
root/trunk/phpbms/modules/base/tabledefs_quicksearch.php

Revision 704, 8.0 KB (checked in by brieb, 2 years ago)
  • Fixed several SQL injection vulnerabilities
  • Fixed several XSS vulnerabilities due to PHP_SELF and REQUEST_URI
  • Fixed several path disclosure errors
  • Property svn:keywords set to LastChangedBy LastChangedDate LastChangedRevision
1<?php
2/*
3 $Rev$ | $LastChangedBy$
4 $LastChangedDate$
5 +-------------------------------------------------------------------------+
6 | Copyright (c) 2004 - 2010, Kreotek LLC                                  |
7 | All rights reserved.                                                    |
8 +-------------------------------------------------------------------------+
9 |                                                                         |
10 | Redistribution and use in source and binary forms, with or without      |
11 | modification, are permitted provided that the following conditions are  |
12 | met:                                                                    |
13 |                                                                         |
14 | - Redistributions of source code must retain the above copyright        |
15 |   notice, this list of conditions and the following disclaimer.         |
16 |                                                                         |
17 | - Redistributions in binary form must reproduce the above copyright     |
18 |   notice, this list of conditions and the following disclaimer in the   |
19 |   documentation and/or other materials provided with the distribution.  |
20 |                                                                         |
21 | - Neither the name of Kreotek LLC nor the names of its contributore may |
22 |   be used to endorse or promote products derived from this software     |
23 |   without specific prior written permission.                            |
24 |                                                                         |
25 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS     |
26 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT       |
27 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
28 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      |
29 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,   |
30 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT        |
31 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,   |
32 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY   |
33 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT     |
34 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE   |
35 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.    |
36 |                                                                         |
37 +-------------------------------------------------------------------------+
38*/
39
// Bootstrap: session.php presumably sets up $db and the hasRights()/goURL()
// helpers used below; fields.php the form-field classes; the include file the
// quickSearches class that does the data access for this screen.
include("../../include/session.php");
include("include/fields.php");

include("include/tabledefs_quicksearch_include.php");

// Admin-only screen: everyone else is sent to the no-access page first.
// NOTE(review): this relies on goURL() terminating the request after the
// redirect — if it only sends a Location header, the rest of the page would
// still execute for a non-admin. Confirm in session.php.
if (!hasRights("Admin")) {
        goURL(APP_PATH . "noaccess.php");
}

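// The tabledefs record whose quick searches are being edited. The id is a
// query-string value, so it is validated once here: reported as a bad request
// when absent (as before) and cast to int when present. The (int) cast was
// already applied for the SQL below but the raw value was still being handed
// to quickSearches; now both see the same integer.
// NOTE(review): whether appError(..., true) halts the request is not visible
// here — if it does not, the page continues with id 0. quickSearches is
// defined in tabledefs_quicksearch_include.php; confirm it expects an
// integer tabledefs id.
if (!isset($_GET["id"])) {
        $error = new appError(-200, "Passed parameter missing", "Invalid request", true);
}

$tabledefid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;

$quicksearches = new quickSearches($db, $tabledefid);

//grab the table name (int id, so no quoting is needed in the statement)
$querystatement = "SELECT displayname FROM tabledefs WHERE id=" . $tabledefid;
$queryresult = $db->query($querystatement);
$tableRecord = $db->fetchArray($queryresult);
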
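//process page
$thecommand = "";
$action = "add quick search item";
$thequicksearch = $quicksearches->getDefaults();

// The command arrives on the query string (row buttons) or in the posted
// form; a posted value takes precedence, same order as before.
if (isset($_GET["command"])) $thecommand = $_GET["command"];
if (isset($_POST["command"])) $thecommand = $_POST["command"];

// Record id used by edit/delete/moveup/movedown. It comes straight from the
// query string, so it is cast to int here rather than being passed to the
// quickSearches methods raw; when absent it stays null, as it was before.
// NOTE(review): quickSearches lives in tabledefs_quicksearch_include.php (not
// visible here) — confirm get()/delete()/move() take an integer id; the row
// links below and the tabledefs lookup above both treat ids as integers.
$quicksearchid = isset($_GET["quicksearchid"]) ? (int) $_GET["quicksearchid"] : null;

switch ($thecommand) {
        case "edit":
                // Load the chosen record into the form; the form then posts
                // "edit quick search item".
                $singlequicksearchsquery = $quicksearches->get($quicksearchid);
                $thequicksearch = $db->fetchArray($singlequicksearchsquery);
                $action = "edit quick search item";
                break;

        case "delete":
                // NOTE(review): delete and the two move commands change state
                // from a plain GET link with no per-request token; tightening
                // that means routing them through the POST form, which is
                // outside this file.
                $statusmessage = $quicksearches->delete($quicksearchid);
                break;

        case "add quick search item":
                // addSlashesToArray is presumably the project's escaping pass
                // over posted values before they reach the data layer.
                $statusmessage = $quicksearches->add(addSlashesToArray($_POST));
                break;

        case "edit quick search item":
                $statusmessage = $quicksearches->update(addSlashesToArray($_POST));
                break;

        case "moveup":
                $statusmessage = $quicksearches->move($quicksearchid, "up");
                break;

        case "movedown":
                $statusmessage = $quicksearches->move($quicksearchid, "down");
                break;

        // Any other value — including the form's "cancel edit" button — falls
        // through and simply renders the blank "add" form.
}//end switch
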
// All quick searches for this table; iterated into the rows below.
$quicksearchsquery = $quicksearches->get();

$phpbms->cssIncludes[] = "pages/tablequicksearch.css";

$pageTitle = "Table Definition Quick Search: " . $tableRecord["displayname"];

//Form Elements
//==============================================================
$theform = new phpbmsForm();

// NOTE(review): the 4th argument (true) presumably marks "name" as required
// and 28 / 64 its size and maxlength — confirm against inputField's constructor.
$theinput = new inputField("name", $thequicksearch["name"], NULL, true, NULL, 28, 64);
$theinput->setAttribute("class", "important");
$theform->addField($theinput);

// Role selector; presumably gates which users get to see the quick search.
$theinput = new inputRolesList($db, "roleid", $thequicksearch["roleid"], "access (role)");
$theform->addField($theinput);

$theform->jsMerge();
//==============================================================
//End Form Elements

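include("header.php");

// Every row button and the form below link back to this script for the same
// tabledefs id, so the URL prefix is built once. SCRIPT_NAME replaces
// PHP_SELF: by the CGI definition it excludes PATH_INFO, the part of the
// request path a client can append freely, which is what let the unescaped
// PHP_SELF echoes in the row buttons reach the page as markup (the form
// action escaped it, the four buttons did not). It is HTML-escaped anyway,
// with ENT_QUOTES because it ends up inside single-quoted onclick strings,
// and the id is cast to int as it already is for the SQL lookup above.
// The "search" value edited here is a raw SQL WHERE fragment by design, which
// is why this screen is gated on the Admin right; presumably the quick-search
// feature splices it into queries, so these records are as sensitive as the
// schema itself.
$tabledefid = (int) $_GET["id"];
$pageURL = htmlentities($_SERVER["SCRIPT_NAME"], ENT_QUOTES) . "?id=" . $tabledefid;

$phpbms->showTabs("tabledefs entry", "tab:276dacd4-4a37-d979-aeda-a7982f632559", $tabledefid)?><div class="bodyline">
<h1 id="topTitle"><span><?php echo htmlQuotes($pageTitle)?></span></h1>
<div class="fauxP">
<table border="0" cellpadding="3" cellspacing="0" class="querytable">
        <tr>
                 <th nowrap="nowrap">move</th>
                 <th width="100%" align="left">item</th>
                 <th nowrap="nowrap" class="queryheader" align="left">access role</th>
                 <th nowrap="nowrap">&nbsp;</th>
        </tr>
<?php
$topdisplayorder = -1;
$row = 1;
while ($therecord = $db->fetchArray($quicksearchsquery)) {
        // Presumably the rows come back ordered by displayorder: the last one
        // seen seeds the displayorder of a newly added item (hidden field below).
        $topdisplayorder = $therecord["displayorder"];
        $row = ($row == 1) ? 2 : 1;   // alternate the qr1 / qr2 row classes
        // Escaped once per row; it lands in id attributes and the onclick URLs.
        $rowid = htmlentities((string) $therecord["id"], ENT_QUOTES);
?>
<tr class="qr<?php echo $row?> noselects">
 <td nowrap="nowrap" valign="top">
        <button type="button" class="graphicButtons buttonUp" onclick="document.location='<?php echo $pageURL?>&amp;command=moveup&amp;quicksearchid=<?php echo $rowid?>';"><span>up</span></button>
        <button type="button" class="graphicButtons buttonDown" onclick="document.location='<?php echo $pageURL?>&amp;command=movedown&amp;quicksearchid=<?php echo $rowid?>';"><span>dn</span></button>
         <?php echo htmlentities((string) $therecord["displayorder"])?>
 </td>
 <td valign="top">
        <strong><?php echo htmlQuotes($therecord["name"])?></strong><br />
        <?php echo htmlQuotes($therecord["search"])?>
 </td>
 <td valign="top" class="small" nowrap="nowrap"><?php echo $phpbms->displayRights($therecord["roleid"])?></td>
 <td nowrap="nowrap" valign="top">
         <button id="edit<?php echo $rowid?>" type="button" onclick="document.location='<?php echo $pageURL?>&amp;command=edit&amp;quicksearchid=<?php echo $rowid?>';" class="graphicButtons buttonEdit"><span>edit</span></button>
         <button id="delete<?php echo $rowid?>" type="button" onclick="document.location='<?php echo $pageURL?>&amp;command=delete&amp;quicksearchid=<?php echo $rowid?>';" class="graphicButtons buttonDelete"><span>delete</span></button>
 </td>
</tr>
<?php } ?>
<tr class="queryfooter">
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
</tr>
</table>
</div>
<form action="<?php echo $pageURL ?>" method="post" name="record" onsubmit="return validateForm(this);">
<fieldset>
        <legend><?php echo $action?></legend>
        <input name="quicksearchid" type="hidden" value="<?php echo htmlentities((string) $thequicksearch["id"], ENT_QUOTES)?>" />
        <input name="displayorder" type="hidden" value="<?php if ($action == "add quick search item") echo $topdisplayorder + 1; else echo htmlentities((string) $thequicksearch["displayorder"], ENT_QUOTES)?>" />

        <p><?php $theform->showField("name");?></p>

        <p><?php $theform->showField("roleid");?></p>

        <p>
                <label for="search">search</label> <span class="notes">(SQL WHERE clause)</span><br />
                <textarea id="search" name="search" cols="32" rows="2"><?php echo htmlQuotes($thequicksearch["search"]) ?></textarea>
        </p>
</fieldset>

        <p align="right">
                <input name="command" id="save" type="submit" value="<?php echo $action?>" class="Buttons" />
                <?php if ($action == "edit quick search item") { ?>
                        <input name="command" id="cancel" type="submit" value="cancel edit" class="Buttons" />
                <?php } ?>
        </p>

</form>
</div>
<?php include("footer.php")?>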