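<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2007-2011  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * "Clone template" page (tclone.php).
 *
 * Two entry modes share this script:
 *  - data request (no "submitted" parameter): renders the clone form, pre-filled
 *    with the attributes of the template identified by the "id" parameter;
 *  - form submission ("submitted" == "cloneform"): creates a new template in the
 *    chosen project from the submitted attributes, copies the source template
 *    into it, and answers with the new template id (HTTP 200) or an error text
 *    (via send_http_error()).
 *
 * Access: administrators only; every other user is redirected away before any
 * request data is read.
 *
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/projects.php');
require_once('../dbo/templates.php');
/**#@-*/

init_page(LOAD_INLINE);

// Authorization gate: this page creates and clones templates, so it is
// restricted to administrators. Nothing from the request is read before this.
if (get_user_level() != USER_LEVEL_ADMIN)
{
    debug_write_log(DEBUG_NOTICE, 'User must have admin rights to be allowed.');
    header('HTTP/1.1 307 index.php');
    exit;
}

// check that requested template exists

// "id" is normalized to an integer before use; it is later embedded in
// redirect targets and in the form action, so it must never stay a raw string.
$id       = ustr2int(try_request('id'));
$template = template_find($id);

if (!$template)
{
    debug_write_log(DEBUG_NOTICE, 'Template cannot be found.');
    header('HTTP/1.1 307 index.php');
    exit;
}

// check that templates restriction will not be violated

$rs = dal_query('templates/count.sql');

// MAX_TEMPLATES_NUMBER == 0 means "unlimited"; otherwise refuse to clone once
// the installation-wide template count has reached the limit.
if (MAX_TEMPLATES_NUMBER != 0 && $rs->fetch(0) >= MAX_TEMPLATES_NUMBER)
{
    debug_write_log(DEBUG_NOTICE, 'Maximum amount of templates is already reached.');
    header('HTTP/1.1 307 tview.php?id=' . $id);
    exit;
}

// cloned template has been submitted

if (try_request('submitted') == 'cloneform')
{
    debug_write_log(DEBUG_NOTICE, 'Data are submitted.');

    // NOTE(review): no anti-CSRF token is verified in this file; confirm that
    // init_page()/the engine enforces one, since this branch creates and clones
    // a template on behalf of the administrator.

    $project_id = ustr2int(try_request('project'));
    $project    = project_find($project_id);

    if (!$project)
    {
        debug_write_log(DEBUG_NOTICE, 'Project cannot be found.');
        header('HTTP/1.1 307 tview.php?id=' . $id);
        exit;
    }

    // Read the submitted attributes through try_request() (as "id" and "project"
    // above) instead of indexing $_REQUEST directly, so a missing field does not
    // raise an undefined-index notice. Each value is truncated to the length the
    // storage layer allows; template_validate() checks the content afterwards.
    $template_name   = ustrcut(try_request('template_name'),   MAX_TEMPLATE_NAME);
    $template_prefix = ustrcut(try_request('template_prefix'), MAX_TEMPLATE_PREFIX);
    $critical_age    = ustrcut(try_request('critical_age'),    ustrlen(MAX_TEMPLATE_DAYS_COUNT));
    $frozen_time     = ustrcut(try_request('frozen_time'),     ustrlen(MAX_TEMPLATE_DAYS_COUNT));
    $description     = ustrcut(try_request('description'),     MAX_TEMPLATE_DESCRIPTION);
    $guest_access    = isset($_REQUEST['guest_access']);   // checkbox: presence means "checked"

    $error = template_validate($template_name, $template_prefix, $critical_age, $frozen_time);

    if ($error == NO_ERROR)
    {
        $error = template_create($project_id, $template_name, $template_prefix, $critical_age, $frozen_time, $description, $guest_access);

        if ($error == NO_ERROR)
        {
            // template_create() does not return the new id; look it up by
            // (project, name, prefix) - compared in lower case - to clone into it.
            $rs = dal_query('templates/fndk.sql', $project_id, ustrtolower($template_name), ustrtolower($template_prefix));

            if ($rs->rows == 0)
            {
                // The template was reported created but cannot be found. $id keeps
                // the source template, so the success branch below still answers
                // with it; the status line set here is superseded by the 200 below.
                debug_write_log(DEBUG_WARNING, 'Created template not found.');
                header('HTTP/1.1 307 tview.php?id=' . $id);
            }
            else
            {
                $template_id = $rs->fetch('template_id');
                template_clone($id, $template_id);
                // From here on $id denotes the newly created template, which is
                // what the client is told to open.
                $id = $template_id;
            }
        }
    }

    // Map the outcome to the inline response the form's JS callbacks expect:
    // 200 + id on success (cloneSuccess), otherwise an error text (cloneError).
    switch ($error)
    {
        case NO_ERROR:
            header('HTTP/1.0 200 OK');
            echo($id);
            break;

        case ERROR_INCOMPLETE_FORM:
            send_http_error(get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID));
            break;

        case ERROR_ALREADY_EXISTS:
            send_http_error(get_html_resource(RES_ALERT_TEMPLATE_ALREADY_EXISTS_ID));
            break;

        case ERROR_INVALID_INTEGER_VALUE:
            send_http_error(get_html_resource(RES_ALERT_INVALID_INTEGER_VALUE_ID));
            break;

        case ERROR_INTEGER_VALUE_OUT_OF_RANGE:
            send_http_error(ustrprocess(get_html_resource(RES_ALERT_INTEGER_VALUE_OUT_OF_RANGE_ID), MIN_TEMPLATE_DAYS_COUNT, MAX_TEMPLATE_DAYS_COUNT));
            break;

        default:
            send_http_error(get_html_resource(RES_ALERT_UNKNOWN_ERROR_ID));
    }

    exit;
}
else
{
    debug_write_log(DEBUG_NOTICE, 'Data are being requested.');

    // Pre-fill the form from the source template; these values come from the
    // database, not from the request, and are still HTML-escaped when rendered.
    $error = NO_ERROR;

    $project_id      = $template['project_id'];
    $template_name   = $template['template_name'];
    $template_prefix = $template['template_prefix'];
    $critical_age    = $template['critical_age'];
    $frozen_time     = $template['frozen_time'];
    $description     = $template['description'];
    $guest_access    = $template['guest_access'];
}

// local JS functions

// Resource strings are interpolated into JS string literals below; they are
// localized texts from the resource bundle, not request data.
$resTitle = get_js_resource(RES_ERROR_ID);
$resOK    = get_js_resource(RES_OK_ID);

$xml = <<<JQUERY
<script>

function cloneSuccess (data)
{
    closeModal();
    window.open("tview.php?id=" + data, "_parent");
}

function cloneError (XMLHttpRequest)
{
    jqAlert("{$resTitle}", XMLHttpRequest.responseText, "{$resOK}");
}

</script>
JQUERY;

// generate page

// $id is an integer (see ustr2int above), so it is safe inside the action URL.
$xml .= '<form name="cloneform" action="tclone.php?id=' . $id . '" success="cloneSuccess" error="cloneError">'
      . '<group>'
      . '<control name="project" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
      . '<label>' . get_html_resource(RES_PROJECT_ID) . '</label>'
      . '<combobox>';

$rs = dal_query('projects/list.sql', 'project_name');

// One list item per project; the project the source template belongs to
// (or the one just submitted) is pre-selected. project_name is user-entered
// text and is escaped; project_id is the database key.
while (($row = $rs->fetch()))
{
    $xml .= ($row['project_id'] == $project_id
                ? '<listitem value="' . $row['project_id'] . '" selected="true">'
                : '<listitem value="' . $row['project_id'] . '">')
          . ustr2html($row['project_name'])
          . '</listitem>';
}

// Every pre-filled value passes through ustr2html(); the maxlen attributes
// mirror the ustrcut() limits applied on submission.
$xml .= '</combobox>'
      . '</control>'
      . '<control name="template_name" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
      . '<label>' . get_html_resource(RES_TEMPLATE_NAME_ID) . '</label>'
      . '<editbox maxlen="' . MAX_TEMPLATE_NAME . '">' . ustr2html($template_name) . '</editbox>'
      . '</control>'
      . '<control name="template_prefix" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
      . '<label>' . get_html_resource(RES_TEMPLATE_PREFIX_ID) . '</label>'
      . '<editbox maxlen="' . MAX_TEMPLATE_PREFIX . '">' . ustr2html($template_prefix) . '</editbox>'
      . '</control>'
      . '<control name="critical_age">'
      . '<label>' . get_html_resource(RES_CRITICAL_AGE_ID) . '</label>'
      . '<editbox maxlen="' . ustrlen(MAX_TEMPLATE_DAYS_COUNT) . '">' . ustr2html($critical_age) . '</editbox>'
      . '</control>'
      . '<control name="frozen_time">'
      . '<label>' . get_html_resource(RES_FROZEN_TIME_ID) . '</label>'
      . '<editbox maxlen="' . ustrlen(MAX_TEMPLATE_DAYS_COUNT) . '">' . ustr2html($frozen_time) . '</editbox>'
      . '</control>'
      . '<control name="description">'
      . '<label>' . get_html_resource(RES_DESCRIPTION_ID) . '</label>'
      . '<editbox maxlen="' . MAX_TEMPLATE_DESCRIPTION . '">' . ustr2html($description) . '</editbox>'
      . '</control>'
      . '<control name="guest_access">'
      . '<label/>'
      . ($guest_access
            ? '<checkbox checked="true">'
            : '<checkbox>')
      . get_html_resource(RES_GUEST_ACCESS_ID)
      . '</checkbox>'
      . '</control>'
      . '</group>'
      . '<note>' . get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID) . '</note>'
      . '<note>' . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), get_html_resource(RES_CRITICAL_AGE_ID), MIN_TEMPLATE_DAYS_COUNT, MAX_TEMPLATE_DAYS_COUNT) . '</note>'
      . '<note>' . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), get_html_resource(RES_FROZEN_TIME_ID), MIN_TEMPLATE_DAYS_COUNT, MAX_TEMPLATE_DAYS_COUNT) . '</note>'
      . '</form>';

echo(xml2html($xml));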