Issues (1098)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/records/record.php (10 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
//------------------------------------------------------------------------------
4
//
5
//  eTraxis - Records tracking web-based system
6
//  Copyright (C) 2005-2011  Artem Rodygin
7
//
8
//  This program is free software: you can redistribute it and/or modify
9
//  it under the terms of the GNU General Public License as published by
10
//  the Free Software Foundation, either version 3 of the License, or
11
//  (at your option) any later version.
12
//
13
//  This program is distributed in the hope that it will be useful,
14
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
15
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16
//  GNU General Public License for more details.
17
//
18
//  You should have received a copy of the GNU General Public License
19
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
20
//
21
//------------------------------------------------------------------------------
22
23
/**
24
 * @package eTraxis
25
 * @ignore
26
 */
27
28
/**#@+
29
 * Dependency.
30
 */
31
require_once('../engine/engine.php');
32
require_once('../dbo/accounts.php');
33
require_once('../dbo/fields.php');
34
require_once('../dbo/values.php');
35
require_once('../dbo/records.php');
36
require_once('../dbo/views.php');
37
/**#@-*/
38
39
init_page(LOAD_TAB, GUEST_IS_ALLOWED);
0 ignored issues
show
GUEST_IS_ALLOWED is of type boolean, but the function expects a false|integer.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
40
41
// whether a record's dump was requested
42
43
$dump_mode = isset($_REQUEST['dump']);
44
45
debug_write_log(DEBUG_NOTICE, 'Dump mode = ' . $dump_mode);
46
47
// check that requested record exists
48
49
$id     = ustr2int(try_request($dump_mode ? 'dump' : 'id'));
50
$record = record_find($id);
51
52
if (!$record)
0 ignored issues
show
Bug Best Practice introduced by
The expression $record of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.

Loading history...
53
{
54
    debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
55
    exit;
56
}
57
58
// get current user's permissions and verify them
59
60
$permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);
61
62
if (!can_record_be_displayed($permissions))
63
{
64
    debug_write_log(DEBUG_NOTICE, 'Record cannot be displayed.');
65
    exit;
66
}
67
68
// find previous and next records
69
70
$columns = columns_list();
71
72
$sort = $page = NULL;
73
$list = records_list($columns, $sort, $page, $_SESSION[VAR_SEARCH_MODE], $_SESSION[VAR_SEARCH_TEXT]);
74
75
$prev_id = $next_id = $temp_id = NULL;
76
77
while (($row = $list->fetch()))
78
{
79
    if ($id == $row['record_id'])
80
    {
81
        $prev_id = $temp_id;
82
83
        if (($row = $list->fetch()))
84
        {
85
            $next_id = $row['record_id'];
86
        }
87
88
        break;
89
    }
90
91
    $temp_id = $row['record_id'];
92
}
93
94
// mark the record as read
95
96
record_read($id);
97
98
// local JS functions
99
100
$resModify    = get_js_resource(RES_MODIFY_ID);
101
$resClone     = get_js_resource(RES_CLONE_ID);
102
$resPostpone  = get_js_resource(RES_POSTPONE_ID);
103
$resSubscribe = get_js_resource(RES_SUBSCRIBE_OTHERS_ID);
104
$resOK        = get_js_resource(RES_OK_ID);
105
$resCancel    = get_js_resource(RES_CANCEL_ID);
106
$resClose     = get_js_resource(RES_CLOSE_ID);
107
108
$xml = <<<JQUERY
109
<script>
110
111
function recordModify ()
112
{
113
    jqModal("{$resModify}", "modify.php?id={$id}", "{$resOK}", "{$resCancel}", "$('#modifyform').submit()");
114
}
115
116
function recordClone ()
117
{
118
    jqModal("{$resClone}", "create.php?id={$id}", "{$resOK}", "{$resCancel}", "$('#mainform').submit()");
119
}
120
121
function recordPostpone ()
122
{
123
    jqModal("{$resPostpone}", "postpone.php?id={$id}", "{$resOK}", "{$resCancel}", "$('#postponeform').submit()");
124
}
125
126
function recordResume ()
127
{
128
    $.post("resume.php?id={$id}", function() {
129
        reloadTab();
130
    });
131
}
132
133
function recordSubscribe ()
134
{
135
    $.post("subscribe-self.php?id={$id}", function() {
136
        reloadTab();
137
    });
138
}
139
140
function recordSubscribeOthers ()
141
{
142
    jqModal("{$resSubscribe}", "subscribe.php?id={$id}", "{$resClose}");
143
}
144
145
function recordAssign ()
146
{
147
    if ($("#responsible option:selected").val() != 0)
148
    {
149
        $("#assignform").submit();
150
    }
151
}
152
153
function stateChange ()
154
{
155
    var state = $("#state option:selected").val();
156
    var title = $("#state option:selected").text();
157
    jqModal(title, "state.php?id={$id}&amp;state=" + state, "{$resOK}", "{$resCancel}", "$('#stateform').submit()");
158
}
159
160
function addConfidentialComment ()
161
{
162
    $("#rcommentform :input[name=submitted]").val("rconfidentialform");
163
    $("#rcommentform").submit();
164
    $("#rcommentform :input[name=submitted]").val("rcommentform");
165
}
166
167
function previewComment ()
168
{
169
    $("#rpreviewdiv").load("preview.php", $("#rcommentform").serialize());
170
}
171
172
function commentSuccess (data)
173
{
174
    $("[href=#ui-tabs-5]").html(data);
175
    reloadTab();
176
}
177
178
</script>
179
JQUERY;
180
181
// generate buttons
182
183
$xml .= '<buttonset>'
184
      . '<button url="index.php">' . get_html_resource(RES_BACK_ID) . '</button>';
185
186
if (!is_null($prev_id) || !is_null($next_id))
187
{
188
    if (!is_null($prev_id))
189
    {
190
        $xml .= '<button url="view.php?id=' . $prev_id . '">%lt;%lt;</button>';
191
    }
192
    else
193
    {
194
        $xml .= '<button disabled="true">%lt;%lt;</button>';
195
    }
196
197
    if (!is_null($next_id))
198
    {
199
        $xml .= '<button url="view.php?id=' . $next_id . '">%gt;%gt;</button>';
200
    }
201
    else
202
    {
203
        $xml .= '<button disabled="true">%gt;%gt;</button>';
204
    }
205
}
206
207
$xml .= '</buttonset>';
208
209
$xml .= '<button url="record.php?dump=' . $id . '">' . get_html_resource(RES_DUMP_ID) . '</button>';
210
211
$xml .= '<buttonset>';
212
213
$xml .= (can_record_be_modified($record, $permissions)
214
            ? '<button action="recordModify()">'
215
            : '<button disabled="true">')
216
      . get_html_resource(RES_MODIFY_ID)
217
      . '</button>';
218
219
$xml .= (can_record_be_deleted($record, $permissions)
220
            ? '<button url="delete.php?id=' . $id . '" prompt="' . get_html_resource(RES_CONFIRM_DELETE_RECORD_ID) . '">'
221
            : '<button disabled="false">')
222
      . get_html_resource(RES_DELETE_ID)
223
      . '</button>';
224
225
$rs = dal_query(DATABASE_DRIVER == DRIVER_ORACLE9 ? 'records/oracle/tfndid.sql' : 'records/tfndid.sql',
226
                $_SESSION[VAR_USERID],
227
                $record['project_id'],
228
                $record['template_id']);
229
230
$xml .= ($rs->rows != 0
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
231
            ? '<button action="recordClone()">'
232
            : '<button disabled="true">')
233
      . get_html_resource(RES_CLONE_ID)
234
      . '</button>';
235
236
if (is_record_postponed($record))
237
{
238
    $xml .= (can_record_be_resumed($record, $permissions)
239
                ? '<button action="recordResume()" prompt="' . get_html_resource(RES_CONFIRM_RESUME_RECORD_ID) . '">'
240
                : '<button disabled="true">')
241
          . get_html_resource(RES_RESUME_ID)
242
          . '</button>';
243
}
244
else
245
{
246
    $xml .= (can_record_be_postponed($record, $permissions)
247
                ? '<button action="recordPostpone()">'
248
                : '<button disabled="true">')
249
          . get_html_resource(RES_POSTPONE_ID)
250
          . '</button>';
251
}
252
253
$xml .= '</buttonset>';
254
255
if (EMAIL_NOTIFICATIONS_ENABLED && (get_user_level() != USER_LEVEL_GUEST))
256
{
257
    $xml .= '<buttonset>'
258
          . '<button action="recordSubscribe()">' . get_html_resource(is_record_subscribed($id, $_SESSION[VAR_USERID]) ? RES_UNSUBSCRIBE_ID : RES_SUBSCRIBE_ID) . '</button>'
259
          . '<button action="recordSubscribeOthers()">' . get_html_resource(RES_SUBSCRIBE_OTHERS_ID) . '</button>'
260
          . '</buttonset>';
261
}
262
263
// whether this record can be reassigned
264
265
if (can_record_be_reassigned($record, $permissions))
266
{
267
    $rs = dal_query('records/responsibles.sql', $record['state_id'], $_SESSION[VAR_USERID]);
268
269
    if ($rs->rows > 1)
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
270
    {
271
        $prompt        = get_html_resource(RES_CONFIRM_ASSIGN_RECORD_ID);
272
        $msgtitle      = get_html_resource(RES_QUESTION_ID);
273
        $btnactiontext = get_html_resource(RES_OK_ID);
274
        $btncanceltext = get_html_resource(RES_CANCEL_ID);
275
276
        $xml .= '<form name="assignform" action="assign.php?id=' . $id . '" success="reloadTab">'
277
              . '<dropdown name="responsible">';
278
279
        while (($row = $rs->fetch()))
280
        {
281
            if ($record['responsible_id'] != $row['account_id'])
282
            {
283
                $xml .= ($row['account_id'] == $_SESSION[VAR_USERID]
284
                            ? '<listitem value="' . $row['account_id'] . '" selected="true">'
285
                            : '<listitem value="' . $row['account_id'] . '">')
286
                      . ustr2html(sprintf('%s (%s)', $row['fullname'], account_get_username($row['username'])))
287
                      . '</listitem>';
288
            }
289
        }
290
291
        $xml .= '</dropdown>'
292
              . '<button action="recordAssign()" prompt="' . get_html_resource(RES_CONFIRM_ASSIGN_RECORD_ID) . '">'
293
              . get_html_resource(RES_ASSIGN2_ID)
294
              . '</button>'
295
              . '</form>'
296
              . '<onready>'
297
              . '$("#responsible").combobox();'
298
              . '</onready>';
299
    }
300
}
301
else
302
{
303
    debug_write_log(DEBUG_NOTICE, 'Record cannot be reassigned.');
304
}
305
306
// whether current state can be changed
307
308
if (can_state_be_changed($record))
309
{
310
    $rs = dal_query('depends/listuc.sql', $id);
311
    $rs = dal_query('records/tramongs.sql', $id, $_SESSION[VAR_USERID], ($rs->rows == 0 ? '' : 'and s.state_type <> ' . STATE_TYPE_FINAL));
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
312
313
    if ($rs->rows != 0)
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
314
    {
315
        $xml .= '<form>'
316
              . '<dropdown name="state">';
317
318
        while (($row = $rs->fetch()))
319
        {
320
            $xml .= ($record['next_state_id'] == $row['state_id']
321
                        ? '<listitem value="' . $row['state_id'] . '" selected="true">'
322
                        : '<listitem value="' . $row['state_id'] . '">')
323
                  . ustr2html($row['state_name'])
324
                  . '</listitem>';
325
        }
326
327
        $xml .= '</dropdown>'
328
              . '<button action="stateChange()">' . get_html_resource(RES_CHANGE_STATE_ID) . '</button>'
329
              . '</form>'
330
              . '<onready>'
331
              . '$("#state").combobox();'
332
              . '</onready>';
333
    }
334
}
335
elseif (can_record_be_reopened($record, $permissions))
336
{
337
    $rs = dal_query('states/list3.sql', $record['template_id']);
338
339
    if ($rs->rows != 0)
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
340
    {
341
        $xml .= '<form>'
342
              . '<dropdown name="state">';
343
344
        while (($row = $rs->fetch()))
345
        {
346
            if ($row['state_type'] == STATE_TYPE_FINAL)
347
            {
348
                continue;
349
            }
350
351
            $xml .= ($row['state_type'] == STATE_TYPE_INITIAL
352
                        ? '<listitem value="' . $row['state_id'] . '" selected="true">'
353
                        : '<listitem value="' . $row['state_id'] . '">')
354
                  . ustr2html($row['state_name'])
355
                  . '</listitem>';
356
        }
357
358
        $xml .= '</dropdown>'
359
              . '<button action="stateChange()">' . get_html_resource(RES_REOPEN_ID) . '</button>'
360
              . '</form>'
361
              . '<onready>'
362
              . '$("#state").combobox();'
363
              . '</onready>';
364
    }
365
}
366
else
367
{
368
    debug_write_log(DEBUG_NOTICE, 'State cannot be changed.');
369
}
370
371
// generate general information
372
373
$xml .= '<group title="' . get_html_resource(RES_GENERAL_INFO_ID) . '">'
374
      . '<text label="' . get_html_resource(RES_ID_ID)          . '">' . record_id($record['record_id'], $record['template_prefix']) . '</text>'
375
      . '<text label="' . get_html_resource(RES_SUBJECT_ID)     . '">' . update_references($record['subject'], BBCODE_MINIMUM) . '</text>'
376
      . '<text label="' . get_html_resource(RES_STATE_ID)       . '">' . ustr2html($record['state_name']) . '</text>'
377
      . '<text label="' . get_html_resource(RES_RESPONSIBLE_ID) . '">' . (is_null($record['username']) ? get_html_resource(RES_NONE_ID) : ustr2html(sprintf('%s (%s)', $record['fullname'], account_get_username($record['username'])))) . '</text>'
378
      . '<text label="' . get_html_resource(RES_AUTHOR_ID)      . '">' . ustr2html(sprintf('%s (%s)', $record['author_fullname'], account_get_username($record['author_username']))) . '</text>'
379
      . '<text label="' . get_html_resource(RES_AGE_ID)         . '">' . get_record_last_event($record) . '/' . get_record_age($record) . '</text>'
380
      . '<text label="' . get_html_resource(RES_PROJECT_ID)     . '">' . ustr2html($record['project_name']) . '</text>'
381
      . '<text label="' . get_html_resource(RES_TEMPLATE_ID)    . '">' . ustr2html($record['template_name']) . '</text>';
382
383 View Code Duplication
if (is_record_postponed($record))
384
{
385
    $xml .= '<text label="' . get_html_resource(RES_POSTPONED_ID) . '">' . get_date($record['postpone_time']) . '</text>';
386
}
387
388
$xml .= '</group>';
389
390
// go through the list of all states and their fields
391
392
$responsible = FALSE;
393
394
$events = dal_query('records/elist2.sql', $id);
395
396
while (($event = $events->fetch()))
397
{
398
    if ($event['event_type'] == EVENT_RECORD_ASSIGNED)
399
    {
400
        $responsible = account_find($event['event_param']);
401
        $group_title = 'Reassigned';
402
    }
403 View Code Duplication
    elseif ($event['event_type'] == EVENT_RECORD_CREATED  ||
404
            $event['event_type'] == EVENT_RECORD_REOPENED ||
405
            $event['event_type'] == EVENT_RECORD_STATE_CHANGED)
406
    {
407
        if ($event['responsible'] == STATE_RESPONSIBLE_REMOVE)
408
        {
409
            $responsible = FALSE;
410
        }
411
        elseif ($event['responsible'] == STATE_RESPONSIBLE_ASSIGN)
412
        {
413
            $responsible = account_find($events->fetch('event_param'));
414
        }
415
416
        $group_title = ustr2html($event['state_name']);
417
    }
418
    elseif ($event['event_type'] == EVENT_COMMENT_ADDED ||
419
            $event['event_type'] == EVENT_CONFIDENTIAL_COMMENT)
420
    {
421
        $group_title = get_html_resource(RES_COMMENT_ID);
422
    }
423
    elseif ($event['event_type'] == EVENT_FILE_ATTACHED)
424
    {
425
        $group_title = get_html_resource(RES_ATTACHMENT_ID);
426
    }
427
    else
428
    {
429
        continue;
430
    }
431
432
    $group_title .= ' - ' . get_datetime($event['event_time'])
433
                  . ' - ' . ustr2html(sprintf('%s (%s)', $event['fullname'], account_get_username($event['username'])));
434
435
    $xml .= '<group title="' . $group_title . '">';
436
437
    if ($event['event_type'] == EVENT_RECORD_CREATED  ||
438
        $event['event_type'] == EVENT_RECORD_REOPENED ||
439
        $event['event_type'] == EVENT_RECORD_STATE_CHANGED)
440
    {
441
        $xml .= '<text label="' . get_html_resource(RES_RESPONSIBLE_ID) . '">'
442
              . ($responsible ? ustr2html(sprintf('%s (%s)', $responsible['fullname'], account_get_username($responsible['username'])))
443
                              : get_html_resource(RES_NONE_ID))
444
              . '</text>';
445
446
        $fields = dal_query('records/flist2.sql',
447
                            $id,
448
                            $event['event_id'],
449
                            $event['state_id'],
450
                            $record['creator_id'],
451
                            is_null($record['responsible_id']) ? 0 : $record['responsible_id'],
452
                            $_SESSION[VAR_USERID],
453
                            FIELD_ALLOW_TO_READ);
454
455 View Code Duplication
        while (($field = $fields->fetch()))
456
        {
457
            $value = value_find($field['field_type'], $field['value_id']);
458
459
            if ($field['field_type'] == FIELD_TYPE_CHECKBOX)
460
            {
461
                $value = get_html_resource($value ? RES_YES_ID : RES_NO_ID);
462
            }
463
            elseif ($field['field_type'] == FIELD_TYPE_LIST)
464
            {
465
                $value = (is_null($value) ? NULL : value_find_listvalue($field['field_id'], $value));
466
            }
467
            elseif ($field['field_type'] == FIELD_TYPE_RECORD)
468
            {
469
                $value = (is_null($value) ? NULL : 'rec#' . $value);
470
            }
471
472
            $xml .= '<text label="' . ustr2html($field['field_name']) . '">'
473
                  . (is_null($value) ? get_html_resource(RES_NONE_ID) : update_references($value, BBCODE_ALL, $field['regex_search'], $field['regex_replace']))
474
                  . '</text>';
475
476
            if ($field['add_separator'])
477
            {
478
                $xml .= '<hr/>';
479
            }
480
        }
481
    }
482
    elseif ($event['event_type'] == EVENT_COMMENT_ADDED ||
483
            $event['event_type'] == EVENT_CONFIDENTIAL_COMMENT)
484
    {
485
        $comment = comment_find($event['event_id'], $permissions);
486
487
        if ($comment)
0 ignored issues
show
Bug Best Practice introduced by
The expression $comment of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using ! empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(..) or ! empty(...) instead.

Loading history...
488
        {
489
            $xml .= ($comment['is_confidential']
490
                        ? '<text label="' . get_html_resource(RES_CONFIDENTIAL_ID) . '">'
491
                        : '<text>')
492
                  . update_references($comment['comment_body'])
493
                  . '</text>';
494
        }
495
    }
496
    elseif ($event['event_type'] == EVENT_FILE_ATTACHED)
497
    {
498
        $rs         = dal_query('attachs/fndk.sql', $event['event_id']);
499
        $attachment = ($rs->rows == 0 ? FALSE : $rs->fetch());
0 ignored issues
show
The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter _set, this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

Loading history...
500
501
        if ($attachment)
502
        {
503
            $xml .= '<text label="' . get_html_resource(RES_ATTACHMENT_NAME_ID) . '">'
504
                  . ($attachment['is_removed'] ? NULL : '<url address="download.php?id=' . $attachment['attachment_id'] . '">')
505
                  . ustr2html($attachment['attachment_name'])
506
                  . ($attachment['is_removed'] ? NULL : '</url>')
507
                  . '</text>';
508
509
            $xml .= '<text label="' . get_html_resource(RES_SIZE_ID) . '">'
510
                  . ustrprocess(get_html_resource(RES_KB_ID), sprintf('%01.2f', $attachment['attachment_size'] / 1024))
511
                  . '</text>';
512
        }
513
    }
514
515
    $xml .= '</group>';
516
}
517
518
// whether user is allowed to add new comment
519
520
if (can_comment_be_added($record, $permissions))
521
{
522
    $xml .= '<form name="rcommentform" action="comments.php?id=' . $id . '" success="commentSuccess">'
523
          . '<group title="' . get_html_resource(RES_COMMENT_ID) . '">'
524
          . '<control name="rcomment">'
525
          . '<textbox rows="' . $_SESSION[VAR_TEXTROWS] . '" resizeable="true" maxlen="' . MAX_COMMENT_BODY . '">'
526
          . '</textbox>'
527
          . '</control>'
528
          . '</group>'
529
          . '<buttonset>'
530
          . '<button default="true">' . get_html_resource(RES_ADD_COMMENT_ID) . '</button>';
531
532
    if ($permissions & PERMIT_CONFIDENTIAL_COMMENTS)
533
    {
534
        $xml .= '<button action="addConfidentialComment()">'
535
              . get_html_resource(RES_ADD_CONFIDENTIAL_COMMENT_ID)
536
              . '</button>';
537
    }
538
539
    $xml .= '</buttonset>'
540
          . '<button action="previewComment()">' . get_html_resource(RES_PREVIEW_ID) . '</button>'
541
          . '<div id="rpreviewdiv"/>'
542
          . '<note>' . get_html_resource(RES_LINK_TO_ANOTHER_RECORD_ID) . '</note>'
543
          . '</form>';
544
}
545
else
546
{
547
    debug_write_log(DEBUG_NOTICE, 'Comment cannot be added.');
548
}
549
550
// generate HTML or dumpfile
551
552
if ($dump_mode)
553
{
554
    header('Pragma: private');
555
    header('Cache-Control: private, must-revalidate');
556
    header('Content-Type: text/txt');
557
    header('Content-Disposition: attachment; filename="dump-' . $id . '.txt"');
558
559
    $dump = xml2html("<content>{$xml}</content>", NULL, 'dump.xsl');
560
    $dump = html_entity_decode($dump, ENT_QUOTES, 'UTF-8');
561
    $dump = str_replace('<br>', "\n", $dump);
562
563
    if ($_SESSION[VAR_LINE_ENDINGS] != "\n")
564
    {
565
        $dump = ustr_replace("\n", $_SESSION[VAR_LINE_ENDINGS], $dump);
566
    }
567
568 View Code Duplication
    if ($_SESSION[VAR_ENCODING] != 'UTF-8')
569
    {
570
        $dump = iconv('UTF-8', $_SESSION[VAR_ENCODING], $dump);
571
    }
572
573
    echo($dump);
574
}
575
else
576
{
577
    echo(xml2html($xml));
578
}
579
580
?>
0 ignored issues
show
It is not recommended to use PHP's closing tag ?> in files other than templates.

Using a closing tag in PHP files that only contain PHP code is not recommended as you might accidentally add whitespace after the closing tag which would then be output by PHP. This can cause severe problems, for example headers cannot be sent anymore.

A simple precaution is to leave off the closing tag as it is not required, and it also has no negative effects whatsoever.

Loading history...
581