From 2af58c77572fbc32c1c617764ebdd0252be24292 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Tue, 14 Apr 2015 12:54:42 -0400
Subject: [PATCH] - finished rewriting of sql statements
---
interface/lib/classes/tform.inc.php | 24 +++++++++++-------------
1 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 8905be0..30a71db 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -79,8 +79,8 @@
$escape = '`';
}
- $sql = "SELECT ".$this->formDef['db_table_idx']." FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$record_id." AND ".$this->getAuthSQL($perm);
- if($record = $app->db->queryOneRecord($sql)) {
+ $sql = "SELECT ?? FROM ?? WHERE ?? = ? AND ".$this->getAuthSQL($perm);
+ if($record = $app->db->queryOneRecord($sql, $this->formDef['db_table_idx'], $this->formDef['db_table'], $this->formDef['db_table_idx'], $record_id)) {
return true;
} else {
return false;
@@ -133,8 +133,8 @@
$escape = '`';
}
- $sql = "SELECT sys_userid FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id;
- $record = $app->db->queryOneRecord($sql);
+ $sql = "SELECT sys_userid FROM ?? WHERE ?? = ?";
+ $record = $app->db->queryOneRecord($sql, $this->formDef['db_table'], $this->formDef['db_table_idx'], $primary_id);
// return true if the readonly flag of the form is set and the current loggedin user is not the owner of the record.
if(isset($this->formDef['tabs'][$tab]['readonly']) && $this->formDef['tabs'][$tab]['readonly'] == true && $record['sys_userid'] != $_SESSION["s"]["user"]["userid"]) {
@@ -161,18 +161,17 @@
global $app;
$check_passed = true;
- $limit_name = $app->db->quote($limit_name);
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
- $client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
+ $client = $app->db->queryOneRecord("SELECT ?? as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $limit_name, $client_group_id);
// Check if the user may add another item
if($client["number"] >= 0) {
- $sql = "SELECT count(".$this->formDef['db_table_idx'].") as number FROM ".$this->formDef['db_table']." WHERE ".$this->getAuthSQL('u');
+ $sql = "SELECT count(??) as number FROM ?? WHERE ".$this->getAuthSQL('u');
if($sql_where != '') $sql .= ' and '.$sql_where;
- $tmp = $app->db->queryOneRecord($sql);
+ $tmp = $app->db->queryOneRecord($sql, $this->formDef['db_table_idx'], $this->formDef['db_table']);
if($tmp["number"] >= $client["number"]) $check_passed = false;
}
@@ -183,7 +182,6 @@
global $app;
$check_passed = true;
- $limit_name = $app->db->quote($limit_name);
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
@@ -194,19 +192,19 @@
if($client['parent_client_id'] != 0) {
//* first we need to know the groups of this reseller
- $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ".$client['parent_client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
$reseller_groups = $tmp["groups"];
$reseller_userid = $tmp["userid"];
// Get the limits of the reseller of the logged in client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $reseller = $app->db->queryOneRecord("SELECT $limit_name as number FROM client WHERE client_id = ".$client['parent_client_id']);
+ $reseller = $app->db->queryOneRecord("SELECT $limit_name as number FROM client WHERE client_id = ?", $client['parent_client_id']);
// Check if the user may add another item
if($reseller["number"] >= 0) {
- $sql = "SELECT count(".$this->formDef['db_table_idx'].") as number FROM ".$this->formDef['db_table']." WHERE (sys_groupid IN (".$reseller_groups.") or sys_userid = ".$reseller_userid.")";
+ $sql = "SELECT count(??) as number FROM ?? WHERE (sys_groupid IN ? or sys_userid = ?)";
if($sql_where != '') $sql .= ' and '.$sql_where;
- $tmp = $app->db->queryOneRecord($sql);
+ $tmp = $app->db->queryOneRecord($sql, $this->formDef['db_table_idx'], $this->formDef['db_table'], explode(',', $reseller_groups), $reseller_userid);
if($tmp["number"] >= $reseller["number"]) $check_passed = false;
}
}
--
Gitblit v1.9.1