From baf5dda4cc07aa35eb9e41dda90aee0d2cdecf23 Mon Sep 17 00:00:00 2001
From: Sergio Cambra <sergio@programatica.es>
Date: Tue, 08 Jul 2014 09:53:13 -0400
Subject: [PATCH] fix escaping in sql query
---
interface/web/mail/mail_domain_edit.php | 45 +++++++++++++++++++++++++++++++++++++--------
1 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index 01773cb..6f48c7f 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -71,7 +71,7 @@
if($_SESSION["s"]["user"]["typ"] == 'admin') {
// Getting Clients of the user
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
$clients = $app->db->queryAllRecords($sql);
$client_select = '';
@@ -97,7 +97,7 @@
unset($tmp);
// Fill the client select field
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY client.company_name, client.contact_name, sys_group.name";
$clients = $app->db->queryAllRecords($sql);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
@@ -112,6 +112,34 @@
}
+ if($_SESSION["s"]["user"]["typ"] != 'admin')
+ {
+ $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_mail = $app->db->queryOneRecord("SELECT mail_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+
+ $client_mail['mail_servers_ids'] = explode(',', $client_mail['mail_servers']);
+
+ $only_one_server = count($client_mail['mail_servers_ids']) === 1;
+ $app->tpl->setVar('only_one_server', $only_one_server);
+
+ if ($only_one_server) {
+ $app->tpl->setVar('server_id_value', $client_mail['mail_servers_ids'][0]);
+ }
+
+ $sql = "SELECT server_id, server_name FROM server WHERE server_id IN (" . $client_mail['mail_servers'] . ");";
+ $mail_servers = $app->db->queryAllRecords($sql);
+
+ $options_mail_servers = "";
+
+ foreach ($mail_servers as $mail_server) {
+ $options_mail_servers .= "<option value='$mail_server[server_id]'>$mail_server[server_name]</option>";
+ }
+
+ $app->tpl->setVar("client_server_id", $options_mail_servers);
+ unset($options_mail_servers);
+
+ }
+
/*
* Now we have to check, if we should use the domain-module to select the domain
* or not
@@ -122,7 +150,7 @@
/*
* The domain-module is in use.
*/
- $domains = $app->tools_sites->getDomainModuleDomains();
+ $domains = $app->tools_sites->getDomainModuleDomains("mail_domain", $this->dataRecord["domain"]);
$domain_select = '';
if(is_array($domains) && sizeof($domains) > 0) {
/* We have domains in the list, so create the drop-down-list */
@@ -190,11 +218,9 @@
}
if($_SESSION["s"]["user"]["typ"] != 'admin') {
-
// Get the limits of the client
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_maildomain, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
-
// When the record is updated
if($this->id > 0) {
// restore the server ID if the user is not admin and record is edited
@@ -203,10 +229,13 @@
unset($tmp);
// When the record is inserted
} else {
- // set the server ID to the default mailserver of the client
- $this->dataRecord["server_id"] = $client["default_mailserver"];
+ $client['mail_servers_ids'] = explode(',', $client['mail_servers']);
- // Check if the user may add another mail_domain
+ // Check if chosen server is in authorized servers for this client
+ if (!(is_array($client['mail_servers_ids']) && in_array($this->dataRecord["server_id"], $client['mail_servers_ids']))) {
+ $app->error($app->tform->wordbook['error_not_allowed_server_id']);
+ }
+
if($client["limit_maildomain"] >= 0) {
$tmp = $app->db->queryOneRecord("SELECT count(domain_id) as number FROM mail_domain WHERE sys_groupid = $client_group_id");
if($tmp["number"] >= $client["limit_maildomain"]) {
--
Gitblit v1.9.1