
Changeset 720 for trunk/phpbms/common

Timestamp:
01/06/10 17:04:26 (2 years ago)
Author:
brieb
Message:
  • fixed checkunique breaking with uuids and possible SQL injection
  • fixed backslashes in searches
  • fixed mark_as in invoice search commands incorrectly setting value to string 'NULL'
Files:
1 modified

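--- a/trunk/phpbms/common/javascript/fields.js
+++ b/trunk/phpbms/common/javascript/fields.js
@@ -237,17 +237,27 @@
 }
 
-function checkUnique(tabledefid,column,checkvalue,excludeid){
-
-        var theurl=APP_PATH+"checkunique.php?tdid="+parseInt(tabledefid);
-        theurl=theurl+"&c="+encodeURIComponent(column);
-        theurl=theurl+"&val="+encodeURIComponent(checkvalue);
-        theurl=theurl+"&xid="+parseInt(excludeid);
-
+function checkUnique(tabledefuuid , columnName, value, excludeuuid){
+
+        var theurl= APP_PATH + "checkunique.php?tduuid=" + encodeURIComponent(tabledefuuid);
+
+        theurl=theurl+"&cname="+encodeURIComponent(columnName);
+        theurl=theurl+"&value="+encodeURIComponent(value);
+        theurl=theurl+"&xuuid="+encodeURIComponent(excludeuuid);
 
         loadXMLDoc(theurl,null,false);
 
-        response = req.responseXML.documentElement;
-        thevalue = response.getElementsByTagName('isunique')[0].firstChild.data;
-
-        if(thevalue==1) return true; else return false;
-}
+        var isUnique = false;
+
+        try {
+
+            isUnique = eval("(" + req.responseText + ")")
+
+        } catch(err) {
+
+            isUnique = false;
+
+        }
+
+        return isUnique;
+
+}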
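Review bot: The new line 253, `isUnique = eval("(" + req.responseText + ")")`, executes whatever checkunique.php returns as script in the caller's origin, so any way of influencing that response body (a reflected parameter, an error page, or a tampered response on a non-TLS connection) becomes arbitrary code execution in the page, and the unvalidated result — not necessarily a boolean — is what gets returned. If the supported browsers provide `JSON.parse` (or the app ships a json2.js shim), replace the line with `isUnique = JSON.parse(req.responseText) === true;`, which both parses safely and pins the return value to a boolean. The `catch(err)` block also discards the error, so a malformed response is indistinguishable from "not unique"; consider at least logging it, e.g. `if (window.console) console.error("checkUnique: bad response", err);`. `req` is not declared here and appears to be a global populated by `loadXMLDoc`, which is defined outside this hunk.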