From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 interface/lib/classes/tform_actions.inc.php |   31 ++++++++++++++++---------------
 1 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index 82d747f..f172fea 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -82,7 +82,7 @@
 		// check if the client is locked - he may not change anything, then.
 		if(!$app->auth->is_admin()) {
 			$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
-			$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($client_group_id));
+			$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 			if(is_array($client) && $client['locked'] == 'y') {
 				$app->tform->errorMessage .= $app->lng("client_you_are_locked")."<br />";
 			}
@@ -106,6 +106,7 @@
 		global $app, $conf;
 
 		$this->onBeforeUpdate();
+		$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_before_update', $this);
 
 		$ext_where = '';
 		$sql = $app->tform->getSQL($this->dataRecord, $app->tform->getCurrentTab(), 'UPDATE', $this->id, $ext_where);
@@ -190,6 +191,7 @@
 		global $app, $conf;
 
 		$this->onBeforeInsert();
+		$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_before_insert', $this);
 
 		$ext_where = '';
 		$sql = $app->tform->getSQL($this->dataRecord, $app->tform->getCurrentTab(), 'INSERT', $this->id, $ext_where);
@@ -309,7 +311,6 @@
 				if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission'));
 			}
 
-			//$this->dataRecord = $app->db->queryOneRecord("SELECT * FROM ".$liste["table"]." WHERE ".$liste["table_idx"]." = ".$this->id);
 			$this->dataRecord = $app->tform->getDataRecord($this->id);
 
 			$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_check_delete', $this);
@@ -322,7 +323,7 @@
 				$app->tform->datalogSave('DELETE', $this->id, $this->dataRecord, array());
 			}
 
-			$app->db->query("DELETE FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." LIMIT 1");
+			$app->db->query("DELETE FROM ?? WHERE ?? = ? LIMIT 1", $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id);
 
 
 			// loading plugins
@@ -377,11 +378,11 @@
 		$app->tpl->setInclude("content_tpl", $app->tform->formDef['template_print']);
 
 		if($app->tform->formDef['auth'] == 'no') {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+			$sql = "SELECT * FROM ?? WHERE ?? = ?";
 		} else {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+			$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 		}
-		if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+		if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 		$record["datum"] = date("d.m.Y");
 
@@ -421,11 +422,11 @@
 			$app->tpl->setInclude("content_tpl", $app->tform->formDef['template_mailsend']);
 			$app->tpl->setVar('show_mail', 1);
 			if($app->tform->formDef['auth'] == 'no') {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+				$sql = "SELECT * FROM ?? WHERE ?? = ?";
 			} else {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+				$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 			}
-			if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+			if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 			$record["datum"] = date("d.m.Y");
 			$record["mailmessage"] = $_POST["message"];
@@ -457,11 +458,11 @@
 
 
 		if($app->tform->formDef['auth'] == 'no') {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+			$sql = "SELECT * FROM ?? WHERE ?? = ?";
 		} else {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+			$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 		}
-		if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+		if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 		$record["datum"] = date("d.m.Y");
 
@@ -558,11 +559,11 @@
 		// bestehenden Datensatz anzeigen
 		if($app->tform->errorMessage == '') {
 			if($app->tform->formDef['auth'] == 'yes' && $_SESSION["s"]["user"]["typ"] != 'admin') {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+				$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 			} else {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+				$sql = "SELECT * FROM ?? WHERE ?? = ?";
 			}
-			if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+			if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 		} else {
 			// $record = $app->tform->encode($_POST,$this->active_tab);
 			$record = $app->tform->encode($this->dataRecord, $this->active_tab, false);

--
Gitblit v1.9.1