Issues (1098)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/records/create.php (27 issues)

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2005-2011  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/accounts.php');
require_once('../dbo/states.php');
require_once('../dbo/fields.php');
require_once('../dbo/values.php');
require_once('../dbo/records.php');
/**#@-*/

init_page(LOAD_INLINE);

$error = NO_ERROR;

// check whether a cloning was requested

$id = ustr2int(try_request('id'));

if ($id == 0)
{
    $parent        = record_find(ustr2int(try_request('parent')));
    $is_dependency = TRUE;

    if ($parent)

Bug / Best Practice: The expression $parent of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using ! empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.
    {
        debug_write_log(DEBUG_NOTICE, 'Data for new subrecord creating are being requested.');
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'Data for new record creating are being requested.');
    }

    if (!can_record_be_created())
    {
        debug_write_log(DEBUG_NOTICE, 'Record cannot be created.');
        header('HTTP/1.1 307 index.php');
        exit;
    }

    $form  = 'projectform';
    $focus = '.project';
    $step  = 1;
}
else
{
    debug_write_log(DEBUG_NOTICE, 'Data for record cloning are being requested.');

    $record        = record_find($id);
    $parent        = FALSE;
    $is_dependency = TRUE;

    if (!$record)

Bug / Best Practice: The expression $record of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements.
    {
        debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
        header('HTTP/1.1 307 index.php');
        exit;
    }

    $permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);

    if (!can_record_be_created())
    {
        debug_write_log(DEBUG_NOTICE, 'Record cannot be cloned.');
        header('HTTP/1.1 307 view.php?id=' . $id);
        exit;
    }

    $subject        = $record['subject'];
    $responsible_id = $record['responsible_id'];
    $project_id     = $record['project_id'];
    $template_id    = $record['template_id'];

    if (DATABASE_DRIVER == DRIVER_ORACLE9)

Code Duplication: This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the "Code" section of your repository.

    {
        $rs = dal_query('records/oracle/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }
    else
    {
        $rs = dal_query('records/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }
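The duplicated Oracle/non-Oracle branches flagged above can be folded into one dispatcher. The following is an added example, not eTraxis code: it keeps the query file names in a fixed allow-list so that only the configured driver, never a request parameter, decides which .sql file dal_query() receives. DATABASE_DRIVER, DRIVER_ORACLE9 and dal_query() are names taken from the listing; the constant value and the stub body of dal_query() are assumptions made so the snippet runs on its own.

```php
<?php
// Added example (not eTraxis code): one dispatcher for the Oracle/other
// dal_query() branches that create.php repeats. The SQL file is chosen from
// a fixed allow-list, never assembled from request data.
// DATABASE_DRIVER, DRIVER_ORACLE9 and dal_query() are eTraxis names from the
// listing; the definitions below are stand-ins for a runnable demo.

if (!defined('DRIVER_ORACLE9')) {
    define('DRIVER_ORACLE9', 'oracle9');       // assumed value
}
if (!defined('DATABASE_DRIVER')) {
    define('DATABASE_DRIVER', DRIVER_ORACLE9); // change to exercise the other branch
}

/** Stand-in for the real dal_query(): records what would have been executed. */
function dal_query($sqlfile, ...$params)
{
    return array('file' => $sqlfile, 'params' => $params, 'rows' => 0);
}

/**
 * Logical query names this script may run. The map is the only place file
 * names appear, so a caller cannot steer dal_query() to an arbitrary file.
 */
function records_query_files()
{
    return array(
        'tfndid' => 'records/tfndid.sql',
        'pfndid' => 'records/pfndid.sql',
        'plist'  => 'records/plist.sql',
        'tlist'  => 'records/tlist.sql',
    );
}

/**
 * Runs a named records query, selecting the Oracle variant when
 * DATABASE_DRIVER == DRIVER_ORACLE9. Unknown names are rejected rather
 * than interpolated into a path.
 */
function records_query($name, ...$params)
{
    $files = records_query_files();
    if (!array_key_exists($name, $files)) {
        throw new InvalidArgumentException("Unknown records query: $name");
    }
    $file = $files[$name];
    if (DATABASE_DRIVER == DRIVER_ORACLE9) {
        // records/tfndid.sql -> records/oracle/tfndid.sql, as in the listing
        $file = preg_replace('#^records/#', 'records/oracle/', $file);
    }
    return dal_query($file, ...$params);
}

// Usage mirroring the clone branch of create.php (constructed values).
$userId     = 7;   // would be $_SESSION[VAR_USERID]
$projectId  = 3;
$templateId = 12;
$rs = records_query('tfndid', $userId, $projectId, $templateId);
printf("%s with %s\n", $rs['file'], implode(', ', $rs['params']));

try {
    records_query('../etc/passwd', $userId); // rejected: not in the allow-list
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Each call site in create.php then becomes a single line such as `$rs = records_query('tfndid', $_SESSION[VAR_USERID], $project_id, $template_id);`, and adding a third driver means touching one function instead of every branch.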

    if ($rs->rows == 0)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter __set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    // Backing store for the documented magic properties.
    private $properties = array();

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        // Reads go through $this->properties; the original example read an
        // undefined local $properties and so always returned null.
        if (isset($this->properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $this->properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $this->properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.
    {
        debug_write_log(DEBUG_NOTICE, 'Template cannot be found.');
        header('HTTP/1.1 307 view.php?id=' . $id);
        exit;
    }
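The $rows warning points at a broader risk with magic getters than missing IDE completion. Below is an added example, not eTraxis code (CRecordset's real implementation is not on this page), using a stand-in recordset class: a __get() that returns null for unknown names turns a typo in a guard such as `if ($rs->rows != 0)` into a guard that silently never fires, because PHP's loose comparison treats null as equal to 0. A getter that throws for undocumented names surfaces the mistake instead.

```php
<?php
// Added example (not eTraxis code). CRecordset and its protected $rows are
// named in the inspection above; StrictRecordset is a stand-in that shows how
// a magic getter should expose $rows and why a silent null from __get() is
// dangerous in checks such as `if ($rs->rows == 0)`.

/**
 * @property-read int $rows
 */
class StrictRecordset
{
    protected $rows;
    private $data;

    public function __construct(array $data)
    {
        $this->data = $data;
        $this->rows = count($data);
    }

    /** Only the documented name is readable; anything else fails loudly. */
    public function __get($name)
    {
        if ($name === 'rows') {
            return $this->rows;
        }
        throw new LogicException("Undefined property: $name");
    }

    public function fetch()
    {
        return array_shift($this->data);
    }
}

/** The permissive variant many code bases ship: unknown names yield null. */
class LenientRecordset extends StrictRecordset
{
    public function __get($name)
    {
        return $name === 'rows' ? parent::__get($name) : null;
    }
}

/** Stand-in for the "template cannot be found" guard in create.php. */
function template_lookup_fails($rs)
{
    return $rs->rows == 0;        // loose comparison, as in the listing
}

/** Stand-in for the "double click" guard, with a typo: 'row' for 'rows'. */
function duplicate_submission($rs)
{
    return $rs->row != 0;
}

// One recent event exists, so a correct guard would flag a duplicate.
$recent = new LenientRecordset(array(array('event_id' => 1)));
printf("lenient getter, typo in guard: duplicate flagged? %s\n",
       duplicate_submission($recent) ? 'yes' : 'no');

try {
    duplicate_submission(new StrictRecordset(array(array('event_id' => 1))));
} catch (LogicException $e) {
    printf("strict getter, typo in guard: %s\n", $e->getMessage());
}

printf("empty recordset treated as not found? %s\n",
       template_lookup_fails(new StrictRecordset(array())) ? 'yes' : 'no');
```

With the lenient getter the misspelt guard answers "no": `null != 0` is false under loose comparison, so the row that should have stopped the submission is ignored and the check fails open. The strict getter raises the LogicException at the first request that reaches the typo, which is the behaviour you want from a guard.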

    $row = $rs->fetch();

    $project_name  = $row['project_name'];
    $template_name = $row['template_name'];
    $state_id      = $row['state_id'];
    $state_name    = $row['state_name'];
    $responsible   = $row['responsible'];

    $form  = 'mainform';
    $focus = '.subject';
    $step  = 3;
}

// project has been selected

if (try_request('submitted') == 'projectform')
{
    debug_write_log(DEBUG_NOTICE, 'Data for step #2 (template) are being requested.');

    $project_id = ustr2int(try_request('project'));

    if (DATABASE_DRIVER == DRIVER_ORACLE9)

Code Duplication: This code seems to be duplicated across your project.

    {
        $rs = dal_query('records/oracle/pfndid.sql', $_SESSION[VAR_USERID], $project_id);
    }
    else
    {
        $rs = dal_query('records/pfndid.sql', $_SESSION[VAR_USERID], $project_id);
    }

    if ($rs->rows == 0)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation.

    {
        debug_write_log(DEBUG_NOTICE, 'Project cannot be found.');
        header('HTTP/1.1 307 index.php');
        exit;
    }

    $project_name = $rs->fetch('project_name');

    $form  = 'templateform';
    $focus = '.template';
    $step  = 2;
}

// template has been selected

elseif (try_request('submitted') == 'templateform')
{
    debug_write_log(DEBUG_NOTICE, 'Data for step #3 (final) are being requested.');

    $subject        = ($parent ? $parent['subject'] : NULL);
    $responsible_id = ($id == 0 ? NULL : $record['responsible_id']);
    $project_id     = ustr2int(try_request('project'));
    $template_id    = ustr2int(try_request('template'));

    if (DATABASE_DRIVER == DRIVER_ORACLE9)

Code Duplication: This code seems to be duplicated across your project.

    {
        $rs = dal_query('records/oracle/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }
    else
    {
        $rs = dal_query('records/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }

    if ($rs->rows == 0)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation.

    {
        debug_write_log(DEBUG_NOTICE, 'Template cannot be found.');
        header('HTTP/1.1 307 index.php');
        exit;
    }

    $row = $rs->fetch();

    $project_name  = $row['project_name'];
    $template_name = $row['template_name'];
    $state_id      = $row['state_id'];
    $state_name    = $row['state_name'];
    $responsible   = $row['responsible'];

    $form  = 'mainform';
    $focus = '.subject';
    $step  = 3;
}

// new record has been submitted

elseif (try_request('submitted') == 'mainform')
{
    debug_write_log(DEBUG_NOTICE, 'Data are submitted.');

    $subject     = ustrcut($_REQUEST['subject'], MAX_RECORD_SUBJECT);
    $project_id  = ustr2int(try_request('project'));
    $template_id = ustr2int(try_request('template'));

    if (DATABASE_DRIVER == DRIVER_ORACLE9)

Code Duplication: This code seems to be duplicated across your project.

    {
        $rs = dal_query('records/oracle/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }
    else
    {
        $rs = dal_query('records/tfndid.sql', $_SESSION[VAR_USERID], $project_id, $template_id);
    }

    if ($rs->rows == 0)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation.

    {
        debug_write_log(DEBUG_NOTICE, 'Template cannot be found.');
        header('HTTP/1.1 307 index.php');
        exit;
    }

    $row = $rs->fetch();

    $project_name  = $row['project_name'];
    $template_name = $row['template_name'];
    $state_id      = $row['state_id'];
    $state_name    = $row['state_name'];
    $responsible   = $row['responsible'];

    $rs = dal_query('records/efnd.sql', $_SESSION[VAR_USERID], EVENT_RECORD_CREATED, time() - 3, $state_id);

    if ($rs->rows != 0)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation.

    {
        debug_write_log(DEBUG_NOTICE, 'Double click issue is detected.');
        header('HTTP/1.1 307 index.php');
        exit;
    }
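The "double click" check above asks the database whether the current user already raised EVENT_RECORD_CREATED in this state during the last three seconds. That is a heuristic: two submissions arriving within the same few milliseconds can both run the query before either inserts, and a legitimate second record created within three seconds is rejected. The following is an added example, not eTraxis code, of the alternative: a random per-form token stored in the session and consumed exactly once. The session key, the TTL and the array-backed session are assumptions made so the snippet runs outside a web server; in create.php the token would travel as a hidden field of mainform and $_SESSION would hold the table.

```php
<?php
// Added example (not eTraxis code). Replaces the three-second
// EVENT_RECORD_CREATED heuristic with a per-form one-time token: each
// rendered form carries a random token stored in the session, and a
// submission is accepted only if it presents a token that is still unused.
// The session is simulated with an array so the example runs from the CLI.

const FORM_TOKEN_KEY = 'create_record_tokens';   // assumed session key name
const FORM_TOKEN_TTL = 900;                      // assumed lifetime of a rendered form, seconds

/** Issue a token when the form is rendered; embed it as a hidden field. */
function form_token_issue(array &$session, $now)
{
    $token = bin2hex(random_bytes(16));
    $session[FORM_TOKEN_KEY][$token] = $now;
    return $token;
}

/**
 * Consume a token on submission. Returns true once per token: the entry is
 * removed before any work is done, so a replayed or double-clicked
 * submission carrying the same token finds nothing to consume.
 */
function form_token_consume(array &$session, $token, $now)
{
    if (!is_string($token) || !isset($session[FORM_TOKEN_KEY][$token])) {
        return false;
    }
    $issued = $session[FORM_TOKEN_KEY][$token];
    unset($session[FORM_TOKEN_KEY][$token]);
    return ($now - $issued) <= FORM_TOKEN_TTL;
}

/** Drop expired tokens so the session does not grow without bound. */
function form_token_prune(array &$session, $now)
{
    foreach ((array) ($session[FORM_TOKEN_KEY] ?? array()) as $token => $issued) {
        if ($now - $issued > FORM_TOKEN_TTL) {
            unset($session[FORM_TOKEN_KEY][$token]);
        }
    }
}

// Walk-through with a constructed session and a constructed clock.
$session = array();
$t0 = 1700000000;

$token   = form_token_issue($session, $t0);                   // form rendered
$first   = form_token_consume($session, $token, $t0 + 1);     // first submit
$second  = form_token_consume($session, $token, $t0 + 2);     // double click or replay
$forged  = form_token_consume($session, 'bogus', $t0 + 2);    // token never issued

$stale   = form_token_issue($session, $t0);
$expired = form_token_consume($session, $stale, $t0 + FORM_TOKEN_TTL + 1);

form_token_prune($session, $t0 + FORM_TOKEN_TTL + 1);

foreach (array('first' => $first, 'second' => $second,
               'forged' => $forged, 'expired' => $expired) as $label => $ok) {
    printf("%-8s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
printf("tokens left in session: %d\n", count($session[FORM_TOKEN_KEY]));
```

The first consume call is accepted and every later presentation of the same token, however long the delay, is rejected, as are the forged and the expired token. Because the value is unguessable and bound to the session, the same hidden field also serves as a synchronizer-pattern CSRF token for the form; the three-second query can stay as defence in depth, but it should not be the only guard.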
243
244
    $responsible_id = try_request('responsible');
245
    $is_dependency  = isset($_REQUEST['is_dependency']);
246
247
    $error = record_validate(OPERATION_CREATE_RECORD, $subject, NULL, $state_id);
248
249
    if ($error == NO_ERROR)
250
    {
251
        $record_id = 0;
252
253
        $error = record_create($record_id,
254
                               $subject,
255
                               $state_id,
256
                               $responsible_id,
257
                               $id);
258
259
        if ($error == NO_ERROR)
260
        {
261
            if ($parent)
262
            {
263
                subrecord_add($parent['record_id'], $record_id, $is_dependency);
264
            }
265
266
            /* temporarily disabled
267
            if (isset($_REQUEST['attachname']) && ATTACHMENTS_ENABLED)
268
            {
269
                $attachname = ustrcut($_REQUEST['attachname'], MAX_ATTACHMENT_NAME);
270
                attachment_add($record_id, $attachname, $_FILES['attachfile']);
271
            }
272
            */
273
274
            record_read($record_id);
275
        }
276
    }
277
278
    switch ($error)
279
    {
280 View Code Duplication
        case NO_ERROR:
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
281
282
            header('HTTP/1.0 200 OK');
283
284
            if ($parent)
285
            {
286
                $rs = dal_query('depends/list.sql', $parent['record_id']);
287
                echo(sprintf('%s (%u)', get_html_resource(RES_SUBRECORDS_ID), $rs->rows));
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
288
            }
289
            else
290
            {
291
                echo($record_id);
292
            }
293
294
            break;
295
296
        case ERROR_INCOMPLETE_FORM:
297
            send_http_error(get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID));
298
            break;
299
300
        case ERROR_INVALID_INTEGER_VALUE:
301
            send_http_error(get_html_resource(RES_ALERT_INVALID_INTEGER_VALUE_ID));
302
            break;
303
304
        case ERROR_INVALID_FLOAT_VALUE:
305
            send_http_error(get_html_resource(RES_ALERT_INVALID_DECIMAL_VALUE_ID));
306
            break;
307
308
        case ERROR_INVALID_DATE_VALUE:
309
            send_http_error(get_html_resource(RES_ALERT_INVALID_DATE_VALUE_ID));
310
            break;
311
312
        case ERROR_INVALID_TIME_VALUE:
313
            send_http_error(get_html_resource(RES_ALERT_INVALID_TIME_VALUE_ID));
314
            break;
315
316
        case ERROR_INTEGER_VALUE_OUT_OF_RANGE:
317
        case ERROR_FLOAT_VALUE_OUT_OF_RANGE:
318
        case ERROR_DATE_VALUE_OUT_OF_RANGE:
319
        case ERROR_TIME_VALUE_OUT_OF_RANGE:
320
            send_http_error(ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), $_SESSION['FIELD_NAME'], $_SESSION['MIN_FIELD_INTEGER'], $_SESSION['MAX_FIELD_INTEGER']));
321
            unset($_SESSION['FIELD_NAME']);
322
            unset($_SESSION['MIN_FIELD_INTEGER']);
323
            unset($_SESSION['MAX_FIELD_INTEGER']);
324
            break;
325
326
        case ERROR_RECORD_NOT_FOUND:
327
            send_http_error(get_html_resource(RES_ALERT_RECORD_NOT_FOUND_ID));
328
            break;
329
330
        case ERROR_VALUE_FAILS_REGEX_CHECK:
331
            send_http_error(ustrprocess(get_html_resource(RES_ALERT_VALUE_FAILS_REGEX_CHECK_ID), $_SESSION['FIELD_NAME'], $_SESSION['FIELD_VALUE']));
332
            unset($_SESSION['FIELD_NAME']);
333
            unset($_SESSION['FIELD_VALUE']);
334
            break;
335
336
        default:
337
            send_http_error(get_html_resource(RES_ALERT_UNKNOWN_ERROR_ID));
338
    }
339
340
    exit;
341
}
342
343
// local JS functions
344
345
$resTitle = get_js_resource(RES_ERROR_ID);
346
$resOK    = get_js_resource(RES_OK_ID);
347
348
$xml = <<<JQUERY
349
<script>
350
351
function cloneSuccess (data)
352
{
353
    var index = $("#tabs").tabs("option", "selected") + 1;
354
    $("[href=#ui-tabs-" + index + "]").html(data);
355
356
    closeModal();
357
    reloadTab();
358
}
359
360
function createSuccess (data)
361
{
362
    closeModal();
363
    window.open("view.php?id=" + data, "_parent");
364
}
365
366
function createError (XMLHttpRequest)
367
{
368
    jqAlert("{$resTitle}", XMLHttpRequest.responseText, "{$resOK}");
369
}
370
371
</script>
372
JQUERY;
373
374
// generate general information
375
376
$xml .= '<form name="' . $form . '" action="create.php' . ($id == 0 ? ($parent ? '?parent=' . $parent['record_id'] : NULL) : '?id=' . $id) . '" success=' . ($parent ? '"cloneSuccess"' : '"createSuccess"') . ' error="createError">'
377
      . '<group>';
378
379
if ($step == 1)
380
{
381
    debug_write_log(DEBUG_NOTICE, 'Step #1 (project) is being proceeded.');
382
383
    $xml .= '<control name="project" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
384
          . '<label>' . get_html_resource(RES_PROJECT_ID) . '</label>'
385
          . '<combobox>';
386
387
    if (DATABASE_DRIVER == DRIVER_ORACLE9)
388
    {
389
        $rs = dal_query('records/oracle/plist.sql', $_SESSION[VAR_USERID]);
390
    }
391
    else
392
    {
393
        $rs = dal_query('records/plist.sql', $_SESSION[VAR_USERID]);
394
    }
395
396
    if ($rs->rows == 1)
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
397
    {
398
        debug_write_log(DEBUG_NOTICE, 'One project only is found.');
399
    }
400
401 View Code Duplication
    while (($row = $rs->fetch()))
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
402
    {
403
        $xml .= ($parent && $parent['project_id'] == $row['project_id']
404
                    ? '<listitem value="' . $row['project_id'] . '" selected="true">'
405
                    : '<listitem value="' . $row['project_id'] . '">')
406
              . ustr2html($row['project_name'])
407
              . '</listitem>';
408
    }
409
410
    $xml .= '</combobox>'
411
          . '</control>';
412
}
413
else
414
{
415
    $xml .= '<control name="project">'
416
          . '<label>' . get_html_resource(RES_PROJECT_ID) . '</label>'
417
          . '<combobox>'
418
          . '<listitem value="' . $project_id . '">' . ustr2html($project_name) . '</listitem>'
419
          . '</combobox>'
420
          . '</control>';
421
422
    if ($step == 2)
423
    {
424
        debug_write_log(DEBUG_NOTICE, 'Step #2 (template) is being proceeded.');
425
426
        $xml .= '<control name="template" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
427
              . '<label>' . get_html_resource(RES_TEMPLATE_ID) . '</label>'
428
              . '<combobox>';
429
430 View Code Duplication
        if (DATABASE_DRIVER == DRIVER_ORACLE9)
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
431
        {
432
            $rs = dal_query('records/oracle/tlist.sql', $_SESSION[VAR_USERID], $project_id);
433
        }
434
        else
435
        {
436
            $rs = dal_query('records/tlist.sql', $_SESSION[VAR_USERID], $project_id);
437
        }
438
439
        if ($rs->rows == 1)

The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter __set(), this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties = array();

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        // Only whitelisted names are readable; unknown or unset names yield null.
        if (isset($this->properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $this->properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        // Writes to names outside the whitelist are rejected instead of silently creating them.
        if (in_array($name, $this->allowedProperties)) {
            $this->properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

        {
            debug_write_log(DEBUG_NOTICE, 'One template only is found.');
        }

        while (($row = $rs->fetch()))
        {
            // Pre-select the parent's template when a parent record is given.
            $xml .= ($parent && $parent['template_id'] == $row['template_id']
                        ? '<listitem value="' . $row['template_id'] . '" selected="true">'
                        : '<listitem value="' . $row['template_id'] . '">')
                  . ustr2html($row['template_name'])
                  . '</listitem>';
        }

        $xml .= '</combobox>'
              . '</control>';
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'Step #3 (final) is being proceeded.');

        $xml .= '<control name="template">'
              . '<label>' . get_html_resource(RES_TEMPLATE_ID) . '</label>'
              . '<combobox>'
              . '<listitem value="' . $template_id . '">' . ustr2html($template_name) . '</listitem>'
              . '</combobox>'
              . '</control>'
              . '<control name="subject" required="' . get_html_resource(RES_REQUIRED3_ID) . '" description="true">'
              . '<label>' . get_html_resource(RES_SUBJECT_ID) . '</label>'
              . '<editbox maxlen="' . MAX_RECORD_SUBJECT . '">' . ustr2html($subject) . '</editbox>'
              . '<description>'
              . get_html_resource(RES_ALERT_SPECIFY_SHORT_DESCRIPTION_ID)
              . '</description>'
              . '</control>';

        if ($responsible == STATE_RESPONSIBLE_ASSIGN)
        {
            debug_write_log(DEBUG_NOTICE, 'Record should be assigned.');

            $rs = dal_query('records/responsibles.sql', $state_id, $_SESSION[VAR_USERID]);

            if ($rs->rows != 0)
            {
                $xml .= '<control name="responsible" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
                      . '<label>' . get_html_resource(RES_RESPONSIBLE_ID) . '</label>'
                      . '<combobox>';

                while (($row = $rs->fetch()))
                {
                    $xml .= ($row['account_id'] == $responsible_id
                                ? '<listitem value="' . $row['account_id'] . '" selected="true">'
                                : '<listitem value="' . $row['account_id'] . '">')
                          . ustr2html(sprintf('%s (%s)', $row['fullname'], account_get_username($row['username'])))
                          . '</listitem>';
                }

                $xml .= '</combobox>'
                      . '</control>';
            }
        }

        if ($parent)
        {
            $xml .= '<control name="is_dependency">'
                  . ($is_dependency
                        ? '<checkbox checked="true">'
                        : '<checkbox>')
                  . get_html_resource(RES_DEPENDENCY_ID)
                  . '</checkbox>'
                  . '</control>';
        }
    }
}

$xml .= '</group>';

// go through the list of all fields of initial state

$flag   = FALSE;    // set once a string or multilined field is rendered (enables the "link to another record" note)
$script = NULL;     // collected <onready> JavaScript for the form
$notes  = '<note>' . get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID) . '</note>';

if ($step == 3)
{
    $rs = dal_query('fields/list.sql', $state_id, 'field_order');

    if ($rs->rows == 0)
    {
        debug_write_log(DEBUG_NOTICE, 'No fields for initial state are found.');
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'Fields of initial state are being enumerated.');

        $xml .= '<group title="' . ustr2html($state_name) . '">';

        while (($row = $rs->fetch()))
        {
            $name  = 'field' . $row['field_id'];
            $value = NULL;

            // When an existing record id is given, take the field value from that record;
            // otherwise fall back to the field's default value, if any.
            if ($id != 0)
            {
                $rsv = dal_query('values/fndk.sql', $id, $row['field_id']);

                if ($rsv->rows != 0)
                {
                    $value = value_find($row['field_type'], $rsv->fetch('value_id'));
                }
                elseif (!is_null($row['value_id']))
                {
                    $value = value_find($row['field_type'], ($row['field_type'] == FIELD_TYPE_DATE ? date_offset(time(), $row['value_id']) : $row['value_id']));
                }
            }
            elseif (!is_null($row['value_id']))
            {
                $value = value_find($row['field_type'], ($row['field_type'] == FIELD_TYPE_DATE ? date_offset(time(), $row['value_id']) : $row['value_id']));
            }

            $xml .= '<control name="' . $name . '"'
                  . ($row['is_required'] && $row['field_type'] != FIELD_TYPE_CHECKBOX
                        ? ' required="' . get_html_resource(RES_REQUIRED3_ID) . '"'
                        : NULL)
                  . (ustrlen($row['description']) != 0
                        ? ' description="true"'
                        : NULL)
                  . '>';

            switch ($row['field_type'])
            {
                // Each field type renders its own control; request-supplied text goes through
                // ustr2html() before it is embedded in the XML.
                case FIELD_TYPE_NUMBER:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<editbox maxlen="' . (ustrlen(MAX_FIELD_INTEGER) + 1) . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $notes .= '<note>'
                            . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), $row['param1'], $row['param2'])
                            . '</note>';

                    break;

                case FIELD_TYPE_FLOAT:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<editbox maxlen="' . ustrlen(MAX_FIELD_FLOAT) . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $notes .= '<note>'
                            . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID),
                                          ustr2html($row['field_name']),
                                          value_find(FIELD_TYPE_FLOAT, $row['param1']),
                                          value_find(FIELD_TYPE_FLOAT, $row['param2']))
                            . '</note>';

                    break;

                case FIELD_TYPE_STRING:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<editbox maxlen="' . $row['param1'] . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $flag = TRUE;

                    break;

                case FIELD_TYPE_MULTILINED:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<textbox rows="' . $_SESSION[VAR_TEXTROWS] . '" maxlen="' . MAX_FIELD_MULTILINED . '">'
                          . ustr2html(try_request($name, $value))
                          . '</textbox>';

                    $flag = TRUE;

                    break;

                case FIELD_TYPE_CHECKBOX:

                    // On a submitted form an unchecked box is simply absent from the request,
                    // so presence of the name in $_REQUEST is the value.
                    $user_value = (try_request('submitted') == 'mainform')
                                ? isset($_REQUEST[$name])
                                : $value;

                    $xml .= '<label/>';

                    $xml .= ($user_value
                                ? '<checkbox checked="true">'
                                : '<checkbox>')
                          . ustr2html($row['field_name'])
                          . '</checkbox>';

                    break;

                case FIELD_TYPE_LIST:

                    $selected = try_request($name, $value);

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<combobox>'
                          . '<listitem value=""/>';

                    $rsv = dal_query('values/lvlist.sql', $row['field_id']);

                    while (($item = $rsv->fetch()))
                    {
                        $xml .= ($selected == $item['int_value']
                                    ? '<listitem value="' . $item['int_value'] . '" selected="true">'
                                    : '<listitem value="' . $item['int_value'] . '">')
                              . ustr2html($item['str_value'])
                              . '</listitem>';
                    }

                    $xml .= '</combobox>';

                    break;

                case FIELD_TYPE_RECORD:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<editbox maxlen="' . ustrlen(MAXINT) . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $notes .= '<note>'
                            . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), 1, MAXINT)
                            . '</note>';

                    break;

                case FIELD_TYPE_DATE:

                    $today = time();

                    $row['param1'] = date_offset($today, $row['param1']);
                    $row['param2'] = date_offset($today, $row['param2']);

                    $xml .= '<label>' . sprintf('%s (%s)', ustr2html($row['field_name']), get_date_format_str()) . '</label>';

                    $xml .= '<editbox maxlen="' . ustrlen(get_date(SAMPLE_DATE)) . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $notes .= '<note>'
                            . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), get_date($row['param1']), get_date($row['param2']))
                            . '</note>';

                    $script .= '<onready>'
                             . '$("#' . $name . '").datepicker($.datepicker.regional["' . $_SESSION[VAR_LOCALE] . '"]);'
                             . '</onready>';

                    break;

                case FIELD_TYPE_DURATION:

                    $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                    $xml .= '<editbox maxlen="' . ustrlen(time2ustr(MAX_FIELD_DURATION)) . '">'
                          . ustr2html(try_request($name, $value))
                          . '</editbox>';

                    $notes .= '<note>'
                            . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), time2ustr($row['param1']), time2ustr($row['param2']))
                            . '</note>';

                    break;

                default:

                    debug_write_log(DEBUG_WARNING, 'Unknown field type = ' . $row['field_type']);
            }

            if (ustrlen($row['description']) != 0)
            {
                $xml .= '<description>'
                      . update_references($row['description'], BBCODE_ALL)
                      . '</description>';
            }

            $xml .= '</control>';

            if ($row['add_separator'])
            {
                $xml .= '<hr/>';
            }
        }

        $xml .= '</group>';
    }

    $permissions = record_get_permissions($template_id, $_SESSION[VAR_USERID], 0);

    /* temporarily disabled
    if (get_user_level() != USER_LEVEL_GUEST &&
        ($permissions & PERMIT_ATTACH_FILES) &&
        ATTACHMENTS_ENABLED)
    {
        $xml .= '<group title="' . get_html_resource(RES_ATTACH_FILE_ID) . '">'
              . '<control name="attachname">'
              . '<label>' . get_html_resource(RES_ATTACHMENT_NAME_ID) . '</label>'
              . '<editbox maxlen="' . MAX_ATTACHMENT_NAME . '"/>'
              . '</control>'
              . '<control name="attachfile">'
              . '<label>' . get_html_resource(RES_ATTACHMENT_FILE_ID) . '</label>'
              . '<filebox/>'
              . '</control>'
              . '</group>';

        $notes .= '<note>' . ustrprocess(get_html_resource(RES_ALERT_UPLOAD_FORM_SIZE_ID), ATTACHMENTS_MAXSIZE) . '</note>';
    }
    */
}

if ($flag)
{
    $notes .= '<note>' . get_html_resource(RES_LINK_TO_ANOTHER_RECORD_ID) . '</note>';
}

$xml .= $notes
      . '</form>'
      . '<script>'
      . $script
      . '</script>';

echo(xml2html($xml));

?>

It is not recommended to use PHP's closing tag ?> in files other than templates.

Using a closing tag in PHP files that only contain PHP code is not recommended as you might accidentally add whitespace after the closing tag which would then be output by PHP. This can cause severe problems, for example headers cannot be sent anymore.

A simple precaution is to leave off the closing tag as it is not required, and it also has no negative effects whatsoever.