Commit 347e20b87afb2a6602ea81d18e370b29c3beb51e

Authored by Michael Joseph
1 parent 4306f6fd

[999478] Added quoting for all db values.


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@2914 c91229c3-7414-0410-bfa2-8a42b809f60b
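--- a/lib/documentmanagement/Document.inc
+++ b/lib/documentmanagement/Document.inc
@@ -286,7 +286,7 @@ class Document {
 //if the folder is not the root folder
 if ($iFolderID != 0) {
 $sql = $default->db;
-$sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = $iFolderID");
+$sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
 $sql->next_record();
 return $this->generateParentFolderIDS($sql->f("parent_id")) . ",$iFolderID";
 }
@@ -314,7 +314,7 @@ class Document {
 //if the folder is not the root folder
 if ($iFolderID != 0) {
 $sql = $default->db;
-$sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = $iFolderID");
+$sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
 $sql->next_record();
 return $this->generateFullFolderPath($sql->f("parent_id")) . "/" . $sql->f("name");
 }
@@ -336,7 +336,7 @@ class Document {
 /**
 * Insert the current document into the database
 *
-* @return boolean true on successful insert, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true on successful insert, false otherwise
 */
 function create() {
 global $default, $lang_err_doc_exist, $lang_err_database;
@@ -346,7 +346,22 @@ class Document {
 $this->sFullPath = $this->generateFolderPath($this->iFolderID);
 $this->sParentFolderIDs = $this->generateFolderIDs($this->iFolderID);
 $result = $sql->query("INSERT INTO " . $default->documents_table . " (document_type_id, name, filename, size, creator_id, modified, description, mime_id, folder_id, major_version, minor_version, is_checked_out, checked_out_user_id, parent_folder_ids, full_path, status_id) " .
-"VALUES ($this->iDocumentTypeID, '$this->sName', '$this->sFileName', $this->iSize, $this->iCreatorID, '" . getCurrentDateTime() . "', '$this->sDescription', $this->iMimeTypeID, $this->iFolderID, $this->iMajorVersion, $this->iMinorVersion, " . ($this->bIsCheckedOut ? 1 : 0) . ", $this->iCheckedOutUserID, '$this->sParentFolderIDs','$this->sFullPath', $this->iStatusID)");
+"VALUES (" . quote($this->iDocumentTypeID) . ", " .
+quote($this->sName) . ", " .
+quote($this->sFileName) . ", " .
+quote($this->iSize) . ", " .
+quote($this->iCreatorID) . ", " .
+quote(getCurrentDateTime()) . ", " .
+quote($this->sDescription) . ", " .
+quote($this->iMimeTypeID) . ", " .
+quote($this->iFolderID) . ", " .
+quote($this->iMajorVersion) . ", " .
+quote($this->iMinorVersion) . ", " .
+quote($this->bIsCheckedOut) . ", " .
+quote($this->iCheckedOutUserID) . ", " .
+quote($this->sParentFolderIDs) . ", " .
+quote($this->sFullPath) . ", " .
+quote($this->iStatusID) . ")");
 if ($result) {
 //set the current documents primary key
 $this->iId = $sql->insert_id();
@@ -354,10 +369,8 @@ class Document {
 $this->insertDocumentPermissions();
 return true;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_exists . "id = " . $this->iId . " table = documents";
 return false;
 
 }
@@ -373,7 +386,7 @@ class Document {
 "FROM $default->documents_table AS D INNER JOIN folders AS F ON D.folder_id = F.id " .
 "INNER JOIN $default->groups_folders_table AS GFL ON GFL.folder_id = F.id " .
 "INNER JOIN $default->users_groups_table AS UGL ON UGL.group_id = GFL.group_id " .
-"WHERE D.id=$this->iId";
+"WHERE D.id=" . quote($this->iId);
 $default->log->debug("addDocument groupPerms=$sGroupPerms");
 if ($sql->query($sGroupPerms)) {
 $default->log->debug("groupPerms succeeded");
@@ -384,7 +397,7 @@ class Document {
 $sRolePerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
 "SELECT user_id, document_id " .
 "FROM $default->folders_user_roles_table " .
-"WHERE document_id=$this->iId";
+"WHERE document_id=" . quote($this->iId);
 $default->log->info("addDocument rolePerms=$sRolePerms");
 if ($sql->query($sRolePerms)) {
 $default->log->debug("rolePerms succeeded");
@@ -397,7 +410,7 @@ class Document {
 "SELECT U.id, D.id " .
 "FROM $default->users_table AS U, $default->documents_table AS D INNER JOIN $default->folders_table AS F ON D.folder_id = F.id " .
 "WHERE F.is_public = 1 " .
-"AND D.id=$this->iId";
+"AND D.id=" . quote($this->iId);
 $default->log->debug("addDocument publicFolder=$sPublicFolderPerms");
 if ($sql->query($sPublicFolderPerms)) {
 $default->log->debug("publicFolder succeeded");
@@ -409,7 +422,7 @@ class Document {
 $sCreatorPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
 "SELECT creator_id, id " .
 "FROM $default->documents_table " .
-"WHERE id=$this->iId";
+"WHERE id=" . quote($this->iId);
 $default->log->debug("addDocument creatorPerms=$sCreatorPerms");
 if ($sql->query($sCreatorPerms)) {
 $default->log->debug("creatorPerms succeeded");
@@ -421,68 +434,65 @@ class Document {
 /**
 * Update the documents current values in the database
 *
-* @return boolean true on successful update, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true on successful update, false otherwise
 */
 function update($aForMove = false) {
 global $default, $lang_err_database, $lang_err_object_key;
 if ($this->iId >= 0) {
 $sql = $default->db;
 $sQuery = "UPDATE " . $default->documents_table . " SET " .
-"document_type_id = $this->iDocumentTypeID, " .
-"name = '$this->sName', " .
-"filename = '$this->sFileName', " .
-"size = $this->iSize, " .
-"creator_id = $this->iCreatorID, " .
-"modified = '" . getCurrentDateTime() . "', " .
-"description = '$this->sDescription', " .
-"mime_id = $this->iMimeTypeID, " .
-"folder_id = $this->iFolderID, " .
-"major_version = $this->iMajorVersion, " .
-"minor_version = $this->iMinorVersion, ";
+"document_type_id = " . quote($this->iDocumentTypeID) . ", " .
+"name = " . quote($this->sName) . ", " .
+"filename = " . quote($this->sFileName) . ", " .
+"size = " . quote($this->iSize) . ", " .
+"creator_id = " . quote($this->iCreatorID) . ", " .
+"modified = " . quote(getCurrentDateTime()) . ", " .
+"description = " . quote($this->sDescription) . ", " .
+"mime_id = " . quote($this->iMimeTypeID) . ", " .
+"folder_id = " . quote($this->iFolderID) . ", " .
+"major_version = " . quote($this->iMajorVersion) . ", " .
+"minor_version = " . quote($this->iMinorVersion) . ", ";
 if ($aForMove) {
 //only update these if the document is being moved
 $this->sFullPath = $this->generateFolderPath($this->iFolderID);
 $this->sParentFolderIDs = $this->generateFolderIDs($this->iFolderID);
 
-$sQuery .= "parent_folder_ids = '$this->sParentFolderIDs'," .
-"full_path = '$this->sFullPath', ";
+$sQuery .= "parent_folder_ids = " . quote($this->sParentFolderIDs) . ", " .
+"full_path = " . quote($this->sFullPath) . ", ";
 }
-$sQuery .= "is_checked_out = " . ($this->bIsCheckedOut ? "1" : "0") . ", " .
-"checked_out_user_id = $this->iCheckedOutUserID, " .
-"status_id = $this->iStatusID " .
-"WHERE id = $this->iId";
+$sQuery .= "is_checked_out = " . quote($this->bIsCheckedOut) . ", " .
+"checked_out_user_id = " . quote($this->iCheckedOutUserID) . ", " .
+"status_id = " . quote($this->iStatusID) . " " .
+"WHERE id = " . quote($this->iId);
 $result = $sql->query($sQuery);
 if ($result) {
 return true;
+} else {
+return false;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
-return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_key;
 return false;
-
 }
 
 /**
 * Delete the current document from the database. Set the primary key to -1
 * on successful deletion
 *
-* @return boolean true and reset id to -1 on successful deletion, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true and reset id to -1 on successful deletion, false otherwise
 */
 function delete() {
 global $default, $lang_err_database, $lang_err_object_key;
 if ($this->iId >= 0) {
 $sql = $default->db;
-$result = $sql->query("DELETE FROM " . $default->documents_table . " WHERE id = $this->iId");
+$result = $sql->query("DELETE FROM " . $default->documents_table . " " .
+"WHERE id = " . quote($this->iId));
 if ($result) {
 $this->iId = -1;
 // clean up for this deleted document
 return true;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_key;
 return false;
 }
 
@@ -495,9 +505,10 @@ class Document {
 global $default;
 //get the steps in this document's collaboration process
 $sQuery = "SELECT FURL.id, GFAL.precedence " .
-"FROM $default->folders_user_roles_table AS FURL INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " .
-"WHERE document_id = " . $this->iId . " " .
-"ORDER BY GFAL.precedence ASC";
+"FROM $default->folders_user_roles_table AS FURL " .
+"INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " .
+"WHERE document_id = " . quote($this->iId) . " " .
+"ORDER BY GFAL.precedence ASC";
 $sql = $default->db;
 $sql->query($sQuery);
 if ($sql->next_record()) {
@@ -511,12 +522,11 @@ class Document {
 $oRole = Role::get($oFolderCollaboration->getRoleID());
 //get the user to email
 $oUser = User::get($oFolderUserRole->getUserID());
-
+// FIXME: delegate this to message templating handling messaging layer
+// construct and send the mail
 $sBody = $oUser->getUserName() . ", your role of '" . $oRole->getName() . "' in the document, '" . $this->sName . "' collaboration process is now active. " .
 "Click " . generateLink("/presentation/lookAndFeel/knowledgeTree/documentmanagement/viewBL.php", "fDocumentID=" . $this->iId, "here") . " to access " .
 "the document";
-
-
 $oEmail = & new Email();
 $oEmail->send($oUser->getEmail(), "Document collaboration role active", $sBody);
 DocumentCollaboration::createDependantDocuments($oFolderUserRole);
@@ -532,11 +542,11 @@ class Document {
 $oRole = Role::get($oFolderCollaboration->getRoleID());
 //get the user to email
 $oUser = User::get($oFolderUserRole->getUserID());
-
+// FIXME: delegate this to message templating handling messaging layer
+// construct and send the mail
 $sBody = $oUser->getUserName() . ", your role of '" . $oRole->getName() . "' in the document, '" . $this->sName . "' collaboration process is now active. " .
 "Click " . generateLink("/presentation/lookAndFeel/knowledgeTree/documentmanagement/viewBL.php", "fDocumentID=" . $this->iId, "here") . " to access " .
 "the document";
-
 $oEmail = & new Email();
 $oEmail->send($oUser->getEmail(), "Document collaboration role active", $sBody);
 DocumentCollaboration::createDependantDocuments($oFolderUserRole);
@@ -554,8 +564,9 @@ class Document {
 //if the user is assinged to two or more roles, make sure we get the current
 //one by ordering by precedence
 $sql->query("SELECT FURL.id AS id, GFAT.precedence " .
-"FROM $default->groups_folders_approval_table AS GFAT INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
-"WHERE document_id = $this->iId AND FURL.user_id = " . $_SESSION["userID"] . " " .
+"FROM $default->groups_folders_approval_table AS GFAT " .
+"INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
+"WHERE document_id = $this->iId AND FURL.user_id = " . quote($_SESSION["userID"]) . " " .
 "AND done = 0 " .
 "ORDER BY precedence ASC");
 if ($sql->next_record()) {
@@ -575,14 +586,13 @@ class Document {
 * a document object and populate it with the corresponding
 * database values
 *
-* @return Document populated Document object on success, false otherwise and set $_SESSION["errorMessage"]
+* @return Document populated Document object on success, false otherwise.
 */
 function & get($iDocumentID) {
 global $default, $lang_err_doc_not_exist;
 if (strlen($iDocumentID) > 0) {
 $sql = $default->db;
-// TODO: join on sys_deleted
-$sql->query("SELECT * FROM $default->documents_table WHERE id = $iDocumentID");
+$sql->query("SELECT * FROM $default->documents_table WHERE id = " . quote($iDocumentID));
 if ($sql->next_record()) {
 $oDocument = & new Document($sql->f("name"), $sql->f("filename"), $sql->f("size"), $sql->f("creator_id"), $sql->f("mime_id"), $sql->f("folder_id"), $sql->f("description"));
 $oDocument->setDocumentTypeID($sql->f("document_type_id"));
@@ -598,10 +608,8 @@ class Document {
 $oDocument->iId = $iDocumentID;
 return $oDocument;
 }
-$_SESSION["errorMessage"] = $lang_err_object_not_exist . "id = " . $iDocumentID . " table = documents";
 return false;
 } else {
-$_SESSION["errorMessage"] = "Document ID not set. Cannot retrieve document with no id";
 return false;
 }
 }
@@ -612,14 +620,15 @@ class Document {
 *
 * @param String Where clause (not required)
 *
-* @return Array array of Documents objects, false otherwise and set $_SESSION["errorMessage"]
+* @return Array array of Documents objects, false otherwise.
 */
 function getList($sWhereClause = null) {
 global $default, $lang_err_database;
 $aDocumentArray;
 settype($aDocumentArray, "array");
 $sql = $default->db;
-$result = $sql->query("SELECT * FROM " . $default->documents_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+$result = $sql->query("SELECT * FROM " . $default->documents_table .
+(isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
 if ($result) {
 $iCount = 0;
 while ($sql->next_record()) {
@@ -629,7 +638,6 @@ class Document {
 }
 return $aDocumentArray;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
 
@@ -640,13 +648,17 @@ class Document {
 * @param Document type primary key
 * @param Get only the mandatory fields
 *
-* @return array array of document field objects, false otherwise and $_SESSION["errorMessage"]
+* @return array array of document field objects, false otherwise
 */
 function getDocumentFieldsForDocumentType($iDocumentTypeID, $bMandatoryOnly = false) {
 $aDocumentFieldArray;
 settype($aDocumentFieldArray,"array");
 $sql = $default->db;
-$result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type FROM document_fields AS DF INNER JOIN document_type_fields_link AS DTFL ON DF.id = DTFL.field_id WHERE DTFL.document_type_id = $iDocumentTypeID " . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . "ORDER BY DF.name ASC");
+$result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " .
+"FROM $default->document_fields_table AS DF " .
+"INNER JOIN $default->document_type_fields_table AS DTFL ON DF.id = DTFL.field_id " .
+"WHERE DTFL.document_type_id = " . quote($iDocumentTypeID) . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") .
+"ORDER BY DF.name ASC");
 if ($result) {
 $iCount = 0;
 while ($sql->next_record()) {
@@ -658,7 +670,6 @@ class Document {
 }
 return $aDocumentFieldArray;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 
 }
@@ -671,10 +682,11 @@ class Document {
 */
 function getDocumentHistory() {
 global $default, $lang_err_database;
-$aDocumentHistory;
-settype($aDocumentHistory, "array");
+$aDocumentHistory = array();
 $sql = $default->db;
-$result = $sql->query("SELECT * FROM " . $default->document_transactions_table . " WHERE document_id = $this->iId ORDER BY datetime DESC");
+$result = $sql->query("SELECT * FROM " . $default->document_transactions_table . " " .
+"WHERE document_id = " . quote($this->iId) . " " .
+"ORDER BY datetime DESC");
 if ($result) {
 $iCount = 0;
 while($sql->next_record()) {
@@ -684,9 +696,7 @@ class Document {
 }
 return $history;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
-
 }
 
 /**
@@ -745,15 +755,15 @@ class Document {
 * @param String File name of document
 * @param int Primary key of folder to which document is assigned
 *
-* @return boolean true if document exists, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true if document exists, false otherwise.
 */
 function documentExists($sFileName, $iFolderID) {
 global $default;
 $sql = $default->db;
 $sQuery = "SELECT * FROM $default->documents_table " .
-"WHERE filename = '$sFileName' " .
-"AND folder_id = $iFolderID " .
-"AND status_id = " . LIVE;
+"WHERE filename = " . quote($sFileName) .
+" AND folder_id = " . quote($iFolderID) .
+" AND status_id = " . LIVE;
 $sql->query($sQuery);
 if ($sql->next_record()) {
 return true;
@@ -765,20 +775,17 @@ class Document {
 * Lookup the document name for the document
 *
 * @param int the ID of the document to lookup the document name for
-* @return string the name of the document on success, false otherwise and set $_SESSION["errorMessage"]
+* @return string the name of the document on success, false otherwise.
 */
 function getDocumentName($iDocumentID) {
 global $default, $lang_err_database, $lang_err_doc_not_exist;
 $sql = $default->db;
 
-if ($sql->query("SELECT name FROM " . $default->documents_table . " WHERE id = $iDocumentID")) {
+if ($sql->query("SELECT name FROM $default->documents_table " .
+"WHERE id = " . quote($iDocumentID))) {
 if ($sql->next_record()) {
 return $sql->f("name");
-} else {
-$_SESSION["errorMessage"] = $lang_err_doc_not_exist;
-}
-} else {
-$_SESSION["errorMessage"] = $lang_err_database;
+}
 }
 return false;
 }
@@ -807,8 +814,8 @@ class Document {
 $sql->query("SELECT * " .
 "FROM $default->folder_doctypes_table AS FDL " .
 "INNER JOIN $default->documents_table AS D ON D.document_type_id = FDL.document_type_id " .
-"WHERE FDL.id = $iFolderDocTypeID " .
-"AND D.folder_id = $iFolderID");
+"WHERE FDL.id = " . quote($iFolderDocTypeID) . " " .
+"AND D.folder_id = " . quote($iFolderID));
 if ($sql->next_record()) {
 return true;
 }
@@ -822,9 +829,9 @@ class Document {
 function removeInvalidDocumentTypeEntries() {
 global $default;
 $sQuery = "SELECT field_id FROM $default->document_type_fields_table DTFL " .
-"INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " .
-"WHERE DTFL.document_type_id = $this->iDocumentTypeID " .
-"AND DF.is_generic = 0";
+"INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " .
+"WHERE DTFL.document_type_id = " . quote($this->iDocumentTypeID) . " " .
+"AND DF.is_generic = 0";
 $sql = $default->db;
 $sql->query($sQuery);
 $aFieldIDs = array();
@@ -834,7 +841,9 @@ class Document {
 }
 if (count($aFieldIDs) > 0) {
 //delete the entries
-$sQuery = "DELETE FROM $default->document_fields_link_table WHERE document_id = $this->iId AND document_field_id IN (" . implode(",",$aFieldIDs) . ")";
+$sQuery = "DELETE FROM $default->document_fields_link_table " .
+"WHERE document_id = " . quote($this->iId) . "
+AND document_field_id IN (" . implode(",",$aFieldIDs) . ")";
 if ($sql->query($sQuery)) {
 return true;
 }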
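Review bot: `$this->iId` is still interpolated raw at new line 569, `"WHERE document_id = $this->iId AND FURL.user_id = " . quote($_SESSION["userID"]) . " " .`, even though every other hunk in this commit routes the id through quote(); change it to `"WHERE document_id = " . quote($this->iId) . " AND FURL.user_id = " . quote($_SESSION["userID"]) . " " .`. At new line 660 the space that used to follow `$iDocumentTypeID` inside the string was dropped, so with `$bMandatoryOnly` set the statement becomes `... document_type_id = <quoted id>AND DFTL.is_mandatory = 1`; put `" "` back after the quote() call (the `DFTL` alias there also differs from the declared `DTFL`, but that predates this commit). New lines 360 and 463 now pass `$this->bIsCheckedOut` straight to quote() where the old code emitted a literal `1`/`0`; how quote() renders a PHP boolean is not visible here, so confirm it yields a value the is_checked_out column accepts. getList() at lines 630–631 still splices `$sWhereClause` into the SELECT verbatim, so that parameter remains caller-trusted SQL rather than a quoted value.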