phpBMS

root/trunk/phpbms/checkunique.php

Revision 720, 4.4 kB (checked in by brieb, 7 months ago)
  • fixed checkunique breaking with uuids and possible SQL injection
  • fixed backslashes in searches
  • fixed mark_as in invoice search commands incorrectly setting value to string 'NULL'
  • Property svn:keywords set to LastChangedBy LastChangedDate LastChangedRevision
<?php
/*
 $Rev$ | $LastChangedBy$
 $LastChangedDate$
 +-------------------------------------------------------------------------+
 | Copyright (c) 2004 - 2010, Kreotek LLC                                  |
 | All rights reserved.                                                    |
 +-------------------------------------------------------------------------+
 |                                                                         |
 | Redistribution and use in source and binary forms, with or without      |
 | modification, are permitted provided that the following conditions are  |
 | met:                                                                    |
 |                                                                         |
 | - Redistributions of source code must retain the above copyright        |
 |   notice, this list of conditions and the following disclaimer.         |
 |                                                                         |
 | - Redistributions in binary form must reproduce the above copyright     |
 |   notice, this list of conditions and the following disclaimer in the   |
 |   documentation and/or other materials provided with the distribution.  |
 |                                                                         |
 | - Neither the name of Kreotek LLC nor the names of its contributors may |
 |   be used to endorse or promote products derived from this software     |
 |   without specific prior written permission.                            |
 |                                                                         |
 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS     |
 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT       |
 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A |
 | PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT      |
 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,   |
 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT        |
 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,   |
 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY   |
 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT     |
 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE   |
 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.    |
 |                                                                         |
 +-------------------------------------------------------------------------+
*/


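class uniqueChecker{

    /** Database wrapper; check() relies on its query(), numRows() and fetchArray(). */
    public $db;

    /**
     * Wraps a connected database object and switches its error reporting to
     * JSON so that failures raised inside check() come back in the same
     * format the endpoint at the bottom of this file emits.
     *
     * @param object $db project database wrapper (the $db set up by include/session.php)
     */
    public function __construct($db){

        $this->db = $db;
        $this->db->errorFormat = "json";

    }//end function __construct

    /**
     * Legacy PHP4-style constructor. PHP 7 deprecated and PHP 8 removed
     * same-name constructors, so without __construct() above $this->db would
     * never be assigned on a modern runtime; this method now just delegates.
     */
    public function uniqueChecker($db){

        $this->__construct($db);

    }//end function uniqueChecker


    /**
     * Reports whether $value is not yet used in column $columname of the
     * table that the tabledef $tabledefuuid points at.
     *
     * Both the tabledef lookup and the count query are built as strings, so
     * every caller-supplied piece is escaped with mysql_real_escape_string();
     * the column name is additionally stripped of backticks so it cannot
     * close the quoted identifier it is placed in.
     *
     * NOTE(review): mysql_real_escape_string() needs an open ext/mysql link;
     * if $db is ever moved to mysqli/PDO it returns false and every value
     * collapses to '' — confirm the wrapper still uses ext/mysql or swap in
     * the wrapper's own escaping.
     *
     * @param string      $tabledefuuid uuid of the `tabledefs` row whose `maintable` is searched
     * @param string      $columname    column compared against $value (exact match)
     * @param string      $value        value to look for
     * @param string|null $excludeid    uuid of the record being edited; its own row is not counted
     * @return bool|string true when no other row holds $value, false when one
     *                     does, the string "error" when the tabledef is unknown
     */
    public function check($tabledefuuid, $columname, $value, $excludeid = NULL){

        $lookupstatement = "
            SELECT
                `maintable`
            FROM
                `tabledefs`
            WHERE
                `uuid` = '".mysql_real_escape_string($tabledefuuid)."'";

        $lookupresult = $this->db->query($lookupstatement);

        // Unknown tabledef: nothing to search. The loose test also catches a
        // wrapper that reports "no rows" as "0", false or null instead of int 0,
        // which would otherwise fall through to fetchArray() returning false.
        if(!$this->db->numRows($lookupresult))
            return "error";

        $tabledef = $this->db->fetchArray($lookupresult);

        // maintable is admin configuration, not request input, but it is still
        // spliced into a backtick-quoted identifier, so strip backticks as well.
        $table = str_replace("`", "", $tabledef["maintable"]);

        // The identifier's only delimiter is the backtick; with that removed
        // the escaped name cannot terminate the quoted column.
        $columname = mysql_real_escape_string(str_replace("`", "", $columname));
        $value = mysql_real_escape_string($value);

        $countstatement = "
            SELECT
                count(id) AS thecount
            FROM
                `".$table."`
            WHERE
                `".$columname."` = '".$value."'";

        // Explicit test instead of truthiness so a record whose uuid happens
        // to be the string "0" is still excluded from its own check.
        if($excludeid !== NULL && $excludeid !== ""){

            $countstatement .= " AND `uuid` != '".mysql_real_escape_string($excludeid)."'";

        }//endif

        $countresult = $this->db->query($countstatement);

        $countrow = $this->db->fetchArray($countresult);

        // count() always yields exactly one row; MySQL returns the number as a
        // string, so normalise to int before comparing strictly.
        return ((int) $countrow["thecount"] === 0);

    }//end function check

}//end class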
/**
 * PROCESSING ==================================================================
 */
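// Request handler. Skipped entirely when $noOutput is set, which is presumably
// how other scripts include this file just to get the uniqueChecker class.
if(!isset($noOutput)){

    // session.php is expected to provide $db, appError and the logged-in
    // session; this endpoint is only reachable through it.
    require_once("include/session.php");

    if(!isset($_GET["tduuid"]) || !isset($_GET["cname"]) || !isset($_GET["value"])){

        // Previously execution fell through to check() with unset parameters
        // (undefined-index notices plus a second JSON body after the error),
        // so the success path is now the else branch. Whether appError()
        // itself terminates the request is not visible here.
        $error = new appError(200, "passed parameters not set");

    } else {

        // xuuid is optional: an empty string means "exclude nothing".
        if(!isset($_GET["xuuid"]))
            $_GET["xuuid"] = "";

        $checker = new uniqueChecker($db);

        // NOTE(review): tduuid/cname are taken verbatim from the request, so
        // any authenticated user can ask whether a given value exists in any
        // column of any tabledef table. The query itself is escaped; consider
        // restricting cname server-side to columns that are actually marked
        // unique if that disclosure matters for your deployment.
        echo json_encode($checker->check($_GET["tduuid"], $_GET["cname"], $_GET["value"], $_GET["xuuid"]));

    }//endif

}//endif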