Context Navigation

products_prereq.php

Revision 704, 6.9 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors
Property svn:keywords set to `LastChangedBy LastChangedDate LastChangedRevision`

Line
1	<?php
2	/*
3	$Rev$ \| $LastChangedBy$
4	$LastChangedDate$
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39	include("../../include/session.php");
40
41	include("../../include/fields.php");
42
43	$refquery = "
44	SELECT
45	`partname`,
46	`uuid`
47	FROM
48	`products`
49	WHERE
50	`id`='".((int) $_GET["id"])."'
51	";
52
53	$refquery=$db->query($refquery);
54	$refrecord=$db->fetchArray($refquery);
55
56	if(isset($_POST["command"])){
57
58	switch($_POST["command"]){
59
60	case"delete":
61	$deletestatement = "
62	DELETE FROM
63	prerequisites
64	WHERE
65	id=".((int) $_POST["deleteid"]);
66
67	$db->query($deletestatement);
68
69	$statusmessage = "Prerequisite removed.";
70	break;
71
72	case"add":
73	if($_POST["productid"]!=$refrecord["uuid"] && $_POST["productid"]!=""){
74
75	$insertstatement = "
76	INSERT INTO
77	prerequisites
78	(parentid,
79	childid)
80	VALUES
81	('".mysql_real_escape_string($refrecord["uuid"])."',
82	'".mysql_real_escape_string($_POST["productid"])."')";
83
84	$db->query($insertstatement);
85
86	$statusmessage = "Prerequisite added.";
87
88	} else {
89
90	$statusmessage = "Prerequisite not added.";
91
92	}//endif
93	break;
94	}//endswitch - comand
95
96	}//endif - command
97
98	$prerequstatement = "
99	SELECT DISTINCT
100	`prerequisites`.`id`,
101	`partnumber`,
102	`partname`,
103	`description`
104	FROM
105	`prerequisites` INNER JOIN `products` ON `prerequisites`.`childid`=`products`.`uuid`
106	WHERE
107	`prerequisites`.`parentid`='".$refrecord["uuid"]."'
108	";
109
110	$prereqresult = $db->query($prerequstatement);
111	$prereqresult? $numrows = $db->numRows($prereqresult): $numrows=0;
112
113	$pageTitle="Product Prerequisites: ".$refrecord["partname"];
114
115	$phpbms->cssIncludes[] = "pages/products.css";
116	$phpbms->jsIncludes[] = "modules/bms/javascript/prereq.js";
117
118	//Form Elements
119	//==============================================================
120	$theform = new phpbmsForm();
121
122	$theinput = new inputSmartSearch($db, "productid", "Pick Product", "", "product", false, 51, 255);
123	$theform->addField($theinput);
124
125	$theform->jsMerge();
126	//==============================================================
127	//End Form Elements
128
129	include("header.php");
130
131	?>
132	<?php $phpbms->showTabs("products entry","tab:9bfc7eea-5abb-f5d8-763f-f78fe499464d",$_GET["id"]);?><div class="bodyline">
133	<h1><span><?php echo $pageTitle ?></span></h1>
134	<form action="<?php echo htmlentities($_SERVER["REQUEST_URI"]) ?>" method="post" name="record">
135	<input id="deleteid" name="deleteid" type="hidden" value="0" />
136	<input id="command" name="command" type="hidden" value="" />
137	<div class="fauxP">
138	<table border="0" cellpadding="3" cellspacing="0" class="querytable">
139	<tr>
140	<th align="left" nowrap="nowrap" class="queryheader">Part Number</th>
141	<th align="left" nowrap="nowrap" class="queryheader">Name</th>
142	<th align="left" width="100%" class="queryheader">Description</th>
143	<th align="center" nowrap="nowrap" class="queryheader"> </th>
144	</tr>
145	<?php
146	$row = 1;
147	if($numrows){
148	while ($prereq=$db->fetchArray($prereqresult)){
149	$row = ($row == 1)? 2: 1;
150	?>
151	<tr class="qr<?php echo $row?>">
152	<td align="left" nowrap="nowrap"><?php echo $prereq["partnumber"] ?></td>
153	<td align="left" nowrap="nowrap"><?php echo $prereq["partname"] ?></td>
154	<td align="left" width="100%"><?php echo $prereq["description"]?$prereq["description"]:" " ?></td>
155	<td align="center">
156	<button type="submit" class="graphicButtons buttonMinus" onclick="return deleteLine(<?php echo $prereq["id"] ?>)"><span>-</span></button>
157	</td>
158	</tr>
159	<?php }//end while
160	?>
161	<tr class="queryfooter">
162	<td> </td>
163	<td> </td>
164	<td> </td>
165	<td> </td>
166	</tr>
167	<?php
168	} else {?>
169	<tr class="norecords"><td colspan="4" align="center">No Prerequisites to Display</td></tr>
170	<?php
171	}//end if
172	?>
173	</table>
174	</div>
175
176	<fieldset>
177	<legend>add new prerequisite</legend>
178
179	<div class="preqAdd fauxP"><?php $theform->showField("productid")?></div>
180
181	<p id="addButtonP"><br />
182	<button type="submit" class="graphicButtons buttonPlus" onclick="return addLine()"><span>+</span></button>
183	</p>
184	</fieldset>
185
186	<fieldset>
187	<legend>notes</legend>
188	<p class="notes">
189	Prerequisites are products that must be purchased by the client
190	on a prior order before this product can be purchased.
191	</p>
192	<p class="notes">
193	For example, if you run a membership organization, a membership (product) might be required
194	before any other products (membership magazine, patches) can be bought.
195	</p>
196	</fieldset>
197	</form>
198	</div>
199	<?php include("footer.php");?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/products_prereq.php

Download in other formats: