From 4912bf99c23d61b81e08f3da385d5f53ed6f5d57 Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Fri, 29 May 2009 23:01:01 +0200 Subject: [PATCH] [svn r21094] Security improvements FS#4261 --- main/reservation/rsys.php | 198 +++++++++++++++++++++++++++++--------- 1 file changed, 152 insertions(+), 46 deletions(-) diff --git a/main/reservation/rsys.php b/main/reservation/rsys.php index e40623cc4c..ec0a0b0819 100644 --- a/main/reservation/rsys.php +++ b/main/reservation/rsys.php @@ -58,7 +58,7 @@ class Rsys { */ function get_num_subscriptions_reservationperiods($res_id) { $sql = "SELECT COUNT(*) FROM ".Rsys :: getTable("subscription")." s - WHERE s.reservation_id = '".$res_id."'"; + WHERE s.reservation_id = '".Database::escape_string($res_id)."'"; return @ Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0); } @@ -179,7 +179,7 @@ class Rsys { * @return - boolean True or False */ function check_category($name, $id=0) { - $sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower($name)."' AND id<>".Database::escape_string($id).""; + $sql = "SELECT name FROM ".Rsys :: getTable("category")." WHERE LCASE(name)='".strtolower(Database::escape_string($name))."' AND id<>".Database::escape_string($id).""; $Result = api_sql_query($sql, __FILE__, __LINE__); return (Database::num_rows($Result) == 0); } @@ -289,6 +289,13 @@ class Rsys { $keyword = Database::escape_string($_GET['keyword']); $sql .= " WHERE name LIKE '%".Database::escape_string($keyword)."%' OR id LIKE '%".Database::escape_string($keyword)."%'"; } + $from = intval($from); + $per_page = intval($per_page); + $column = intval($column); + if(!in_array($direction, array('ASC','DESC'))) { + $direction = 'ASC'; + } + $sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page; $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) 
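Review bot: In the `-289` hunk `$keyword` is escaped twice — once on assignment and again inside each LIKE pattern — so a search term containing a quote or backslash gets its escaping doubled and no longer matches the stored value. Keep the escaped assignment and use it directly: `$sql .= " WHERE name LIKE '%".$keyword."%' OR id LIKE '%".$keyword."%'";`. The LIKE metacharacters `%` and `_` also pass through unescaped, which is not an injection risk but lets a user match more broadly than intended; `addcslashes($keyword, '%_')` closes that if exact-substring search is wanted. The enclosing function's header is outside the hunk.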
@@ -423,7 +430,7 @@ class Rsys { LEFT JOIN ".Rsys :: getTable("item_rights")." ir ON ir.item_id=i.id LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id - WHERE i.id='".$item_id."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")"; + WHERE i.id='".Database::escape_string($item_id)."' AND (". (!empty ($x) ? "(cu.user_id='".api_get_user_id()."' AND ".$x.") OR " : '')." i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")"; return Database::num_rows(api_sql_query($sql, __FILE__, __LINE__)) > 0; } @@ -505,9 +512,16 @@ class Rsys { WHERE ((cu.user_id='".api_get_user_id()."' AND (ir.edit_right=1 OR ir.delete_right=1)) OR i.creator='".api_get_user_id()."' OR 1=". (api_is_platform_admin() ? 1 : 0).")"; if (!empty ($_GET['cat']) && $_GET['cat'] <> 0) { - $sql .= " AND ca.id = '".$_GET['cat']."' "; + $sql .= " AND ca.id = '".Database::escape_string($_GET['cat'])."' "; } - + + $from = intval($from); + $per_page = intval($per_page); + $column = intval($column); + if(!in_array($direction, array('ASC','DESC'))) { + $direction = 'ASC'; + } + $sql .= " GROUP BY i.id ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page; $result = api_sql_query($sql, __FILE__, __LINE__); 
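Review bot: `$x` is still concatenated raw into the WHERE clause of item_allow in the `-423` hunk, next to the newly escaped `$item_id`, and its construction is above the hunk so its origin cannot be confirmed here. Later hunks call `item_allow($item_id, 'm_rights')` and `item_allow($item_id, 'm_reservation')`, which suggests `$x` is a column test derived from that second argument; if so, `Database::escape_string` cannot help (identifiers and operators are never quoted) and the value should be checked against a fixed list before reaching the SQL, e.g. `if (!in_array($right, array('edit_right', 'delete_right', 'm_reservation', 'view_right'), true)) return false;` using whatever name that parameter has, with the `'m_rights'` case mapped explicitly. The mapping from right name to column is not visible in the diff, so treat this as something to confirm against the top of the function.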
@@ -560,14 +574,14 @@ class Rsys { * @return - Array The returned rows */ function get_table_itemrights($from, $per_page, $column, $direction) { - $itemid = $_GET['item_id']; + $itemid = Database::escape_string($_GET['item_id']); $sql = "SELECT id, name FROM ".Database :: get_main_table(TABLE_MAIN_CLASS); $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) { $arr[] = $array; } $sql = "SELECT item_id, class_id,edit_right,delete_right,m_reservation,view_right - FROM ".Rsys :: getTable("item_rights")." WHERE item_id=".$itemid; + FROM ".Rsys :: getTable("item_rights")." WHERE item_id=".$itemid; $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) { $arr1[] = $array; 
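Review bot: `Database::escape_string($_GET['item_id'])` does not close the injection in get_table_itemrights, because `$itemid` is interpolated unquoted into `WHERE item_id=".$itemid` — escaping only neutralises quote characters, and a payload such as `1 OR 1=1` contains none. Since item_id is a numeric key, cast it instead: `$itemid = intval($_GET['item_id']);`. The same unquoted-integer pattern is worth checking everywhere this commit applied escape_string to an id that is not wrapped in quotes in the SQL.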
@@ -618,14 +632,20 @@ class Rsys { } function set_new_right($item_id, $class_id, $column, $value) { + $item_id = Database::escape_string($item_id); + $class_id = Database::escape_string($class_id); + $value = Database::escape_string($value); + $column = Database::escape_string($column); + + $sql = "SELECT item_id FROM ".Rsys :: getTable("item_rights")."WHERE item_id=".$item_id." AND class_id=".$class_id; $result = api_sql_query($sql, __FILE__, __LINE__); $switcher = Database::num_rows($result); if ($switcher > 0) { - $sql = $sql = "UPDATE ".Rsys :: getTable("item_rights")." SET ".$column."='".Database::escape_string($value)."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'"; + $sql = $sql = "UPDATE ".Rsys :: getTable("item_rights")." SET ".$column."='".$value."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'"; api_sql_query($sql, __FILE__, __LINE__); } else { - $sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,".$column.") VALUES ('".Database::escape_string($item_id)."','".Database::escape_string($class_id)."','".$value."')"; + $sql = "INSERT INTO ".Rsys :: getTable("item_rights")." (item_id,class_id,".$column.") VALUES ('".$item_id."','".$class_id."','".$value."')"; api_sql_query($sql, __FILE__, __LINE__); } } @@ -647,6 +667,7 @@ class Rsys { * @return - Array The returned rows */ function get_itemfiltered_class($item_id) { + $item_id = Database::escape_string($item_id); $sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC"; $arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__)); return $arr; 
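Review bot: In set_new_right, `$column` is used as an identifier in `SET ".$column."=` and in the INSERT column list, where `Database::escape_string` gives no protection because identifiers are not quoted; `$item_id` and `$class_id` are likewise interpolated unquoted in the SELECT's `WHERE item_id=".$item_id." AND class_id=".$class_id`, so the new escaping does not stop a `1 OR 1=1` style value there. Whitelist the column against the item_rights columns that get_table_itemrights selects and cast the ids to integers. Separately, `getTable("item_rights")."WHERE"` has no separating space; unless getTable() returns a trailing space, that SELECT is malformed, and the fence below adds one.
```php
function set_new_right($item_id, $class_id, $column, $value) {
    $item_id = intval($item_id);
    $class_id = intval($class_id);
    $value = Database::escape_string($value);
    // $column becomes a SQL identifier: escape_string cannot protect it, only a whitelist can
    if (!in_array($column, array('edit_right', 'delete_right', 'm_reservation', 'view_right'), true)) {
        return false;
    }

    $sql = "SELECT item_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id=".$item_id." AND class_id=".$class_id;
    // … unchanged: num_rows switch, UPDATE / INSERT branches …
```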
@@ -659,6 +680,7 @@ class Rsys { * @return - int The amount */ function get_num_itemfiltered_class($item_id) { + $item_id = Database::escape_string($item_id); $sql = "SELECT COUNT(id) FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id NOT IN (SELECT class_id FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."') ORDER BY name ASC, code ASC"; return Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0); } @@ -690,6 +712,9 @@ class Rsys { * @return - int The id */ function edit_item_right($item_id, $class_id, $edit, $delete, $m_reservation) { + $item_id = Database::escape_string($item_id); + $class_id = Database::escape_string($class_id); + if (!Rsys :: item_allow($item_id, 'm_rights')) return false; $sql = "UPDATE ".Rsys :: getTable("item_rights")." SET edit_right='".Database::escape_string($edit)."', delete_right='".Database::escape_string($delete)."', m_reservation='".Database::escape_string($m_reservation)."' WHERE class_id = '".$class_id."' AND item_id ='".$item_id."'"; @@ -702,6 +727,9 @@ class Rsys { * @param - int $id The id */ function delete_item_right($item_id, $class_id) { + $item_id = Database::escape_string($item_id); + $class_id = Database::escape_string($class_id); + if (!Rsys :: item_allow($item_id, 'm_rights')) return false; $sql = "DELETE FROM ".Rsys :: getTable("item_rights")." WHERE item_id='".$item_id."' AND class_id='".$class_id."'"; 
@@ -709,18 +737,23 @@ class Rsys { } function get_class_group($class_id) { + $class_id = Database::escape_string($class_id); $sql = "SELECT * FROM ".Database :: get_main_table(TABLE_MAIN_CLASS)." WHERE id='".$class_id."'"; $arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__)); return $arr; } function get_item_rights($item_id, $class_id) { + $item_id = Database::escape_string($item_id); + $class_id = Database::escape_string($class_id); + $sql = "SELECT * FROM ".Rsys :: getTable('item_rights')." WHERE item_id='".$item_id."' AND class_id='".$class_id."'"; $arr = api_store_result(api_sql_query($sql, __FILE__, __LINE__)); return $arr; } function black_out_changer($item_id) { + $item_id = Database::escape_string($item_id); $sql = "SELECT blackout FROM ".Rsys :: getTable("item")." WHERE id='".$item_id."'"; $Value = api_store_result(api_sql_query($sql, __FILE__, __LINE__)); ($Value[0][0] == 0 ? $changedValue = 1 : $changedValue = 0); @@ -731,8 +764,11 @@ class Rsys { } function black_out_notifier($item_id, $value) { + $item_id = Database::escape_string($item_id); + $value = Database::escape_string($value); + $sql = "SELECT id, timepicker FROM ".Rsys :: getTable('reservation')." - WHERE item_id='".$item_id."' AND subscribers > '0'"; + WHERE item_id='".$item_id."' AND subscribers > '0'"; $value == 1 ? $sql .= " AND end_at >= (NOW()-7000000) " : $sql .= " AND end_at >= NOW()"; $reservations = api_sql_query($sql, __FILE__, __LINE__); while ($reservation = Database::fetch_array($reservations)) { 
@@ -796,6 +832,13 @@ class Rsys { } function check_date($item_id, $start_date, $end_date, $start_at, $end_at) { + $item_id = Database::escape_string($item_id); + $start_date = Database::escape_string($start_date); + $end_date = Database::escape_string($end_date); + $start_at = Database::escape_string($start_at); + $end_at = Database::escape_string($end_at); + + $sql = "SELECT * FROM ".Rsys :: getTable('reservation')." WHERE item_id='".$item_id."' ORDER BY start_at"; $result = api_sql_query($sql, __FILE__, __LINE__); @@ -810,10 +853,10 @@ class Rsys { } $sql = "SELECT id, start_at, end_at FROM ".Rsys :: getTable('reservation')." - WHERE ((start_at > '".$start_at."' AND - start_at < '".$end_at."') OR - (end_at > '".$start_at."' AND - end_at < '".$end_at."') OR (start_at <= '".$start_at."' AND end_at >= '".$end_at."')) AND item_id='".$item_id."'"; + WHERE ((start_at > '".$start_at."' AND + start_at < '".$end_at."') OR + (end_at > '".$start_at."' AND + end_at < '".$end_at."') OR (start_at <= '".$start_at."' AND end_at >= '".$end_at."')) AND item_id='".$item_id."'"; $result = Database::fetch_array(api_sql_query($sql, __FILE__, __LINE__)); if (count($result) != 0){ $GLOBALS['start_date'] = $result[1]; @@ -824,6 +867,14 @@ class Rsys { } function check_date_edit($item_id, $start_date, $end_date, $start_at, $end_at, $reservation_id) { + $item_id = Database::escape_string($item_id); + $reservation_id = Database::escape_string($reservation_id); + $start_date = Database::escape_string($start_date); + $end_date = Database::escape_string($end_date); + $start_at = Database::escape_string($start_at); + $end_at = Database::escape_string($end_at); + + $sql = "SELECT * FROM ".Rsys :: getTable('reservation')." WHERE item_id='".$item_id."' AND id <> '".$reservation_id."' ORDER BY start_at"; $result = api_sql_query($sql, __FILE__, __LINE__); 
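Review bot: In the `-810` hunk of check_date, the overlap query's single row is tested with `if (count($result) != 0)` after `Database::fetch_array(...)`; if fetch_array returns `false` when there is no row (as the underlying mysql_fetch_array does — confirm for this wrapper), `count(false)` is 1 on PHP 5, so the branch runs and reads `$result[1]` from a boolean, reporting a phantom conflict. Test the row itself: `if ($result !== false) {`, or check `Database::num_rows` on the query result before fetching. The function's tail, including how `$GLOBALS['start_date']` is consumed, is outside the hunk.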
@@ -872,6 +923,7 @@ class Rsys { * Returns an array with items from a category linked to rights(used by m_reservations.php) */ function get_cat_r_items($category) { + $category = Database::escape_string($category); $sql = "SELECT i.id,i.name as catitem FROM ".Rsys :: getTable('item')." i INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id @@ -890,6 +942,7 @@ class Rsys { * Returns an array with [ itemID => "category/item" ] with view_rights (used by reservation.php) */ function get_cat_items($category) { + $category = Database::escape_string($category); $sql = "SELECT i.id,i.name as catitem FROM ".Rsys :: getTable('item')." i INNER JOIN ".Rsys :: getTable('category')." cat ON cat.id=i.category_id @@ -926,6 +979,14 @@ class Rsys { $keyword = Database::escape_string($_GET['keyword']); $sql .= "AND (i.name LIKE '%".$keyword."%' OR i.description LIKE '%".$keyword."%' OR r.notes LIKE '%".$keyword."%')"; } + + $from = intval($from); + $per_page = intval($per_page); + $column = intval($column); + if(!in_array($direction, array('ASC','DESC'))) { + $direction = 'ASC'; + } + $sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page; $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) { 
@@ -935,13 +996,14 @@ class Rsys { } function check_edit_right($id) { + $id = Database::escape_string($id); $sql = "SELECT r.id - FROM ".Rsys :: getTable('reservation')." r - INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id - LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id - LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id - LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id - WHERE ((cu.user_id='".api_get_user_id()."'AND ir.edit_right=1) OR 1=". (api_is_platform_admin() ? 1 : 0).") AND r.id='".$id."'"; + FROM ".Rsys :: getTable('reservation')." r + INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id + LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id + LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id + LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id + WHERE ((cu.user_id='".api_get_user_id()."'AND ir.edit_right=1) OR 1=". (api_is_platform_admin() ? 1 : 0).") AND r.id='".$id."'"; $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) { $arr[] = $array; 
@@ -950,13 +1012,14 @@ class Rsys { } function check_delete_right($id) { + $id = Database::escape_string($id); $sql = "SELECT r.id - FROM ".Rsys :: getTable('reservation')." r - INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id - LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id - LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id - LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id - WHERE ((cu.user_id='".api_get_user_id()."'AND ir.delete_right=1) OR 1=". (api_is_platform_admin() ? 1 : 0).") AND r.id='".$id."'"; + FROM ".Rsys :: getTable('reservation')." r + INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id + LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id + LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS)." c ON ir.class_id=c.id AND ir.item_id = i.id + LEFT JOIN ".Database :: get_main_table(TABLE_MAIN_CLASS_USER)." cu ON cu.class_id = c.id + WHERE ((cu.user_id='".api_get_user_id()."'AND ir.delete_right=1) OR 1=". (api_is_platform_admin() ? 1 : 0).") AND r.id='".$id."'"; $result = api_sql_query($sql, __FILE__, __LINE__); while ($array = Database::fetch_array($result, 'NUM')) { $arr[] = $array; @@ -965,6 +1028,7 @@ class Rsys { } function check_auto_accept($id) { + $id = Database::escape_string($id); $sql = "SELECT auto_accept FROM ".Rsys :: getTable('reservation')." WHERE id='".$id."'"; return Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0); } @@ -1059,6 +1123,8 @@ class Rsys { * */ function edit_reservation($id, $item_id, $auto_accept, $max_users, $start_at, $end_at, $subscribe_from, $subscribe_until, $notes, $timepicker) { + $id = Database::escape_string($id); + if (!Rsys :: item_allow($item_id, 'm_reservation')) return false; $stamp_start = Rsys :: mysql_datetime_to_timestamp($start_at); 
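Review bot: edit_reservation escapes only `$id` in the `-1059` hunk, while its other nine parameters (`$item_id`, `$auto_accept`, `$max_users`, `$start_at`, `$end_at`, `$subscribe_from`, `$subscribe_until`, `$notes`, `$timepicker`) flow on past the hunk; `$item_id` at least reaches item_allow, which escapes its own copy, but the UPDATE that presumably consumes the rest is not visible here. If those values are interpolated into SQL further down without escaping — `$notes` being the obvious free-text one — escape them at the top alongside `$id`, e.g. `$notes = Database::escape_string($notes);`, and cast `$max_users` and `$timepicker` with `intval()` since they are numeric. The rest of the function is outside the hunk, so this needs confirming against the full body.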
@@ -1100,6 +1166,8 @@ class Rsys { * Deletes a reservation */ function delete_reservation($id) { + $id = Database::escape_string($id); + $sql = "SELECT id FROM ".Rsys :: getTable("reservation")."WHERE id='".$id."' OR subid='".$id."'"; $result2 = api_sql_query($sql, __FILE__, __LINE__); while ($arr = Database::fetch_array($result2, 'NUM')) { @@ -1121,6 +1189,7 @@ class Rsys { } function is_owner_item($id) { + $id = Database::escape_string($id); $sql = "SELECT creator FROM ".Rsys :: getTable('item')."i ,".Rsys :: getTable('reservation')." r where i.id = r.item_id and r.id = '".$id."' @@ -1132,6 +1201,8 @@ class Rsys { } function get_reservation($id) { + $id = Database::escape_string($id); + $sql = "SELECT * FROM ".Rsys :: getTable('reservation')." r INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id @@ -1171,6 +1242,13 @@ class Rsys { function get_table_subcribed_reservations($from, $per_page, $column, $direction) { + $from = intval($from); + $per_page = intval($per_page); + $column = intval($column); + if(!in_array($direction, array('ASC','DESC'))) { + $direction = 'ASC'; + } + $sql = "SELECT i1.name as col0,c.name as col1, DATE_FORMAT(r1.start_at ,'%Y-%m-%d %H:%i') as col2, DATE_FORMAT(r1.end_at ,'%Y-%m-%d %H:%i') as col3, CONCAT(u.lastname,' ',u.firstname) as col4, @@ -1242,6 +1320,15 @@ class Rsys { } function get_table_waiting_users($from, $per_page, $column, $direction) { + + $from = intval($from); + $per_page = intval($per_page); + $column = intval($column); + if(!in_array($direction, array('ASC','DESC'))) { + $direction = 'ASC'; + } + + /*$sql = "SELECT dummy AS col0, CONCAT(u.lastname,' ',u.firstname) AS col1, s.user_id AS col2, accepted AS col3 FROM ".Rsys :: getTable('subscription')." s INNER JOIN ".Database :: get_main_table(TABLE_MAIN_USER)." u ON s.user_id = u.user_id "; 
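Review bot: delete_reservation performs no authorization check before its DELETE in the `-1100` hunk — unlike edit_reservation, which gates on `item_allow($item_id, 'm_reservation')`, and despite check_delete_right existing in this same file — so if the caller does not gate on it, any logged-in user who can guess a reservation id can delete it and its sub-reservations. Escaping `$id` fixes the injection but not that; add `if (!Rsys :: check_delete_right($id)) return false;` before the SELECT, unless the caller is known to do so. Also, `getTable("reservation")."WHERE id=` has no space before `WHERE`; unless getTable() returns a trailing space the query is malformed. The loop body that does the deleting continues outside the hunk.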
@@ -1255,7 +1342,7 @@ class Rsys { and s.reservation_id = r.id"; if (!empty ($_GET['rid'])) { - $sql .= " and r.id = '".$_GET['rid']."'"; + $sql .= " and r.id = '".Database::escape_string($_GET['rid'])."'"; } $sql .= " ORDER BY col".$column." ".$direction." LIMIT ".$from.",".$per_page; $result = api_sql_query($sql, __FILE__, __LINE__); @@ -1307,6 +1394,9 @@ class Rsys { function set_accepted($id, $value) { global $subscription; + + $id = Database::escape_string($id); + $value = Database::escape_string($value); $sql = "UPDATE ".Rsys :: getTable('subscription')." SET ACCEPTED='".$value."' WHERE dummy='".$id."'"; api_sql_query($sql, __FILE__, __LINE__); $user_info = api_get_user_info($subscription[0]); @@ -1358,8 +1448,13 @@ class Rsys { */ function check_date_subscription($reservation_id, $start_at, $end_at) { + $reservation_id = Database::escape_string($reservation_id); + $start_at = Database::escape_string($start_at); + $end_at = Database::escape_string($end_at); + + $sql = "SELECT id, start_at, end_at FROM ".Rsys :: getTable('reservation')." - WHERE start_at > '".$start_at."' AND id='".$reservation_id."' "; + WHERE start_at > '".$start_at."' AND id='".$reservation_id."' "; $result = api_sql_query($sql, __FILE__, __LINE__); if (Database::num_rows($result) != 0){ $result2 = Database::fetch_array($result); @@ -1369,7 +1464,7 @@ class Rsys { } $sql = "SELECT id, start_at, end_at FROM ".Rsys :: getTable('reservation')." - WHERE end_at < '".$end_at."' AND id='".$reservation_id."' "; + WHERE end_at < '".$end_at."' AND id='".$reservation_id."' "; $result = api_sql_query($sql, __FILE__, __LINE__); if (Database::num_rows($result) != 0){ $result2 = Database::fetch_array($result); 
@@ -1407,6 +1502,9 @@ class Rsys { } function check_date_month_calendar($date, $itemid) { + $itemid = Database::escape_string($itemid); + $date = Database::escape_string($date); + $sql = "SELECT id FROM ".Rsys :: getTable('reservation')." WHERE ((DATE_FORMAT(start_at, '%Y-%m-%e') = '".$date."' OR DATE_FORMAT(end_at, '%Y-%m-%e') = '".$date."' OR (start_at <= '".$date." 00:00:00' AND end_at >= '".$date." 00:00:00' ) OR (start_at>='".$date." 00:00:00' AND start_at<='".$date." 23:59:59')) AND (subscribers < max_users OR timepicker=1)) AND item_id= '".$itemid."'"; @@ -1428,6 +1526,10 @@ class Rsys { * @param - int $reservation_id The id off the reservation */ function add_subscription($reservation_id, $user_id, $accepted) { + $reservation_id = Database::escape_string($reservation_id); + $user_id = Database::escape_string($user_id); + $accepted = Database::escape_string($accepted); + $sql = "SELECT user_id FROM ".Rsys :: getTable("subscription")." WHERE user_id='".$user_id."' AND reservation_id='".$reservation_id."'"; if (Database::num_rows(api_sql_query($sql, __FILE__, __LINE__)) == 0) { $sql = "INSERT INTO ".Rsys :: getTable("subscription")." (user_id,reservation_id,accepted) VALUES ('".Database::escape_string($user_id)."','".Database::escape_string($reservation_id)."','". ($accepted ? '1' : '0')."')"; @@ -1455,6 +1557,10 @@ class Rsys { * @param - int $reservation_id The id off the reservation */ function add_subscription_timepicker($reservation_id, $user_id, $start_date, $end_date, $accepted, $min, $max) { + + $start_date = Database::escape_string($start_date); + $end_date = Database::escape_string($end_date); + if (Rsys :: check_date_subscription($reservation_id, $start_date, $end_date) <> 0) return 1; if (!($min==0 && $max ==0)){ 
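Review bot: In add_subscription_timepicker (`-1455` hunk), `$start_date` and `$end_date` are escaped and then handed to check_date_subscription, which the `-1358` hunk now also escapes, so any quote or backslash in them is escaped twice before reaching SQL. For well-formed datetime strings this is a no-op, but it is the same double-escaping pattern that breaks matching elsewhere in this commit; keep a single layer. If the two values are not also used in SQL further down this function (outside the hunk), the two added lines here are redundant and can be dropped; if they are, leave them and treat check_date_subscription's own escaping as the one to rely on there.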
@@ -1472,9 +1578,9 @@ class Rsys { * Delete subscription */ function delete_subscription($reservation_id, $dummy) { - $sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".$dummy."'"; + $sql = "DELETE FROM ".Rsys :: getTable("subscription")." WHERE dummy='".Database::escape_string($dummy)."'"; api_sql_query($sql, __FILE__, __LINE__); - $sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".$reservation_id."'"; + $sql = "UPDATE ".Rsys :: getTable("reservation")." SET subscribers=subscribers-1 WHERE id='".Database::escape_string($reservation_id)."'"; api_sql_query($sql, __FILE__, __LINE__); } @@ -1538,9 +1644,9 @@ class Rsys { */ function get_num_subscriptions() { $sql = "SELECT COUNT(*) FROM ".Rsys :: getTable("subscription")." s - INNER JOIN ".Rsys :: getTable("reservation")." r ON r.id = s.reservation_id - INNER JOIN ".Rsys :: getTable("item")." i ON i.id=r.item_id - WHERE s.user_id = '".api_get_user_id()."'"; + INNER JOIN ".Rsys :: getTable("reservation")." r ON r.id = s.reservation_id + INNER JOIN ".Rsys :: getTable("item")." i ON i.id=r.item_id + WHERE s.user_id = '".api_get_user_id()."'"; return @ Database::result(api_sql_query($sql, __FILE__, __LINE__), 0, 0); } @@ -1569,6 +1675,12 @@ class Rsys { * ['max_end_at'] = the maximal end_at in all reservations (usefull to build table) */ function get_item_reservations($from, $till, $itemid) { + $itemid = Database::escape_string($itemid); + $till = Database::escape_string($till); + $from = Database::escape_string($from); + + + $sql = "SELECT r.*,i.name as item_name FROM ".Rsys :: getTable('reservation')." r INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id LEFT JOIN ".Rsys :: getTable('item_rights')." ir ON ir.item_id=i.id 
@@ -1619,6 +1731,7 @@ class Rsys { * Returns $reservation_id=>"START_AT - END_AT" */ function get_item_subfiltered_reservations($item_id) { + $itemid = Database::escape_string($itemid); $sql = "SELECT r.id AS reservation_id, r.start_at, r.end_at FROM ".Rsys :: getTable('reservation')." r INNER JOIN ".Rsys :: getTable('item')." i ON r.item_id=i.id @@ -1636,6 +1749,9 @@ class Rsys { * @param - String $till DateTime */ function get_subscriptions($from, $till) { + $till = Database::escape_string($till); + $from = Database::escape_string($from); + // TODO: only return for current user... $sql = "SELECT r.*,s.start_at AS tp_start,s.end_at AS tp_end,s.accepted FROM ".Rsys :: getTable('subscription')." s INNER JOIN ".Rsys :: getTable('reservation')." r ON s.reservation_id = r.id WHERE ((r.timepicker=0 AND r.start_at>='".$from."' AND r.end_at<='".$till."') OR (s.start_at>='".$from."' AND s.end_at<='".$till."'))"; $result = api_sql_query($sql, __FILE__, __LINE__); @@ -1650,6 +1766,7 @@ class Rsys { } function get_item_id($item_name) { + $item_name = Database::escape_string($item_name); $sql = "SELECT id FROM ".Rsys :: getTable('item')." WHERE name='".$item_name."'"; $result = api_sql_query($sql, __FILE__, __LINE__); $result_array = Database::fetch_array($result); @@ -1663,15 +1780,4 @@ Rsys :: init(); require_once 'rcalendar.php'; require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'); -/* -$img=imagecreate(1,1); -$color=imagecolorallocate($img, 220, 90, 0); -imagefill($img,0,0,$color); -imagejpeg($img,'../img/px_orange.gif',100); - -$img=imagecreate(1,1); -$color=imagecolorallocate($img, 0, 0, 0); -imagefill($img,0,0,$color); -imagejpeg($img,'../img/px_black.gif',100); -*/ -?> +?> \ No newline at end of file
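Review bot: The new line in get_item_subfiltered_reservations, `$itemid = Database::escape_string($itemid);`, escapes an undefined variable: the parameter is `$item_id`, which stays unescaped wherever the function uses it further down (outside the hunk). The intended line is `$item_id = Database::escape_string($item_id);`. As written this also raises an undefined-variable notice on every call.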
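Review bot: get_subscriptions still returns every user's subscriptions in the `$from`–`$till` window; the `// TODO: only return for current user` comment in the `-1636` hunk acknowledges it, and the added escaping does not change it. Unless the caller filters the rows itself, restrict the query the same way get_num_subscriptions does: append ` AND s.user_id='".api_get_user_id()."'` to the WHERE clause. If a privileged caller genuinely needs all users' rows, give that path an explicit parameter rather than leaving the open query as the default.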