Issues in searchuser.php (master) - Issues in master - XoopsModules25x/suico - Measure and Improve Code Quality continuously with Scrutinizer

Issues (432)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

searchuser.php (1 issue)

Labels

Bug 1

Severity

Major 1

<?php declare(strict_types=1);

/**
 * Extended User Profile
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright       (c) 2000-2016 XOOPS Project (www.xoops.org)
 * @license             GNU GPL 2 (https://www.gnu.org/licenses/gpl-2.0.html)
 * @since               2.3.0
 * @author              Jan Pedersen
 * @author              Taiwen Jiang <[email protected]>
 */

use Xmf\Request;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use XoopsModules\Suico\IndexController;

$op = $_REQUEST['op'] ?? 'search';
switch ($op) {
    default:
    case 'search':
        $GLOBALS['xoopsOption']['template_main'] = 'suico_search.tpl';
        require __DIR__ . '/header.php';
        $myts                       = \MyTextSanitizer::getInstance();
        $controller                 = new IndexController($xoopsDB, $xoopsUser, $xoopsModule);
        $nbSections                 = $controller->getNumbersSections();
        $limit_default              = 20;
        $groups                     = $GLOBALS['xoopsUser'] ? $GLOBALS['xoopsUser']->getGroups() : [XOOPS_GROUP_ANONYMOUS];
        $xoopsOption['cache_group'] = implode('', $groups);
        $searchable_types           = [
            'textbox',
            'select',
            'radio',
            'yesno',
            'date',
            'datetime',
            'timezone',
            'language',
        ];
        $sortby_arr                 = [];
        // Dynamic fields
        $profileHandler = $helper->getHandler('Profile');
        // Get fields
        $fields = $profileHandler->loadFields();
        // Get ids of fields that can be searched
        /** @var XoopsGroupPermHandler $grouppermHandler */
        $grouppermHandler  = xoops_getHandler('groupperm');
        $searchable_fields = $grouppermHandler->getItemIds('profile_search', $groups, $GLOBALS['xoopsModule']->getVar('mid'));
        require_once $GLOBALS['xoops']->path('class/xoopsformloader.php');
        $searchform = new \XoopsThemeForm('', 'searchform', 'searchuser.php', 'post');
        $name_tray  = new \XoopsFormElementTray(_US_NICKNAME);
        $name_tray->addElement(new \XoopsFormSelectMatchOption('', 'uname_match'));
        $name_tray->addElement(new \XoopsFormText('', 'uname', 35, 255));
        $searchform->addElement($name_tray);
        $email_tray = new \XoopsFormElementTray(_US_EMAIL);
        $email_tray->addElement(new \XoopsFormSelectMatchOption('', 'email_match'));
        $email_tray->addElement(new \XoopsFormText('', 'email', 35, 255));
        $searchform->addElement($email_tray);
        // add search groups , only for Webmasters
        if ($GLOBALS['xoopsUser'] && $GLOBALS['xoopsUser']->isAdmin()) {
            $group_tray = new \XoopsFormElementTray(_US_GROUPS);
            $group_tray->addElement(new \XoopsFormSelectGroup('', 'selgroups', null, false, 5, true));
            $searchform->addElement($group_tray);
        }
        foreach (array_keys($fields) as $i) {
            if (!in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) || !in_array($fields[$i]->getVar('field_type'), $searchable_types, true)) {
                continue;
            }
            $sortby_arr[$i] = $fields[$i]->getVar('field_title');
            switch ($fields[$i]->getVar('field_type')) {
                case 'textbox':
                    if (XOBJ_DTYPE_INT == $fields[$i]->getVar('field_valuetype')) {
                        $searchform->addElement(new \XoopsFormText(sprintf(_MD_SUICO_LARGERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_larger', 35, 35));
                        $searchform->addElement(new \XoopsFormText(sprintf(_MD_SUICO_SMALLERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_smaller', 35, 35));
                    } else {
                        $tray = new \XoopsFormElementTray($fields[$i]->getVar('field_title'));
                        $tray->addElement(new \XoopsFormSelectMatchOption('', $fields[$i]->getVar('field_name') . '_match'));
                        $tray->addElement(new \XoopsFormText('', $fields[$i]->getVar('field_name'), 35, $fields[$i]->getVar('field_maxlength')));
                        $searchform->addElement($tray);
                        unset($tray);
                    }
                    break;
                case 'radio':
                case 'select':
                    $options = $fields[$i]->getVar('field_options');
                    $size    = min(count($options), 10);
                    $element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, $size, true);
                    asort($options);
                    $element->addOptionArray($options);
                    $searchform->addElement($element);
                    unset($element);
                    break;
                case 'yesno':
                    $element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 2, true);
                    $element->addOption(1, _YES);
                    $element->addOption(0, _NO);
                    $searchform->addElement($element);
                    unset($element);
                    break;
                case 'date':
                case 'datetime':
                    $searchform->addElement(new \XoopsFormTextDateSelect(sprintf(_MD_SUICO_LATERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_larger', 15, 1));
                    $searchform->addElement(new \XoopsFormTextDateSelect(sprintf(_MD_SUICO_EARLIERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_smaller', 15, time()));
                    break;
                case 'timezone':
                    $element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 6, true);
                    require_once $GLOBALS['xoops']->path('class/xoopslists.php');
                    $element->addOptionArray(XoopsLists::getTimeZoneList());
                    $searchform->addElement($element);
                    unset($element);
                    break;
                case 'language':
                    $element = new \XoopsFormSelectLang($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 6);
                    $searchform->addElement($element);
                    unset($element);
                    break;
            }
        }
        asort($sortby_arr);
        $sortby_arr    = array_merge(['' => _NONE, 'uname' => _US_NICKNAME, 'email' => _US_EMAIL], $sortby_arr);
        $sortby_select = new \XoopsFormSelect(_MD_SUICO_SORTBY, 'sortby');
        $sortby_select->addOptionArray($sortby_arr);
        $searchform->addElement($sortby_select);
        $order_select = new \XoopsFormRadio(_MD_SUICO_ORDER, 'order', 0);
        $order_select->addOption(0, _ASCENDING);
        $order_select->addOption(1, _DESCENDING);
        $searchform->addElement($order_select);
        $limit_text = new \XoopsFormText(_MD_SUICO_PERPAGE, 'limit', 15, 10, $limit_default);
        $searchform->addElement($limit_text);
        $searchform->addElement(new \XoopsFormHidden('op', 'results'));
        $searchform->addElement(new \XoopsFormButton('', 'submit', _SUBMIT, 'submit'));
        $searchform->assign($GLOBALS['xoopsTpl']);
        $GLOBALS['xoopsTpl']->assign('page_title', _MD_SUICO_SEARCH);
        //added count user
        /** @var XoopsMemberHandler $memberHandler */
        $memberHandler = xoops_getHandler('member');
        $acttotal      = $memberHandler->getUserCount(new Criteria('level', 0, '>'));
        $total         = sprintf(_MD_SUICO_ACTUS, "<span style='color:#ff0000;'>{$acttotal}</span>");
        $GLOBALS['xoopsTpl']->assign('total_users', $total);
        break;
    case 'results':
        $GLOBALS['xoopsOption']['template_main'] = 'suico_results.tpl';
        require __DIR__ . '/header.php';
        $myts       = \MyTextSanitizer::getInstance();
        $controller = new IndexController($xoopsDB, $xoopsUser, $xoopsModule);
        $nbSections = $controller->getNumbersSections();
        $GLOBALS['xoopsTpl']->assign('page_title', _MD_SUICO_RESULTS);
        $xoBreadcrumbs[] = [
            'link'  => XOOPS_URL . '/modules/' . $GLOBALS['xoopsModule']->getVar('dirname', 'n') . '/searchuser.php',
            'title' => _SEARCH,
        ];
        $xoBreadcrumbs[] = ['title' => _MD_SUICO_RESULTS];
        /** @var XoopsMemberHandler $memberHandler */
        $memberHandler = xoops_getHandler('member');
        // Dynamic fields
        $profileHandler = $helper->getHandler('Profile');
        // Get fields
        $fields = $profileHandler->loadFields();
        // Get ids of fields that can be searched
        /** @var XoopsGroupPermHandler $grouppermHandler */
        $grouppermHandler  = xoops_getHandler('groupperm');
        $searchable_fields = $grouppermHandler->getItemIds('profile_search', $groups, $GLOBALS['xoopsModule']->getVar('mid'));
        $searchvars        = [];
        $search_url        = [];
        $criteria          = new CriteriaCompo(new Criteria('level', 0, '>'));
        if (isset($_REQUEST['uname']) && '' !== $_REQUEST['uname']) {
            $string = $GLOBALS['xoopsDB']->escape(trim($_REQUEST['uname']));
            switch ($_REQUEST['uname_match']) {
                case XOOPS_MATCH_START:
                    $string .= '%';
                    break;
                case XOOPS_MATCH_END:
                    $string = '%' . $string;
                    break;
                case XOOPS_MATCH_CONTAIN:
                    $string = '%' . $string . '%';
                    break;
            }
            $criteria->add(new Criteria('uname', $string, 'LIKE'));
            $search_url[] = 'uname=' . $_REQUEST['uname'];
            $search_url[] = 'uname_match=' . $_REQUEST['uname_match'];
            $searchvars[] = 'uname';
        }
        if (isset($_REQUEST['email']) && '' !== $_REQUEST['email']) {
            $string = $GLOBALS['xoopsDB']->escape(trim($_REQUEST['email']));
            switch ($_REQUEST['email_match']) {
                case XOOPS_MATCH_START:
                    $string .= '%';
                    break;
                case XOOPS_MATCH_END:
                    $string = '%' . $string;
                    break;
                case XOOPS_MATCH_CONTAIN:
                    $string = '%' . $string . '%';
                    break;
            }
            $searchvars[] = 'email';
            $search_url[] = 'email=' . $_REQUEST['email'];
            $search_url[] = 'email_match=' . $_REQUEST['email_match'];
            $criteria->add(new Criteria('email', $string, 'LIKE'));
            $criteria->add(new Criteria('user_viewemail', 1));
        }
        //$search_url = array();
        foreach (array_keys($fields) as $i) {
            //Radio and Select fields
            if (!in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) || !in_array($fields[$i]->getVar('field_type'), $searchable_types, true)) {
                continue;
            }
            $fieldname = $fields[$i]->getVar('field_name');
            if (in_array($fields[$i]->getVar('field_type'), ['select', 'radio'], true)) {
                if (empty($_REQUEST[$fieldname])) {
                    continue;
                }
                //If field value is sent through request and is not an empty value
                switch ($fields[$i]->getVar('field_valuetype')) {
                    case XOBJ_DTYPE_OTHER:
                    case XOBJ_DTYPE_INT:
                        $value        = array_map('\intval', $_REQUEST[$fieldname]);
                        $searchvars[] = $fieldname;
                        $criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
                        break;
                    case XOBJ_DTYPE_URL:
                    case XOBJ_DTYPE_TXTBOX:
                    case XOBJ_DTYPE_TXTAREA:
                        $value        = array_map([$GLOBALS['xoopsDB'], 'quoteString'], $_REQUEST[$fieldname]);
                        $searchvars[] = $fieldname;
                        $criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
                        break;
                }
                foreach ($_REQUEST[$fieldname] as $value) {
                    $search_url[] = $fieldname . '[]=' . $value;
                }
            } else {
                //Other fields (not radio, not select)
                switch ($fields[$i]->getVar('field_valuetype')) {
                    case XOBJ_DTYPE_OTHER:
                    case XOBJ_DTYPE_INT:
                        switch ($fields[$i]->getVar('field_type')) {
                            case 'date':
                            case 'datetime':
                                $value = $_REQUEST[$fieldname . '_larger'];
                                if (!($value = strtotime($_REQUEST[$fieldname . '_larger']))) {
                                    $value = (int)$_REQUEST[$fieldname . '_larger'];
                                }
                                if ($value > 0) {
                                    $search_url[] = $fieldname . '_larger=' . $value;
                                    $searchvars[] = $fieldname;
                                    $criteria->add(new Criteria($fieldname, $value, '>='));
                                }
                                $value = $_REQUEST[$fieldname . '_smaller'];
                                if (!($value = strtotime($_REQUEST[$fieldname . '_smaller']))) {
                                    $value = (int)$_REQUEST[$fieldname . '_smaller'];
                                }
                                if ($value > 0) {
                                    $search_url[] = $fieldname . '_smaller=' . $value;
                                    $searchvars[] = $fieldname;
                                    $criteria->add(new Criteria($fieldname, $value + 24 * 3600, '<='));
                                }
                                break;
                            default:
                                if (isset($_REQUEST[$fieldname . '_larger']) && 0 !== (int)$_REQUEST[$fieldname . '_larger']) {
                                    $value        = (int)$_REQUEST[$fieldname . '_larger'];
                                    $search_url[] = $fieldname . '_larger=' . $value;
                                    $searchvars[] = $fieldname;
                                    $criteria->add(new Criteria($fieldname, $value, '>='));
                                }
                                if (isset($_REQUEST[$fieldname . '_smaller']) && 0 !== (int)$_REQUEST[$fieldname . '_smaller']) {
                                    $value        = (int)$_REQUEST[$fieldname . '_smaller'];
                                    $search_url[] = $fieldname . '_smaller=' . $value;
                                    $searchvars[] = $fieldname;
                                    $criteria->add(new Criteria($fieldname, $value, '<='));
                                }
                                break;
                        }
                        if (isset($_REQUEST[$fieldname]) && !isset($_REQUEST[$fieldname . '_smaller']) && !isset($_REQUEST[$fieldname . '_larger'])) {
                            if (is_array($_REQUEST[$fieldname])) {
                                $value = array_map('\intval', $_REQUEST[$fieldname]);
                                foreach ($value as $thisvalue) {
                                    $search_url[] = $fieldname . '[]=' . $thisvalue;
                                }
                                $criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
                            } else {
                                $value        = (int)$_REQUEST[$fieldname];
                                $search_url[] = $fieldname . '=' . $value;
                                $criteria->add(new Criteria($fieldname, $value, '='));
                            }
                            $searchvars[] = $fieldname;
                        }
                        break;
                    case XOBJ_DTYPE_URL:
                    case XOBJ_DTYPE_TXTBOX:
                    case XOBJ_DTYPE_TXTAREA:
                        if (isset($_REQUEST[$fieldname]) && '' !== $_REQUEST[$fieldname]) {
                            $value = $GLOBALS['xoopsDB']->escape(trim($_REQUEST[$fieldname]));
                            switch ($_REQUEST[$fieldname . '_match']) {
                                case XOOPS_MATCH_START:
                                    $value .= '%';
                                    break;
                                case XOOPS_MATCH_END:
                                    $value = '%' . $value;
                                    break;
                                case XOOPS_MATCH_CONTAIN:
                                    $value = '%' . $value . '%';
                                    break;
                            }
                            $search_url[] = $fieldname . '=' . $_REQUEST[$fieldname];
                            $search_url[] = $fieldname . '_match=' . $_REQUEST[$fieldname . '_match'];
                            $operator     = 'LIKE';
                            $criteria->add(new Criteria($fieldname, $value, $operator));
                            $searchvars[] = $fieldname;
                        }
                        break;
                }
            }
        }
        //        if ($_REQUEST['sortby'] == "name") {
        //            $criteria->setSort("name");
        //        } else if ($_REQUEST['sortby'] == "email") {
        //            $criteria->setSort("email");
        //        } else if ($_REQUEST['sortby'] == "uname") {
        //            $criteria->setSort("uname");
        //        } else if (isset($fields[$_REQUEST['sortby']])) {
        //            $criteria->setSort($fields[$_REQUEST['sortby']]->getVar('field_name'));
        //        }
        // change by zyspec:
        $sortby = 'uname';
        if (!empty($_REQUEST['sortby'])) {
            switch ($_REQUEST['sortby']) {
                case 'name':
                case 'email':
                case 'uname':
                    $sortby = $_REQUEST['sortby'];
                    break;
                default:
                    if (isset($fields[$_REQUEST['sortby']])) {
                        $sortby = $fields[$_REQUEST['sortby']]->getVar('field_name');
                    }
                    break;
            }
            $criteria->setSort($sortby);
        }
        // add search groups , only for Webmasters
        $searchgroups = [];
        if ($GLOBALS['xoopsUser'] && $GLOBALS['xoopsUser']->isAdmin()) {
            $searchgroups = empty($_REQUEST['selgroups']) ? [] : array_map('\intval', $_REQUEST['selgroups']);
            foreach ($searchgroups as $group) {
                $search_url[] = 'selgroups[]=' . $group;
            }
        }
        $order = 0 == $_REQUEST['order'] ? 'ASC' : 'DESC';
        $criteria->setOrder($order);
        $limit = empty($_REQUEST['limit']) ? $limit_default : (int)$_REQUEST['limit'];
        $criteria->setLimit($limit);
        $start = isset($_REQUEST['start']) ? (int)$_REQUEST['start'] : 0;
        $criteria->setStart($start);
        [$users, $profiles, $total_users] = $profileHandler->search($criteria, $searchvars, $searchgroups);
        $total = sprintf(_MD_SUICO_FOUNDUSER, "<span class='red'>{$total_users}</span>") . ' ';
        $GLOBALS['xoopsTpl']->assign('total_users', $total);
        //Sort information
        foreach (array_keys($users) as $k) {
            $userarray             = [];
            $userarray['output'][] = "<a href='userinfo.php?uid=" . $users[$k]->getVar('uid') . "' title=''>" . $users[$k]->getVar('uname') . '</a>';
            $userarray['output'][] = (1 == $users[$k]->getVar('user_viewemail') || (is_object($GLOBALS['xoopsUser']) && $GLOBALS['xoopsUser']->isAdmin())) ? $users[$k]->getVar('email') : '';
            foreach (array_keys($fields) as $i) {
                if (in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) && in_array($fields[$i]->getVar('field_type'), $searchable_types, true) && in_array($fields[$i]->getVar('field_name'), $searchvars, true)) {
                    $userarray['output'][] = $fields[$i]->getOutputValue($users[$k], $profiles[$k]);
                }
            }
            $GLOBALS['xoopsTpl']->append('users', $userarray);
            unset($userarray);
        }
        //Get captions
        $captions[] = _US_NICKNAME;
        $captions[] = _US_EMAIL;
        foreach (array_keys($fields) as $i) {
            if (in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) && in_array($fields[$i]->getVar('field_type'), $searchable_types, true) && in_array($fields[$i]->getVar('field_name'), $searchvars, true)) {
                $captions[] = $fields[$i]->getVar('field_title');
            }
        }
        $GLOBALS['xoopsTpl']->assign('captions', $captions);
        if ($total_users > $limit) {
            $search_url[] = 'op=results';
            $search_url[] = 'order=' . $order;
            //TODO remove it for final release
            //            $search_url[] = "sortby=" . htmlspecialchars($_REQUEST['sortby']);
            $search_url[] = 'sortby=' . htmlspecialchars($sortby, ENT_QUOTES | ENT_HTML5); // change by zyspec
            $search_url[] = 'limit=' . $limit;
            if (isset($search_url)) {
                $args = implode('&amp;', $search_url);
            }
            require_once $GLOBALS['xoops']->path('class/pagenav.php');
            $nav = new \XoopsPageNav($total_users, $limit, $start, 'start', $args);
            $GLOBALS['xoopsTpl']->assign('nav', $nav->renderNav(5));
        }
        break;
}
require __DIR__ . '/footer.php';
require \dirname(__DIR__, 2) . '/footer.php';


1			<?php declare(strict_types=1);
2
3			/**
4			* Extended User Profile
5			*
6			* You may not change or alter any portion of this comment or credits
7			* of supporting developers from this source code or any supporting source code
8			* which is considered copyrighted (c) material of the original comment or credit authors.
9			* This program is distributed in the hope that it will be useful,
10			* but WITHOUT ANY WARRANTY; without even the implied warranty of
11			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
12			*
13			* @copyright (c) 2000-2016 XOOPS Project (www.xoops.org)
14			* @license GNU GPL 2 (https://www.gnu.org/licenses/gpl-2.0.html)
15			* @since 2.3.0
16			* @author Jan Pedersen
17			* @author Taiwen Jiang <[email protected]>
18			*/
19
20			use Xmf\Request;
			0 ignored issues – show Bug introduced 2025-06-25 13:55 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `Request`. Consider defining an alias. Let?s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let?s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
21			use XoopsModules\Suico\IndexController;
22
23			$op = $_REQUEST['op'] ?? 'search';
24			switch ($op) {
25			default:
26			case 'search':
27			$GLOBALS['xoopsOption']['template_main'] = 'suico_search.tpl';
28			require __DIR__ . '/header.php';
29			$myts = \MyTextSanitizer::getInstance();
30			$controller = new IndexController($xoopsDB, $xoopsUser, $xoopsModule);
31			$nbSections = $controller->getNumbersSections();
32			$limit_default = 20;
33			$groups = $GLOBALS['xoopsUser'] ? $GLOBALS['xoopsUser']->getGroups() : [XOOPS_GROUP_ANONYMOUS];
34			$xoopsOption['cache_group'] = implode('', $groups);
35			$searchable_types = [
36			'textbox',
37			'select',
38			'radio',
39			'yesno',
40			'date',
41			'datetime',
42			'timezone',
43			'language',
44			];
45			$sortby_arr = [];
46			// Dynamic fields
47			$profileHandler = $helper->getHandler('Profile');
48			// Get fields
49			$fields = $profileHandler->loadFields();
50			// Get ids of fields that can be searched
51			/** @var XoopsGroupPermHandler $grouppermHandler */
52			$grouppermHandler = xoops_getHandler('groupperm');
53			$searchable_fields = $grouppermHandler->getItemIds('profile_search', $groups, $GLOBALS['xoopsModule']->getVar('mid'));
54			require_once $GLOBALS['xoops']->path('class/xoopsformloader.php');
55			$searchform = new \XoopsThemeForm('', 'searchform', 'searchuser.php', 'post');
56			$name_tray = new \XoopsFormElementTray(_US_NICKNAME);
57			$name_tray->addElement(new \XoopsFormSelectMatchOption('', 'uname_match'));
58			$name_tray->addElement(new \XoopsFormText('', 'uname', 35, 255));
59			$searchform->addElement($name_tray);
60			$email_tray = new \XoopsFormElementTray(_US_EMAIL);
61			$email_tray->addElement(new \XoopsFormSelectMatchOption('', 'email_match'));
62			$email_tray->addElement(new \XoopsFormText('', 'email', 35, 255));
63			$searchform->addElement($email_tray);
64			// add search groups , only for Webmasters
65			if ($GLOBALS['xoopsUser'] && $GLOBALS['xoopsUser']->isAdmin()) {
66			$group_tray = new \XoopsFormElementTray(_US_GROUPS);
67			$group_tray->addElement(new \XoopsFormSelectGroup('', 'selgroups', null, false, 5, true));
68			$searchform->addElement($group_tray);
69			}
70			foreach (array_keys($fields) as $i) {
71			if (!in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) \|\| !in_array($fields[$i]->getVar('field_type'), $searchable_types, true)) {
72			continue;
73			}
74			$sortby_arr[$i] = $fields[$i]->getVar('field_title');
75			switch ($fields[$i]->getVar('field_type')) {
76			case 'textbox':
77			if (XOBJ_DTYPE_INT == $fields[$i]->getVar('field_valuetype')) {
78			$searchform->addElement(new \XoopsFormText(sprintf(_MD_SUICO_LARGERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_larger', 35, 35));
79			$searchform->addElement(new \XoopsFormText(sprintf(_MD_SUICO_SMALLERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_smaller', 35, 35));
80			} else {
81			$tray = new \XoopsFormElementTray($fields[$i]->getVar('field_title'));
82			$tray->addElement(new \XoopsFormSelectMatchOption('', $fields[$i]->getVar('field_name') . '_match'));
83			$tray->addElement(new \XoopsFormText('', $fields[$i]->getVar('field_name'), 35, $fields[$i]->getVar('field_maxlength')));
84			$searchform->addElement($tray);
85			unset($tray);
86			}
87			break;
88			case 'radio':
89			case 'select':
90			$options = $fields[$i]->getVar('field_options');
91			$size = min(count($options), 10);
92			$element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, $size, true);
93			asort($options);
94			$element->addOptionArray($options);
95			$searchform->addElement($element);
96			unset($element);
97			break;
98			case 'yesno':
99			$element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 2, true);
100			$element->addOption(1, _YES);
101			$element->addOption(0, _NO);
102			$searchform->addElement($element);
103			unset($element);
104			break;
105			case 'date':
106			case 'datetime':
107			$searchform->addElement(new \XoopsFormTextDateSelect(sprintf(_MD_SUICO_LATERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_larger', 15, 1));
108			$searchform->addElement(new \XoopsFormTextDateSelect(sprintf(_MD_SUICO_EARLIERTHAN, $fields[$i]->getVar('field_title')), $fields[$i]->getVar('field_name') . '_smaller', 15, time()));
109			break;
110			case 'timezone':
111			$element = new \XoopsFormSelect($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 6, true);
112			require_once $GLOBALS['xoops']->path('class/xoopslists.php');
113			$element->addOptionArray(XoopsLists::getTimeZoneList());
114			$searchform->addElement($element);
115			unset($element);
116			break;
117			case 'language':
118			$element = new \XoopsFormSelectLang($fields[$i]->getVar('field_title'), $fields[$i]->getVar('field_name'), null, 6);
119			$searchform->addElement($element);
120			unset($element);
121			break;
122			}
123			}
124			asort($sortby_arr);
125			$sortby_arr = array_merge(['' => _NONE, 'uname' => _US_NICKNAME, 'email' => _US_EMAIL], $sortby_arr);
126			$sortby_select = new \XoopsFormSelect(_MD_SUICO_SORTBY, 'sortby');
127			$sortby_select->addOptionArray($sortby_arr);
128			$searchform->addElement($sortby_select);
129			$order_select = new \XoopsFormRadio(_MD_SUICO_ORDER, 'order', 0);
130			$order_select->addOption(0, _ASCENDING);
131			$order_select->addOption(1, _DESCENDING);
132			$searchform->addElement($order_select);
133			$limit_text = new \XoopsFormText(_MD_SUICO_PERPAGE, 'limit', 15, 10, $limit_default);
134			$searchform->addElement($limit_text);
135			$searchform->addElement(new \XoopsFormHidden('op', 'results'));
136			$searchform->addElement(new \XoopsFormButton('', 'submit', _SUBMIT, 'submit'));
137			$searchform->assign($GLOBALS['xoopsTpl']);
138			$GLOBALS['xoopsTpl']->assign('page_title', _MD_SUICO_SEARCH);
139			//added count user
140			/** @var XoopsMemberHandler $memberHandler */
141			$memberHandler = xoops_getHandler('member');
142			$acttotal = $memberHandler->getUserCount(new Criteria('level', 0, '>'));
143			$total = sprintf(_MD_SUICO_ACTUS, "<span style='color:#ff0000;'>{$acttotal}</span>");
144			$GLOBALS['xoopsTpl']->assign('total_users', $total);
145			break;
146			case 'results':
147			$GLOBALS['xoopsOption']['template_main'] = 'suico_results.tpl';
148			require __DIR__ . '/header.php';
149			$myts = \MyTextSanitizer::getInstance();
150			$controller = new IndexController($xoopsDB, $xoopsUser, $xoopsModule);
151			$nbSections = $controller->getNumbersSections();
152			$GLOBALS['xoopsTpl']->assign('page_title', _MD_SUICO_RESULTS);
153			$xoBreadcrumbs[] = [
154			'link' => XOOPS_URL . '/modules/' . $GLOBALS['xoopsModule']->getVar('dirname', 'n') . '/searchuser.php',
155			'title' => _SEARCH,
156			];
157			$xoBreadcrumbs[] = ['title' => _MD_SUICO_RESULTS];
158			/** @var XoopsMemberHandler $memberHandler */
159			$memberHandler = xoops_getHandler('member');
160			// Dynamic fields
161			$profileHandler = $helper->getHandler('Profile');
162			// Get fields
163			$fields = $profileHandler->loadFields();
164			// Get ids of fields that can be searched
165			/** @var XoopsGroupPermHandler $grouppermHandler */
166			$grouppermHandler = xoops_getHandler('groupperm');
167			$searchable_fields = $grouppermHandler->getItemIds('profile_search', $groups, $GLOBALS['xoopsModule']->getVar('mid'));
168			$searchvars = [];
169			$search_url = [];
170			$criteria = new CriteriaCompo(new Criteria('level', 0, '>'));
171			if (isset($_REQUEST['uname']) && '' !== $_REQUEST['uname']) {
172			$string = $GLOBALS['xoopsDB']->escape(trim($_REQUEST['uname']));
173			switch ($_REQUEST['uname_match']) {
174			case XOOPS_MATCH_START:
175			$string .= '%';
176			break;
177			case XOOPS_MATCH_END:
178			$string = '%' . $string;
179			break;
180			case XOOPS_MATCH_CONTAIN:
181			$string = '%' . $string . '%';
182			break;
183			}
184			$criteria->add(new Criteria('uname', $string, 'LIKE'));
185			$search_url[] = 'uname=' . $_REQUEST['uname'];
186			$search_url[] = 'uname_match=' . $_REQUEST['uname_match'];
187			$searchvars[] = 'uname';
188			}
189			if (isset($_REQUEST['email']) && '' !== $_REQUEST['email']) {
190			$string = $GLOBALS['xoopsDB']->escape(trim($_REQUEST['email']));
191			switch ($_REQUEST['email_match']) {
192			case XOOPS_MATCH_START:
193			$string .= '%';
194			break;
195			case XOOPS_MATCH_END:
196			$string = '%' . $string;
197			break;
198			case XOOPS_MATCH_CONTAIN:
199			$string = '%' . $string . '%';
200			break;
201			}
202			$searchvars[] = 'email';
203			$search_url[] = 'email=' . $_REQUEST['email'];
204			$search_url[] = 'email_match=' . $_REQUEST['email_match'];
205			$criteria->add(new Criteria('email', $string, 'LIKE'));
206			$criteria->add(new Criteria('user_viewemail', 1));
207			}
208			//$search_url = array();
209			foreach (array_keys($fields) as $i) {
210			//Radio and Select fields
211			if (!in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) \|\| !in_array($fields[$i]->getVar('field_type'), $searchable_types, true)) {
212			continue;
213			}
214			$fieldname = $fields[$i]->getVar('field_name');
215			if (in_array($fields[$i]->getVar('field_type'), ['select', 'radio'], true)) {
216			if (empty($_REQUEST[$fieldname])) {
217			continue;
218			}
219			//If field value is sent through request and is not an empty value
220			switch ($fields[$i]->getVar('field_valuetype')) {
221			case XOBJ_DTYPE_OTHER:
222			case XOBJ_DTYPE_INT:
223			$value = array_map('\intval', $_REQUEST[$fieldname]);
224			$searchvars[] = $fieldname;
225			$criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
226			break;
227			case XOBJ_DTYPE_URL:
228			case XOBJ_DTYPE_TXTBOX:
229			case XOBJ_DTYPE_TXTAREA:
230			$value = array_map([$GLOBALS['xoopsDB'], 'quoteString'], $_REQUEST[$fieldname]);
231			$searchvars[] = $fieldname;
232			$criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
233			break;
234			}
235			foreach ($_REQUEST[$fieldname] as $value) {
236			$search_url[] = $fieldname . '[]=' . $value;
237			}
238			} else {
239			//Other fields (not radio, not select)
240			switch ($fields[$i]->getVar('field_valuetype')) {
241			case XOBJ_DTYPE_OTHER:
242			case XOBJ_DTYPE_INT:
243			switch ($fields[$i]->getVar('field_type')) {
244			case 'date':
245			case 'datetime':
246			$value = $_REQUEST[$fieldname . '_larger'];
247			if (!($value = strtotime($_REQUEST[$fieldname . '_larger']))) {
248			$value = (int)$_REQUEST[$fieldname . '_larger'];
249			}
250			if ($value > 0) {
251			$search_url[] = $fieldname . '_larger=' . $value;
252			$searchvars[] = $fieldname;
253			$criteria->add(new Criteria($fieldname, $value, '>='));
254			}
255			$value = $_REQUEST[$fieldname . '_smaller'];
256			if (!($value = strtotime($_REQUEST[$fieldname . '_smaller']))) {
257			$value = (int)$_REQUEST[$fieldname . '_smaller'];
258			}
259			if ($value > 0) {
260			$search_url[] = $fieldname . '_smaller=' . $value;
261			$searchvars[] = $fieldname;
262			$criteria->add(new Criteria($fieldname, $value + 24 * 3600, '<='));
263			}
264			break;
265			default:
266			if (isset($_REQUEST[$fieldname . '_larger']) && 0 !== (int)$_REQUEST[$fieldname . '_larger']) {
267			$value = (int)$_REQUEST[$fieldname . '_larger'];
268			$search_url[] = $fieldname . '_larger=' . $value;
269			$searchvars[] = $fieldname;
270			$criteria->add(new Criteria($fieldname, $value, '>='));
271			}
272			if (isset($_REQUEST[$fieldname . '_smaller']) && 0 !== (int)$_REQUEST[$fieldname . '_smaller']) {
273			$value = (int)$_REQUEST[$fieldname . '_smaller'];
274			$search_url[] = $fieldname . '_smaller=' . $value;
275			$searchvars[] = $fieldname;
276			$criteria->add(new Criteria($fieldname, $value, '<='));
277			}
278			break;
279			}
280			if (isset($_REQUEST[$fieldname]) && !isset($_REQUEST[$fieldname . '_smaller']) && !isset($_REQUEST[$fieldname . '_larger'])) {
281			if (is_array($_REQUEST[$fieldname])) {
282			$value = array_map('\intval', $_REQUEST[$fieldname]);
283			foreach ($value as $thisvalue) {
284			$search_url[] = $fieldname . '[]=' . $thisvalue;
285			}
286			$criteria->add(new Criteria($fieldname, '(' . implode(',', $value) . ')', 'IN'));
287			} else {
288			$value = (int)$_REQUEST[$fieldname];
289			$search_url[] = $fieldname . '=' . $value;
290			$criteria->add(new Criteria($fieldname, $value, '='));
291			}
292			$searchvars[] = $fieldname;
293			}
294			break;
295			case XOBJ_DTYPE_URL:
296			case XOBJ_DTYPE_TXTBOX:
297			case XOBJ_DTYPE_TXTAREA:
298			if (isset($_REQUEST[$fieldname]) && '' !== $_REQUEST[$fieldname]) {
299			$value = $GLOBALS['xoopsDB']->escape(trim($_REQUEST[$fieldname]));
300			switch ($_REQUEST[$fieldname . '_match']) {
301			case XOOPS_MATCH_START:
302			$value .= '%';
303			break;
304			case XOOPS_MATCH_END:
305			$value = '%' . $value;
306			break;
307			case XOOPS_MATCH_CONTAIN:
308			$value = '%' . $value . '%';
309			break;
310			}
311			$search_url[] = $fieldname . '=' . $_REQUEST[$fieldname];
312			$search_url[] = $fieldname . '_match=' . $_REQUEST[$fieldname . '_match'];
313			$operator = 'LIKE';
314			$criteria->add(new Criteria($fieldname, $value, $operator));
315			$searchvars[] = $fieldname;
316			}
317			break;
318			}
319			}
320			}
321			// if ($_REQUEST['sortby'] == "name") {
322			// $criteria->setSort("name");
323			// } else if ($_REQUEST['sortby'] == "email") {
324			// $criteria->setSort("email");
325			// } else if ($_REQUEST['sortby'] == "uname") {
326			// $criteria->setSort("uname");
327			// } else if (isset($fields[$_REQUEST['sortby']])) {
328			// $criteria->setSort($fields[$_REQUEST['sortby']]->getVar('field_name'));
329			// }
330			// change by zyspec:
331			$sortby = 'uname';
332			if (!empty($_REQUEST['sortby'])) {
333			switch ($_REQUEST['sortby']) {
334			case 'name':
335			case 'email':
336			case 'uname':
337			$sortby = $_REQUEST['sortby'];
338			break;
339			default:
340			if (isset($fields[$_REQUEST['sortby']])) {
341			$sortby = $fields[$_REQUEST['sortby']]->getVar('field_name');
342			}
343			break;
344			}
345			$criteria->setSort($sortby);
346			}
347			// add search groups , only for Webmasters
348			$searchgroups = [];
349			if ($GLOBALS['xoopsUser'] && $GLOBALS['xoopsUser']->isAdmin()) {
350			$searchgroups = empty($_REQUEST['selgroups']) ? [] : array_map('\intval', $_REQUEST['selgroups']);
351			foreach ($searchgroups as $group) {
352			$search_url[] = 'selgroups[]=' . $group;
353			}
354			}
355			$order = 0 == $_REQUEST['order'] ? 'ASC' : 'DESC';
356			$criteria->setOrder($order);
357			$limit = empty($_REQUEST['limit']) ? $limit_default : (int)$_REQUEST['limit'];
358			$criteria->setLimit($limit);
359			$start = isset($_REQUEST['start']) ? (int)$_REQUEST['start'] : 0;
360			$criteria->setStart($start);
361			[$users, $profiles, $total_users] = $profileHandler->search($criteria, $searchvars, $searchgroups);
362			$total = sprintf(_MD_SUICO_FOUNDUSER, "<span class='red'>{$total_users}</span>") . ' ';
363			$GLOBALS['xoopsTpl']->assign('total_users', $total);
364			//Sort information
365			foreach (array_keys($users) as $k) {
366			$userarray = [];
367			$userarray['output'][] = "<a href='userinfo.php?uid=" . $users[$k]->getVar('uid') . "' title=''>" . $users[$k]->getVar('uname') . '</a>';
368			$userarray['output'][] = (1 == $users[$k]->getVar('user_viewemail') \|\| (is_object($GLOBALS['xoopsUser']) && $GLOBALS['xoopsUser']->isAdmin())) ? $users[$k]->getVar('email') : '';
369			foreach (array_keys($fields) as $i) {
370			if (in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) && in_array($fields[$i]->getVar('field_type'), $searchable_types, true) && in_array($fields[$i]->getVar('field_name'), $searchvars, true)) {
371			$userarray['output'][] = $fields[$i]->getOutputValue($users[$k], $profiles[$k]);
372			}
373			}
374			$GLOBALS['xoopsTpl']->append('users', $userarray);
375			unset($userarray);
376			}
377			//Get captions
378			$captions[] = _US_NICKNAME;
379			$captions[] = _US_EMAIL;
380			foreach (array_keys($fields) as $i) {
381			if (in_array($fields[$i]->getVar('field_id'), $searchable_fields, true) && in_array($fields[$i]->getVar('field_type'), $searchable_types, true) && in_array($fields[$i]->getVar('field_name'), $searchvars, true)) {
382			$captions[] = $fields[$i]->getVar('field_title');
383			}
384			}
385			$GLOBALS['xoopsTpl']->assign('captions', $captions);
386			if ($total_users > $limit) {
387			$search_url[] = 'op=results';
388			$search_url[] = 'order=' . $order;
389			//TODO remove it for final release
390			// $search_url[] = "sortby=" . htmlspecialchars($_REQUEST['sortby']);
391			$search_url[] = 'sortby=' . htmlspecialchars($sortby, ENT_QUOTES \| ENT_HTML5); // change by zyspec
392			$search_url[] = 'limit=' . $limit;
393			if (isset($search_url)) {
394			$args = implode('&', $search_url);
395			}
396			require_once $GLOBALS['xoops']->path('class/pagenav.php');
397			$nav = new \XoopsPageNav($total_users, $limit, $start, 'start', $args);
398			$GLOBALS['xoopsTpl']->assign('nav', $nav->renderNav(5));
399			}
400			break;
401			}
402			require __DIR__ . '/footer.php';
403			require \dirname(__DIR__, 2) . '/footer.php';
404

XoopsModules25x / suico

Issues (432)

Security Analysis not enabled

searchuser.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like