From aebc94e92488fa3ecaaebe713560b65986a271d4 Mon Sep 17 00:00:00 2001
From: mrtnzlml <mrtnzlml@ispconfig3>
Date: Fri, 26 Jul 2013 15:41:35 -0400
Subject: [PATCH] fixed bug, see http://www.howtoforge.com/forums/showthread.php?p=298953
---
interface/lib/classes/remoting_lib.inc.php | 400 ++++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 298 insertions(+), 102 deletions(-)
diff --git a/interface/lib/classes/remoting_lib.inc.php b/interface/lib/classes/remoting_lib.inc.php
index 3f46ef4..5186c3c 100644
--- a/interface/lib/classes/remoting_lib.inc.php
+++ b/interface/lib/classes/remoting_lib.inc.php
@@ -37,39 +37,37 @@
/**
* Formularbehandlung
*
-* Funktionen zur Umwandlung von Formulardaten
-* sowie zum vorbereiten von HTML und SQL
-* Ausgaben
+* Functions to validate, display and save form values
*
-* Tabellendefinition
+* Database table field definitions
*
-* Datentypen:
-* - INTEGER (Wandelt Ausdr�cke in Int um)
+* Datatypes:
+* - INTEGER (Converts data to int automatically)
* - DOUBLE
-* - CURRENCY (Formatiert Zahlen nach W�hrungsnotation)
-* - VARCHAR (kein weiterer Format Check)
-* - DATE (Datumsformat, Timestamp Umwandlung)
+* - CURRENCY (Formats digits in currency notation)
+* - VARCHAR (No format check)
+* - DATE (Date format, converts from and to UNIX timestamps automatically)
*
* Formtype:
-* - TEXT (normales Textfeld)
-* - PASSWORD (Feldinhalt wird nicht angezeigt)
-* - SELECT (Gibt Werte als option Feld aus)
-* - MULTIPLE (Select-Feld mit nehreren Werten)
+* - TEXT (Normal text field)
+* - PASSWORD (password field, the content will not be displayed again to the user)
+* - SELECT (Option fiield)
+* - MULTIPLE (Allows selection of multiple values)
*
* VALUE:
-* - Wert oder Array
+* - Value or array
*
* SEPARATOR
-* - Trennzeichen f�r multiple Felder
+* - separator char used for fileds with multiple values
*
-* Hinweis:
-* Das ID-Feld ist nicht bei den Table Values einzuf�gen.
+* Hint: The auto increment (ID) filed of the table has not be be definied separately.
+*
*/
class remoting_lib {
/**
- * Definition of the database atble (array)
+ * Definition of the database table (array)
* @var tableDef
*/
private $tableDef;
@@ -115,13 +113,15 @@
var $sys_userid;
var $sys_default_group;
var $sys_groups;
+ var $client_id;
+ var $dataRecord;
//* Load the form definition from file.
function loadFormDef($file) {
global $app,$conf;
- include_once($file);
+ include($file);
$this->formDef = $form;
unset($this->formDef['tabs']);
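Review bot: The result of the new `include($file)` is never checked, so a missing or empty definition file leaves `$form` undefined and `$this->formDef` becomes null before the `unset` on the next line. Switching from `include_once` to `include` is presumably deliberate so that `$form` is re-read on every call instead of keeping the value from an earlier form; a comment would stop the next maintainer from reverting it, e.g. `//* include, not include_once: $form must be refreshed on every call`. A guard after the include, `if(!isset($form) || !is_array($form)) $app->error('Form definition not found.');`, fails loudly instead, and the whole construct is only safe as long as `$file` is never assembled from remoting parameters, which this hunk cannot show. loadFormDef continues outside the hunk.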
@@ -138,12 +138,12 @@
}
//* Load the user profile
- function loadUserProfile($client_id = 0) {
+ function loadUserProfile($client_id_param = 0) {
global $app,$conf;
- $client_id = intval($client_id);
+ $this->client_id = $app->functions->intval($client_id_param);
- if($client_id == 0) {
+ if($this->client_id == 0) {
$this->sys_username = 'admin';
$this->sys_userid = 1;
$this->sys_default_group = 1;
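Review bot: A `$client_id_param` of 0 — including anything the int cast reduces to 0, such as a non-numeric string — silently selects the built-in admin identity (`sys_userid = 1`, `sys_default_group = 1`) on the lines after the check, so any caller acting on behalf of a client must pass a real, validated client id. That contract is not documented anywhere in the hunk; a comment above the `if` would make it explicit: `//* 0 = act as admin (userid 1, group 1); never forward an untrusted or unvalidated client id here`. `$app->functions->intval` is not visible, so its behaviour on non-numeric input is assumed to match PHP's `intval`. loadUserProfile continues outside the hunk.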
@@ -161,7 +161,7 @@
}
}*/
- $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = $client_id");
+ $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = $this->client_id");
$this->sys_username = $user['username'];
$this->sys_userid = $user['userid'];
$this->sys_default_group = $user['default_group'];
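Review bot: When no `sys_user` row matches `$this->client_id`, `$user` is empty and the lines after the query set `sys_username`, `sys_userid` and `sys_default_group` to null, values that later land in the `sys_userid`/`sys_groupid` columns written by the save path and in the auth SQL. The query itself is safe because `client_id` was cast to int in the previous hunk, but the missing-row case deserves an explicit failure, e.g. `if(!is_array($user) || empty($user['userid'])) { $this->errorMessage .= 'No sys_user for client_id '.$this->client_id; return false; }` — whether queryOneRecord returns false or an empty array on no match is not visible here. The enclosing function starts and ends outside the hunk.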
@@ -176,7 +176,8 @@
/**
- * Converts data in human readable form
+ * Converts the data in the array to human readable format
+ * Datatype conversion e.g. to show the data in lists
*
* @param record
* @return record
@@ -208,7 +209,7 @@
break;
case 'INTEGER':
- $new_record[$key] = intval($record[$key]);
+ $new_record[$key] = $app->functions->intval($record[$key]);
break;
case 'DOUBLE':
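Review bot: The replaced INTEGER line now dereferences `$app`, which only works if decode declares `global $app;` at its top; that declaration is outside the hunk, and the sibling `encode` needed exactly that line added in this same commit, so it is worth confirming decode has it. Without it `$app` is an undefined local and the INTEGER branch fatals on a method call on null. A one-line `global $app;` at the top of decode is the fix if it is missing.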
@@ -216,7 +217,7 @@
break;
case 'CURRENCY':
- $new_record[$key] = number_format($record[$key], 2, ',', '');
+ $new_record[$key] = $app->functions->currency_format($record[$key]);
break;
default:
@@ -257,7 +258,7 @@
unset($tmp_recordid);
$querystring = str_replace("{AUTHSQL}",$this->getAuthSQL('r'),$querystring);
-
+
// Getting the records
$tmp_records = $app->db->queryAllRecords($querystring);
if($app->db->errorMessage != '') die($app->db->errorMessage);
@@ -279,7 +280,7 @@
$app->uses($datasource_class);
$values = $app->$datasource_class->$datasource_function($field, $record);
} else {
- $this->errorMessage .= "Custom datasource class or function is empty<br>\r\n";
+ $this->errorMessage .= "Custom datasource class or function is empty<br />\r\n";
}
}
@@ -288,29 +289,39 @@
}
/**
- * Converts the data in a format to store it in the database table
+ /**
+ * Rewrite the record data to be stored in the database
+ * and check values with regular expressions.
*
* @param record = Datensatz als Array
* @return record
*/
- function encode($record) {
-
+ function encode($record,$dbencode = true) {
+ global $app;
if(is_array($record)) {
foreach($this->formDef['fields'] as $key => $field) {
- if(isset($field['validators']) && is_array($field['validators'])) $this->validateField($key, (isset($record[$key]))?$record[$key]:'', $field['validators']);
+ //* Apply filter to record value
+ if(isset($field['filters']) && is_array($field['filters'])) {
+ $record[$key] = $this->filterField($key, (isset($record[$key]))?$record[$key]:'', $field['filters'], 'SAVE');
+ }
+
+ //* Validate record value
+ if(isset($field['validators']) && is_array($field['validators'])) {
+ $this->validateField($key, (isset($record[$key]))?$record[$key]:'', $field['validators']);
+ }
switch ($field['datatype']) {
case 'VARCHAR':
if(!@is_array($record[$key])) {
- $new_record[$key] = (isset($record[$key]))?mysql_real_escape_string($record[$key]):'';
+ $new_record[$key] = (isset($record[$key]))?$record[$key]:'';
} else {
$new_record[$key] = implode($field['separator'],$record[$key]);
}
break;
case 'TEXT':
if(!is_array($record[$key])) {
- $new_record[$key] = mysql_real_escape_string($record[$key]);
+ $new_record[$key] = $record[$key];
} else {
$new_record[$key] = implode($field['separator'],$record[$key]);
}
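Review bot: Dropping `mysql_real_escape_string` from the VARCHAR and TEXT branches moves all SQL escaping to the single `$app->db->quote` at the end of the field loop, which only runs when `$dbencode` is true, so `encode($record, false)` now returns completely unescaped values and the new docblock does not say so. The `@param` list should document the flag: `@param dbencode = true (default) SQL-quotes every returned value; with false the caller must quote before building SQL`. Also, the new filter step runs before the VARCHAR/TEXT `is_array` check, so a multi-value field reaches `strtolower`/`strtoupper` inside filterField as an array; an `is_array($record[$key])` guard before the filterField call would avoid that. Finally, the hunk opens a second `/**` directly under the existing one, leaving a stray `/**` line in the docblock.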
@@ -325,21 +336,29 @@
break;
case 'DATE':
if($record[$key] != '' && $record[$key] != '0000-00-00') {
- list($tag,$monat,$jahr) = explode('.',$record[$key]);
- $new_record[$key] = $jahr.'-'.$monat.'-'.$tag;
- //$tmp = strptime($record[$key],$this->dateformat);
- //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ if(function_exists('date_parse_from_format')) {
+ $date_parts = date_parse_from_format($this->dateformat,$record[$key]);
+ //list($tag,$monat,$jahr) = explode('.',$record[$key]);
+ $new_record[$key] = $date_parts['year'].'-'.$date_parts['month'].'-'.$date_parts['day'];
+ //$tmp = strptime($record[$key],$this->dateformat);
+ //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ } else {
+ //$tmp = strptime($record[$key],$this->dateformat);
+ //$new_record[$key] = ($tmp['tm_year']+1900).'-'.($tmp['tm_mon']+1).'-'.$tmp['tm_mday'];
+ $tmp = strtotime($record[$key]);
+ $new_record[$key] = date('Y-m-d',$tmp);
+ }
} else {
$new_record[$key] = '0000-00-00';
}
break;
case 'INTEGER':
- $new_record[$key] = (isset($record[$key]))?intval($record[$key]):0;
+ $new_record[$key] = (isset($record[$key]))?$app->functions->intval($record[$key]):0;
//if($new_record[$key] != $record[$key]) $new_record[$key] = $field['default'];
//if($key == 'refresh') die($record[$key]);
break;
case 'DOUBLE':
- $new_record[$key] = mysql_real_escape_string($record[$key]);
+ $new_record[$key] = $record[$key];
break;
case 'CURRENCY':
$new_record[$key] = str_replace(",",".",$record[$key]);
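Review bot: A date that does not match `$this->dateformat` is not rejected on the DATE branch: `date_parse_from_format` reports the failure through `error_count` and returns false for the missing parts, so a string like `--` is stored instead of a date, and the `strtotime` fallback turns an unparsable value into `1970-01-01` because `date('Y-m-d', false)` is a valid call. Both paths should check the parse result and report through `$this->errorMessage` rather than store garbage. The first path also stores unpadded months and days (`2013-7-26`); `sprintf('%04d-%02d-%02d', …)` keeps the stored format uniform.
```php
case 'DATE':
    if($record[$key] != '' && $record[$key] != '0000-00-00') {
        if(function_exists('date_parse_from_format')) {
            $date_parts = date_parse_from_format($this->dateformat,$record[$key]);
            if($date_parts['error_count'] > 0 || $date_parts['year'] === false || $date_parts['month'] === false || $date_parts['day'] === false) {
                $this->errorMessage .= "Invalid date in field ".$key."<br />\r\n";
                $new_record[$key] = '0000-00-00';
            } else {
                $new_record[$key] = sprintf('%04d-%02d-%02d', $date_parts['year'], $date_parts['month'], $date_parts['day']);
            }
        } else {
            $tmp = strtotime($record[$key]);
            if($tmp === false) {
                $this->errorMessage .= "Invalid date in field ".$key."<br />\r\n";
                $new_record[$key] = '0000-00-00';
            } else {
                $new_record[$key] = date('Y-m-d',$tmp);
            }
        }
    } else {
        $new_record[$key] = '0000-00-00';
    }
    break;
```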
@@ -367,11 +386,54 @@
$this->errorMessage .= $errmsg."\r\n";
}
}
-
-
+
+ //* Add slashes to all records, when we encode data which shall be inserted into mysql.
+ if($dbencode == true) $new_record[$key] = $app->db->quote($new_record[$key]);
}
}
+ if(isset($record['_ispconfig_pw_crypted'])) $new_record['_ispconfig_pw_crypted'] = $record['_ispconfig_pw_crypted']; // this one is not in form definitions!
return $new_record;
+ }
+
+ /**
+ * process the filters for a given field.
+ *
+ * @param field_name = Name of the field
+ * @param field_value = value of the field
+ * @param filters = Array of filters
+ * @param filter_event = 'SAVE'or 'SHOW'
+ * @return record
+ */
+
+ function filterField($field_name, $field_value, $filters, $filter_event) {
+
+ global $app;
+ $returnval = $field_value;
+
+ //* Loop trough all filters
+ foreach($filters as $filter) {
+ if($filter['event'] == $filter_event) {
+ switch ($filter['type']) {
+ case 'TOLOWER':
+ $returnval = strtolower($field_value);
+ break;
+ case 'TOUPPER':
+ $returnval = strtoupper($field_value);
+ break;
+ case 'IDNTOASCII':
+ $returnval = $app->functions->idn_encode($field_value);
+ break;
+ case 'IDNTOUTF8':
+ $returnval = $app->functions->idn_decode($field_value);
+ break;
+ default:
+ $this->errorMessage .= "Unknown Filter: ".$filter['type'];
+ break;
+ }
+ }
+ }
+
+ return $returnval;
}
/**
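Review bot: The new filterField never composes filters: every case derives `$returnval` from the original `$field_value`, so with two filters on one field (say TOLOWER followed by IDNTOASCII) only the last matching filter's result survives. Each case should operate on `$returnval` instead. The function also hands array values (multi-select fields) straight to `strtolower`/`strtoupper`, which yields null with a warning; that case needs a guard or a documented restriction. A docblock line `Filters run in definition order, each receiving the previous filter's result` would pin the contract once fixed.
```php
switch ($filter['type']) {
    case 'TOLOWER':
        $returnval = strtolower($returnval);
        break;
    case 'TOUPPER':
        $returnval = strtoupper($returnval);
        break;
    case 'IDNTOASCII':
        $returnval = $app->functions->idn_encode($returnval);
        break;
    case 'IDNTOUTF8':
        $returnval = $app->functions->idn_decode($returnval);
        break;
    // … unchanged: default branch …
}
```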
@@ -398,75 +460,182 @@
if(!preg_match($validator['regex'], $field_value)) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
break;
case 'UNIQUE':
- if($this->action == 'INSERT') {
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'n' || ($validator['allowempty'] == 'y' && $field_value != '')){
+ if($this->action == 'NEW') {
$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."'");
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
- } else {
+ } else {
$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM ".$escape.$this->formDef['db_table'].$escape. " WHERE $field_name = '".$app->db->quote($field_value)."' AND ".$this->formDef['db_table_idx']." != ".$this->primary_id);
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
- }
+ }
+ }
break;
case 'NOTEMPTY':
if(empty($field_value)) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
break;
case 'ISEMAIL':
- if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $field_value)) {
+ if(function_exists('filter_var')) {
+ if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ } else {
+ if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $field_value)) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ }
break;
case 'ISINT':
- $tmpval = intval($field_value);
+ if(function_exists('filter_var')) {
+ if($field_value != '' && filter_var($field_value, FILTER_VALIDATE_INT) === false) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ } else {
+ $tmpval = $app->functions->intval($field_value);
if($tmpval === 0 and !empty($field_value)) {
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ }
break;
case 'ISPOSITIVE':
if(!is_numeric($field_value) || $field_value <= 0){
$errmsg = $validator['errmsg'];
if(isset($this->wordbook[$errmsg])) {
- $this->errorMessage .= $this->wordbook[$errmsg]."<br>\r\n";
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
} else {
- $this->errorMessage .= $errmsg."<br>\r\n";
+ $this->errorMessage .= $errmsg."<br />\r\n";
}
}
+ break;
+ case 'ISIPV4':
+ $vip=1;
+ if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
+ $groups=explode(".",$field_value);
+ foreach($groups as $group){
+ if($group<0 OR $group>255)
+ $vip=0;
+ }
+ }else{$vip=0;}
+ if($vip==0) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ break;
+ case 'ISIP':
+ if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n';
+ if($validator['allowempty'] == 'y' && $field_value == '') {
+ //* Do nothing
+ } else {
+ //* Check if its a IPv4 or IPv6 address
+ if(isset($validator['separator']) && $validator['separator'] != '') {
+ //* When the field may contain several IP addresses, split them by the char defined as separator
+ $field_value_array = explode($validator['separator'],$field_value);
+ } else {
+ $field_value_array[] = $field_value;
+ }
+ foreach($field_value_array as $field_value) {
+ if(function_exists('filter_var')) {
+ if(!filter_var($field_value,FILTER_VALIDATE_IP)) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ } else {
+ //* Check content with regex, if we use php < 5.2
+ $ip_ok = 0;
+ if(preg_match("/^(\:\:([a-f0-9]{1,4}\:){0,6}?[a-f0-9]{0,4}|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){0,6}?\:\:|[a-f0-9]{1,4}(\:[a-f0-9]{1,4}){1,6}?\:\:([a-f0-9]{1,4}\:){1,6}?[a-f0-9]{1,4})(\/\d{1,3})?$/i", $field_value)){
+ $ip_ok = 1;
+ }
+ if(preg_match("/^[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}(\.)[0-9]{1,3}$/", $field_value)){
+ $ip_ok = 1;
+ }
+ if($ip_ok == 0) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ }
+ }
+ }
+ break;
+ case 'RANGE':
+ //* Checks if the value is within the given range or above / below a value
+ //* Range examples: < 10 = ":10", between 2 and 10 = "2:10", above 5 = "5:".
+ $range_parts = explode(':',trim($validator['range']));
+ $ok = true;
+ if($range_parts[0] != '' && $field_value < $range_parts[0]) {
+ $ok = false;
+ }
+ if($range_parts[1] != '' && $field_value > $range_parts[1]) {
+ $ok = false;
+ }
+ if($ok != true) {
+ $errmsg = $validator['errmsg'];
+ if(isset($this->wordbook[$errmsg])) {
+ $this->errorMessage .= $this->wordbook[$errmsg]."<br />\r\n";
+ } else {
+ $this->errorMessage .= $errmsg."<br />\r\n";
+ }
+ }
+ unset($range_parts);
break;
case 'CUSTOM':
// Calls a custom class to validate this record
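Review bot: The UNIQUE validator now tests `$this->action == 'NEW'`, but the only action strings this file assigns and compares are `INSERT` and `UPDATE` (`$this->action = $action;` followed by `if($action == "INSERT")` further down), so the insert-specific branch is dead and every insert runs the update query with `db_table_idx != `.$this->primary_id. That still finds duplicates while `$this->primary_id` is `0`, but `$this->primary_id` is interpolated without an integer cast, and an empty string there produces a SQL syntax error that passes silently because `$num_rec['number']` is then null. I would compare against `'INSERT'` and cast: `." AND ".$this->formDef['db_table_idx']." != ".$app->functions->intval($this->primary_id)`. Separately, the RANGE case reads `$range_parts[1]` even when the range string has no `:`, raising an undefined-offset notice; `isset($range_parts[1]) && $range_parts[1] != ''` avoids it. validateField starts outside the hunk, and whether `$escape` is defined earlier in it is not visible.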
@@ -476,7 +645,7 @@
$app->uses($validator_class);
$this->errorMessage .= $app->$validator_class->$validator_function($field_name, $field_value, $validator);
} else {
- $this->errorMessage .= "Custom validator class or function is empty<br>\r\n";
+ $this->errorMessage .= "Custom validator class or function is empty<br />\r\n";
}
break;
default:
@@ -504,15 +673,16 @@
$this->action = $action;
$this->primary_id = $primary_id;
+ $this->dataRecord = $record;
- $record = $this->encode($record,$tab);
+ $record = $this->encode($record,true);
$sql_insert_key = '';
$sql_insert_val = '';
$sql_update = '';
- if(!is_array($this->formDef)) $app->error("No form definition found.");
+ if(!is_array($this->formDef)) $app->error("Form definition not found.");
- // gehe durch alle Felder des Tabs
+ // go trough all fields of the tab
if(is_array($record)) {
foreach($this->formDef['fields'] as $key => $field) {
// Wenn es kein leeres Passwortfeld ist
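Review bot: `$this->primary_id = $primary_id;` stores the id uncast, and it is later spliced raw into SQL (the UNIQUE validator's `!= `.$this->primary_id and this function's `WHERE … = `.$primary_id), so a non-integer id from a remoting caller reaches the query unescaped; casting once here, `$primary_id = $app->functions->intval($primary_id); $this->primary_id = $primary_id;`, closes that for both uses. Whether the calling remoting code already casts is not visible in this hunk. Also, the `Form definition not found.` check sits after `$this->encode($record,true)`, which has already iterated `$this->formDef['fields']`; moving the `is_array($this->formDef)` test above the encode call makes the error fire before the warnings. The function's signature and the rest of its body are outside the hunk.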
@@ -521,20 +691,20 @@
if($action == "INSERT") {
if($field['formtype'] == 'PASSWORD') {
$sql_insert_key .= "`$key`, ";
- if($field['encryption'] == 'CRYPT') {
- $salt="$1$";
- $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
- //$salt.=chr(mt_rand(64,126));
- $salt.=$base64_alphabet[mt_rand(0,63)];
- }
- $salt.="$";
- // $salt = substr(md5(time()),0,2);
- $record[$key] = crypt($record[$key],$salt);
+ if ((isset($field['encryption']) && $field['encryption'] == 'CLEARTEXT') || (isset($record['_ispconfig_pw_crypted']) && $record['_ispconfig_pw_crypted'] == 1)) {
+ $sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
+ } elseif(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
+ $record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
+ $sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
+ } elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $record[$key] = $tmp['crypted'];
+ $sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
} else {
- $record[$key] = md5($record[$key]);
+ $record[$key] = md5(stripslashes($record[$key]));
+ $sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
}
- $sql_insert_val .= "'".$record[$key]."', ";
+
} elseif ($field['formtype'] == 'CHECKBOX') {
$sql_insert_key .= "`$key`, ";
if($record[$key] == '') {
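Review bot: The CLEARTEXT / `_ispconfig_pw_crypted` branch applies `$app->db->quote` to a value that `encode($record,true)` has already quoted a few lines above, so a cleartext password containing `'` or `\` is stored with doubled escaping; the CRYPT, MYSQL and MD5 branches avoid this by calling `stripslashes` first. The first branch should do the same: `$sql_insert_val .= "'".$app->db->quote(stripslashes($record[$key]))."', ";`. The final `else` stores an unsalted `md5()` of the password, which is what every PASSWORD field without an explicit `encryption` setting gets; a comment there, `//* legacy default: unsalted md5 — set encryption = 'CRYPT' in new form definitions`, makes that visible. The MYSQL branch depends on the server-side `PASSWORD()` function, which recent MySQL releases no longer provide, so the supported server versions are worth confirming.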
@@ -550,20 +720,20 @@
}
} else {
if($field['formtype'] == 'PASSWORD') {
- if($field['encryption'] == 'CRYPT') {
- $salt="$1$";
- $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
- for ($n=0;$n<8;$n++) {
- //$salt.=chr(mt_rand(64,126));
- $salt.=$base64_alphabet[mt_rand(0,63)];
- }
- $salt.="$";
- // $salt = substr(md5(time()),0,2);
- $record[$key] = crypt($record[$key],$salt);
- } else {
- $record[$key] = md5($record[$key]);
+ if ((isset($field['encryption']) && $field['encryption'] == 'CLEARTEXT') || (isset($record['_ispconfig_pw_crypted']) && $record['_ispconfig_pw_crypted'] == 1)) {
+ $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
+ } elseif(isset($field['encryption']) && $field['encryption'] == 'CRYPT') {
+ $record[$key] = $app->auth->crypt_password(stripslashes($record[$key]));
+ $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
+ } elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
+ $tmp = $app->db->queryOneRecord("SELECT PASSWORD('".$app->db->quote(stripslashes($record[$key]))."') as `crypted`");
+ $record[$key] = $tmp['crypted'];
+ $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
+ } else {
+ $record[$key] = md5(stripslashes($record[$key]));
+ $sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
}
- $sql_update .= "`$key` = '".$record[$key]."', ";
+
} elseif ($field['formtype'] == 'CHECKBOX') {
if($record[$key] == '') {
// if a checkbox is not set, we set it to the unchecked value
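Review bot: The CLEARTEXT / `_ispconfig_pw_crypted` case of the UPDATE path quotes `$record[$key]` again although `encode($record,true)` already quoted every field, while the three sibling branches `stripslashes` before hashing, so cleartext and pre-hashed passwords are stored double-escaped when they contain `'` or `\`. Use `$sql_update .= "`$key` = '".$app->db->quote(stripslashes($record[$key]))."', ";` so the value is escaped exactly once. The comment above this block (`Wenn es kein leeres Passwortfeld ist`) suggests empty password fields are skipped on update, but that test is outside the hunk.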
@@ -585,7 +755,7 @@
}
-
+ // Add backticks for incomplete table names
if(stristr($this->formDef['db_table'],'.')) {
$escape = '';
} else {
@@ -595,7 +765,7 @@
if($action == "INSERT") {
if($this->formDef['auth'] == 'yes') {
- // Setze User und Gruppe
+ // Set user and group
$sql_insert_key .= "`sys_userid`, ";
$sql_insert_val .= ($this->formDef["auth_preset"]["userid"] > 0)?"'".$this->formDef["auth_preset"]["userid"]."', ":"'".$this->sys_userid."', ";
$sql_insert_key .= "`sys_groupid`, ";
@@ -612,7 +782,12 @@
$sql = "INSERT INTO ".$escape.$this->formDef['db_table'].$escape." ($sql_insert_key) VALUES ($sql_insert_val)";
} else {
if($primary_id != 0) {
- $sql_update = substr($sql_update,0,-2);
+ // update client permissions only if client_id > 0
+ if($this->formDef['auth'] == 'yes' && $this->client_id > 0) {
+ $sql_update .= '`sys_userid` = "'.$this->sys_userid.'", ';
+ $sql_update .= '`sys_groupid` = "'.$this->sys_default_group.'", ';
+ }
+ $sql_update = substr($sql_update,0,-2);
$sql = "UPDATE ".$escape.$this->formDef['db_table'].$escape." SET ".$sql_update." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id;
if($sql_ext_where != '') $sql .= " and ".$sql_ext_where;
} else {
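Review bot: The added block rewrites `sys_userid` and `sys_groupid` to the calling client's identity on every UPDATE without checking who owned the row before; if a remoting caller may update a record it does not own (the `$sql_ext_where` scoping only applies when it is non-empty), the update also transfers ownership. If that is the intended fix it should be stated: `//* an update performed as a client (client_id > 0) re-assigns the record to that client's user and group`. The `WHERE … = `.$primary_id` on the next line still interpolates `$primary_id` without an integer cast, so that cast belongs near the top of the function. The enclosing function starts outside the hunk.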
@@ -643,14 +818,24 @@
$sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id;
return $app->db->queryOneRecord($sql);
} elseif (@is_array($primary_id)) {
- $sql_where = '';
+ $sql_offset = 0;
+ $sql_limit = 0;
+ $sql_where = '';
foreach($primary_id as $key => $val) {
$key = $app->db->quote($key);
$val = $app->db->quote($val);
- $sql_where .= "$key = '$val' AND ";
+ if($key == '#OFFSET#') $sql_offset = $app->functions->intval($val);
+ elseif($key == '#LIMIT#') $sql_limit = $app->functions->intval($val);
+ elseif(stristr($val,'%')) {
+ $sql_where .= "$key like '$val' AND ";
+ } else {
+ $sql_where .= "$key = '$val' AND ";
+ }
}
$sql_where = substr($sql_where,0,-5);
+ if($sql_where == '') $sql_where = '1';
$sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$sql_where;
+ if($sql_offset >= 0 && $sql_limit > 0) $sql .= ' LIMIT ' . $sql_offset . ',' . $sql_limit;
return $app->db->queryAllRecords($sql);
} else {
$this->errorMessage = 'The ID must be either an integer or an array.';
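Review bot: In the array form of the lookup each `$key` becomes a column name in `"$key = '$val' AND "` and in the new `"$key like '$val' AND "` after only `$app->db->quote`, which escapes quote characters but does nothing against a key such as `1 OR 1`, yielding `1 OR 1 = '…'` and matching every row; an empty filter now also falls through to `WHERE 1` on the added line and returns the whole table without the `{AUTHSQL}` scoping used elsewhere in this file. Keys should be restricted to real column names before use, e.g. `if($key != '#OFFSET#' && $key != '#LIMIT#' && !preg_match('/^[a-zA-Z0-9_]+$/', $key)) continue;` placed before the quote, or better a lookup in `$this->formDef['fields']`. The `stristr($val,'%')` switch to LIKE also means a caller can no longer do an exact match on a value containing a percent sign; worth a comment on that line.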
@@ -669,6 +854,10 @@
} else {
$modules = $app->db->quote($params['modules']);
}
+ if(isset($params['limit_client']) && $params['limit_client'] > 0) {
+ $modules .= ',client';
+ }
+
if(!isset($params['startmodule'])) {
$startmodule = 'dashboard';
} else {
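Review bot: `$modules .= ',client'` is appended without checking whether `$modules` is empty or already contains `client`, so a user created with an empty module list ends up with `,client` and one that already lists `client` gets it twice; the assignment of `$modules` above the hunk is only partly visible. A small guard keeps the list clean: `if($modules == '') $modules = 'client'; elseif(!in_array('client', explode(',', $modules))) $modules .= ',client';`. The enclosing function starts outside the hunk.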
@@ -681,28 +870,34 @@
$usertheme = $app->db->quote($params["usertheme"]);
$type = 'user';
$active = 1;
- $insert_id = intval($insert_id);
+ $insert_id = $app->functions->intval($insert_id);
$language = $app->db->quote($params["language"]);
$groupid = $app->db->datalogInsert('sys_group', "(name,description,client_id) VALUES ('$username','','$insert_id')", 'groupid');
$groups = $groupid;
+ if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($password));
$sql1 = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id)
- VALUES ('$username',md5('$password'),'$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,$insert_id)";
+ VALUES ('$username','$password','$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,$insert_id)";
$app->db->query($sql1);
}
function ispconfig_sysuser_update($params,$client_id){
global $app;
$username = $app->db->quote($params["username"]);
- $password = $app->db->quote($params["password"]);
- $client_id = intval($client_id);
- $sql = "UPDATE sys_user set username = '$username', passwort = md5('$password') WHERE client_id = $client_id";
+ $clear_password = $app->db->quote($params["password"]);
+ $client_id = $app->functions->intval($client_id);
+ if(!isset($params['_ispconfig_pw_crypted']) || $params['_ispconfig_pw_crypted'] != 1) $password = $app->auth->crypt_password(stripslashes($clear_password));
+ else $password = $clear_password;
+ if ($clear_password) $pwstring = ", passwort = '$password'"; else $pwstring ="" ;
+ $sql = "UPDATE sys_user set username = '$username' $pwstring WHERE client_id = $client_id";
$app->db->query($sql);
}
function ispconfig_sysuser_delete($client_id){
global $app;
- $client_id = intval($client_id);
+ $client_id = $app->functions->intval($client_id);
$sql = "DELETE FROM sys_user WHERE client_id = $client_id";
+ $app->db->query($sql);
+ $sql = "DELETE FROM sys_group WHERE client_id = $client_id";
$app->db->query($sql);
}
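Review bot: `ispconfig_sysuser_delete` now removes both `sys_user` and `sys_group` rows by `client_id`, and nothing stops `$client_id` from being 0 — which the int cast also produces for non-numeric input — while loadUserProfile earlier in this file treats client_id 0 as the admin identity, so if the admin rows carry client_id 0 as that special-casing suggests, a bad id would delete them. A guard at the top, `if($client_id <= 0) return false;`, is cheap insurance. In `ispconfig_sysuser_update`, `if ($clear_password)` is a truthiness test, so a password of `0` is silently not stored; `$clear_password !== ''` is the intended check, and since the variable holds the SQL-quoted value its name misleads. In `ispconfig_sysuser_insert`, `$password` is assigned above the hunk and interpolated into the INSERT without further quoting, which is only safe because `crypt_password` output presumably contains no quote characters and the pre-hashed branch keeps whatever quoting happened above — a comment on that line would record the assumption.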
@@ -711,8 +906,9 @@
$app->db->datalogSave($this->formDef['db_table'], $action, $this->formDef['db_table_idx'], $primary_id, $record_old, $record_new);
return true;
+
/*
-
+ // Add backticks for incomplete table names.
if(stristr($this->formDef['db_table'],'.')) {
$escape = '';
} else {
--
Gitblit v1.9.1