From d35b34d03ffe0d92cbaeb4410c913550150fab4e Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Mon, 04 May 2015 13:56:31 -0400
Subject: [PATCH] - prepared layout change for login page

---
 interface/lib/classes/tform_base.inc.php |   30 ++++++++++++++++++------------
 1 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 329f1ef..fb943c5 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -270,7 +270,7 @@
 			unset($tmp_recordid);
 
 			$querystring = str_replace("{AUTHSQL}", $this->getAuthSQL('r'), $querystring);
-			$querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', array($this, 'table_auth_sql'), $querystring);
+			$querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', create_function('$matches','global $app; $tmp = $app->tform->getAuthSQL("r", $matches[1]); return $tmp;'), $querystring);
 
 			// Getting the records
 			$tmp_records = $app->db->queryAllRecords($querystring);
@@ -312,10 +312,12 @@
 
 	}
 
+	/*
 	function table_auth_sql($matches){
 		return $this->getAuthSQL('r', $matches[1]);
 	}
-
+	*/
+	
 	/**
 	 * Get the key => value array of a form filled from a datasource definitiom
 	 *
@@ -345,7 +347,7 @@
 				return $values;
 			} else {
 				$client_group_id = $_SESSION["s"]["user"]["default_group"];
-				$client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+				$client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 				$allowed = explode(',', $client['lm']);
 			}
 		}
@@ -357,19 +359,19 @@
 			} else {
 				//* Get the limits of the client that is currently logged in
 				$client_group_id = $_SESSION["s"]["user"]["default_group"];
-				$client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+				$client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 				//echo "SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
 				//* If the client belongs to a reseller, we will check against the reseller Limit too
 				if($client['parent_client_id'] != 0) {
 
 					//* first we need to know the groups of this reseller
-					$tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ".$client['parent_client_id']);
+					$tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
 					$reseller_groups = $tmp["groups"];
 					$reseller_userid = $tmp["userid"];
 
 					// Get the limits of the reseller of the logged in client
 					$client_group_id = $_SESSION["s"]["user"]["default_group"];
-					$reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ".$client['parent_client_id']);
+					$reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ?", $client['parent_client_id']);
 					$allowed = explode(',', $reseller['lm']);
 				} else {
 					return $values;
@@ -808,6 +810,9 @@
 				case 'IDNTOUTF8':
 					$returnval = $app->functions->idn_decode($returnval);
 					break;
+				case 'TRIM':
+					$returnval = trim($returnval);
+					break;
 				default:
 					$this->errorMessage .= "Unknown Filter: ".$filter['type'];
 					break;
@@ -851,7 +856,7 @@
 				if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
 				if($validator['allowempty'] == 'n' || ($validator['allowempty'] == 'y' && $field_value != '')){
 					if($this->action == 'NEW') {
-						$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."'");
+						$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ?", $this->formDef['db_table'], $field_name, $field_value);
 						if($num_rec["number"] > 0) {
 							$errmsg = $validator['errmsg'];
 							if(isset($this->wordbook[$errmsg])) {
@@ -861,7 +866,7 @@
 							}
 						}
 					} else {
-						$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."' AND ".$this->formDef['db_table_idx']." != ".$this->primary_id);
+						$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ? AND ?? != ?", $this->formDef['db_table'], $field_name, $field_value, $this->formDef['db_table_idx'], $this->primary_id);
 						if($num_rec["number"] > 0) {
 							$errmsg = $validator['errmsg'];
 							if(isset($this->wordbook[$errmsg])) {
@@ -1106,6 +1111,7 @@
 	 * @param primary_id
 	 * @return record
 	 */
+	 /* TODO: check for double quoting */
 	protected function _getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '', $api = false) {
 
 		global $app;
@@ -1137,7 +1143,7 @@
 								$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
 								$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
 							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
-								$tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+								$tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
 								$record[$key] = $tmp['crypted'];
 								$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
 							} else {
@@ -1165,7 +1171,7 @@
 								$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
 								$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
 							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
-								$tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+								$tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
 								$record[$key] = $tmp['crypted'];
 								$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
 							} else {
@@ -1357,8 +1363,8 @@
 	function getDataRecord($primary_id) {
 		global $app;
 		$escape = '`';
-		$sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id." AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
-		return $app->db->queryOneRecord($sql);
+		$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
+		return $app->db->queryOneRecord($sql, $this->formDef['db_table'], $this->formDef['db_table_idx'], $primary_id);
 	}
 
 

--
Gitblit v1.9.1