This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | //------------------------------------------------------------------------------ |
||
4 | // |
||
5 | // eTraxis - Records tracking web-based system |
||
6 | // Copyright (C) 2005-2011 Artem Rodygin |
||
7 | // |
||
8 | // This program is free software: you can redistribute it and/or modify |
||
9 | // it under the terms of the GNU General Public License as published by |
||
10 | // the Free Software Foundation, either version 3 of the License, or |
||
11 | // (at your option) any later version. |
||
12 | // |
||
13 | // This program is distributed in the hope that it will be useful, |
||
14 | // but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
15 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
16 | // GNU General Public License for more details. |
||
17 | // |
||
18 | // You should have received a copy of the GNU General Public License |
||
19 | // along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
20 | // |
||
21 | //------------------------------------------------------------------------------ |
||
22 | |||
23 | /** |
||
24 | * @package eTraxis |
||
25 | * @ignore |
||
26 | */ |
||
27 | |||
28 | /**#@+ |
||
29 | * Dependency. |
||
30 | */ |
||
31 | require_once('../engine/engine.php'); |
||
32 | require_once('../dbo/fields.php'); |
||
33 | require_once('../dbo/values.php'); |
||
34 | require_once('../dbo/records.php'); |
||
35 | /**#@-*/ |
||
36 | |||
37 | init_page(LOAD_INLINE); |
||
38 | |||
39 | $error = NO_ERROR; |
||
40 | |||
41 | // check that requested record exists |
||
42 | |||
43 | $id = ustr2int(try_request('id')); |
||
44 | $record = record_find($id); |
||
45 | |||
46 | if (!$record) |
||
47 | { |
||
48 | debug_write_log(DEBUG_NOTICE, 'Record cannot be found.'); |
||
49 | header('HTTP/1.1 307 index.php'); |
||
50 | exit; |
||
51 | } |
||
52 | |||
53 | // get current user's permissions and verify them |
||
54 | |||
55 | $permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']); |
||
56 | |||
57 | View Code Duplication | if (!can_record_be_modified($record, $permissions)) |
|
58 | { |
||
59 | debug_write_log(DEBUG_NOTICE, 'Record cannot be modified.'); |
||
60 | header('HTTP/1.1 307 view.php?id=' . $id); |
||
61 | exit; |
||
62 | } |
||
63 | |||
64 | // modification form is submitted |
||
65 | |||
66 | if (try_request('submitted') == 'modifyform') |
||
67 | { |
||
68 | debug_write_log(DEBUG_NOTICE, 'Data are submitted.'); |
||
69 | |||
70 | $subject = ustrcut($_REQUEST['subject'], MAX_RECORD_SUBJECT); |
||
71 | |||
72 | $rs = dal_query('records/elist.sql', $id); |
||
73 | |||
74 | while (($row = $rs->fetch()) && ($error == NO_ERROR)) |
||
75 | { |
||
76 | $error = record_validate(OPERATION_MODIFY_RECORD, $subject, $id, $row['state_id'], $record['creator_id'], $record['responsible_id']); |
||
77 | } |
||
78 | |||
79 | if ($error == NO_ERROR) |
||
80 | { |
||
81 | $error = record_modify($id, $subject, $record['creator_id'], $record['responsible_id']); |
||
82 | } |
||
83 | |||
84 | View Code Duplication | switch ($error) |
|
85 | { |
||
86 | case NO_ERROR: |
||
87 | header('HTTP/1.0 200 OK'); |
||
88 | break; |
||
89 | |||
90 | case ERROR_INCOMPLETE_FORM: |
||
91 | send_http_error(get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID)); |
||
92 | break; |
||
93 | |||
94 | case ERROR_INVALID_INTEGER_VALUE: |
||
95 | send_http_error(get_html_resource(RES_ALERT_INVALID_INTEGER_VALUE_ID)); |
||
96 | break; |
||
97 | |||
98 | case ERROR_INVALID_FLOAT_VALUE: |
||
99 | send_http_error(get_html_resource(RES_ALERT_INVALID_DECIMAL_VALUE_ID)); |
||
100 | break; |
||
101 | |||
102 | case ERROR_INVALID_DATE_VALUE: |
||
103 | send_http_error(get_html_resource(RES_ALERT_INVALID_DATE_VALUE_ID)); |
||
104 | break; |
||
105 | |||
106 | case ERROR_INVALID_TIME_VALUE: |
||
107 | send_http_error(get_html_resource(RES_ALERT_INVALID_TIME_VALUE_ID)); |
||
108 | break; |
||
109 | |||
110 | case ERROR_INTEGER_VALUE_OUT_OF_RANGE: |
||
111 | case ERROR_FLOAT_VALUE_OUT_OF_RANGE: |
||
112 | case ERROR_DATE_VALUE_OUT_OF_RANGE: |
||
113 | case ERROR_TIME_VALUE_OUT_OF_RANGE: |
||
114 | send_http_error(ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), $_SESSION['FIELD_NAME'], $_SESSION['MIN_FIELD_INTEGER'], $_SESSION['MAX_FIELD_INTEGER'])); |
||
115 | unset($_SESSION['FIELD_NAME']); |
||
116 | unset($_SESSION['MIN_FIELD_INTEGER']); |
||
117 | unset($_SESSION['MAX_FIELD_INTEGER']); |
||
118 | break; |
||
119 | |||
120 | case ERROR_RECORD_NOT_FOUND: |
||
121 | send_http_error(get_html_resource(RES_ALERT_RECORD_NOT_FOUND_ID)); |
||
122 | break; |
||
123 | |||
124 | case ERROR_VALUE_FAILS_REGEX_CHECK: |
||
125 | send_http_error(ustrprocess(get_html_resource(RES_ALERT_VALUE_FAILS_REGEX_CHECK_ID), $_SESSION['FIELD_NAME'], $_SESSION['FIELD_VALUE'])); |
||
126 | unset($_SESSION['FIELD_NAME']); |
||
127 | unset($_SESSION['FIELD_VALUE']); |
||
128 | break; |
||
129 | |||
130 | default: |
||
131 | send_http_error(get_html_resource(RES_ALERT_UNKNOWN_ERROR_ID)); |
||
132 | } |
||
133 | |||
134 | exit; |
||
135 | } |
||
136 | else |
||
137 | { |
||
138 | debug_write_log(DEBUG_NOTICE, 'Data are being requested.'); |
||
139 | |||
140 | $subject = $record['subject']; |
||
141 | } |
||
142 | |||
143 | // local JS functions |
||
144 | |||
145 | $resTitle = get_js_resource(RES_ERROR_ID); |
||
146 | $resOK = get_js_resource(RES_OK_ID); |
||
147 | |||
148 | $xml = <<<JQUERY |
||
149 | <script> |
||
150 | |||
151 | function modifySuccess () |
||
152 | { |
||
153 | closeModal(); |
||
154 | $("#tabs").tabs("load", 2); |
||
155 | reloadTab(); |
||
156 | } |
||
157 | |||
158 | function modifyError (XMLHttpRequest) |
||
159 | { |
||
160 | jqAlert("{$resTitle}", XMLHttpRequest.responseText, "{$resOK}"); |
||
161 | } |
||
162 | |||
163 | </script> |
||
164 | JQUERY; |
||
165 | |||
166 | // generate general information |
||
167 | |||
168 | $xml .= '<form name="modifyform" action="modify.php?id=' . $id . '" success="modifySuccess" error="modifyError">' |
||
169 | . '<group>' |
||
170 | . '<control name="subject" required="' . get_html_resource(RES_REQUIRED3_ID) . '" description="true">' |
||
171 | . '<label>' . get_html_resource(RES_SUBJECT_ID) . '</label>' |
||
172 | . '<editbox maxlen="' . MAX_RECORD_SUBJECT . '">' . ustr2html($subject) . '</editbox>' |
||
173 | . '<description>' |
||
174 | . get_html_resource(RES_ALERT_SPECIFY_SHORT_DESCRIPTION_ID) |
||
175 | . '</description>' |
||
176 | . '</control>' |
||
177 | . '</group>'; |
||
178 | |||
179 | // go through the list of all states and their fields |
||
180 | |||
181 | $flag = FALSE; |
||
182 | $script = NULL; |
||
183 | $notes = '<note>' . get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID) . '</note>'; |
||
184 | |||
185 | $states = dal_query('records/elist.sql', $id); |
||
186 | |||
187 | while (($state = $states->fetch())) |
||
188 | { |
||
189 | $fields = dal_query('records/flist.sql', |
||
190 | $id, |
||
191 | $state['state_id'], |
||
192 | $record['creator_id'], |
||
193 | is_null($record['responsible_id']) ? 0 : $record['responsible_id'], |
||
194 | $_SESSION[VAR_USERID], |
||
195 | FIELD_ALLOW_TO_WRITE); |
||
196 | |||
197 | if ($fields->rows != 0) |
||
0 ignored issues
–
show
|
|||
198 | { |
||
199 | $xml .= '<group title="' . ustr2html($state['state_name']) . '">'; |
||
200 | |||
201 | while (($field = $fields->fetch())) |
||
202 | { |
||
203 | $name = 'field' . $field['field_id']; |
||
204 | $value = value_find($field['field_type'], $field['value_id']); |
||
205 | |||
206 | $xml .= '<control name="' . $name . '"' |
||
207 | . ($field['is_required'] |
||
208 | ? ' required="' . get_html_resource(RES_REQUIRED3_ID) . '"' |
||
209 | : NULL) |
||
210 | . (ustrlen($field['description']) != 0 |
||
211 | ? ' description="true"' |
||
212 | : NULL) |
||
213 | . '>'; |
||
214 | |||
215 | View Code Duplication | switch ($field['field_type']) |
|
216 | { |
||
217 | case FIELD_TYPE_NUMBER: |
||
218 | |||
219 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
220 | |||
221 | $xml .= '<editbox maxlen="' . (ustrlen(MAX_FIELD_INTEGER) + 1) . '">' |
||
222 | . ustr2html(try_request($name, $value)) |
||
223 | . '</editbox>'; |
||
224 | |||
225 | $notes .= '<note>' |
||
226 | . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($field['field_name']), $field['param1'], $field['param2']) |
||
227 | . '</note>'; |
||
228 | |||
229 | break; |
||
230 | |||
231 | case FIELD_TYPE_FLOAT: |
||
232 | |||
233 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
234 | |||
235 | $xml .= '<editbox maxlen="' . ustrlen(MAX_FIELD_FLOAT) . '">' |
||
236 | . ustr2html(try_request($name, $value)) |
||
237 | . '</editbox>'; |
||
238 | |||
239 | $notes .= '<note>' |
||
240 | . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), |
||
241 | ustr2html($field['field_name']), |
||
242 | value_find(FIELD_TYPE_FLOAT, $field['param1']), |
||
243 | value_find(FIELD_TYPE_FLOAT, $field['param2'])) |
||
244 | . '</note>'; |
||
245 | |||
246 | break; |
||
247 | |||
248 | case FIELD_TYPE_STRING: |
||
249 | |||
250 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
251 | |||
252 | $xml .= '<editbox maxlen="' . $field['param1'] . '">' |
||
253 | . ustr2html(try_request($name, $value)) |
||
254 | . '</editbox>'; |
||
255 | |||
256 | $flag = TRUE; |
||
257 | |||
258 | break; |
||
259 | |||
260 | case FIELD_TYPE_MULTILINED: |
||
261 | |||
262 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
263 | |||
264 | $xml .= '<textbox rows="' . $_SESSION[VAR_TEXTROWS] . '" maxlen="' . MAX_FIELD_MULTILINED . '">' |
||
265 | . ustr2html(try_request($name, $value)) |
||
266 | . '</textbox>'; |
||
267 | |||
268 | $flag = TRUE; |
||
269 | |||
270 | break; |
||
271 | |||
272 | case FIELD_TYPE_CHECKBOX: |
||
273 | |||
274 | $user_value = (try_request('submitted') == 'mainform') |
||
275 | ? isset($_REQUEST[$name]) |
||
276 | : $value; |
||
277 | |||
278 | $xml .= '<label/>'; |
||
279 | |||
280 | $xml .= ($user_value |
||
281 | ? '<checkbox checked="true">' |
||
282 | : '<checkbox>') |
||
283 | . ustr2html($field['field_name']) |
||
284 | . '</checkbox>'; |
||
285 | |||
286 | break; |
||
287 | |||
288 | case FIELD_TYPE_LIST: |
||
289 | |||
290 | $selected = try_request($name, $value); |
||
291 | |||
292 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
293 | |||
294 | $xml .= '<combobox>' |
||
295 | . '<listitem value=""/>'; |
||
296 | |||
297 | $list = dal_query('values/lvlist.sql', $field['field_id']); |
||
298 | |||
299 | while (($item = $list->fetch())) |
||
300 | { |
||
301 | $xml .= ($selected == $item['int_value'] |
||
302 | ? '<listitem value="' . $item['int_value'] . '" selected="true">' |
||
303 | : '<listitem value="' . $item['int_value'] . '">') |
||
304 | . ustr2html($item['str_value']) |
||
305 | . '</listitem>'; |
||
306 | } |
||
307 | |||
308 | $xml .= '</combobox>'; |
||
309 | |||
310 | break; |
||
311 | |||
312 | case FIELD_TYPE_RECORD: |
||
313 | |||
314 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
315 | |||
316 | $xml .= '<editbox maxlen="' . ustrlen(MAXINT) . '">' |
||
317 | . ustr2html(try_request($name, $value)) |
||
318 | . '</editbox>'; |
||
319 | |||
320 | $notes .= '<note>' |
||
321 | . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($field['field_name']), 1, MAXINT) |
||
322 | . '</note>'; |
||
323 | |||
324 | break; |
||
325 | |||
326 | case FIELD_TYPE_DATE: |
||
327 | |||
328 | $event_time = $state['event_time']; |
||
329 | |||
330 | $field['param1'] = date_offset($event_time, $field['param1']); |
||
331 | $field['param2'] = date_offset($event_time, $field['param2']); |
||
332 | |||
333 | $xml .= '<label>' . sprintf('%s (%s)', ustr2html($field['field_name']), get_date_format_str()) . '</label>'; |
||
334 | |||
335 | $xml .= '<editbox maxlen="' . ustrlen(get_date(SAMPLE_DATE)) . '">' |
||
336 | . ustr2html(try_request($name, $value)) |
||
337 | . '</editbox>'; |
||
338 | |||
339 | $notes .= '<note>' |
||
340 | . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($field['field_name']), get_date($field['param1']), get_date($field['param2'])) |
||
341 | . '</note>'; |
||
342 | |||
343 | $script .= '$("#' . $name . '").datepicker($.datepicker.regional["' . $_SESSION[VAR_LOCALE] . '"]);'; |
||
344 | |||
345 | break; |
||
346 | |||
347 | case FIELD_TYPE_DURATION: |
||
348 | |||
349 | $xml .= '<label>' . ustr2html($field['field_name']) . '</label>'; |
||
350 | |||
351 | $xml .= '<editbox maxlen="' . ustrlen(time2ustr(MAX_FIELD_DURATION)) . '">' |
||
352 | . ustr2html(try_request($name, $value)) |
||
353 | . '</editbox>'; |
||
354 | |||
355 | $notes .= '<note>' |
||
356 | . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($field['field_name']), time2ustr($field['param1']), time2ustr($field['param2'])) |
||
357 | . '</note>'; |
||
358 | |||
359 | break; |
||
360 | |||
361 | default: |
||
362 | |||
363 | debug_write_log(DEBUG_WARNING, 'Unknown field type = ' . $field['field_type']); |
||
364 | } |
||
365 | |||
366 | View Code Duplication | if (ustrlen($field['description']) != 0) |
|
367 | { |
||
368 | $xml .= '<description>' |
||
369 | . update_references($field['description'], BBCODE_ALL) |
||
370 | . '</description>'; |
||
371 | } |
||
372 | |||
373 | $xml .= '</control>'; |
||
374 | |||
375 | if ($field['add_separator']) |
||
376 | { |
||
377 | $xml .= '<hr/>'; |
||
378 | } |
||
379 | } |
||
380 | |||
381 | $xml .= '</group>'; |
||
382 | } |
||
383 | } |
||
384 | |||
385 | if ($flag) |
||
386 | { |
||
387 | $notes .= '<note>' . get_html_resource(RES_LINK_TO_ANOTHER_RECORD_ID) . '</note>'; |
||
388 | } |
||
389 | |||
390 | $xml .= $notes |
||
391 | . '</form>' |
||
392 | . '<script>' |
||
393 | . $script |
||
394 | . '</script>'; |
||
395 | |||
396 | echo(xml2html($xml)); |
||
397 | |||
398 | ?> |
||
399 |
Since your code implements the magic setter
_set
, this function will be called for any write access on an undefined variable. You can add the@property
annotation to your class or interface to document the existence of this variable.Since the property has write access only, you can use the @property-write annotation instead.
Of course, you may also just have mistyped another name, in which case you should fix the error.
See also the PhpDoc documentation for @property.