*** Serious vulnerability
02-19-2014, 08:55 PM,
#8
RE: Potential vulnerability
(02-19-2014, 07:28 PM)Forums Wrote: I think Jo's code on the company names actually breaks this script
Yes, it does break the script, as long as that session var is not overwritten and as long as no company name is passed in. As soon as the latter happens, the session is set and ....

In my investigations I noticed there is a var: $AllowAnyone = true
That needs to be set for the above to happen. I'd suggest that it is removed and the script is run for the logged-in user only.

Are we sure we need that $AllowAnyone var? A few other scripts use it, which may be OK - I haven't tested them. Perhaps we can get around the script requiring AllowAnyone with some changes in the code.

I noticed that this AllowAnyone was tested for in session.inc as well - I'm not a fan of it, as it allows the script to fall through and accumulate session info as if users are logged in. In fact, it actually allows the script to log in a user although they have no role permissions assigned. It doesn't feel right, though (it was useful to find out, as I've been investigating some other session issues resulting in users logged in with no permissions and unable to get out of it).

I also wondered why there was the ConnectDB:
/* Scripts that do not require a login must have the $DatabaseName variable set in hard code */
I'm not really a fan of that - I'm sure there must be some other way around it to do the job required.

Does anyone mind me taking out the AllowAnyone from the GLTrialBalance_csv.php script at least for now?

We can then look at fixing the said function to run with a logged-in user. If that causes problems, there could be a way around it depending on what is calling the script.

Thanks
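As an added illustration of the fall-through pattern discussed in this post (hypothetical code, not webERP's session.inc; the function and session key names are assumptions): a session guard that lets an `$AllowAnyone` flag skip the login check, beside a guard that requires an authenticated session with a sufficient role and takes the database name from the session instead of hard code.

```php
<?php
// Added illustration, not webERP code. Session keys and role values are
// assumptions for this example only.

// Weak guard: a script-level flag lets the include fall through without a login.
function weakSessionGuard(array $session, bool $allowAnyone): bool
{
    if ($allowAnyone) {
        // Fall-through: the request continues, and later code may populate
        // session fields as if a user had logged in.
        return true;
    }
    return isset($session['UserID']);
}

// Hardened guard: no bypass flag. The user must be authenticated and must hold
// a role level that grants this script. The database name comes from the
// session, so the script does not need $DatabaseName hard coded.
function requireLoggedInUser(array $session, int $requiredRole): array
{
    if (empty($session['UserID']) || empty($session['DatabaseName'])) {
        throw new RuntimeException('login required');
    }
    if (!isset($session['RoleLevel']) || (int) $session['RoleLevel'] < $requiredRole) {
        throw new RuntimeException('insufficient permissions');
    }
    return ['user' => $session['UserID'], 'db' => $session['DatabaseName']];
}

// Constructed sample: an anonymous request carrying no session data.
$anonymous = [];
var_dump(weakSessionGuard($anonymous, true));
try {
    requireLoggedInUser($anonymous, 8);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Constructed sample: a logged-in user whose role level grants the export.
$loggedIn = ['UserID' => 'alice', 'DatabaseName' => 'demo_db', 'RoleLevel' => 10];
var_dump(requireLoggedInUser($loggedIn, 8));
```

The weak guard admits the anonymous request as soon as the flag is set; the hardened guard rejects it and only returns the user and database for a session that was actually established at login.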