Issues in Employee.php (scrutinizer-code-quality) - Issues in scrutinizer-code-quality - adamjakab/SuiteCRM - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4069)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

modules/Employees/Employee.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.

 * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
 * Copyright (C) 2011 - 2014 Salesagility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
 * reasonably feasible for  technical reasons, the Appropriate Legal Notices must
 * display the words  "Powered by SugarCRM" and "Supercharged by SuiteCRM".
 ********************************************************************************/

/*********************************************************************************

 * Description: TODO:  To be written.
 * Portions created by SugarCRM are Copyright (C) SugarCRM, Inc.
 * All Rights Reserved.
 * Contributor(s): ______________________________________..
 ********************************************************************************/


require_once('include/SugarObjects/templates/person/Person.php');

// Employee is used to store customer information.
class Employee extends Person {
	// Stored fields
	var $name = '';
	var $id;
	var $is_admin;
	var $first_name;
	var $last_name;
	var $full_name;
	var $user_name;
	var $title;
	var $description;
	var $department;
	var $reports_to_id;
	var $reports_to_name;
	var $phone_home;
	var $phone_mobile;
	var $phone_work;
	var $phone_other;
	var $phone_fax;
	var $email1;
	var $email2;
	var $address_street;
	var $address_city;
	var $address_state;
	var $address_postalcode;
	var $address_country;
	var $date_entered;
	var $date_modified;
	var $modified_user_id;
	var $created_by;
	var $created_by_name;
	var $modified_by_name;
	var $status;
	var $messenger_id;
	var $messenger_type;
	var $employee_status;
	var $error_string;
    public $person_id;

	var $module_dir = "Employees";


	var $table_name = "users";

	var $object_name = "Employee";
	var $user_preferences;

	var $encodeFields = Array("first_name", "last_name", "description");

	// This is used to retrieve related fields from form posts.
	var $additional_column_fields = Array('reports_to_name');



	var $new_schema = true;

	function __construct() {
		parent::__construct();
		$this->setupCustomFields('Users');
		$this->emailAddress = new SugarEmailAddress();
	}

    /**
     * @deprecated deprecated since version 7.6, PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code, use __construct instead
     */
    function Employee(){
        $deprecatedMessage = 'PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code';
        if(isset($GLOBALS['log'])) {
            $GLOBALS['log']->deprecated($deprecatedMessage);
        }
        else {
            trigger_error($deprecatedMessage, E_USER_DEPRECATED);
        }
        self::__construct();
    }



	function get_summary_text() {
        $this->_create_proper_name_field();
        return $this->name;
    }


	function fill_in_additional_list_fields() {
		$this->fill_in_additional_detail_fields();
	}

	function fill_in_additional_detail_fields()
	{
		global $locale;
		$query = "SELECT u1.first_name, u1.last_name from users u1, users u2 where u1.id = u2.reports_to_id AND u2.id = '$this->id' and u1.deleted=0";
		$result =$this->db->query($query, true, "Error filling in additional detail fields") ;

		$row = $this->db->fetchByAssoc($result);

		if($row != null)
		{
			$this->reports_to_name = stripslashes($locale->getLocaleFormattedName($row['first_name'], $row['last_name']));
		}
		else
		{
			$this->reports_to_name = '';
		}
	}

	function retrieve_employee_id($employee_name)
	{
		$query = "SELECT id from users where user_name='$user_name' AND deleted=0";
		$result  = $this->db->query($query, false,"Error retrieving employee ID: ");
		$row = $this->db->fetchByAssoc($result);
		return $row['id'];
	}

	/**
	 * @return -- returns a list of all employees in the system.

	 * Portions created by SugarCRM are Copyright (C) SugarCRM, Inc..
	 * All Rights Reserved..
	 * Contributor(s): ______________________________________..
	 */
	function verify_data()
	{
		//none of the checks from the users module are valid here since the user_name and
		//is_admin_on fields are not editable.
		return TRUE;
	}

	function get_list_view_data(){

        $user_fields = parent::get_list_view_data();

		// Copy over the reports_to_name
		if ( isset($GLOBALS['app_list_strings']['messenger_type_dom'][$this->messenger_type]) )
            $user_fields['MESSENGER_TYPE'] = $GLOBALS['app_list_strings']['messenger_type_dom'][$this->messenger_type];
		if ( isset($GLOBALS['app_list_strings']['employee_status_dom'][$this->employee_status]) )
            $user_fields['EMPLOYEE_STATUS'] = $GLOBALS['app_list_strings']['employee_status_dom'][$this->employee_status];
		$user_fields['REPORTS_TO_NAME'] = $this->reports_to_name;

        return $user_fields;
	}

	function list_view_parse_additional_sections(&$list_form/*, $xTemplateSection*/){
		return $list_form;
	}


	function create_export_query($order_by, $where, $relate_link_join = '') {
		include('modules/Employees/field_arrays.php');

		$cols = '';
		foreach($fields_array['Employee']['export_fields'] as $field) {
			$cols .= (empty($cols)) ? '' : ', ';
			$cols .= $field;
		}

		$query = "SELECT {$cols} FROM users ";

		$where_auto = " users.deleted = 0";

		if($where != "")
			$query .= " WHERE $where AND " . $where_auto;
		else
			$query .= " WHERE " . $where_auto;

		if($order_by != "")
			$query .= " ORDER BY $order_by";
		else
			$query .= " ORDER BY users.user_name";

		return $query;
	}

	//use parent class
	/**
	 * Generate the name field from the first_name and last_name fields.
	 */
	/*
	function _create_proper_name_field() {
        global $locale;
        $full_name = $locale->getLocaleFormattedName($this->first_name, $this->last_name);
        $this->name = $full_name;
        $this->full_name = $full_name;
	}
	*/

	function preprocess_fields_on_save(){
		parent::preprocess_fields_on_save();

	}


    /**
     * create_new_list_query
     *
     * Return the list query used by the list views and export button. Next generation of create_new_list_query function.
     *
     * We overrode this function in the Employees module to add the additional filter check so that we do not retrieve portal users for the Employees list view queries
     *
     * @param string $order_by custom order by clause
     * @param string $where custom where clause
     * @param array $filter Optioanal
     * @param array $params Optional     *
     * @param int $show_deleted Optional, default 0, show deleted records is set to 1.
     * @param string $join_type
     * @param boolean $return_array Optional, default false, response as array
     * @param object $parentbean creating a subquery for this bean.
     * @param boolean $singleSelect Optional, default false.
     * @return String select query string, optionally an array value will be returned if $return_array= true.
     */
	function create_new_list_query($order_by, $where,$filter=array(),$params=array(), $show_deleted = 0,$join_type='', $return_array = false,$parentbean=null, $singleSelect = false, $ifListForExport = false)
    {
        //create the filter for portal only users, as they should not be showing up in query results
        if(empty($where)){
            $where = ' users.portal_only = 0 ';
        }else{
            $where .= ' and users.portal_only = 0 ';
        }

        //return parent method, specifying for array to be returned
        return parent::create_new_list_query($order_by, $where, $filter,$params, $show_deleted, $join_type, $return_array, $parentbean, $singleSelect, $ifListForExport);
    }

    /*
     * Overwrite Sugar bean which returns the current objects custom fields.  Lets return User custom fields instead
     */
    function hasCustomFields()
    {

        //Check to see if there are custom user fields that we should report on, first check the custom_fields array
        $userCustomfields = !empty($GLOBALS['dictionary']['Employee']['custom_fields']);
        if(!$userCustomfields){
            //custom Fields not set, so traverse employee fields to see if any custom fields exist
            foreach ($GLOBALS['dictionary']['Employee']['fields'] as $k=>$v){
                if(!empty($v['source']) && $v['source'] == 'custom_fields'){
                    //custom field has been found, set flag to true and break
                    $userCustomfields = true;
                    break;
                }

            }
        }

        //return result of search for custom fields
        return $userCustomfields;
    }
}

?>


1		<?php
2	1	if(!defined('sugarEntry') \|\| !sugarEntry) die('Not A Valid Entry Point');
3		/*********************************************************************************
4		* SugarCRM Community Edition is a customer relationship management program developed by
5		* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
6
7		* SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
8		* Copyright (C) 2011 - 2014 Salesagility Ltd.
9		*
10		* This program is free software; you can redistribute it and/or modify it under
11		* the terms of the GNU Affero General Public License version 3 as published by the
12		* Free Software Foundation with the addition of the following permission added
13		* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
14		* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
15		* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
16		*
17		* This program is distributed in the hope that it will be useful, but WITHOUT
18		* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
19		* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
20		* details.
21		*
22		* You should have received a copy of the GNU Affero General Public License along with
23		* this program; if not, see http://www.gnu.org/licenses or write to the Free
24		* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
25		* 02110-1301 USA.
26		*
27		* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
28		* SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
29		*
30		* The interactive user interfaces in modified source and object code versions
31		* of this program must display Appropriate Legal Notices, as required under
32		* Section 5 of the GNU Affero General Public License version 3.
33		*
34		* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
35		* these Appropriate Legal Notices must retain the display of the "Powered by
36		* SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
37		* reasonably feasible for technical reasons, the Appropriate Legal Notices must
38		* display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
39		********************************************************************************/
40
41		/*********************************************************************************
42
43		* Description: TODO: To be written.
44		* Portions created by SugarCRM are Copyright (C) SugarCRM, Inc.
45		* All Rights Reserved.
46		* Contributor(s): ______________________________________..
47		********************************************************************************/
48
49
50	1	require_once('include/SugarObjects/templates/person/Person.php');
51
52		// Employee is used to store customer information.
53		class Employee extends Person {
54		// Stored fields
55		var $name = '';
56		var $id;
57		var $is_admin;
58		var $first_name;
59		var $last_name;
60		var $full_name;
61		var $user_name;
62		var $title;
63		var $description;
64		var $department;
65		var $reports_to_id;
66		var $reports_to_name;
67		var $phone_home;
68		var $phone_mobile;
69		var $phone_work;
70		var $phone_other;
71		var $phone_fax;
72		var $email1;
73		var $email2;
74		var $address_street;
75		var $address_city;
76		var $address_state;
77		var $address_postalcode;
78		var $address_country;
79		var $date_entered;
80		var $date_modified;
81		var $modified_user_id;
82		var $created_by;
83		var $created_by_name;
84		var $modified_by_name;
85		var $status;
86		var $messenger_id;
87		var $messenger_type;
88		var $employee_status;
89		var $error_string;
90		public $person_id;
91
92		var $module_dir = "Employees";
93
94
95		var $table_name = "users";
96
97		var $object_name = "Employee";
98		var $user_preferences;
99
100		var $encodeFields = Array("first_name", "last_name", "description");
101
102		// This is used to retrieve related fields from form posts.
103		var $additional_column_fields = Array('reports_to_name');
104
105
106
107		var $new_schema = true;
108
109	15	function __construct() {
110	15	parent::__construct();
111	15	$this->setupCustomFields('Users');
112	15	$this->emailAddress = new SugarEmailAddress();
113	15	}
114
115		/**
116		* @deprecated deprecated since version 7.6, PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code, use __construct instead
117		*/
118		function Employee(){
119		$deprecatedMessage = 'PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code';
120		if(isset($GLOBALS['log'])) {
121		$GLOBALS['log']->deprecated($deprecatedMessage);
122		}
123		else {
124		trigger_error($deprecatedMessage, E_USER_DEPRECATED);
125		}
126		self::__construct();
127		}
128
129
130
131	1	function get_summary_text() {
132	1	$this->_create_proper_name_field();
133	1	return $this->name;
134		}
135
136
137	1	function fill_in_additional_list_fields() {
138	1	$this->fill_in_additional_detail_fields();
139	1	}
140
141	3	function fill_in_additional_detail_fields()
142		{
143	3	global $locale;
144	3	$query = "SELECT u1.first_name, u1.last_name from users u1, users u2 where u1.id = u2.reports_to_id AND u2.id = '$this->id' and u1.deleted=0";
145	3	$result =$this->db->query($query, true, "Error filling in additional detail fields") ;
146
147	3	$row = $this->db->fetchByAssoc($result);
148
149	3	if($row != null)
150		{
151		$this->reports_to_name = stripslashes($locale->getLocaleFormattedName($row['first_name'], $row['last_name']));
152		}
153		else
154		{
155	3	$this->reports_to_name = '';
156		}
157	3	}
158
159		function retrieve_employee_id($employee_name)
160		{
161		$query = "SELECT id from users where user_name='$user_name' AND deleted=0";
162		$result = $this->db->query($query, false,"Error retrieving employee ID: ");
163		$row = $this->db->fetchByAssoc($result);
164		return $row['id'];
165		}
166
167		/**
168		* @return -- returns a list of all employees in the system.
		0 ignored issues – show Documentation introduced 2016-03-07 17:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `--` could not be parsed: Unknown type name "--" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
169		* Portions created by SugarCRM are Copyright (C) SugarCRM, Inc..
170		* All Rights Reserved..
171		* Contributor(s): ______________________________________..
172		*/
173	1	function verify_data()
174		{
175		//none of the checks from the users module are valid here since the user_name and
176		//is_admin_on fields are not editable.
177	1	return TRUE;
178		}
179
180	1	function get_list_view_data(){
181
182	1	$user_fields = parent::get_list_view_data();
183
184		// Copy over the reports_to_name
185	1	if ( isset($GLOBALS['app_list_strings']['messenger_type_dom'][$this->messenger_type]) )
186	1	$user_fields['MESSENGER_TYPE'] = $GLOBALS['app_list_strings']['messenger_type_dom'][$this->messenger_type];
187	1	if ( isset($GLOBALS['app_list_strings']['employee_status_dom'][$this->employee_status]) )
188		$user_fields['EMPLOYEE_STATUS'] = $GLOBALS['app_list_strings']['employee_status_dom'][$this->employee_status];
189	1	$user_fields['REPORTS_TO_NAME'] = $this->reports_to_name;
190
191	1	return $user_fields;
192		}
193
194	1	function list_view_parse_additional_sections(&$list_form/, $xTemplateSection/){
195	1	return $list_form;
196		}
197
198
199	1	function create_export_query($order_by, $where, $relate_link_join = '') {
200	1	include('modules/Employees/field_arrays.php');
201
202	1	$cols = '';
203	1	foreach($fields_array['Employee']['export_fields'] as $field) {
204	1	$cols .= (empty($cols)) ? '' : ', ';
205	1	$cols .= $field;
206		}
207
208	1	$query = "SELECT {$cols} FROM users ";
209
210	1	$where_auto = " users.deleted = 0";
211
212	1	if($where != "")
213	1	$query .= " WHERE $where AND " . $where_auto;
214		else
215	1	$query .= " WHERE " . $where_auto;
216
217	1	if($order_by != "")
218	1	$query .= " ORDER BY $order_by";
219		else
220	1	$query .= " ORDER BY users.user_name";
221
222	1	return $query;
223		}
224
225		//use parent class
226		/**
227		* Generate the name field from the first_name and last_name fields.
228		*/
229		/*
230		function _create_proper_name_field() {
231		global $locale;
232		$full_name = $locale->getLocaleFormattedName($this->first_name, $this->last_name);
233		$this->name = $full_name;
234		$this->full_name = $full_name;
235		}
236		*/
237
238	1	function preprocess_fields_on_save(){
239	1	parent::preprocess_fields_on_save();
240
241	1	}
242
243
244		/**
245		* create_new_list_query
246		*
247		* Return the list query used by the list views and export button. Next generation of create_new_list_query function.
248		*
249		* We overrode this function in the Employees module to add the additional filter check so that we do not retrieve portal users for the Employees list view queries
250		*
251		* @param string $order_by custom order by clause
252		* @param string $where custom where clause
253		* @param array $filter Optioanal
254		* @param array $params Optional *
255		* @param int $show_deleted Optional, default 0, show deleted records is set to 1.
256		* @param string $join_type
257		* @param boolean $return_array Optional, default false, response as array
258		* @param object $parentbean creating a subquery for this bean.
259		* @param boolean $singleSelect Optional, default false.
260		* @return String select query string, optionally an array value will be returned if $return_array= true.
261		*/
262		function create_new_list_query($order_by, $where,$filter=array(),$params=array(), $show_deleted = 0,$join_type='', $return_array = false,$parentbean=null, $singleSelect = false, $ifListForExport = false)
263		{
264		//create the filter for portal only users, as they should not be showing up in query results
265		if(empty($where)){
266		$where = ' users.portal_only = 0 ';
267		}else{
268		$where .= ' and users.portal_only = 0 ';
269		}
270
271		//return parent method, specifying for array to be returned
272		return parent::create_new_list_query($order_by, $where, $filter,$params, $show_deleted, $join_type, $return_array, $parentbean, $singleSelect, $ifListForExport);
273		}
274
275		/*
276		* Overwrite Sugar bean which returns the current objects custom fields. Lets return User custom fields instead
277		*/
278	3	function hasCustomFields()
279		{
280
281		//Check to see if there are custom user fields that we should report on, first check the custom_fields array
282	3	$userCustomfields = !empty($GLOBALS['dictionary']['Employee']['custom_fields']);
283	3	if(!$userCustomfields){
284		//custom Fields not set, so traverse employee fields to see if any custom fields exist
285	3	foreach ($GLOBALS['dictionary']['Employee']['fields'] as $k=>$v){
286	3	if(!empty($v['source']) && $v['source'] == 'custom_fields'){
287		//custom field has been found, set flag to true and break
288		$userCustomfields = true;
289	3	break;
290		}
291
292		}
293		}
294
295		//return result of search for custom fields
296	3	return $userCustomfields;
297		}
298		}
299
300		?>
301

adamjakab / SuiteCRM

Issues (4069)

Security Analysis not enabled

modules/Employees/Employee.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like