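<?php

//------------------------------------------------------------------------------
//
//  eTraxis - Records tracking web-based system
//  Copyright (C) 2010-2011  Artem Rodygin
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <http://www.gnu.org/licenses/>.
//
//------------------------------------------------------------------------------

/**
 * "Subrecords" tab of a record.
 *
 * Loads the record named by the "id" request parameter, verifies that the
 * current user may display it, and echoes the tab content: a button set
 * (create / attach / remove subrecord) followed by the list of subrecords.
 *
 * When the tab's form is posted back with "submitted=subrecords", every
 * request value of the form "rec<record_id>" names a subrecord to detach;
 * afterwards only the refreshed tab title (with the new count) is echoed.
 *
 * @package eTraxis
 * @ignore
 */

/**#@+
 * Dependency.
 */
require_once('../engine/engine.php');
require_once('../dbo/records.php');
/**#@-*/

init_page(LOAD_TAB, GUEST_IS_ALLOWED);

// check that requested record exists

$id     = ustr2int(try_request('id'));
$record = record_find($id);

if (!$record)
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be found.');
    exit;
}

// get current user's permissions and verify them

$permissions = record_get_permissions($record['template_id'], $record['creator_id'], $record['responsible_id']);

if (!can_record_be_displayed($permissions))
{
    debug_write_log(DEBUG_NOTICE, 'Record cannot be displayed.');
    exit;
}

// records list is submitted

if (try_request('submitted') === 'subrecords')
{
    debug_write_log(DEBUG_NOTICE, 'Data are submitted.');

    // The "remove" button is only enabled for users who may remove subrecords
    // (see the button set below); apply the same rule to the submission itself
    // so that a hand-crafted request is rejected just like a missing record is.
    if (!can_subrecord_be_removed($record, $permissions))
    {
        debug_write_log(DEBUG_NOTICE, 'Subrecord cannot be removed.');
        exit;
    }

    // Each checked row arrives as a request value "rec<record_id>".
    // Request values may also be arrays ("name[]=..."), which substr() rejects,
    // so only string values are inspected.
    foreach ($_REQUEST as $request)
    {
        if (is_string($request) && substr($request, 0, 3) === 'rec')
        {
            subrecord_remove($id, intval(substr($request, 3)));
        }
    }

    // Respond with the refreshed tab title carrying the new subrecords count.
    $rs = dal_query('depends/list.sql', $record['record_id']);
    echo sprintf('%s (%u)', get_html_resource(RES_SUBRECORDS_ID), $rs->rows);
    exit;
}

// local JS functions

$resTitle  = get_js_resource(RES_ATTACH_SUBRECORD_ID);
$resOK     = get_js_resource(RES_OK_ID);
$resNext   = get_js_resource(RES_NEXT_ID);
$resCancel = get_js_resource(RES_CANCEL_ID);

// Three-step "create subrecord" wizard (project -> template -> form), the
// "attach existing record" dialog, and the success callback of the "remove"
// form, which replaces the current tab's title with the server response.
$xml = <<<JQUERY
<script>

function createSubrecordForceToStep2 ()
{
    var items = $("#projectform #project").children().length;

    if (items == 1)
    {
        createSubrecordStep2();
    }
}

function createSubrecordForceToStep3 ()
{
    var items = $("#templateform #template").children().length;

    if (items == 1)
    {
        createSubrecordStep3();
    }
}

function createSubrecordStep1 ()
{
    jqModal("{$resTitle}", "create.php?parent={$id}", "{$resNext}", "{$resCancel}", "createSubrecordStep2()", null, "createSubrecordForceToStep2()");
}

function createSubrecordStep2 ()
{
    closeModal();
    jqModal("{$resTitle}", "create.php?parent={$id}&" + $("#projectform").serialize(), "{$resNext}", "{$resCancel}", "createSubrecordStep3()", null, "createSubrecordForceToStep3()");
}

function createSubrecordStep3 ()
{
    closeModal();
    jqModal("{$resTitle}", "create.php?parent={$id}&" + $("#templateform").serialize(), "{$resOK}", "{$resCancel}", "$('#mainform').submit()");
}

function addSubrecord ()
{
    jqModal("{$resTitle}", "addsubrec.php?id={$id}", "{$resOK}", "{$resCancel}", "$('#addsubrecform').submit()");
}

function removeSubrecordSuccess (data)
{
    var index = $("#tabs").tabs("option", "selected") + 1;
    $("[href=#ui-tabs-" + index + "]").html(data);
    reloadTab();
}

</script>
JQUERY;

// generate buttons

// Both "create" and "attach" are gated by the same permission check.
$canAdd    = can_subrecord_be_added($record, $permissions);
$canRemove = can_subrecord_be_removed($record, $permissions);

$xml .= '<buttonset>';

$xml .= ($canAdd
            ? '<button action="createSubrecordStep1()">'
            : '<button disabled="true">')
      . get_html_resource(RES_CREATE_SUBRECORD_ID)
      . '</button>';

$xml .= ($canAdd
            ? '<button action="addSubrecord()">'
            : '<button disabled="true">')
      . get_html_resource(RES_ATTACH_SUBRECORD_ID)
      . '</button>';

$xml .= '</buttonset>';

$xml .= ($canRemove
            ? '<button action="$(\'#subrecords\').submit()">'
            : '<button disabled="true">')
      . get_html_resource(RES_REMOVE_SUBRECORD_ID)
      . '</button>';

// generate list of subrecords

$list = subrecords_list($id);

if ($list->rows != 0)
{
    $columns = array
    (
        RES_ID_ID,
        RES_STATE_ID,
        RES_SUBJECT_ID,
        RES_RESPONSIBLE_ID,
    );

    // The form posts back to this very script; "removeSubrecordSuccess" (above)
    // consumes the response. $id is an integer (ustr2int), so it is safe to embed.
    $xml .= '<form name="subrecords" action="subrecords.php?id=' . $id . '" success="removeSubrecordSuccess">'
          . '<list>'
          . '<hrow>'
          . '<hcell checkboxes="true"/>';

    foreach ($columns as $column)
    {
        $xml .= '<hcell>' . get_html_resource($column) . '</hcell>';
    }

    $xml .= '</hrow>';

    while (($row = $list->fetch()))
    {
        // Closed records are greyed out; dependencies are highlighted in red.
        if (is_record_closed($row))
        {
            $color = 'grey';
        }
        elseif ($row['is_dependency'])
        {
            $color = 'red';
        }
        else
        {
            $color = null;
        }

        // Row name "rec<record_id>" is what the submission handler above parses.
        $xml .= "<row name=\"rec{$row['record_id']}\" url=\"view.php?id={$row['record_id']}\" color=\"{$color}\">"
              . '<cell align="left" nowrap="true">' . record_id($row['record_id'], $row['template_prefix']) . '</cell>'
              . '<cell align="left">' . ustr2html($row['state_abbr']) . '</cell>'
              . '<cell align="left">' . update_references($row['subject'], BBCODE_SEARCH_ONLY) . '</cell>'
              . '<cell align="left">' . (is_null($row['fullname']) ? get_html_resource(RES_NONE_ID) : ustr2html($row['fullname'])) . '</cell>'
              . '</row>';
    }

    $xml .= '</list>'
          . '</form>';
}

echo xml2html($xml);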