Issues (1098)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/records/state.php (9 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2005-2012  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/accounts.php');
require_once('../dbo/states.php');
require_once('../dbo/fields.php');
require_once('../dbo/values.php');
require_once('../dbo/records.php');
require_once('../dbo/events.php');
/**#@-*/

init_page(LOAD_INLINE);

// check that requested record exists

$id     = ustr2int(try_request('id'));
$record = record_find($id);

if (!$record)

Issue (Bug / Best Practice): The expression $record of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements.

This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent.

Consider making the comparison explicit by using empty(...) or !empty(...) instead.

{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
    header('HTTP/1.1 307 index.php');
    exit;
}

// check that requested state exists

$state_id = ustr2int(try_request('state'));
$state    = state_find($state_id);

if (!$state)

Issue (Bug / Best Practice): The expression $state of type array is implicitly converted to a boolean; are you sure this is intended? If so, consider using empty($expr) instead to make it clear that you intend to check for an array without elements. (Same explanation as for $record above.)

{
    debug_write_log(DEBUG_NOTICE, 'State cannot be found.');
    header('HTTP/1.1 307 view.php?id=' . $id);
    exit;
}

// get current user's permissions

$permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);

// check whether a state of specified record can be changed

if (!can_state_be_changed($record) &&
    !can_record_be_reopened($record, $permissions))
{
    debug_write_log(DEBUG_NOTICE, 'State cannot be changed.');
    header('HTTP/1.1 307 view.php?id=' . $id);
    exit;
}

// if state is final...

if ($state['state_type'] == STATE_TYPE_FINAL)
{
    // ... check whether there are no unclosed dependencies
    $rs = dal_query('depends/listuc.sql', $id);

    if ($rs->rows != 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion.

Since your code implements the magic setter __set(), this function will be called for any write access on an undefined variable. You can add the @property annotation to your class or interface to document the existence of this variable.

<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties = array();

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        // reads go through the magic getter, but only for whitelisted names
        if (isset($this->properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $this->properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        // writes to any name outside the whitelist are rejected instead of silently stored
        if (in_array($name, $this->allowedProperties)) {
            $this->properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}

Since the property has write access only, you can use the @property-write annotation instead.

Of course, you may also just have mistyped another name, in which case you should fix the error.

See also the PhpDoc documentation for @property.

    {
        debug_write_log(DEBUG_NOTICE, 'The record has unclosed dependencies.');
        header('HTTP/1.1 307 view.php?id=' . $id);
        exit;
    }

    // ... check we are not reopening closed record
    if (is_record_closed($record))
    {
        debug_write_log(DEBUG_NOTICE, 'The record cannot be reopened in a final state.');
        header('HTTP/1.1 307 view.php?id=' . $id);
        exit;
    }
}
else
{
    // ... otherwise, check whether the record can be moved to specified state from current one
    if (is_record_closed($record))
    {
        if ($state['template_id'] != $record['template_id'])
        {
            debug_write_log(DEBUG_NOTICE, 'No permissions to reopen in specified state.');
            header('HTTP/1.1 307 view.php?id=' . $id);
            exit;
        }
    }
    else
    {
        $rs = dal_query('records/tramongs.sql', $id, $_SESSION[VAR_USERID], '');

        if ($rs->rows == 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

        {
            debug_write_log(DEBUG_NOTICE, 'No permissions to change to specified state.');
            header('HTTP/1.1 307 view.php?id=' . $id);
            exit;
        }
    }
}

// state form is submitted

if (try_request('submitted') == 'stateform')
{
    debug_write_log(DEBUG_NOTICE, 'Data are submitted.');

    $rs = dal_query('records/efnd.sql',
                    $_SESSION[VAR_USERID],
                    is_record_closed($record) ? EVENT_RECORD_REOPENED : EVENT_RECORD_STATE_CHANGED,
                    time() - 3,
                    $state_id);

    if ($rs->rows != 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

    {
        debug_write_log(DEBUG_NOTICE, 'Double click issue is detected.');
        exit;
    }

    switch ($state['responsible'])
    {
        case STATE_RESPONSIBLE_REMAIN:
            $responsible_id = 0;
            break;
        case STATE_RESPONSIBLE_ASSIGN:
            $responsible_id = try_request('responsible');
            break;
        case STATE_RESPONSIBLE_REMOVE:
            $responsible_id = NULL;
            break;
        default:
            debug_write_log(DEBUG_WARNING, 'Unknown state responsible type = ' . $state['responsible']);
    }

    $error = record_validate(OPERATION_CHANGE_STATE, NULL, $id, $state_id);

    if ($error == NO_ERROR)
    {
        $error = state_change($id,
                              $state_id,
                              $responsible_id,
                              ($state['state_type'] == STATE_TYPE_FINAL),
                              is_record_closed($record));
    }

    switch ($error)
    {
        case NO_ERROR:
            header('HTTP/1.0 200 OK');
            break;

        case ERROR_INCOMPLETE_FORM:
            send_http_error(get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID));
            break;

        case ERROR_INVALID_INTEGER_VALUE:
            send_http_error(get_html_resource(RES_ALERT_INVALID_INTEGER_VALUE_ID));
            break;

        case ERROR_INVALID_FLOAT_VALUE:
            send_http_error(get_html_resource(RES_ALERT_INVALID_DECIMAL_VALUE_ID));
            break;

        case ERROR_INVALID_DATE_VALUE:
            send_http_error(get_html_resource(RES_ALERT_INVALID_DATE_VALUE_ID));
            break;

        case ERROR_INVALID_TIME_VALUE:
            send_http_error(get_html_resource(RES_ALERT_INVALID_TIME_VALUE_ID));
            break;

        case ERROR_INTEGER_VALUE_OUT_OF_RANGE:
        case ERROR_FLOAT_VALUE_OUT_OF_RANGE:
        case ERROR_DATE_VALUE_OUT_OF_RANGE:
        case ERROR_TIME_VALUE_OUT_OF_RANGE:
            send_http_error(ustrprocess(get_js_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), $_SESSION['FIELD_NAME'], $_SESSION['MIN_FIELD_INTEGER'], $_SESSION['MAX_FIELD_INTEGER']));
            unset($_SESSION['FIELD_NAME']);
            unset($_SESSION['MIN_FIELD_INTEGER']);
            unset($_SESSION['MAX_FIELD_INTEGER']);
            break;

        case ERROR_RECORD_NOT_FOUND:
            send_http_error(get_html_resource(RES_ALERT_RECORD_NOT_FOUND_ID));
            break;

        case ERROR_VALUE_FAILS_REGEX_CHECK:
            send_http_error(ustrprocess(get_js_resource(RES_ALERT_VALUE_FAILS_REGEX_CHECK_ID), $_SESSION['FIELD_NAME'], $_SESSION['FIELD_VALUE']));
            unset($_SESSION['FIELD_NAME']);
            unset($_SESSION['FIELD_VALUE']);
            break;

        default:
            send_http_error(get_html_resource(RES_ALERT_UNKNOWN_ERROR_ID));
    }

    exit;
}
else
{
    debug_write_log(DEBUG_NOTICE, 'Data are being requested.');

    $responsible_id = NULL;
}

// local JS functions

$resTitle = get_js_resource(RES_ERROR_ID);
$resOK    = get_js_resource(RES_OK_ID);

$xml = <<<JQUERY
<script>

function stateSuccess ()
{
    closeModal();
    reloadTab();
}

function stateError (XMLHttpRequest)
{
    jqAlert("{$resTitle}", XMLHttpRequest.responseText, "{$resOK}");
}

</script>
JQUERY;

// generate state form

$xml .= '<form name="stateform" action="state.php?id=' . $id . '&amp;state=' . $state_id . '" success="stateSuccess" error="stateError">';

// get list of latest values of related fields

$rs = dal_query('fields/listv.sql', $id, $state_id);

// if state is being used first time (no latest values yet), then get list of fields

if ($rs->rows == 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

{
    $rs = dal_query('fields/list.sql', $state_id, 'field_order');
}

if ($rs->rows == 0 && $state['responsible'] != STATE_RESPONSIBLE_ASSIGN)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

{
    debug_write_log(DEBUG_NOTICE, 'No fields for specified state are found.');

    $xml .= '<div>' . get_html_resource(RES_CONFIRM_CHANGE_STATE_ID) . '</div>';
}
else
{
    // if state must be assigned, generate list of accounts

    $xml .= '<group>';

    if ($state['responsible'] == STATE_RESPONSIBLE_ASSIGN)
    {
        debug_write_log(DEBUG_NOTICE, 'Record should be assigned.');

        $rs_res = dal_query('records/responsibles.sql', $state_id, $_SESSION[VAR_USERID]);

        if ($rs_res->rows != 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

        {
            $rs_last = dal_query('records/lastresp.sql', $id);

            $last_responsible = ($rs_last->rows == 0) ? $_SESSION[VAR_USERID] : $rs_last->fetch('event_param');

            $default_responsible = (is_null($record['responsible_id']) ? $last_responsible : $record['responsible_id']);

            $xml .= '<control name="responsible" required="' . get_html_resource(RES_REQUIRED3_ID) . '">'
                  . '<label>' . get_html_resource(RES_RESPONSIBLE_ID) . '</label>'
                  . '<combobox>';

            while (($row = $rs_res->fetch()))
            {
                $xml .= ($row['account_id'] == $default_responsible
                            ? '<listitem value="' . $row['account_id'] . '" selected="true">'
                            : '<listitem value="' . $row['account_id'] . '">')
                      . ustr2html(sprintf('%s (%s)', $row['fullname'], account_get_username($row['username'])))
                      . '</listitem>';
            }

            $xml .= '</combobox>'
                  . '</control>';
        }
    }

    $flag1  = FALSE;
    $flag2  = FALSE;
    $notes  = NULL;
    $script = NULL;

    // go through the list of fields

    debug_write_log(DEBUG_NOTICE, 'Fields of specified state are being enumerated.');

    while (($row = $rs->fetch()))
    {
        $name  = 'field' . $row['field_id'];
        $value = NULL;

        // determine default value of the field

        $clone_id = is_record_cloned($id);

        if (!is_null($row['value_id']))
        {
            $value = $row['value_id'];
        }
        elseif ($clone_id != 0)
        {
            $rsv = dal_query('values/fndk.sql', $clone_id, $row['field_id']);

            if ($rsv->rows != 0)

Issue: The property $rows is declared protected in CRecordset. Since you implemented __get(), maybe consider adding a @property or @property-read annotation. (Same explanation as above.)

            {
                $value = $rsv->fetch('value_id');
            }
            elseif (!is_null($row['value_id']))
            {
                $value = $row['value_id'];
            }
        }

        // adjust for current date the value of date fields

        if ($row['field_type'] == FIELD_TYPE_DATE)
        {
            $today = time();

            $row['param1'] = date_offset($today, $row['param1']);
            $row['param2'] = date_offset($today, $row['param2']);

            if (!is_null($value))
            {
                $value = date_offset($today, $value);
                $value = ustr2int($value, $row['param1'], $row['param2']);
            }
        }

        // convert to "human reading" format
        $value = value_find($row['field_type'], $value);

        if ($row['is_required'])
        {
            $flag1 = TRUE;
        }

        // generate control for the field
        $xml .= '<control name="' . $name . '"'
              . ($row['is_required'] && $row['field_type'] != FIELD_TYPE_CHECKBOX
                    ? ' required="' . get_html_resource(RES_REQUIRED3_ID) . '"'
                    : NULL)
              . (ustrlen($row['description']) != 0
                    ? ' description="true"'
                    : NULL)
              . '>';

        switch ($row['field_type'])
        {
            case FIELD_TYPE_NUMBER:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<editbox maxlen="' . (ustrlen(MAX_FIELD_INTEGER) + 1) . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $notes .= '<note>'
                        . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), $row['param1'], $row['param2'])
                        . '</note>';

                break;

            case FIELD_TYPE_FLOAT:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<editbox maxlen="' . ustrlen(MAX_FIELD_FLOAT) . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $notes .= '<note>'
                        . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID),
                                      ustr2html($row['field_name']),
                                      value_find(FIELD_TYPE_FLOAT, $row['param1']),
                                      value_find(FIELD_TYPE_FLOAT, $row['param2']))
                        . '</note>';

                break;

            case FIELD_TYPE_STRING:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<editbox maxlen="' . $row['param1'] . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $flag2 = TRUE;

                break;

            case FIELD_TYPE_MULTILINED:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<textbox rows="' . $_SESSION[VAR_TEXTROWS] . '" maxlen="' . MAX_FIELD_MULTILINED . '">'
                      . ustr2html(try_request($name, $value))
                      . '</textbox>';

                $flag2 = TRUE;

                break;

            case FIELD_TYPE_CHECKBOX:

                $user_value = (try_request('submitted') == 'fieldsform')
                            ? isset($_REQUEST[$name])
                            : $value;

                $xml .= '<label/>';

                $xml .= ($user_value
                            ? '<checkbox checked="true">'
                            : '<checkbox>')
                      . ustr2html($row['field_name'])
                      . '</checkbox>';

                break;

            case FIELD_TYPE_LIST:

                $selected = try_request($name, $value);

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<combobox>'
                      . '<listitem value=""/>';

                $rsv = dal_query('values/lvlist.sql', $row['field_id']);

                while (($item = $rsv->fetch()))
                {
                    $xml .= ($selected == $item['int_value']
                                ? '<listitem value="' . $item['int_value'] . '" selected="true">'
                                : '<listitem value="' . $item['int_value'] . '">')
                          . ustr2html($item['str_value'])
                          . '</listitem>';
                }

                $xml .= '</combobox>';

                break;

            case FIELD_TYPE_RECORD:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<editbox maxlen="' . ustrlen(MAXINT) . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $notes .= '<note>'
                        . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), 1, MAXINT)
                        . '</note>';

                break;

            case FIELD_TYPE_DATE:

                $xml .= '<label>' . sprintf('%s (%s)', ustr2html($row['field_name']), get_date_format_str()) . '</label>';

                $xml .= '<editbox maxlen="' . ustrlen(get_date(SAMPLE_DATE)) . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $notes .= '<note>'
                        . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), get_date($row['param1']), get_date($row['param2']))
                        . '</note>';

                $script .= '$("#' . $name . '").datepicker($.datepicker.regional["' . $_SESSION[VAR_LOCALE] . '"]);';

                break;

            case FIELD_TYPE_DURATION:

                $xml .= '<label>' . ustr2html($row['field_name']) . '</label>';

                $xml .= '<editbox maxlen="' . ustrlen(time2ustr(MAX_FIELD_DURATION)) . '">'
                      . ustr2html(try_request($name, $value))
                      . '</editbox>';

                $notes .= '<note>'
                        . ustrprocess(get_html_resource(RES_ALERT_FIELD_VALUE_OUT_OF_RANGE_ID), ustr2html($row['field_name']), time2ustr($row['param1']), time2ustr($row['param2']))
                        . '</note>';

                break;

            default:

                debug_write_log(DEBUG_WARNING, 'Unknown field type = ' . $row['field_type']);
        }

        if (strlen($row['description']) != 0)
        {
            $xml .= '<description>'
                  . update_references($row['description'], BBCODE_ALL)
                  . '</description>';
        }

        $xml .= '</control>';

        if ($row['add_separator'])
        {
            $xml .= '<hr/>';
        }
    }

    if ($flag1)
    {
        $notes = '<note>' . get_html_resource(RES_ALERT_REQUIRED_ARE_EMPTY_ID) . '</note>' . $notes;
    }

    if ($flag2)
    {
        $notes .= '<note>' . get_html_resource(RES_LINK_TO_ANOTHER_RECORD_ID) . '</note>';
    }

    $xml .= '</group>'
          . $notes
          . '<script>' . $script . '</script>';
}

$xml .= '</form>';

echo(xml2html($xml));

?>