Commit 347e20b87afb2a6602ea81d18e370b29c3beb51e

Authored by Michael Joseph
1 parent 4306f6fd

[999478] Added quoting for all db values.


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@2914 c91229c3-7414-0410-bfa2-8a42b809f60b
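--- a/lib/documentmanagement/Document.inc
+++ b/lib/documentmanagement/Document.inc
@@ -286,7 +286,7 @@ class Document {
 //if the folder is not the root folder
 if ($iFolderID != 0) {
 $sql = $default->db;
-$sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = $iFolderID");
+$sql->query("SELECT parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
 $sql->next_record();
 return $this->generateParentFolderIDS($sql->f("parent_id")) . ",$iFolderID";
 }
@@ -314,7 +314,7 @@ class Document {
 //if the folder is not the root folder
 if ($iFolderID != 0) {
 $sql = $default->db;
-$sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = $iFolderID");
+$sql->query("SELECT name, parent_id FROM $default->folders_table WHERE ID = " . quote($iFolderID));
 $sql->next_record();
 return $this->generateFullFolderPath($sql->f("parent_id")) . "/" . $sql->f("name");
 }
@@ -336,7 +336,7 @@ class Document {
 /**
 * Insert the current document into the database
 *
-* @return boolean true on successful insert, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true on successful insert, false otherwise
 */
 function create() {
 global $default, $lang_err_doc_exist, $lang_err_database;
@@ -346,7 +346,22 @@ class Document {
 $this->sFullPath = $this->generateFolderPath($this->iFolderID);
 $this->sParentFolderIDs = $this->generateFolderIDs($this->iFolderID);
 $result = $sql->query("INSERT INTO " . $default->documents_table . " (document_type_id, name, filename, size, creator_id, modified, description, mime_id, folder_id, major_version, minor_version, is_checked_out, checked_out_user_id, parent_folder_ids, full_path, status_id) " .
-"VALUES ($this->iDocumentTypeID, '$this->sName', '$this->sFileName', $this->iSize, $this->iCreatorID, '" . getCurrentDateTime() . "', '$this->sDescription', $this->iMimeTypeID, $this->iFolderID, $this->iMajorVersion, $this->iMinorVersion, " . ($this->bIsCheckedOut ? 1 : 0) . ", $this->iCheckedOutUserID, '$this->sParentFolderIDs','$this->sFullPath', $this->iStatusID)");
+"VALUES (" . quote($this->iDocumentTypeID) . ", " .
+quote($this->sName) . ", " .
+quote($this->sFileName) . ", " .
+quote($this->iSize) . ", " .
+quote($this->iCreatorID) . ", " .
+quote(getCurrentDateTime()) . ", " .
+quote($this->sDescription) . ", " .
+quote($this->iMimeTypeID) . ", " .
+quote($this->iFolderID) . ", " .
+quote($this->iMajorVersion) . ", " .
+quote($this->iMinorVersion) . ", " .
+quote($this->bIsCheckedOut) . ", " .
+quote($this->iCheckedOutUserID) . ", " .
+quote($this->sParentFolderIDs) . ", " .
+quote($this->sFullPath) . ", " .
+quote($this->iStatusID) . ")");
 if ($result) {
 //set the current documents primary key
 $this->iId = $sql->insert_id();
@@ -354,10 +369,8 @@ class Document {
 $this->insertDocumentPermissions();
 return true;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_exists . "id = " . $this->iId . " table = documents";
 return false;
 
 }
@@ -373,7 +386,7 @@ class Document {
 "FROM $default->documents_table AS D INNER JOIN folders AS F ON D.folder_id = F.id " .
 "INNER JOIN $default->groups_folders_table AS GFL ON GFL.folder_id = F.id " .
 "INNER JOIN $default->users_groups_table AS UGL ON UGL.group_id = GFL.group_id " .
-"WHERE D.id=$this->iId";
+"WHERE D.id=" . quote($this->iId);
 $default->log->debug("addDocument groupPerms=$sGroupPerms");
 if ($sql->query($sGroupPerms)) {
 $default->log->debug("groupPerms succeeded");
@@ -384,7 +397,7 @@ class Document {
 $sRolePerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
 "SELECT user_id, document_id " .
 "FROM $default->folders_user_roles_table " .
-"WHERE document_id=$this->iId";
+"WHERE document_id=" . quote($this->iId);
 $default->log->info("addDocument rolePerms=$sRolePerms");
 if ($sql->query($sRolePerms)) {
 $default->log->debug("rolePerms succeeded");
@@ -397,7 +410,7 @@ class Document {
 "SELECT U.id, D.id " .
 "FROM $default->users_table AS U, $default->documents_table AS D INNER JOIN $default->folders_table AS F ON D.folder_id = F.id " .
 "WHERE F.is_public = 1 " .
-"AND D.id=$this->iId";
+"AND D.id=" . quote($this->iId);
 $default->log->debug("addDocument publicFolder=$sPublicFolderPerms");
 if ($sql->query($sPublicFolderPerms)) {
 $default->log->debug("publicFolder succeeded");
@@ -409,7 +422,7 @@ class Document {
 $sCreatorPerms = "INSERT INTO $default->search_permissions_table (user_id, document_id) " .
 "SELECT creator_id, id " .
 "FROM $default->documents_table " .
-"WHERE id=$this->iId";
+"WHERE id=" . quote($this->iId);
 $default->log->debug("addDocument creatorPerms=$sCreatorPerms");
 if ($sql->query($sCreatorPerms)) {
 $default->log->debug("creatorPerms succeeded");
@@ -421,68 +434,65 @@ class Document {
 /**
 * Update the documents current values in the database
 *
-* @return boolean true on successful update, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true on successful update, false otherwise
 */
 function update($aForMove = false) {
 global $default, $lang_err_database, $lang_err_object_key;
 if ($this->iId >= 0) {
 $sql = $default->db;
 $sQuery = "UPDATE " . $default->documents_table . " SET " .
-"document_type_id = $this->iDocumentTypeID, " .
-"name = '$this->sName', " .
-"filename = '$this->sFileName', " .
-"size = $this->iSize, " .
-"creator_id = $this->iCreatorID, " .
-"modified = '" . getCurrentDateTime() . "', " .
-"description = '$this->sDescription', " .
-"mime_id = $this->iMimeTypeID, " .
-"folder_id = $this->iFolderID, " .
-"major_version = $this->iMajorVersion, " .
-"minor_version = $this->iMinorVersion, ";
+"document_type_id = " . quote($this->iDocumentTypeID) . ", " .
+"name = " . quote($this->sName) . ", " .
+"filename = " . quote($this->sFileName) . ", " .
+"size = " . quote($this->iSize) . ", " .
+"creator_id = " . quote($this->iCreatorID) . ", " .
+"modified = " . quote(getCurrentDateTime()) . ", " .
+"description = " . quote($this->sDescription) . ", " .
+"mime_id = " . quote($this->iMimeTypeID) . ", " .
+"folder_id = " . quote($this->iFolderID) . ", " .
+"major_version = " . quote($this->iMajorVersion) . ", " .
+"minor_version = " . quote($this->iMinorVersion) . ", ";
 if ($aForMove) {
 //only update these if the document is being moved
 $this->sFullPath = $this->generateFolderPath($this->iFolderID);
 $this->sParentFolderIDs = $this->generateFolderIDs($this->iFolderID);
 
-$sQuery .= "parent_folder_ids = '$this->sParentFolderIDs'," .
-"full_path = '$this->sFullPath', ";
+$sQuery .= "parent_folder_ids = " . quote($this->sParentFolderIDs) . ", " .
+"full_path = " . quote($this->sFullPath) . ", ";
 }
-$sQuery .= "is_checked_out = " . ($this->bIsCheckedOut ? "1" : "0") . ", " .
-"checked_out_user_id = $this->iCheckedOutUserID, " .
-"status_id = $this->iStatusID " .
-"WHERE id = $this->iId";
+$sQuery .= "is_checked_out = " . quote($this->bIsCheckedOut) . ", " .
+"checked_out_user_id = " . quote($this->iCheckedOutUserID) . ", " .
+"status_id = " . quote($this->iStatusID) . " " .
+"WHERE id = " . quote($this->iId);
 $result = $sql->query($sQuery);
 if ($result) {
 return true;
+} else {
+return false;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
-return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_key;
 return false;
-
 }
 
 /**
 * Delete the current document from the database. Set the primary key to -1
 * on successful deletion
 *
-* @return boolean true and reset id to -1 on successful deletion, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true and reset id to -1 on successful deletion, false otherwise
 */
 function delete() {
 global $default, $lang_err_database, $lang_err_object_key;
 if ($this->iId >= 0) {
 $sql = $default->db;
-$result = $sql->query("DELETE FROM " . $default->documents_table . " WHERE id = $this->iId");
+$result = $sql->query("DELETE FROM " . $default->documents_table . " " .
+"WHERE id = " . quote($this->iId));
 if ($result) {
 $this->iId = -1;
 // clean up for this deleted document
 return true;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
-$_SESSION["errorMessage"] = $lang_err_object_key;
 return false;
 }
 
@@ -495,9 +505,10 @@ class Document {
 global $default;
 //get the steps in this document's collaboration process
 $sQuery = "SELECT FURL.id, GFAL.precedence " .
-"FROM $default->folders_user_roles_table AS FURL INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " .
-"WHERE document_id = " . $this->iId . " " .
-"ORDER BY GFAL.precedence ASC";
+"FROM $default->folders_user_roles_table AS FURL " .
+"INNER JOIN $default->groups_folders_approval_table AS GFAL ON FURL.group_folder_approval_id = GFAL.id " .
+"WHERE document_id = " . quote($this->iId) . " " .
+"ORDER BY GFAL.precedence ASC";
 $sql = $default->db;
 $sql->query($sQuery);
 if ($sql->next_record()) {
@@ -511,12 +522,11 @@ class Document {
 $oRole = Role::get($oFolderCollaboration->getRoleID());
 //get the user to email
 $oUser = User::get($oFolderUserRole->getUserID());
-
+// FIXME: delegate this to message templating handling messaging layer
+// construct and send the mail
 $sBody = $oUser->getUserName() . ", your role of '" . $oRole->getName() . "' in the document, '" . $this->sName . "' collaboration process is now active. " .
 "Click " . generateLink("/presentation/lookAndFeel/knowledgeTree/documentmanagement/viewBL.php", "fDocumentID=" . $this->iId, "here") . " to access " .
 "the document";
-
-
 $oEmail = & new Email();
 $oEmail->send($oUser->getEmail(), "Document collaboration role active", $sBody);
 DocumentCollaboration::createDependantDocuments($oFolderUserRole);
@@ -532,11 +542,11 @@ class Document {
 $oRole = Role::get($oFolderCollaboration->getRoleID());
 //get the user to email
 $oUser = User::get($oFolderUserRole->getUserID());
-
+// FIXME: delegate this to message templating handling messaging layer
+// construct and send the mail
 $sBody = $oUser->getUserName() . ", your role of '" . $oRole->getName() . "' in the document, '" . $this->sName . "' collaboration process is now active. " .
 "Click " . generateLink("/presentation/lookAndFeel/knowledgeTree/documentmanagement/viewBL.php", "fDocumentID=" . $this->iId, "here") . " to access " .
 "the document";
-
 $oEmail = & new Email();
 $oEmail->send($oUser->getEmail(), "Document collaboration role active", $sBody);
 DocumentCollaboration::createDependantDocuments($oFolderUserRole);
@@ -554,8 +564,9 @@ class Document {
 //if the user is assinged to two or more roles, make sure we get the current
 //one by ordering by precedence
 $sql->query("SELECT FURL.id AS id, GFAT.precedence " .
-"FROM $default->groups_folders_approval_table AS GFAT INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
-"WHERE document_id = $this->iId AND FURL.user_id = " . $_SESSION["userID"] . " " .
+"FROM $default->groups_folders_approval_table AS GFAT " .
+"INNER JOIN $default->folders_user_roles_table AS FURL ON GFAT.id = FURL.group_folder_approval_id " .
+"WHERE document_id = $this->iId AND FURL.user_id = " . quote($_SESSION["userID"]) . " " .
 "AND done = 0 " .
 "ORDER BY precedence ASC");
 if ($sql->next_record()) {
@@ -575,14 +586,13 @@ class Document {
 * a document object and populate it with the corresponding
 * database values
 *
-* @return Document populated Document object on success, false otherwise and set $_SESSION["errorMessage"]
+* @return Document populated Document object on success, false otherwise.
 */
 function & get($iDocumentID) {
 global $default, $lang_err_doc_not_exist;
 if (strlen($iDocumentID) > 0) {
 $sql = $default->db;
-// TODO: join on sys_deleted
-$sql->query("SELECT * FROM $default->documents_table WHERE id = $iDocumentID");
+$sql->query("SELECT * FROM $default->documents_table WHERE id = " . quote($iDocumentID));
 if ($sql->next_record()) {
 $oDocument = & new Document($sql->f("name"), $sql->f("filename"), $sql->f("size"), $sql->f("creator_id"), $sql->f("mime_id"), $sql->f("folder_id"), $sql->f("description"));
 $oDocument->setDocumentTypeID($sql->f("document_type_id"));
@@ -598,10 +608,8 @@ class Document {
 $oDocument->iId = $iDocumentID;
 return $oDocument;
 }
-$_SESSION["errorMessage"] = $lang_err_object_not_exist . "id = " . $iDocumentID . " table = documents";
 return false;
 } else {
-$_SESSION["errorMessage"] = "Document ID not set. Cannot retrieve document with no id";
 return false;
 }
 }
@@ -612,14 +620,15 @@ class Document {
 *
 * @param String Where clause (not required)
 *
-* @return Array array of Documents objects, false otherwise and set $_SESSION["errorMessage"]
+* @return Array array of Documents objects, false otherwise.
 */
 function getList($sWhereClause = null) {
 global $default, $lang_err_database;
 $aDocumentArray;
 settype($aDocumentArray, "array");
 $sql = $default->db;
-$result = $sql->query("SELECT * FROM " . $default->documents_table . (isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
+$result = $sql->query("SELECT * FROM " . $default->documents_table .
+(isset($sWhereClause) ? " WHERE " . $sWhereClause : ""));
 if ($result) {
 $iCount = 0;
 while ($sql->next_record()) {
@@ -629,7 +638,6 @@ class Document {
 }
 return $aDocumentArray;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 }
 
@@ -640,13 +648,17 @@ class Document {
 * @param Document type primary key
 * @param Get only the mandatory fields
 *
-* @return array array of document field objects, false otherwise and $_SESSION["errorMessage"]
+* @return array array of document field objects, false otherwise
 */
 function getDocumentFieldsForDocumentType($iDocumentTypeID, $bMandatoryOnly = false) {
 $aDocumentFieldArray;
 settype($aDocumentFieldArray,"array");
 $sql = $default->db;
-$result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type FROM document_fields AS DF INNER JOIN document_type_fields_link AS DTFL ON DF.id = DTFL.field_id WHERE DTFL.document_type_id = $iDocumentTypeID " . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") . "ORDER BY DF.name ASC");
+$result = $sql->query("SELECT DF.id AS id, DF.name AS name, DF.data_type AS data_type " .
+"FROM $default->document_fields_table AS DF " .
+"INNER JOIN $default->document_type_fields_table AS DTFL ON DF.id = DTFL.field_id " .
+"WHERE DTFL.document_type_id = " . quote($iDocumentTypeID) . ($bMandatoryOnly ? "AND DFTL.is_mandatory = 1 " : " ") .
+"ORDER BY DF.name ASC");
 if ($result) {
 $iCount = 0;
 while ($sql->next_record()) {
@@ -658,7 +670,6 @@ class Document {
 }
 return $aDocumentFieldArray;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
 
 }
@@ -671,10 +682,11 @@ class Document {
 */
 function getDocumentHistory() {
 global $default, $lang_err_database;
-$aDocumentHistory;
-settype($aDocumentHistory, "array");
+$aDocumentHistory = array();
 $sql = $default->db;
-$result = $sql->query("SELECT * FROM " . $default->document_transactions_table . " WHERE document_id = $this->iId ORDER BY datetime DESC");
+$result = $sql->query("SELECT * FROM " . $default->document_transactions_table . " " .
+"WHERE document_id = " . quote($this->iId) . " " .
+"ORDER BY datetime DESC");
 if ($result) {
 $iCount = 0;
 while($sql->next_record()) {
@@ -684,9 +696,7 @@ class Document {
 }
 return $history;
 }
-$_SESSION["errorMessage"] = $lang_err_database;
 return false;
-
 }
 
 /**
@@ -745,15 +755,15 @@ class Document {
 * @param String File name of document
 * @param int Primary key of folder to which document is assigned
 *
-* @return boolean true if document exists, false otherwise and set $_SESSION["errorMessage"]
+* @return boolean true if document exists, false otherwise.
 */
 function documentExists($sFileName, $iFolderID) {
 global $default;
 $sql = $default->db;
 $sQuery = "SELECT * FROM $default->documents_table " .
-"WHERE filename = '$sFileName' " .
-"AND folder_id = $iFolderID " .
-"AND status_id = " . LIVE;
+"WHERE filename = " . quote($sFileName) .
+" AND folder_id = " . quote($iFolderID) .
+" AND status_id = " . LIVE;
 $sql->query($sQuery);
 if ($sql->next_record()) {
 return true;
@@ -765,20 +775,17 @@ class Document {
 * Lookup the document name for the document
 *
 * @param int the ID of the document to lookup the document name for
-* @return string the name of the document on success, false otherwise and set $_SESSION["errorMessage"]
+* @return string the name of the document on success, false otherwise.
 */
 function getDocumentName($iDocumentID) {
 global $default, $lang_err_database, $lang_err_doc_not_exist;
 $sql = $default->db;
 
-if ($sql->query("SELECT name FROM " . $default->documents_table . " WHERE id = $iDocumentID")) {
+if ($sql->query("SELECT name FROM $default->documents_table " .
+"WHERE id = " . quote($iDocumentID))) {
 if ($sql->next_record()) {
 return $sql->f("name");
-} else {
-$_SESSION["errorMessage"] = $lang_err_doc_not_exist;
-}
-} else {
-$_SESSION["errorMessage"] = $lang_err_database;
+}
 }
 return false;
 }
@@ -807,8 +814,8 @@ class Document {
 $sql->query("SELECT * " .
 "FROM $default->folder_doctypes_table AS FDL " .
 "INNER JOIN $default->documents_table AS D ON D.document_type_id = FDL.document_type_id " .
-"WHERE FDL.id = $iFolderDocTypeID " .
-"AND D.folder_id = $iFolderID");
+"WHERE FDL.id = " . quote($iFolderDocTypeID) . " " .
+"AND D.folder_id = " . quote($iFolderID));
 if ($sql->next_record()) {
 return true;
 }
@@ -822,9 +829,9 @@ class Document {
 function removeInvalidDocumentTypeEntries() {
 global $default;
 $sQuery = "SELECT field_id FROM $default->document_type_fields_table DTFL " .
-"INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " .
-"WHERE DTFL.document_type_id = $this->iDocumentTypeID " .
-"AND DF.is_generic = 0";
+"INNER JOIN $default->document_fields_table AS DF ON DF.id = DTFL.field_id " .
+"WHERE DTFL.document_type_id = " . quote($this->iDocumentTypeID) . " " .
+"AND DF.is_generic = 0";
 $sql = $default->db;
 $sql->query($sQuery);
 $aFieldIDs = array();
@@ -834,7 +841,9 @@ class Document {
 }
 if (count($aFieldIDs) > 0) {
 //delete the entries
-$sQuery = "DELETE FROM $default->document_fields_link_table WHERE document_id = $this->iId AND document_field_id IN (" . implode(",",$aFieldIDs) . ")";
+$sQuery = "DELETE FROM $default->document_fields_link_table " .
+"WHERE document_id = " . quote($this->iId) . "
+AND document_field_id IN (" . implode(",",$aFieldIDs) . ")";
 if ($sql->query($sQuery)) {
 return true;
 }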
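Review bot: The commit says it quotes all db values, but new line 569 (the `-554,8 +564,9` hunk) still interpolates `$this->iId` raw while quoting only the session user id; it should read `"WHERE document_id = " . quote($this->iId) . " AND FURL.user_id = " . quote($_SESSION["userID"]) . " " .` so the injection sink is closed consistently with every other `iId` use in this file. In the same spirit, `getList()` at new line 631 still concatenates `$sWhereClause` verbatim, which no amount of quoting here can fix — a comment such as `// $sWhereClause is raw SQL; callers must build it only from quoted values` would at least make the contract visible. In `getDocumentFieldsForDocumentType()` (new line 660) the mandatory branch references alias `DFTL` while the join declares `DTFL`, and there is no space between `quote($iDocumentTypeID)` and `"AND ..."`; both are pre-existing but survive the rewrite, so `" AND DTFL.is_mandatory = 1 "` is the minimal fix. Finally, `quote($this->bIsCheckedOut)` in `create()`/`update()` replaces an explicit `? 1 : 0`; whether `quote()` renders a PHP `false` as `'0'` or `''` is not visible here and is worth confirming against its implementation. The `$lang_err_*` globals are still declared in `create()`, `update()`, `delete()` and `getList()` although every use was removed with the `$_SESSION["errorMessage"]` assignments.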