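$filter = new InputFilter();
// Every superglobal this script reads goes through the project's XSS filter before
// any action runs. Note that $_SESSION is rewritten in place as well.
$_GET = $filter->xssFilterHard($_GET, "url");
$_POST = $filter->xssFilterHard($_POST, "url");
$_REQUEST = $filter->xssFilterHard($_REQUEST, "url");
$_SESSION = $filter->xssFilterHard($_SESSION, "url");

// The action name may arrive in POST or GET; POST wins when both are present.
$request = isset($_POST['request']) ? $_POST['request'] : null;
if (!isset($request)) {
    $request = isset($_GET['request']) ? $_GET['request'] : null;
}

if (isset($request)) {
    switch ($request) {
        case 'deleteGridRowOnDynaform':
            // Drops one row (by position) from the grid data held in the session and
            // renumbers the remaining rows from 1, so dependent grid fields stay aligned.
            if (!defined("XMLFORM_AJAX_PATH")) {
                define("XMLFORM_AJAX_PATH", PATH_XMLFORM);
            }
            $formId = isset($_POST["formID"]) ? $_POST["formID"] : null;
            $gridKey = isset($_POST["gridname"]) ? $_POST["gridname"] : null;
            $rowPos = isset($_POST["rowpos"]) ? $_POST["rowpos"] : null;
            if ($formId !== null && $gridKey !== null
                && isset($_SESSION[$formId][$gridKey]) && is_array($_SESSION[$formId][$gridKey])) {
                ksort($_SESSION[$formId][$gridKey]);
                $remaining = array();
                $newPos = 1;
                foreach ($_SESSION[$formId][$gridKey] as $pos => $row) {
                    // Loose comparison on purpose: the session keys are integers while
                    // rowpos arrives as a string.
                    if ($pos != $rowPos) {
                        $remaining[$newPos] = $row;
                        $newPos++;
                    }
                }
                $_SESSION[$formId][$gridKey] = $remaining;
            }
            break;
        /** widgets **/
        case 'suggest':
            // Autocomplete backend: runs the field's configured SQL with the typed text
            // folded into a LIKE condition (see queryModified) and returns the matching
            // rows as JSON or XML.
            try {
                if (isset($_GET["inputEnconde64"])) {
                    $_GET['input'] = base64_decode(isset($_GET['input']) ? $_GET['input'] : '');
                }
                if (!isset($_GET['form']) || !isset($_GET['variable'])) {
                    throw new Exception('Please contact the system administrator.');
                }
                $input = isset($_GET['input']) ? $_GET['input'] : '';
                $variable = $_GET['variable'];
                $gridName = isset($_GET['grid']) ? $_GET['grid'] : '';
                // For grid fields the form parameter carries the grid name; strip it
                // before and after UID resolution (as the original did) to get the XML file.
                $xmlFile = str_replace($gridName, '', $_GET['form']);
                $xmlFile = G::getUIDName(urlDecode($xmlFile));
                $xmlFile = str_replace($gridName, '', $xmlFile);
                $myForm = new Form($xmlFile, PATH_DYNAFORM);
                $myForm->id = urlDecode($_GET['form']);

                // Locate the field definition that carries the lookup SQL and, optionally,
                // the name of the connection it must run on ('workflow' by default).
                $bdUid = 'workflow';
                $sqlQuery = null;
                $type = isset($_GET['type']) ? $_GET['type'] : null;
                if ($type === 'form' && isset($myForm->fields[$variable]->sql)) {
                    $fieldDef = $myForm->fields[$variable];
                    $sqlQuery = $fieldDef->sql;
                    if (!empty($fieldDef->sqlConnection)) {
                        $bdUid = $fieldDef->sqlConnection;
                    }
                } elseif ($type === 'grid' && $gridName !== '' && isset($myForm->fields[$gridName])) {
                    // No early exit: when several grid rows define the variable the last
                    // one wins, as before.
                    foreach ($myForm->fields[$gridName] as $index => $gridField) {
                        if (is_array($gridField) && isset($gridField[$variable])) {
                            $fieldDef = $gridField[$variable];
                            $sqlQuery = $fieldDef->sql;
                            if (!empty($fieldDef->sqlConnection)) {
                                $bdUid = $fieldDef->sqlConnection;
                            }
                        }
                    }
                } else {
                    throw new Exception('The variable with ' . $_GET['variable'] . ' does not defined in the form.');
                }
                if ($sqlQuery === null) {
                    // A grid that never defined the variable used to hand null to the parser;
                    // report it the same way as an unknown variable instead.
                    throw new Exception('The variable with ' . $_GET['variable'] . ' does not defined in the form.');
                }

                // Dependent field values arrive as two parallel "|"-separated lists; the key
                // list is rot13 + base64 encoded and each key carries a two-char prefix.
                $encodedKeys = isset($_GET['dependentFieldsKeys']) ? $_GET['dependentFieldsKeys'] : '';
                $dependentKeys = explode("|", base64_decode(str_rot13($encodedKeys)));
                $dependentValues = explode("|", isset($_GET['dependentFieldsValue']) ? $_GET['dependentFieldsValue'] : '');
                $dependentFields = array();
                foreach ($dependentKeys as $nKey => $fieldVar) {
                    $dependentFields[substr($fieldVar, 2)] = isset($dependentValues[$nKey]) ? $dependentValues[$nKey] : null;
                }
                $sqlQuery = G::replaceDataField($sqlQuery, $dependentFields);

                // Rewrite the configured query so the typed text becomes a LIKE filter on
                // the display column. The text is caller-supplied; queryModified escapes it.
                $parser = new PHPSQLParser($sqlQuery);
                $searchType = isset($_GET["searchType"]) ? $_GET["searchType"] : '';
                $sqlQuery = queryModified($parser->parsed, $input, $searchType);

                $aRows = array();
                $con = null;
                try {
                    $con = Propel::getConnection($bdUid);
                    $con->begin();
                    $rs = $con->executeQuery($sqlQuery);
                    $con->commit();
                    while ($rs->next()) {
                        $aRows[] = $rs->getRow();
                    }
                } catch (SQLException $sqle) {
                    // Best effort: a failing lookup yields an empty suggestion list rather
                    // than an error response. Guarded because getConnection() itself may
                    // be what threw, leaving no connection to roll back.
                    if ($con !== null) {
                        $con->rollback();
                    }
                }

                $needle = strtolower($input);
                $aResults = array();
                $aRows = sortByChar($aRows, $needle);
                if (strlen($needle)) {
                    foreach ($aRows as $aRow) {
                        $cols = array_values($aRow);
                        $nCols = count($cols);
                        if ($nCols === 0) {
                            continue;
                        }
                        // 1 column: the id doubles as label; 2: id, label; 3+: id, label, info.
                        $id = $cols[0];
                        $value = ($nCols >= 2) ? $cols[1] : $cols[0];
                        $info = ($nCols >= 3) ? $cols[2] : '';
                        $aResults[] = array(
                            "id" => $id,
                            "value" => htmlspecialchars($value),
                            "info" => htmlspecialchars($info)
                        );
                    }
                }

                header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
                header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified
                header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
                header("Pragma: no-cache"); // HTTP/1.0
                if (isset($_REQUEST['json'])) {
                    header("Content-Type: application/json");
                    echo Bootstrap::json_encode(array("status" => 0, "results" => $aResults));
                } else {
                    header("Content-Type: text/xml");
                    echo "<?xml version=\"1.0\" encoding=\"utf-8\" ?><results>";
                    foreach ($aResults as $result) {
                        // value/info are already escaped above; the id attribute must be too,
                        // otherwise a quote in a row id breaks the document.
                        echo "<rs id=\"" . htmlspecialchars($result['id']) . "\" info=\"" . $result['info'] . "\">" . $result['value'] . "</rs>";
                    }
                    echo "</results>";
                }
            } catch (Exception $e) {
                $err = preg_replace("[\n|\r|\n\r]", ' ', $e->getMessage()); //Made compatible to PHP 5.3
                // Encode the message properly: concatenating it into the JSON literal
                // produced invalid JSON whenever the message contained a quote.
                echo json_encode(array("status" => 1, "message" => $err));
            }
            break;
        case 'storeInTmp':
            // Inserts a single (pk, field) pair into a caller-named table. Unauthenticated
            // callers get the same "success" reply without any write (kept as-is).
            if (!isset($_SESSION['USER_LOGGED'])) {
                echo "{status: 1, message: \"success\"}";
                break;
            }
            try {
                $cnn = isset($_GET['cnn']) ? $_GET['cnn'] : null;
                $con = Propel::getConnection($cnn);
                $db = Propel::getDB($cnn);
                // NOTE(review): the connection, table and column names all come from the
                // query string and the only protection visible here is identifier quoting;
                // there is no allow-list of writable tables. Confirm an upstream check
                // restricts what a logged-in user can write to.
                // Resolved before the branch: the non-int branch previously left both
                // undefined and built "INSERT INTO  (, ...)".
                $primaryKeyField = $db->quoteIdentifier(isset($_GET['pk']) ? $_GET['pk'] : '');
                $tableName = $db->quoteIdentifier(isset($_GET['table']) ? $_GET['table'] : '');
                if (isset($_GET['pkt']) && $_GET['pkt'] === 'int') {
                    $rs = $con->executeQuery("SELECT MAX($primaryKeyField) as lastId FROM $tableName");
                    $rs->next();
                    $row = $rs->getRow();
                    $gKey = (int)$row['lastId'] + 1;
                } else {
                    $gKey = G::encryptOld(date('Y-m-d H:i:s') . '@' . rand());
                }
                // Quote the column identifier the same way as pk/table. The previous
                // mysql_real_escape_string() call needed a live mysql_* link and is not an
                // identifier escape in any case.
                $field = $db->quoteIdentifier(str_replace("`", "", isset($_GET['fld']) ? $_GET['fld'] : ''));
                $query = "INSERT INTO $tableName ($primaryKeyField, $field) VALUES (?, ?)";
                $stmt = $con->prepareStatement($query);
                $stmt->set(1, $gKey);
                $stmt->set(2, isset($_GET['value']) ? $_GET['value'] : null);
                $stmt->executeQuery();
                echo "{status: 1, message: \"success\"}";
            } catch (Exception $e) {
                $err = preg_replace("[\n|\r|\n\r]", " ", $e->getMessage()); //Made compatible to PHP 5.3
                // Keep the legacy (unquoted-key) reply shape the caller expects, but escape
                // the message so a quote inside it cannot break out of the string.
                echo "{status: 0, message: \"" . addcslashes($err, "\"\\") . "\"}";
            }
            break;
    }
}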
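/**
 * Stable partition of result rows: rows whose display column starts with the
 * same character as $charSel (case-insensitive, first byte) come first, in
 * their original order, followed by all other rows.
 *
 * The display column is column 0 for single-column rows and column 1
 * otherwise (the convention the 'suggest' action uses to pick the label).
 * Rows with no columns have nothing to compare and stay with the
 * non-matching rows.
 *
 * @param array  $aRows   rows as returned by the query (associative or list)
 * @param string $charSel the text typed so far; only its first byte is used
 * @return array the same rows, reordered
 */
function sortByChar($aRows, $charSel)
{
    // (string) cast: substr('' , 0, 1) is false on PHP < 8 and '' on PHP 8.
    $wanted = (string)substr(strtolower((string)$charSel), 0, 1);
    $matching = array();
    $others = array();
    foreach ($aRows as $aRow) {
        $cols = array_values((array)$aRow);
        if (count($cols) === 0) {
            $others[] = $aRow;
            continue;
        }
        $label = (count($cols) === 1) ? $cols[0] : $cols[1];
        $first = (string)substr(strtolower((string)$label), 0, 1);
        if ($first === $wanted) {
            $matching[] = $aRow;
        } else {
            $others[] = $aRow;
        }
    }
    return array_merge($matching, $others);
}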
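/**
 * Rebuilds a SQL string from a PHPSQLParser result, turning a field's lookup
 * query into an autocomplete query.
 *
 * For SELECT statements the typed text is appended as a LIKE condition on the
 * display column (the second selected expression, or the first when only one
 * is selected) and, when the query has no ORDER BY of its own, the result is
 * ordered by that same column. CALL and EXECUTE statements, and the parser's
 * '' bucket the original also handled, are re-joined verbatim. Any other
 * input yields null.
 *
 * @param array  $sqlParsed  the ->parsed array of PHPSQLParser
 * @param string $inputSel   the typed text; single quotes and backslashes are
 *                           doubled so it cannot terminate the LIKE literal
 *                           (the % and _ wildcards are deliberately kept)
 * @param string $searchType "searchtype*" (prefix match), "*searchtype"
 *                           (suffix match), anything else (substring match)
 * @return string|null
 */
function queryModified($sqlParsed, $inputSel = "", $searchType = "")
{
    if (!empty($sqlParsed['SELECT'])) {
        $aSelect = $sqlParsed['SELECT'];
        $sqlSelectOptions = (isset($sqlParsed["OPTIONS"]) && count($sqlParsed["OPTIONS"]) > 0)
            ? implode(" ", $sqlParsed["OPTIONS"]) : null;
        $sqlSelect = "SELECT $sqlSelectOptions ";
        // The display column: the second selected expression when there is one.
        $sFieldSel = (count($aSelect) > 1) ? $aSelect[1]['base_expr'] : $aSelect[0]['base_expr'];
        foreach ($aSelect as $key => $item) {
            if ($key != 0) {
                $sqlSelect .= ", ";
            }
            $sAlias = str_replace("`", "", isset($item['alias']) ? $item['alias'] : '');
            $sBaseExpr = $item['base_expr'];
            switch ($item['expr_type']) {
                case 'colref':
                case 'expression':
                    // Emit "expr AS alias" only when the parser reported a distinct alias.
                    $sqlSelect .= ($sAlias === $sBaseExpr) ? $sBaseExpr : $sBaseExpr . ' AS ' . $sAlias;
                    break;
                case 'subquery':
                    // Kept from the original: the alias is emitted alone when the
                    // expression text does not sit at the start of the alias.
                    $sqlSelect .= (strpos($sAlias, $sBaseExpr, 0) != 0) ? $sAlias : $sBaseExpr . " AS " . $sAlias;
                    break;
                default:
                    $sqlSelect .= $sBaseExpr;
                    break;
            }
        }

        $sqlFrom = " FROM ";
        if (!empty($sqlParsed['FROM'])) {
            foreach ($sqlParsed['FROM'] as $key => $from) {
                $tableRef = $from['table'] . (($from['table'] == $from['alias']) ? "" : " " . $from['alias']);
                if ($key == 0) {
                    $sqlFrom .= $tableRef;
                } else {
                    $joinType = ($from['join_type'] == 'JOIN') ? "INNER" : $from['join_type'];
                    $sqlFrom .= " " . $joinType . " JOIN " . $tableRef . " " . $from['ref_type'] . " " . $from['ref_clause'];
                }
            }
        }

        // Double quotes and backslashes so the typed text cannot close the string
        // literal; % and _ are left alone so the user can still use them as wildcards.
        $escaped = str_replace(array('\\', "'"), array('\\\\', "''"), (string)$inputSel);
        switch ($searchType) {
            case "searchtype*":
                $sqlConditionLike = "LIKE '" . $escaped . "%'";
                break;
            case "*searchtype":
                $sqlConditionLike = "LIKE '%" . $escaped . "'";
                break;
            default:
                $sqlConditionLike = "LIKE '%" . $escaped . "%'";
                break;
        }

        if (!empty($sqlParsed['WHERE'])) {
            $sqlWhere = " WHERE ";
            foreach ($sqlParsed['WHERE'] as $term) {
                $sqlWhere .= $term['base_expr'] . " ";
            }
            $sqlWhere .= " AND " . $sFieldSel . " " . $sqlConditionLike;
        } else {
            $sqlWhere = " WHERE " . $sFieldSel . " " . $sqlConditionLike;
        }

        // GROUP BY and ORDER BY share one term format: "expr" for ASC, "expr DIR" otherwise.
        $joinOrdered = function ($terms) {
            $parts = array();
            foreach ($terms as $term) {
                $parts[] = ($term['direction'] == 'ASC')
                    ? $term['base_expr']
                    : $term['base_expr'] . " " . $term['direction'];
            }
            return implode(", ", $parts);
        };

        // Each clause below starts with a space: they are concatenated straight after
        // the previous clause, which carries no trailing separator (the original
        // produced e.g. "...LIKE '%x%'GROUP BY col" when a GROUP BY was present).
        $sqlGroupBy = "";
        if (!empty($sqlParsed['GROUP'])) {
            $sqlGroupBy = " GROUP BY " . $joinOrdered($sqlParsed['GROUP']);
        }
        $sqlHaving = "";
        if (!empty($sqlParsed['HAVING'])) {
            $sqlHaving = " HAVING ";
            foreach ($sqlParsed['HAVING'] as $term) {
                $sqlHaving .= $term['base_expr'] . " ";
            }
        }
        $sqlOrderBy = !empty($sqlParsed['ORDER'])
            ? " ORDER BY " . $joinOrdered($sqlParsed['ORDER'])
            : " ORDER BY " . $sFieldSel;
        $sqlLimit = "";
        if (!empty($sqlParsed['LIMIT'])) {
            $sqlLimit = " LIMIT " . $sqlParsed['LIMIT']['start'] . ", " . $sqlParsed['LIMIT']['end'];
        }
        return $sqlSelect . $sqlFrom . $sqlWhere . $sqlGroupBy . $sqlHaving . $sqlOrderBy . $sqlLimit;
    }

    // Non-SELECT statements are re-joined token by token with a trailing space.
    foreach (array('CALL' => "CALL ", 'EXECUTE' => "EXECUTE ", '' => "") as $section => $prefix) {
        if (!empty($sqlParsed[$section])) {
            $sCall = $prefix;
            foreach ($sqlParsed[$section] as $value) {
                $sCall .= $value . " ";
            }
            return $sCall;
        }
    }
    return null;
}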