[Phpgroupware-cvs] tts/viewticket_details.php, 1.42.2.6.4.6


From: nomail
Subject: [Phpgroupware-cvs] tts/viewticket_details.php, 1.42.2.6.4.6
Date: Thu, 30 Sep 2004 15:27:27 +0200

Update of /tts
Modified Files:
        Branch: Version-0_9_16-branch
          viewticket_details.php

date: 2004/09/30 13:27:27;  author: fipsfuchs;  state: Exp;  lines: +25 -24

Log Message:
security review
=====================================================================
Index: tts/viewticket_details.php
diff -u tts/viewticket_details.php:1.42.2.6.4.5 
tts/viewticket_details.php:1.42.2.6.4.6
--- tts/viewticket_details.php:1.42.2.6.4.5     Thu Aug 12 09:04:24 2004
+++ tts/viewticket_details.php  Thu Sep 30 13:27:27 2004
@@ -21,7 +21,7 @@
        );
        $submit = $_POST['submit'];
        $cancel = $_POST['cancel'];
-       $ticket_id = $_REQUEST['ticket_id'];
+       $ticket_id = (int) $_REQUEST['ticket_id'];
 
        if($submit)
        {
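Review bot: The `(int)` cast at line 34 turns a missing or non-numeric ticket_id into 0 instead of rejecting the request, so the rest of the page runs against ticket 0 unless something further down checks for it (not visible here). A guard right after the cast makes the failure explicit, e.g. `if ($ticket_id <= 0) { /* redirect back to the ticket list */ }`. The enclosing block starts before the hunk.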
@@ -60,7 +60,7 @@
        if(!$submit)
        {
                // Have they viewed this ticket before ?
-               $GLOBALS['phpgw']->db->query("select count(*) from 
phpgw_tts_views where view_id='$ticket_id' "
+               $GLOBALS['phpgw']->db->query('select count(*) from 
phpgw_tts_views where view_id='.$ticket_id.' '
                        . "and view_account_id='" . 
$GLOBALS['phpgw_info']['user']['account_id'] . "'",__LINE__,__FILE__);
                $GLOBALS['phpgw']->db->next_record();
 
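Review bot: The query now concatenates `$ticket_id` unquoted, so its safety rests entirely on the cast at the top of the file staying in place; anyone who later reassigns the variable from `$_REQUEST` reintroduces injection on this line. Casting at the point of use, `phpgw_tts_views where view_id='.(int) $ticket_id.' '`, keeps the statement safe on its own. The surrounding function starts before the hunk.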
@@ -231,7 +231,7 @@
                        
$GLOBALS['phpgw']->template->set_var('value_date',$GLOBALS['phpgw']->common->show_date($value['datetime']
 - ((60*60) * 
$GLOBALS['phpgw_info']['user']['preferences']['common']['tz_offset'])));
                        
$GLOBALS['phpgw']->template->set_var('value_user',$value['owner']);
 
-                       
$GLOBALS['phpgw']->template->set_var('value_note',nl2br(stripslashes($value['new_value'])));
+                       
$GLOBALS['phpgw']->template->set_var('value_note',nl2br(htmlspecialchars($value['new_value'])));
                        
$GLOBALS['phpgw']->template->fp('rows_notes','additional_notes_row',True);
                }
 
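Review bot: The new line drops the `stripslashes()` that the old line applied to new_value, while the subject and details output later in this commit keep it inside `htmlspecialchars()`; if already stored history rows carry escaped quotes, they will now render with literal backslashes. Either keep both, `nl2br(htmlspecialchars(stripslashes($value['new_value'])))`, or add a comment saying why history values no longer need it (the commit does start stripping slashes before `historylog->add()`, but only for notes written from now on). This loop body starts outside the hunk.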
@@ -350,7 +350,8 @@
                $GLOBALS['phpgw']->template->set_var('row_on', 
$GLOBALS['phpgw_info']['theme']['row_on']);
                $GLOBALS['phpgw']->template->set_var('th_bg', 
$GLOBALS['phpgw_info']['theme']['th_bg']);
 
-               $GLOBALS['phpgw']->template->set_var('lang_viewjobdetails', 
lang('View Job Detail'));
+               //$GLOBALS['phpgw']->template->set_var('lang_viewjobdetails', 
lang('View Job Detail'));
+               $GLOBALS['phpgw_info']['flags']['app_header'] = lang('View Job 
Detail');
 
                $GLOBALS['phpgw']->template->set_var('lang_opendate', 
lang('Open Date'));
                
$GLOBALS['phpgw']->template->set_var('value_opendate',$ticket['opened']);
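Review bot: The old `set_var` call is left behind as a commented-out line rather than removed; now that the header is set through `$GLOBALS['phpgw_info']['flags']['app_header']`, the dead line only invites someone to re-enable it. Delete it, and if the template still references `lang_viewjobdetails` say so here, e.g. `// header is rendered by the framework via flags['app_header'], not by the template`. The enclosing function starts before the hunk.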
@@ -421,9 +422,9 @@
                $GLOBALS['phpgw']->template->set_var('lang_subject', 
lang('Subject'));
 
                $GLOBALS['phpgw']->template->set_var('lang_details', 
lang('Details'));
-               $GLOBALS['phpgw']->template->set_var('value_details', 
nl2br(stripslashes($ticket['details'])));
+               $GLOBALS['phpgw']->template->set_var('value_details', 
nl2br(htmlspecialchars(stripslashes($ticket['details']))));
 
-               $GLOBALS['phpgw']->template->set_var('value_subject', 
stripslashes($ticket['subject']));
+               $GLOBALS['phpgw']->template->set_var('value_subject', 
htmlspecialchars(stripslashes($ticket['subject'])));
 
                
$GLOBALS['phpgw']->template->set_var('lang_additional_notes',lang('Additional 
notes'));
                $GLOBALS['phpgw']->template->set_var('lang_ok', lang('Save'));
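Review bot: `htmlspecialchars()` without `ENT_QUOTES` leaves single quotes unescaped, which is fine for the details block rendered through `nl2br()` but not for value_subject if the template places it inside a single-quoted input attribute. If that is the case (the template is not visible here), pass the flag: `htmlspecialchars(stripslashes($ticket['subject']), ENT_QUOTES)`. The enclosing function starts before the hunk.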
@@ -499,7 +500,8 @@
                if($old_group != $ticket['group'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_group='" . $ticket['group']
+                       // ticket_group as varchar in database
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_group='" . (int) $ticket['group']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('G',$ticket_id,$ticket['group'],$old_group);
                }
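Review bot: The `(int)` cast is applied only inside the UPDATE string, so the comparison `$old_group != $ticket['group']` and the `historylog->add()` call below still see the raw request value; a non-numeric or padded value triggers the update branch, writes 0, and records the original string in the history. Casting once before the comparison, `$ticket['group'] = (int) $ticket['group'];`, keeps all three consistent, and the same applies to the assignedto, priority and category updates that follow. Presumably `$ticket` is the posted form array (the status hunk reads `$_POST['ticket']` directly), so confirm how it is populated above this hunk.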
@@ -507,7 +509,8 @@
                if($oldassigned != $ticket['assignedto'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_assignedto='" . $ticket['assignedto']
+                       // ticket_assignedto as varchar in database
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_assignedto='" . (int) $ticket['assignedto']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('A',$ticket_id,$ticket['assignedto'],$oldassigned);
                }
@@ -515,7 +518,7 @@
                if($oldpriority != $ticket['priority'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_priority='" . $ticket['priority']
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_priority='" . (int) $ticket['priority']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('P',$ticket_id,$ticket['priority'],$oldpriority);
                }
@@ -523,7 +526,8 @@
                if($oldcategory != $ticket['category'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_category='" . $ticket['category']
+                       // ticket_cat as varchar in database
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_category='" . (int) $ticket['category']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('T',$ticket_id,$ticket['category'],$oldcategory);
                }
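Review bot: The new comment says `ticket_cat` but the column updated on the next line is `ticket_category`, so a reader checking the schema will look for the wrong column. Change it to `// ticket_category is varchar in the database, hence the quotes around the int`, which also explains why the cast and the quotes coexist. The enclosing block starts before the hunk.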
@@ -531,7 +535,7 @@
                if($old_billable_hours != $ticket['billable_hours'] && 
$ticket['billable_hours'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_billable_hours='" . $ticket['billable_hours']
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_billable_hours='" . (float) $ticket['billable_hours']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('H',$ticket_id,$ticket['billable_hours'],$old_billable_hours);
                }
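Review bot: Interpolating `(float) $ticket['billable_hours']` into the query converts the float back to text using the current locale, so under a locale with a comma decimal separator the statement becomes `ticket_billable_hours='1,5'`, which a numeric column rejects or truncates. Formatting explicitly, `number_format((float) $ticket['billable_hours'], 2, '.', '')` with a precision matching the column, gives a locale-independent literal; the billable_rate update below has the same issue. Whether `setlocale()` is called elsewhere in the framework is not visible from this hunk.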
@@ -539,7 +543,7 @@
                if($old_billable_rate != $ticket['billable_rate'] && 
$ticket['billable_rate'])
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_billable_rate='" . $ticket['billable_rate']
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_billable_rate='" . (float) $ticket['billable_rate']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('B',$ticket_id,$ticket['billable_rate'],$old_billable_rate);
                }
@@ -547,7 +551,7 @@
                if ($old_type != $ticket['type'] && $ticket['type'] != "")
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_type='" . $ticket['type']
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_type='" . (int) $ticket['type']
                                . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('Y',$ticket_id,$ticket['type'],$old_type);
                }
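Review bot: The guard `$ticket['type'] != ""` only excludes the empty string, so a non-numeric value still passes, is stored as 0 by the new cast, while `historylog->add()` records the original text. Checking numericness instead of emptiness, e.g. `if ($old_type != $ticket['type'] && ctype_digit((string) $ticket['type']))`, rejects the bad input up front rather than silently coercing it. The enclosing block starts before the hunk.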
@@ -555,24 +559,22 @@
                if ($old_deadline != $ticket['deadline'] && $ticket['deadline'] 
!= "")
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_deadline='" . $ticket['deadline']
-                               . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
+                       // unix time stamp would be best
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set 
ticket_deadline='".$GLOBALS['phpgw']->db->db_addslashes($ticket['deadline'])."' 
where ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('D',$ticket_id,$ticket['deadline'],$old_deadline);
                }
 
                if ($old_effort != $ticket['effort'] && $ticket['effort'] != "")
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_effort='" . $ticket['effort']
-                               . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_effort='".$GLOBALS['phpgw']->db->db_addslashes($ticket['effort']). 
"' where ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('E',$ticket_id,$ticket['effort'],$old_effort);
                }
                
                if ($old_platform != $ticket['platform'] && $ticket['platform'] 
!= "")
                {
                        $fields_updated = True;
-                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set ticket_platform='" . $ticket['platform']
-                               . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
+                       $GLOBALS['phpgw']->db->query("update phpgw_tts_tickets 
set 
ticket_platform='".$GLOBALS['phpgw']->db->db_addslashes($ticket['platform'])."' 
where ticket_id='$ticket_id'",__LINE__,__FILE__);
                        
$GLOBALS['phpgw']->historylog->add('L',$ticket_id,$ticket['platform'],$old_platform);
                }
                
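Review bot: The three new UPDATEs pass deadline, effort and platform straight from the form through `db_addslashes()`, while the note hunk at the end of this commit calls `stripslashes()` on the same form array first, i.e. it assumes magic_quotes_gpc is on. Under that assumption these three values are escaped twice and land in the table with literal backslashes; under the opposite assumption the note handling eats real backslashes. Pick one convention: either strip first, `db_addslashes(stripslashes($ticket['deadline']))`, or check `get_magic_quotes_gpc()` once where `$ticket` is read from the request. The "unix time stamp would be best" remark would read better as an explicit TODO, `// TODO: store ticket_deadline as a unix timestamp; currently a free-form string`.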
@@ -612,8 +614,7 @@
                                $fields_updated = True;
                                
$GLOBALS['phpgw']->historylog->add($_POST['ticket']['status'],$ticket_id,$_POST['ticket']['status'],$old_status);
 
-                               $GLOBALS['phpgw']->db->query("update 
phpgw_tts_tickets set ticket_status='"
-                                       . $_POST['ticket']['status'] . "' where 
ticket_id='$ticket_id'",__LINE__,__FILE__);
+                               $GLOBALS['phpgw']->db->query("update 
phpgw_tts_tickets set 
ticket_status='".$GLOBALS['phpgw']->db->db_addslashes($_POST['ticket']['status'])."'
 where ticket_id='$ticket_id'",__LINE__,__FILE__);
                        }
                        else
                        {
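Review bot: Escaping `$_POST['ticket']['status']` protects the UPDATE, but the same raw value is passed twice to `historylog->add()` two lines above, once as the history type code, and the else branch suggests status is expected to come from a fixed set. If that set is known here, validate against it before either call, e.g. `if (!in_array($_POST['ticket']['status'], $valid_statuses)) { /* reject */ }`, rather than relying on escaping alone; whether `historylog->add()` escapes its arguments is not visible from this hunk. The enclosing if/else starts before the hunk and its else branch continues past it.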
@@ -625,7 +626,7 @@
                if($ticket['note'])
                {
                        $fields_updated = True;
-                       
$GLOBALS['phpgw']->historylog->add('C',$ticket_id,$ticket['note'],'');
+                       $GLOBALS['phpgw']->historylog->add('C', $ticket_id, 
stripslashes($ticket['note']),'');
 
                        // Do this before we go into mail_ticket()
                        $GLOBALS['phpgw']->db->transaction_commit();
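Review bot: `stripslashes()` is now applied unconditionally to the note before it is logged, which is only correct when magic_quotes_gpc added those slashes; with the setting off, a note containing a real backslash (a Windows path, a regex) loses it. Guard it, `get_magic_quotes_gpc() ? stripslashes($ticket['note']) : $ticket['note']`, or normalise the whole `$ticket` array once where it is read from the request. The enclosing block starts before the hunk and continues after the transaction commit.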



