as talked with lars ;-)

This commit is contained in:
Ralf Becker 2004-04-04 20:50:29 +00:00
parent f6b1b8e03e
commit 53f20990de


@ -327,79 +327,44 @@
$check_stock = $this->stock_contact_fields + $this->non_contact_fields; $check_stock = $this->stock_contact_fields + $this->non_contact_fields;
if ($DEBUG) { echo 'DEBUG - Inbound filter is: #'.$filter.'#'; } if ($DEBUG) { echo 'DEBUG - Inbound filter is: #'.$filter.'#'; }
$filterarray = split(',',$filter);
if ($filterarray[1])
{
$i=0;
for ($i=0;$i<count($filterarray);$i++)
{
list($name,$value) = split('=',$filterarray[$i]);
if ($name)
{
if ($DEBUG) { echo '<br>DEBUG - Filter intermediate strings 1: #'.$name.'# => #'.$value.'#'; }
$filterfields[$name] = $value;
}
}
}
else
{
list($name,$value) = split('=',$filter);
if ($DEBUG)
{
echo '<br>DEBUG - Filter intermediate strings 1: #'.$name.'# => #'.$value.'#';
}
$filterfields = array($name => $value);
}
/* now check each element of the array and convert into SQL for queries below */ $filterlist = array();
$i = 0; foreach(explode(',',$filter) as $pair)
foreach($filterfields as $name => $value)
{ {
list($name,$value) = explode('=',$pair,2);
if (!$name || !isset($check_stock[$name])) // only use valid column-names
{
continue;
}
if ($DEBUG) { echo '<br>DEBUG - Filter intermediate strings 2: #'.$name.'# => #'.$value.'#'; } if ($DEBUG) { echo '<br>DEBUG - Filter intermediate strings 2: #'.$name.'# => #'.$value.'#'; }
$isstd=0;
if ($name && empty($value)) if (empty($value))
{ {
if ($DEBUG) { echo '<br>DEBUG - filter field "'.$name.'" is empty (NULL)'; } if ($DEBUG) { echo '<br>DEBUG - filter field "'.$name.'" is empty (NULL)'; }
foreach($check_stock as $fname => $fvalue)
{ $filterlist[] = $name.' is NULL';
if($fvalue == $name)
{
$filterlist .= $name.' is NULL,';
if ($DEBUG) { echo '<br>DEBUG - filter field "'.$name.'" is a stock field'; }
break;
}
}
} }
elseif($name && $value) else
{ {
foreach($check_stock as $fname => $fvalue) if($name == 'cat_id')
{ {
if($fvalue == $name) $filterlist[] = "(" . $name . " LIKE '%," . (int)$value . ",%' OR " . $name."='".(int)$value."')";
{ }
if($name == 'cat_id') elseif(@is_int($value))
{ {
$filterlist .= "(" . $name . " LIKE '%," . $value . ",%' OR " . $name."='".$value."');"; $filterlist[] = $name . '=' . $value;
} }
elseif(@is_int($value)) elseif ($value == "!''") // check for not empty
{ {
$filterlist .= $name . '=' . $value . ';'; $filterlist[] = $name . "!=''";
} }
elseif ($value == "!''") // check for not empty else
{ {
$filterlist .= $name . "!='';"; $filterlist[] = $name . "='" . $this->db->db_addslashes($value) . "'";
}
else
{
$filterlist .= $name . "='" . $value . "';";
}
break;
}
} }
} }
$i++;
} }
$filterlist = substr($filterlist,0,-1); $filterlist = implode(' AND ',$filterlist);
$filterlist = str_replace(';',' AND ',$filterlist);
if ($DEBUG) if ($DEBUG)
{ {
@ -447,7 +412,6 @@
{ {
$public_user_list[] = $user; $public_user_list[] = $user;
} }
reset($public_user_list);
$fwhere .= " OR (access='public' AND owner in(" . implode(',',$public_user_list) . "))) "; $fwhere .= " OR (access='public' AND owner in(" . implode(',',$public_user_list) . "))) ";
$fand .= " OR (access='public' AND owner in(" . implode(',',$public_user_list) . "))) "; $fand .= " OR (access='public' AND owner in(" . implode(',',$public_user_list) . "))) ";
} }
@ -463,13 +427,13 @@
if (!$sort) { $sort = 'ASC'; } if (!$sort) { $sort = 'ASC'; }
if ($order) if (!empty($order) && preg_match('/^[a-zA-Z_0-9, ]+$/',$order) && (empty($sort) || preg_match('/^(DESC|ASC|desc|asc)$/',$sort)))
{ {
$ordermethod = "ORDER BY $order $sort "; $ordermethod = "ORDER BY $order $sort ";
} }
else else
{ {
$ordermethod = "ORDER BY n_family,n_given,email $sort"; $ordermethod = "ORDER BY n_family,n_given,email ASC";
} }
if ($DEBUG && $ordermethod) if ($DEBUG && $ordermethod)
@ -479,11 +443,11 @@
if($lastmod >= 0 && $fwhere) if($lastmod >= 0 && $fwhere)
{ {
$fwhere .= " AND last_mod > $lastmod "; $fwhere .= " AND last_mod > ".(int)$lastmod.' ';
} }
elseif($lastmod >= 0) elseif($lastmod >= 0)
{ {
$fwhere = " WHERE last_mod > $lastmod "; $fwhere = " WHERE last_mod > ".(int)$lastmod.' ';
} }
if ($DEBUG && $last_mod_filter && $fwhere) if ($DEBUG && $last_mod_filter && $fwhere)
@ -495,17 +459,17 @@
if($cquery) if($cquery)
{ {
$cfields = array( $sql = 'SELECT * FROM ' . $this->std_table . ' WHERE (';
$sqlcount = 'SELECT COUNT(id) FROM ' . $this->std_table . ' WHERE (';
foreach(array(
'fn' => 'cn', 'fn' => 'cn',
'n_family' => 'sn', 'n_family' => 'sn',
'org_name' => 'o' 'org_name' => 'o'
); ) as $f => $x)
$sql = 'SELECT * FROM ' . $this->std_table . ' WHERE (';
$sqlcount = 'SELECT COUNT(id) FROM ' . $this->std_table . ' WHERE (';
while(list($f,$x) = each($cfields))
{ {
$sql .= " UPPER($f) LIKE UPPER('$cquery%') OR "; $cquery = strtoupper($this->db->db_addslashes($cquery));
$sqlcount .= " UPPER($f) LIKE UPPER('$cquery%') OR "; $sql .= " UPPER($f) LIKE '$cquery%' OR ";
$sqlcount .= " UPPER($f) LIKE '$cquery%' OR ";
} }
$sql = substr($sql,0,-3) . ') ' . $fand . $filtermethod . $ordermethod; $sql = substr($sql,0,-3) . ') ' . $fand . $filtermethod . $ordermethod;
$sqlcount = substr($sqlcount,0,-3) . ') ' . $fand . $filtermethod; $sqlcount = substr($sqlcount,0,-3) . ') ' . $fand . $filtermethod;
@ -519,13 +483,13 @@
$sqlcount = "SELECT COUNT(id) FROM $this->std_table WHERE ("; $sqlcount = "SELECT COUNT(id) FROM $this->std_table WHERE (";
foreach($query as $queryKey => $queryValue) foreach($query as $queryKey => $queryValue)
{ {
// how to do real addslashes???? if (!preg_match('/^[a-zA-Z0-9_]+$/',$queryKey))
$queryKey = str_replace("'",'',$queryKey); {
$queryKey = str_replace('"','',$queryKey); continue; // this can be something nasty
$queryValue = str_replace("'",'',$queryValue); }
$queryValue = str_replace('"','',$queryValue); $queryValue = strtoupper($this->db->db_addslashes($queryValue));
$sql .= " UPPER($queryKey) LIKE UPPER('$queryValue') AND "; $sql .= " UPPER($queryKey) LIKE '$queryValue' AND ";
$sqlcount .= " UPPER($queryKey) LIKE UPPER('$queryValue') AND "; $sqlcount .= " UPPER($queryKey) LIKE '$queryValue' AND ";
} }
$sql = substr($sql,0,-5) . ') ' . $fand . $filtermethod . $ordermethod; $sql = substr($sql,0,-5) . ') ' . $fand . $filtermethod . $ordermethod;
$sqlcount = substr($sqlcount,0,-5) . ') ' . $fand . $filtermethod; $sqlcount = substr($sqlcount,0,-5) . ') ' . $fand . $filtermethod;
@ -533,15 +497,14 @@
} }
else else
{ {
$query = str_replace("'",'',$query); $query = strtoupper($this->db->db_addslashes($query));
$query = str_replace('"','',$query);
$sql = "SELECT * FROM $this->std_table WHERE ("; $sql = "SELECT * FROM $this->std_table WHERE (";
$sqlcount = "SELECT COUNT(id) FROM $this->std_table WHERE ("; $sqlcount = "SELECT COUNT(id) FROM $this->std_table WHERE (";
foreach($this->stock_contact_fields as $f => $x) foreach($this->stock_contact_fields as $f => $x)
{ {
$sql .= " UPPER($f) LIKE UPPER('%$query%') OR "; $sql .= " UPPER($f) LIKE '%$query%' OR ";
$sqlcount .= " UPPER($f) LIKE UPPER('%$query%') OR "; $sqlcount .= " UPPER($f) LIKE '%$query%' OR ";
} }
$sql = substr($sql,0,-3) . ') ' . $fand . $filtermethod . $ordermethod; $sql = substr($sql,0,-3) . ') ' . $fand . $filtermethod . $ordermethod;
$sqlcount = substr($sqlcount,0,-3) . ') ' . $fand . $filtermethod; $sqlcount = substr($sqlcount,0,-3) . ') ' . $fand . $filtermethod;
@ -682,7 +645,7 @@
function add_single_extra_field($id,$owner,$field_name,$field_value) function add_single_extra_field($id,$owner,$field_name,$field_value)
{ {
$this->db->query("INSERT INTO $this->ext_table VALUES (" . (int)$id . ",'$owner','" . $this->db->db_addslashes($field_name) $this->db->query("INSERT INTO $this->ext_table VALUES (" . (int)$id . ",'".(int)$owner."','" . $this->db->db_addslashes($field_name)
. "','" . $this->db->db_addslashes($field_value) . "')",__LINE__,__FILE__); . "','" . $this->db->db_addslashes($field_value) . "')",__LINE__,__FILE__);
} }
@ -747,7 +710,7 @@
{ {
$this->db->query("UPDATE $this->ext_table SET contact_value='" . $this->db->db_addslashes($x_value) $this->db->query("UPDATE $this->ext_table SET contact_value='" . $this->db->db_addslashes($x_value)
. "',contact_owner=$owner WHERE contact_name='" . $this->db->db_addslashes($x_name) . "',contact_owner=$owner WHERE contact_name='" . $this->db->db_addslashes($x_name)
. "' AND contact_id=" . (int)$id,__LINE__,__FILE__); . "' AND contact_id=$id",__LINE__,__FILE__);
} }
} }
elseif($x_value) // dont write emtpy extra-fields elseif($x_value) // dont write emtpy extra-fields
@ -760,17 +723,16 @@
} }
/* Used by admin to change ownership on account delete */ /* Used by admin to change ownership on account delete */
function change_owner($old_owner='',$new_owner='') function change_owner($old_owner,$new_owner)
{ {
if (!($new_owner && $old_owner)) $old_owner = (int) $old_owner;
$new_owner = (int) $new_owner;
if (!$new_owner || !$old_owner)
{ {
return False; return False;
} }
$this->db->query("UPDATE $this->std_table SET owner='$new_owner' WHERE owner=$old_owner",__LINE__,__FILE__); $this->db->query("UPDATE $this->std_table SET owner='$new_owner' WHERE owner=$old_owner",__LINE__,__FILE__);
$this->db->query("UPDATE $this->ext_table SET contact_owner='$new_owner' WHERE contact_owner=$old_owner",__LINE__,__FILE__); $this->db->query("UPDATE $this->ext_table SET contact_owner='$new_owner' WHERE contact_owner=$old_owner",__LINE__,__FILE__);
return;
} }
/* This is where the real work of delete() is done, shared class file contains calling function */ /* This is where the real work of delete() is done, shared class file contains calling function */
@ -783,12 +745,12 @@
/* This is for the admin script deleteaccount.php */ /* This is for the admin script deleteaccount.php */
function delete_all($owner=0) function delete_all($owner=0)
{ {
$owner = (int) $owner;
if ($owner) if ($owner)
{ {
$this->db->query("DELETE FROM $this->std_table WHERE owner=$owner",__LINE__,__FILE__); $this->db->query("DELETE FROM $this->std_table WHERE owner=$owner",__LINE__,__FILE__);
$this->db->query("DELETE FROM $this->ext_table WHERE contact_owner=$owner",__LINE__,__FILE__); $this->db->query("DELETE FROM $this->ext_table WHERE contact_owner=$owner",__LINE__,__FILE__);
} }
return;
} }
} }
?> ?>
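Review bot: In the `@ -495,17 +459,17 @@` hunk the new `$cquery = strtoupper($this->db->db_addslashes($cquery));` sits inside the `foreach` over `fn`/`n_family`/`org_name`, so the same value is escaped again on every iteration: a query containing `'` or `\` is escaped once for the `fn` clause, twice for `n_family` and three times for `org_name`, and the latter two clauses then match the wrong literal. Hoist that line above the loop — `$cquery = strtoupper($this->db->db_addslashes($cquery));` right after the `$sqlcount = 'SELECT COUNT(id) FROM ' ...` assignment and before `foreach(array(` — so every column sees the same singly-escaped value. Separately, `db_addslashes` presumably neutralises only quoting, not the LIKE metacharacters `%` and `_`, so a user-supplied `%` in `$cquery` (and in `$queryValue`/`$query` in the two following hunks) still widens the match beyond a prefix search; if that matters, escape them before the pattern is built. The enclosing function starts and ends outside this hunk.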