[Phpgroupware-cvs] CVS: infolog/inc class.boinfolog.inc.php,1.14.2.3,1.
From: |
Ralf Becker <address@hidden> |
Subject: |
[Phpgroupware-cvs] CVS: infolog/inc class.boinfolog.inc.php,1.14.2.3,1.14.2.4 class.soinfolog.inc.php,1.10.2.1,1.10.2.2 class.uiinfolog.inc.php,1.30.2.12,1.30.2.13 |
Date: |
Wed, 02 Jul 2003 18:57:27 -0400 |
Update of /cvsroot/phpgroupware/infolog/inc
In directory subversions:/tmp/cvs-serv12387
Modified Files:
Tag: Version-0_9_14-branch
class.boinfolog.inc.php class.soinfolog.inc.php
class.uiinfolog.inc.php
Log Message:
prevention of XSS and query insertion (SQL injection)
Index: class.boinfolog.inc.php
===================================================================
RCS file: /cvsroot/phpgroupware/infolog/inc/class.boinfolog.inc.php,v
retrieving revision 1.14.2.3
retrieving revision 1.14.2.4
diff -C2 -r1.14.2.3 -r1.14.2.4
*** class.boinfolog.inc.php 5 Nov 2002 15:57:13 -0000 1.14.2.3
--- class.boinfolog.inc.php 2 Jul 2003 22:57:25 -0000 1.14.2.4
***************
*** 231,237 ****
$proj_id,$info_id,$ordermethod,&$start,&$total)
{
! return
$this->so->readIdArray($order,$sort,$filter,$cat_id,$query,
!
$action,$addr_id,$proj_id,$info_id,
!
$ordermethod,$start,$total);
}
--- 231,236 ----
$proj_id,$info_id,$ordermethod,&$start,&$total)
{
! return
$this->so->search($order,$sort,$filter,$cat_id,$query,
! $action,$addr_id ? $addr_id :
$proj_id,$info_id,$ordermethod,$start,$total);
}
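Review bot: The new call folds `$addr_id` and `$proj_id` into the single `$action_id` argument with `$addr_id ? $addr_id : $proj_id`, so when `$action` is 'proj' but a non-zero `$addr_id` is also passed, the project filter in search() receives the address id. Select the id by the action instead: `$action == 'addr' ? $addr_id : $proj_id`. Whichever id is chosen is passed on unmodified, so search() has to bound it itself (intval) before it reaches SQL.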
Index: class.soinfolog.inc.php
===================================================================
RCS file: /cvsroot/phpgroupware/infolog/inc/class.soinfolog.inc.php,v
retrieving revision 1.10.2.1
retrieving revision 1.10.2.2
diff -C2 -r1.10.2.1 -r1.10.2.2
*** class.soinfolog.inc.php 20 Nov 2002 19:54:03 -0000 1.10.2.1
--- class.soinfolog.inc.php 2 Jul 2003 22:57:25 -0000 1.10.2.2
***************
*** 14,17 ****
--- 14,25 ----
/* $Id$ */
+ /*!
+ @class soinfolog
+ @abstract storage object / db-layer for InfoLog
+ @author Ralf Becker
+ @copyright GPL - GNU General Public License
+ @note all values passed to this class are run either through intval or
addslashes to prevent query-inserting
+ and for pgSql 7.3 compatibility
+ */
class soinfolog // DB-Layer
{
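Review bot: The new class-level `@note` claims every value passed to this class goes through intval or addslashes, but in this same revision `search()` interpolates `$action_id` into `info_addr_id=$action_id` untouched and the ORDER BY columns are only addslashes'd, which does not protect unquoted identifiers. A note that overstates the guarantee is worse than none, because later callers will rely on it. Either make it true in the code or word it as the intent, e.g. `@note values are meant to go through intval or db_addslashes before reaching SQL; check each new query`.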
***************
*** 21,27 ****
var $filters = array( );
var $user;
! var $maybe_slashes = array (
!
'info_des'=>1,'info_subject'=>1,'info_from'=>1,'info_addr'=>1
! );
function soinfolog( $info_id = 0)
{
--- 29,37 ----
var $filters = array( );
var $user;
!
! /*!
! @function soinfolog
! @abstract constructor
! */
function soinfolog( $info_id = 0)
{
***************
*** 32,37 ****
$this->read( $info_id );
}
-
function check_access( $info_id,$required_rights )
{
--- 42,54 ----
$this->read( $info_id );
}
+ /*!
+ @function check_access
+ @abstract checks if user has the $required_rights to access
$info_id (private access is handled too)
+ @syntax check_access( $info_id,$required_rights )
+ @param $info_id Id of InfoLog entry
+ @param $required_rights PHPGW_ACL_xyz anded together
+ @returns True if access is granted else False
+ */
function check_access( $info_id,$required_rights )
{
***************
*** 64,71 ****
}
! // sql to be AND into a query to ensure ACL is respected (incl.
_PRIVATE)
! // filter: none|all - list all entrys user have rights to see
! // private|own - list only his personal entrys
! // (incl.
those he is responsible for !!!)
function aclFilter($filter = 'none')
{
--- 81,91 ----
}
! /*!
! @function aclFilter
! @abstract generate sql to be AND'ed into a query to ensure ACL
is respected (incl. _PRIVATE)
! @param $filter: none|all - list all entrys user have rights to
see<br>
! private|own - list only his personal entrys (incl.
those he is responsible for !!!)
! @returns the necesary sql
! */
function aclFilter($filter = 'none')
{
***************
*** 93,98 ****
if (count($private_user_list))
{
! $has_private_access = 'info_owner IN ('.
!
implode(',',$private_user_list).')';
}
}
--- 113,117 ----
if (count($private_user_list))
{
! $has_private_access = 'info_owner IN
('.implode(',',$private_user_list).')';
}
}
***************
*** 121,124 ****
--- 140,150 ----
}
+ /*!
+ @function statusFilter
+ @abstract generate sql to filter based on the status of the
log-entry
+ @syntax statusFilter($filter = '')
+ @param $filter done = done or billed, open = not ()done or
billed), offer = offer
+ @returns the necesary sql
+ */
function statusFilter($filter = '')
{
***************
*** 135,138 ****
--- 161,173 ----
}
+ /*!
+ @function dateFilter
+ @abstract generate sql to filter based on the start- and
enddate of the log-entry
+ @syntax dateFilter($filter = '')
+ @param $filter upcoming = startdate is in the future<br>
+ today startdate < tomorrow<br>
+ overdue enddate < tomorrow
+ @returns the necesary sql
+ */
function dateFilter($filter = '')
{
***************
*** 145,165 ****
switch ($filter)
{
! case 'upcoming': return " AND
info_startdate >= '$tomorrow'";
! case 'today': return " AND
info_startdate < '$tomorrow'";
! case 'overdue': return " AND (info_enddate != 0
AND info_enddate < '$tomorrow')";
}
return '';
}
function init()
{
! $this->data = array( 'info_owner' => $this->user,
!
'info_pri' => 'normal' );
}
!
function read($info_id) // did _not_ ensure ACL
{
if ($info_id <= 0 || $info_id != $this->data['info_id']
&&
!
(!$this->db->query("select * FROM phpgw_infolog where info_id='$info_id'") ||
!$this->db->next_record()))
{
$this->init( );
--- 180,221 ----
switch ($filter)
{
! case 'upcoming':
! return " AND info_startdate >=
'$tomorrow'";
! case 'today':
! return " AND info_startdate <
'$tomorrow'";
! case 'overdue':
! return " AND (info_enddate != 0 AND
info_enddate < '$tomorrow')";
}
return '';
}
+ /*!
+ @function init
+ @abstract initialise the internal $this->data to be empty
+ @discussion only non-empty values got initialised
+ */
function init()
{
! $this->data = array(
! 'info_owner' => $this->user,
! 'info_pri' => 'normal'
! );
}
!
! /*!
! @function read
! @abstract read InfoLog entry $info_id
! @syntax read( $info_id )
! @param $info_id id of log-entry
! @description some cacheing is done to prevent multiple reads of
the same entry
! @returns the entry as array
! */
function read($info_id) // did _not_ ensure ACL
{
+ $info_id = intval($info_id);
+
if ($info_id <= 0 || $info_id != $this->data['info_id']
&&
! (!$this->db->query("select * FROM phpgw_infolog
where info_id=$info_id",__LINE__,__FILE__) ||
! !$this->db->next_record()))
{
$this->init( );
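Review bot: The reworked condition in read() mixes `||` and `&&` without parentheses; since `&&` binds tighter it reads as `$info_id <= 0 || ($info_id != $this->data['info_id'] && (query failed || no row))`, which is presumably the intent but is easy to misread next to the newly unquoted `info_id=$info_id`. Add the parentheses explicitly so the cache short-circuit is visible: `if ($info_id <= 0 || ($info_id != $this->data['info_id'] && (!$this->db->query(...) || !$this->db->next_record())))`. The body of read() continues past the end of this hunk.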
***************
*** 169,176 ****
{
$this->data = $this->db->Record;
! reset($this->maybe_slashes);
! while (list($key) = each($this->maybe_slashes))
{
! $this->data[$key] =
stripslashes($this->data[$key]);
}
}
--- 225,235 ----
{
$this->data = $this->db->Record;
! foreach($this->data as $key => $val)
{
! if (is_numeric($key))
! {
! unset($this->data[$key]);
! }
! $this->data[$key] =
$GLOBALS['phpgw']->strip_html($val);
}
}
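Review bot: The `unset($this->data[$key])` for numeric keys is undone immediately, because the assignment `$this->data[$key] = $GLOBALS['phpgw']->strip_html($val)` that follows runs for every key and re-creates the entry just removed. The branch needs a `continue` (or the assignment moved into an `else`): `if (is_numeric($key)) { unset($this->data[$key]); continue; }`. Note also that strip_html is now applied to every column on read, including numeric ones, and that HTML stripping has moved from the output layer into the storage layer; any caller that sets these values from the request instead of from read() gets no stripping at all.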
***************
*** 178,187 ****
}
function delete($info_id) // did _not_ ensure ACL
{
! $this->db->query("delete FROM phpgw_infolog where
info_id='$info_id' or info_id_parent='"
! . "$info_id' AND ((info_access='public' and
info_owner != '$this->user')"
! . " or (info_owner='$this->user'))"
,__LINE__,__FILE__);
!
if ($this->data['info_id'] == $info_id)
{
--- 237,256 ----
}
+ /*!
+ @function delete
+ @abstract delete InfoLog entry $info_id AND the links to it
+ @syntax delete( $info_id )
+ @param $info_id id of log-entry
+ */
function delete($info_id) // did _not_ ensure ACL
{
! if (($info_id = intval($info_id)) <= 0)
! {
! return;
! }
! $this->db->query("delete FROM phpgw_infolog where
info_id=$info_id or info_id_parent=$info_id" .
! " AND ((info_access='public' and info_owner !=
$this->user) OR (info_owner=$this->user))",
! __LINE__,__FILE__);
!
if ($this->data['info_id'] == $info_id)
{
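Review bot: The WHERE clause of the rewritten DELETE relies on SQL precedence: `info_id=$info_id or info_id_parent=$info_id AND (...)` binds the AND to the sub-entry condition only, so the entry itself is always deleted and only the children are filtered by access/owner. If that is intended (the comment says ACL is not checked here) make it explicit: `where info_id=$info_id OR (info_id_parent=$info_id AND ((info_access='public' AND info_owner != $this->user) OR info_owner=$this->user))`. Dropping the quotes around `$this->user` also means it must now be an integer; presumably it is set from the account id in the constructor, outside this hunk, and should be intval'd there.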
***************
*** 190,204 ****
}
function change_delete_owner($owner,$new_owner=0) //
new_owner=0 means delete
{
! if (!$new_owner)
{
! $sql = "delete FROM phpgw_infolog where
info_owner='$owner'";
! $sql2 = "update phpgw_infolog set
info_responsible='0' where info_responsible='$owner'";
}
else
{
! $sql = "update phpgw_infolog set
info_owner='$new_owner' where info_owner='$owner'";
! $sql2 = "update phpgw_infolog set
info_responsible='$new_owner' where info_responsible='$owner'";
}
$this->db->query($sql,__LINE__,__FILE__);
--- 259,281 ----
}
+ /*!
+ @function change_delete_owner
+ @abstract changes or deletes entries with a spezified owner
(for hook_delete_account)
+ @syntax change_delete_owner( $owner,$new_owner=0 )
+ @param $owner old owner
+ @param $new_owner new owner or 0 if entries should be deleted
+ */
function change_delete_owner($owner,$new_owner=0) //
new_owner=0 means delete
{
! $owner = intval($owner);
! if (!($new_owner = intval($new_owner)))
{
! $sql = "delete FROM phpgw_infolog where
info_owner=$owner";
! $sql2 = "update phpgw_infolog set
info_responsible=0 where info_responsible=$owner";
}
else
{
! $sql = "update phpgw_infolog set
info_owner=$new_owner where info_owner=$owner";
! $sql2 = "update phpgw_infolog set
info_responsible=$new_owner where info_responsible=$owner";
}
$this->db->query($sql,__LINE__,__FILE__);
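Review bot: `intval()` maps any non-numeric input to 0, so a non-numeric `$new_owner` silently turns the reassignment into a delete (the `!$new_owner` branch), and a non-numeric `$owner` produces `where info_owner=0`. Guard the owner the way delete() and anzSubs() now do, `if (($owner = intval($owner)) <= 0) { return; }`, and document that `$new_owner` must be an integer account id, since 0 is the delete sentinel.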
***************
*** 206,209 ****
--- 283,293 ----
}
+ /*!
+ @function write
+ @abstract writes the given $values to InfoLog, a new entry gets
created if info_id is not set or 0
+ @syntax write( $values )
+ @param $values array with the data of the log-entry
+ @returns nothing direct, but the info_id gets
+ */
function write($values) // did _not_ ensure ACL
{
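Review bot: The `@returns nothing direct, but the info_id gets` line is truncated and contradicted by the new body of write(), which ends with `return $this->data['info_id'];` later in this revision. Replace it with `@returns info_id of the written entry (the new id after an insert); $this->data['info_id'] is set to it as well`. The body of write() starts after this hunk.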
***************
*** 216,233 ****
$this->data[$key] = $val; // update
internal data
! if ($this->maybe_slashes[$key])
{
! $val = addslashes($val);
}
$cols .= ($cols ? ',' : '').$key;
! $vals .= ($vals ? ',' : '')."'$val'";
! $query .= ($query ? ',' :
'')."$key='$val'";
}
}
! if ($values['info_id'])
{
! $query = "UPDATE phpgw_infolog SET $query where
info_id='".$values['info_id']."'";
! $this->db->query($query,__LINE__,__FILE__);
! $this->data['info_id'] = $values['info_id'];
}
else
--- 300,321 ----
$this->data[$key] = $val; // update
internal data
! switch($val['type']) // protection
against query-insertion
{
! case 'int': case 'auto':
! $val = intval($val);
! break;
! default:
! $val =
"'".$this->db->db_addslashes($val)."'";
! break;
}
$cols .= ($cols ? ',' : '').$key;
! $vals .= ($vals ? ',' : '').$val;
! $query .= ($query ? ',' :
'')."$key=$val";
}
}
! if (($this->data['info_id'] =
intval($values['info_id'])) > 0)
{
! $query = "UPDATE phpgw_infolog SET $query where
info_id='".$this->data['info_id']."'";
! $this->db->query($query,__LINE__,__FILE__);
}
else
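Review bot: `switch($val['type'])` inspects the column value itself (`$val` is what is written into `$this->data[$key]` two lines above), not a column description, so the `'int'`/`'auto'` branch can never match and every value, numeric ones included, takes the quoted `db_addslashes` path. The switch needs a per-column type source (something like the role the removed `$maybe_slashes` map played for strings); as written the pgSQL-7.3 motivation in the class note is not achieved. The UPDATE also still quotes the id, `info_id='".$this->data['info_id']."'`, although it is now intval'd; `info_id=".$this->data['info_id']` is consistent with the other rewritten queries.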
***************
*** 237,246 ****
$this->data['info_id']=$this->db->get_last_insert_id('phpgw_infolog','info_id');
}
}
function anzSubs( $info_id )
{
! $this->db->query('select count(*) FROM phpgw_infolog
where '.
!
"info_id_parent=$info_id",__LINE__,__FILE__);
$this->db->next_record();
--- 325,348 ----
$this->data['info_id']=$this->db->get_last_insert_id('phpgw_infolog','info_id');
}
+ // echo "<p>soinfolog.write values= ";
_debug_array($values);
+ // echo "<p>soinfolog.write this->data= ";
_debug_array($this->data);
+
+ return $this->data['info_id'];
}
+ /*!
+ @function anzSubs
+ @abstract count the sub-entries of $info_id
+ @syntax anzSubs( $info_id )
+ @param $info_id id of log-entry
+ @returns the number of sub-entries
+ */
function anzSubs( $info_id )
{
! if (($info_id = intval($info_id)) <= 0)
! {
! return 0;
! }
! $this->db->query("select count(*) FROM phpgw_infolog
where info_id_parent=$info_id",__LINE__,__FILE__);
$this->db->next_record();
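Review bot: The two commented-out `echo ... _debug_array(...)` lines added after the insert branch are dead debugging code and should be deleted rather than left in place. The new `return $this->data['info_id'];` is fine, but it makes the docblock's "returns nothing" claim wrong and should be reflected there.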
***************
*** 249,258 ****
}
! function
readIdArray($order,$sort,$filter,$cat_id,$query,$action,$addr_id,
!
$proj_id,$info_id,$ordermethod,&$start,&$total)
{
if ($order)
{
! $ordermethod = 'order by ' . $order . ' ' . $sort;
}
else
--- 351,372 ----
}
! /*!
! @function search
! @abstract searches InfoLog for a certain pattern in $query
! @syntax search(
$order,$sort,$filter,$cat_id,$query,$action,$action_id,$ordermethod,&$start,&$total
)
! @param $order comma-separated list of columns to order the
result (no 'ORDER BY'), eg. 'info_subject DESC'
! @param $sort comma-separated list of columns to to sort by
(incl. 'SORT BY') or ''
! @param $filter string with combination of acl-, date- and
status-filters, eg. 'own-open-today' or ''
! @param $cat_id category to use or 0
! @param $query pattern to search, search is done in info_from,
info_subject and info_des
! @param $action / $action_id if only entries linked to a
specified app/entry show be used
! @param &$start, &$total nextmatch-parameters will be used and
set if query returns less entries
! @returns array with id's as key of the matching log-entries
! */
! function
search($order,$sort,$filter,$cat_id,$query,$action,$action_id,$ordermethod,&$start,&$total)
{
if ($order)
{
! $ordermethod = 'ORDER BY ' .
$this->db->db_addslashes($order) . ' ' . $this->db->db_addslashes($sort);
}
else
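Review bot: Passing `$order` and `$sort` through `db_addslashes()` before building `ORDER BY $order $sort` does not prevent injection, because identifiers here are unquoted and an attacker does not need a quote character to append SQL. Whitelist instead: `$sort = strtoupper($sort) == 'ASC' ? 'ASC' : 'DESC';` and only accept `$order` if `preg_match('/^[a-z0-9_]+(,[a-z0-9_]+)*$/i',$order)`, falling back to the default `$ordermethod` otherwise. The new `@param $sort` text ("comma-separated list of columns ... incl. 'SORT BY'") also contradicts the code, which appends it as a sort direction. The else branch and the rest of search() are outside this hunk.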
***************
*** 265,281 ****
// echo "<p>filtermethod='$filtermethod'</p>";
! if ($cat_id)
{
! $filtermethod .= " AND info_cat='$cat_id' ";
}
switch ($action)
{
! case 'addr': $filtermethod .= " AND
info_addr_id=$addr_id ";
break;
! case 'proj': $filtermethod .= " AND
info_proj_id=$proj_id ";
break;
}
if ($query) // we search in
_from, _subject and _des for $query
{
$sql_query = "AND (info_from like '%$query%' OR
info_subject ".
"like
'%$query%' OR info_des like '%$query%') ";
--- 379,396 ----
// echo "<p>filtermethod='$filtermethod'</p>";
! if (intval($cat_id))
{
! $filtermethod .= ' AND info_cat='.intval($cat_id).' ';
}
switch ($action)
{
! case 'addr': $filtermethod .= " AND
info_addr_id=$action_id ";
break;
! case 'proj': $filtermethod .= " AND
info_proj_id=$action_id ";
break;
}
if ($query) // we search in
_from, _subject and _des for $query
{
+ $query = $this->db->db_addslashes($query);
$sql_query = "AND (info_from like '%$query%' OR
info_subject ".
"like
'%$query%' OR info_des like '%$query%') ";
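Review bot: `$action_id` is interpolated raw into `info_addr_id=$action_id` and `info_proj_id=$action_id`, so the caller-supplied id bypasses the intval/addslashes discipline this revision introduces elsewhere. Add `$action_id = intval($action_id);` before the switch, or inline `' AND info_addr_id='.intval($action_id).' '`. `$query` now goes through db_addslashes, which presumably covers quotes only; `%` and `_` remain live LIKE wildcards, which is not an injection but does let a user widen the search.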
***************
*** 288,293 ****
$pid = '';
}
! $this->db->query("SELECT COUNT(*) FROM phpgw_infolog
WHERE $filtermethod $pid $sql_query",__LINE__,__FILE__);
!
$this->db->next_record();
$total = $this->db->f(0);
--- 403,414 ----
$pid = '';
}
! $ids = array( );
! if ($action == '' || $action == 'sp' || count($links))
! {
! $this->db->query($sql="SELECT COUNT(*) FROM
phpgw_infolog i WHERE ($filtermethod $pid $sql_query)
$link_extra",__LINE__,__FILE__);
!
! $this->db->next_record();
! $total = $this->db->f(0);
! }
$this->db->next_record();
$total = $this->db->f(0);
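Review bot: After the new guarded COUNT block, the unchanged `$this->db->next_record(); $total = $this->db->f(0);` pair runs a second time, so for a one-row COUNT result it advances past the row and overwrites `$total` with whatever `f(0)` yields on an exhausted result set, and when the guard is false it consumes a result set from some earlier query. Delete those two trailing lines since the block already does this work. The `$sql=` assignment inside the query() call looks like a debugging leftover; `$links` and `$link_extra` are not defined in this hunk, so presumably they are set earlier in search().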
Index: class.uiinfolog.inc.php
===================================================================
RCS file: /cvsroot/phpgroupware/infolog/inc/class.uiinfolog.inc.php,v
retrieving revision 1.30.2.12
retrieving revision 1.30.2.13
diff -C2 -r1.30.2.12 -r1.30.2.13
*** class.uiinfolog.inc.php 13 Mar 2003 14:19:17 -0000 1.30.2.12
--- class.uiinfolog.inc.php 2 Jul 2003 22:57:25 -0000 1.30.2.13
***************
*** 918,926 ****
$t->set_var('lang_prfrom', lang('From'));
! if (!isset($from)) $from
=$GLOBALS['phpgw']->strip_html($this->bo->so->data['info_from']);
$t->set_var('fromval', $from);
$t->set_var('lang_praddr', lang('Phone/Email'));
! if (!isset($addr)) $addr
=$GLOBALS['phpgw']->strip_html($this->bo->so->data['info_addr']);
$t->set_var('addrval', $addr);
--- 918,926 ----
$t->set_var('lang_prfrom', lang('From'));
! if (!isset($from)) $from =
$this->bo->so->data['info_from'];
$t->set_var('fromval', $from);
$t->set_var('lang_praddr', lang('Phone/Email'));
! if (!isset($addr)) $addr =
$this->bo->so->data['info_addr'];
$t->set_var('addrval', $addr);
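Review bot: Removing `strip_html()` at the point where `$from` and `$addr` are handed to the template moves XSS protection into soinfolog::read(), but only the `!isset()` branch goes through read(); when `$from` or `$addr` is already set, presumably from the submitted form outside this hunk, it now reaches `set_var` unescaped. Keep escaping at output regardless of where the value came from: `$t->set_var('fromval', $GLOBALS['phpgw']->strip_html($from));` and likewise for `addrval`.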
***************
*** 933,942 ****
$t->set_var('lang_prsubject', lang('Subject'));
if (!isset($subject)) {
! $subject =
$GLOBALS['phpgw']->strip_html($this->bo->so->data['info_subject']);
}
$t->set_var('subjectval', $subject);
$t->set_var('lang_prdesc', lang('Description'));
! if (!isset($des)) $des =
$GLOBALS['phpgw']->strip_html($this->bo->so->data['info_des']);
$t->set_var('descval', $des);
--- 933,942 ----
$t->set_var('lang_prsubject', lang('Subject'));
if (!isset($subject)) {
! $subject = $this->bo->so->data['info_subject'];
}
$t->set_var('subjectval', $subject);
$t->set_var('lang_prdesc', lang('Description'));
! if (!isset($des)) $des =
$this->bo->so->data['info_des'];
$t->set_var('descval', $des);
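Review bot: The same gap applies to `$subject` and `$des`, the two free-text fields most likely to carry markup: the `strip_html()` removed here only happens for values loaded via read(), and a pre-set `$subject`/`$des` is passed to the template as is. Escape at the `set_var` call instead: `$t->set_var('subjectval', $GLOBALS['phpgw']->strip_html($subject));` and `$t->set_var('descval', $GLOBALS['phpgw']->strip_html($des));`.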