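<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2005-2010  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * Record "changes" tab: renders the paged, sortable list of field changes of one record.
 *
 * Request input: 'id' (record ID), plus whatever changes_list() reads for sorting/paging.
 *
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/accounts.php');
require_once('../dbo/fields.php');
require_once('../dbo/values.php');
require_once('../dbo/records.php');
/**#@-*/

/**
 * Converts a stored field value into the form shown in the changes list.
 *
 * The same per-type rules apply to the old and the new value of a change, so
 * both sides go through this one helper instead of two parallel if-chains.
 *
 * @param  int   $field_type One of the FIELD_TYPE_* constants of the changed field.
 * @param  int   $field_id   ID of the changed field (needed to resolve list items).
 * @param  mixed $value      Raw value as returned by value_find().
 * @return mixed NULL when there is nothing to show (caller renders RES_NONE_ID),
 *               otherwise the display value.
 */
function changes_format_value($field_type, $field_id, $value)
{
    if ($field_type == FIELD_TYPE_CHECKBOX)
    {
        // a checkbox is always rendered as Yes/No, even when the stored value is NULL
        return get_html_resource($value ? RES_YES_ID : RES_NO_ID);
    }

    if (is_null($value))
    {
        return NULL;
    }

    // loose comparison on purpose: same semantics as the original '==' checks
    switch ($field_type)
    {
        case FIELD_TYPE_LIST:
            return value_find_listvalue($field_id, $value);

        case FIELD_TYPE_RECORD:
            return 'rec#' . $value;

        case FIELD_TYPE_DATE:
            return get_date(ustr2date($value));

        default:
            return $value;
    }
}

init_page(LOAD_TAB, GUEST_IS_ALLOWED);

// check that requested record exists

// 'id' is request-controlled; ustr2int() reduces it to an integer before it reaches
// the data layer or is echoed back inside the URLs generated below.
$id     = ustr2int(try_request('id'));
$record = record_find($id);

if (!$record)
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
    exit;
}

// get current user's permissions and verify them
// (must stay ahead of record_read() and of any output: a caller who may not view
// the record gets the same silent exit as for a missing one)

$permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);

if (!can_record_be_displayed($permissions))
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be displayed.');
    exit;
}

// mark the record as read

record_read($id);

// get the list of changes

// NOTE(review): $sort and $page are read below, so changes_list() presumably fills
// them in by reference - confirm against dbo/records.php.
$sort = $page = NULL;
$list = changes_list($id,
                     $record['creator_id'],
                     is_null($record['responsible_id']) ? 0 : $record['responsible_id'],
                     $sort, $page);

// start from an empty string rather than NULL so the '.=' below always appends to a string
$xml = '';

if ($list->rows == 0)
{
    debug_write_log(DEBUG_NOTICE, 'List of changes is empty.');

    $xml .= '<text>' . get_html_resource(RES_NONE2_ID) . '</text>';
}
else
{
    // generate list header

    $columns = array
    (
        RES_TIMESTAMP_ID,
        RES_ORIGINATOR_ID,
        RES_FIELD_NAME_ID,
        RES_OLD_VALUE_ID,
        RES_NEW_VALUE_ID,
    );

    $columns_count  = count($columns);
    $sortable_count = 3;    // timestamp, originator and field name are sortable; old/new value are not

    $rec_from = $rec_to = 0;

    $bookmarks = gen_xml_bookmarks($page, $list->rows, $rec_from, $rec_to, 'changes.php?id=' . $id . '&');

    $xml .= '<list>'
          . '<hrow>';

    for ($i = 1; $i <= $columns_count; $i++)
    {
        $caption = get_html_resource($columns[$i - 1]);

        if ($i <= $sortable_count)
        {
            // a column that is already the sort key gets its code shifted past the
            // column count (presumably "same column, reversed order" - see changes_list())
            $smode = ($sort == $i ? ($i + $columns_count) : $i);

            $xml .= "<hcell url=\"changes.php?id={$id}&sort={$smode}\">" . $caption . '</hcell>';
        }
        else
        {
            $xml .= '<hcell>' . $caption . '</hcell>';
        }
    }

    $xml .= '</hrow>';

    // go through the list of changes

    $list->seek($rec_from - 1);

    for ($i = $rec_from; $i <= $rec_to; $i++)
    {
        $row = $list->fetch();

        if (!$row)
        {
            // bookmarks and recordset disagree on the row count: stop instead of rendering empty cells
            break;
        }

        $old_value = changes_format_value($row['field_type'], $row['field_id'], value_find($row['field_type'], $row['old_value_id']));
        $new_value = changes_format_value($row['field_type'], $row['field_id'], value_find($row['field_type'], $row['new_value_id']));

        // NOTE(review): ustr2html() escapes the user-supplied names; update_references() is
        // assumed to escape its argument as well (list items and field values originate from
        // users) - verify that before relying on it.
        $xml .= '<row>'
              . '<cell>' . get_datetime($row['event_time']) . '</cell>'
              . '<cell>' . ustr2html(sprintf('%s (%s)', $row['fullname'], account_get_username($row['username']))) . '</cell>'
              . '<cell>' . (is_null($row['field_name']) ? get_html_resource(RES_SUBJECT_ID) : ustr2html($row['field_name'])) . '</cell>'
              . '<cell>' . (is_null($old_value) ? get_html_resource(RES_NONE_ID) : update_references($old_value)) . '</cell>'
              . '<cell>' . (is_null($new_value) ? get_html_resource(RES_NONE_ID) : update_references($new_value)) . '</cell>'
              . '</row>';
    }

    $xml .= '</list>'
          . $bookmarks;
}

echo xml2html($xml);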