extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-08 00:54:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

making view typesafe, hardening view against sql-injection

Browse Source
This commit is contained in:
Klaus Leithoff 2009-03-16 13:08:33 +00:00
parent 6ef914fbbb
commit 81a8b7dda9
1 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
addressbook/inc/class.addressbook_so.inc.php
View File

@ -65,7 +65,7 @@ class addressbook_so
* @var string
*/
var $distributionlist_view ='(SELECT contact_id, egw_addressbook_lists.list_id as list_id, egw_addressbook_lists.list_name as list_name, egw_addressbook_lists.list_owner as list_owner FROM egw_addressbook_lists, egw_addressbook2list where egw_addressbook_lists.list_id=egw_addressbook2list.list_id) d_view ';
var $distributionlist_tabledef = array();
/**
* @var string
*/
@ -259,6 +259,17 @@ class addressbook_so
$this->account_extra_search = array('uid');
}
}
if ($this->contact_repository == 'sql' || $this->contact_repository = 'sql-ldap') {
$tda2list = $this->db->get_table_definitions('phpgwapi','egw_addressbook2list');
$tdlists = $this->db->get_table_definitions('phpgwapi','egw_addressbook_lists');
$this->distributionlist_tabledef = array('fd' => array(
$this->distri_id => $tda2list['fd'][$this->distri_id],
$this->distri_owner => $tdlists['fd'][$this->distri_owner],
$this->distri_key => $tdlists['fd'][$this->distri_key],
$this->distri_value => $tdlists['fd'][$this->distri_value],
), 'pk' => array(), 'fk' => array(), 'ix' => array(), 'uc' => array(),
);
}
// add grants for accounts: if account_selection not in ('none','groupmembers'): everyone has read access,
// if he has not set the hide_accounts preference
// ToDo: be more specific for 'groupmembers', they should be able to see the groupmembers
@ -362,7 +373,22 @@ class addressbook_so
$filter[$this->distri_id]=$ids;
if (count($dl_allowed)) $filter[$this->distri_key]=$dl_allowed;
$this->distributionlist_view = str_replace(') d_view',' and '.$this->distri_id.' in ('.implode(',',$ids).')) d_view',$this->distributionlist_view);
foreach($this->db->select($this->distributionlist_view,'*',$filter,__LINE__,__FILE__) as $row)
/*
#$ts= microtime(true);
$tda2list = $this->db->get_table_definitions('phpgwapi','egw_addressbook2list');
$tdlists = $this->db->get_table_definitions('phpgwapi','egw_addressbook_lists');
$this->distributionlist_tabledef = array('fd' => array(
$this->distri_id => $tda2list['fd'][$this->distri_id],
$this->distri_owner => $tdlists['fd'][$this->distri_owner],
$this->distri_key => $tdlists['fd'][$this->distri_key],
$this->distri_value => $tdlists['fd'][$this->distri_value],
), 'pk' => array(), 'fk' => array(), 'ix' => array(), 'uc' => array(),
);
#echo microtime(true)-$ts."seks to get def<br>";
*/
#_debug_array($this->distributionlist_tabledef);
foreach($this->db->select($this->distributionlist_view,'*',$filter,__LINE__,__FILE__,
false,'ORDER BY '.$this->distri_id,false,$num_rows=0,$join='',$this->distributionlist_tabledef) as $row)
{
if ((isset($row[$this->distri_id])&&strlen($row[$this->distri_value])>0))
{