- lots of fixes of potential seurity holes (quote any string in sql statement)
parent
9fdcd9ab1f
commit
78495ab780
|
@ -312,7 +312,7 @@ class LetoDMS_Core_DMS {
|
|||
function getDocument($id) { /* {{{ */
|
||||
if (!is_numeric($id)) return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblDocuments WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblDocuments WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if (is_bool($resArr) && $resArr == false)
|
||||
return false;
|
||||
|
@ -321,7 +321,7 @@ class LetoDMS_Core_DMS {
|
|||
$resArr = $resArr[0];
|
||||
|
||||
// New Locking mechanism uses a separate table to track the lock.
|
||||
$queryStr = "SELECT * FROM tblDocumentLocks WHERE document = " . $id;
|
||||
$queryStr = "SELECT * FROM tblDocumentLocks WHERE document = " . (int) $id;
|
||||
$lockArr = $this->db->getResultArray($queryStr);
|
||||
if ((is_bool($lockArr) && $lockArr==false) || (count($lockArr)==0)) {
|
||||
// Could not find a lock on the selected document.
|
||||
|
@ -378,7 +378,7 @@ class LetoDMS_Core_DMS {
|
|||
$queryStr = "SELECT `tblDocuments`.*, `tblDocumentLocks`.`userID` as `lockUser` ".
|
||||
"FROM `tblDocuments` ".
|
||||
"LEFT JOIN `tblDocumentLocks` ON `tblDocuments`.`id`=`tblDocumentLocks`.`document` ".
|
||||
"WHERE `tblDocuments`.`name` = '" . $name . "'";
|
||||
"WHERE `tblDocuments`.`name` = " . $this->db->qstr($name);
|
||||
if($folder)
|
||||
$queryStr .= " AND `tblDocuments`.`folder` = ". $folder->getID();
|
||||
$queryStr .= " LIMIT 1";
|
||||
|
@ -707,7 +707,7 @@ class LetoDMS_Core_DMS {
|
|||
function getFolder($id) { /* {{{ */
|
||||
if (!is_numeric($id)) return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblFolders WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblFolders WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false)
|
||||
|
@ -736,7 +736,7 @@ class LetoDMS_Core_DMS {
|
|||
function getFolderByName($name, $folder=null) { /* {{{ */
|
||||
if (!$name) return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblFolders WHERE name = '" . $name . "'";
|
||||
$queryStr = "SELECT * FROM tblFolders WHERE name = " . $this->db->qstr($name);
|
||||
if($folder)
|
||||
$queryStr .= " AND `parent` = ". $folder->getID();
|
||||
$queryStr .= " LIMIT 1";
|
||||
|
@ -766,7 +766,7 @@ class LetoDMS_Core_DMS {
|
|||
if (!is_numeric($id))
|
||||
return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false) return false;
|
||||
|
@ -791,9 +791,9 @@ class LetoDMS_Core_DMS {
|
|||
* @return object instance of LetoDMS_Core_User or false
|
||||
*/
|
||||
function getUserByLogin($login, $email='') { /* {{{ */
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE login = '".$login."'";
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE login = ".$this->db->qstr($login);
|
||||
if($email)
|
||||
$queryStr .= " AND email='".$email."'";
|
||||
$queryStr .= " AND email=".$this->db->qstr($email);
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false) return false;
|
||||
|
@ -816,7 +816,7 @@ class LetoDMS_Core_DMS {
|
|||
* @return object instance of LetoDMS_Core_User or false
|
||||
*/
|
||||
function getUserByEmail($email) { /* {{{ */
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE email = '".$email."'";
|
||||
$queryStr = "SELECT * FROM tblUsers WHERE email = ".$this->db->qstr($email);
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false) return false;
|
||||
|
@ -865,10 +865,12 @@ class LetoDMS_Core_DMS {
|
|||
* is still allowed
|
||||
* @return object of LetoDMS_Core_User
|
||||
*/
|
||||
function addUser($login, $pwd, $fullName, $email, $language, $theme, $comment, $role=0, $isHidden=0) { /* {{{ */
|
||||
function addUser($login, $pwd, $fullName, $email, $language, $theme, $comment, $role='0', $isHidden=0) { /* {{{ */
|
||||
if (is_object($this->getUserByLogin($login))) {
|
||||
return false;
|
||||
}
|
||||
if($role == '')
|
||||
$role = '0';
|
||||
$queryStr = "INSERT INTO tblUsers (login, pwd, fullName, email, language, theme, comment, role, hidden) VALUES ('".$login."', '".$pwd."', '".$fullName."', '".$email."', '".$language."', '".$theme."', '".$comment."', '".$role."', '".$isHidden."')";
|
||||
$res = $this->db->getResult($queryStr);
|
||||
if (!$res)
|
||||
|
@ -887,7 +889,7 @@ class LetoDMS_Core_DMS {
|
|||
if (!is_numeric($id))
|
||||
return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblGroups WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblGroups WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false)
|
||||
|
@ -909,7 +911,7 @@ class LetoDMS_Core_DMS {
|
|||
* @return object/boolean group or false if no group was found
|
||||
*/
|
||||
function getGroupByName($name) { /* {{{ */
|
||||
$queryStr = "SELECT `tblGroups`.* FROM `tblGroups` WHERE `tblGroups`.`name` = '".$name."'";
|
||||
$queryStr = "SELECT `tblGroups`.* FROM `tblGroups` WHERE `tblGroups`.`name` = ".$this->db->qstr($name);
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
||||
if (is_bool($resArr) && $resArr == false)
|
||||
|
@ -972,7 +974,7 @@ class LetoDMS_Core_DMS {
|
|||
if (!is_numeric($id))
|
||||
return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblKeywordCategories WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblKeywordCategories WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if ((is_bool($resArr) && !$resArr) || (count($resArr) != 1))
|
||||
return false;
|
||||
|
@ -984,7 +986,7 @@ class LetoDMS_Core_DMS {
|
|||
} /* }}} */
|
||||
|
||||
function getKeywordCategoryByName($name, $owner) { /* {{{ */
|
||||
$queryStr = "SELECT * FROM tblKeywordCategories WHERE name = '" . $name . "' AND owner = '" . $owner. "'";
|
||||
$queryStr = "SELECT * FROM tblKeywordCategories WHERE name = " . $this->db->qstr($name) . " AND owner = " . (int) $owner;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if ((is_bool($resArr) && !$resArr) || (count($resArr) != 1))
|
||||
return false;
|
||||
|
@ -1017,7 +1019,7 @@ class LetoDMS_Core_DMS {
|
|||
function getAllUserKeywordCategories($userID) { /* {{{ */
|
||||
$queryStr = "SELECT * FROM tblKeywordCategories";
|
||||
if ($userID != -1)
|
||||
$queryStr .= " WHERE owner = " . $userID;
|
||||
$queryStr .= " WHERE owner = " . (int) $userID;
|
||||
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if (is_bool($resArr) && !$resArr)
|
||||
|
@ -1048,7 +1050,7 @@ class LetoDMS_Core_DMS {
|
|||
if (!is_numeric($id))
|
||||
return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblCategory WHERE id = " . $id;
|
||||
$queryStr = "SELECT * FROM tblCategory WHERE id = " . (int) $id;
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if ((is_bool($resArr) && !$resArr) || (count($resArr) != 1))
|
||||
return false;
|
||||
|
@ -1085,7 +1087,7 @@ class LetoDMS_Core_DMS {
|
|||
* @return object instance of LetoDMS_Core_DocumentCategory
|
||||
*/
|
||||
function getDocumentCategoryByName($name) { /* {{{ */
|
||||
$queryStr = "SELECT * FROM tblCategory where name='".$name."'";
|
||||
$queryStr = "SELECT * FROM tblCategory where name=".$this->db->qstr($name);
|
||||
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if (!$resArr)
|
||||
|
@ -1120,7 +1122,7 @@ class LetoDMS_Core_DMS {
|
|||
$queryStr = "SELECT `tblNotify`.* FROM `tblNotify` ".
|
||||
"WHERE `tblNotify`.`groupID` = ". $group->getID();
|
||||
if($type) {
|
||||
$queryStr .= " AND `tblNotify`.`targetType` = ".$type;
|
||||
$queryStr .= " AND `tblNotify`.`targetType` = ". (int) $type;
|
||||
}
|
||||
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
@ -1148,7 +1150,7 @@ class LetoDMS_Core_DMS {
|
|||
$queryStr = "SELECT `tblNotify`.* FROM `tblNotify` ".
|
||||
"WHERE `tblNotify`.`userID` = ". $user->getID();
|
||||
if($type) {
|
||||
$queryStr .= " AND `tblNotify`.`targetType` = ".$type;
|
||||
$queryStr .= " AND `tblNotify`.`targetType` = ". (int) $type;
|
||||
}
|
||||
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
|
@ -1190,7 +1192,7 @@ class LetoDMS_Core_DMS {
|
|||
*/
|
||||
function checkPasswordRequest($hash) { /* {{{ */
|
||||
/* Get the password request from the database */
|
||||
$queryStr = "SELECT * FROM tblUserPasswordRequest where hash='". $hash ."'";
|
||||
$queryStr = "SELECT * FROM tblUserPasswordRequest where hash=".$this->db->qstr($hash);
|
||||
$resArr = $this->db->getResultArray($queryStr);
|
||||
if (is_bool($resArr) && !$resArr)
|
||||
return false;
|
||||
|
@ -1210,7 +1212,7 @@ class LetoDMS_Core_DMS {
|
|||
*/
|
||||
function deletePasswordRequest($hash) { /* {{{ */
|
||||
/* Delete the request, so nobody can use it a second time */
|
||||
$queryStr = "DELETE FROM tblUserPasswordRequest WHERE hash='" . $hash."'";
|
||||
$queryStr = "DELETE FROM tblUserPasswordRequest WHERE hash=".$this->db->qstr($hash);
|
||||
if (!$this->db->getResult($queryStr))
|
||||
return false;
|
||||
return true;
|
||||
|
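Review bot: The addUser INSERT on the context line just after the new `$role = '0'` default still concatenates `$login`, `$pwd`, `$fullName`, `$email`, `$language`, `$theme`, `$comment` and `$isHidden` into single quotes without `$this->db->qstr()`, so this hunk leaves exactly the pattern the commit title says it fixes; the other methods in this file switched to `qstr()`/`(int)` but addUser only changed its signature. The VALUES clause should become `VALUES (".$this->db->qstr($login).", ".$this->db->qstr($pwd).", ".$this->db->qstr($fullName).", ".$this->db->qstr($email).", ".$this->db->qstr($language).", ".$this->db->qstr($theme).", ".$this->db->qstr($comment).", ".$this->db->qstr($role).", ".(int) $isHidden.")"`. Since `$role` is now compared with `''` and defaulted to the string `'0'`, quoting it through `qstr()` keeps the column's current string handling rather than forcing an integer. addUser's body continues past the end of the hunk.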
|
|
@ -183,7 +183,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function setName($newName) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblDocuments SET name = '" . $newName . "' WHERE id = ". $this->_id;
|
||||
$queryStr = "UPDATE tblDocuments SET name = ".$db->qstr($newName)." WHERE id = ". $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -206,7 +206,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function setComment($newComment) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblDocuments SET comment = '" . $newComment . "' WHERE id = ". $this->_id;
|
||||
$queryStr = "UPDATE tblDocuments SET comment = ".$db->qstr($newComment)." WHERE id = ". $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -219,7 +219,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function setKeywords($newKeywords) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblDocuments SET keywords = '" . $newKeywords . "' WHERE id = ". $this->_id;
|
||||
$queryStr = "UPDATE tblDocuments SET keywords = ".$db->qstr($newKeywords)." WHERE id = ". $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -369,7 +369,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function setDefaultAccess($mode) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblDocuments set defaultAccess = " . $mode . " WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblDocuments set defaultAccess = " . (int) $mode . " WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -474,7 +474,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
return true;
|
||||
}
|
||||
|
||||
$queryStr = "UPDATE tblDocuments SET expires = " . $expires . " WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblDocuments SET expires = " . (int) $expires . " WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -608,7 +608,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
}
|
||||
$modeStr = "";
|
||||
if ($mode!=M_ANY) {
|
||||
$modeStr = " AND mode".$op.$mode;
|
||||
$modeStr = " AND mode".$op.(int)$mode;
|
||||
}
|
||||
$queryStr = "SELECT * FROM tblACLs WHERE targetType = ".T_DOCUMENT.
|
||||
" AND target = " . $this->_id . $modeStr . " ORDER BY targetType";
|
||||
|
@ -644,7 +644,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "INSERT INTO tblACLs (target, targetType, ".$userOrGroup.", mode) VALUES
|
||||
(".$this->_id.", ".T_DOCUMENT.", " . $userOrGroupID . ", " .$mode. ")";
|
||||
(".$this->_id.", ".T_DOCUMENT.", " . (int) $userOrGroupID . ", " .(int) $mode. ")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -673,7 +673,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "UPDATE tblACLs SET mode = " . $newMode . " WHERE targetType = ".T_DOCUMENT." AND target = " . $this->_id . " AND " . $userOrGroup . " = " . $userOrGroupID;
|
||||
$queryStr = "UPDATE tblACLs SET mode = " . (int) $newMode . " WHERE targetType = ".T_DOCUMENT." AND target = " . $this->_id . " AND " . $userOrGroup . " = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -700,7 +700,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "DELETE FROM tblACLs WHERE targetType = ".T_DOCUMENT." AND target = ".$this->_id." AND ".$userOrGroup." = " . $userOrGroupID;
|
||||
$queryStr = "DELETE FROM tblACLs WHERE targetType = ".T_DOCUMENT." AND target = ".$this->_id." AND ".$userOrGroup." = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -788,7 +788,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
$foundInACL = true;
|
||||
if ($groupAccess->getMode() > $highestPrivileged)
|
||||
$highestPrivileged = $groupAccess->getMode();
|
||||
if ($highestPrivileged == M_ALL) //höher geht's nicht -> wir können uns die arbeit schenken
|
||||
if ($highestPrivileged == M_ALL) // max access right -> skip the rest
|
||||
return $highestPrivileged;
|
||||
}
|
||||
}
|
||||
|
@ -928,7 +928,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
/* Check to see if user/group is already on the list. */
|
||||
$queryStr = "SELECT * FROM `tblNotify` WHERE `tblNotify`.`target` = '".$this->_id."' ".
|
||||
"AND `tblNotify`.`targetType` = '".T_DOCUMENT."' ".
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".$userOrGroupID."'";
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".(int) $userOrGroupID."'";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (is_bool($resArr)) {
|
||||
return -4;
|
||||
|
@ -937,7 +937,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
return -3;
|
||||
}
|
||||
|
||||
$queryStr = "INSERT INTO tblNotify (target, targetType, " . $userOrGroup . ") VALUES (" . $this->_id . ", " . T_DOCUMENT . ", " . $userOrGroupID . ")";
|
||||
$queryStr = "INSERT INTO tblNotify (target, targetType, " . $userOrGroup . ") VALUES (" . $this->_id . ", " . T_DOCUMENT . ", " . (int) $userOrGroupID . ")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return -4;
|
||||
|
||||
|
@ -999,7 +999,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
/* Check to see if the target is in the database. */
|
||||
$queryStr = "SELECT * FROM `tblNotify` WHERE `tblNotify`.`target` = '".$this->_id."' ".
|
||||
"AND `tblNotify`.`targetType` = '".T_DOCUMENT."' ".
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".$userOrGroupID."'";
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".(int) $userOrGroupID."'";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (is_bool($resArr)) {
|
||||
return -4;
|
||||
|
@ -1008,7 +1008,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
return -3;
|
||||
}
|
||||
|
||||
$queryStr = "DELETE FROM tblNotify WHERE target = " . $this->_id . " AND targetType = " . T_DOCUMENT . " AND " . $userOrGroup . " = " . $userOrGroupID;
|
||||
$queryStr = "DELETE FROM tblNotify WHERE target = " . $this->_id . " AND targetType = " . T_DOCUMENT . " AND " . $userOrGroup . " = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return -4;
|
||||
|
||||
|
@ -1055,7 +1055,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
}
|
||||
|
||||
$queryStr = "INSERT INTO tblDocumentContent (document, version, comment, date, createdBy, dir, orgFileName, fileType, mimeType) VALUES ".
|
||||
"(".$this->_id.", ".(int)$version.",'".$comment."', ".$date.", ".$user->getID().", '".$dir."', '".$orgFileName."', '".$fileType."', '" . $mimeType . "')";
|
||||
"(".$this->_id.", ".(int)$version.",".$db->qstr($comment).", ".$date.", ".$user->getID().", ".$db->qstr($dir).", ".$db->qstr($orgFileName).", ".$db->qstr($fileType).", ".$db->qstr($mimeType).")";
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
// copy file
|
||||
|
@ -1068,10 +1068,10 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
// TODO - verify
|
||||
if ($this->_dms->enableConverting && in_array($docResultSet->_content->getFileType(), array_keys($this->_dms->convertFileTypes)))
|
||||
$docResultSet->_content->convert(); //Auch wenn das schiefgeht, wird deswegen nicht gleich alles "hingeschmissen" (sprich: false zurückgegeben)
|
||||
$docResultSet->_content->convert(); // Even if if fails, do not return false
|
||||
|
||||
$queryStr = "INSERT INTO `tblDocumentStatus` (`documentID`, `version`) ".
|
||||
"VALUES ('". $this->_id ."', '". $version ."')";
|
||||
"VALUES (". $this->_id .", ". (int) $version .")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -1179,7 +1179,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
}
|
||||
|
||||
$db = $this->_dms->getDB();
|
||||
$queryStr = "SELECT * FROM tblDocumentContent WHERE document = ".$this->_id." AND version = " . $version;
|
||||
$queryStr = "SELECT * FROM tblDocumentContent WHERE document = ".$this->_id." AND version = " . (int) $version;
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (is_bool($resArr) && !$res)
|
||||
return false;
|
||||
|
@ -1272,7 +1272,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
if (!is_numeric($linkID)) return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblDocumentLinks WHERE document = " . $this->_id ." AND id = " . $linkID;
|
||||
$queryStr = "SELECT * FROM tblDocumentLinks WHERE document = " . $this->_id ." AND id = " . (int) $linkID;
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if ((is_bool($resArr) && !$resArr) || count($resArr)==0)
|
||||
return false;
|
||||
|
@ -1306,7 +1306,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
$public = ($public) ? "1" : "0";
|
||||
|
||||
$queryStr = "INSERT INTO tblDocumentLinks(document, target, userID, public) VALUES (".$this->_id.", ".$targetID.", ".$userID.", " . $public.")";
|
||||
$queryStr = "INSERT INTO tblDocumentLinks(document, target, userID, public) VALUES (".$this->_id.", ".(int)$targetID.", ".(int)$userID.", ".(int)$public.")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -1317,7 +1317,9 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function removeDocumentLink($linkID) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "DELETE FROM tblDocumentLinks WHERE document = " . $this->_id ." AND id = " . $linkID;
|
||||
if (!is_numeric($linkID)) return false;
|
||||
|
||||
$queryStr = "DELETE FROM tblDocumentLinks WHERE document = " . $this->_id ." AND id = " . (int) $linkID;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
unset ($this->_documentLinks);
|
||||
return true;
|
||||
|
@ -1328,7 +1330,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
|
||||
if (!is_numeric($ID)) return false;
|
||||
|
||||
$queryStr = "SELECT * FROM tblDocumentFiles WHERE document = " . $this->_id ." AND id = " . $ID;
|
||||
$queryStr = "SELECT * FROM tblDocumentFiles WHERE document = " . $this->_id ." AND id = " . (int) $ID;
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if ((is_bool($resArr) && !$resArr) || count($resArr)==0) return false;
|
||||
|
||||
|
@ -1359,7 +1361,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
$dir = $this->getDir();
|
||||
|
||||
$queryStr = "INSERT INTO tblDocumentFiles (comment, date, dir, document, fileType, mimeType, orgFileName, userID, name) VALUES ".
|
||||
"('".$comment."', '".mktime()."', '" . $dir ."', " . $this->_id.", '".$fileType."', '".$mimeType."', '".$orgFileName."',".$user->getID().",'".$name."')";
|
||||
"(".$db->qstr($comment).", '".mktime()."', ".$db->qstr($dir).", ".$this->_id.", ".$db->qstr($fileType).", ".$db->qstr($mimeType).", ".$db->qstr($orgFileName).",".$user->getID().",".$db->qstr($name).")";
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
$id = $db->getInsertID();
|
||||
|
@ -1377,6 +1379,8 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
function removeDocumentFile($ID) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
if (!is_numeric($ID)) return false;
|
||||
|
||||
$file = $this->getDocumentFile($ID);
|
||||
if (is_bool($file) && !$file) return false;
|
||||
|
||||
|
@ -1388,7 +1392,7 @@ class LetoDMS_Core_Document { /* {{{ */
|
|||
$name=$file->getName();
|
||||
$comment=$file->getcomment();
|
||||
|
||||
$queryStr = "DELETE FROM tblDocumentFiles WHERE document = " . $this->getID() . " AND id = " . $ID;
|
||||
$queryStr = "DELETE FROM tblDocumentFiles WHERE document = " . $this->getID() . " AND id = " . (int) $ID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -1628,7 +1632,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
// if status is released and there are reviewers set status draft_rev
|
||||
// if status is released or draft_rev and there are approves set status draft_app
|
||||
// if status is draft and there are no approver and no reviewers set status to release
|
||||
function verifyStatus($ignorecurrentstatus=false,$user=null) { /* {{{ */
|
||||
function verifyStatus($ignorecurrentstatus=false, $user=null) { /* {{{ */
|
||||
|
||||
unset($this->_status);
|
||||
$st=$this->getStatus();
|
||||
|
@ -1664,10 +1668,10 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
|
||||
function LetoDMS_Core_DocumentContent($document, $version, $comment, $date, $userID, $dir, $orgFileName, $fileType, $mimeType) { /* {{{ */
|
||||
$this->_document = $document;
|
||||
$this->_version = $version;
|
||||
$this->_version = (int) $version;
|
||||
$this->_comment = $comment;
|
||||
$this->_date = $date;
|
||||
$this->_userID = $userID;
|
||||
$this->_userID = (int) $userID;
|
||||
$this->_dir = $dir;
|
||||
$this->_orgFileName = $orgFileName;
|
||||
$this->_fileType = $fileType;
|
||||
|
@ -1693,7 +1697,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
function setComment($newComment) { /* {{{ */
|
||||
$db = $this->_document->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblDocumentContent SET comment = '" . $newComment . "' WHERE `document` = " . $this->_document->getID() . " AND `version` = " . $this->_version;
|
||||
$queryStr = "UPDATE tblDocumentContent SET comment = ".$db->qstr($newComment)." WHERE `document` = " . $this->_document->getID() . " AND `version` = " . $this->_version;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -1781,6 +1785,8 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
function getStatus($limit=1) { /* {{{ */
|
||||
$db = $this->_document->_dms->getDB();
|
||||
|
||||
if (!is_numeric($limit)) return false;
|
||||
|
||||
// Retrieve the current overall status of the content represented by
|
||||
// this object.
|
||||
if (!isset($this->_status)) {
|
||||
|
@ -1806,7 +1812,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
"LEFT JOIN `tblDocumentStatusLog` USING (`statusID`) ".
|
||||
"WHERE `tblDocumentStatus`.`documentID` = '". $this->_document->getID() ."' ".
|
||||
"AND `tblDocumentStatus`.`version` = '". $this->_version ."' ".
|
||||
"ORDER BY `tblDocumentStatusLog`.`statusLogID` DESC LIMIT ".$limit;
|
||||
"ORDER BY `tblDocumentStatusLog`.`statusLogID` DESC LIMIT ".(int) $limit;
|
||||
|
||||
$res = $db->getResultArray($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
|
@ -1831,6 +1837,8 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
function setStatus($status, $comment, $updateUser) { /* {{{ */
|
||||
$db = $this->_document->_dms->getDB();
|
||||
|
||||
if (!is_numeric($status)) return false;
|
||||
|
||||
/* return an error if $updateuser is not set */
|
||||
if(!$updateUser)
|
||||
return false;
|
||||
|
@ -1850,7 +1858,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
return false;
|
||||
}
|
||||
$queryStr = "INSERT INTO `tblDocumentStatusLog` (`statusID`, `status`, `comment`, `date`, `userID`) ".
|
||||
"VALUES ('". $this->_status["statusID"] ."', '". $status ."', '". $comment ."', NOW(), '". $updateUser->getID() ."')";
|
||||
"VALUES ('". $this->_status["statusID"] ."', '". (int) $status ."', ".$db->qstr($comment).", NOW(), '". $updateUser->getID() ."')";
|
||||
$res = $db->getResult($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
return false;
|
||||
|
@ -1868,6 +1876,8 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
function getReviewStatus($limit=1) { /* {{{ */
|
||||
$db = $this->_document->_dms->getDB();
|
||||
|
||||
if (!is_numeric($limit)) return false;
|
||||
|
||||
// Retrieve the current status of each assigned reviewer for the content
|
||||
// represented by this object.
|
||||
if (!isset($this->_reviewStatus)) {
|
||||
|
@ -1890,7 +1900,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
"LEFT JOIN `tblUsers` on `tblUsers`.`id` = `tblDocumentReviewers`.`required`".
|
||||
"LEFT JOIN `tblGroups` on `tblGroups`.`id` = `tblDocumentReviewers`.`required`".
|
||||
"WHERE `tblDocumentReviewers`.`reviewId` = '". $rec['reviewId'] ."' ".
|
||||
"ORDER BY `tblDocumentReviewLog`.`reviewLogID` DESC LIMIT ".$limit;
|
||||
"ORDER BY `tblDocumentReviewLog`.`reviewLogID` DESC LIMIT ".(int) $limit;
|
||||
|
||||
$res = $db->getResultArray($queryStr);
|
||||
if (is_bool($res) && !$res) {
|
||||
|
@ -1907,6 +1917,8 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
function getApprovalStatus($limit=1) { /* {{{ */
|
||||
$db = $this->_document->_dms->getDB();
|
||||
|
||||
if (!is_numeric($limit)) return false;
|
||||
|
||||
// Retrieve the current status of each assigned approver for the content
|
||||
// represented by this object.
|
||||
if (!isset($this->_approvalStatus)) {
|
||||
|
@ -1929,7 +1941,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
"LEFT JOIN `tblUsers` on `tblUsers`.`id` = `tblDocumentApprovers`.`required` ".
|
||||
"LEFT JOIN `tblGroups` on `tblGroups`.`id` = `tblDocumentApprovers`.`required`".
|
||||
"WHERE `tblDocumentApprovers`.`approveId` = '". $rec['approveId'] ."' ".
|
||||
"ORDER BY `tblDocumentApproveLog`.`approveLogId` DESC LIMIT ".$limit;
|
||||
"ORDER BY `tblDocumentApproveLog`.`approveLogId` DESC LIMIT ".(int) $limit;
|
||||
|
||||
$res = $db->getResultArray($queryStr);
|
||||
if (is_bool($res) && !$res) {
|
||||
|
@ -2082,7 +2094,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
$queryStr = "INSERT INTO `tblDocumentReviewLog` (`reviewID`, `status`,
|
||||
`comment`, `date`, `userID`) ".
|
||||
"VALUES ('". $reviewStatus["indstatus"][0]["reviewID"] ."', '".
|
||||
$status ."', '". $comment ."', NOW(), '".
|
||||
(int) $status ."', ".$db->qstr($comment).", NOW(), '".
|
||||
$requestUser->getID() ."')";
|
||||
$res=$db->getResult($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
|
@ -2116,7 +2128,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
$queryStr = "INSERT INTO `tblDocumentReviewLog` (`reviewID`, `status`,
|
||||
`comment`, `date`, `userID`) ".
|
||||
"VALUES ('". $reviewStatus[0]["reviewID"] ."', '".
|
||||
$status ."', '". $comment ."', NOW(), '".
|
||||
(int) $status ."', ".$db->qstr($comment).", NOW(), '".
|
||||
$requestUser->getID() ."')";
|
||||
$res=$db->getResult($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
|
@ -2284,7 +2296,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
$queryStr = "INSERT INTO `tblDocumentApproveLog` (`approveID`, `status`,
|
||||
`comment`, `date`, `userID`) ".
|
||||
"VALUES ('". $approvalStatus["indstatus"][0]["approveID"] ."', '".
|
||||
$status ."', '". $comment ."', NOW(), '".
|
||||
(int) $status ."', ".$db->qstr($comment).", NOW(), '".
|
||||
$requestUser->getID() ."')";
|
||||
$res=$db->getResult($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
|
@ -2324,7 +2336,7 @@ class LetoDMS_Core_DocumentContent { /* {{{ */
|
|||
$queryStr = "INSERT INTO `tblDocumentApproveLog` (`approveID`, `status`,
|
||||
`comment`, `date`, `userID`) ".
|
||||
"VALUES ('". $approvalStatus[0]["approveID"] ."', '".
|
||||
$status ."', '". $comment ."', NOW(), '".
|
||||
(int) $status ."', ".$db->qstr($comment).", NOW(), '".
|
||||
$requestUser->getID() ."')";
|
||||
$res=$db->getResult($queryStr);
|
||||
if (is_bool($res) && !$res)
|
||||
|
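Review bot: In the tblDocumentContent lookup hunk (`@ -1179`) the guard after the newly cast query, `if (is_bool($resArr) && !$res)`, tests `$res`, which is not assigned anywhere in the visible lines, so the check only behaves because an undefined variable is falsy (and raises a notice); it should read `if (is_bool($resArr) && !$resArr)`. The enclosing method starts outside the hunk. In the addContent INSERT (`@ -1055`) `$date` is the only value still interpolated with neither `(int)` nor `qstr()`; if it carries a unix timestamp like the `mktime()` used in addDocumentFile, `(int) $date` would complete the pass. Separately, the replacement comment on the `convert()` call reads `// Even if if fails, do not return false`; `// Even if it fails, do not return false` was presumably intended.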
|
|
@ -56,7 +56,7 @@ class LetoDMS_Core_DocumentCategory {
|
|||
function setName($newName) {
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblCategory SET name = '$newName' WHERE id = ". $this->_id;
|
||||
$queryStr = "UPDATE tblCategory SET name = ".$db->qstr($newName)." WHERE id = ". $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -84,7 +84,7 @@ class LetoDMS_Core_DocumentCategory {
|
|||
function addCategory($keywords) {
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "INSERT INTO tblCategory (category) VALUES ('".$keywords."')";
|
||||
$queryStr = "INSERT INTO tblCategory (category) VALUES (".$db->qstr($keywords).")";
|
||||
return $db->getResult($queryStr);
|
||||
}
|
||||
|
||||
|
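Review bot: addCategory's INSERT targets a column named `category` in tblCategory, while setName in the hunk above updates `tblCategory.name` and the DMS-side lookup changed in this same commit selects `FROM tblCategory where name=`; unless the table really has both columns this INSERT fails at runtime, so the column name should be checked against the schema (the likely fix is `$queryStr = "INSERT INTO tblCategory (name) VALUES (".$db->qstr($keywords).")";`). The parameter name `$keywords` also does not describe what is inserted; a docblock such as `/** Create a new category. @param string $keywords name of the category to create @return mixed result of $db->getResult() */` would make the contract explicit without touching callers. setName's body continues below its hunk.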
|
|
@ -273,7 +273,7 @@ class LetoDMS_Core_Folder {
|
|||
function setDefaultAccess($mode) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblFolders set defaultAccess = " . $mode . " WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblFolders set defaultAccess = " . (int) $mode . " WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -304,7 +304,7 @@ class LetoDMS_Core_Folder {
|
|||
|
||||
$inheritAccess = ($inheritAccess) ? "1" : "0";
|
||||
|
||||
$queryStr = "UPDATE tblFolders SET inheritAccess = " . $inheritAccess . " WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblFolders SET inheritAccess = " . (int) $inheritAccess . " WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -384,7 +384,7 @@ class LetoDMS_Core_Folder {
|
|||
}
|
||||
//inheritAccess = true, defaultAccess = M_READ
|
||||
$queryStr = "INSERT INTO tblFolders (name, parent, folderList, comment, date, owner, inheritAccess, defaultAccess, sequence) ".
|
||||
"VALUES ('".$name."', ".$this->_id.", '".$pathPrefix."', '".$comment."', ".mktime().", ".$owner->getID().", 1, ".M_READ.", ".$sequence.")";
|
||||
"VALUES (".$db->qstr($name).", ".$this->_id.", ".$db->qstr($pathPrefix).", ".$db->qstr($comment).", ".mktime().", ".$owner->getID().", 1, ".M_READ.", ". $sequence.")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
$newFolder = $this->_dms->getFolder($db->getInsertID());
|
||||
|
@ -393,7 +393,7 @@ class LetoDMS_Core_Folder {
|
|||
return $newFolder;
|
||||
} /* }}} */
|
||||
|
||||
/*
|
||||
/**
|
||||
* Returns an array of all parents, grand parent, etc. up to root folder.
|
||||
* The folder itself is the last element of the array.
|
||||
*
|
||||
|
@ -415,6 +415,11 @@ class LetoDMS_Core_Folder {
|
|||
}
|
||||
} /* }}} */
|
||||
|
||||
/**
|
||||
* Returns a unix file system path
|
||||
*
|
||||
* @return string path separated with '/'
|
||||
*/
|
||||
function getFolderPathPlain() { /* {{{ */
|
||||
$path="";
|
||||
$folderPath = $this->getPath();
|
||||
|
@ -491,7 +496,7 @@ class LetoDMS_Core_Folder {
|
|||
* @param string $orgFileName the original file name
|
||||
* @param string $fileType usually the extension of the filename
|
||||
* @param string $mimeType mime type of the content
|
||||
* @param integer $sequence position of new document within the folder
|
||||
* @param float $sequence position of new document within the folder
|
||||
* @param array $reviewers list of users who must review this document
|
||||
* @param array $approvers list of users who must approve this document
|
||||
* @param string $reqversion version number of the content
|
||||
|
@ -517,7 +522,7 @@ class LetoDMS_Core_Folder {
|
|||
}
|
||||
|
||||
$queryStr = "INSERT INTO tblDocuments (name, comment, date, expires, owner, folder, folderList, inheritAccess, defaultAccess, locked, keywords, sequence) VALUES ".
|
||||
"('".$name."', '".$comment."', " . mktime().", ".$expires.", ".$owner->getID().", ".$this->_id.",'".$pathPrefix."', 1, ".M_READ.", -1, '".$keywords."', " . $sequence . ")";
|
||||
"(".$db->qstr($name).", ".$db->qstr($comment).", " . mktime().", ".(int) $expires.", ".$owner->getID().", ".$this->_id.",".$db->qstr($pathPrefix).", 1, ".M_READ.", -1, ".$db->qstr($keywords).", " . $sequence . ")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -593,7 +598,7 @@ class LetoDMS_Core_Folder {
|
|||
}
|
||||
$modeStr = "";
|
||||
if ($mode!=M_ANY) {
|
||||
$modeStr = " AND mode".$op.$mode;
|
||||
$modeStr = " AND mode".$op.(int)$mode;
|
||||
}
|
||||
$queryStr = "SELECT * FROM tblACLs WHERE targetType = ".T_FOLDER.
|
||||
" AND target = " . $this->_id . $modeStr . " ORDER BY targetType";
|
||||
|
@ -640,7 +645,7 @@ class LetoDMS_Core_Folder {
|
|||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "INSERT INTO tblACLs (target, targetType, ".$userOrGroup.", mode) VALUES
|
||||
(".$this->_id.", ".T_FOLDER.", " . $userOrGroupID . ", " .$mode. ")";
|
||||
(".$this->_id.", ".T_FOLDER.", " . (int) $userOrGroupID . ", " .(int) $mode. ")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -669,7 +674,7 @@ class LetoDMS_Core_Folder {
|
|||
|
||||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "UPDATE tblACLs SET mode = " . $newMode . " WHERE targetType = ".T_FOLDER." AND target = " . $this->_id . " AND " . $userOrGroup . " = " . $userOrGroupID;
|
||||
$queryStr = "UPDATE tblACLs SET mode = " . (int) $newMode . " WHERE targetType = ".T_FOLDER." AND target = " . $this->_id . " AND " . $userOrGroup . " = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -688,7 +693,7 @@ class LetoDMS_Core_Folder {
|
|||
|
||||
$userOrGroup = ($isUser) ? "userID" : "groupID";
|
||||
|
||||
$queryStr = "DELETE FROM tblACLs WHERE targetType = ".T_FOLDER." AND target = ".$this->_id." AND ".$userOrGroup." = " . $userOrGroupID;
|
||||
$queryStr = "DELETE FROM tblACLs WHERE targetType = ".T_FOLDER." AND target = ".$this->_id." AND ".$userOrGroup." = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -912,7 +917,7 @@ class LetoDMS_Core_Folder {
|
|||
//
|
||||
$queryStr = "SELECT * FROM `tblNotify` WHERE `tblNotify`.`target` = '".$this->_id."' ".
|
||||
"AND `tblNotify`.`targetType` = '".T_FOLDER."' ".
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".$userOrGroupID."'";
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '". (int) $userOrGroupID."'";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (is_bool($resArr)) {
|
||||
return -4;
|
||||
|
@ -921,7 +926,7 @@ class LetoDMS_Core_Folder {
|
|||
return -3;
|
||||
}
|
||||
|
||||
$queryStr = "INSERT INTO tblNotify (target, targetType, " . $userOrGroup . ") VALUES (" . $this->_id . ", " . T_FOLDER . ", " . $userOrGroupID . ")";
|
||||
$queryStr = "INSERT INTO tblNotify (target, targetType, " . $userOrGroup . ") VALUES (" . $this->_id . ", " . T_FOLDER . ", " . (int) $userOrGroupID . ")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return -4;
|
||||
|
||||
|
@ -985,7 +990,7 @@ class LetoDMS_Core_Folder {
|
|||
//
|
||||
$queryStr = "SELECT * FROM `tblNotify` WHERE `tblNotify`.`target` = '".$this->_id."' ".
|
||||
"AND `tblNotify`.`targetType` = '".T_FOLDER."' ".
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '".$userOrGroupID."'";
|
||||
"AND `tblNotify`.`".$userOrGroup."` = '". (int) $userOrGroupID."'";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (is_bool($resArr)) {
|
||||
return -4;
|
||||
|
@ -994,7 +999,7 @@ class LetoDMS_Core_Folder {
|
|||
return -3;
|
||||
}
|
||||
|
||||
$queryStr = "DELETE FROM tblNotify WHERE target = " . $this->_id . " AND targetType = " . T_FOLDER . " AND " . $userOrGroup . " = " . $userOrGroupID;
|
||||
$queryStr = "DELETE FROM tblNotify WHERE target = " . $this->_id . " AND targetType = " . T_FOLDER . " AND " . $userOrGroup . " = " . (int) $userOrGroupID;
|
||||
if (!$db->getResult($queryStr))
|
||||
return -4;
|
||||
|
||||
|
|
|
@ -61,7 +61,7 @@ class LetoDMS_Core_Group {
|
|||
function setName($newName) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblGroups SET name = '" . $newName . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblGroups SET name = ".$db->qstr($newName)." WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -74,7 +74,7 @@ class LetoDMS_Core_Group {
|
|||
function setComment($newComment) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblGroups SET comment = '" . $newComment . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblGroups SET comment = ".$db->qstr($newComment)." WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -247,8 +247,8 @@ class LetoDMS_Core_Group {
|
|||
"LEFT JOIN `tblDocumentReviewLog` USING (`reviewID`) ".
|
||||
"LEFT JOIN `ttreviewid` on `ttreviewid`.`maxLogID` = `tblDocumentReviewLog`.`reviewLogID` ".
|
||||
"WHERE `ttreviewid`.`maxLogID`=`tblDocumentReviewLog`.`reviewLogID` ".
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblDocumentReviewers`.`type`='1' ".
|
||||
"AND `tblDocumentReviewers`.`required`='". $this->_id ."' ";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
|
@ -278,8 +278,8 @@ class LetoDMS_Core_Group {
|
|||
"LEFT JOIN `tblDocumentApproveLog` USING (`approveID`) ".
|
||||
"LEFT JOIN `ttapproveid` on `ttapproveid`.`maxLogID` = `tblDocumentApproveLog`.`approveLogID` ".
|
||||
"WHERE `ttapproveid`.`maxLogID`=`tblDocumentApproveLog`.`approveLogID` ".
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblDocumentApprovers`.`type`='1' ".
|
||||
"AND `tblDocumentApprovers`.`required`='". $this->_id ."' ";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
|
|
|
@ -71,7 +71,7 @@ class LetoDMS_Core_KeywordCategory {
|
|||
function setName($newName) {
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblKeywordCategories SET name = '$newName' WHERE id = ". $this->_id;
|
||||
$queryStr = "UPDATE tblKeywordCategories SET name = ".$db->qstr($newName)." WHERE id = ". $this->_id;
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -101,14 +101,14 @@ class LetoDMS_Core_KeywordCategory {
|
|||
function editKeywordList($listID, $keywords) {
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblKeywords SET keywords = '$keywords' WHERE id = $listID";
|
||||
$queryStr = "UPDATE tblKeywords SET keywords = ".$db->qstr($keywords)." WHERE id = $listID";
|
||||
return $db->getResult($queryStr);
|
||||
}
|
||||
|
||||
function addKeywordList($keywords) {
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "INSERT INTO tblKeywords (category, keywords) VALUES (" . $this->_id . ", '$keywords')";
|
||||
$queryStr = "INSERT INTO tblKeywords (category, keywords) VALUES (" . $this->_id . ", ".$db->qstr($keywords).")";
|
||||
return $db->getResult($queryStr);
|
||||
}
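Review bot: `editKeywordList` still interpolates `$listID` raw into `WHERE id = $listID` after this hunk quotes `$keywords`, so the injection the commit sets out to close is only half closed in that method; cast it like the other ids, `$queryStr = "UPDATE tblKeywords SET keywords = ".$db->qstr($keywords)." WHERE id = " . (int) $listID;`. A non-numeric `$listID` would then become 0 and update nothing, so `if (!is_numeric($listID)) return false;` at the top of the method keeps bad input failing closed. The statement also does not restrict the row to this category (`AND category = " . $this->_id`), so a valid `$listID` belonging to another category is writable through this object; whether that is intended is not visible here.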
|
||||
|
||||
|
|
|
@ -133,7 +133,7 @@ class LetoDMS_Core_User {
|
|||
function setLogin($newLogin) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET login ='" . $newLogin . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET login =".$db->qstr($newLogin)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -147,7 +147,7 @@ class LetoDMS_Core_User {
|
|||
function setFullName($newFullName) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET fullname = '" . $newFullName . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET fullname = ".$db->qstr($newFullName)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -161,7 +161,7 @@ class LetoDMS_Core_User {
|
|||
function setPwd($newPwd) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET pwd ='" . $newPwd . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET pwd =".$db->qstr($newPwd)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -175,7 +175,7 @@ class LetoDMS_Core_User {
|
|||
function setEmail($newEmail) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET email ='" . $newEmail . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET email =".$db->qstr($newEmail)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -189,7 +189,7 @@ class LetoDMS_Core_User {
|
|||
function setLanguage($newLanguage) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET language ='" . $newLanguage . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET language =".$db->qstr($newLanguage)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -203,7 +203,7 @@ class LetoDMS_Core_User {
|
|||
function setTheme($newTheme) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET theme ='" . $newTheme . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET theme =".$db->qstr($newTheme)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -217,7 +217,7 @@ class LetoDMS_Core_User {
|
|||
function setComment($newComment) { /* {{{ */
|
||||
$db = $this->_dms->getDB();
|
||||
|
||||
$queryStr = "UPDATE tblUsers SET comment ='" . $newComment . "' WHERE id = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUsers SET comment =".$db->qstr($newComment)." WHERE id = " . $this->_id;
|
||||
$res = $db->getResult($queryStr);
|
||||
if (!$res)
|
||||
return false;
|
||||
|
@ -322,7 +322,7 @@ class LetoDMS_Core_User {
|
|||
$queryStr = "DELETE FROM tblNotify WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//Der Besitz von Dokumenten oder Ordnern, deren bisheriger Besitzer der zu löschende war, geht an den Admin über
|
||||
/* Assign documents of the removed user to the given user */
|
||||
$queryStr = "UPDATE tblFolders SET owner = " . $assignTo . " WHERE owner = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
|
@ -332,11 +332,11 @@ class LetoDMS_Core_User {
|
|||
$queryStr = "UPDATE tblDocumentContent SET createdBy = " . $assignTo . " WHERE createdBy = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//Verweise auf Dokumente: Private löschen...
|
||||
// Remove private links on documents ...
|
||||
$queryStr = "DELETE FROM tblDocumentLinks WHERE userID = " . $this->_id . " AND public = 0";
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//... und öffentliche an Admin übergeben
|
||||
// ... but keep public links
|
||||
$queryStr = "UPDATE tblDocumentLinks SET userID = " . $assignTo . " WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
|
@ -348,19 +348,19 @@ class LetoDMS_Core_User {
|
|||
$queryStr = "DELETE FROM tblDocumentLocks WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//User aus allen Gruppen löschen
|
||||
// Delete user from all groups
|
||||
$queryStr = "DELETE FROM tblGroupMembers WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//User aus allen ACLs streichen
|
||||
// User aus allen ACLs streichen
|
||||
$queryStr = "DELETE FROM tblACLs WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//Eintrag aus tblUserImagess löschen
|
||||
// Delete image of user
|
||||
$queryStr = "DELETE FROM tblUserImages WHERE userID = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
//Eintrag aus tblUsers löschen
|
||||
// Delete user itself
|
||||
$queryStr = "DELETE FROM tblUsers WHERE id = " . $this->_id;
|
||||
if (!$db->getResult($queryStr)) return false;
|
||||
|
||||
|
@ -528,9 +528,9 @@ class LetoDMS_Core_User {
|
|||
fclose($fp);
|
||||
|
||||
if ($this->hasImage())
|
||||
$queryStr = "UPDATE tblUserImages SET image = '".base64_encode($content)."', mimeType = '". $mimeType."' WHERE userID = " . $this->_id;
|
||||
$queryStr = "UPDATE tblUserImages SET image = '".base64_encode($content)."', mimeType = ".$db->qstr($mimeType)." WHERE userID = " . $this->_id;
|
||||
else
|
||||
$queryStr = "INSERT INTO tblUserImages (userID, image, mimeType) VALUES (" . $this->_id . ", '".base64_encode($content)."', '".$mimeType."')";
|
||||
$queryStr = "INSERT INTO tblUserImages (userID, image, mimeType) VALUES (" . $this->_id . ", '".base64_encode($content)."', ".$db->qstr($mimeType).")";
|
||||
if (!$db->getResult($queryStr))
|
||||
return false;
|
||||
|
||||
|
@ -571,8 +571,8 @@ class LetoDMS_Core_User {
|
|||
"FROM `tblDocumentReviewers` ".
|
||||
"LEFT JOIN `tblDocumentReviewLog` USING (`reviewID`) ".
|
||||
"WHERE `tblDocumentReviewers`.`type`='0' ".
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblDocumentReviewers`.`required`='". $this->_id ."' ".
|
||||
"ORDER BY `tblDocumentReviewLog`.`reviewLogID` DESC LIMIT 1";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
|
@ -592,8 +592,8 @@ class LetoDMS_Core_User {
|
|||
"LEFT JOIN `tblDocumentReviewLog` USING (`reviewID`) ".
|
||||
"LEFT JOIN `tblGroupMembers` ON `tblGroupMembers`.`groupID` = `tblDocumentReviewers`.`required` ".
|
||||
"WHERE `tblDocumentReviewers`.`type`='1' ".
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentReviewers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentReviewers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblGroupMembers`.`userID`='". $this->_id ."' ".
|
||||
"ORDER BY `tblDocumentReviewLog`.`reviewLogID` DESC LIMIT 1";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
|
@ -665,8 +665,8 @@ class LetoDMS_Core_User {
|
|||
"FROM `tblDocumentApprovers` ".
|
||||
"LEFT JOIN `tblDocumentApproveLog` USING (`approveID`) ".
|
||||
"WHERE `tblDocumentApprovers`.`type`='0' ".
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblDocumentApprovers`.`required`='". $this->_id ."' ".
|
||||
"ORDER BY `tblDocumentApproveLog`.`approveLogID` DESC LIMIT 1";
|
||||
|
||||
|
@ -702,8 +702,8 @@ class LetoDMS_Core_User {
|
|||
"LEFT JOIN `tblDocumentApproveLog` USING (`approveID`) ".
|
||||
"LEFT JOIN `tblGroupMembers` ON `tblGroupMembers`.`groupID` = `tblDocumentApprovers`.`required` ".
|
||||
"WHERE `tblDocumentApprovers`.`type`='1' ".
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". $version ."' ").
|
||||
($documentID==null ? "" : "AND `tblDocumentApprovers`.`documentID` = '". (int) $documentID ."' ").
|
||||
($version==null ? "" : "AND `tblDocumentApprovers`.`version` = '". (int) $version ."' ").
|
||||
"AND `tblGroupMembers`.`userID`='". $this->_id ."' ".
|
||||
"ORDER BY `tblDocumentApproveLog`.`approveLogID` DESC LIMIT 1";
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
|
@ -798,7 +798,7 @@ class LetoDMS_Core_User {
|
|||
|
||||
if ($isgroup){
|
||||
|
||||
$queryStr = "SELECT * FROM tblMandatoryApprovers WHERE userID = " . $this->_id . " AND approverGroupID = " . $id;
|
||||
$queryStr = "SELECT * FROM tblMandatoryApprovers WHERE userID = " . $this->_id . " AND approverGroupID = " . (int) $id;
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (count($resArr)!=0) return;
|
||||
|
||||
|
@ -808,7 +808,7 @@ class LetoDMS_Core_User {
|
|||
|
||||
}else{
|
||||
|
||||
$queryStr = "SELECT * FROM tblMandatoryApprovers WHERE userID = " . $this->_id . " AND approverUserID = " . $id;
|
||||
$queryStr = "SELECT * FROM tblMandatoryApprovers WHERE userID = " . $this->_id . " AND approverUserID = " . (int) $id;
|
||||
$resArr = $db->getResultArray($queryStr);
|
||||
if (count($resArr)!=0) return;
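Review bot: `remove()` still concatenates `$assignTo` unescaped into its UPDATE statements (`SET owner = " . $assignTo`, `SET createdBy = " . $assignTo`, `SET userID = " . $assignTo`) even though the hunks around lines 322-348 touch the neighbouring lines; it should be cast like the other ids, e.g. `$queryStr = "UPDATE tblFolders SET owner = " . (int) $assignTo . " WHERE owner = " . $this->_id;`, and likewise for the tblDocumentContent and tblDocumentLinks updates. An empty `$assignTo` also produces `SET owner =  WHERE ...`, which fails the first UPDATE after the tblNotify rows have already been deleted, and no transaction is visible around the sequence, so the method should reject anything but a numeric id of an existing user before issuing the first statement. Separately, `setPwd` writes `$newPwd` exactly as received; whether the caller hashes it first is not visible from this hunk and is worth confirming. `remove()` starts outside these hunks.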
|
||||
|
||||
|
|