Context Navigation

products_addedit.php

Revision 704, 12.6 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors
Property svn:keywords set to `LastChangedBy LastChangedDate LastChangedRevision`

Line
1	<?php
2	/*
3	$Rev$ \| $LastChangedBy$
4	$LastChangedDate$
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	include("../../include/session.php");
41	include("include/tables.php");
42	include("include/fields.php");
43	include("include/products.php");
44
45	if(!isset($_GET["backurl"]))
46	$backurl = NULL;
47	else{
48	$backurl = $_GET["backurl"];
49	if(isset($_GET["refid"]))
50	$backurl .= "?refid=".$_GET["refid"];
51	}
52
53	$thetable = new products($db,"tbld:7a9e87ed-d165-c4a4-d9b9-0a4adc3c5a34", $backurl);
54	$therecord = $thetable->processAddEditPage();
55
56	if(isset($therecord["phpbmsStatus"]))
57	$statusmessage = $therecord["phpbmsStatus"];
58
59	$pageTitle="Product";
60
61	$phpbms->cssIncludes[] = "pages/products.css";
62	$phpbms->jsIncludes[] = "modules/bms/javascript/product.js";
63
64	//Form Elements
65	//==============================================================
66	$theform = new phpbmsForm();
67	$theform->enctype = "multipart/form-data";
68
69	$theinput = new inputCheckbox("inactive",$therecord["inactive"]);
70	$theform->addField($theinput);
71
72	$theinput = new inputCheckbox("taxable",$therecord["taxable"]);
73	$theform->addField($theinput);
74
75	$temparray = array("Inventory"=>"Inventory","Non-Inventory"=>"Non-Inventory","Service"=>"Service","Kit"=>"Kit","Assembly"=>"Assembly");
76	$theinput = new inputBasicList("type",$therecord["type"],$temparray);
77	$theform->addField($theinput);
78
79	$temparray = array("In Stock (Available)"=>"In Stock","Out of Stock (Unavailable)"=>"Out of Stock","Back Ordered"=>"Backordered");
80	$theinput = new inputBasicList("status",$therecord["status"],$temparray,"availablity");
81	$theform->addField($theinput);
82
83	$theinput = new inputField("partname",$therecord["partname"],"name");
84	$theform->addField($theinput);
85
86	$theinput = new inputField("partnumber",$therecord["partnumber"],"part number",true);
87	$theform->addField($theinput);
88
89	$theinput = new inputField("upc",$therecord["upc"],"UPC");
90	$theform->addField($theinput);
91
92	$theinput = new inputField("description",$therecord["description"],"description",false,NULL,96,255);
93	$theform->addField($theinput);
94
95	$theinput = new inputCurrency("unitprice", $therecord["unitprice"], "unit price" ,true);
96	$theinput->setAttribute("class", "important");
97	$theform->addField($theinput);
98
99	$theinput = new inputCurrency("unitcost", $therecord["unitcost"], "unit cost");
100	$theform->addField($theinput);
101
102	$markup=0;
103	if($therecord["unitcost"]!=0)
104	$markup=round(($therecord["unitprice"]/$therecord["unitcost"])-1,4)*100;
105
106	$theinput = new inputPercentage("markup", $markup, "mark-up",2);
107	$theinput->setAttribute("size","10");
108	$theform->addField($theinput);
109
110	$theinput = new inputField("unitofmeasure",$therecord["unitofmeasure"],"unit of measure");
111	$theform->addField($theinput);
112
113	$theinput = new inputField("weight",$therecord["weight"],NULL,false,"real");
114	$theform->addField($theinput);
115
116	if ($therecord["packagesperitem"])
117	$itemsperpackage=1/$therecord["packagesperitem"];
118	else
119	$itemsperpackage=NULL;
120
121	$theinput = new inputField("packagesperitem",$itemsperpackage,NULL,false,"real",10,16,false);
122	$theform->addField($theinput);
123
124	$theinput = new inputCheckbox("isprepackaged",$therecord["isprepackaged"],"prepackaged");
125	$theform->addField($theinput);
126
127	$theinput = new inputCheckbox("isoversized",$therecord["isoversized"],"oversized");
128	$theform->addField($theinput);
129
130	$theinput = new inputCheckbox("webenabled",$therecord["webenabled"],"web enabled");
131	$theform->addField($theinput);
132
133	$theinput = new inputSmartSearch($db, "morecategories", "Pick Product Category For Product", "", "category");
134	$theform->addField($theinput);
135
136	$theinput = new inputTextarea("memo", $therecord["memo"], "memo", false, 4, 48, false);
137	$theform->addField($theinput);
138
139	$thetable->getCustomFieldInfo();
140	$theform->prepCustomFields($db, $thetable->customFieldsQueryResult, $therecord);
141	$theform->jsMerge();
142	//==============================================================
143	//End Form Elements
144
145	include("header.php");
146	?>
147	<form action="<?php echo htmlentities($_SERVER["REQUEST_URI"]) ?>" method="post" enctype="multipart/form-data" name="record" id="record" onsubmit="return false;">
148	<?php $phpbms->showTabs("products entry","tab:17346362-261b-4d1d-fa77-99e84cfd9b8a",$therecord["id"]);?><div class="bodyline">
149	<input type="hidden" value="" name="command" id="hiddenCommand"/>
150
151	<div id="topButtons"><?php showSaveCancel(1); ?></div>
152	<h1 id="topTitle"><?php echo $pageTitle ?></h1>
153
154	<div id="rightsideDiv">
155	<fieldset>
156	<legend>attributes</legend>
157
158
159	<p><?php $theform->showField("inactive")?></p>
160
161	<p>
162	<label for="categoryid">master category</label><br />
163	<?php $thetable->displayProductCategories($therecord["categoryid"]) ?>
164	</p>
165
166	<p><?php $theform->showField("type")?></p>
167
168	<p><?php $theform->showField("status")?></p>
169
170	<p><?php $theform->showField("taxable")?></p>
171
172	</fieldset>
173
174	<fieldset>
175	<legend>Additional Categories</legend>
176	<p>
177	<?php $theform->showField("morecategories")?>
178	<button type="button" id="addCatButton" class="graphicButtons buttonPlus" title="Add Category"><span>+</span></button>
179	</p>
180
181	<?php $thetable->displayAdditionalCategories($therecord["addcats"]) ?>
182
183	</fieldset>
184
185	</div>
186
187	<div id="leftsideDiv">
188	<fieldset>
189	<legend>identification</legend>
190
191	<p class="big" id="partNameP"><?php $theform->showField("partname")?></p>
192
193	<p class="big"><?php $theform->showField("partnumber") ?></p>
194
195
196	<p><?php $theform->showField("description") ?></p>
197
198	<p><?php $theform->showField("upc") ?></p>
199
200	</fieldset>
201
202	<fieldset>
203	<legend>price / cost</legend>
204
205
206	<p class="costsP"><?php $theform->showField("unitprice")?> = </p>
207
208	<p class="costsP"><?php $theform->showField("unitcost")?> + </p>
209
210	<p class="costsP"><?php $theform->showField("markup")?></p>
211
212	<p>
213	<br />
214	<button type="button" id="updatePrice" class="Buttons">calculate price</button>
215	</p>
216
217	</fieldset>
218
219	<fieldset>
220	<legend>Weight / Measurements</legend>
221
222	<p><?php $theform->showField("weight")?></p>
223
224	<p><?php $theform->showField("unitofmeasure")?></p>
225
226	</fieldset>
227
228	<fieldset>
229	<legend>shipping</legend>
230	<p>
231	<label for="packagesperitem">items per package <span class="notes">(number of product items that can fit in a shipping package)</span></label><br />
232	<?php $theform->showfield("packagesperitem")?>
233	</p>
234
235	<p><?php $theform->showfield("isprepackaged");?> <span class="notes">(product is not packed with any other product.)</span></p>
236
237	<p><?php $theform->showfield("isoversized");?> <span class="notes">(product must be delivered in a box designated as oversized for shipping purposes.)</span></p>
238
239	</fieldset>
240
241	<fieldset>
242	<legend><label for="memo">memo</label></legend>
243
244	<p><?php $theform->showField("memo");?></p>
245
246	</fieldset>
247
248	<fieldset>
249	<legend>web</legend>
250	<p>
251	<?php $theform->showfield("webenabled");?>
252	</p>
253
254	<div style=" <?php if(!$therecord["webenabled"]) echo "display:none;" ?>" id="webstuff">
255	<p>
256	<label for="keywords">keywords <span class="notes">(comma separated key word list)</span></label><br />
257	<input type="text" id="keywords" name="keywords" value="<?php echo htmlQuotes($therecord["keywords"])?>" size="40" maxlength="255"/>
258	</p>
259	<div class="fauxP">
260	<label for="webdescription">web description <span class="notes">(HTML acceptable)</span></label><br />
261
262	<div style=" <?php if($therecord["webdescription"]) echo "display:none;"?>" id="webDescEdit">
263	<textarea id="webdescription" name="webdescription" cols="60" rows="6"><?php echo $therecord["webdescription"] ?></textarea>
264	</div>
265	<div style=" <?php if(!$therecord["webdescription"]) echo "display:none;"?>" id="webDescPreview">
266	<?php echo $therecord["webdescription"] ?>
267	</div>
268	<div><button id="buttonWebPreview" type="button" class="Buttons"><?php if(!$therecord["webdescription"]) echo "preview"; else echo "edit"?></button></div>
269
270	</div>
271
272	<div class="fauxP">
273	thumbnail graphic<br />
274	<?php if($therecord["thumbnailmime"]) {?>
275	<img id="thumbpic" src="<?php echo APP_PATH ?>dbgraphic.php?t=productThumb&r=<?php echo $therecord["id"]?>" style="border: 1px solid black; display: block; margin: 3px;;" />
276	<?php } else {?>
277	<div id="noThumb" class="tiny" align="center">no thumbnail</div>
278	<?php } ?>
279	upload thumbnail<br />
280	<input type="hidden" id="thumbchange" name="thumbchange" value="" />
281	<div id="thumbdelete" style="display:<?php if($therecord["thumbnailmime"]) echo "block"; else echo "none";?>"><button id="deleteThumbButton" type="button" class="Buttons">delete thumbnail</button></div>
282	<div id="thumbadd" style="display:<?php if($therecord["thumbnailmime"]) echo "none"; else echo "block";?>"><input id="thumbnailupload" name="thumbnailupload" type="file" size="40"/></div>
283	</div>
284
285	<div class="fauxP">
286	main picture<br />
287	<?php if($therecord["picturemime"]) {?>
288	<img id="picturepic" src="<?php echo APP_PATH ?>dbgraphic.php?t=productPic&r=<?php echo $therecord["id"]?>" style="border: 1px solid black; display: block; margin: 3px;;" />
289	<?php } else {?>
290	<div id="noPicture" class="tiny" align="center">no picture</div>
291	<?php } ?>
292	upload picture <br />
293	<input type="hidden" id="picturechange" name="picturechange" value="" />
294	<div id="picturedelete" style="display:<?php if($therecord["picturemime"]) echo "block"; else echo "none";?>"><button id="deletePictureButton" type="button" class="Buttons">delete picture</button></div>
295	<div id="pictureadd" style="display:<?php if($therecord["picturemime"]) echo "none"; else echo "block";?>"><input id="pictureupload" name="pictureupload" type="file" size="40" onchange="updatePictureStatus('picture','upload')" tabindex="270"/></div>
296	</div>
297	</div>
298	</fieldset>
299
300	<?php $theform->showCustomFields($db, $thetable->customFieldsQueryResult) ?>
301
302	</div>
303
304
305	<?php $theform->showGeneralInfo($phpbms,$therecord);?>
306	</div>
307	</form>
308	<?php include("footer.php");?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/products_addedit.php

Download in other formats: