Issues in FRSFileDao.class.php (master) - Issues in master - Enalean/tuleap - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4873)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/common/dao/FRSFileDao.class.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Copyright (c) Xerox Corporation, Codendi Team, 2001-2009. All rights reserved
 *
 * This file is a part of Codendi.
 *
 * Codendi is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Codendi is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Codendi. If not, see <http://www.gnu.org/licenses/>.
 */
require_once('include/DataAccessObject.class.php');
require_once('www/file/file_utils.php');

class FRSFileDao extends DataAccessObject {
    /**
     * Return the array that match given id.
     *
     * @return DataAccessResult
     */
    function searchById($id) {
        $_id = (int) $id;
        return $this->_search(' f.file_id = '.$this->da->escapeInt($_id), '', ' ORDER BY release_time DESC LIMIT 1');
    }
    
    function searchInReleaseById($id, $group_id) {
        $_id = (int) $id;
        $_group_id = (int) $group_id;
        return $this->_search(' p.group_id='.$this->da->escapeInt($_group_id).' AND r.release_id = f.release_id' .
        		              ' AND r.package_id = p.package_id AND f.file_id ='.$this->da->escapeInt($_id),'',
        		              'ORDER BY post_date DESC LIMIT 1',array('frs_package AS p', 'frs_release AS r'));
    }

    function searchByIdList($idList) {
        if(is_array($idList) && count($idList) > 0) {
            $sql_where = sprintf(' f.file_id IN (%s)', implode(', ', $idList));
        }
        return $this->_search($sql_where, '', '');
    }

    /**
     * Return the list of files for a given release according to filters
     *
     * @param int $id the ID of the release the files belong to
     * @param int $only_active_files 1 means that only files with an active status will be retrieved. 0 means all files
     * @return DataAccessResult
     */
    function searchByReleaseId($id, $only_active_files = 1) {
        $_id = (int) $id;
        $where_status = "";
        if ($only_active_files == 1) {
            $where_status = " AND status='A' ";
        }
        return $this->_search(' release_id='.$this->da->escapeInt($_id).' '.$where_status,'','');
    }
    		
   
   function searchInfoByGroupFileID($group_id, $file_id){
        $_group_id = (int) $group_id;
        $_file_id = (int) $file_id;
        
        $sql = sprintf("SELECT f.filename, f.file_id AS file_id, p.group_id AS group_id, " .
        				"p.package_id, r.release_id "
              		  ."FROM frs_release AS r, frs_package AS p, frs_file AS f "
              		  ."WHERE p.group_id= %s "
			  		  ."AND r.package_id = p.package_id "
			  		  ."AND f.release_id = r.release_id "
                      ."AND f.file_id=%s ",
			  			$this->da->quoteSmart($_group_id),
			  			$this->da->quoteSmart($_file_id));
        return $this->retrieve($sql);
    }
   
    /**
     * Retrieve file info from database.
     * 
     * @param int $release_id the ID of the release the files belong to
     * @param int $only_active_files 1 means that only files with an active status will be retrieved. 0 means all files
     */
    function searchInfoFileByReleaseID($release_id, $only_active_files = 1){
    	$_release_id = (int) $release_id;
    
    $where_status = "";
    if ($only_active_files) {
        $where_status = " AND status='A' ";
    }
    	
    	$sql = sprintf("SELECT frs_file.file_id AS file_id, frs_file.filename AS filename, frs_file.file_size AS file_size," 
                . "frs_file.release_time AS release_time, frs_file.type_id AS type, frs_file.processor_id AS processor,"
                . "frs_dlstats_filetotal_agg.downloads AS downloads , frs_file.computed_md5 AS computed_md5, frs_file.user_id AS user_id,"
                . "frs_file.comment AS comment "
                . "FROM frs_file "
                . "LEFT JOIN frs_dlstats_filetotal_agg ON frs_dlstats_filetotal_agg.file_id=frs_file.file_id "
                . "WHERE release_id=%s".$where_status ,
                $this->da->quoteSmart($_release_id));
        return $this->retrieve($sql);
    }
   
    function _search($where, $group = '', $order = '', $from = array()) {
        $sql = 'SELECT f.* '
            .' FROM frs_file AS f '
            .(count($from) > 0 ? ', '.implode(', ', $from) : '') 
            .(trim($where) != '' ? ' WHERE '.$where.' ' : '') 
            .$group
            .$order;
        return $this->retrieve($sql);
    }
    
    function searchFileByName($file_name, $group_id){
    	$_group_id = (int) $group_id;
    	return $this->_search(' p.group_id='.$this->da->escapeInt($_group_id).' AND r.release_id = f.release_id' .
    						  ' AND r.package_id = p.package_id AND filename='.$this->da->quoteSmart($file_name).' AND f.status=\'A\'','',
							  '', array('frs_package AS p', 'frs_release AS r'));
    }

    function searchFileByNameFromRelease($file_name, $release_id){
    	$file_name = $this->da->quoteSmart('%/'.$file_name);
    	$release_id = $this->da->quoteSmart($release_id);
    	$sql = 'SELECT file_id'
    	    .' from frs_file'
    	    .' WHERE filename LIKE '.$file_name
    	    .' AND release_id = '.$release_id
    	    .' AND status = \'A\'';
    	return $this->retrieve($sql);
    }

    /**
     * create a row in the table frs_file
     *
     * @return true or id(auto_increment) if there is no error
     */
    function create($file_name=null, $filepath=null, $release_id=null, $type_id=null,
    				$processor_id=null, $release_time=null, 
                    $file_size=null, $reference_md5= null, $post_date=null, $status ='A') {

        $arg    = array();
        $values = array();

        if($file_name !== null) {
            $arg[] = 'filename';
            $values[] = $this->da->quoteSmart($file_name);
        }

        if($filepath !== null) {
            $arg[] = 'filepath';
            $values[] = $this->da->quoteSmart($filepath);
        }

        if($release_id !== null) {
            $arg[] = 'release_id';
            $values[] = ($this->da->escapeInt($release_id));
        }
        
        if($type_id !== null) {
            $arg[] = 'type_id';
            $values[] = ($this->da->escapeInt($type_id));
        }

        if($processor_id !== null) {
            $arg[] = 'processor_id';
            $values[] = ($this->da->escapeInt($processor_id));
        }

        if($reference_md5 !== null) {
            $arg[] = 'reference_md5';
            $values[] = $this->da->quoteSmart($reference_md5);
        }

        $arg[] = 'release_time';
        $values[] = ($this->da->escapeInt(time()));
        
        if($file_size !== null) {
            $arg[] = 'file_size';
            $values[] = ($this->da->escapeInt($file_size));
        } else {
            $arg[] = 'file_size';
            $values[] = file_utils_get_size($file_name); 
        }

        $arg[] = 'post_date';
        $values[] = ($this->da->escapeInt(time()));

        $arg[] = 'status';
        $values[] = $status;
        
        $sql = 'INSERT INTO frs_file'
            .'('.implode(', ', $arg).')'
            .' VALUES ('.implode(', ', $values).')';
        return $this->_createAndReturnId($sql);
    }
    
    
    function createFromArray($data_array) {
        $arg    = array();
        $values = array();
        $cols   = array('filename', 'filepath', 'release_id', 'type_id', 'processor_id', 'file_size', 'status', 'computed_md5', 'reference_md5', 'user_id', 'comment');
        foreach ($data_array as $key => $value) {
            if (in_array($key, $cols)) {
                $arg[]    = $key;
                $values[] = $this->da->quoteSmart($value);
            }
        }
        $arg[]    = 'release_time';
        $values[] = $this->da->quoteSmart(time());
        $arg[]    = 'post_date';
        $values[] = $this->da->quoteSmart(time());
        if (count($arg)) {
            $sql = 'INSERT INTO frs_file '
                .'('.implode(', ', $arg).')'
                .' VALUES ('.implode(', ', $values).')';
            return $this->_createAndReturnId($sql);
        } else {
            return false;
        }
    }
    
    
    function _createAndReturnId($sql) {
        return $this->updateAndGetLastId($sql);
    }
    /**
     * Update a row in the table frs_file 
     *
     * @return true if there is no error
     */
    function updateById($file_id, $file_name=null, $release_id=null, $type_id=null,
    				$processor_id=null, $release_time=null, $file_size=null, $status=null) {       
       
        $argArray = array();

		if($file_name !== null) {
            $argArray[] = 'file_name='.$this->da->quoteSmart($file_name);
        }

        if($release_id !== null) {
            $argArray[] = 'release_id='.($this->da->escapeInt($release_id));
        }
		
        if($type_id !== null) {
            $argArray[] = 'type_id='.($this->da->escapeInt($type_id));
        }
        
        if($processor_id !== null) {
            $argArray[] = 'processor_id='.($this->da->escapeInt($processor_id));
        }
        
        if($release_time !== null) {
            $argArray[] = 'release_time='.($this->da->escapeInt($release_time));
        }

        if($file_size !== null) {
            $argArray[] = 'file_size='.($this->da->escapeInt($file_size));
        }

        if($status !== null) {
            $argArray[] = 'status='.$this->da->quoteSmart($status);
        }

        $sql = 'UPDATE frs_file'
            .' SET '.implode(', ', $argArray)
            .' WHERE file_id='.($this->da->escapeInt($file_id));

        $inserted = $this->update($sql);
        return $inserted;
    }

    function updateFromArray($data_array) {
        $updated = false;
        $id = false;
        if (isset($data_array['file_id'])) {
            $file_id = $data_array['file_id'];
        }
        if ($file_id) {
            $dar = $this->searchById($file_id);
            if (!$dar->isError() && $dar->valid()) {
                $current =& $dar->current();
                $set_array = array();
                foreach($data_array as $key => $value) {
                    if ($key != 'id' && $key!= 'post_date' && $value != $current[$key]) {
                        $set_array[] = $key .' = '. $this->da->quoteSmart($value);
                    }
                }
                if (count($set_array)) {
                    $sql = 'UPDATE frs_file'
                        .' SET '.implode(' , ', $set_array)
                        .' WHERE file_id='. $this->da->quoteSmart($file_id);
                    $updated = $this->update($sql);
                }
            }
        }
        return $updated;
    }

    /**
     * Delete entry that match $release_id in frs_file
     *
     * @param $file_id int
     * 
     * @return true if there is no error
     */
    function delete($file_id) {
        $sql = "UPDATE frs_file SET status='D' WHERE file_id=".$this->da->escapeInt($file_id);
        $deleted = $this->update($sql);
        return $deleted;
    }

    /**
     * Log the file download action into the database
     * 
     * @param Object{FRSFile) $file the FRSFile Object to log the download of

     * @param int $user_id the user that download the file
     * @return boolean true if there is no error, false otherwise
     */
    function logDownload($file, $user_id) {
       $sql = "INSERT INTO filedownload_log(user_id,filerelease_id,time) "
             ."VALUES ('".$this->da->escapeInt($user_id)."','".$this->da->escapeInt($file->getFileID())."','".$this->da->escapeInt(time())."')";
       return $this->update($sql);
    }

    /**
     * Return true if a download is already logged for the user since the given time
     *
     * @param Integer $fileId
     * @param Integer $userId
     * @param Integer $time
     *
     * @return Boolean
     */
    function existsDownloadLogSince($fileId, $userId, $time) {
        $sql = 'SELECT NULL'.
               ' FROM filedownload_log'.
               ' WHERE user_id = '.$this->da->escapeInt($userId).
               ' AND filerelease_id = '.$this->da->escapeInt($fileId).
               ' AND time >= '.$time.
               ' LIMIT 1';
        $dar = $this->retrieve($sql);
        return ($dar && !$dar->isError() && $dar->rowCount() !== 0);
    }

    /**
     * Retrieve all the files marked as deleted but not yet present in 'deleted' table
     *
     * @param $groupId
     *
     * @return DataAccessResult
     */
    function searchStagingCandidates($groupId = 0) {
        $fields = '';
        $from   = '';
        $where  = '';
        if ($groupId != 0) {
            $fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
            $fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
            $from   .= ' JOIN frs_release rel ON (f.release_id = rel.release_id)'.
                       ' JOIN frs_package pkg ON (rel.package_id = pkg.package_id)';
            $where  .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
            $where  .= ' AND rel.status_id != '.FRSRelease::STATUS_DELETED;
        }
        $sql = 'SELECT f.* '.
               $fields.
               ' FROM frs_file f LEFT JOIN frs_file_deleted d USING(file_id)'.
               $from.
               ' WHERE f.status = "D"'.
               ' AND d.file_id IS NULL'.
               $where;
        return $this->retrieve($sql);
    }

    /**
     * Retrieve all deleted files not purged yet after a given period of time
     * 
     * @param Integer $time    Timestamp of the date to start the search
     * @param Integer $groupId
     * @param Integer $offset
     * @param Integer $limit
     * 
     * @return DataAccessResult
     */
    function searchFilesToPurge($time, $groupId=0, $offset=0, $limit=0) {
        $fields = '';
        $from   = '';
        $where  = '';
        if ($groupId != 0) {
            $fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
            $fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
            $from   .= ' JOIN frs_release rel USING (release_id)'.
                       ' JOIN frs_package pkg USING (package_id)';
            $where  .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
            $where  .= ' AND rel.status_id != '.FRSRelease::STATUS_DELETED;
        }
        $sql = 'SELECT file.* '.
               $fields.
               ' FROM frs_file_deleted file'.
               $from.
               ' WHERE delete_date <= '.$this->da->escapeInt($time).
               ' AND purge_date IS NULL'.
               $where.
               ' ORDER BY delete_date DESC';
        return $this->retrieve($sql);
    }

    /**
     * Copy deleted entry in the dedicated table
     * 
     * @param Integer $id FileId
     * 
     * @return Boolean
     */
    function setFileInDeletedList($id) {
        // Store file in deleted table
        $sql = 'INSERT INTO frs_file_deleted(file_id, filename, filepath, release_id, type_id, processor_id, release_time, file_size, post_date, status, computed_md5, reference_md5, user_id,delete_date)'.
               ' SELECT file_id, filename, filepath, release_id, type_id, processor_id, release_time, file_size, post_date, status, computed_md5, reference_md5, user_id,'.$this->da->escapeInt($_SERVER['REQUEST_TIME']).
               ' FROM frs_file'.
               ' WHERE file_id = '.$this->da->escapeInt($id);
        return $this->update($sql);
    }

    /**
     * Set the date of the purge of a file
     * 
     * @param Integer $id   File id
     * @param Integer $time Timestamp of the deletion
     * 
     * @return Boolean
     */
    function setPurgeDate($id, $time) {
        $sql = 'UPDATE frs_file_deleted'.
               ' SET purge_date = '.$this->da->escapeInt($time).
               ' WHERE file_id = '.$this->da->escapeInt($id);
        return $this->update($sql);
    }
    
    /**
     * Restore file by updating its status and removing it from  frs_file_deleted
     * 
     * @param Integer $id   File id
     * 
     * @return Boolean
     */
    function restoreFile($id) {
        $sql = 'UPDATE frs_file SET status = "A" WHERE file_id = '.$this->da->escapeInt($id);
        if ($this->update($sql)) {
            $sql = 'DELETE FROM frs_file_deleted WHERE file_id = '.$this->da->escapeInt($id);
            return $this->update($sql);
        }
        return false;
    }
    
    /**
     * Retrieves all the documents marked to be restored
     * 
     * @return DataAccessResult
     */
    function searchFilesToRestore($groupId=null) {
        $fields = '';
        $from   = '';
        $where  = '';
        if($groupId !== null) {
            $fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
            $fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
            $from   .= ' JOIN frs_release rel USING (release_id)'.
                       ' JOIN frs_package pkg USING (package_id)';
            $where  .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
        }
        $sql = 'SELECT file.* '.
               $fields.
               ' FROM frs_file_deleted file'.
               $from.
               ' WHERE delete_date IS NULL '.
               ' AND purge_date IS NULL'.
               $where;
        return $this->retrieve($sql);
    }

    /**
     * Returns if the file is already marked to be restored or not
     * 
     * @param String $filename
     * 
     * @return boolean
     */
    function isMarkedToBeRestored($filename) {
        $sql = 'SELECT NULL'.
               ' FROM frs_file_deleted file'.
               ' WHERE delete_date IS NULL '.
               ' AND purge_date IS NULL '.
               ' AND filename ='.$this->da->quoteSmart($filename);
        $res = $this->retrieve($sql);
        return ($res && !$res->isError() && $res->rowCount() > 0);
    }

    /**
     * Mark file to be restored
     * 
     * @param Integer $id
     * 
     * @return Boolean
     */
    function markFileToBeRestored($id) {
                $sql = 'UPDATE frs_file_deleted AS f,'.
                ' frs_release AS r '.
                ' SET f.delete_date = NULL '.
                ' WHERE f.file_id = '.$this->da->escapeInt($id).
                ' AND f.release_id = r.release_id '.
                ' AND r.status_id != 2 ';
        return $this->update($sql);
    }

    /**
     * Cancel restoration of a file
     * 
     * @param Integer $fileId File id
     * 
     * @return Boolean
     */
    function cancelRestore($fileId) {
        $sql = 'UPDATE frs_file_deleted SET delete_date = '.$this->da->escapeInt($_SERVER['REQUEST_TIME']).' WHERE file_id = '.$this->da->escapeInt($fileId);
        return $this->update($sql);
    }

    /**
     * Insert the computed md5sum value in case of offline checksum comput
     * e
     * @param Integer $fileId
     * @param String $md5Computed
     * 
     * @return Boolean
     */
    function updateComputedMd5sum($fileId, $md5Computed) {
        $sql = ' UPDATE frs_file '. 
               ' SET computed_md5 = '.$this->da->quoteSmart($md5Computed).
               ' WHERE file_id= '.$this->da->escapeInt($fileId);
        return $this->update($sql);
    }

}

?>


GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

src/common/dao/FRSFileDao.class.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* Copyright (c) Xerox Corporation, Codendi Team, 2001-2009. All rights reserved
4			*
5			* This file is a part of Codendi.
6			*
7			* Codendi is free software; you can redistribute it and/or modify
8			* it under the terms of the GNU General Public License as published by
9			* the Free Software Foundation; either version 2 of the License, or
10			* (at your option) any later version.
11			*
12			* Codendi is distributed in the hope that it will be useful,
13			* but WITHOUT ANY WARRANTY; without even the implied warranty of
14			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15			* GNU General Public License for more details.
16			*
17			* You should have received a copy of the GNU General Public License
18			* along with Codendi. If not, see <http://www.gnu.org/licenses/>.
19			*/
20			require_once('include/DataAccessObject.class.php');
21			require_once('www/file/file_utils.php');
22
23			class FRSFileDao extends DataAccessObject {
24			/**
25			* Return the array that match given id.
26			*
27			* @return DataAccessResult
28			*/
29			function searchById($id) {
30			$_id = (int) $id;
31			return $this->_search(' f.file_id = '.$this->da->escapeInt($_id), '', ' ORDER BY release_time DESC LIMIT 1');
32			}
33
34			function searchInReleaseById($id, $group_id) {
35			$_id = (int) $id;
36			$_group_id = (int) $group_id;
37			return $this->_search(' p.group_id='.$this->da->escapeInt($_group_id).' AND r.release_id = f.release_id' .
38			' AND r.package_id = p.package_id AND f.file_id ='.$this->da->escapeInt($_id),'',
39			'ORDER BY post_date DESC LIMIT 1',array('frs_package AS p', 'frs_release AS r'));
40			}
41
42			function searchByIdList($idList) {
43			if(is_array($idList) && count($idList) > 0) {
44			$sql_where = sprintf(' f.file_id IN (%s)', implode(', ', $idList));
45			}
46			return $this->_search($sql_where, '', '');
47			}
48
49			/**
50			* Return the list of files for a given release according to filters
51			*
52			* @param int $id the ID of the release the files belong to
53			* @param int $only_active_files 1 means that only files with an active status will be retrieved. 0 means all files
54			* @return DataAccessResult
55			*/
56			function searchByReleaseId($id, $only_active_files = 1) {
57			$_id = (int) $id;
58			$where_status = "";
59			if ($only_active_files == 1) {
60			$where_status = " AND status='A' ";
61			}
62			return $this->_search(' release_id='.$this->da->escapeInt($_id).' '.$where_status,'','');
63			}
64
65
66			function searchInfoByGroupFileID($group_id, $file_id){
67			$_group_id = (int) $group_id;
68			$_file_id = (int) $file_id;
69
70			$sql = sprintf("SELECT f.filename, f.file_id AS file_id, p.group_id AS group_id, " .
71			"p.package_id, r.release_id "
72			."FROM frs_release AS r, frs_package AS p, frs_file AS f "
73			."WHERE p.group_id= %s "
74			."AND r.package_id = p.package_id "
75			."AND f.release_id = r.release_id "
76			."AND f.file_id=%s ",
77			$this->da->quoteSmart($_group_id),
78			$this->da->quoteSmart($_file_id));
79			return $this->retrieve($sql);
80			}
81
82			/**
83			* Retrieve file info from database.
84			*
85			* @param int $release_id the ID of the release the files belong to
86			* @param int $only_active_files 1 means that only files with an active status will be retrieved. 0 means all files
87			*/
88			function searchInfoFileByReleaseID($release_id, $only_active_files = 1){
89			$_release_id = (int) $release_id;
90
91			$where_status = "";
92			if ($only_active_files) {
93			$where_status = " AND status='A' ";
94			}
95
96			$sql = sprintf("SELECT frs_file.file_id AS file_id, frs_file.filename AS filename, frs_file.file_size AS file_size,"
97			. "frs_file.release_time AS release_time, frs_file.type_id AS type, frs_file.processor_id AS processor,"
98			. "frs_dlstats_filetotal_agg.downloads AS downloads , frs_file.computed_md5 AS computed_md5, frs_file.user_id AS user_id,"
99			. "frs_file.comment AS comment "
100			. "FROM frs_file "
101			. "LEFT JOIN frs_dlstats_filetotal_agg ON frs_dlstats_filetotal_agg.file_id=frs_file.file_id "
102			. "WHERE release_id=%s".$where_status ,
103			$this->da->quoteSmart($_release_id));
104			return $this->retrieve($sql);
105			}
106
107			function _search($where, $group = '', $order = '', $from = array()) {
108			$sql = 'SELECT f.* '
109			.' FROM frs_file AS f '
110			.(count($from) > 0 ? ', '.implode(', ', $from) : '')
111			.(trim($where) != '' ? ' WHERE '.$where.' ' : '')
112			.$group
113			.$order;
114			return $this->retrieve($sql);
115			}
116
117			function searchFileByName($file_name, $group_id){
118			$_group_id = (int) $group_id;
119			return $this->_search(' p.group_id='.$this->da->escapeInt($_group_id).' AND r.release_id = f.release_id' .
120			' AND r.package_id = p.package_id AND filename='.$this->da->quoteSmart($file_name).' AND f.status=\'A\'','',
121			'', array('frs_package AS p', 'frs_release AS r'));
122			}
123
124			function searchFileByNameFromRelease($file_name, $release_id){
125			$file_name = $this->da->quoteSmart('%/'.$file_name);
126			$release_id = $this->da->quoteSmart($release_id);
127			$sql = 'SELECT file_id'
128			.' from frs_file'
129			.' WHERE filename LIKE '.$file_name
130			.' AND release_id = '.$release_id
131			.' AND status = \'A\'';
132			return $this->retrieve($sql);
133			}
134
135			/**
136			* create a row in the table frs_file
137			*
138			* @return true or id(auto_increment) if there is no error
139			*/
140			function create($file_name=null, $filepath=null, $release_id=null, $type_id=null,
141			$processor_id=null, $release_time=null,
142			$file_size=null, $reference_md5= null, $post_date=null, $status ='A') {
143
144			$arg = array();
145			$values = array();
146
147			if($file_name !== null) {
148			$arg[] = 'filename';
149			$values[] = $this->da->quoteSmart($file_name);
150			}
151
152			if($filepath !== null) {
153			$arg[] = 'filepath';
154			$values[] = $this->da->quoteSmart($filepath);
155			}
156
157			if($release_id !== null) {
158			$arg[] = 'release_id';
159			$values[] = ($this->da->escapeInt($release_id));
160			}
161
162			if($type_id !== null) {
163			$arg[] = 'type_id';
164			$values[] = ($this->da->escapeInt($type_id));
165			}
166
167			if($processor_id !== null) {
168			$arg[] = 'processor_id';
169			$values[] = ($this->da->escapeInt($processor_id));
170			}
171
172			if($reference_md5 !== null) {
173			$arg[] = 'reference_md5';
174			$values[] = $this->da->quoteSmart($reference_md5);
175			}
176
177			$arg[] = 'release_time';
178			$values[] = ($this->da->escapeInt(time()));
179
180			if($file_size !== null) {
181			$arg[] = 'file_size';
182			$values[] = ($this->da->escapeInt($file_size));
183			} else {
184			$arg[] = 'file_size';
185			$values[] = file_utils_get_size($file_name);
186			}
187
188			$arg[] = 'post_date';
189			$values[] = ($this->da->escapeInt(time()));
190
191			$arg[] = 'status';
192			$values[] = $status;
193
194			$sql = 'INSERT INTO frs_file'
195			.'('.implode(', ', $arg).')'
196			.' VALUES ('.implode(', ', $values).')';
197			return $this->_createAndReturnId($sql);
198			}
199
200
201			function createFromArray($data_array) {
202			$arg = array();
203			$values = array();
204			$cols = array('filename', 'filepath', 'release_id', 'type_id', 'processor_id', 'file_size', 'status', 'computed_md5', 'reference_md5', 'user_id', 'comment');
205			foreach ($data_array as $key => $value) {
206			if (in_array($key, $cols)) {
207			$arg[] = $key;
208			$values[] = $this->da->quoteSmart($value);
209			}
210			}
211			$arg[] = 'release_time';
212			$values[] = $this->da->quoteSmart(time());
213			$arg[] = 'post_date';
214			$values[] = $this->da->quoteSmart(time());
215			if (count($arg)) {
216			$sql = 'INSERT INTO frs_file '
217			.'('.implode(', ', $arg).')'
218			.' VALUES ('.implode(', ', $values).')';
219			return $this->_createAndReturnId($sql);
220			} else {
221			return false;
222			}
223			}
224
225
226			function _createAndReturnId($sql) {
227			return $this->updateAndGetLastId($sql);
228			}
229			/**
230			* Update a row in the table frs_file
231			*
232			* @return true if there is no error
233			*/
234			function updateById($file_id, $file_name=null, $release_id=null, $type_id=null,
235			$processor_id=null, $release_time=null, $file_size=null, $status=null) {
236
237			$argArray = array();
238
239			if($file_name !== null) {
240			$argArray[] = 'file_name='.$this->da->quoteSmart($file_name);
241			}
242
243			if($release_id !== null) {
244			$argArray[] = 'release_id='.($this->da->escapeInt($release_id));
245			}
246
247			if($type_id !== null) {
248			$argArray[] = 'type_id='.($this->da->escapeInt($type_id));
249			}
250
251			if($processor_id !== null) {
252			$argArray[] = 'processor_id='.($this->da->escapeInt($processor_id));
253			}
254
255			if($release_time !== null) {
256			$argArray[] = 'release_time='.($this->da->escapeInt($release_time));
257			}
258
259			if($file_size !== null) {
260			$argArray[] = 'file_size='.($this->da->escapeInt($file_size));
261			}
262
263			if($status !== null) {
264			$argArray[] = 'status='.$this->da->quoteSmart($status);
265			}
266
267			$sql = 'UPDATE frs_file'
268			.' SET '.implode(', ', $argArray)
269			.' WHERE file_id='.($this->da->escapeInt($file_id));
270
271			$inserted = $this->update($sql);
272			return $inserted;
273			}
274
275			function updateFromArray($data_array) {
276			$updated = false;
277			$id = false;
278			if (isset($data_array['file_id'])) {
279			$file_id = $data_array['file_id'];
280			}
281			if ($file_id) {
282			$dar = $this->searchById($file_id);
283			if (!$dar->isError() && $dar->valid()) {
284			$current =& $dar->current();
285			$set_array = array();
286			foreach($data_array as $key => $value) {
287			if ($key != 'id' && $key!= 'post_date' && $value != $current[$key]) {
288			$set_array[] = $key .' = '. $this->da->quoteSmart($value);
289			}
290			}
291			if (count($set_array)) {
292			$sql = 'UPDATE frs_file'
293			.' SET '.implode(' , ', $set_array)
294			.' WHERE file_id='. $this->da->quoteSmart($file_id);
295			$updated = $this->update($sql);
296			}
297			}
298			}
299			return $updated;
300			}
301
302			/**
303			* Delete entry that match $release_id in frs_file
304			*
305			* @param $file_id int
306			*
307			* @return true if there is no error
308			*/
309			function delete($file_id) {
310			$sql = "UPDATE frs_file SET status='D' WHERE file_id=".$this->da->escapeInt($file_id);
311			$deleted = $this->update($sql);
312			return $deleted;
313			}
314
315			/**
316			* Log the file download action into the database
317			*
318			* @param Object{FRSFile) $file the FRSFile Object to log the download of
			0 ignored issues – show Documentation introduced 2015-12-16 20:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `Object{FRSFile)` could not be parsed: Unknown type name "Object{FRSFile" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
319			* @param int $user_id the user that download the file
320			* @return boolean true if there is no error, false otherwise
321			*/
322			function logDownload($file, $user_id) {
323			$sql = "INSERT INTO filedownload_log(user_id,filerelease_id,time) "
324			."VALUES ('".$this->da->escapeInt($user_id)."','".$this->da->escapeInt($file->getFileID())."','".$this->da->escapeInt(time())."')";
325			return $this->update($sql);
326			}
327
328			/**
329			* Return true if a download is already logged for the user since the given time
330			*
331			* @param Integer $fileId
332			* @param Integer $userId
333			* @param Integer $time
334			*
335			* @return Boolean
336			*/
337			function existsDownloadLogSince($fileId, $userId, $time) {
338			$sql = 'SELECT NULL'.
339			' FROM filedownload_log'.
340			' WHERE user_id = '.$this->da->escapeInt($userId).
341			' AND filerelease_id = '.$this->da->escapeInt($fileId).
342			' AND time >= '.$time.
343			' LIMIT 1';
344			$dar = $this->retrieve($sql);
345			return ($dar && !$dar->isError() && $dar->rowCount() !== 0);
346			}
347
348			/**
349			* Retrieve all the files marked as deleted but not yet present in 'deleted' table
350			*
351			* @param $groupId
352			*
353			* @return DataAccessResult
354			*/
355			function searchStagingCandidates($groupId = 0) {
356			$fields = '';
357			$from = '';
358			$where = '';
359			if ($groupId != 0) {
360			$fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
361			$fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
362			$from .= ' JOIN frs_release rel ON (f.release_id = rel.release_id)'.
363			' JOIN frs_package pkg ON (rel.package_id = pkg.package_id)';
364			$where .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
365			$where .= ' AND rel.status_id != '.FRSRelease::STATUS_DELETED;
366			}
367			$sql = 'SELECT f.* '.
368			$fields.
369			' FROM frs_file f LEFT JOIN frs_file_deleted d USING(file_id)'.
370			$from.
371			' WHERE f.status = "D"'.
372			' AND d.file_id IS NULL'.
373			$where;
374			return $this->retrieve($sql);
375			}
376
377			/**
378			* Retrieve all deleted files not purged yet after a given period of time
379			*
380			* @param Integer $time Timestamp of the date to start the search
381			* @param Integer $groupId
382			* @param Integer $offset
383			* @param Integer $limit
384			*
385			* @return DataAccessResult
386			*/
387			function searchFilesToPurge($time, $groupId=0, $offset=0, $limit=0) {
388			$fields = '';
389			$from = '';
390			$where = '';
391			if ($groupId != 0) {
392			$fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
393			$fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
394			$from .= ' JOIN frs_release rel USING (release_id)'.
395			' JOIN frs_package pkg USING (package_id)';
396			$where .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
397			$where .= ' AND rel.status_id != '.FRSRelease::STATUS_DELETED;
398			}
399			$sql = 'SELECT file.* '.
400			$fields.
401			' FROM frs_file_deleted file'.
402			$from.
403			' WHERE delete_date <= '.$this->da->escapeInt($time).
404			' AND purge_date IS NULL'.
405			$where.
406			' ORDER BY delete_date DESC';
407			return $this->retrieve($sql);
408			}
409
410			/**
411			* Copy deleted entry in the dedicated table
412			*
413			* @param Integer $id FileId
414			*
415			* @return Boolean
416			*/
417			function setFileInDeletedList($id) {
418			// Store file in deleted table
419			$sql = 'INSERT INTO frs_file_deleted(file_id, filename, filepath, release_id, type_id, processor_id, release_time, file_size, post_date, status, computed_md5, reference_md5, user_id,delete_date)'.
420			' SELECT file_id, filename, filepath, release_id, type_id, processor_id, release_time, file_size, post_date, status, computed_md5, reference_md5, user_id,'.$this->da->escapeInt($_SERVER['REQUEST_TIME']).
421			' FROM frs_file'.
422			' WHERE file_id = '.$this->da->escapeInt($id);
423			return $this->update($sql);
424			}
425
426			/**
427			* Set the date of the purge of a file
428			*
429			* @param Integer $id File id
430			* @param Integer $time Timestamp of the deletion
431			*
432			* @return Boolean
433			*/
434			function setPurgeDate($id, $time) {
435			$sql = 'UPDATE frs_file_deleted'.
436			' SET purge_date = '.$this->da->escapeInt($time).
437			' WHERE file_id = '.$this->da->escapeInt($id);
438			return $this->update($sql);
439			}
440
441			/**
442			* Restore file by updating its status and removing it from frs_file_deleted
443			*
444			* @param Integer $id File id
445			*
446			* @return Boolean
447			*/
448			function restoreFile($id) {
449			$sql = 'UPDATE frs_file SET status = "A" WHERE file_id = '.$this->da->escapeInt($id);
450			if ($this->update($sql)) {
451			$sql = 'DELETE FROM frs_file_deleted WHERE file_id = '.$this->da->escapeInt($id);
452			return $this->update($sql);
453			}
454			return false;
455			}
456
457			/**
458			* Retrieves all the documents marked to be restored
459			*
460			* @return DataAccessResult
461			*/
462			function searchFilesToRestore($groupId=null) {
463			$fields = '';
464			$from = '';
465			$where = '';
466			if($groupId !== null) {
467			$fields .= ', rel.name as release_name, rel.status_id as release_status, rel.release_id';
468			$fields .= ', pkg.name as package_name, pkg.status_id as package_status, pkg.package_id';
469			$from .= ' JOIN frs_release rel USING (release_id)'.
470			' JOIN frs_package pkg USING (package_id)';
471			$where .= ' AND pkg.group_id = '.$this->da->escapeInt($groupId);
472			}
473			$sql = 'SELECT file.* '.
474			$fields.
475			' FROM frs_file_deleted file'.
476			$from.
477			' WHERE delete_date IS NULL '.
478			' AND purge_date IS NULL'.
479			$where;
480			return $this->retrieve($sql);
481			}
482
483			/**
484			* Returns if the file is already marked to be restored or not
485			*
486			* @param String $filename
487			*
488			* @return boolean
489			*/
490			function isMarkedToBeRestored($filename) {
491			$sql = 'SELECT NULL'.
492			' FROM frs_file_deleted file'.
493			' WHERE delete_date IS NULL '.
494			' AND purge_date IS NULL '.
495			' AND filename ='.$this->da->quoteSmart($filename);
496			$res = $this->retrieve($sql);
497			return ($res && !$res->isError() && $res->rowCount() > 0);
498			}
499
500			/**
501			* Mark file to be restored
502			*
503			* @param Integer $id
504			*
505			* @return Boolean
506			*/
507			function markFileToBeRestored($id) {
508			$sql = 'UPDATE frs_file_deleted AS f,'.
509			' frs_release AS r '.
510			' SET f.delete_date = NULL '.
511			' WHERE f.file_id = '.$this->da->escapeInt($id).
512			' AND f.release_id = r.release_id '.
513			' AND r.status_id != 2 ';
514			return $this->update($sql);
515			}
516
517			/**
518			* Cancel restoration of a file
519			*
520			* @param Integer $fileId File id
521			*
522			* @return Boolean
523			*/
524			function cancelRestore($fileId) {
525			$sql = 'UPDATE frs_file_deleted SET delete_date = '.$this->da->escapeInt($_SERVER['REQUEST_TIME']).' WHERE file_id = '.$this->da->escapeInt($fileId);
526			return $this->update($sql);
527			}
528
529			/**
530			* Insert the computed md5sum value in case of offline checksum comput
531			* e
532			* @param Integer $fileId
533			* @param String $md5Computed
534			*
535			* @return Boolean
536			*/
537			function updateComputedMd5sum($fileId, $md5Computed) {
538			$sql = ' UPDATE frs_file '.
539			' SET computed_md5 = '.$this->da->quoteSmart($md5Computed).
540			' WHERE file_id= '.$this->da->escapeInt($fileId);
541			return $this->update($sql);
542			}
543
544			}
545
546			?>
547

Enalean / tuleap

GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

src/common/dao/FRSFileDao.class.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like