phpBMS

root/trunk/phpbms/modules/bms/post.php

Revision 704, 4.7 KB (checked in by brieb, 2 years ago)
  • Fixed several SQL injection vulnerabilities
  • Fixed several XSS vulnerabilities due to PHP_SELF and REQUEST_URI
  • Fixed several path disclosure errors
1<?php
2/*
3 $Rev: 311 $ | $LastChangedBy: brieb $
4 $LastChangedDate: 2007-10-02 19:51:27 -0600 (Tue, 02 Oct 2007) $
5 +-------------------------------------------------------------------------+
6 | Copyright (c) 2004 - 2010, Kreotek LLC                                  |
7 | All rights reserved.                                                    |
8 +-------------------------------------------------------------------------+
9 |                                                                         |
10 | Redistribution and use in source and binary forms, with or without      |
11 | modification, are permitted provided that the following conditions are  |
12 | met:                                                                    |
13 |                                                                         |
14 | - Redistributions of source code must retain the above copyright        |
15 |   notice, this list of conditions and the following disclaimer.         |
16 |                                                                         |
17 | - Redistributions in binary form must reproduce the above copyright     |
18 |   notice, this list of conditions and the following disclaimer in the   |
19 |   documentation and/or other materials provided with the distribution.  |
20 |                                                                         |
21 | - Neither the name of Kreotek LLC nor the names of its contributore may |
22 |   be used to endorse or promote products derived from this software     |
23 |   without specific prior written permission.                            |
24 |                                                                         |
25 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS     |
26 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT       |
27 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
28 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      |
29 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,   |
30 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT        |
31 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,   |
32 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY   |
33 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT     |
34 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE   |
35 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.    |
36 |                                                                         |
37 +-------------------------------------------------------------------------+
38*/
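/*
 * modules/bms/post.php -- "Post Records" page.
 *
 * Page flow:
 *   1. bootstrap the session (include/session.php);
 *   2. default the posting date range when the form did not send one;
 *   3. build a poster for that range and, if the hidden "cmd" field was
 *      posted, let it process the request;
 *   4. render the date-range form and the poster's sections.
 *
 * Reviewer notes (not verifiable from this file alone -- confirm):
 *   - Authorisation is assumed to happen in session.php; nothing in this
 *     file checks the caller's rights before poster::process() is reached.
 *   - No anti-CSRF token is emitted in the form below or checked before
 *     process($_POST) runs.  A cross-site POST carrying "cmd" would reach
 *     process() unless session.php or the poster class rejects it.
 *   - startdate/enddate are taken from $_POST and passed through
 *     stringToDate() into the poster; how the poster quotes them in SQL is
 *     not visible here.
 */
require_once("../../include/session.php");

require_once("include/fields.php");
require_once("include/post.php");
require_once("include/post_class.php");

// Default range: first day of the current month through today.
// The year must be the four-digit date("Y").  The previous date("y")
// (two-digit) is only mapped to 20xx by mktime() for values 00-69; it would
// silently flip to 19xx for 70-99 and is wrong outside that window.
// isset() deliberately mirrors the old check: an empty string still goes
// through stringToDate(), whose handling of "" is not visible here.
if(!isset($_POST["startdate"]))
   $_POST["startdate"] = dateToString(mktime(0, 0, 0, date("m"), 1, date("Y")));

if(!isset($_POST["enddate"]))
   $_POST["enddate"] = dateToString(mktime(0, 0, 0));

// Build the poster for the selected range; stringToDate() converts the
// form's display format into the form the poster constructor takes.
$poster = new poster($db, stringToDate($_POST["startdate"]), stringToDate($_POST["enddate"]));
$poster->getSections();

// "cmd" is a hidden field filled in by modules/bms/javascript/post.js when
// the user clicks "post records".  $statusmessage is pre-set so a later
// include that reads it (presumably header.php -- confirm) never sees an
// undefined variable on a plain GET.
$statusmessage = null;
if(isset($_POST["cmd"]))
    $statusmessage = $poster->process($_POST);

$pageTitle = "Post Records";

$phpbms->cssIncludes[] = "pages/bms/post.css";
$phpbms->jsIncludes[] = "modules/bms/javascript/post.js";

//Form Elements
//==============================================================
$theform = new phpbmsForm();

// Both pickers are seeded from $poster->startdate / ->enddate, not straight
// from the raw $_POST strings.
$theinput = new inputDatePicker("startdate", dateToString($poster->startdate, "SQL"), "start date");
$theform->addField($theinput);

$theinput = new inputDatePicker("enddate", dateToString($poster->enddate, "SQL"), "end date");
$theform->addField($theinput);

$theform->jsMerge();
//==============================================================
//End Form Elements

// The form posts back to this script.  PHP_SELF includes client-controlled
// PATH_INFO, so it must be escaped for the attribute context; ENT_QUOTES
// also neutralises a single quote, not only the double quote that delimits
// the attribute.
$formAction = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES);

include("header.php");

?><div class="bodyline" id="mainline">
        <form action="<?php echo $formAction ?>" method="post" name="record" id="record" onsubmit="return false">
        <input type="hidden" id="cmd" name="cmd" value=""/>

        <h1><span><?php echo htmlspecialchars($pageTitle) ?></span></h1>

        <fieldset>
                <legend>posting date range</legend>

                <p class="dateranges"><?php $theform->showField("startdate")?></p>

                <p class="dateranges"><?php $theform->showField("enddate")?></p>

                <p>
                    <br />
                    <button id="changeDateRange" type="button" class="Buttons">find</button>
                </p>
        </fieldset>

        <fieldset>
                <legend>Post Transactions</legend>
                <?php echo $poster->showSections(); ?>
        </fieldset>

        <p id="bottomButtonsP">
            <button type="button" class="Buttons" id="postRecordsButton">post records</button>
        </p>

        </form>
</div>

<?php include("footer.php"); ?>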