From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'
---
interface/lib/classes/tform_base.inc.php | 308 ++++++++++++++++++++++++++++++++++----------------
1 files changed, 209 insertions(+), 99 deletions(-)
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 65f10c5..0c9cda5 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -98,6 +98,7 @@
var $errorMessage = '';
var $dateformat = "d.m.Y";
+ var $datetimeformat = 'd.m.Y H:i'; // is set to the correct value in loadFormDef
var $formDef = array();
var $wordbook;
var $module;
@@ -126,6 +127,7 @@
global $app, $conf;
include $file;
+ $app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$form['name'] . ':on_before_formdef', $this);
$this->formDef = $form;
$this->module = $module;
@@ -149,10 +151,13 @@
$wb = $app->functions->array_merge($wb_global, $wb);
}
if(isset($wb_global)) unset($wb_global);
-
+
$this->wordbook = $wb;
+
+ $app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'] . ':on_after_formdef', $this);
$this->dateformat = $app->lng('conf_format_dateshort');
+ $this->datetimeformat = $app->lng('conf_format_datetime');
return true;
}
@@ -201,7 +206,7 @@
break;
case 'DATE':
- if($record[$key] != '' && $record[$key] != '0000-00-00') {
+ if($record[$key] != '' && !is_null($record[$key]) && $record[$key] != '0000-00-00') {
$tmp = explode('-', $record[$key]);
$new_record[$key] = date($this->dateformat, mktime(0, 0, 0, $tmp[1] , $tmp[2], $tmp[0]));
}
@@ -270,7 +275,7 @@
unset($tmp_recordid);
$querystring = str_replace("{AUTHSQL}", $this->getAuthSQL('r'), $querystring);
- $querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', "self::table_auth_sql", $querystring);
+ $querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', create_function('$matches','global $app; $tmp = $app->tform->getAuthSQL("r", $matches[1]); return $tmp;'), $querystring);
// Getting the records
$tmp_records = $app->db->queryAllRecords($querystring);
@@ -312,7 +317,12 @@
}
-
+ /*
+ function table_auth_sql($matches){
+ return $this->getAuthSQL('r', $matches[1]);
+ }
+ */
+
/**
* Get the key => value array of a form filled from a datasource definitiom
*
@@ -342,7 +352,7 @@
return $values;
} else {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+ $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
$allowed = explode(',', $client['lm']);
}
}
@@ -354,19 +364,19 @@
} else {
//* Get the limits of the client that is currently logged in
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+ $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
//echo "SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
//* If the client belongs to a reseller, we will check against the reseller Limit too
if($client['parent_client_id'] != 0) {
//* first we need to know the groups of this reseller
- $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ".$client['parent_client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
$reseller_groups = $tmp["groups"];
$reseller_userid = $tmp["userid"];
// Get the limits of the reseller of the logged in client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ".$client['parent_client_id']);
+ $reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ?", $client['parent_client_id']);
$allowed = explode(',', $reseller['lm']);
} else {
return $values;
@@ -407,6 +417,28 @@
if(!is_array($this->formDef)) $app->error("No form definition found.");
if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+ /* CSRF PROTECTION */
+ // generate csrf protection id and key
+ $csrf_token = $app->auth->csrf_token_get($this->formDef['name']);
+ $_csrf_id = $csrf_token['csrf_id'];
+ $_csrf_value = $csrf_token['csrf_key'];
+
+ $this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array(
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => $_csrf_id,
+ 'value' => $_csrf_id
+ );
+ $this->formDef['tabs'][$tab]['fields']['_csrf_key'] = array(
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'TEXT',
+ 'default' => $_csrf_value,
+ 'value' => $_csrf_value
+ );
+ $record['_csrf_id'] = $_csrf_id;
+ $record['_csrf_key'] = $_csrf_value;
+ /* CSRF PROTECTION */
+
$new_record = array();
if($action == 'EDIT') {
$record = $this->decode($record, $tab);
@@ -440,7 +472,7 @@
if(is_array($field['value'])) {
foreach($field['value'] as $k => $v) {
$selected = ($k == $val)?' SELECTED':'';
- if(!empty($this->wordbook[$v]))
+ if(isset($this->wordbook[$v]))
$v = $this->wordbook[$v];
$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
}
@@ -530,6 +562,18 @@
$new_record[$key] = $this->_getDateTimeHTML($key, $dt_value, $display_seconds);
break;
+ case 'DATE':
+ if (strtotime($val) !== false) {
+ $dt_value = $val;
+ } elseif ( isset($field['default']) && (strtotime($field['default']) !== false) ) {
+ $dt_value = $field['default'];
+ } else {
+ $dt_value = 0;
+ }
+
+ $new_record[$key] = $this->_getDateHTML($key, $dt_value);
+ break;
+
default:
if(isset($record[$key])) {
$new_record[$key] = htmlspecialchars($record[$key]);
@@ -640,6 +684,12 @@
$new_record[$key] = $this->_getDateTimeHTML($key, $dt_value, $display_seconds);
break;
+
+ case 'DATE':
+ $dt_value = (isset($field['default'])) ? $field['default'] : 0;
+
+ $new_record[$key] = $this->_getDateHTML($key, $dt_value);
+ break;
default:
$new_record[$key] = htmlspecialchars($field['default']);
@@ -662,8 +712,46 @@
*/
protected function _encode($record, $tab, $dbencode = true, $api = false) {
global $app;
- if($api == true) $fields = &$this->formDef['fields'];
- else $fields = &$this->formDef['tabs'][$tab]['fields'];
+ if($api == true) {
+ $fields = &$this->formDef['fields'];
+ } else {
+ $fields = &$this->formDef['tabs'][$tab]['fields'];
+ /* CSRF PROTECTION */
+ if(isset($_POST) && is_array($_POST)) {
+ $_csrf_valid = false;
+ if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) {
+ $_csrf_id = trim($_POST['_csrf_id']);
+ $_csrf_key = trim($_POST['_csrf_key']);
+ if(isset($_SESSION['_csrf']) && isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout']) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) {
+ if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'] >= time()) $_csrf_valid = true;
+ }
+ }
+ if($_csrf_valid !== true) {
+ $app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
+ $errmsg = 'err_csrf_attempt_blocked';
+ $this->errorMessage .= ($api == true ? $errmsg : $this->wordbook[$errmsg]."<br />") . "\r\n";
+ unset($_POST);
+ unset($record);
+ }
+
+ if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
+ $to_unset = array();
+ foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) {
+ if($timeout < time()) $to_unset[] = $_csrf_id;
+ }
+ foreach($to_unset as $_csrf_id) {
+ $_SESSION['_csrf'][$_csrf_id] = null;
+ $_SESSION['_csrf_timeout'][$_csrf_id] = null;
+ unset($_SESSION['_csrf'][$_csrf_id]);
+ unset($_SESSION['_csrf_timeout'][$_csrf_id]);
+ }
+ unset($to_unset);
+ }
+ }
+ /* CSRF PROTECTION */
+ }
+
+ $new_record = array();
if(is_array($record)) {
foreach($fields as $key => $field) {
@@ -700,27 +788,20 @@
}
break;
case 'DATE':
- if($record[$key] != '' && $record[$key] != '0000-00-00') {
+ if($record[$key] != '' && !is_null($record[$key]) && $record[$key] != '0000-00-00') {
if(function_exists('date_parse_from_format')) {
$date_parts = date_parse_from_format($this->dateformat, $record[$key]);
- //list($tag,$monat,$jahr) = explode('.',$record[$key]);
- $new_record[$key] = $date_parts['year'].'-'.$date_parts['month'].'-'.$date_parts['day'];
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ $new_record[$key] = $date_parts['year'].'-'.str_pad($date_parts['month'], 2, "0", STR_PAD_LEFT).'-'.str_pad($date_parts['day'], 2, "0", STR_PAD_LEFT);
} else {
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
$tmp = strtotime($record[$key]);
$new_record[$key] = date('Y-m-d', $tmp);
}
} else {
- $new_record[$key] = '0000-00-00';
+ $new_record[$key] = null;
}
break;
case 'INTEGER':
$new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
- //if($new_record[$key] != $record[$key]) $new_record[$key] = $field['default'];
- //if($key == 'refresh') die($record[$key]);
break;
case 'DOUBLE':
$new_record[$key] = $record[$key];
@@ -730,7 +811,7 @@
break;
case 'DATETIME':
- if (is_array($record[$key]))
+ /*if (is_array($record[$key]))
{
$filtered_values = array_map(create_function('$item', 'return (int)$item;'), $record[$key]);
extract($filtered_values, EXTR_PREFIX_ALL, '_dt');
@@ -738,7 +819,22 @@
if ($_dt_day != 0 && $_dt_month != 0 && $_dt_year != 0) {
$new_record[$key] = date( 'Y-m-d H:i:s', mktime($_dt_hour, $_dt_minute, $_dt_second, $_dt_month, $_dt_day, $_dt_year) );
}
- }
+ } else {*/
+ if($record[$key] != '' && !is_null($record[$key]) && $record[$key] != '0000-00-00 00:00:00') {
+ //$tmp = strtotime($record[$key]);
+ //$new_record[$key] = date($this->datetimeformat, $tmp);
+ $parsed_date = date_parse_from_format($this->datetimeformat,$record[$key]);
+ if($parsed_date['error_count'] > 0 || ($parsed_date['year'] == 1899 && $parsed_date['month'] == 12 && $parsed_date['day'] == 31)) {
+ // There was an error, set the date to 0
+ $new_record[$key] = null;
+ } else {
+ // Date parsed successfully. Convert it to database format
+ $new_record[$key] = date( 'Y-m-d H:i:s', mktime($parsed_date['hour'], $parsed_date['minute'], $parsed_date['second'], $parsed_date['month'], $parsed_date['day'], $parsed_date['year']) );
+ }
+ } else {
+ $new_record[$key] = null;
+ }
+ /*}*/
break;
}
@@ -753,7 +849,7 @@
}
//* Add slashes to all records, when we encode data which shall be inserted into mysql.
- if($dbencode == true) $new_record[$key] = $app->db->quote($new_record[$key]);
+ if($dbencode == true && !is_null($new_record[$key])) $new_record[$key] = $app->db->quote($new_record[$key]);
}
}
return $new_record;
@@ -805,6 +901,12 @@
case 'IDNTOUTF8':
$returnval = $app->functions->idn_decode($returnval);
break;
+ case 'TRIM':
+ $returnval = trim($returnval);
+ break;
+ case 'NOWHITESPACE':
+ $returnval = preg_replace('/\s+/', '', $returnval);
+ break;
default:
$this->errorMessage .= "Unknown Filter: ".$filter['type'];
break;
@@ -848,7 +950,7 @@
if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
if($validator['allowempty'] == 'n' || ($validator['allowempty'] == 'y' && $field_value != '')){
if($this->action == 'NEW') {
- $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."'");
+ $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ?", $this->formDef['db_table'], $field_name, $field_value);
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -858,7 +960,7 @@
}
}
} else {
- $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."' AND ".$this->formDef['db_table_idx']." != ".$this->primary_id);
+ $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ? AND ?? != ?", $this->formDef['db_table'], $field_name, $field_value, $this->formDef['db_table_idx'], $this->primary_id);
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -871,7 +973,7 @@
}
break;
case 'NOTEMPTY':
- if(empty($field_value)) {
+ if(!isset($field_value) || $field_value === '') {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
@@ -889,29 +991,37 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ break;
case 'ISEMAIL':
- if(function_exists('filter_var')) {
- if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ $error = false;
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'y' && $field_value == '') {
+ //* Do nothing
} else {
- if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $field_value)) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ if(function_exists('filter_var')) {
+ if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) {
+ $error = true;
} else {
- $this->errorMessage .= $errmsg."<br />\r\n";
+ if (!preg_match("/^[^\\+]+$/", $field_value)) { // * disallow + in local-part
+ $error = true;
+ }
}
- }
+ if ($error) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
}
+ unset($error);
break;
case 'ISINT':
- if(function_exists('filter_var') && $field_value < 2147483647) {
+ if(function_exists('filter_var') && $field_value < PHP_INT_MAX) {
+ //if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT, array("options" => array('min_range'=>0))) === false) {
if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT) === false) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -920,9 +1030,11 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
- } else {
- $tmpval = $app->functions->intval($field_value);
- if($tmpval === 0 and !empty($field_value)) {
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ break;
+ case 'ISPOSITIVE':
+ if(function_exists('filter_var')) {
+ if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT, array("options" => array('min_range'=>1))) === false) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
@@ -930,21 +1042,10 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
- }
- break;
- case 'ISPOSITIVE':
- if(!is_numeric($field_value) || $field_value <= 0){
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
break;
case 'V6PREFIXEND':
$explode_field_value = explode(':',$field_value);
-// if ($explode_field_value[count($explode_field_value)-1]=='' && $explode_field_value[count($explode_field_value)-2]=='' ){ }
if (!$explode_field_value[count($explode_field_value)-1]=='' && $explode_field_value[count($explode_field_value)-2]!='' ) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -956,7 +1057,7 @@
break;
case 'V6PREFIXLENGTH':
// find shortes ipv6 subnet can`t be longer
- $sql_v6 = $app->db->queryOneRecord("SELECT ip_address FROM server_ip WHERE ip_type = 'IPv6' AND virtualhost = 'y' ORDER BY CHAR_LENGTH(ip_address) ASC LIMIT 0,1;");
+ $sql_v6 = $app->db->queryOneRecord("SELECT ip_address FROM server_ip WHERE ip_type = 'IPv6' AND virtualhost = 'y' ORDER BY CHAR_LENGTH(ip_address) ASC LIMIT 0,1");
$sql_v6_explode=explode(':',$sql_v6['ip_address']);
$explode_field_value = explode(':',$field_value);
if (count($sql_v6_explode) < count($explode_field_value) && isset($sql_v6['ip_address'])) {
@@ -988,26 +1089,32 @@
}
break;
-
-
case 'ISIPV4':
- $vip=1;
- if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
- $groups=explode(".", $field_value);
- foreach($groups as $group){
- if($group<0 or $group>255)
- $vip=0;
+ if(function_exists('filter_var')) {
+ if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
}
- }else{$vip=0;}
- if($vip==0) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
break;
+
+ case 'ISIPV6':
+ if(function_exists('filter_var')) {
+ if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ break;
+
case 'ISIP':
if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
if($validator['allowempty'] == 'y' && $field_value == '') {
@@ -1031,27 +1138,29 @@
$this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ } else $this->errorMessage .= "function filter_var missing <br />\r\n";
+ }
+ }
+ break;
+
+ case 'ISDATETIME':
+ /* Checks a datetime value against the date format of the current language */
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'y' && $field_value == '') {
+ //* Do nothing
+ } else {
+ $parsed_date = date_parse_from_format($this->datetimeformat,$field_value);
+ if($parsed_date['error_count'] > 0 || ($parsed_date['year'] == 1899 && $parsed_date['month'] == 12 && $parsed_date['day'] == 31)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- //* Check content with regex, if we use php < 5.2
- $ip_ok = 0;
- if(preg_match("/^(\:\:([a-f0-9]{1,4}\:){0,6}?[a-f0-9]{0,4}|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){0,6}?\:\:|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){1,6}?\:\:([a-f0-9]{1,4}\:){1,6}?[a-f0-9]{1,4})(\/\d{1,3})?$/i", $field_value)){
- $ip_ok = 1;
- }
- if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
- $ip_ok = 1;
- }
- if($ip_ok == 0) {
- $errmsg = $validator['errmsg'];
- if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
- } else {
- $this->errorMessage .= $errmsg."<br />\r\n";
- }
- }
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
}
break;
+
case 'RANGE':
//* Checks if the value is within the given range or above / below a value
//* Range examples: < 10 = ":10", between 2 and 10 = "2:10", above 5 = "5:".
@@ -1103,6 +1212,7 @@
* @param primary_id
* @return record
*/
+ /* TODO: check for double quoting */
protected function _getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '', $api = false) {
global $app;
@@ -1134,7 +1244,7 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
- $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
$record[$key] = $tmp['crypted'];
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} else {
@@ -1152,7 +1262,7 @@
}
} else {
$sql_insert_key .= "`$key`, ";
- $sql_insert_val .= "'".$record[$key]."', ";
+ $sql_insert_val .= (is_null($record[$key]) ? 'NULL' : "'".$record[$key]."'") . ", ";
}
} else {
if($field['formtype'] == 'PASSWORD') {
@@ -1162,7 +1272,7 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
- $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
$record[$key] = $tmp['crypted'];
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} else {
@@ -1179,7 +1289,7 @@
$sql_update .= "`$key` = '".$record[$key]."', ";
}
} else {
- $sql_update .= "`$key` = '".$record[$key]."', ";
+ $sql_update .= "`$key` = " . (is_null($record[$key]) ? 'NULL' : "'".$record[$key]."'") . ", ";
}
}
} else {
@@ -1354,8 +1464,8 @@
function getDataRecord($primary_id) {
global $app;
$escape = '`';
- $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id." AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
- return $app->db->queryOneRecord($sql);
+ $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
+ return $app->db->queryOneRecord($sql, $this->formDef['db_table'], $this->formDef['db_table_idx'], $primary_id);
}
@@ -1367,7 +1477,7 @@
}
function getAuthSQL($perm, $table = '') {
- if($_SESSION["s"]["user"]["typ"] == 'admin') {
+ if($_SESSION["s"]["user"]["typ"] == 'admin' || $_SESSION['s']['user']['mailuser_id'] > 0) {
return '1';
} else {
if ($table != ''){
--
Gitblit v1.9.1