Context Navigation

clients_addresses.php

Revision 704, 7.9 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors

Line
1	<?php
2	/*
3	$Rev: 346 $ \| $LastChangedBy: brieb $
4	$LastChangedDate: 2007-10-20 13:44:04 -0600 (Sat, 20 Oct 2007) $
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	include("../../include/session.php");
41	require_once("../../include/search_class.php");
42	include("include/clients_addresses.php");
43
44	if(isset($_GET["refid"])) $_GET["id"]=$_GET["refid"];
45	if(!isset($_GET["id"])) $error = new appError(300,"Passed variable not set (id)");
46
47	$clientAddress = new clientAddress($db, $_GET["id"]);
48
49	$pageTitle = $clientAddress->getPageTitle();
50
51	// clients table definition uuid
52	$reftableid = "tbld:6d290174-8b73-e199-fe6c-bcf3d4b61083";
53
54	$whereclause = "
55	tabledefid = '".$reftableid."'
56	AND recordid = '".$clientAddress->clientuuid."'";
57
58	$backurl="../bms/clients_addresses.php";
59	$base="../../";
60
61	$displayTable= new displaySearchTable($db);
62	$displayTable->base = $base;
63	$displayTable->initialize("tbld:e3ce122f-7c43-cfca-fd32-11c663567a2a");
64	$displayTable->querywhereclause = $whereclause;
65
66	if(isset($_POST["deleteCommand"]))
67	if($_POST["deleteCommand"]) $_POST["command"] = $_POST["deleteCommand"];
68
69	if(!isset($_POST["othercommands"])) $_POST["othercommands"]="";
70	if($_POST["othercommands"]) $_POST["command"]="other";
71
72	if(isset($_POST["command"])){
73
74	switch($_POST["command"]){
75
76	case "delete":
77	//=====================================================================================================
78
79	$_POST["othercommands"] = -1;
80
81	case "other":
82	$displayTable->recordoffset=0;
83	// process table specific commands (passed by settings)
84	//=====================================================================================================
85	$theids=explode(",",$_POST["theids"]);
86
87	include_once("modules/bms/include/addresstorecord.php");
88
89	//next, see if the searchclass exists
90	if(class_exists($displayTable->thetabledef["maintable"]."SearchFunctions")){
91	$classname = $displayTable->thetabledef["maintable"]."SearchFunctions";
92	$searchFunctions = new $classname($db,$displayTable->thetabledef["uuid"],$theids);
93	} else
94	$searchFunctions = new searchFunctions($db,$displayTable->thetabledef["uuid"],$theids);
95
96	//grab the method name
97	if(((int) $_POST["othercommands"]) === -1)
98	$functionname = "delete_record";
99	else {
100	$querystatement = "SELECT name FROM tableoptions WHERE id=".((int) $_POST["othercommands"]);
101	$queryresult = $db->query($querystatement);
102	$therecord = $db->fetchArray($queryresult);
103	$functionname = $therecord["name"];
104	}
105
106	if(method_exists($searchFunctions,$functionname))
107	$statusmessage = $searchFunctions->$functionname();
108	else
109	$statusmessage = "Function ".$functionname." not defined";
110
111	break;
112
113	case "omit":
114	// omit selected from current query
115	//=====================================================================================================
116	$displayTable->recordoffset=0;
117	$tempwhere="";
118	$theids=explode(",",$_POST["theids"]);
119	foreach($theids as $theid){
120	$tempwhere.=" or ".$displayTable->thetabledef["maintable"].".id=".$theid;
121	}
122	$tempwhere=substr($tempwhere,3);
123	$displayTable->querywhereclause="(".$displayTable->querywhereclause.") and not (".$tempwhere.")";
124	break;
125
126	case "keep":
127	// keep only those ids
128	//=====================================================================================================
129	$displayTable->recordoffset=0;
130	$tempwhere="";
131	$theids=explode(",",$_POST["theids"]);
132	foreach($theids as $theid){
133	$tempwhere.=" or ".$displayTable->thetabledef["maintable"].".id=".$theid;
134	}
135	$tempwhere=substr($tempwhere,3);
136	$displayTable->querywhereclause=$tempwhere;
137	break;
138
139	}//end switch
140
141	}//endif
142
143	//on the fly sorting... this needs to be done after command processing or the querystatement will not work.
144	if(!isset($_POST["newsort"])) $_POST["newsort"]="";
145	if(!isset($_POST["desc"])) $_POST["desc"]="";
146
147	if($_POST["newsort"]!="") {
148	//$displayTable->setSort($_POST["newsort"]);
149	foreach ($displayTable->thecolumns as $therow){
150	if ($_POST["newsort"]==$therow["name"]) $therow["sortorder"]? $displayTable->querysortorder=$therow["sortorder"] : $displayTable->querysortorder=$therow["column"];
151	}
152	$_POST["startnum"]=1;
153	} elseif($_POST["desc"]!="") $displayTable->querysortorder.=" DESC";
154
155	if($displayTable->querytype!="new" and $displayTable->querytype!="edit") {
156
157	//record offset?
158	if(isset($_POST["offset"])) if($_POST["offset"]!="") $displayTable->recordoffset=$_POST["offset"];
159
160	$displayTable->issueQuery();
161
162	$phpbms->cssIncludes[] = "pages/search.css";
163	$phpbms->cssIncludes[] = "pages/bms/clientaddresses.css";
164	$phpbms->jsIncludes[] = "common/javascript/queryfunctions.js";
165	$phpbms->topJS[] = 'xtraParamaters="backurl="+encodeURIComponent("'.$backurl.'")+String.fromCharCode(38)+"tabledefid="+encodeURIComponent("'.$reftableid.'")+String.fromCharCode(38)+"refid="+encodeURIComponent("'.$clientAddress->clientid.'");';
166
167	include("header.php");
168
169	$phpbms->showTabs("clients entry", "tab:625192d0-00e6-ae2c-5b8c-f433bbf6e546", ((int) $_GET["id"]));?><div class="bodyline">
170
171	<h1 id="h1Title"><?php echo $pageTitle?></h1>
172
173	<form name="search" id="search" action="<?php echo htmlentities($_SERVER["REQUEST_URI"])?>" method="post" onsubmit="setSelIDs(this);return true;">
174	<input name="command" id="reset" type="submit"/>
175	<input name="theids" id="theids" type="hidden" />
176	<?php
177	$displayTable->displayQueryButtons();
178
179	$displayTable->displayResultTable();
180	?>
181	</form>
182
183	</div>
184	<?php include("footer.php"); }//end if -> querytype?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/clients_addresses.php

Download in other formats: