From 76c0bd312d2db7f30dbf93552151dbee1abeb365 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Tue, 26 May 2015 08:22:14 -0400
Subject: [PATCH] - fixed FS#3907 - "Reset password" generates too short passwords
---
interface/lib/classes/tform_base.inc.php | 61 ++++++++++++++++++------------
1 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 65f10c5..f5de558 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -98,6 +98,7 @@
var $errorMessage = '';
var $dateformat = "d.m.Y";
+ var $datetimeformat = 'd.m.Y H:i';
var $formDef = array();
var $wordbook;
var $module;
@@ -153,6 +154,7 @@
$this->wordbook = $wb;
$this->dateformat = $app->lng('conf_format_dateshort');
+ $this->datetimeformat = $app->lng('conf_format_datetime');
return true;
}
@@ -270,7 +272,7 @@
unset($tmp_recordid);
$querystring = str_replace("{AUTHSQL}", $this->getAuthSQL('r'), $querystring);
- $querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', "self::table_auth_sql", $querystring);
+ $querystring = preg_replace_callback('@{AUTHSQL::(.+?)}@', create_function('$matches','global $app; $tmp = $app->tform->getAuthSQL("r", $matches[1]); return $tmp;'), $querystring);
// Getting the records
$tmp_records = $app->db->queryAllRecords($querystring);
@@ -312,7 +314,12 @@
}
-
+ /*
+ function table_auth_sql($matches){
+ return $this->getAuthSQL('r', $matches[1]);
+ }
+ */
+
/**
* Get the key => value array of a form filled from a datasource definitiom
*
@@ -342,7 +349,7 @@
return $values;
} else {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+ $client = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
$allowed = explode(',', $client['lm']);
}
}
@@ -354,19 +361,19 @@
} else {
//* Get the limits of the client that is currently logged in
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+ $client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
//echo "SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
//* If the client belongs to a reseller, we will check against the reseller Limit too
if($client['parent_client_id'] != 0) {
//* first we need to know the groups of this reseller
- $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ".$client['parent_client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
$reseller_groups = $tmp["groups"];
$reseller_userid = $tmp["userid"];
// Get the limits of the reseller of the logged in client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
- $reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ".$client['parent_client_id']);
+ $reseller = $app->db->queryOneRecord("SELECT ".$limit_parts[1]." as lm FROM client WHERE client_id = ?", $client['parent_client_id']);
$allowed = explode(',', $reseller['lm']);
} else {
return $values;
@@ -440,7 +447,7 @@
if(is_array($field['value'])) {
foreach($field['value'] as $k => $v) {
$selected = ($k == $val)?' SELECTED':'';
- if(!empty($this->wordbook[$v]))
+ if(isset($this->wordbook[$v]))
$v = $this->wordbook[$v];
$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
}
@@ -703,13 +710,8 @@
if($record[$key] != '' && $record[$key] != '0000-00-00') {
if(function_exists('date_parse_from_format')) {
$date_parts = date_parse_from_format($this->dateformat, $record[$key]);
- //list($tag,$monat,$jahr) = explode('.',$record[$key]);
- $new_record[$key] = $date_parts['year'].'-'.$date_parts['month'].'-'.$date_parts['day'];
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ $new_record[$key] = $date_parts['year'].'-'.str_pad($date_parts['month'], 2, "0", STR_PAD_LEFT).'-'.str_pad($date_parts['day'], 2, "0", STR_PAD_LEFT);
} else {
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
$tmp = strtotime($record[$key]);
$new_record[$key] = date('Y-m-d', $tmp);
}
@@ -719,8 +721,6 @@
break;
case 'INTEGER':
$new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
- //if($new_record[$key] != $record[$key]) $new_record[$key] = $field['default'];
- //if($key == 'refresh') die($record[$key]);
break;
case 'DOUBLE':
$new_record[$key] = $record[$key];
@@ -730,7 +730,7 @@
break;
case 'DATETIME':
- if (is_array($record[$key]))
+ /*if (is_array($record[$key]))
{
$filtered_values = array_map(create_function('$item', 'return (int)$item;'), $record[$key]);
extract($filtered_values, EXTR_PREFIX_ALL, '_dt');
@@ -738,7 +738,14 @@
if ($_dt_day != 0 && $_dt_month != 0 && $_dt_year != 0) {
$new_record[$key] = date( 'Y-m-d H:i:s', mktime($_dt_hour, $_dt_minute, $_dt_second, $_dt_month, $_dt_day, $_dt_year) );
}
- }
+ } else {*/
+ if($record[$key] != '' && $record[$key] != '0000-00-00 00:00:00') {
+ $tmp = strtotime($record[$key]);
+ $new_record[$key] = date($this->datetimeformat, $tmp);
+ } else {
+ $new_record[$key] = '0000-00-00 00:00:00';
+ }
+ /*}*/
break;
}
@@ -805,6 +812,9 @@
case 'IDNTOUTF8':
$returnval = $app->functions->idn_decode($returnval);
break;
+ case 'TRIM':
+ $returnval = trim($returnval);
+ break;
default:
$this->errorMessage .= "Unknown Filter: ".$filter['type'];
break;
@@ -848,7 +858,7 @@
if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
if($validator['allowempty'] == 'n' || ($validator['allowempty'] == 'y' && $field_value != '')){
if($this->action == 'NEW') {
- $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."'");
+ $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ?", $this->formDef['db_table'], $field_name, $field_value);
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -858,7 +868,7 @@
}
}
} else {
- $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."' AND ".$this->formDef['db_table_idx']." != ".$this->primary_id);
+ $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ?? WHERE ?? = ? AND ?? != ?", $this->formDef['db_table'], $field_name, $field_value, $this->formDef['db_table_idx'], $this->primary_id);
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
@@ -871,7 +881,7 @@
}
break;
case 'NOTEMPTY':
- if(empty($field_value)) {
+ if(!isset($field_value) || $field_value === '') {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
$this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
@@ -1103,6 +1113,7 @@
* @param primary_id
* @return record
*/
+ /* TODO: check for double quoting */
protected function _getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '', $api = false) {
global $app;
@@ -1134,7 +1145,7 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
- $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
$record[$key] = $tmp['crypted'];
$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} else {
@@ -1162,7 +1173,7 @@
$record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
- $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD(?) as `crypted`", stripslashes($record[$key]));
$record[$key] = $tmp['crypted'];
$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
} else {
@@ -1354,8 +1365,8 @@
function getDataRecord($primary_id) {
global $app;
$escape = '`';
- $sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id." AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
- return $app->db->queryOneRecord($sql);
+ $sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
+ return $app->db->queryOneRecord($sql, $this->formDef['db_table'], $this->formDef['db_table_idx'], $primary_id);
}
@@ -1367,7 +1378,7 @@
}
function getAuthSQL($perm, $table = '') {
- if($_SESSION["s"]["user"]["typ"] == 'admin') {
+ if($_SESSION["s"]["user"]["typ"] == 'admin' || $_SESSION['s']['user']['mailuser_id'] > 0) {
return '1';
} else {
if ($table != ''){
--
Gitblit v1.9.1