phpBMS

root/trunk/phpbms/include/relationships.php

Revision 728, 4.6 KB (checked in by brieb, 2 years ago)
  • Fixed possible security loopholes in search screen (SQL Manipulation)
  • Property svn:keywords set to LastChangedBy LastChangedDate LastChangedRevision
1<?php
2/*
3 $Rev$ | $LastChangedBy$
4 $LastChangedDate$
5 +-------------------------------------------------------------------------+
6 | Copyright (c) 2004 - 2010, Kreotek LLC                                  |
7 | All rights reserved.                                                    |
8 +-------------------------------------------------------------------------+
9 |                                                                         |
10 | Redistribution and use in source and binary forms, with or without      |
11 | modification, are permitted provided that the following conditions are  |
12 | met:                                                                    |
13 |                                                                         |
14 | - Redistributions of source code must retain the above copyright        |
15 |   notice, this list of conditions and the following disclaimer.         |
16 |                                                                         |
17 | - Redistributions in binary form must reproduce the above copyright     |
18 |   notice, this list of conditions and the following disclaimer in the   |
19 |   documentation and/or other materials provided with the distribution.  |
20 |                                                                         |
21 | - Neither the name of Kreotek LLC nor the names of its contributors may  |
22 |   be used to endorse or promote products derived from this software     |
23 |   without specific prior written permission.                            |
24 |                                                                         |
25 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS     |
26 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT       |
27 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
28 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      |
29 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,   |
30 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT        |
31 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,   |
32 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY   |
33 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT     |
34 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE   |
35 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.    |
36 |                                                                         |
37 +-------------------------------------------------------------------------+
38*/
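class relationship{

    /** @var object database wrapper; must expose query() and fetchArray() */
    public $db;

    /** @var int primary key of the relationships row to run (always an int) */
    public $id;

    /**
     * Initializes object
     *
     * PHP 5+ constructor. The PHP 4-style relationship() method below
     * delegates here so existing callers keep working: PHP 8 no longer
     * treats a method named after its class as a constructor, which would
     * otherwise leave $db and $id unset.
     *
     * @param object  $db database object
     * @param integer $id relationship id (cast to int so it is safe to
     *                    interpolate into SQL)
     */
    function __construct($db, $id){

        $this->db = $db;
        $this->id = ((int) $id);

    }//end function __construct


    /**
     * Legacy PHP 4-style constructor, kept for backward compatibility.
     *
     * @param object  $db database object
     * @param integer $id relationship id
     */
    function relationship($db, $id){

        $this->__construct($db, $id);

    }//end function relationship


    /**
     * Returns $name unchanged when it is a plain SQL identifier (letters,
     * digits and underscore, not starting with a digit) and throws otherwise.
     * Called before a table or field name read from the database is
     * interpolated, unquoted, into the SQL fragments stored in the session.
     *
     * @param mixed $name table or field name read from the database
     *
     * @return string the validated identifier
     *
     * @throws UnexpectedValueException when $name is not a plain identifier
     */
    private function _identifier($name){

        $name = (string) $name;

        if(!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name))
            throw new UnexpectedValueException("invalid table or field name in relationship ".$this->id);

        return $name;

    }//end function _identifier


    /**
     * create's and runs the  relationship
     *
     * Builds the join clause and the id restriction the search screen uses
     * for this relationship, stores them in $_SESSION["passedjoinclause"]
     * and $_SESSION["passedjoinwhere"], and returns the search screen URL.
     *
     * @param array|string $theids record ids, either as an array or as a
     *                             comma separated string (blank entries of
     *                             the string form are ignored); every id is
     *                             cast to int before it is placed in SQL
     *
     * @return string returns the URL of the new search screen to go to.
     *
     * @throws UnexpectedValueException when no relationships row matches
     *         $this->id, or when a table/field name read from the database
     *         is not a plain SQL identifier
     */
    function execute($theids){

        $_SESSION["passedjoinclause"] = "";
        $_SESSION["passedjoinwhere"] = "";

        // $this->id was cast to int in the constructor, so interpolating it
        // here cannot alter the statement.
        $querystatement = "
            SELECT
                fromtable.maintable AS fromtable,
                relationships.totableid,
                totable.maintable AS totable,
                relationships.tofield,
                relationships.fromfield,
                relationships.inherint
            FROM
                (relationships INNER JOIN tabledefs AS fromtable ON relationships.fromtableid = fromtable.uuid)
                INNER JOIN tabledefs AS totable ON relationships.totableid = totable.uuid
            WHERE
                relationships.id=".$this->id;

        $queryresult = $this->db->query($querystatement);

        $therecord = $this->db->fetchArray($queryresult);

        // Previously a missing row produced undefined-index notices and an
        // SQL fragment built from empty names; fail explicitly instead.
        if(!is_array($therecord))
            throw new UnexpectedValueException("relationship ".$this->id." not found");

        // Table and field names are interpolated unquoted into SQL that the
        // search screen runs later. They come from tabledefs/relationships
        // rows (presumably admin-managed -- verify against the callers that
        // write those tables), but are validated anyway so a bad row cannot
        // turn into SQL manipulation.
        $fromtable = $this->_identifier($therecord["fromtable"]);

        /*
         if the relationship is inherent (already exists due to the display
         nature of the table) then the join clause is not needed
        */
        if(((int) $therecord["inherint"]) === 0){

            $totable = $this->_identifier($therecord["totable"]);
            $tofield = $this->_identifier($therecord["tofield"]);
            $fromfield = $this->_identifier($therecord["fromfield"]);

            $_SESSION["passedjoinclause"] = " INNER JOIN ".$fromtable." ON ".$totable.".".$tofield." = ".$fromtable.".".$fromfield;

        }//end if

        /*
          make the passed where clause for passed id's this will pass the
          saved where clause.
        */
        if(is_array($theids)){

            $idlist = $theids;

        } elseif($theids === null || $theids === ""){

            $idlist = array();

        } else {

            // comma separated string form, as described in the docblock
            $idlist = array();
            foreach(explode(",", (string) $theids) as $piece)
                if(trim($piece) !== "")
                    $idlist[] = $piece;

        }//end if

        $conditions = array();
        foreach($idlist as $theid)
            $conditions[] = $fromtable.".id = ".((int) $theid);

        $_SESSION["passedjoinwhere"] = implode(" OR ", $conditions);

        return "search.php?id=".urlencode((string) $therecord["totableid"]);

    }//end function execute

}//end class relationship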
113?>