (int)$val;
+        if ($id <= 0) continue;
 
         // Получаем текущую авторизацию и пользователя
-        $cur_auth = get_record_sql($db_link, "SELECT * FROM user_auth WHERE id = ?", [$val]);
+        $cur_auth = get_record_sql($db_link, "SELECT * FROM user_auth WHERE id = ?", [$id]);
         if (!$cur_auth) continue;
 
         $user_info = get_record_sql($db_link, "SELECT * FROM user_list WHERE id = ?", [(int)$cur_auth["user_id"]]);
@@ -77,7 +78,7 @@ if (getPOST("ApplyForAll", $page_url)) {
 
         // Обновляем запись в user_auth
         if (!empty($auth_updates)) {
-            $ret = update_record($db_link, "user_auth", "id = ?", $auth_updates, [$val]);
+            $ret = update_record($db_link, "user_auth", "id = ?", $auth_updates, [$id]);
             if (!$ret) $all_ok = false;
         }
 
@@ -100,59 +101,55 @@ if (getPOST("ApplyForAll", $page_url)) {
 
         // Правило привязки MAC
         if (getPOST("e_bind_mac", $page_url) !== null) {
-            $first_auth = get_record_sql($db_link, "SELECT user_id, mac FROM user_auth WHERE id = ?", [$val]);
-            
-            if ($first_auth && !empty($first_auth['mac'])) {
+            if ($cur_auth && !empty($cur_auth['mac'])) {
                 if ($a_bind_mac) {
-                    $user_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE user_id = ? AND rule_type = 2", [(int)$first_auth['user_id']]);
-                    $mac_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE rule = ? AND rule_type = 2", [$first_auth['mac']]);
+                    $user_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE user_id = ? AND rule_type = 2", [(int)$cur_auth['user_id']]);
+                    $mac_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE rule = ? AND rule_type = 2", [$cur_auth['mac']]);
                     
                     if (!$user_rule && !$mac_rule) {
                         $new_rule = [
-                            'user_id' => (int)$first_auth['user_id'],
+                            'user_id' => (int)$cur_auth['user_id'],
                             'rule_type' => 2,
-                            'rule' => $first_auth['mac']
+                            'rule' => $cur_auth['mac']
                         ];
                         insert_record($db_link, "auth_rules", $new_rule);
-                        LOG_INFO($db_link, "Created auto rule for user_id: " . $first_auth['user_id'] . " and mac " . $first_auth['mac']);
+                        LOG_INFO($db_link, "Created auto rule for user_id: " . $cur_auth['user_id'] . " and mac " . $cur_auth['mac']);
                     } else {
-                        LOG_INFO($db_link, "Auto rule for user_id: " . $first_auth['user_id'] . " and mac " . $first_auth['mac'] . " already exists");
+                        LOG_INFO($db_link, "Auto rule for user_id: " . $cur_auth['user_id'] . " and mac " . $cur_auth['mac'] . " already exists");
                     }
                 } else {
-                    run_sql($db_link, "DELETE FROM auth_rules WHERE user_id = ? AND rule_type = 2", [(int)$first_auth['user_id']]);
-                    LOG_INFO($db_link, "Remove auto rule for user_id: " . $first_auth['user_id'] . " and mac " . $first_auth['mac']);
+                    run_sql($db_link, "DELETE FROM auth_rules WHERE user_id = ? AND rule_type = 2", [(int)$cur_auth['user_id']]);
+                    LOG_INFO($db_link, "Remove auto rule for user_id: " . $cur_auth['user_id'] . " and mac " . $cur_auth['mac']);
                 }
             } else {
-                LOG_ERROR($db_link, "Auto rule for user_id: " . ($first_auth['user_id'] ?? 'N/A') . " not created. Record not found or empty mac.");
+                LOG_ERROR($db_link, "Auto rule for user_id: " . ($cur_auth['user_id'] ?? 'N/A') . " not created. Record not found or empty mac.");
             }
         }
 
         // Правило привязки IP
         if (getPOST("e_bind_ip", $page_url) !== null) {
-            $first_auth = get_record_sql($db_link, "SELECT user_id, ip FROM user_auth WHERE id = ?", [$val]);
-            
-            if ($first_auth && !empty($first_auth['ip'])) {
+            if ($cur_auth && !empty($cur_auth['ip'])) {
                 if ($a_bind_ip) {
-                    $user_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE user_id = ? AND rule_type = 1", [(int)$first_auth['user_id']]);
-                    $ip_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE rule = ? AND rule_type = 1", [$first_auth['ip']]);
+                    $user_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE user_id = ? AND rule_type = 1", [(int)$cur_auth['user_id']]);
+                    $ip_rule = get_record_sql($db_link, "SELECT * FROM auth_rules WHERE rule = ? AND rule_type = 1", [$cur_auth['ip']]);
                     
                     if (!$user_rule && !$ip_rule) {
                         $new_rule = [
-                            'user_id' => (int)$first_auth['user_id'],
+                            'user_id' => (int)$cur_auth['user_id'],
                             'rule_type' => 1,
-                            'rule' => $first_auth['ip']
+                            'rule' => $cur_auth['ip']
                         ];
                         insert_record($db_link, "auth_rules", $new_rule);
-                        LOG_INFO($db_link, "Created auto rule for user_id: " . $first_auth['user_id'] . " and ip " . $first_auth['ip']);
+                        LOG_INFO($db_link, "Created auto rule for user_id: " . $cur_auth['user_id'] . " and ip " . $cur_auth['ip']);
                     } else {
-                        LOG_INFO($db_link, "Auto rule for user_id: " . $first_auth['user_id'] . " and ip " . $first_auth['ip'] . " already exists");
+                        LOG_INFO($db_link, "Auto rule for user_id: " . $cur_auth['user_id'] . " and ip " . $cur_auth['ip'] . " already exists");
                     }
                 } else {
-                    run_sql($db_link, "DELETE FROM auth_rules WHERE user_id = ? AND rule_type = 1", [(int)$first_auth['user_id']]);
-                    LOG_INFO($db_link, "Remove auto rule for user_id: " . $first_auth['user_id'] . " and ip " . $first_auth['ip']);
+                    run_sql($db_link, "DELETE FROM auth_rules WHERE user_id = ? AND rule_type = 1", [(int)$cur_auth['user_id']]);
+                    LOG_INFO($db_link, "Remove auto rule for user_id: " . $cur_auth['user_id'] . " and ip " . $cur_auth['ip']);
                 }
             } else {
-                LOG_ERROR($db_link, "Auto rule for user_id: " . ($first_auth['user_id'] ?? 'N/A') . " not created. Record not found or empty ip.");
+                LOG_ERROR($db_link, "Auto rule for user_id: " . ($cur_auth['user_id'] ?? 'N/A') . " not created. Record not found or empty ip.");
             }
         }
     }
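Review bot: Reusing `$cur_auth` for the MAC/IP binding rules changes when the address is read: the record is fetched at the top of the loop, before the `update_record($db_link, "user_auth", ...)` call in the previous hunk, whereas the removed `$first_auth` queries re-read it after that update. If `$auth_updates` (built outside this hunk) can change `mac` or `ip`, the auto rule is now created from the stale pre-update value and will not match the address that was just applied. If that is possible, refresh the snapshot after the update with `$cur_auth = get_record_sql($db_link, "SELECT * FROM user_auth WHERE id = ?", [$id]) ?: $cur_auth;` before these blocks. The `$cur_auth &&` tests are also redundant after the `if (!$cur_auth) continue;` above, so the "Record not found" wording in the LOG_ERROR messages can now only ever mean an empty mac/ip. The enclosing `if (getPOST("ApplyForAll", ...))` block starts before this hunk.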

+ 39 - 55
html/utils/auth_export.php

@@ -1,95 +1,79 @@
 <?php
 require_once($_SERVER['DOCUMENT_ROOT'] . "/inc/auth.php");
-require_once($_SERVER['DOCUMENT_ROOT'] . "/inc/languages/" . HTML_LANG . ".php");
+require_once($_SERVER['DOCUMENT_OUT'] . "/inc/languages/" . HTML_LANG . ".php");
 
 if (!defined("CONFIG")) die("Not defined");
 
 $page_url = null;
 
-if (isset($_POST["ExportAuth"])) {
-    // Устанавливаем правильный Content-Type для CSV
+if (getPOST("ExportAuth", $page_url) !== null) {
     header('Content-Type: text/csv; charset=utf-8');
     header('Content-Disposition: attachment; filename="auth_export.csv"');
 
     $out = fopen('php://output', 'w');
     fputcsv($out, ['login', 'ip', 'mac', 'description', 'dns name', 'last_found', 'connected'], ';');
 
-    if (!empty($_POST["a_selected"]) && (int)$_POST["a_selected"]) {
-        // Export selected only
-        $auth_ids = $_POST["fid"] ?? [];
+    $a_selected = getPOST("a_selected", $page_url, null);
+    
+    if ($a_selected !== null && (int)$a_selected) {
+        // Export selected
+        $auth_ids = getPOST("fid", $page_url, []);
         $valid_ids = [];
 
-        // Фильтруем и приводим к целым числам
         foreach ($auth_ids as $id) {
-            if ($id = (int)$id) {
+            $id = (int)$id;
+            if ($id > 0) {
                 $valid_ids[] = $id;
             }
         }
 
         if (!empty($valid_ids)) {
-            // Создаем плейсхолдеры для IN
-            $placeholders = str_repeat('?,', count($valid_ids) - 1) . '?';
-            $sql = "
-                SELECT 
-                    ul.login, 
-                    ua.ip, 
-                    ua.mac, 
-                    ua.description, 
-                    ua.dns_name, 
-                    ua.last_found,
-                    ua.id
-                FROM user_auth ua
-                JOIN user_list ul ON ua.user_id = ul.id
-                WHERE ua.id IN ($placeholders)
-            ";
-            $records = get_records_sql($db_link, $sql, $valid_ids);
-            
-            foreach ($records as $record) {
-                fputcsv($out, [
-                    $record['login'],
-                    $record['ip'],
-                    $record['mac'],
-                    $record['description'],
-                    $record['dns_name'],
-                    $record['last_found'],
-                    get_connection_string($db_link, $record['id'])
-                ], ';');
+            $chunk_size = 500;
+            foreach (array_chunk($valid_ids, $chunk_size) as $chunk) {
+                $placeholders = str_repeat('?,', count($chunk) - 1) . '?';
+                $sql = "SELECT ul.login, ua.ip, ua.mac, ua.description, ua.dns_name, ua.last_found, ua.id
+                    FROM user_auth ua
+                    JOIN user_list ul ON ua.user_id = ul.id
+                    WHERE ua.id IN ($placeholders)
+                ";
+                $records = get_records_sql($db_link, $sql, $chunk);
+                foreach ($records as $record) {
+                    fputcsv($out, [
+                        $record['login'],
+                        $record['ip'],
+                        $record['mac'],
+                        $record['description'],
+                        $record['dns_name'],
+                        $record['last_found'],
+                        get_connection_string($db_link, $record['id'])
+                    ], ';');
+                }
             }
         }
     } else {
         // Export all
-        $conditions = ["ua.deleted = 0"];
-        $params = [];
-        
-        // Фильтр по IP (если передан как часть WHERE условия)
-        // Безопасная сортировка - белый список разрешенных полей
         $allowed_sort_fields = [
-            'user_auth.ip_int', 'ua.ip_int',
-            'user_auth.ip', 'ua.ip',
-            'user_auth.mac', 'ua.mac',
-            'user_list.login', 'ul.login',
+            'ua.ip_int',
+            'ua.mac',
+            'ul.login',
             'ua.last_found'
         ];
-        
+
         $sort_field = 'ua.ip_int';
-        if (!empty($_POST["ip-sort"]) && in_array($_POST["ip-sort"], $allowed_sort_fields, true)) {
-            $sort_field = $_POST["ip-sort"];
+        $ip_sort = getPOST("ip-sort", $page_url, '');
+        if ($ip_sort !== '' && in_array($ip_sort, $allowed_sort_fields, true)) {
+            $sort_field = $ip_sort;
         }
 
         $sql = "
-            SELECT 
-                ua.*, 
-                ul.login, 
-                ul.enabled as UEnabled, 
-                ul.blocked as UBlocked,
-                ua.id
+            SELECT  ul.login, ua.ip, ua.mac, ua.description, ua.dns_name, ua.last_found, ua.id
             FROM user_auth ua
             JOIN user_list ul ON ua.user_id = ul.id
-            WHERE " . implode(' AND ', $conditions) . "
+            WHERE ua.deleted = 0
             ORDER BY $sort_field
         ";
         
-        $records = get_records_sql($db_link, $sql, $params);
+        $records = get_records_sql($db_link, $sql, []);
         
         foreach ($records as $record) {
             fputcsv($out, [
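Review bot: `$_SERVER['DOCUMENT_OUT']` on the second require_once is a typo for `DOCUMENT_ROOT`; that key does not exist, so the path collapses to `/inc/languages/<lang>.php` and require_once fails fatally on every request to this script before any export runs — restore `require_once($_SERVER['DOCUMENT_ROOT'] . "/inc/languages/" . HTML_LANG . ".php");`. Separately, the downloaded CSV writes `login`, `description` and `dns_name` straight from the database; if any of these can be set by users, a value starting with `=`, `+`, `-`, `@`, tab or CR is treated as a formula when the file is opened in a spreadsheet (CSV/formula injection). A small guard applied per row, e.g. `$csv_safe = function ($v) { return (is_string($v) && $v !== '' && strpos("=+-@\t\r", $v[0]) !== false) ? "'" . $v : $v; };` wrapped around the row arrays with `array_map($csv_safe, [...])`, neutralises that in both the selected and export-all branches. The export-all branch's final fputcsv continues past the end of this hunk.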

+ 10 - 9
html/utils/auth_remove.php

@@ -6,23 +6,24 @@ if (!defined("CONFIG")) die("Not defined");
 
 $page_url = null;
 
-if (isset($_POST["RemoveAuth"]) && !empty($_POST["f_deleted"])) {
-    $auth_id = $_POST["fid"] ?? [];
+$remove_action = getPOST('RemoveAuth', $page_url, null);
+$f_deleted     = getPOST('f_deleted', $page_url, null);
+
+if ($remove_action !== null && $f_deleted !== '') {
+    $auth_id = getPOST('fid', $page_url, []);
     $all_ok = true;
 
     foreach ($auth_id as $val) {
-        if ($val = (int)$val) { // Приводим к int и проверяем, что не 0
-            $changes = delete_user_auth($db_link, $val);
+        $id = (int)$val;
+        if ($id > 0) { // только положительные ID
+            $changes = delete_user_auth($db_link, $id);
             if (empty($changes)) {
                 $all_ok = false;
             }
         }
     }
 
-    if ($all_ok) {
-        print "Success!";
-    } else {
-        print "Fail!";
-    }
+    echo $all_ok ? 'Success!' : 'Fail!';
 }
+
 ?>
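Review bot: The new guard `$f_deleted !== ''` drops the requirement the old `!empty($_POST["f_deleted"])` enforced: `getPOST('f_deleted', $page_url, null)` yields null when the field is absent (assuming the third argument is the default, as the `[]` default for `fid` suggests), and `null !== ''` is true, so a POST carrying only RemoveAuth and fid now deletes the selected records without the flag. Restore the old condition with `if ($remove_action !== null && $f_deleted !== null && $f_deleted !== '' && $f_deleted !== '0')` (equivalently `!empty($f_deleted)`). devices_remove.php in this commit has the same pattern.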

+ 6 - 11
html/utils/devices_apply.php

@@ -6,12 +6,10 @@ if (!defined("CONFIG")) die("Not defined");
 
 $page_url = null;
 
-if (getPOST("ApplyForAll", $page_url)) {
+if (getPOST("ApplyForAll", $page_url) !== null) {
 
-    // Получаем массив ID устройств
     $dev_id = getPOST("fid", $page_url, []);
 
-    // Получаем и валидируем параметры через getPOST
     $a_dev_type = (int)getPOST("a_dev_type", $page_url, 0);
     $a_device_model_id = (int)getPOST("a_device_model_id", $page_url, 0);
     $a_building_id = (int)getPOST("a_building_id", $page_url, 0);
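Review bot: The condition was changed to `getPOST("ApplyForAll", $page_url) !== null` here, while auth_apply.php in the same commit still tests `getPOST("ApplyForAll", $page_url)` for truthiness; with a submit button that sends a non-empty value both behave the same, but the two group handlers should use one convention so a later change to the button's value does not split them. Either form is fine as long as it is the same in both files. The rest of the handler continues past this hunk.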
@@ -25,7 +23,8 @@ if (getPOST("ApplyForAll", $page_url)) {
     $all_ok = true;
 
     foreach ($dev_id as $val) {
-        if (!$val = (int)$val) { // Пропускаем неправильные ID
+        $id = (int)$val;
+        if ($id <= 0) {
             continue;
         }
 
@@ -52,18 +51,14 @@ if (getPOST("ApplyForAll", $page_url)) {
         }
 
         if (!empty($device)) {
-            // 🔒 Безопасный вызов: параметризованное условие
-            $ret = update_record($db_link, "devices", "id = ?", $device, [$val]);
+            $ret = update_record($db_link, "devices", "id = ?", $device, [$id]);
             if (!$ret) {
                 $all_ok = false;
             }
         }
     }
 
-    if ($all_ok) {
-        print "Success!";
-    } else {
-        print "Fail!";
-    }
+    echo $all_ok ? "Success!" : "Fail!";
 }
+
 ?>

+ 10 - 9
html/utils/devices_remove.php

@@ -6,23 +6,24 @@ if (!defined("CONFIG")) die("Not defined");
 
 $page_url = null;
 
-if (isset($_POST["RemoveDevice"]) && !empty($_POST["f_deleted"])) {
-    $dev_ids = $_POST["fid"] ?? [];
+$remove_action = getPOST('RemoveDevice', null, null);
+$f_deleted     = getPOST('f_deleted', null, null);
+
+if ($remove_action !== null && $f_deleted !== '') {
+    $dev_ids = getPOST('fid', null, []);
     $all_ok = true;
 
     foreach ($dev_ids as $val) {
-        if ($val = (int)$val) { // Приводим к целому числу и проверяем, что не 0
-            $changes = delete_device($db_link, $val);
+        $id = (int)$val;
+        if ($id > 0) {
+            $changes = delete_device($db_link, $id);
             if (empty($changes)) {
                 $all_ok = false;
             }
         }
     }
 
-    if ($all_ok) {
-        print "Success!";
-    } else {
-        print "Fail!";
-    }
+    echo $all_ok ? 'Success!' : 'Fail!';
 }
+
 ?>
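Review bot: `$f_deleted !== ''` no longer requires the flag: `getPOST('f_deleted', null, null)` returns null when the field is missing (if the third argument is the default, as the `[]` default for `fid` suggests) and `null !== ''` holds, so a request with only RemoveDevice and fid deletes devices that the old `!empty($_POST["f_deleted"])` check would have refused. Use `if ($remove_action !== null && $f_deleted !== null && $f_deleted !== '' && $f_deleted !== '0')`. The three getPOST calls also pass a literal `null` instead of the `$page_url` variable defined just above, unlike the sibling handlers; harmless while `$page_url` is null, but pass the variable so the files stay consistent.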