From: Scott P. <wht...@us...> - 2007-09-16 23:21:11
Update of /cvsroot/helpmeict/Helpdesk/install In directory sc8-pr-cvs17:/tmp/cvs-serv8533 Modified Files: DB-PostgreSQL.sql DB-MySQL.sql Log Message: Add missing ). Index: DB-PostgreSQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-PostgreSQL.sql,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** DB-PostgreSQL.sql 16 Sep 2007 22:23:36 -0000 1.4 --- DB-PostgreSQL.sql 16 Sep 2007 23:21:07 -0000 1.5 *************** *** 1030,1034 **** INSERT INTO tbl_preference_descriptions VALUES ('ldap-basedn', 'text', 'LDAP BaseDN', 0); INSERT INTO tbl_preference_descriptions VALUES ('ldap-host', 'text', 'LDAP Hostname', 0); ! INSERT INTO tbl_preference_descriptions VALUES ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means version 3', 0); --- 1030,1034 ---- INSERT INTO tbl_preference_descriptions VALUES ('ldap-basedn', 'text', 'LDAP BaseDN', 0); INSERT INTO tbl_preference_descriptions VALUES ('ldap-host', 'text', 'LDAP Hostname', 0); ! INSERT INTO tbl_preference_descriptions VALUES ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means version 3)', 0); *************** *** 1082,1086 **** INSERT INTO tbl_system_preferences VALUES (4, 'maxupload', '10000', 'Maximum file upload size in bytes', 0); INSERT INTO tbl_system_preferences VALUES (5, 'excessivehours', '10', 'Number of hours spent on a problem that is considered excessive and should be confirmed', 0); ! INSERT INTO tbl_system_preferences VALUES (1, 'version', '0.9.3', 'This is the current version number for the system', 1); --- 1082,1086 ---- INSERT INTO tbl_system_preferences VALUES (4, 'maxupload', '10000', 'Maximum file upload size in bytes', 0); INSERT INTO tbl_system_preferences VALUES (5, 'excessivehours', '10', 'Number of hours spent on a problem that is considered excessive and should be confirmed', 0); ! 
INSERT INTO tbl_system_preferences VALUES (1, 'version', '1.0', 'This is the current version number for the system', 1); Index: DB-MySQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-MySQL.sql,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** DB-MySQL.sql 16 Sep 2007 22:23:36 -0000 1.5 --- DB-MySQL.sql 16 Sep 2007 23:21:07 -0000 1.6 *************** *** 294,298 **** ('ldap-basedn', 'text', 'LDAP BaseDN', 0), ('ldap-host', 'text', 'LDAP Hostname', 0), ! ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means Version 3', 0); --- 294,298 ---- ('ldap-basedn', 'text', 'LDAP BaseDN', 0), ('ldap-host', 'text', 'LDAP Hostname', 0), ! ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means Version 3)', 0); *************** *** 458,462 **** -- ! INSERT INTO `tbl_System_Preferences` (`id`, `identifier`, `value`, `comment`, `system`) VALUES (1, 'version', '0.9.3', 'This is the current version number for the system', 1), (2, 'pagesize', '30', 'Page size for paging of issues', 0), (3, 'closedpagesize', '10', 'Page size for restriction of closed issues', 0), --- 458,462 ---- -- ! INSERT INTO `tbl_System_Preferences` (`id`, `identifier`, `value`, `comment`, `system`) VALUES (1, 'version', '1.0', 'This is the current version number for the system', 1), (2, 'pagesize', '30', 'Page size for paging of issues', 0), (3, 'closedpagesize', '10', 'Page size for restriction of closed issues', 0), |
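Review bot: the second hunk in each file (tbl_system_preferences / tbl_System_Preferences) bumps the stored version from '0.9.3' to '1.0', which the log message "Add missing )." does not mention; either split the version bump into its own commit or state it in the log so the change history stays auditable. The parenthesis fix itself is correct and is applied to the ldap-v2 description in both installers.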
From: Scott P. <wht...@us...> - 2007-09-16 22:23:43
Update of /cvsroot/helpmeict/Helpdesk/install In directory sc8-pr-cvs17:/tmp/cvs-serv17321/install Modified Files: DB-PostgreSQL.sql DB-MySQL.sql Log Message: Change ldap version description. Index: DB-PostgreSQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-PostgreSQL.sql,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** DB-PostgreSQL.sql 15 Sep 2007 08:41:32 -0000 1.3 --- DB-PostgreSQL.sql 16 Sep 2007 22:23:36 -0000 1.4 *************** *** 1030,1034 **** INSERT INTO tbl_preference_descriptions VALUES ('ldap-basedn', 'text', 'LDAP BaseDN', 0); INSERT INTO tbl_preference_descriptions VALUES ('ldap-host', 'text', 'LDAP Hostname', 0); ! INSERT INTO tbl_preference_descriptions VALUES ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2', 0); --- 1030,1034 ---- INSERT INTO tbl_preference_descriptions VALUES ('ldap-basedn', 'text', 'LDAP BaseDN', 0); INSERT INTO tbl_preference_descriptions VALUES ('ldap-host', 'text', 'LDAP Hostname', 0); ! INSERT INTO tbl_preference_descriptions VALUES ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means version 3', 0); Index: DB-MySQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-MySQL.sql,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** DB-MySQL.sql 15 Sep 2007 08:41:32 -0000 1.4 --- DB-MySQL.sql 16 Sep 2007 22:23:36 -0000 1.5 *************** *** 294,298 **** ('ldap-basedn', 'text', 'LDAP BaseDN', 0), ('ldap-host', 'text', 'LDAP Hostname', 0), ! ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2', 0); --- 294,298 ---- ('ldap-basedn', 'text', 'LDAP BaseDN', 0), ('ldap-host', 'text', 'LDAP Hostname', 0), ! ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2 (No means Version 3', 0); |
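Review bot: the new description string in both hunks, 'Use LDAP Protocol Version 2 (No means version 3', is missing its closing parenthesis (fixed in the later 23:21 commit). The two installers also spell it differently ('version 3' vs 'Version 3'); keep the text identical so the preference reads the same on either backend. On substance, LDAPv2 was retired by RFC 3494 in 2003, so defaulting to version 3 is right and the description could say the option is only for legacy servers.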
From: Scott P. <wht...@us...> - 2007-09-16 22:00:43
Update of /cvsroot/helpmeict/Helpdesk/system In directory sc8-pr-cvs17:/tmp/cvs-serv7391/system Modified Files: authentication.php functions.php mail.php Log Message: Added backend for LDAP Authentication Index: functions.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/functions.php,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** functions.php 7 Feb 2007 01:20:17 -0000 1.2 --- functions.php 16 Sep 2007 22:00:38 -0000 1.3 *************** *** 1,61 **** ! <?php ! ! /* ! ! functions.php ! ! Generally useful functions can be found in this script. ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2004 Central Manchester CLC ! Copyright (C) 2004 Mark Harrison ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Security... ! if (strpos($_SERVER["SCRIPT_NAME"],basename(__FILE__, '.php')) !== false) { ! header("location: index.php"); ! } ! ! require_once "db.php"; ! ! function get_closed_status($domain) { ! // Find the highest status (the terminal status) and treat it as closed ! $sql = "SELECT * FROM tbl_Statuses WHERE (domain=$domain AND ! active=1) OR domain=0 ORDER BY domain DESC,sortorder DESC"; ! $statusesRS = db_recordset($sql); ! ! 
if (count($statusesRS) <= 2) { ! // 0 rows shouldn't happen ! // 1 row == Ungraded (from domain 0) ! // 2 rows == Ungraded + 1 status for the domain (treat as open) ! // 3+ rows == more than 1 status for the domain (treat bottom one as ! // closed. ! $closedstatus = '-1'; ! } else { ! $closedstatus = $statusesRS[0]['id']; ! } ! return $closedstatus; ! } ! ! ?> --- 1,90 ---- ! <?php ! ! /* ! ! functions.php ! ! Generally useful functions can be found in this script. ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2004 Central Manchester CLC ! Copyright (C) 2004 Mark Harrison ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Security... ! if (strpos($_SERVER["SCRIPT_NAME"],basename(__FILE__, '.php')) !== false) { ! header("location: index.php"); ! } ! ! require_once "db.php"; ! ! function get_closed_status($domain) { ! // Find the highest status (the terminal status) and treat it as closed ! $sql = "SELECT * FROM tbl_Statuses WHERE (domain=$domain AND ! active=1) OR domain=0 ORDER BY domain DESC,sortorder DESC"; ! $statusesRS = db_recordset($sql); ! ! if (count($statusesRS) <= 2) { ! // 0 rows shouldn't happen ! // 1 row == Ungraded (from domain 0) ! // 2 rows == Ungraded + 1 status for the domain (treat as open) ! 
// 3+ rows == more than 1 status for the domain (treat bottom one as ! // closed. ! $closedstatus = '-1'; ! } else { ! $closedstatus = $statusesRS[0]['id']; ! } ! return $closedstatus; ! } ! ! function search_ldap($filter) { ! $sql = "SELECT * FROM tbl_default_Preferences"; ! $default_prefs = Array(); ! $result = db_recordset($sql); ! foreach ($result as $pref) { ! $default_prefs[$pref['identifier']] = $pref['value']; ! } ! $ds = ldap_connect($default_prefs['ldap-host'])or die("Could not connect to LDAP server."); ! if($default_prefs['ldap-v2'] == 'true') { ! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 2) or die("Could not set LDAP Protocol Version."); ! } ! else { ! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set LDAP Protocol Version."); ! } ! $ldapbind = ldap_bind($ds) or die ("Could not anonymously bind to LDAP"); ! if (isset($filter)) { ! $sr = ldap_search($ds, $default_prefs['ldap-basedn'],$filter); ! $info = ldap_get_entries($ds, $sr); ! ldap_close($ds); ! return $info; ! } ! else { ! $sr = ldap_search($ds, $default_prefs['ldap-basedn']); ! $info = ldap_get_entries($ds, $sr); ! ldap_close($ds); ! return $info; ! } ! } ! ! 
?> Index: mail.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/mail.php,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** mail.php 11 Mar 2007 16:57:52 -0000 1.3 --- mail.php 16 Sep 2007 22:00:38 -0000 1.4 *************** *** 28,31 **** --- 28,33 ---- require_once 'system/db.php'; require_once 'system/lang.php'; + + global $mailtemplate; $mailtemplate['verify'] = "mail_verifyemail.tpl"; *************** *** 34,37 **** --- 36,40 ---- $mailtemplate['newissue'] = "mail_newissue.tpl"; $mailtemplate['resolve'] = "mail_resolveissue.tpl"; + $mailtemplate['newldap'] = "mail_newldapuser.tpl"; function send_mail($which, $language, $recipient, $id, $user, $message) *************** *** 49,53 **** if ($fp = fopen($template,"r")) { $repl = false; ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); $dirname = dirname($_SERVER['PHP_SELF']); if (substr($dirname,-1) != '/') $dirname .= '/'; --- 52,56 ---- if ($fp = fopen($template,"r")) { $repl = false; ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : ''); $dirname = dirname($_SERVER['PHP_SELF']); if (substr($dirname,-1) != '/') $dirname .= '/'; *************** *** 69,73 **** $repl = true; } ! $header_search = true; --- 72,83 ---- $repl = true; } ! ! if ($which == "newldap") { ! $link = "$https://{$_SERVER['SERVER_NAME']}{$dirname}sitesandusers.php"; ! } ! else { ! $link = "$https://{$_SERVER['SERVER_NAME']}{$dirname}issue.php?id=$id"; ! } ! $header_search = true; *************** *** 367,369 **** } ! ?> \ No newline at end of file --- 377,379 ---- } ! 
?> Index: authentication.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/authentication.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** authentication.php 10 Sep 2007 00:32:33 -0000 1.6 --- authentication.php 16 Sep 2007 22:00:38 -0000 1.7 *************** *** 44,65 **** } function auth($user, $password) { // Try to find the submitted username and password combination in the // tbl_Users database table. $passwordhash = md5($password); $sql = "SELECT id,username,name,email,root,restricted FROM tbl_Users WHERE active=1 AND username='" . strtolower($user) . "' AND pass='" . md5($password) . "'"; ! $result = db_recordset($sql); ! ! if (count($result) == 0) { ! //Attempt unsucessful ! makelog(0,0,"ATTEMPTED LOGIN - FAILURE","User: $user, with password: ($passwordhash"); ! return 0; ! } elseif (count($result) != 1) { ! // If the user / password cannot be reconciled, then return 0 ! return 0; ! } else { ! return array( $result[0]['username'], $result[0]['name'], --- 44,98 ---- } + function ldap_authenticate($ldapuser, $ldappassword) { + $sql = "SELECT * FROM tbl_default_Preferences"; + $result = db_recordset($sql); + $default_prefs = Array(); + foreach ($result as $pref) { + $default_prefs[$pref['identifier']] = $pref['value']; + } + if ($default_prefs['ldap-ause'] == 'true' && strtolower($ldapuser) != 'root') { + $ds = ldap_connect($default_prefs['ldap-host'])or die("Could not connect to LDAP server."); + if($default_prefs['ldap-v2'] == 'true') { + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 2) or die("Could not set LDAP Protocol Version."); + } + else { + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set LDAP Protocol Version."); + } + $ldapbind = ldap_bind($ds) or die ("Could not anonymously bind to LDAP"); + $r = ldap_search($ds, $default_prefs['ldap-basedn'], 'uid=' . 
strtolower($ldapuser)) or die("Could not search LDAP Server for name."); + if ($r) { + $result = @ldap_get_entries( $ds, $r); + if ($result[0]) { + if (@ldap_bind( $ds, $result[0]['dn'], $ldappassword)) { + ldap_close($ds); + return $result[0]; + } + } + } + ldap_close($ds); + return NULL; + } + return NULL; + } + + function auth($user, $password) { // Try to find the submitted username and password combination in the // tbl_Users database table. $passwordhash = md5($password); + $ldapck ="SELECT id,username,name,email,root,restricted,ldap FROM tbl_Users + WHERE active=1 AND username='" . strtolower($user) . "' + AND ldap=1"; $sql = "SELECT id,username,name,email,root,restricted FROM tbl_Users WHERE active=1 AND username='" . strtolower($user) . "' AND pass='" . md5($password) . "'"; ! $result = db_recordset($ldapck); ! if (count($result) == 1) { ! if(ldap_authenticate($user, $password) == NULL) { ! makelog(0,0,"ATTEMPTED LOGIN - FAILUREldap","User: $user, with password: $passwordhash"); ! return 0; ! } ! else { ! return array( $result[0]['username'], $result[0]['name'], *************** *** 67,74 **** $result[0]['id'], $result[0]['root'], ! $result[0]['restricted'] ! ); } } - ?> --- 100,129 ---- $result[0]['id'], $result[0]['root'], ! $result[0]['restricted'], ! $result[0]['ldap'] ! ); ! } ! } ! else { ! $result = db_recordset($sql); ! ! if (count($result) == 0) { ! //Attempt unsucessful ! makelog(0,0,"ATTEMPTED LOGIN - FAILURE","User: $user, with password: ($passwordhash"); ! return 0; ! } elseif (count($result) != 1) { ! // If the user / password cannot be reconciled, then return 0 ! return 0; ! } else { ! return array( ! $result[0]['username'], ! $result[0]['name'], ! $result[0]['email'], ! $result[0]['id'], ! $result[0]['root'], ! $result[0]['restricted'] ! ); ! } } } ?> |
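Review bot: in ldap_authenticate() (authentication.php hunk), `ldap_bind($ds, $result[0]['dn'], $ldappassword)` is called without checking that $ldappassword is non-empty. A simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many directories accept, so an empty password would count as a successful login for any uid that exists; add `if ($ldappassword == '') return NULL;` before the bind. The same hunk builds the search filter as `'uid=' . strtolower($ldapuser)` with no escaping of the RFC 4515 special characters ( ) * \ and NUL, so a username containing them changes the meaning of the filter instead of being matched literally, and the DN bound to is whatever entry comes back first; escape the value before it enters the filter (ldap_escape() exists from PHP 5.6; on older versions backslash-escape those characters by hand). The preference key 'ldap-ause' reads like a typo for 'ldap-use'; whichever is meant, it must match the schema.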
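Review bot: auth() in the authentication.php hunk logs the MD5 of the submitted password on failure ("User: $user, with password: $passwordhash"; the pre-existing local branch also has a stray '(' before it), and the new LDAP branch copies the pattern under the 'FAILUREldap' tag. A hash of a failed password leaks near-misses of real passwords (typos) to anyone who can read the log table; log the username and outcome only. The new $ldapck query interpolates strtolower($user) straight into the SQL string, as the existing $sql does; both should go through the DB layer's escaping. Also, the local branch still returns six elements while the LDAP branch returns seven (the trailing $result[0]['ldap']), so a caller reading $result[6] gets an undefined index for local accounts; return an explicit 0 for 'ldap' in the local branch too.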
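Review bot: in the functions.php hunk, the else branch of search_ldap() calls `ldap_search($ds, $default_prefs['ldap-basedn'])` with no filter argument; the filter is a required parameter of ldap_search(), so that path raises a warning and returns no entries rather than listing the base. Pass a default filter such as '(objectClass=*)' or drop the branch, since the only caller in login.php always supplies one. The function also repeats the connect / protocol-version / anonymous-bind sequence from ldap_authenticate(); moving it into one shared helper keeps the two in step, and the `or die(...)` calls should return NULL like the rest of the code so a directory outage renders the login page instead of a bare message.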
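Review bot: in the mail.php hunk, `isset($_SERVER['HTTPS'])` is not a reliable HTTPS test: IIS and some FastCGI setups set HTTPS to the string 'off' for plain HTTP, which isset() treats as true, so the generated link would be https:// on an http-only site. Use `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'`. The 'newldap' branch in the later hunk links to sitesandusers.php without an id, which matches the %%LINK%% text in the new mail template.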
From: Scott P. <wht...@us...> - 2007-09-16 22:00:42
Update of /cvsroot/helpmeict/Helpdesk/share/templates/en_UK In directory sc8-pr-cvs17:/tmp/cvs-serv7391/share/templates/en_UK Added Files: mail_newldapuser.tpl Log Message: Added backend for LDAP Authentication --- NEW FILE: mail_newldapuser.tpl --- Signature = On Issue = No ; set to Yes,On or 1 if you want to send Issue with mail. IssueFile = No Remarks = No ;FCharset = iso-8859-1 Sender = <noreply> (Helmeict Helpdesk 0.9.2) ;SCharset = iso-8859-1 Subject = New ldap user automatically added.; Subject of the mail. ; Need to use UTF-8 inside body. <MAILBODY> A new LDAP user %%USER%% has been automatically added to the system. Please import the user to their default domain and assign their permissions. Import and Modify pemissions here: %%LINK%% |
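Review bot: the template's Sender line still reads 'Helmeict Helpdesk 0.9.2' while the installers carry 0.9.3 (bumped to 1.0 later the same day), and 'Helmeict' drops the 'p' of Helpmeict; 'pemissions' in the body should be 'permissions'. The Subject line ends in '.;' with a comment after the ';'; confirm the template parser strips inline comments on that line, otherwise the subject ends with a literal ';'.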
From: Scott P. <wht...@us...> - 2007-09-16 22:00:42
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv7391 Modified Files: login.php sitesandusers.php Log Message: Added backend for LDAP Authentication Index: login.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/login.php,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** login.php 12 Sep 2007 23:32:13 -0000 1.16 --- login.php 16 Sep 2007 22:00:38 -0000 1.17 *************** *** 37,40 **** --- 37,43 ---- require_once 'system/global_preferences.php'; require_once 'system/logs.php'; + require_once 'system/functions.php'; + require_once 'system/security.php'; + require_once 'system/mail.php'; global $user, $password; *************** *** 81,127 **** // Default action: Login if (!isset($act)) { ! $result = (auth($user, $password)); ! if ($result == 0) { ! $ptitle = "Login Failed"; ! include 'header.php'; ! set_text_domain("login"); ! print "<h1>".gettext('Access Error')."</h1>\n"; ! print "<h2>".gettext('Your username or password is incorrect.')."</h2>\n"; ! print "<div class=\"block\" align=\"center\"><p><a href=\"index.php\">".gettext('Please try again.')."</a></p></div>"; ! include 'footer.php'; ! exit; ! } //build array resulting from authentication ! $user = array( ! array ( ! 'user' => "$result[0]", ! 'name' => "$result[1]", ! 'email' => "$result[2]", ! 'id' => "$result[3]", ! 'root' => "$result[4]", ! 'restricted' => "$result[5]" ! ), ! ); ! ! // Register session variables ! session_register('_username'); ! session_register('_name'); ! session_register('_email'); ! session_register('_id'); ! session_register('_usertype'); ! session_register('_usertypesortorder'); ! session_register('_restricted'); ! session_register('_domain'); ! session_register('_domaincss'); ! // Set user associated session variables ! $_SESSION['_username'] = $user[0]['user']; ! $_SESSION['_name'] = $user[0]['name']; ! $_SESSION['_email'] = $user[0]['email']; ! 
$_SESSION['_id'] = $user[0]['id']; ! $_SESSION['_restricted'] = $user[0]['restricted']; // If this user is the root user then bypass finding the user type. if ($user[0]['root'] == 1) { --- 84,163 ---- // Default action: Login + if (!isset($act)) { ! $sql = "SELECT * FROM tbl_users WHERE username='".strtolower($user)."' AND active=1 AND ldap=1"; ! $result = db_recordset($sql); ! if (ldap_authenticate(strtolower($user), $password) && $result == NULL) { ! //todo create user ! $ldapfilter = "uid=".strtolower($user); ! $ldapresult = search_ldap($ldapfilter); ! for ($i=0; $i<$ldapresult['count']; $i++) { ! $nextid = db_next_id('tbl_users_id'); ! db_send("INSERT INTO tbl_users (id,name,username,pass,available,email,ldap) VALUES ($nextid, '".$ldapresult[$i]['cn'][0]."', '".strtolower($user)."', '".md5($password)."', '1', '".$ldapresult[$i]['mail'][0]."', '1')"); ! db_send("INSERT INTO tbl_UserDomains (userid,domain,defaultflag) VALUES ($nextid,0,1);"); ! } ! $address = db_recordset("SELECT value from tbl_default_preferences WHERE identifier='newissue-email'"); ! if ($address[0]['value'] != '') { ! $lng = db_recordset("SELECT value from tbl_default_preferences WHERE identifier='language'"); ! send_mail('newldap',$lng[0]['value'],$address[0]['value'],"",$user,""); ! } ! ! $ptitle = "User Account Created"; ! include 'header.php'; ! set_text_domain("login"); ! print "<h1>".gettext('Account Created')."</h1>\n"; ! print "<h2>".gettext('Your username authenticated but you have not had an account before.')."</h2>\n"; ! print "<div class=\"block\" align=\"center\"><p>".gettext('An email has been sent to the administrator to setup your permissions.')."<br />\n".gettext('After this has been completed this ') . "<a href=\"index.php\">".gettext('please try again.')."</a></p></div>"; ! include 'footer.php'; ! exit; ! } ! else { ! $result = (auth($user, $password)); ! if ($result == 0) { ! $ptitle = "Login Failed"; ! include 'header.php'; ! set_text_domain("login"); ! 
print "<h1>".gettext('Access Error')."</h1>\n"; ! print "<h2>".gettext('Your username or password is incorrect.')."</h2>\n"; ! print "<div class=\"block\" align=\"center\"><p><a href=\"index.php\">".gettext('Please try again.')."</a></p></div>"; ! include 'footer.php'; ! exit; ! } //build array resulting from authentication ! $user = array( ! array ( ! 'user' => "$result[0]", ! 'name' => "$result[1]", ! 'email' => "$result[2]", ! 'id' => "$result[3]", ! 'root' => "$result[4]", ! 'restricted' => "$result[5]", ! 'ldap' => "$result[6]" ! ), ! ); ! ! // Register session variables ! session_register('_username'); ! session_register('_name'); ! session_register('_email'); ! session_register('_id'); ! session_register('_usertype'); ! session_register('_usertypesortorder'); ! session_register('_restricted'); ! session_register('_ldap'); ! session_register('_domain'); ! session_register('_domaincss'); + // Set user associated session variables + $_SESSION['_username'] = $user[0]['user']; + $_SESSION['_name'] = $user[0]['name']; + $_SESSION['_email'] = $user[0]['email']; + $_SESSION['_id'] = $user[0]['id']; + $_SESSION['_restricted'] = $user[0]['restricted']; + $_SESSION['_ldap'] = $user[0]['ldap']; + + } // If this user is the root user then bypass finding the user type. if ($user[0]['root'] == 1) { *************** *** 129,133 **** $act = 'acceptroot'; ! } else { // Find the default domain of this user --- 165,170 ---- $act = 'acceptroot'; ! } ! 
else { // Find the default domain of this user Index: sitesandusers.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/sitesandusers.php,v retrieving revision 1.19 retrieving revision 1.20 diff -C2 -d -r1.19 -r1.20 *** sitesandusers.php 15 Sep 2007 08:41:32 -0000 1.19 --- sitesandusers.php 16 Sep 2007 22:00:38 -0000 1.20 *************** *** 544,547 **** --- 544,556 ---- if ($userrecord > 1) { db_send("INSERT INTO tbl_UserDomains (userid,domain,defaultflag) VALUES ($userrecord,$_SESSION[_domain],0)"); + //Search to find if User is in System domain from LDAP auto adding. + $result = db_recordset("SELECT * from tbl_userdomains WHERE userid=$userrecord"); + //Remove user from System domian and set defaultflag for LDAP auto add users. + foreach ($result as $key) { + if ($result[$key]['domain'] == 0) { + db_send("DELETE FROM tbl_userdomains WHERE userid=$userrecord AND domain=0"); + db_send("UPDATE tbl_userdomains SET defaultflag=1 WHERE userid=$userrecord"); + } + } } } |
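Review bot: the login.php hunk stores md5($password) in tbl_users.pass for the auto-created LDAP account even though auth() never consults pass for ldap=1 users; that leaves a second, unsalted copy of the directory password in the helpdesk database with no purpose. Insert a fixed placeholder instead. The same INSERT interpolates $ldapresult[$i]['cn'][0] and ['mail'][0] straight from the directory into the SQL string, so a cn containing a quote breaks the statement; route them through the DB layer's escaping like any other external input. The loop also runs once per matching entry and inserts the same username each time; with a uid filter, more than one match should abort rather than create duplicate rows. `$result == NULL` only works because an empty array compares loosely equal to NULL; `count($result) == 0` says what is meant.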
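Review bot: the sitesandusers.php hunk iterates `foreach ($result as $key)` and then indexes `$result[$key]['domain']`; $key is the row array itself, so `$result[$key]` is an illegal offset type and the domain-0 cleanup never runs. Write `foreach ($result as $row) { if ($row['domain'] == 0) { ... } }`. Inside the branch, `UPDATE tbl_userdomains SET defaultflag=1 WHERE userid=$userrecord` has no domain condition, so a user who already belongs to several domains gets all of them flagged default; restrict it to the domain just added ($_SESSION[_domain]). The two new statements also use the lowercase name tbl_userdomains while the INSERT above uses tbl_UserDomains; on a case-sensitive MySQL installation those are different tables.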
From: Scott P. <wht...@us...> - 2007-09-15 08:41:39
Update of /cvsroot/helpmeict/Helpdesk/install In directory sc8-pr-cvs17:/tmp/cvs-serv4819/install Modified Files: DB-MySQL.sql DB-PostgreSQL.sql Log Message: LDAP authentication frontend/schema changes. Index: DB-PostgreSQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-PostgreSQL.sql,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** DB-PostgreSQL.sql 7 Feb 2007 01:20:05 -0000 1.2 --- DB-PostgreSQL.sql 15 Sep 2007 08:41:32 -0000 1.3 *************** *** 710,714 **** active smallint DEFAULT (1)::smallint NOT NULL, root smallint DEFAULT (0)::smallint NOT NULL, ! restricted smallint DEFAULT (0)::smallint NOT NULL ); --- 710,715 ---- active smallint DEFAULT (1)::smallint NOT NULL, root smallint DEFAULT (0)::smallint NOT NULL, ! restricted smallint DEFAULT (0)::smallint NOT NULL, ! ldap smallint DEFAULT (0)::smallint NOT NULL ); *************** *** 891,894 **** --- 892,899 ---- INSERT INTO tbl_default_preferences VALUES ('newissue-email', ''); INSERT INTO tbl_default_preferences VALUES ('wrk-timer', 'true'); + INSERT INTO tbl_default_preferences VALUES ('ldap-ause', 'false'); + INSERT INTO tbl_default_preferences VALUES ('ldap-basedn', ''); + INSERT INTO tbl_default_preferences VALUES ('ldap-host', ''); + INSERT INTO tbl_default_preferences VALUES ('ldap-v2', 'false'); *************** *** 1022,1025 **** --- 1027,1034 ---- INSERT INTO tbl_preference_descriptions VALUES ('newissue-email', 'text', 'Email address to receive new unassigned issues (or leave blank)', 0); INSERT INTO tbl_preference_descriptions VALUES ('wrk-timer', 'boolean', 'Turn on usage of Timer', 0); + INSERT INTO tbl_preference_descriptions VALUES ('ldap-ause', 'boolean', 'Use LDAP Authentication', 0); + INSERT INTO tbl_preference_descriptions VALUES ('ldap-basedn', 'text', 'LDAP BaseDN', 0); + INSERT INTO tbl_preference_descriptions VALUES ('ldap-host', 'text', 'LDAP Hostname', 0); + INSERT INTO 
tbl_preference_descriptions VALUES ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2', 0); Index: DB-MySQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-MySQL.sql,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** DB-MySQL.sql 15 Sep 2007 03:50:31 -0000 1.3 --- DB-MySQL.sql 15 Sep 2007 08:41:32 -0000 1.4 *************** *** 34,38 **** ('email-resolve', 'false'), ('newissue-email', ''), ! ('wrk-timer', 'true'); -- -------------------------------------------------------- --- 34,43 ---- ('email-resolve', 'false'), ('newissue-email', ''), ! ('wrk-timer', 'true'), ! ('ldap-ause', 'false'), ! ('ldap-basedn', ''), ! ('ldap-host', ''), ! ('ldap-v2', 'false'); ! -- -------------------------------------------------------- *************** *** 285,289 **** ('email-resolve', 'boolean', 'Email notification of issue resolutions.', 1), ('newissue-email', 'text', 'Email address to receive new unassigned issues (or leave blank)', 0), ! ('wrk-timer', 'boolean', 'Turn on usage of Timer', 0); -- -------------------------------------------------------- --- 290,299 ---- ('email-resolve', 'boolean', 'Email notification of issue resolutions.', 1), ('newissue-email', 'text', 'Email address to receive new unassigned issues (or leave blank)', 0), ! ('wrk-timer', 'boolean', 'Turn on usage of Timer', 0), ! ('ldap-ause', 'boolean', 'Use LDAP Authentication', 0), ! ('ldap-basedn', 'text', 'LDAP BaseDN', 0), ! ('ldap-host', 'text', 'LDAP Hostname', 0), ! ('ldap-v2', 'boolean', 'Use LDAP Protocol Version 2', 0); ! -- -------------------------------------------------------- *************** *** 604,607 **** --- 614,618 ---- `root` int(2) NOT NULL default '0', `restricted` int(2) NOT NULL default '0', + `ldap` int(2) NOT NULL default '0', PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=3 ; |
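Review bot: the preference identifier added in all four hunks is 'ldap-ause'; if 'ldap-use' is meant, fix it here before code keys on the string, since renaming a preference later needs a migration for existing installs. The 'ldap-host' description says 'LDAP Hostname', but the bind that follows carries the user's password, so the installer should say whether an ldap:// or ldaps:// URI is accepted (ldap_connect() takes a URI); without TLS a simple bind sends the password in clear. The new ldap column (smallint on PostgreSQL, int(2) default '0' on MySQL) is consistent with the sibling root/restricted columns.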
From: Scott P. <wht...@us...> - 2007-09-15 08:41:38
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv4819 Modified Files: preferences.php sitesandusers.php Log Message: LDAP authentication frontend/schema changes. Index: sitesandusers.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/sitesandusers.php,v retrieving revision 1.18 retrieving revision 1.19 diff -C2 -d -r1.18 -r1.19 *** sitesandusers.php 15 Sep 2007 05:30:30 -0000 1.18 --- sitesandusers.php 15 Sep 2007 08:41:32 -0000 1.19 *************** *** 57,64 **** require_once 'system/lang.php'; require_once 'system/message.php'; require_once 'system/global_preferences.php'; require 'header.php'; ! global $act, $usertype, $message, $users, $is_pgsql; // Language selection set_text_domain("sitesandusers"); --- 57,65 ---- require_once 'system/lang.php'; require_once 'system/message.php'; + require_once 'system/user_preferences.php'; require_once 'system/global_preferences.php'; require 'header.php'; ! global $act, $usertype, $message, $users, $is_pgsql, $iuds, $ldap; // Language selection set_text_domain("sitesandusers"); *************** *** 128,132 **** 'resolve', 'email', ! 'oldusername' ); --- 129,134 ---- 'resolve', 'email', ! 'oldusername', ! 'ldap' ); *************** *** 281,287 **** } else { if ($available == 'true') { $available = '1'; } else { $available = '0'; } // Add user $user = db_next_id('tbl_Users_id'); ! db_send("INSERT INTO tbl_Users (id,name,username,pass,available,email) VALUES ($user, '$name','" . strtolower($username) . "','" . md5($password) . "',$available, '$email')"); // Add user to the current domain --- 283,290 ---- } else { if ($available == 'true') { $available = '1'; } else { $available = '0'; } + if ($ldap == 'true') { $ldap = '1'; } else { $ldap = '0'; } // Add user $user = db_next_id('tbl_Users_id'); ! db_send("INSERT INTO tbl_Users (id,name,username,pass,available,email,ldap) VALUES ($user, '$name','" . strtolower($username) . "','" . 
md5($password) . "',$available, '$email', '$ldap')"); // Add user to the current domain *************** *** 330,333 **** --- 333,347 ---- <div class="field"><input type="checkbox" name="available" id="available" checked="checked" value="true" /></div> </div> + <?php + $prefs=get_user_prefs($_SESSION['_id']); + if ($prefs['ldap-ause'] == 'true') { + ?> + <div class="labelfieldpair"> + <div class="name"><label for="ldap"><?php echo gettext('LDAP Account');?></label></div> + <div class="field"><input type="checkbox" name="ldap" id="ldap" value="true" /></div> + </div> + <?php + } + ?> <div class="buttonpanel"> <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add User')?>" /> *************** *** 361,365 **** $sql = "UPDATE tbl_Users SET name='" . $name . "',username='" . strtolower($username) . "'"; if ($password <> '') { $sql .= ",pass='" . md5($password) . "'"; } ! $sql .= ",email='$email' WHERE ID=" . $user; db_send($sql); --- 375,380 ---- $sql = "UPDATE tbl_Users SET name='" . $name . "',username='" . strtolower($username) . "'"; if ($password <> '') { $sql .= ",pass='" . md5($password) . "'"; } ! if ($ldap == 'true') { $ldap = '1'; } else { $ldap = '0'; } ! $sql .= ",email='$email', ldap='$ldap' WHERE ID=" . 
$user; db_send($sql); *************** *** 648,651 **** --- 663,677 ---- <div class="field"><input type="text" name="email" id="email" size="20" maxlength="40" value="<?php echo $usersRS[0]['email']?>" /></div> </div> + <?php + $prefs=get_user_prefs($_SESSION['_id']); + if ($prefs['ldap-ause'] == 'true') { + ?> + <div class="labelfieldpair"> + <div class="name"><label for="ldap"><?php echo gettext('LDAP Account');?></label></div> + <div class="field"><input type="checkbox" name="ldap" id="ldap" <?php if (isset($usersRS[0]['ldap'])) {if ($usersRS[0]['ldap'] == '1') {echo 'checked';} }?> value="true" /></div> + </div> + <?php + } + ?> <div class="buttonpanel"> <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> Index: preferences.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/preferences.php,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** preferences.php 12 Sep 2007 23:32:13 -0000 1.15 --- preferences.php 15 Sep 2007 08:41:32 -0000 1.16 *************** *** 130,134 **** $defprefs = db_recordset("SELECT *, 'default' AS level FROM tbl_Default_Preferences, tbl_Preference_Descriptions ! WHERE tbl_Default_Preferences.identifier = tbl_Preference_Descriptions.identifier"); $domprefs = db_recordset("SELECT *, 'domain' AS level FROM tbl_Domain_Preferences, tbl_Preference_Descriptions --- 130,135 ---- $defprefs = db_recordset("SELECT *, 'default' AS level FROM tbl_Default_Preferences, tbl_Preference_Descriptions ! WHERE tbl_Default_Preferences.identifier = tbl_Preference_Descriptions.identifier ! AND tbl_Default_Preferences.identifier NOT LIKE 'ldap-%'"); $domprefs = db_recordset("SELECT *, 'domain' AS level FROM tbl_Domain_Preferences, tbl_Preference_Descriptions |
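Review bot: the preferences.php hunk excludes every 'ldap-%' identifier from the default-preferences list, so the four new settings cannot be edited through the preferences page and have to be set by hand in tbl_Default_Preferences; if that is intended, say so in the log message or the installer. In the sitesandusers.php form hunks, the LDAP checkbox is only rendered when get_user_prefs() reports 'ldap-ause' as 'true', but the update hunk sets ldap='0' whenever the checkbox is absent, so editing any user while LDAP is disabled silently clears the flag; only touch the ldap column when the checkbox was rendered.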
From: Scott P. <wht...@us...> - 2007-09-15 05:30:47
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv26809 Modified Files: sitesandusers.php Log Message: fix missing undefined variable is_pgsql Index: sitesandusers.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/sitesandusers.php,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** sitesandusers.php 13 Sep 2007 01:12:43 -0000 1.17 --- sitesandusers.php 15 Sep 2007 05:30:30 -0000 1.18 *************** *** 60,64 **** require 'header.php'; ! global $act, $usertype, $message, $users; // Language selection set_text_domain("sitesandusers"); --- 60,64 ---- require 'header.php'; ! global $act, $usertype, $message, $users, $is_pgsql; // Language selection set_text_domain("sitesandusers"); |
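Review bot: `global $act, $usertype, $message, $users, $is_pgsql;` at file scope only aliases the name into the global table; it does not define `$is_pgsql`, so if nothing assigns it before its first use the undefined-variable notice this commit targets will persist. The file derives the database type from `$conf_db['dsn']['phptype'] == 'pgsql'` (visible in the 2007-09-13 sitesandusers.php diff below), so assign `$is_pgsql = ($conf_db['dsn']['phptype'] == 'pgsql');` at that point, or in the shared include that sets `$conf_db`, rather than relying on the global declaration.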
From: Scott P. <wht...@us...> - 2007-09-15 03:50:38
Update of /cvsroot/helpmeict/Helpdesk/install In directory sc8-pr-cvs17:/tmp/cvs-serv20350 Modified Files: DB-MySQL.sql Log Message: Fix Insert statements that fail table creation. Index: DB-MySQL.sql =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/install/DB-MySQL.sql,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** DB-MySQL.sql 7 Feb 2007 01:20:05 -0000 1.2 --- DB-MySQL.sql 15 Sep 2007 03:50:31 -0000 1.3 *************** *** 203,213 **** (2, 'About', 'about.php', 1, 1), (3, 'News', 'news.php', 1, 2), ! (4, 'Documentation', 'docs/index.html', 1, 3); (5, 'F.A.Q.', 'faq.php', 1, 4), ! (6, 'Download', 'download.php', 1, 5); (7, 'Features', 'features.php', 1, 6), (8, 'Change Log', 'changelog.php', 1, 7), (9, 'Central Mcr. CLC', 'http://helpdesk.centralmanclc.com/', 2, 0), ! (10, 'Oxford Archeology', 'http://www.thehumanjourney.net/', 2, 1); (11, 'European Electronique', 'http://www.euroele.co.uk/', 2, 2); --- 203,213 ---- (2, 'About', 'about.php', 1, 1), (3, 'News', 'news.php', 1, 2), ! (4, 'Documentation', 'docs/index.html', 1, 3), (5, 'F.A.Q.', 'faq.php', 1, 4), ! (6, 'Download', 'download.php', 1, 5), (7, 'Features', 'features.php', 1, 6), (8, 'Change Log', 'changelog.php', 1, 7), (9, 'Central Mcr. CLC', 'http://helpdesk.centralmanclc.com/', 2, 0), ! (10, 'Oxford Archeology', 'http://www.thehumanjourney.net/', 2, 1), (11, 'European Electronique', 'http://www.euroele.co.uk/', 2, 2); |
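Review bot: the fix is correct: the stray `;` after rows 4, 6 and 10 terminated the multi-row INSERT early, so the following rows were parsed as statements beginning with `(` and failed. The log message ("fail table creation") is misleading, since the tables are created before these statements run; a message such as "Fix multi-row INSERT terminators in seed data" would describe the change. One consequence worth noting: the eleven rows are now one statement, so a single bad row aborts the whole list, which is the desired all-or-nothing behaviour for seed data.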
From: Scott P. <wht...@us...> - 2007-09-13 01:12:48
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv5544 Modified Files: sitesandusers.php statuses.php summary.php unassignedissues.php Log Message: Last of the sanitizing, magic_quotes detection, undefined constants, undefined variables, and undefined indexes. Index: statuses.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/statuses.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** statuses.php 7 Feb 2007 01:20:04 -0000 1.6 --- statuses.php 13 Sep 2007 01:12:43 -0000 1.7 *************** *** 1,296 **** ! <?php ! ! /* ! ! statuses.php ! ! Status Admin. Allows the user to administer the list of statuses ! for this domain an put them in order. The order given is that of the ! life cycle of an issue (open->closed). [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page Security ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! 
&& $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Statuses'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("statuses"); ! ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $status = $_POST['status']; ! $statuses = $_REQUEST['statuses']; ! ! // Action: Add a status to the system ! if ($act == 'addstatusaction') { ! $act = 'addstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! $statuscount = db_recordset("SELECT * FROM tbl_Statuses WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $statuses = ''; ! // Add the status ! db_send("INSERT INTO tbl_Statuses (status,domain,sortorder) VALUES ('" . $status . "',$_SESSION[_domain]" . ',' . count($statuscount) . ")"); ! ! $act = ''; ! $message = gettext("NOTE: Status successfully added to system."); ! } ! } ! ! // Action: Request details to add a status to the system ! if ($act == 'addstatus') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addstatusaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $status?>" /></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Status')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! 
<input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a status ! if ($act == 'editstatusaction') { ! $act = 'editstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! // Edit the status ! db_send("UPDATE tbl_Statuses SET status='" . $status . "' WHERE id=$statuses"); ! $message = gettext("NOTE: Status successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a status up ! if ($act == 'up') { ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0][active] == 1) { ! // Only move a status up if it isn't at the top already ! if ($status[0][sortorder] > 0) { ! // Find the status that is one in line above it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0][sortorder]-1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0][sortorder]-1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0][sortorder] . " WHERE id=" . $newstatus[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Move a status down ! if ($act == 'down') { ! // Find the lowest status ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0][active] == 1) { ! 
// Only move a status down if it isn't at the bottom already ! if ($status[0][sortorder] < (count($statusesRS)-1)) { ! // Find the status that is one in line below it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0][sortorder]+1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0][sortorder]+1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0][sortorder] . " WHERE id=" . $newstatus[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Remove a status from the system ! if ($act == 'removestatus') { ! // Find the sort order of this status ! $status = db_recordset("SELECT sortorder FROM tbl_Statuses WHERE id=$statuses"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Statuses SET active=0,sortorder=-1 WHERE id=$statuses"); ! // change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Statuses SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $status[0][sortorder]); ! $act = ""; ! $statuses = ''; ! $message = gettext("NOTE: Status successfully removed."); ! } ! ! // Action: Request details to edit a status ! if ($act == 'editstatus') { ! ! // Retrieve Status information ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE id=" . $statuses); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editstatusaction" /> ! <input type="hidden" name="statuses" value="<?php echo $statuses?>" /> ! <div class="labelfieldpair"> ! 
<div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $statusesRS[0][status]?>"></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show statuses and invite user to choose action... ! if ($act == '') { ! // Retrieve statuses ! $sql = "SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $statusesRS = db_recordset($sql); ! $num_statuses = count($statusesRS); ! ! if (!$statuses) $statuses=$statusesRS[0][id]; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removestatus' || act == 'editstatus') && document.mainform.statuses.value == 0) { ! alert('<?php echo gettext('There are no statuses on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removestatus' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this status?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the statuses of issues in this system:')?></h2> ! ! <div class="block"> ! 
<p><?php echo gettext("The first status in this list is the default status of a new issue. Movement through this list would be synonymous with the life cycle of the issue. The final status will be classed as 'closed' and as such will be the terminal status of issues, regardless of the actual name of the status. Note that if only one status is present, then the status will not be treated as closed.")?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="statuses"><?php echo gettext('Statuses')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removestatus')" /> ! </div> ! <div class="columnleft"> ! <select name="statuses" id="statuses" size="10"> ! <?php ! if ($num_statuses == 0) { ! print (" <option value=\"0\" selected=\"selected\">[".gettext('No Statuses')."]</option>\n"); ! } ! foreach ($statusesRS as $record) { ! // Set as default if this was previously chosen ! if ($record[id] == $statuses) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! if ($record[active] == 0) {$style = " class=\"inactive\"";} else {$style = "";}; ! print (" <option value=\"${record[id]}\"${checked}${style}>${record[status]}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! 
?> --- 1,361 ---- ! <?php ! ! /* ! ! statuses.php ! ! Status Admin. Allows the user to administer the list of statuses ! for this domain an put them in order. The order given is that of the ! life cycle of an issue (open->closed). [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page Security ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! && $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Statuses'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("statuses"); ! ! global $act, $statuses, $message, $status; ! ! // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! 
foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $postarg = Array( ! 'status' ! ); ! ! $requestarg = Array( ! 'act', ! 'statuses' ! ); ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } ! } ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } ! } ! ! // Action: Add a status to the system ! if ($act == 'addstatusaction') { ! $act = 'addstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! $statuscount = db_recordset("SELECT * FROM tbl_Statuses WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $statuses = ''; ! // Add the status ! db_send("INSERT INTO tbl_Statuses (status,domain,sortorder) VALUES ('" . $status . "',$_SESSION[_domain]" . ',' . count($statuscount) . ")"); ! ! 
$act = ''; ! $message = gettext("NOTE: Status successfully added to system."); ! } ! } ! ! // Action: Request details to add a status to the system ! if ($act == 'addstatus') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addstatusaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $status?>" /></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Status')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a status ! if ($act == 'editstatusaction') { ! $act = 'editstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! // Edit the status ! db_send("UPDATE tbl_Statuses SET status='" . $status . "' WHERE id=$statuses"); ! $message = gettext("NOTE: Status successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a status up ! if ($act == 'up') { ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0]['active'] == 1) { ! // Only move a status up if it isn't at the top already ! if ($status[0]['sortorder'] > 0) { ! // Find the status that is one in line above it ! 
$newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0]['sortorder']-1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0]['sortorder']-1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0]['sortorder'] . " WHERE id=" . $newstatus[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Move a status down ! if ($act == 'down') { ! // Find the lowest status ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0]['active'] == 1) { ! // Only move a status down if it isn't at the bottom already ! if ($status[0]['sortorder'] < (count($statusesRS)-1)) { ! // Find the status that is one in line below it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0]['sortorder']+1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0]['sortorder']+1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0]['sortorder'] . " WHERE id=" . $newstatus[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Remove a status from the system ! if ($act == 'removestatus') { ! // Find the sort order of this status ! $status = db_recordset("SELECT sortorder FROM tbl_Statuses WHERE id=$statuses"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Statuses SET active=0,sortorder=-1 WHERE id=$statuses"); ! 
// change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Statuses SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $status[0]['sortorder']); ! $act = ""; ! $statuses = ''; ! $message = gettext("NOTE: Status successfully removed."); ! } ! ! // Action: Request details to edit a status ! if ($act == 'editstatus') { ! ! // Retrieve Status information ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE id=" . $statuses); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editstatusaction" /> ! <input type="hidden" name="statuses" value="<?php echo $statuses?>" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $statusesRS[0]['status']?>"></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show statuses and invite user to choose action... ! if ($act == '') { ! // Retrieve statuses ! $sql = "SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $statusesRS = db_recordset($sql); ! $num_statuses = count($statusesRS); ! ! 
if (!$statuses) $statuses=$statusesRS[0]['id']; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removestatus' || act == 'editstatus') && document.mainform.statuses.value == 0) { ! alert('<?php echo gettext('There are no statuses on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removestatus' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this status?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the statuses of issues in this system:')?></h2> ! ! <div class="block"> ! <p><?php echo gettext("The first status in this list is the default status of a new issue. Movement through this list would be synonymous with the life cycle of the issue. The final status will be classed as 'closed' and as such will be the terminal status of issues, regardless of the actual name of the status. Note that if only one status is present, then the status will not be treated as closed.")?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="statuses"><?php echo gettext('Statuses')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removestatus')" /> ! </div> ! <div class="columnleft"> ! <select name="statuses" id="statuses" size="10"> ! <?php ! if ($num_statuses == 0) { ! 
print (" <option value=\"0\" selected=\"selected\">[".gettext('No Statuses')."]</option>\n"); ! } ! foreach ($statusesRS as $record) { ! // Set as default if this was previously chosen ! if ($record['id'] == $statuses) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! if ($record['active'] == 0) {$style = " class=\"inactive\"";} else {$style = "";}; ! print (" <option value=\"${record['id']}\"${checked}${style}>${record['status']}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! ?> Index: summary.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/summary.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** summary.php 11 Mar 2007 15:23:48 -0000 1.12 --- summary.php 13 Sep 2007 01:12:43 -0000 1.13 *************** *** 50,62 **** require_once 'system/lang.php'; require_once 'system/functions.php'; ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $x = $_REQUEST['x']; ! $y = $_REQUEST['y']; ! $display = $_REQUEST['display']; ! $datefrom = $_REQUEST['datefrom']; ! $dateto = $_REQUEST['dateto']; ! $display2 = $_REQUEST['display']; if ($act == 'csv') { --- 50,96 ---- require_once 'system/lang.php'; require_once 'system/functions.php'; ! ! global $act, $display2; // Retrieve Get/Post variables ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! 
if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $requestarg = Array( ! 'act', ! 'x', ! 'y', ! 'display', ! 'datefrom', ! 'dateto' ! ); ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! if ($request == 'display') { ! $$display2 = $_REQUEST[$request]; ! } ! } ! } if ($act == 'csv') { Index: sitesandusers.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/sitesandusers.php,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** sitesandusers.php 8 Sep 2007 23:56:50 -0000 1.16 --- sitesandusers.php 13 Sep 2007 01:12:43 -0000 1.17 *************** *** 64,147 **** set_text_domain("sitesandusers"); foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); } ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! } ! ! // Retrieve Get/Post variables ! ! if (!get_magic_quotes_gpc()) { ! if (isset($_REQUEST['act'])) { ! $act = addslashes($_REQUEST['act']); ! } ! if (isset($_POST['site'])) { ! $site = addslashes($_POST['site']); ! } ! if (isset($_POST['sites'])) { ! 
$sites = $_POST['sites']; } else { ! $sites = array(); ! } ! if (isset($_POST['name'])) { ! $name = addslashes($_POST['name']); ! } ! if (isset($_POST['username'])) { ! $username = addslashes($_POST['username']); ! } ! if (isset($_POST['password'])) { ! $password = addslashes($_POST['password']); ! } ! if (isset($_POST['available'])) { ! $available = addslashes($_POST['available']); ! } ! if (isset($_POST['user'])) { ! $user = addslashes($_POST['user']); ! } ! if (isset($_POST['users'])) { ! $users = $_POST['users']; ! } ! if (isset($_POST['usertype'])) { ! $usertype = addslashes($_POST['usertype']); ! } ! if (isset($_POST['support'])) { ! $support = $_POST['support']; } ! if (isset($_POST['resolve'])) { ! $resolve = addslashes($_POST['resolve']); } ! if (isset($_POST['email'])) { ! $email = addslashes($_POST['email']); } ! if (isset($_POST['oldusername'])) { ! $oldusername = addslashes($_POST['oldusername']); } } - else { - $act = $_REQUEST['act']; - $site = $_POST['site']; - $sites = $_POST['sites']; - if ($sites == '') { $sites = array(); } - $name = $_POST['name']; - $username = $_POST['username']; - $password = $_POST['password']; - $available = $_POST['available']; - $user = $_POST['user']; - $users = $_POST['users']; - $usertype = $_POST['usertype']; - $support = $_POST['support']; - $resolve = $_POST['resolve']; - $email = $_POST['email']; - $oldusername = $_POST['oldusername']; - } if ($conf_db['dsn']['phptype'] == 'pgsql') { --- 64,148 ---- set_text_domain("sitesandusers"); + // Retrieve Get/Post variables foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. 
Your IP has been logged.'); + if(is_array($_POST[$key])) { + foreach ($_POST[$key] as $key2 => $val2) { + if (!get_magic_quotes_gpc()) { + $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (!get_magic_quotes_gpc()) { + $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } } ! foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } } else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } } ! } ! ! $requestarg = Array( ! 'act' ! ); ! ! $postarg = Array( ! 'site', ! 'sites', ! 'name', ! 'username', ! 'password', ! 'available', ! 'user', ! 'users', ! 'usertype', ! 'support', ! 'resolve', ! 'email', ! 'oldusername' ! ); ! ! foreach ($requestarg as $request) { ! if(isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; } ! } ! ! foreach ($postarg as $post) { ! if(isset($_POST[$post])) { ! $$post = $_POST[$post]; } ! elseif (!isset($_POST[$post]) && $post == 'sites') { ! 
$$post = Array(); } } if ($conf_db['dsn']['phptype'] == 'pgsql') { Index: unassignedissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/unassignedissues.php,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** unassignedissues.php 10 Sep 2007 00:32:33 -0000 1.8 --- unassignedissues.php 13 Sep 2007 01:12:43 -0000 1.9 *************** *** 56,67 **** require 'header.php'; // Language selection set_text_domain("unassignedissues"); // Retrieve Get/Post variables ! $act = $_GET['act']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $page = $_GET['page']; if ($_SESSION['_usertype'] == 'Client') { ThrowOut(); } --- 56,100 ---- require 'header.php'; + global $act, $orderby, $page, $categories; + // Language selection set_text_domain("unassignedissues"); // Retrieve Get/Post variables ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! $getarg = Array( ! 'act', ! 'orderby', ! 'orderdir', ! 'page' ! ); ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } ! } ! if ($_SESSION['_usertype'] == 'Client') { ThrowOut(); } *************** *** 75,79 **** // Set up sorting and grouping values for the unresolved issue list ! 
if ($orderby == '' && $_SESSION['_orderby-unassigned'] != '') { // Use stored ordering unless another selection has been made $orderby = $_SESSION['_orderby-unassigned']; --- 108,112 ---- // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && isset($_SESSION['_orderby-unassigned'])) { // Use stored ordering unless another selection has been made $orderby = $_SESSION['_orderby-unassigned']; *************** *** 273,294 **** // Show attributes ! if ($record[id] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; ! print " <td class=\"$class\">".$record[reportedbyname]."</td>\n"; ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! print preg_replace('/Ungraded/',gettext('Ungraded'),$record[priorityname]); } print "</td>\n"; --- 306,327 ---- // Show attributes ! if ($record['id'] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; ! print " <td class=\"$class\">".$record['reportedbyname']."</td>\n"; ! 
print " <td class=\"$class\">".$record['sitename']."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! print preg_replace('/Ungraded/',gettext('Ungraded'),$record['priorityname']); } print "</td>\n"; |
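Review bot: in the sitesandusers.php 64,148 hunk, the array branch of both scrub loops writes the sanitized value to `$_POST[$key2][$val2]` (and `$_REQUEST[$key2][$val2]`) instead of back into `$_POST[$key][$key2]`, so the elements of array parameters such as `sites` and `users` reach `$$post = $_POST[$post]` unsanitized while a stray key named after each index is created; the assignment should be `$_POST[$key][$key2] = ...`. The `die('FATAL::XSS hack attempt detected. Your IP has been logged.')` triggered by a `%` in the urlencoded field name logs nothing in this hunk; either add the log call or drop the claim so incident review is not misled. Minor: `elseif (!isset($_POST[$post]) && $post == 'sites')` can be `elseif ($post == 'sites')`, since the preceding `if` already covers the isset case.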
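Review bot: in the unassignedissues.php 56,67 hunk, `global $act, $orderby, $page, $categories;` omits `$orderdir` even though it is in `$getarg`, so a request without `orderdir` leaves that variable undefined wherever it is interpolated later; add it to the list or give each `$getarg` entry an explicit default before the `foreach`. The same mis-indexed store as elsewhere in this commit is present here: `$_GET[$key2][$val2] = ...` should be `$_GET[$key][$key2] = ...`, otherwise array-valued GET parameters bypass `strip_tags`/`htmlentities` entirely.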
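Review bot: in the unassignedissues.php 273,294 hunk, quoting the array keys (`$record['id']`, `$record['createdon']`, ...) fixes the undefined-constant notices, but the values are still printed into the HTML table unencoded; the ingress `htmlentities` only covers data that entered through this release's request scrubbing, not rows stored before it or written by other code paths. Wrapping each `$record[...]` in `htmlspecialchars(..., ENT_QUOTES)` at the `print` keeps the output safe regardless of how the row was created.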
From: Scott P. <wht...@us...> - 2007-09-13 00:01:30
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv7989 Modified Files: issue.php Log Message: Fix undefined index. Index: issue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/issue.php,v retrieving revision 1.43 retrieving revision 1.44 diff -C2 -d -r1.43 -r1.44 *** issue.php 12 Sep 2007 23:32:13 -0000 1.43 --- issue.php 13 Sep 2007 00:01:26 -0000 1.44 *************** *** 1254,1258 **** <label for="level"><?php echo gettext("Level");?></label> </div> ! <?php if (count($levelsRS) > 1 && $acl['edit_level']) {?> <div class="field"> <select name="level" id="level"> --- 1254,1258 ---- <label for="level"><?php echo gettext("Level");?></label> </div> ! <?php if (count($levelsRS) > 1 && isset($acl['edit_level'])) {?> <div class="field"> <select name="level" id="level"> |
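Review bot: in the issue.php 1254,1258 hunk, `isset($acl['edit_level'])` silences the undefined-index notice but changes the authorization semantics: an ACL entry explicitly set to `false` or `0` now passes the check and the level `<select>` is rendered. Use `!empty($acl['edit_level'])` so that both "not set" and "set to false" deny, which is what the original `$acl['edit_level']` test intended.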
From: Scott P. <wht...@us...> - 2007-09-12 23:37:39
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv29711 Modified Files: index.php Log Message: fix bustage from missing } Index: index.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/index.php,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** index.php 12 Sep 2007 23:32:13 -0000 1.13 --- index.php 12 Sep 2007 23:37:32 -0000 1.14 *************** *** 68,71 **** --- 68,72 ---- if(isset($_GET['redirect'])) { $redirect = htmlentities(strip_tags($_GET['redirect']), ENT_QUOTES); + } } ?> |
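Review bot: in the index.php 68,71 hunk, the added `}` closes the `else {` left open by revision 1.13 and restores parseable code; a `php -l index.php` before commit would have caught the parse error that took the entry page down between the two check-ins. While here: `htmlentities(strip_tags($_GET['redirect']), ENT_QUOTES)` only neutralises markup in `redirect`; if the value is later used as a navigation target, also verify it is a relative path inside the application so an externally supplied URL cannot be followed.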
From: Scott P. <wht...@us...> - 2007-09-12 23:32:24
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv27190 Modified Files: details.php domains.php find.php index.php issue.php levels.php login.php myissues.php mysitesissues.php newissue.php preferences.php priorities.php problemcategories.php reports.php search.php Log Message: Fix reveresed logic from last checkin. Index: priorities.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/priorities.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** priorities.php 11 Sep 2007 20:21:01 -0000 1.6 --- priorities.php 12 Sep 2007 23:32:13 -0000 1.7 *************** *** 71,75 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 71,75 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 80,84 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 80,84 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 93,97 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 93,97 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 102,106 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 102,106 ---- } else { ! 
if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: login.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/login.php,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** login.php 11 Sep 2007 19:14:10 -0000 1.15 --- login.php 12 Sep 2007 23:32:13 -0000 1.16 *************** *** 48,52 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 48,52 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 57,61 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 57,61 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: domains.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/domains.php,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** domains.php 11 Sep 2007 16:17:32 -0000 1.8 --- domains.php 12 Sep 2007 23:32:12 -0000 1.9 *************** *** 57,61 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 57,61 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 66,70 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 66,70 ---- } else { ! 
if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 80,84 **** if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 80,84 ---- if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 89,93 **** } else { ! if (get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 89,93 ---- } else { ! if (!get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 103,107 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 103,107 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 112,116 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 112,116 ---- } else { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: search.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/search.php,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** search.php 7 Feb 2007 01:20:04 -0000 1.8 --- search.php 12 Sep 2007 23:32:13 -0000 1.9 *************** *** 56,77 **** require 'header.php'; // Language selection set_text_domain("search"); // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! 
$id = $_REQUEST['id']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $page = $_GET['page']; ! $freetextscope = $_POST['freetextscope']; ! $freetext = $_POST['freetext']; ! $site = $_POST['site']; ! $reportedby = $_POST['reportedby']; ! $priority = $_POST['priority']; ! $level = $_POST['level']; ! $status = $_POST['status']; ! $category = $_POST['category']; ! $detail = $_POST['detail']; // Do we display the sites/usernames? --- 56,173 ---- require 'header.php'; + global $act; + // Language selection set_text_domain("search"); // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! 
if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $postarg = Array( ! 'freetextscope', ! 'freetext', ! 'site', ! 'reportedby', ! 'priority', ! 'level', ! 'status', ! 'category', ! 'detail' ! ); ! ! $getarg = Array( ! 'orderby', ! 'orderdir', ! 'page' ! ); ! ! $requestarg = Array( ! 'act', ! 'id' ! ); ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } ! } ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$post = $_GET[$get]; ! } ! } ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$post = $_REQUEST[$request]; ! } ! } // Do we display the sites/usernames? *************** *** 281,285 **** $operator = 'AND'; foreach ($field as $sfield) { ! $sql .= " $operator $sfield LIKE '%".addslashes($searchstring)."%'"; $operator = 'OR'; } --- 377,381 ---- $operator = 'AND'; foreach ($field as $sfield) { ! $sql .= " $operator $sfield LIKE '%".$searchstring."%'"; $operator = 'OR'; } *************** *** 298,304 **** //echo "SELECT count(vw_Issues.ID) AS num FROM $sql\n<br>"; // How many issues would be in this category ! $num_issues = $issuesRS[0][num]; // Set page size and limit issues to that number ! 
$pagesize = $global_prefs[pagesize]; $num_pages = ceil($num_issues/$pagesize); $sql = "SELECT vw_Issues.* FROM $sql ORDER BY $orderby $orderdir"; --- 394,400 ---- //echo "SELECT count(vw_Issues.ID) AS num FROM $sql\n<br>"; // How many issues would be in this category ! $num_issues = $issuesRS[0]['num']; // Set page size and limit issues to that number ! $pagesize = $global_prefs['pagesize']; $num_pages = ceil($num_issues/$pagesize); $sql = "SELECT vw_Issues.* FROM $sql ORDER BY $orderby $orderdir"; *************** *** 309,313 **** $num_issues = count($issuesRS); // Set page size and limit issues to that number ! $pagesize = $global_prefs[pagesize]; $num_pages = ceil($num_issues/$pagesize); $sql = "SELECT DISTINCT $aselects FROM $afrom $sql ORDER BY $orderby $orderdir"; --- 405,409 ---- $num_issues = count($issuesRS); // Set page size and limit issues to that number ! $pagesize = $global_prefs['pagesize']; $num_pages = ceil($num_issues/$pagesize); $sql = "SELECT DISTINCT $aselects FROM $afrom $sql ORDER BY $orderby $orderdir"; Index: issue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/issue.php,v retrieving revision 1.42 retrieving revision 1.43 diff -C2 -d -r1.42 -r1.43 *** issue.php 11 Sep 2007 19:14:09 -0000 1.42 --- issue.php 12 Sep 2007 23:32:13 -0000 1.43 *************** *** 75,79 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); } --- 75,79 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); } *************** *** 84,88 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } --- 84,88 ---- } else { ! 
if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } *************** *** 97,101 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); } --- 97,101 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); } *************** *** 106,110 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } --- 106,110 ---- } else { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } Index: index.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/index.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** index.php 8 Sep 2007 23:56:49 -0000 1.12 --- index.php 12 Sep 2007 23:32:13 -0000 1.13 *************** *** 65,68 **** --- 65,72 ---- } } + else { + if(isset($_GET['redirect'])) { + $redirect = htmlentities(strip_tags($_GET['redirect']), ENT_QUOTES); + } ?> Index: problemcategories.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/problemcategories.php,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** problemcategories.php 11 Sep 2007 20:21:01 -0000 1.7 --- problemcategories.php 12 Sep 2007 23:32:13 -0000 1.8 *************** *** 67,71 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 67,71 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! 
if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 76,80 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 76,80 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 89,93 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 89,93 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 98,102 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 98,102 ---- } else { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: preferences.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/preferences.php,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** preferences.php 11 Sep 2007 19:14:10 -0000 1.14 --- preferences.php 12 Sep 2007 23:32:13 -0000 1.15 *************** *** 47,51 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 47,51 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 56,60 **** } else { ! 
if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 56,60 ---- } else { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: mysitesissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/mysitesissues.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** mysitesissues.php 11 Sep 2007 19:14:10 -0000 1.5 --- mysitesissues.php 12 Sep 2007 23:32:13 -0000 1.6 *************** *** 66,70 **** if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 66,70 ---- if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 75,79 **** } else { ! if (get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 75,79 ---- } else { ! if (!get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: find.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/find.php,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** find.php 11 Sep 2007 22:22:26 -0000 1.16 --- find.php 12 Sep 2007 23:32:12 -0000 1.17 *************** *** 67,71 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 67,71 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! 
if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 76,80 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 76,80 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 89,93 **** if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 89,93 ---- if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 98,102 **** } else { ! if (get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 98,102 ---- } else { ! if (!get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 111,115 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 111,115 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 120,124 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 120,124 ---- } else { ! 
if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: reports.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/reports.php,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** reports.php 7 Feb 2007 01:20:04 -0000 1.9 --- reports.php 12 Sep 2007 23:32:13 -0000 1.10 *************** *** 60,85 **** set_text_domain("reports"); // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $site = $_REQUEST['site']; ! $reportedby = $_REQUEST['reportedby']; ! $priority = $_REQUEST['priority']; ! $level = $_REQUEST['level']; ! $status = $_REQUEST['status']; ! $category = $_REQUEST['category']; ! $detail = $_REQUEST['detail']; ! $datefrom = $_REQUEST['datefrom']; ! $dateto = $_REQUEST['dateto']; ! $assignedto = $_REQUEST['assignedto']; ! $createdby = $_REQUEST['createdby']; ! if ($conf_db['dsn']['phptype'] == 'pgsql') { ! $is_pgsql = true; } ! $reset = $_REQUEST['reset']; if ($reset == 'yes') { // Reset remembered sql restrictions --- 60,150 ---- set_text_domain("reports"); + global $act, $message, $reset, $orderby, $id, $category, $reportedby, + $createdby, $assignedto, $level, $priority, $status, $detail, + $referer, $site, $datefrom, $dateto; + // Retrieve Get/Post variables ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! 
$_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } + $getarg = Array( + 'orderby', + 'orderdir' + ); ! $requestarg = Array( ! 'act', ! 'site', ! 'reportedby', ! 'priority', ! 'level', ! 'status', ! 'category', ! 'detail', ! 'datefrom', ! 'dateto', ! 'assignedto', ! 'createdby', ! 'reset' ! ); + foreach ($getarg as $get) { + if (isset($_GET[$get])) { + $$get = $_GET[$get]; + } + } + + foreach ($requestarg as $request) { + if (isset($_REQUEST[$request])) { + $$request = $_REQUEST[$request]; + } + } + + if ($conf_db['dsn']['phptype'] == 'pgsql') { + $is_pgsql = true; + } + if ($reset == 'yes') { // Reset remembered sql restrictions *************** *** 361,365 **** $issuesRS = db_recordset("SELECT count(vw_Issues.ID) AS num FROM $sql"); // How many issues would be in this category ! $num_issues = $issuesRS[0][num]; $issuesRS = db_recordset("SELECT sum(tbl_times.time) AS totaltime FROM tbl_times, $sql AND tbl_times.issue = vw_issues.id"); --- 426,430 ---- $issuesRS = db_recordset("SELECT count(vw_Issues.ID) AS num FROM $sql"); // How many issues would be in this category ! 
$num_issues = $issuesRS[0]['num']; $issuesRS = db_recordset("SELECT sum(tbl_times.time) AS totaltime FROM tbl_times, $sql AND tbl_times.issue = vw_issues.id"); *************** *** 392,396 **** // Make the back button work correctly for searches initiated from // an issue page (i.e. more issues like this links) ! $referer = $_SERVER['HTTP_REFERER']; if ($referer == '') $referer = 'reports.php'; ?> --- 457,463 ---- // Make the back button work correctly for searches initiated from // an issue page (i.e. more issues like this links) ! if (isset($_SERVER['HTTP_REFERER'])) { ! $referer = $_SERVER['HTTP_REFERER']; ! } if ($referer == '') $referer = 'reports.php'; ?> *************** *** 480,489 **** // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; --- 547,556 ---- // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; *************** *** 497,501 **** print 'Recalled'; } else { ! print $record[priorityname]; } print "</td>\n"; --- 564,568 ---- print 'Recalled'; } else { ! print $record['priorityname']; } print "</td>\n"; *************** *** 556,560 **** <?php foreach ($sitesRS as $record) { ! print (" <option value=\"${record[id]}\">${record[site]}</option>\n"); } ?> --- 623,627 ---- <?php foreach ($sitesRS as $record) { ! 
print (" <option value=\"${record['id']}\">${record['site']}</option>\n"); } ?> *************** *** 604,608 **** <?php foreach ($prioritiesRS as $record) { ! print (" <option value=\"${record[id]}\">${record[priority]}</option>\n"); } ?> --- 671,675 ---- <?php foreach ($prioritiesRS as $record) { ! print (" <option value=\"${record['id']}\">${record['priority']}</option>\n"); } ?> *************** *** 616,620 **** <?php foreach ($levelsRS as $record) { ! print (" <option value=\"${record[id]}\">${record[level]}</option>\n"); } ?> --- 683,687 ---- <?php foreach ($levelsRS as $record) { ! print (" <option value=\"${record['id']}\">${record['level']}</option>\n"); } ?> *************** *** 628,632 **** <?php foreach ($statusesRS as $record) { ! print (" <option value=\"${record[id]}\">${record[status]}</option>\n"); } ?> --- 695,699 ---- <?php foreach ($statusesRS as $record) { ! print (" <option value=\"${record['id']}\">${record['status']}</option>\n"); } ?> *************** *** 643,647 **** <?php foreach ($categoriesRS as $record) { ! print (" <option value=\"${record[id]}\">${record[description]}</option>\n"); } ?> --- 710,714 ---- <?php foreach ($categoriesRS as $record) { ! print (" <option value=\"${record['id']}\">${record['description']}</option>\n"); } ?> *************** *** 657,664 **** // Create a grouped <select> list, grouping details on categories foreach ($categoriesRS as $record) { ! print " <optgroup label=\"${record[description]}\">\n"; ! $current = filter_records($detailsRS,'category',$record[id]); foreach ($current as $recorddetail) { ! print " <option value=\"${recorddetail[id]}\">${recorddetail[description]}</option>\n"; } print " </optgroup>\n"; --- 724,731 ---- // Create a grouped <select> list, grouping details on categories foreach ($categoriesRS as $record) { ! print " <optgroup label=\"${record['description']}\">\n"; ! $current = filter_records($detailsRS,'category',$record['id']); foreach ($current as $recorddetail) { ! 
print " <option value=\"${recorddetail['id']}\">${recorddetail['description']}</option>\n"; } print " </optgroup>\n"; Index: levels.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/levels.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** levels.php 11 Sep 2007 19:14:10 -0000 1.6 --- levels.php 12 Sep 2007 23:32:13 -0000 1.7 *************** *** 72,76 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 72,76 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 81,85 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 81,85 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 94,98 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 94,98 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 103,107 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 103,107 ---- } else { ! 
if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: myissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/myissues.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** myissues.php 11 Sep 2007 19:14:10 -0000 1.6 --- myissues.php 12 Sep 2007 23:32:13 -0000 1.7 *************** *** 69,73 **** if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 69,73 ---- if(is_array($_GET[$key])) { foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 78,82 **** } else { ! if (get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 78,82 ---- } else { ! if (!get_magic_quotes_gpc()) { $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: details.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/details.php,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** details.php 11 Sep 2007 20:21:00 -0000 1.11 --- details.php 12 Sep 2007 23:32:12 -0000 1.12 *************** *** 61,65 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 61,65 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 70,74 **** } else { ! 
if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 70,74 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } *************** *** 84,88 **** if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 84,88 ---- if(is_array($_REQUEST[$key])) { foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 93,97 **** } else { ! if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 93,97 ---- } else { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } Index: newissue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/newissue.php,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** newissue.php 11 Sep 2007 19:14:10 -0000 1.13 --- newissue.php 12 Sep 2007 23:32:13 -0000 1.14 *************** *** 73,77 **** if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } --- 73,77 ---- if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); } *************** *** 82,86 **** } else { ! if (get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } --- 82,86 ---- } else { ! if (!get_magic_quotes_gpc()) { $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); } |
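Review bot: in the find.php hunk at 392,396 the isset() guard only moves the notice rather than removing it. When HTTP_REFERER is absent $referer is never assigned, so the unchanged `if ($referer == '') $referer = 'reports.php';` now reads an undefined variable and works only because an unset variable compares equal to ''. Give it a default in one step, e.g. `$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'reports.php';`. The header is client-supplied, and the comment says it becomes the back-button target, so wherever it is written into the page it should pass through htmlspecialchars(), and a check that it points back into this application would keep an arbitrary URL out of that link.

Review bot: the `$record[id]` to `$record['id']` hunks from 480,489 onward are notice fixes only; the values are still interpolated into HTML attributes unescaped (`value=\"${record['id']}\"`). That is fine for the numeric id columns, but `site`, `priority`, `level`, `status` and `description` should go through htmlspecialchars() at output unless every row is guaranteed to have been entity-encoded on the way in.

Review bot: the levels.php hunks at 72,76 and 81,85 (and the identical ones in myissues.php, details.php and newissue.php) flip the test to `!get_magic_quotes_gpc()`, which is the right direction since addslashes() is only needed when PHP has not already applied it, but the array branch they wrap still stores the result under the wrong keys: `$_POST[$key2][$val2] = addslashes(...)` uses the inner key as the outer index and the value as the inner index, so the real entry `$_POST[$key][$key2]` is never rewritten and a bogus one is created. It should be `$_POST[$key][$key2] = ...`, and likewise for the `$_REQUEST` and `$_GET` loops. Longer term, addslashes() is a charset-unaware SQL escaper; the database driver's own escaping function, or parameter binding at the query site, is the safer replacement for this whole block.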
From: Scott P. <wht...@us...> - 2007-09-11 22:22:29
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv23259 Modified Files: find.php Log Message: Missed some items on cleanup from last checkin. Index: find.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/find.php,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** find.php 11 Sep 2007 15:51:30 -0000 1.15 --- find.php 11 Sep 2007 22:22:26 -0000 1.16 *************** *** 314,323 **** foreach ($site as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 314,318 ---- foreach ($site as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 332,341 **** foreach ($reportedby as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 327,331 ---- foreach ($reportedby as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 350,359 **** foreach ($createdby as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 340,344 ---- foreach ($createdby as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 377,386 **** foreach ($assignedto as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! 
$sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 362,366 ---- foreach ($assignedto as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 395,404 **** foreach ($level as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 375,379 ---- foreach ($level as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 413,422 **** foreach ($priority as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 388,392 ---- foreach ($priority as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 431,440 **** foreach ($status as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 401,405 ---- foreach ($status as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 451,460 **** foreach ($category as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! 
} } $sql .= ') AND '; --- 416,420 ---- foreach ($category as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; *************** *** 469,478 **** foreach ($detail as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! if (!get_magic_quotes_gpc()) { ! $sql .= addslashes(htmlentities(strip_tags($record), ENT_QUOTES)); ! } ! else { ! $sql .= $record; ! } } $sql .= ') AND '; --- 429,433 ---- foreach ($detail as $record) { if ($flag == 0) { $flag = 1; } else { $sql .= ','; } ! $sql .= htmlentities(strip_tags($record), ENT_QUOTES); } $sql .= ') AND '; |
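Review bot: all nine of these hunks append the submitted value to $sql unquoted inside a parenthesised, comma-separated list (`$sql .= htmlentities(strip_tags($record), ENT_QUOTES);` followed by `$sql .= ') AND ';`). htmlentities() and strip_tags() only rewrite HTML metacharacters; digits, spaces, parentheses, operators and SQL keywords pass through untouched, so they give no protection in a numeric SQL context, and dropping the addslashes() branch changes nothing there either, since addslashes() only escapes quotes. The values come from the `<select>` options that submit `${record['id']}`, so cast them: `$sql .= (int) $record;`. Building each list once with `implode(',', array_map('intval', $site))` would also remove the repeated flag/comma logic duplicated across site, reportedby, createdby, assignedto, level, priority, status, category and detail.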
From: Scott P. <wht...@us...> - 2007-09-11 20:21:09
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv7056 Modified Files: details.php priorities.php problemcategories.php Log Message: More elegant way of sanitizing inputs and assinging GET/POST/REQUEST variables. Index: priorities.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/priorities.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** priorities.php 7 Feb 2007 01:20:04 -0000 1.5 --- priorities.php 11 Sep 2007 20:21:01 -0000 1.6 *************** *** 1,326 **** ! <?php ! ! /* ! ! priorities.php ! ! Priority Admin. Allows the user to administer the list of priorities ! for this domain an put them in order. The order given is from lowest ! severity to highest. [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! && $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! 
ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Priorities'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("priorities"); ! ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $priority = $_POST['priority']; ! $class = $_POST['class']; ! $priorities = $_REQUEST['priorities']; ! ! // Action: Add a priority to the system ! if ($act == 'addpriorityaction') { ! $act = 'addpriority'; ! // Make sure the priority has a name ! if ($priority == '') { ! $message = gettext("CORRECTION: You must give this priority a name."); ! } else { ! $prioritycount = db_recordset("SELECT * FROM tbl_Priorities WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $priorities = ''; ! // Add the priority ! db_send("INSERT INTO tbl_Priorities (priority,class,domain,sortorder) VALUES ('" . $priority . "'," . $class . "," . $_SESSION['_domain'] . ',' . count($prioritycount) . ")"); ! ! $act = ''; ! $message = gettext("NOTE: Priority successfully added to system."); ! } ! } ! ! // Action: Request details to add a priority to the system ! if ($act == 'addpriority') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a priority:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addpriorityaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="priority"><?php echo gettext('Priority Name')?></label></div> ! <div class="field"><input type="text" name="priority" id="priority" size="35" maxlength="50" value="<?php echo $priority?>" /></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> ! <label for="class"><?php echo gettext('Tag Colour')?>:</label> ! </div> ! <div class="field"> ! <select name="class" id="class"> ! 
<option value="2"><?php echo gettext('Red')?></option> ! <option value="1"><?php echo gettext('Yellow')?></option> ! <option value="0" selected="selected"><?php echo gettext('Green')?></option> ! </select> ! </div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Priority')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='priorities.php?priorities=<?php echo $priorities?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a priority ! if ($act == 'editpriorityaction') { ! $act = 'editpriority'; ! // Make sure the priority has a name ! if ($priority == '') { ! $message = gettext("CORRECTION: You must give this priority a name."); ! } else { ! // Edit the priority ! db_send("UPDATE tbl_Priorities SET priority='" . $priority . "',class=" . $class . " WHERE id=$priorities"); ! $message = gettext("NOTE: Priority successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a priority up ! if ($act == 'up') { ! // Find this priority's sort order ! $priority = db_recordset("SELECT sortorder,active FROM tbl_Priorities WHERE id=$priorities"); ! ! // Only change the ordering of active priorities ! if ($priority[0][active] == 1) { ! // Only move a priority up if it isn't at the top already ! if ($priority[0][sortorder] > 0) { ! // Find the priority that is one in line above it ! $newpriority = db_recordset("SELECT id FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($priority[0][sortorder]-1)); ! // Swap the sort orders for the two priorities ! db_send("UPDATE tbl_Priorities SET sortorder=" . ($priority[0][sortorder]-1) . " WHERE id=$priorities"); ! db_send("UPDATE tbl_Priorities SET sortorder=" . $priority[0][sortorder] . " WHERE id=" . $newpriority[0][id]); ! } ! } else { ! 
$message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ''; ! } ! ! // Action: Move a priority down ! if ($act == 'down') { ! // Find the lowest priority ! $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this priority's sort order ! $priority = db_recordset("SELECT sortorder,active FROM tbl_Priorities WHERE id=$priorities"); ! ! // Only change the ordering of active priorities ! if ($priority[0][active] == 1) { ! // Only move a priority down if it isn't at the bottom already ! if ($priority[0][sortorder] < (count($prioritiesRS)-1)) { ! // Find the priority that is one in line below it ! $newpriority = db_recordset("SELECT id FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($priority[0][sortorder]+1)); ! // Swap the sort orders for the two priorities ! db_send("UPDATE tbl_Priorities SET sortorder=" . ($priority[0][sortorder]+1) . " WHERE id=$priorities"); ! db_send("UPDATE tbl_Priorities SET sortorder=" . $priority[0][sortorder] . " WHERE id=" . $newpriority[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ''; ! } ! ! // Action: Remove a priority from the system ! if ($act == 'removepriority') { ! // Find the sort order of this priority ! $priority = db_recordset("SELECT sortorder FROM tbl_Priorities WHERE id=$priorities"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Priorities SET active=0,sortorder=-1 WHERE id=$priorities"); ! // change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Priorities SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $priority[0][sortorder]); ! $act = ''; ! $priorities = ''; ! $message = gettext("NOTE: Priority successfully removed."); ! } ! ! // Action: Request details to edit a priority ! 
if ($act == 'editpriority') { ! ! // Retrieve Priority information ! $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE id=" . $priorities); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a priority:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editpriorityaction" /> ! <input type="hidden" name="priorities" value="<?php echo $priorities?>" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="priority"><?php echo gettext('Priority Name')?></label></div> ! <div class="field"><input type="text" name="priority" id="priority" size="35" maxlength="50" value="<?php echo $prioritiesRS[0][priority]?>"></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> ! <label for="class"><?php echo gettext('Tag Colour')?>:</label> ! </div> ! <div class="field"> ! <?php ! if ($prioritiesRS[0]['class'] == 0) $class_green=' selected="selected"'; ! if ($prioritiesRS[0]['class'] == 1) $class_yellow=' selected="selected"'; ! if ($prioritiesRS[0]['class'] == 2) $class_red=' selected="selected"'; ! ?> ! <select name="class" id="class"> ! <option value="2"<?php echo $class_red?>><?php echo gettext('Red')?></option> ! <option value="1"<?php echo $class_yellow?>><?php echo gettext('Yellow')?></option> ! <option value="0"<?php echo $class_green?>><?php echo gettext('Green')?></option> ! </select> ! </div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='priorities.php?priorities=<?php echo $priorities?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! 
// Default action: Show priorities and invite user to choose action... ! if ($act == '') { ! // Retrieve priorities ! $sql = "SELECT * FROM tbl_Priorities WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $prioritiesRS = db_recordset($sql); ! $num_priorities = count($prioritiesRS); ! ! if (!$priorities) $priorities=$prioritiesRS[0][id]; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removepriority' || act == 'editpriority') && document.mainform.priorities.value == 0) { ! alert('<?php echo gettext('There are no priorities on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removepriority' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this priority?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the priorities of issues in this system:')?></h2> ! ! <div class="block"> ! <p><?php echo gettext('The first priority in this list is of lowest priority, and movement through the list would be synonymous with an increase in severity.')?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="priorities"><?php echo gettext('Priorities')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addpriority')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editpriority')" /><br /> ! 
<input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removepriority')" /> ! </div> ! <div class="columnleft"> ! <select name="priorities" id="priorities" size="10"> ! <?php ! if ($num_priorities == 0) { ! print (" <option value=\"0\" selected=\"selected\">[".gettext('No Priorities')."]</option>\n"); ! } ! foreach ($prioritiesRS as $record) { ! // Set as default if this was previously chosen ! if ($record[id] == $priorities) {$checked = " selected=\"selected\"";} else {$checked = '';}; ! if ($record[active] == 0) {$style = " class=\"inactive\"";} else {$style = '';}; ! print (" <option value=\"${record[id]}\"${checked}${style}>${record[priority]}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! ?> --- 1,395 ---- ! <?php ! ! /* ! ! priorities.php ! ! Priority Admin. Allows the user to administer the list of priorities ! for this domain an put them in order. The order given is from lowest ! severity to highest. [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if (isset($_SESSION['_usertype'])) { ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! && $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! } ! else { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Priorities'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! global $act, $message, $priority, $priorities, $class_green, $class_red, $class_yellow; ! // Language selection ! set_text_domain("priorities"); ! ! // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! 
foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $postarg = Array( ! 'priority', ! 'class' ! ); ! ! $requestarg = Array( ! 'act', ! 'priorities' ! ); ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } ! } ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } ! } ! ! // Action: Add a priority to the system ! if ($act == 'addpriorityaction') { ! $act = 'addpriority'; ! // Make sure the priority has a name ! if ($priority == '') { ! $message = gettext("CORRECTION: You must give this priority a name."); ! } else { ! $prioritycount = db_recordset("SELECT * FROM tbl_Priorities WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $priorities = ''; ! // Add the priority ! db_send("INSERT INTO tbl_Priorities (priority,class,domain,sortorder) VALUES ('" . $priority . "'," . $class . "," . $_SESSION['_domain'] . ',' . count($prioritycount) . ")"); ! ! $act = ''; ! $message = gettext("NOTE: Priority successfully added to system."); ! } ! } ! ! // Action: Request details to add a priority to the system ! if ($act == 'addpriority') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a priority:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addpriorityaction" /> ! <div class="labelfieldpair"> ! 
<div class="name"><label for="priority"><?php echo gettext('Priority Name')?></label></div> ! <div class="field"><input type="text" name="priority" id="priority" size="35" maxlength="50" value="<?php echo $priority?>" /></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> ! <label for="class"><?php echo gettext('Tag Colour')?>:</label> ! </div> ! <div class="field"> ! <select name="class" id="class"> ! <option value="2"><?php echo gettext('Red')?></option> ! <option value="1"><?php echo gettext('Yellow')?></option> ! <option value="0" selected="selected"><?php echo gettext('Green')?></option> ! </select> ! </div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Priority')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='priorities.php?priorities=<?php echo $priorities?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a priority ! if ($act == 'editpriorityaction') { ! $act = 'editpriority'; ! // Make sure the priority has a name ! if ($priority == '') { ! $message = gettext("CORRECTION: You must give this priority a name."); ! } else { ! // Edit the priority ! db_send("UPDATE tbl_Priorities SET priority='" . $priority . "',class=" . $class . " WHERE id=$priorities"); ! $message = gettext("NOTE: Priority successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a priority up ! if ($act == 'up') { ! // Find this priority's sort order ! $priority = db_recordset("SELECT sortorder,active FROM tbl_Priorities WHERE id=$priorities"); ! ! // Only change the ordering of active priorities ! if ($priority[0]['active'] == 1) { ! // Only move a priority up if it isn't at the top already ! if ($priority[0]['sortorder'] > 0) { ! // Find the priority that is one in line above it ! 
$newpriority = db_recordset("SELECT id FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($priority[0]['sortorder']-1)); ! // Swap the sort orders for the two priorities ! db_send("UPDATE tbl_Priorities SET sortorder=" . ($priority[0]['sortorder']-1) . " WHERE id=$priorities"); ! db_send("UPDATE tbl_Priorities SET sortorder=" . $priority[0]['sortorder'] . " WHERE id=" . $newpriority[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ''; ! } ! ! // Action: Move a priority down ! if ($act == 'down') { ! // Find the lowest priority ! $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this priority's sort order ! $priority = db_recordset("SELECT sortorder,active FROM tbl_Priorities WHERE id=$priorities"); ! ! // Only change the ordering of active priorities ! if ($priority[0]['active'] == 1) { ! // Only move a priority down if it isn't at the bottom already ! if ($priority[0]['sortorder'] < (count($prioritiesRS)-1)) { ! // Find the priority that is one in line below it ! $newpriority = db_recordset("SELECT id FROM tbl_Priorities WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($priority[0]['sortorder']+1)); ! // Swap the sort orders for the two priorities ! db_send("UPDATE tbl_Priorities SET sortorder=" . ($priority[0]['sortorder']+1) . " WHERE id=$priorities"); ! db_send("UPDATE tbl_Priorities SET sortorder=" . $priority[0]['sortorder'] . " WHERE id=" . $newpriority[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ''; ! } ! ! // Action: Remove a priority from the system ! if ($act == 'removepriority') { ! // Find the sort order of this priority ! $priority = db_recordset("SELECT sortorder FROM tbl_Priorities WHERE id=$priorities"); ! // deactivate it and negate the sort order ! 
db_send("UPDATE tbl_Priorities SET active=0,sortorder=-1 WHERE id=$priorities"); ! // change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Priorities SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $priority[0]['sortorder']); ! $act = ''; ! $priorities = ''; ! $message = gettext("NOTE: Priority successfully removed."); ! } ! ! // Action: Request details to edit a priority ! if ($act == 'editpriority') { ! ! // Retrieve Priority information ! $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE id=" . $priorities); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a priority:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editpriorityaction" /> ! <input type="hidden" name="priorities" value="<?php echo $priorities?>" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="priority"><?php echo gettext('Priority Name')?></label></div> ! <div class="field"><input type="text" name="priority" id="priority" size="35" maxlength="50" value="<?php echo $prioritiesRS[0]['priority']?>"></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> ! <label for="class"><?php echo gettext('Tag Colour')?>:</label> ! </div> ! <div class="field"> ! <?php ! if ($prioritiesRS[0]['class'] == 0) $class_green=' selected="selected"'; ! if ($prioritiesRS[0]['class'] == 1) $class_yellow=' selected="selected"'; ! if ($prioritiesRS[0]['class'] == 2) $class_red=' selected="selected"'; ! ?> ! <select name="class" id="class"> ! <option value="2"<?php echo $class_red?>><?php echo gettext('Red')?></option> ! <option value="1"<?php echo $class_yellow?>><?php echo gettext('Yellow')?></option> ! <option value="0"<?php echo $class_green?>><?php echo gettext('Green')?></option> ! </select> ! 
</div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='priorities.php?priorities=<?php echo $priorities?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show priorities and invite user to choose action... ! if ($act == '') { ! // Retrieve priorities ! $sql = "SELECT * FROM tbl_Priorities WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $prioritiesRS = db_recordset($sql); ! $num_priorities = count($prioritiesRS); ! ! if (!$priorities) $priorities=$prioritiesRS[0]['id']; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removepriority' || act == 'editpriority') && document.mainform.priorities.value == 0) { ! alert('<?php echo gettext('There are no priorities on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removepriority' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this priority?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Priority Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the priorities of issues in this system:')?></h2> ! ! <div class="block"> ! <p><?php echo gettext('The first priority in this list is of lowest priority, and movement through the list would be synonymous with an increase in severity.')?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! 
<input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="priorities"><?php echo gettext('Priorities')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addpriority')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editpriority')" /><br /> ! <input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removepriority')" /> ! </div> ! <div class="columnleft"> ! <select name="priorities" id="priorities" size="10"> ! <?php ! if ($num_priorities == 0) { ! print (" <option value=\"0\" selected=\"selected\">[".gettext('No Priorities')."]</option>\n"); ! } ! foreach ($prioritiesRS as $record) { ! // Set as default if this was previously chosen ! if ($record['id'] == $priorities) {$checked = " selected=\"selected\"";} else {$checked = '';}; ! if ($record['active'] == 0) {$style = " class=\"inactive\"";} else {$style = '';}; ! print (" <option value=\"${record['id']}\"${checked}${style}>${record['priority']}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! 
?> Index: problemcategories.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/problemcategories.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** problemcategories.php 8 Sep 2007 23:56:50 -0000 1.6 --- problemcategories.php 11 Sep 2007 20:21:01 -0000 1.7 *************** *** 54,106 **** require_once 'system/message.php'; require 'header.php'; global $act, $categories, $message, $description; // Language selection set_text_domain("problemcategories"); foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_POST[$key] = strip_tags($val); ! } ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! ! // Retrieve Get/Post variables ! if (!get_magic_quotes_gpc()) { ! if (isset($_REQUEST['act'])) { ! $act = addslashes($_REQUEST['act']); ! } ! if (isset($_POST['description'])) { ! $description = addslashes($_POST['description']); ! } ! if (isset($_REQUEST['details'])) { ! $details = addslashes($_REQUEST['details']); } ! if (isset($_REQUEST['categories'])) { ! $categories = addslashes($_REQUEST['categories']); } } ! else { ! if (isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } ! if (isset($_POST['description'])) { ! $description = $_POST['description']; ! } ! if (isset($_REQUEST['details'])) { ! $details = $_REQUEST['details']; } ! if (isset($_REQUEST['categories'])) { ! 
$categories = $_REQUEST['categories']; } } // Action: Add a category to the system if ($act == 'addcategoryaction') { --- 54,132 ---- require_once 'system/message.php'; require 'header.php'; + global $act, $categories, $message, $description; + // Language selection set_text_domain("problemcategories"); + + // Retrieve Get/Post variables foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } } ! else { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } } } ! ! $postarg = Array( ! 'description' ! ); ! ! $requestarg = Array( ! 'act', ! 'details', ! 'categories' ! ); ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; } ! } ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! 
$$request = $_REQUEST[$request]; } } + // Action: Add a category to the system if ($act == 'addcategoryaction') { *************** *** 185,189 **** <div class="labelfieldpair"> <div class="name"><label for="description"><?php echo gettext('Category Name')?></label></div> ! <div class="field"><input type="text" name="description" id="description" size="35" maxlength="50" value="<?php echo $categoriesRS[0]['description']?>"></div> </div> <div class="buttonpanel"> --- 211,215 ---- <div class="labelfieldpair"> <div class="name"><label for="description"><?php echo gettext('Category Name')?></label></div> ! <div class="field"><input type="text" name="description" id="description" size="35" maxlength="50" value="<?php echo html_entity_decode($categoriesRS[0]['description'])?>"></div> </div> <div class="buttonpanel"> *************** *** 340,344 **** print ("','"); } ! print ($res_record['id'] . "','" . addslashes($res_record['description'])); } } --- 366,370 ---- print ("','"); } ! print ($res_record['id'] . "','" . html_entity_decode($res_record['description'])); } } *************** *** 409,413 **** // Set as default if this was previously chosen if ($record['id'] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! print (" <option value=\"${record['id']}\"${checked}>${record['description']}</option>\n"); } ?> --- 435,439 ---- // Set as default if this was previously chosen if ($record['id'] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! 
print (" <option value=\"${record['id']}\"${checked}>".html_entity_decode($record['description'])."</option>\n"); } ?> Index: details.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/details.php,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** details.php 7 Feb 2007 01:20:03 -0000 1.10 --- details.php 11 Sep 2007 20:21:00 -0000 1.11 *************** *** 50,64 **** require_once 'system/user_preferences.php'; // Language selection set_text_domain("details"); // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $name = $_POST['name']; ! $email = $_POST['email']; ! $password = $_POST['password']; ! $password1 = $_POST['password1']; ! $password2 = $_POST['password2']; ! $defaultdomain = $_POST['defaultdomain']; $user_prefs = get_user_prefs($_SESSION['_id']); --- 50,128 ---- require_once 'system/user_preferences.php'; + global $act, $message, $defaultdomain; + // Language selection set_text_domain("details"); // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! 
if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $requestarg = Array( ! 'act' ! ); ! ! $postarg = Array( ! 'name', ! 'email', ! 'password', ! 'password1', ! 'password2', ! 'defaultdomain' ! ); ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } ! } ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } ! } $user_prefs = get_user_prefs($_SESSION['_id']); *************** *** 80,84 **** // Is the entered password correct? ! if ($password != '' && $pass[0][pass] != md5($password)) { $message = gettext('ERROR: Incorrect password.'); } else { --- 144,148 ---- // Is the entered password correct? ! if ($password != '' && $pass[0]['pass'] != md5($password)) { $message = gettext('ERROR: Incorrect password.'); } else { *************** *** 194,198 **** <?php foreach ($domainsRS as $record) { ! if ($record[defaultflag] == 1) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <option value=\"${record[domain]}\"$checked>${record[domainname]}</option>"; } --- 258,262 ---- <?php foreach ($domainsRS as $record) { ! if ($record['defaultflag'] == 1) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <option value=\"${record[domain]}\"$checked>${record[domainname]}</option>"; } |
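Review bot: the tail of the priorities.php hunk at the top of this message interpolates `$priorities` unquoted into SQL (`WHERE id=$priorities`, `WHERE id=" . $priorities`) and into the onclick URL `priorities.php?priorities=<?php echo $priorities?>`; neither addslashes() nor htmlentities() helps in an unquoted numeric context, so cast it once (`$priorities = (int)$priorities;`) before it is used in either place. The edit form also echoes `$prioritiesRS[0]['priority']` straight into `value="..."`; wrap it in htmlspecialchars($s, ENT_QUOTES) unless it is guaranteed to be stored entity-encoded.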
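Review bot: the array branch of the new scrubbing loop in problemcategories.php (hunk 54,106, `if(is_array($_POST[$key])) { foreach ($_POST[$key] as $key2 => $val2) {`) assigns to the wrong element: `$_POST[$key2][$val2] = ...` uses the inner key as the top-level key and the value as the second-level key, so the original `$_POST[$key][$key2]` entry is never sanitised and a stray entry is created; the `$_REQUEST` loop has the same mistake. It should be `$_POST[$key][$key2] = ...`. The magic-quotes test is also inverted relative to the block it replaces: the old code called addslashes() only when get_magic_quotes_gpc() was false, the new code calls it when it is true, so with magic quotes on the value is escaped twice and with it off not at all (and since htmlentities(..., ENT_QUOTES) has already turned both quote characters into entities, addslashes() here only ever touches backslashes). The separate `foreach($_GET ...)` loop is gone, so any code that still reads `$_GET` directly now sees raw input. As this identical block is pasted into details.php, login.php, myissues.php and issue.php in the same change, move it into one function under system/ so the fix is made once.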
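Review bot: html_entity_decode() in the output hunks of problemcategories.php (185,189; 340,344; 409,413) restores the raw characters without re-escaping them for the context they are printed into. In hunk 185 the decoded description is echoed inside `value="..."`, so a stored `&quot;` becomes a literal `"` and terminates the attribute; in hunk 340 it replaces addslashes() inside a `'`-delimited list (`print ("','")`), so a decoded `&#039;` ends the string early. Hunk 409 decodes into `<option>` element text, where strip_tags() at input has already removed `<`, so that one is lower risk. Since the input loop stores values entity-encoded, either echo them as stored, or decode and then htmlspecialchars($s, ENT_QUOTES) at output, and keep addslashes() (or json_encode()) for the quoted list.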
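Review bot: in details.php (hunk 50,64) the new loop runs htmlentities(strip_tags()) over every POST field and 'password', 'password1' and 'password2' are then read from the transformed $_POST, so what reaches `md5($password)` in hunk 80,84 is no longer what the user typed: `&` becomes `&amp;`, quotes become `&#039;`/`&quot;`, and strip_tags() can drop everything from a `<` onward, so distinct passwords collide and a password set by any path that does not apply exactly the same transform will not verify. Exempt the password fields from the loop (hash and compare the raw value) and do HTML encoding at output only. This copy also carries the wrong-index array assignment (`$_POST[$key2][$val2]`) and the reversed get_magic_quotes_gpc() test found in problemcategories.php. While touching this line, note that the check compares against an unsalted md5 of the password; a salted hash would be a worthwhile follow-up.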
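Review bot: hunk 194,198 in details.php quotes `$record['defaultflag']` but leaves `${record[domain]}` and `${record[domainname]}` with bare constant keys on the very next line, so the undefined-constant notice this commit is removing elsewhere remains here; change them to `${record['domain']}` and `${record['domainname']}` as well.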
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv12579 Modified Files: globalpreferences.php issue.php levels.php login.php myissues.php mysitesissues.php newissue.php preferences.php Log Message: More elegant way of sanitizing inputs and assinging GET/POST/REQUEST variables. Index: login.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/login.php,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** login.php 10 Sep 2007 00:45:11 -0000 1.14 --- login.php 11 Sep 2007 19:14:10 -0000 1.15 *************** *** 38,77 **** require_once 'system/logs.php'; // Start session and populate it with data session_start(); // Retrieve Get/Post variables ! if (!get_magic_quotes_gpc()) { ! if (isset($_POST['user'])) { ! $user = addslashes($_POST['user']); ! } ! if (isset($_POST['password'])) { ! $password = addslashes($_POST['password']); ! } ! if (isset($_POST['act'])) { ! $act = addslashes($_POST['act']); ! } ! if (isset($_POST['domain'])) { ! $domain = addslashes($_POST['domain']); } ! if (isset($_POST['redirect'])) { ! $redirect = addslashes($_POST['redirect']); } } ! else { ! if (isset($_POST['user'])) { ! $user = $_POST['user']; ! } ! if (isset($_POST['password'])) { ! $password = $_POST['password']; ! } ! if (isset($_POST['act'])) { ! $act = $_POST['act']; ! } ! if (isset($_POST['domain'])) { ! $domain = $_POST['domain']; ! } ! if (isset($_POST['redirect'])) { ! $redirect = $_POST['redirect']; } } --- 38,80 ---- require_once 'system/logs.php'; + global $user, $password; // Start session and populate it with data session_start(); // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! 
$_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } } } ! ! $postarg = Array( ! 'user', ! 'password', ! 'act', ! 'domain', ! 'redirect' ! ); ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; } } *************** *** 174,178 **** // If a domain has not yet been picked then choose the first one in the database ! if ($domain == '') { $sql = "SELECT * FROM tbl_Domains WHERE id>0 AND active=1"; $domains = db_recordset($sql); --- 177,181 ---- // If a domain has not yet been picked then choose the first one in the database ! if (!isset($domain)) { $sql = "SELECT * FROM tbl_Domains WHERE id>0 AND active=1"; $domains = db_recordset($sql); Index: myissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/myissues.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** myissues.php 7 Feb 2007 01:46:40 -0000 1.5 --- myissues.php 11 Sep 2007 19:14:10 -0000 1.6 *************** *** 59,72 **** require 'header.php'; // Language selection set_text_domain("myissues"); // Retrieve Get/Post variables ! $act = $_GET['act']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $orderby2 = $_GET['orderby2']; ! $orderdir2 = $_GET['orderdir2']; ! $closed = $_GET['closed']; // Should this page show the closed issues? // Default action: Show this user's issues --- 59,104 ---- require 'header.php'; + global $act, $orderby, $orderdir, $orderby2, $orderdir2, $closed; // Language selection set_text_domain("myissues"); // Retrieve Get/Post variables ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! 
if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! $getarg = Array( ! 'act', ! 'orderby', ! 'orderdir', ! 'orderby2', ! 'orderdir2', ! 'closed' ! ); ! //should this page show the closed issues? ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } ! } // Default action: Show this user's issues *************** *** 76,83 **** if ($_SESSION['_usertype'] == 'Domain Administrator' || $_SESSION['_usertype'] == 'Administrator' || $_SESSION['_usertype'] == 'Support Agent') { // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && $_SESSION['_orderby-myissues'] != '') { // Use stored ordering unless another selection has been made $orderby = $_SESSION['_orderby-myissues']; $orderdir = $_SESSION['_orderdir-myissues']; } if ($orderby == '') { --- 108,117 ---- if ($_SESSION['_usertype'] == 'Domain Administrator' || $_SESSION['_usertype'] == 'Administrator' || $_SESSION['_usertype'] == 'Support Agent') { // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && isset($_SESSION['_orderby-myissues'])) { // Use stored ordering unless another selection has been made + if (isset($_SESSION['_orderby-myissues'])) { $orderby = $_SESSION['_orderby-myissues']; $orderdir = $_SESSION['_orderdir-myissues']; + } } if ($orderby == '') { *************** *** 102,109 **** // Set up sorting and grouping values for the pending issue list ! 
if ($orderby2 == '' && $_SESSION['_orderby-myissues2'] != '') { // Use stored ordering unless another selection has been made ! $orderby2 = $_SESSION['_orderby-myissues2']; ! $orderdir2 = $_SESSION['_orderdir-myissues2']; } if ($orderby2 == '') { --- 136,145 ---- // Set up sorting and grouping values for the pending issue list ! if ($orderby2 == '' && !isset($_SESSION['_orderby-myissues2'])) { // Use stored ordering unless another selection has been made ! if (isset($_SESSION['_oderby-myissues2'] )) { ! $orderby2 = $_SESSION['_orderby-myissues2']; ! $orderdir2 = $_SESSION['_orderdir-myissues2']; ! } } if ($orderby2 == '') { *************** *** 160,164 **** // Choose open or closed if ($closed == 'true') { ! $pagesize = $global_prefs[closedpagesize]; $sql .= ' AND status=' . $closedstatus; } else { --- 196,200 ---- // Choose open or closed if ($closed == 'true') { ! $pagesize = $global_prefs['closedpagesize']; $sql .= ' AND status=' . $closedstatus; } else { *************** *** 170,174 **** // Choose open or closed if ($closed == 'true') { ! $pagesize = $global_prefs[closedpagesize]; $sql .= ' AND tbl_Issues.status=' . $closedstatus; } else { --- 206,210 ---- // Choose open or closed if ($closed == 'true') { ! $pagesize = $global_prefs['closedpagesize']; $sql .= ' AND tbl_Issues.status=' . $closedstatus; } else { *************** *** 246,253 **** $lastvalue = "\0"; foreach ($issuesRS as $record) { ! if ($lastvalue != $record[$grouporderby]) { ! // If different, toggle shading ! $flag = 1 - $flag; ! $lastvalue = $record[$grouporderby]; } if ($flag == 0) { --- 282,291 ---- $lastvalue = "\0"; foreach ($issuesRS as $record) { ! if (isset($record[$grouporderby])) { ! if ($lastvalue != $record[$grouporderby]) { ! // If different, toggle shading ! $flag = 1 - $flag; ! $lastvalue = $record[$grouporderby]; ! } } if ($flag == 0) { *************** *** 272,304 **** // Show attributes print " <tr valign=\"top\">\n"; ! 
print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; if ($closed == 'true') { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[closedon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[closedon]); } else { ! print strftime('%d/%m/%y',$record[closedon]); } print "</td>\n"; } else { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; } ! print " <td class=\"$class\">".$record[reportedbyname]."</td>\n"; ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! if ($record[priorityname] == "Ungraded") { print gettext('Ungraded'); } else { ! print $record[priorityname]; } } --- 310,342 ---- // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; if ($closed == 'true') { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['closedon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['closedon']); } else { ! print strftime('%d/%m/%y',$record['closedon']); } print "</td>\n"; } else { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; } ! print " <td class=\"$class\">".$record['reportedbyname']."</td>\n"; ! print " <td class=\"$class\">".$record['sitename']."</td>\n"; ! 
print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! if ($record['priorityname'] == "Ungraded") { print gettext('Ungraded'); } else { ! print $record['priorityname']; } } *************** *** 431,468 **** // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; if ($closed == 'true') { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[closedon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[closedon]); } else { ! print strftime('%d/%m/%y',$record[closedon]); } print "</td>\n"; ! print " <td class=\"$class\">".$record[assignedtoname]."</td>\n"; } else { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; ! if ($record[assignedtoname] == "* unassigned *") { print " <td class=\"$class\">".gettext("* unassigned *")."</td>\n"; } else { ! print " <td class=\"$class\">".$record[assignedtoname]."</td>\n"; } } ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! if ($record[priorityname] == "Ungraded") { print gettext('Ungraded'); } else { ! print $record[priorityname]; } } --- 469,506 ---- // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; if ($closed == 'true') { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['closedon']) == strftime('%d/%m/%y')) { ! 
print strftime('%H:%M',$record['closedon']); } else { ! print strftime('%d/%m/%y',$record['closedon']); } print "</td>\n"; ! print " <td class=\"$class\">".$record['assignedtoname']."</td>\n"; } else { print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; ! if ($record['assignedtoname'] == "* unassigned *") { print " <td class=\"$class\">".gettext("* unassigned *")."</td>\n"; } else { ! print " <td class=\"$class\">".$record['assignedtoname']."</td>\n"; } } ! print " <td class=\"$class\">".$record['sitename']."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! if ($record['priorityname'] == "Ungraded") { print gettext('Ungraded'); } else { ! print $record['priorityname']; } } Index: issue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/issue.php,v retrieving revision 1.41 retrieving revision 1.42 diff -C2 -d -r1.41 -r1.42 *** issue.php 10 Sep 2007 00:23:22 -0000 1.41 --- issue.php 11 Sep 2007 19:14:09 -0000 1.42 *************** *** 66,87 **** // Language selection set_text_domain("issue"); ! global $details, $act, $acl_reload, $delete_attachments, $selectremark, $publish, $confidential, $hs, $an_additional, $timeminutes, $timehours; //Clean oall POST values foreach($_POST as $key => $val) { ! // scubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "selectremark" && $key != "attachments" && $key != "delete_attachments" && $key != "existingkeywords") { ! if (!get_magic_quotes_gpc()) { ! 
$_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } else { ! $_POST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); } } } foreach($_REQUEST as $key => $val) { if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "selectremark" && $key != "attachments" && $key != "delete_attachments" && $key != "existingkeywords") { ! if (!get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } --- 66,110 ---- // Language selection set_text_domain("issue"); ! ! global $details, $act, $acl_reload, $delete_attachments, $selectremark, $publish, $confidential, $hs, $an_additional, $timeminutes, $timehours, $solution; ! //Clean oall POST values foreach($_POST as $key => $val) { ! // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } else { ! $_POST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); } } } foreach($_REQUEST as $key => $val) { + // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2, '<a>'), ENT_QUOTES); ! } ! } ! } ! else { ! 
if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); } *************** *** 91,208 **** } } // Retrieve Get/Post variables ! if(isset($_REQUEST['id'])) { ! $id = $_REQUEST['id']; ! } ! if(isset($_POST['delete_attachments'])) { ! $delete_attachments = $_POST['delete_attachments']; ! } ! if(isset($_POST['contact'])) { ! $contact = $_POST['contact']; ! } ! if(isset($_POST['location'])) { ! $location = $_POST['location']; ! } ! if(isset($_POST['summary'])) { ! $summary = $_POST['summary']; ! } ! if(isset($_POST['description'])) { ! $description = $_POST['description']; ! } ! if(isset($_POST['solution'])) { ! $solution = $_POST['solution']; ! } ! if(isset($_POST['remark'])) { ! $remark = $_POST['remark']; ! } ! if(isset($_POST['timehours'])) { ! $timehours = $_POST['timehours']; ! } ! if(isset($_POST['timeminutes'])) { ! $timeminutes = $_POST['timeminutes']; ! } ! if(isset($_POST['keywords'])) { ! $keywords = $_POST['keywords']; ! } ! if(isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } ! if(isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if(isset($_POST['oldlevel'])) { ! $oldlevel = $_POST['oldlevel']; ! } ! if(isset($_POST['oldlevelname'])) { ! $oldlevelname = $_POST['oldlevelname']; ! } ! if(isset($_POST['publish'])) { ! $publish = $_POST['publish']; ! } ! if(isset($_POST['existingkeywords'])) { ! $existingkeywords = $_POST['existingkeywords']; ! } ! if(isset($_POST['status'])) { ! $status = $_POST['status']; ! } ! if(isset($_POST['oldstatus'])) { ! $oldstatus = $_POST['oldstatus']; ! } ! if(isset($_POST['oldstatusname'])) { ! $oldstatusname = $_POST['oldstatusname']; ! } ! if(isset($_REQUEST['site'])) { ! $site = $_REQUEST['site']; ! } ! if(isset($_POST['newsite'])) { ! $newsite = $_POST['newsite']; ! } ! if(isset($_REQUEST['sitename'])) { ! $sitename = $_REQUEST['sitename']; ! } ! if(isset($_POST['newsitename'])) { ! $newsitename = $_POST['newsitename']; ! } ! 
if(isset($_REQUEST['createdby'])) { ! $createdby = $_REQUEST['createdby']; ! } ! if(isset($_REQUEST['reportedby'])) { ! $reportedby = $_REQUEST['reportedby']; ! } ! if(isset($_REQUEST['assignedto'])) { ! $assignedto = $_REQUEST['assignedto']; ! } ! if(isset($_REQUEST['oldassignedto'])) { ! $oldassignedto = $_REQUEST['oldassignedto']; ! } ! if(isset($_REQUEST['oldassignedtoname'])) { ! $oldassignedtoname = $_REQUEST['oldassignedtoname']; ! } ! if(isset($_POST['details'])) { ! $details = $_POST['details']; ! } ! if(isset($_POST['categories'])) { ! $categories = $_POST['categories']; ! } ! if(isset($_POST['remarkaction'])) { ! $remarkaction = $_POST['remarkaction']; ! } ! if(isset($_POST['confidential'])) { ! $confidential = $_POST['confidential']; ! } ! if(isset($_POST['selectremark'])) { ! $selectremark = $_POST['selectremark']; ! } ! if(isset($_POST['priority'])) { ! $priority = $_POST['priority']; ! } ! if(isset($_POST['oldpriority'])) { ! $oldpriority = $_POST['oldpriority']; } ! if(isset($_POST['oldpriorityname'])) { ! $oldpriorityname = $_POST['oldpriorityname']; } ! if ($details == '') $details = 0; if (!$id) { --- 114,174 ---- } } + // Retrieve Get/Post variables ! $postarg = Array( ! 'delete_attachments', ! 'contact', ! 'location', ! 'summary', ! 'description', ! 'remark', ! 'timehours', ! 'timeminutes', ! 'keywords', ! 'level', ! 'oldlevel', ! 'oldlevelname', ! 'publish', ! 'existingkeywords', ! 'status', ! 'oldstatus', ! 'oldstatusname', ! 'newsite', ! 'newsitename', ! 'details', ! 'categories', ! 'remarkaction', ! 'confidential', ! 'selectremark', ! 'priority', ! 'oldpriority', ! 'oldpriorityname', ! 'solution' ! ); ! ! $requestarg = Array( ! 'id', ! 'act', ! 'site', ! 'sitename', ! 'createdby', ! 'reportedby', ! 'assignedto', ! 'oldassignedto', ! 'oldassignedtoname' ! ); ! ! foreach($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } } ! foreach($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! 
$$request = $_REQUEST[$request]; ! } } ! if (!isset($details)) $details = 0; if (!$id) { Index: globalpreferences.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/globalpreferences.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** globalpreferences.php 10 Sep 2007 00:32:33 -0000 1.6 --- globalpreferences.php 11 Sep 2007 19:14:09 -0000 1.7 *************** *** 1,139 **** ! <?php ! ! /* ! ! globalpreferences.php ! ! Global Preferences page. ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if ($_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Global Preferences'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("globalpreferences"); ! ! // Retrieve Get/Post variables ! if (isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } ! ! // Action: Edit prefs ! if ($act == 'action') { ! 
$prefs = db_recordset("SELECT * FROM tbl_System_Preferences WHERE system=0 ORDER BY identifier"); ! ! $act = ''; ! ! $flag = true; ! $message = gettext("ERROR:"); ! ! foreach($prefs as $record) { ! if (isset($_REQUEST[$record['identifier']])) { ! if (is_numeric($_REQUEST[$record['identifier']])) { ! $value = $_REQUEST[$record['identifier']]; ! db_send("UPDATE tbl_System_Preferences SET value='" . $_REQUEST[$record['identifier']] . "' WHERE id=". $record['id']); ! } else { ! $message .= " ". sprintf(gettext("Value entered for %s is not a number - preference not updated."),$record['identifier']); ! $flag = false; ! } ! } ! } ! if ($flag) $message = gettext("NOTE: Preferences successfully changed."); ! } ! ! // Default action: Display prefs ! if ($act == '') { ! ! $prefs = db_recordset("SELECT * FROM tbl_System_Preferences WHERE system=0 ORDER BY identifier"); ! ! display($message); ! ?> ! ! <h1><?php echo gettext('Global Preferences')?></h1> ! <h2><?php echo gettext('Change the global preferences.')?></h2> ! ! <div class="block"> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="action" /> ! <div class="buttonpanel"> ! <input name="submit" type="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" value="<?php echo gettext('Reset')?>" /> ! </div> ! <?php ! $regex = array( ! '/Page size for restriction of closed issues/', ! '/Number of hours spent on a problem that is considered excessive and should be confirmed/', ! '/Maximum file upload size in bytes/', ! '/Page size for paging of issues/' ! ); ! $repl = array( ! gettext('Page size for restriction of closed issues'), ! gettext('Number of hours spent on a problem that is considered excessive and should be confirmed'), ! gettext('Maximum file upload size in bytes'), ! gettext('Page size for paging of issues') ! ); ! ! foreach($prefs as $record) { ! ?> ! <div class="labelfieldpair"> ! 
<div class="name"><?php echo $record['identifier']?>:</div> ! <div class="value"><?php echo preg_replace($regex, $repl, $record['comment'])?></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> </div> ! <div class="field"><input type="text" name="<?php echo $record['identifier']?>" value="<?php echo $record['value']?>"></div> ! </div> ! <?php ! } ! ?> ! <div class="buttonpanel"> ! <input name="submit" type="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" value="<?php echo gettext('Reset')?>" /> ! </div> ! </form> ! </div> ! ! <?php ! ! } ! ! // Include ! require 'footer.php'; ! ?> --- 1,139 ---- ! <?php ! ! /* ! ! globalpreferences.php ! ! Global Preferences page. ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if ($_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Global Preferences'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("globalpreferences"); ! ! 
// Retrieve Get/Post variables ! if (isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } ! ! // Action: Edit prefs ! if ($act == 'action') { ! $prefs = db_recordset("SELECT * FROM tbl_System_Preferences WHERE system=0 ORDER BY identifier"); ! ! $act = ''; ! ! $flag = true; ! $message = gettext("ERROR:"); ! ! foreach($prefs as $record) { ! if (isset($_REQUEST[$record['identifier']])) { ! if (is_numeric($_REQUEST[$record['identifier']])) { ! $value = $_REQUEST[$record['identifier']]; ! db_send("UPDATE tbl_System_Preferences SET value='" . $_REQUEST[$record['identifier']] . "' WHERE id=". $record['id']); ! } else { ! $message .= " ". sprintf(gettext("Value entered for %s is not a number - preference not updated."),$record['identifier']); ! $flag = false; ! } ! } ! } ! if ($flag) $message = gettext("NOTE: Preferences successfully changed."); ! } ! ! // Default action: Display prefs ! if ($act == '') { ! ! $prefs = db_recordset("SELECT * FROM tbl_System_Preferences WHERE system=0 ORDER BY identifier"); ! ! display($message); ! ?> ! ! <h1><?php echo gettext('Global Preferences')?></h1> ! <h2><?php echo gettext('Change the global preferences.')?></h2> ! ! <div class="block"> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="action" /> ! <div class="buttonpanel"> ! <input name="submit" type="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" value="<?php echo gettext('Reset')?>" /> ! </div> ! <?php ! $regex = array( ! '/Page size for restriction of closed issues/', ! '/Number of hours spent on a problem that is considered excessive and should be confirmed/', ! '/Maximum file upload size in bytes/', ! '/Page size for paging of issues/' ! ); ! $repl = array( ! gettext('Page size for restriction of closed issues'), ! gettext('Number of hours spent on a problem that is considered excessive and should be confirmed'), ! gettext('Maximum file upload size in bytes'), ! 
gettext('Page size for paging of issues') ! ); ! ! foreach($prefs as $record) { ! ?> ! <div class="labelfieldpair"> ! <div class="name"><?php echo $record['identifier']?>:</div> ! <div class="value"><?php echo preg_replace($regex, $repl, $record['comment'])?></div> ! </div> ! <div class="labelfieldpair"> ! <div class="name"> </div> ! <div class="field"><input type="text" name="<?php echo $record['identifier']?>" value="<?php echo $record['value']?>"></div> ! </div> ! <?php ! } ! ?> ! <div class="buttonpanel"> ! <input name="submit" type="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" value="<?php echo gettext('Reset')?>" /> ! </div> ! </form> ! </div> ! ! <?php ! ! } ! ! // Include ! require 'footer.php'; ! ?> Index: preferences.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/preferences.php,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** preferences.php 7 Feb 2007 01:20:04 -0000 1.13 --- preferences.php 11 Sep 2007 19:14:10 -0000 1.14 *************** *** 42,48 **** // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $identifier = $_REQUEST['identifier']; ! $type = $_REQUEST['type'] ? $_REQUEST['type'] : 'user'; // Specific page security and titles --- 42,82 ---- // Retrieve Get/Post variables ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! 
$_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $requestarg = Array( ! 'act', ! 'identifier', ! 'type' ! ); ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } ! elseif (!isset($_REQUEST[$request]) && $request == 'type') { ! $$request = 'user'; ! } ! } // Specific page security and titles *************** *** 68,71 **** --- 102,106 ---- require_once 'system/message.php'; + global $act, $message; // Prepare available language names $somecounter=1; *************** *** 251,257 **** <div class="labelfieldpair"> <div class="name"> ! <label for="<?php echo $pref[identifier]?>"><?php echo $pref[identifier]?>:</label> </div> ! <div class="value"><?php echo gettext($pref[description])?></div> </div> <div class="labelfieldpair"> --- 286,292 ---- <div class="labelfieldpair"> <div class="name"> ! <label for="<?php echo $pref['identifier']?>"><?php echo $pref['identifier']?>:</label> </div> ! <div class="value"><?php echo gettext($pref['description'])?></div> </div> <div class="labelfieldpair"> *************** *** 272,283 **** $value = $pref['value']; ?> ! <input type="radio" name="<?php echo $pref[identifier]?>" id="<?php echo $pref[identifier]?>true" value="true"<?php echo ($value == 'true'?' checked="checked"':'')?> /> ! <label for="<?php echo $pref[identifier]?>true"><?php echo gettext("Yes");?></label> ! <input type="radio" name="<?php echo $pref[identifier]?>" id="<?php echo $pref[identifier]?>false" value="false"<?php echo ($value!='true'?' checked="checked"':'')?> /> ! <label for="<?php echo $pref[identifier]?>false"><?php echo gettext("No");?></label> <?php } ! if (strtolower($pref[type]) == 'number' || ! strtolower($pref[type]) == 'text') { if (count($pref) > 0) { $value = $pref[0]['value']; --- 307,318 ---- $value = $pref['value']; ?> ! 
<input type="radio" name="<?php echo $pref['identifier']?>" id="<?php echo $pref['identifier']?>true" value="true"<?php echo ($value == 'true'?' checked="checked"':'')?> /> ! <label for="<?php echo $pref['identifier']?>true"><?php echo gettext("Yes");?></label> ! <input type="radio" name="<?php echo $pref['identifier']?>" id="<?php echo $pref['identifier']?>false" value="false"<?php echo ($value!='true'?' checked="checked"':'')?> /> ! <label for="<?php echo $pref['identifier']?>false"><?php echo gettext("No");?></label> <?php } ! if (strtolower($pref['type']) == 'number' || ! strtolower($pref['type']) == 'text') { if (count($pref) > 0) { $value = $pref[0]['value']; *************** *** 286,294 **** } ?> ! <input type="text" name="<?php echo $pref[identifier]?>" id="<?php echo $pref[identifier]?>" value="<?php echo $pref['value']?>" size="20" maxlength="100" /> <?php } ! if (strtolower($pref[type]) == 'multitext') { if (count($pref) > 0) { $value = $pref[0]['value']; --- 321,329 ---- } ?> ! <input type="text" name="<?php echo $pref['identifier']?>" id="<?php echo $pref['identifier']?>" value="<?php echo $pref['value']?>" size="20" maxlength="100" /> <?php } ! if (strtolower($pref['type']) == 'multitext') { if (count($pref) > 0) { $value = $pref[0]['value']; *************** *** 297,308 **** } ?> ! <textarea name="<?php echo $pref[identifier]?>" id="<?php echo $pref[identifier]?>" cols="62" rows="7"><?php echo $pref['value']?></textarea> <?php } ! if (strtolower($pref[type]) == 'langlist') { ?> ! <select name="<?php echo $pref[identifier]?>"> <?php foreach($avail_lang as $zelanguage) { --- 332,343 ---- } ?> ! <textarea name="<?php echo $pref['identifier']?>" id="<?php echo $pref['identifier']?>" cols="62" rows="7"><?php echo $pref['value']?></textarea> <?php } ! if (strtolower($pref['type']) == 'langlist') { ?> ! 
<select name="<?php echo $pref['identifier']?>"> <?php foreach($avail_lang as $zelanguage) { Index: mysitesissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/mysitesissues.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** mysitesissues.php 7 Feb 2007 01:20:04 -0000 1.4 --- mysitesissues.php 11 Sep 2007 19:14:10 -0000 1.5 *************** *** 56,67 **** require 'header.php'; // Language selection set_text_domain("mysitesissues"); // Retrieve Get/Post variables ! $act = $_GET['act']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $page = $_GET['page']; // Default action: Show this user's issues --- 56,99 ---- require 'header.php'; + global $act, $orderby, $orderdir, $page; // Language selection set_text_domain("mysitesissues"); // Retrieve Get/Post variables ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $getarg = Array( ! 'act', ! 'orderby', ! 'orderdir', ! 'page' ! ); ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } ! } // Default action: Show this user's issues *************** *** 71,78 **** } // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && $_SESSION['_orderby-site'] != '') { // Use stored ordering unless another selection has been made ! 
$orderby = $_SESSION['_orderby-site']; ! $orderdir = $_SESSION['_orderdir-site']; } --- 103,112 ---- } // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && isset($_SESSION['_orderby-site'])) { // Use stored ordering unless another selection has been made ! if (isset($_SESSION['_orderby-site'])) { ! $orderby = $_SESSION['_orderby-site']; ! $orderdir = $_SESSION['_orderdir-site']; ! } } *************** *** 110,119 **** // How many issues would be in this category if ($is_pgsql) { ! $num_issues = $issuesRS[0][num]; } else { $num_issues = count($issuesRS); } // Set page size and limit issues to that number ! $pagesize = $global_prefs[pagesize]; $num_pages = ceil($num_issues/$pagesize); if ($is_pgsql) { --- 144,153 ---- // How many issues would be in this category if ($is_pgsql) { ! $num_issues = $issuesRS[0]['num']; } else { $num_issues = count($issuesRS); } // Set page size and limit issues to that number ! $pagesize = $global_prefs['pagesize']; $num_pages = ceil($num_issues/$pagesize); if ($is_pgsql) { *************** *** 263,283 **** // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; ! print " <td class=\"$class\">".$record[reportedbyname]."</td>\n"; ! print " <td class=\"$class\">".preg_replace('/\* unassigned \*/',gettext('* unassigned *'),$record[assignedtoname])."</td>\n"; ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! 
print preg_replace('/Ungraded/',gettext('Ungraded'),$record[priorityname]); } print "</td>\n"; --- 297,317 ---- // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; ! print " <td class=\"$class\">".$record['reportedbyname']."</td>\n"; ! print " <td class=\"$class\">".preg_replace('/\* unassigned \*/',gettext('* unassigned *'),$record['assignedtoname'])."</td>\n"; ! print " <td class=\"$class\">".$record['sitename']."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! print preg_replace('/Ungraded/',gettext('Ungraded'),$record['priorityname']); } print "</td>\n"; Index: levels.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/levels.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** levels.php 7 Feb 2007 01:20:03 -0000 1.5 --- levels.php 11 Sep 2007 19:14:10 -0000 1.6 *************** *** 1,301 **** ! <?php ! ! /* ! ! levels.php ! ! Level Admin. Allows the user to administer the list of levels ! for this domain an put them in order. The order given is that of the ! life cycle of an escalated issue (1st line support -> higher). ! [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! 
This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if ($_SESSION['_usertype'] != 'Administrator' && ! $_SESSION['_usertype'] != 'Domain Administrator' && ! $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Levels'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("levels"); ! ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $level = $_POST['level']; ! $levels = $_REQUEST['levels']; ! ! // Action: Add a level to the system ! if ($act == 'addlevelaction') { ! $act = 'addlevel'; ! // Make sure the level has a name ! if ($level == '') { ! $message = gettext("CORRECTION: You must give this level a name."); ! } else { ! $levelcount = db_recordset("SELECT * FROM tbl_Levels WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! // Add the level ! db_send("INSERT INTO tbl_Levels (level,domain,sortorder) VALUES ('" . $level . "'," . $_SESSION['_domain'] . ',' . count($levelcount) . ")"); ! ! $levels = ''; ! $act = ''; ! $message = gettext("NOTE: Level successfully added to system."); ! } ! } ! ! // Action: Request details to add a level to the system ! if ($act == 'addlevel') { ! ! 
if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Level Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a level:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addlevelaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="level"><?php echo gettext('Level Name')?></label></div> ! <div class="field"><input type="text" name="level" id="level" size="35" maxlength="50" value="<?php echo $level?>" /></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Level')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='levels.php?levels=<?php echo $levels?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a level ! if ($act == 'editlevelaction') { ! $act = 'editlevel'; ! // Make sure the level has a name ! if ($level == '') { ! $message = gettext("CORRECTION: You must give this level a name."); ! } else { ! // Edit the level ! db_send("UPDATE tbl_Levels SET level='" . $level . "' WHERE ID=$levels"); ! $message = gettext("NOTE: Level successfully updated"); ! $act = ''; ! } ! } ! ! // Action: Remove a level from the system ! if ($act == 'removelevel') { ! // Find the sort order of this level ! $level = db_recordset("SELECT sortorder,active FROM tbl_Levels WHERE id=$levels"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Levels SET active=1-active,sortorder=-1 WHERE id=$levels"); ! // change all the higher sort orders in order to fill the gap that has now been made ! if ($level[0][active] == 0) { ! db_send("UPDATE tbl_Levels SET sortorder=sortorder+1 WHERE domain=$_SESSION[_domain] AND active=1"); ! }else{ db_send("UPDATE tbl_Levels SET sortorder=sortorder-1 ! 
WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $level[0][sortorder]); ! } ! $act = ""; ! $levels = ''; ! $message = gettext("NOTE: Level successfully (de)activated."); ! } ! ! // Action: Move a level up ! if ($act == 'up') { ! // Find this level's sort order ! $level = db_recordset("SELECT sortorder,active FROM tbl_Levels WHERE id=$levels"); ! ! // Only change the ordering of active levels ! if ($level[0][active] == 1) { ! // Only move a level up if it isn't at the top already ! if ($level[0][sortorder] > 0) { ! // Find the level that is one in line above it ! $newlevel = db_recordset("SELECT id FROM tbl_Levels WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($level[0][sortorder]-1)); ! // Swap the sort orders for the two levels ! db_send("UPDATE tbl_Levels SET sortorder=" . ($level[0][sortorder]-1) . " WHERE id=$levels"); ! db_send("UPDATE tbl_Levels SET sortorder=" . $level[0][sortorder] . " WHERE id=" . $newlevel[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Move a level down ! if ($act == 'down') { ! // Find the lowest level ! $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this level's sort order ! $level = db_recordset("SELECT sortorder,active FROM tbl_Levels WHERE id=$levels"); ! ! // Only change the ordering of active levels ! if ($level[0][active] == 1) { ! // Only move a level down if it isn't at the bottom already ! if ($level[0][sortorder] < (count($levelsRS)-1)) { ! // Find the level that is one in line below it ! $newlevel = db_recordset("SELECT id FROM tbl_Levels WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($level[0][sortorder]+1)); ! // Swap the sort orders for the two levels ! db_send("UPDATE tbl_Levels SET sortorder=" . ($level[0][sortorder]+1) . " WHERE id=$levels"); ! db_send("UPDATE tbl_Levels SET sortorder=" . 
$level[0][sortorder] . " WHERE id=" . $newlevel[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Request details to edit a level ! if ($act == 'editlevel') { ! ! // Retrieve Level information ! $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE id=" . $levels); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Level Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a level:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editlevelaction" /> ! <input type="hidden" name="levels" value="<?php echo $levels?>" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="level"><?php echo gettext('Level Name')?></label></div> ! <div class="field"><input type="text" name="level" id="level" size="35" maxlength="50" value="<?php echo $levelsRS[0][level]?>"></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='levels.php?levels=<?php echo $levels?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show levels and invite user to choose action... ! if ($act == '') { ! // Retrieve levels ! $sql = "SELECT * FROM tbl_Levels WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $levelsRS = db_recordset($sql); ! $num_levels = count($levelsRS); ! ! if (!$levels) $levels=$levelsRS[0][id]; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! 
function mainSubmit (act) { ! var flag = true; ! if ((act == 'removelevel' || act == 'editlevel') && document.mainform.levels.value == 0) { ! alert('<?php echo gettext("There are no levels on which to action your request.")?>'); ! flag = false; ! } ! if (act == 'removelevel' && flag && !confirm('<?php echo gettext("Are you sure you wish to change the status of this level?")?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Level Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the levels of issues in this system:')?></h2> ! ! <div class="block"> ! <p><?php echo gettext('The first level in this list is of lowest priority, and movement through the list would be synonymous with escalation of an issue.')?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="levels"><?php echo gettext('Levels')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addlevel')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editlevel')" /><br /> ! <input type="button" value="<?php echo gettext('(De)activate')?>" onclick="mainSubmit('removelevel')" /> ! </div> ! <div class="columnleft"> ! <select name="levels" id="levels" size="10"> ! <?php ! if ($num_levels == 0) { ! print (" <option value=\"0\" selected=\"selected\">[".gettext('No Levels')."]</option>\n"); ! } ! foreach ($levelsRS as $record) { ! // Set as default if this was previously chosen ! if ($record[id] == $levels) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! if ($record[active] == 0) {$style = " class=\"inactive\"";} else {$style = "";}; ! 
print (" <option value=\"${record[id]}\"${checked}${style}>${record[level]}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! ?> --- 1,370 ---- ! <?php ! ! /* ! ! levels.php ! ! Level Admin. Allows the user to administer the list of levels ! for this domain an put them in order. The order given is that of the ! life cycle of an escalated issue (1st line support -> higher). ! [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page security ! if (isset($_SESSION['_usertype'])) { ! if ($_SESSION['_usertype'] != 'Administrator' && ! $_SESSION['_usertype'] != 'Domain Administrator' && ! $_SESSION['_usertype'] != 'Root') { ! 
require_once 'system/security.php'; ! ThrowOut(); ! } ! } ! else { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Levels'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("levels"); ! ! global $act, $level, $levels, $message; ! // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ... [truncated message content] |
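Review bot: the `addslashes` branch in the scrub loop at the top of the first file (`if (get_magic_quotes_gpc()) { $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); }`) has its polarity inverted: when magic_quotes_gpc is on the values already carry slashes and this doubles them, and when it is off nothing is escaped before the values reach `db_send`. The condition should be `if (!get_magic_quotes_gpc())`, which is the form the old domains.php used. Two smaller points in the same hunk: `strip_tags($val, '<a>')` keeps anchor tags (attributes included, so any `href` or event handler survives) but the following `htmlentities` encodes the tag anyway, so the allowance does nothing useful; and `if (!$id)` at the end of the hunk still reads `$id` before assignment when `id` is absent, so initialise `$id = 0;` and `$act = '';` ahead of the whitelist loops, as the hunk already does for `$details`.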
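Review bot: the globalpreferences.php hunk marks every line (1,139) as changed while both sides read identically, so this is a line-ending or whitespace-only rewrite; please commit such conversions separately so the functional diffs stay reviewable. While the file is open, two pre-existing issues visible in both sides are worth fixing: `if ($act == 'action')` and `display($message)` read `$act` and `$message` before anything assigns them when `act` is absent, and the `is_numeric` guard admits forms such as `1e3` or a leading space that are then interpolated verbatim into `SET value='...'`; cast with `(int)` (or `(float)`) before building the `UPDATE`.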
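Review bot: the array branch of the scrub loop in preferences.php writes to `$_REQUEST[$key2][$val2]` instead of `$_REQUEST[$key][$key2]`, so array-valued fields are never sanitised and new entries keyed by the submitted values are created instead; the same index mix-up appears in the mysitesissues.php hunk (`$_GET[$key2][$val2]`) and the levels.php hunk (`$_POST[$key2][$val2]`). Also in this hunk: `die('FATAL::XSS hack attempt detected. Your IP has been logged.')` logs nothing, so either add the `error_log` call or drop the claim; `global $act, $message;` at file scope is a no-op and does not initialise either variable, so use `$act = ''; $message = '';` if the aim is to silence undefined-variable notices; and `elseif (!isset($_REQUEST[$request]) && $request == 'type')` repeats the negated `isset` from the `if`, so `elseif ($request == 'type')` is equivalent.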
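Review bot: in the mysitesissues.php sorting hunk the inner `if (isset($_SESSION['_orderby-site']))` repeats the enclosing condition, while `$_SESSION['_orderdir-site']` is read with no check at all; and `$orderby == ''` still reads an unassigned `$orderby` when `orderby` is not in the query string, so initialise `$orderby = ''` and `$orderdir = ''` before the `foreach`. Note too that `strip_tags`/`htmlentities` do not constrain these values: if `$orderby` and `$orderdir` end up in an `ORDER BY` clause (the comment says "Set up sorting", the query itself is outside this hunk), compare them against a fixed list of column names and `ASC`/`DESC` rather than relying on the scrub. `global $act, $orderby, $orderdir, $page;` at file scope is likewise a no-op.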
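Review bot: the levels.php page-security change nests two `ThrowOut()` paths where one condition would do: `if (!isset($_SESSION['_usertype']) || !in_array($_SESSION['_usertype'], array('Administrator', 'Domain Administrator', 'Root')))`. More importantly, the removed side interpolates `$levels` unquoted into SQL (`WHERE id=$levels`, `WHERE ID=$levels`), and `strip_tags`/`htmlentities` do nothing against a value like `1 OR 1=1` in that position; the new side is truncated here, so please confirm it casts with `(int)$levels` (or checks `is_numeric`) before any `db_recordset`/`db_send` call. The single-quoted `level='...'` interpolation is covered only because `ENT_QUOTES` turns `'` into `&#039;`, which also means the stored level name is entity-encoded and will double-encode if it is passed through `htmlentities` again on output.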
From: Scott P. <wht...@us...> - 2007-09-11 16:17:38
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv6666 Modified Files: domains.php Log Message: More elegant way of sanitizing inputs and assinging GET/POST/REQUEST variables. Index: domains.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/domains.php,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** domains.php 7 Sep 2007 22:04:21 -0000 1.7 --- domains.php 11 Sep 2007 16:17:32 -0000 1.8 *************** *** 48,52 **** require_once 'system/message.php'; ! global $act, $domain, $message; // Set Language set_text_domain("domains"); --- 48,52 ---- require_once 'system/message.php'; ! global $act, $domain, $message, $domains; // Set Language set_text_domain("domains"); *************** *** 55,79 **** // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } foreach($_REQUEST as $key => $val) { if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } // Retrieve Get/Post variables ! if (!get_magic_quotes_gpc()) { ! $act = addslashes($_REQUEST['act']); ! $domain = addslashes($_POST['domain']); ! $domains = addslashes($_REQUEST['domains']); ! $defaultpriority = addslashes($_POST['defaultpriority']); } ! else { ! $act = $_REQUEST['act']; ! $domain = $_POST['domain']; ! $domains = $_REQUEST['domains']; ! $defaultpriority = $_POST['defaultpriority']; } // Action: Add a domain to the system if ($act == 'adddomainaction') { --- 55,148 ---- // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! 
$_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } + + foreach($_GET as $key => $val) { + // scrubbing the field NAME... + if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if(is_array($_GET[$key])) { + foreach ($_GET[$key] as $key2 => $val2) { + if (get_magic_quotes_gpc()) { + $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (get_magic_quotes_gpc()) { + $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } + } + foreach($_REQUEST as $key => $val) { + // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } // Retrieve Get/Post variables ! $requestarg = Array( ! 'act', ! 'domains' ! ); ! ! $postarg = Array( ! 'domain', ! 'defaultpriority' ! ); ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } } ! ! 
foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } } + // Action: Add a domain to the system if ($act == 'adddomainaction') { *************** *** 95,99 **** $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$_SESSION['_domain']; --- 164,168 ---- $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$_SESSION['_domain']; *************** *** 114,118 **** $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$domains; --- 183,187 ---- $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$domains; *************** *** 139,143 **** $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$domains; --- 208,212 ---- $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php?domains='.$domains; |
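Review bot: The rewritten sanitising loops in the `55,148` hunk invert the magic-quotes test that the removed code had right: the old block ran `addslashes()` under `if (!get_magic_quotes_gpc())`, while the new `$_POST`, `$_GET` and `$_REQUEST` loops run it under `if (get_magic_quotes_gpc())`, so slashes are doubled when magic quotes are on and never added when they are off. The array branches also store to the wrong place: `$_POST[$key2][$val2] = ...` should be `$_POST[$key][$key2] = ...` (likewise for `$_GET` and `$_REQUEST`), otherwise array-valued parameters stay uncleaned and new keys are injected into the superglobal. Finally, the `$$request` / `$$post` assignments are guarded by `isset()`, so `$act`, `$domain`, `$domains` and `$defaultpriority` are undefined when the parameter is absent and `if ($act == 'adddomainaction')` then reads an undefined variable; initialise each name to `''` before the `foreach`.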
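Review bot: The three `$https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : '')` hunks (`95,99`, `114,118`, `139,143`) remove the undefined-index notice but still build an `https://` redirect on servers that populate `HTTPS` with the string `off` for plain-HTTP requests (IIS does this), since `isset()` is true for that value; test `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` instead, ideally in one shared helper rather than a copy per file. Since the same `Location:` line concatenates `$_SERVER['HTTP_HOST']`, which the client supplies, consider taking scheme and host from a configured base URL rather than from the request.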
From: Scott P. <wht...@us...> - 2007-09-11 15:51:34
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv27518 Modified Files: find.php Log Message: More elegant way of sanitizing inputs and assinging GET/POST/REQUEST variables. Index: find.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/find.php,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** find.php 8 Sep 2007 05:27:03 -0000 1.14 --- find.php 11 Sep 2007 15:51:30 -0000 1.15 *************** *** 56,121 **** require 'system/calendar.inc'; // Language selection set_text_domain("find"); foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } foreach($_GET as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); } // Retrieve Get/Post variables ! ! ## There are a lot of variables here to protect! ! if (!get_magic_quotes_gpc()) { ! ## Need to do it this way because some the $_REQUEST arrays are an array of arrays do to the building of the ! ## of the multiple box's ! $act = addslashes(htmlentities(strip_tags($_REQUEST['act']), ENT_QUOTES)); ! $id = addslashes(htmlentities(strip_tags($_REQUEST['id']), ENT_QUOTES)); ! $orderby = addslashes(htmlentities(strip_tags($_GET['orderby']), ENT_QUOTES)); ! $orderdir = addslashes(htmlentities(strip_tags($_GET['orderdir']), ENT_QUOTES)); ! $page = addslashes(htmlentities(strip_tags($_GET['page']), ENT_QUOTES)); ! $freetextscope = addslashes(htmlentities(strip_tags($_REQUEST['freetextscope']), ENT_QUOTES)); ! $freetext = addslashes(htmlentities(strip_tags($_REQUEST['freetext']), ENT_QUOTES)); ! $site = $_REQUEST['site']; ! $reportedby = $_REQUEST['reportedby']; ! $priority = $_REQUEST['priority']; ! $level = $_REQUEST['level']; ! 
$status = $_REQUEST['status']; ! $category = $_REQUEST['category']; ! $detail = $_REQUEST['detail']; ! $datefrom = addslashes(htmlentities(strip_tags($_REQUEST['datefrom']), ENT_QUOTES)); ! $dateto = addslashes(htmlentities(strip_tags($_REQUEST['dateto']), ENT_QUOTES)); ! $assignedto = $_REQUEST['assignedto']; ! $createdby = $_REQUEST['createdby']; ! $reset = addslashes(htmlentities(strip_tags($_REQUEST['reset']), ENT_QUOTES)); } ! else { ! $act = htmlentities(strip_tags($_REQUEST['act']), ENT_QUOTES); ! $id = htmlentities(strip_tags($_REQUEST['id']), ENT_QUOTES); ! $orderby = htmlentities(strip_tags($_GET['orderby']), ENT_QUOTES); ! $orderdir = htmlentities(strip_tags($_GET['orderdir']), ENT_QUOTES); ! $page = htmlentities(strip_tags($_GET['page']), ENT_QUOTES); ! $freetextscope = htmlentities(strip_tags($_REQUEST['freetextscope']), ENT_QUOTES); ! $freetext = htmlentities(strip_tags($_REQUEST['freetext']), ENT_QUOTES); ! $site = $_REQUEST['site']; ! $reportedby = $_REQUEST['reportedby']; ! $priority = $_REQUEST['priority']; ! $level = $_REQUEST['level']; ! $status = $_REQUEST['status']; ! $category = $_REQUEST['category']; ! $detail = $_REQUEST['detail']; ! $datefrom = htmlentities(strip_tags($_REQUEST['datefrom']), ENT_QUOTES); ! $dateto = htmlentities(strip_tags($_REQUEST['dateto']), ENT_QUOTES); ! $assignedto = $_REQUEST['assignedto']; ! $createdby = $_REQUEST['createdby']; ! $reset = $_REQUEST['reset']; } if ($reset == 'yes') { // Reset remembered sql restrictions --- 56,170 ---- require 'system/calendar.inc'; + global $reset, $act, $orderby, $site, $reportedby, $createdby, $assignedto, + $level, $priority, $status, $category, $detail, $page; // Language selection set_text_domain("find"); + ## There are a lot of variables here to protect! foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! 
foreach ($_POST[$key] as $key2 => $val2) { ! if (get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } } foreach($_GET as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if(is_array($_GET[$key])) { + foreach ($_GET[$key] as $key2 => $val2) { + if (get_magic_quotes_gpc()) { + $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (get_magic_quotes_gpc()) { + $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } + } + foreach($_REQUEST as $key => $val) { + // scrubbing the field NAME... + if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); + if(is_array($_REQUEST[$key])) { + foreach ($_REQUEST[$key] as $key2 => $val2) { + if (get_magic_quotes_gpc()) { + $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (get_magic_quotes_gpc()) { + $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } } // Retrieve Get/Post variables ! $requestarg = Array( ! 'act', ! 'id', ! 'freetextscope', ! 'freetext', ! 'site', ! 'reportedby', ! 'priority', ! 'level', ! 'status', ! 'category', ! 'detail', ! 'datefrom', ! 
'dateto', ! 'assignedto', ! 'createdby', ! 'reset' ! ); ! $getarg = Array( ! 'orderby', ! 'orderdir', ! 'page' ! ); ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } } ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } } + if ($reset == 'yes') { // Reset remembered sql restrictions |
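Review bot: The `56,170` hunk carries the same two defects as the `domains.php` rewrite in this batch: `addslashes()` is applied under `if (get_magic_quotes_gpc())`, the inverse of what the removed `if (!get_magic_quotes_gpc())` block did, and the array branches store to `$_POST[$key2][$val2]`, `$_GET[$key2][$val2]` and `$_REQUEST[$key2][$val2]` instead of `$_POST[$key][$key2]` and friends. The second point matters here in particular: the removed comment explains that `site`, `reportedby`, `priority`, `level`, `status`, `category`, `detail`, `assignedto` and `createdby` arrive as arrays from the multi-select boxes and used to be passed through untouched, and because of the key mix-up they still are. Also, `$reset` and the other `$$request` / `$$get` targets are only assigned when present, so `if ($reset == 'yes')` reads an undefined variable on a plain GET; give every listed name a `''` default before the loops.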
From: Scott P. <wht...@us...> - 2007-09-10 00:45:16
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv13683 Modified Files: login.php Log Message: cleanup some kludge from last checkin Index: login.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/login.php,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** login.php 10 Sep 2007 00:32:33 -0000 1.13 --- login.php 10 Sep 2007 00:45:11 -0000 1.14 *************** *** 182,191 **** if ($_SESSION['_domain'] == '') { $dirname = dirname($_SERVER['PHP_SELF']); ! if(isset($_SERVER['HTTPS'])) { ! $https = 'https'; ! } ! else { ! $https = 'http'; ! } $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php'; --- 182,186 ---- if ($_SESSION['_domain'] == '') { $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's': ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php'; *************** *** 242,251 **** $dirname = dirname($_SERVER['PHP_SELF']); $relative_url = $dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').$relative_url; ! if (isset($_SERVER['HTTPS'])) { ! $https = 'https'; ! } ! else { ! $https = 'http'; ! } $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$relative_url; --- 237,241 ---- $dirname = dirname($_SERVER['PHP_SELF']); $relative_url = $dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').$relative_url; ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's': ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$relative_url; |
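Review bot: Both hunks (`182,191` and `242,251`) collapse the `if/else` into `'http'.(isset($_SERVER['HTTPS']) ? 's': '')`, which is equivalent to the code it replaces and inherits its gap: some servers set `HTTPS` to `off` on plain-HTTP requests, and `isset()` is true for that value, so the redirect targets an `https://` URL that may not be served. Checking `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` covers both cases, and moving it into a small helper would remove the copies of this expression that now appear in several files.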
From: Scott P. <wht...@us...> - 2007-09-10 00:32:37
Update of /cvsroot/helpmeict/Helpdesk/system In directory sc8-pr-cvs17:/tmp/cvs-serv8517/system Modified Files: acl_issue.inc authentication.php remark.php Log Message: more fixes to magic_quotes, undefined contstants and variables. more fixes to input validation. Index: authentication.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/authentication.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** authentication.php 7 Sep 2007 05:04:13 -0000 1.5 --- authentication.php 10 Sep 2007 00:32:33 -0000 1.6 *************** *** 62,71 **** } else { return array( ! $result[0][username], ! $result[0][name], ! $result[0][email], ! $result[0][id], ! $result[0][root], ! $result[0][restricted] ); } --- 62,71 ---- } else { return array( ! $result[0]['username'], ! $result[0]['name'], ! $result[0]['email'], ! $result[0]['id'], ! $result[0]['root'], ! $result[0]['restricted'] ); } Index: remark.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/remark.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** remark.php 7 Feb 2007 01:20:17 -0000 1.6 --- remark.php 10 Sep 2007 00:32:33 -0000 1.7 *************** *** 72,76 **** AND tbl_UserSites.site=tbl_Issues.site"; $usertypes = db_recordset($sql); ! $usertype = $usertypes[0][usertypename]; if ($confidential != 1 || ($usertype!='Client' && $usertype!='Site Contact')) { // $recipients .= $user_details[email] . ","; --- 72,76 ---- AND tbl_UserSites.site=tbl_Issues.site"; $usertypes = db_recordset($sql); ! $usertype = $usertypes[0]['usertypename']; if ($confidential != 1 || ($usertype!='Client' && $usertype!='Site Contact')) { // $recipients .= $user_details[email] . 
","; Index: acl_issue.inc =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/system/acl_issue.inc,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** acl_issue.inc 7 Feb 2007 01:20:17 -0000 1.2 --- acl_issue.inc 10 Sep 2007 00:32:33 -0000 1.3 *************** *** 56,60 **** if (get_closed_status($_SESSION['_domain']) == $issue['status']) { ! if ($issue[published] == 0) { $acl['edit_publish'] = true; --- 56,60 ---- if (get_closed_status($_SESSION['_domain']) == $issue['status']) { ! if ($issue['published'] == 0) { $acl['edit_publish'] = true; *************** *** 118,122 **** else { ! $sql = "SELECT tbl_UserTypes.type AS usertypename FROM tbl_UserTypes LEFT JOIN tbl_UserSites ON tbl_UserSites.usertype = tbl_UserTypes.id WHERE tbl_UserSites.userid=".$uid." AND tbl_UserSites.site=".$issue[site]; $usertypesRS = db_recordset($sql); --- 118,122 ---- else { ! $sql = "SELECT tbl_UserTypes.type AS usertypename FROM tbl_UserTypes LEFT JOIN tbl_UserSites ON tbl_UserSites.usertype = tbl_UserTypes.id WHERE tbl_UserSites.userid=".$uid." AND tbl_UserSites.site=".$issue['site']; $usertypesRS = db_recordset($sql); *************** *** 255,259 **** } } ! elseif ($issue[assignedto] == 0) // If issue is not assigned. { $acl['edit_style'] = true; --- 255,259 ---- } } ! elseif ($issue['assignedto'] == 0) // If issue is not assigned. { $acl['edit_style'] = true; |
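Review bot: In the `118,122` hunk of `acl_issue.inc` the change quotes the array key but leaves `$uid` and `$issue['site']` concatenated into the SQL unquoted and uncast: `WHERE tbl_UserSites.userid=".$uid." AND tbl_UserSites.site=".$issue['site']`. Both are numeric identifiers, so casting each with `(int)` before building the string (or binding them as query parameters) guarantees the query shape cannot change if either value is ever something other than a number. The `authentication.php` and `remark.php` hunks are plain key quoting and look fine.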
From: Scott P. <wht...@us...> - 2007-09-10 00:32:37
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv8517 Modified Files: globalpreferences.php login.php logout.php recent.php unassignedissues.php Log Message: more fixes to magic_quotes, undefined contstants and variables. more fixes to input validation. Index: login.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/login.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** login.php 8 Sep 2007 23:56:50 -0000 1.12 --- login.php 10 Sep 2007 00:32:33 -0000 1.13 *************** *** 42,59 **** // Retrieve Get/Post variables - $act = $_POST['act']; - $domain = $_POST['domain']; - $redirect = $_POST['redirect']; if (!get_magic_quotes_gpc()) { ! $user = addslashes($_POST['user']); ! $password = addslashes($_POST['password']); } else { ! $user = $_POST['user']; ! $password = $_POST['password']; } // Default action: Login ! if ($act == '') { $result = (auth($user, $password)); if ($result == 0) { --- 42,82 ---- // Retrieve Get/Post variables if (!get_magic_quotes_gpc()) { ! if (isset($_POST['user'])) { ! $user = addslashes($_POST['user']); ! } ! if (isset($_POST['password'])) { ! $password = addslashes($_POST['password']); ! } ! if (isset($_POST['act'])) { ! $act = addslashes($_POST['act']); ! } ! if (isset($_POST['domain'])) { ! $domain = addslashes($_POST['domain']); ! } ! if (isset($_POST['redirect'])) { ! $redirect = addslashes($_POST['redirect']); ! } } else { ! if (isset($_POST['user'])) { ! $user = $_POST['user']; ! } ! if (isset($_POST['password'])) { ! $password = $_POST['password']; ! } ! if (isset($_POST['act'])) { ! $act = $_POST['act']; ! } ! if (isset($_POST['domain'])) { ! $domain = $_POST['domain']; ! } ! if (isset($_POST['redirect'])) { ! $redirect = $_POST['redirect']; ! } } // Default action: Login ! 
if (!isset($act)) { $result = (auth($user, $password)); if ($result == 0) { *************** *** 68,83 **** exit; } - //build array resulting from authentication $user = array( array ( ! user => "$result[0]", ! name => "$result[1]", ! email => "$result[2]", ! id => "$result[3]", ! root => "$result[4]", ! restricted => "$result[5]" ! ), ! ); // Register session variables --- 91,105 ---- exit; } //build array resulting from authentication $user = array( array ( ! 'user' => "$result[0]", ! 'name' => "$result[1]", ! 'email' => "$result[2]", ! 'id' => "$result[3]", ! 'root' => "$result[4]", ! 'restricted' => "$result[5]" ! ), ! ); // Register session variables *************** *** 100,104 **** // If this user is the root user then bypass finding the user type. ! if ($user[0][root] == 1) { $act = 'acceptroot'; --- 122,126 ---- // If this user is the root user then bypass finding the user type. ! if ($user[0]['root'] == 1) { $act = 'acceptroot'; *************** *** 130,137 **** // Set the first domain to default db_send("UPDATE tbl_UserDomains SET defaultflag=0 WHERE userid=$_SESSION[_id]"); ! db_send("UPDATE tbl_UserDomains SET defaultflag=1 WHERE userid=$_SESSION[_id] AND domain=" . $domains[0][domain]); } ! $domain = $domains[0][domain]; $act = 'accept'; --- 152,159 ---- // Set the first domain to default db_send("UPDATE tbl_UserDomains SET defaultflag=0 WHERE userid=$_SESSION[_id]"); ! db_send("UPDATE tbl_UserDomains SET defaultflag=1 WHERE userid=$_SESSION[_id] AND domain=" . $domains[0]['domain']); } ! $domain = $domains[0]['domain']; $act = 'accept'; *************** *** 148,153 **** // Set user type session variables ! $_SESSION['_usertype'] = $user[0][type]; ! $_SESSION['_usertypesortorder'] = $user[0][sortorder]; // If a domain has not yet been picked then choose the first one in the database --- 170,175 ---- // Set user type session variables ! $_SESSION['_usertype'] = $user[0]['type']; ! 
$_SESSION['_usertypesortorder'] = $user[0]['sortorder']; // If a domain has not yet been picked then choose the first one in the database *************** *** 156,164 **** $domains = db_recordset($sql); ! $_SESSION['_domain'] = $domains[0][id]; if ($_SESSION['_domain'] == '') { $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php'; --- 178,191 ---- $domains = db_recordset($sql); ! $_SESSION['_domain'] = $domains[0]['id']; if ($_SESSION['_domain'] == '') { $dirname = dirname($_SERVER['PHP_SELF']); ! if(isset($_SERVER['HTTPS'])) { ! $https = 'https'; ! } ! else { ! $https = 'http'; ! } $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'domains.php'; *************** *** 189,194 **** // Set user type session variables ! $_SESSION['_usertype'] = $user[0][usertypename]; ! $_SESSION['_usertypesortorder'] = $user[0][usertypesortorder]; } --- 216,221 ---- // Set user type session variables ! $_SESSION['_usertype'] = $user[0]['usertypename']; ! $_SESSION['_usertypesortorder'] = $user[0]['usertypesortorder']; } *************** *** 199,204 **** // Set the domain session variables ! $_SESSION['_domaincss'] = $domains[0][css]; ! $_SESSION['_domainname'] = $domains[0][domain]; $relative_url = $redirect; --- 226,231 ---- // Set the domain session variables ! $_SESSION['_domaincss'] = $domains[0]['css']; ! $_SESSION['_domainname'] = $domains[0]['domain']; $relative_url = $redirect; *************** *** 215,220 **** $dirname = dirname($_SERVER['PHP_SELF']); $relative_url = $dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').$relative_url; ! ! $https = 'http'.($_SERVER['HTTPS'] ? 
's' : ''); $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$relative_url; --- 242,251 ---- $dirname = dirname($_SERVER['PHP_SELF']); $relative_url = $dirname.(strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').$relative_url; ! if (isset($_SERVER['HTTPS'])) { ! $https = 'https'; ! } ! else { ! $https = 'http'; ! } $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$relative_url; *************** *** 230,234 **** <h1><?php echo gettext('Helpdesk Management Tool')?></h1> ! <h2><?php echo gettext('You have successfully logged into the domain')?>: <?php echo $domains[0][domain]; ?></h2> <div class="block"> --- 261,265 ---- <h1><?php echo gettext('Helpdesk Management Tool')?></h1> ! <h2><?php echo gettext('You have successfully logged into the domain')?>: <?php echo $domains[0]['domain']; ?></h2> <div class="block"> Index: globalpreferences.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/globalpreferences.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** globalpreferences.php 7 Feb 2007 01:20:03 -0000 1.5 --- globalpreferences.php 10 Sep 2007 00:32:33 -0000 1.6 *************** *** 52,56 **** // Retrieve Get/Post variables ! $act = $_REQUEST['act']; // Action: Edit prefs --- 52,58 ---- // Retrieve Get/Post variables ! if (isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } // Action: Edit prefs Index: logout.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/logout.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** logout.php 7 Feb 2007 01:20:03 -0000 1.4 --- logout.php 10 Sep 2007 00:32:33 -0000 1.5 *************** *** 1,57 **** ! <?php ! ! /* ! ! logout.php ! ! This page Logs the user out of the system. [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! 
## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! TO DO ! ! Sort out working with no domains. ! ---- ! ! Copyright (C) 2002 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! require_once 'system/db.php'; ! require_once 'system/logs.php'; ! ! // Start session and populate it with data ! session_start(); ! ! $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.($_SERVER['HTTPS'] ? 's' : ''); ! $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname. ! (strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'index.php'; ! ! if ($_SESSION['_id'] != '') { ! makelog($_SESSION['_id'],$_SESSION['_domain'],'LOGOUT',"$_SESSION[_name] has successfully logged out."); ! ! // Destroy any session that might exist effectively logging off ! session_destroy(); ! } ! ! header($headertext); ! ?> --- 1,57 ---- ! <?php ! ! /* ! ! logout.php ! ! This page Logs the user out of the system. [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! TO DO ! ! Sort out working with no domains. ! ---- ! ! Copyright (C) 2002 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! 
as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! require_once 'system/db.php'; ! require_once 'system/logs.php'; ! ! // Start session and populate it with data ! session_start(); ! ! $dirname = dirname($_SERVER['PHP_SELF']); ! $https = 'http'.(isset($_SERVER['HTTPS']) ? 's' : ''); ! $headertext = "Location: $https://".$_SERVER['HTTP_HOST'].$dirname. ! (strrpos($dirname,'/') == (strlen($dirname)-1)?'':'/').'index.php'; ! ! if ($_SESSION['_id'] != '') { ! makelog($_SESSION['_id'],$_SESSION['_domain'],'LOGOUT',"$_SESSION[_name] has successfully logged out."); ! ! // Destroy any session that might exist effectively logging off ! session_destroy(); ! } ! ! header($headertext); ! ?> Index: unassignedissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/unassignedissues.php,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** unassignedissues.php 11 Mar 2007 16:57:50 -0000 1.7 --- unassignedissues.php 10 Sep 2007 00:32:33 -0000 1.8 *************** *** 116,122 **** // How many issues would be in this category ! $num_issues = $issuesRS[0][num]; // Set page size and limit issues to that number ! $pagesize = $global_prefs[pagesize]; $num_pages = ceil($num_issues/$pagesize); // Find the highest status (the terminal status) and treat it as closed --- 116,122 ---- // How many issues would be in this category ! $num_issues = $issuesRS[0]['num']; // Set page size and limit issues to that number ! 
$pagesize = $global_prefs['pagesize']; $num_pages = ceil($num_issues/$pagesize); // Find the highest status (the terminal status) and treat it as closed Index: recent.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/recent.php,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** recent.php 7 Feb 2007 01:20:04 -0000 1.5 --- recent.php 10 Sep 2007 00:32:33 -0000 1.6 *************** *** 36,39 **** --- 36,49 ---- session_start(); + // Page security + require_once 'system/security.php'; + if (!isset($_SESSION['_usertype'])) { + ThrowOut(); + } + else { + if ($_SESSION['_usertype'] == '' || $_SESSION['_usertype'] == 'Root') { + ThrowOut(); + } + } // Page Title $ptitle = 'Recent Issues'; *************** *** 118,134 **** // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[publishedon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[publishedon]); } else { ! print strftime('%d/%m/%y',$record[publishedon]); } print "</td>\n"; if (!$hidesu) { ! print " <td class=\"$class\">".$record[reportedbyname]."</td>\n"; ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; } ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " </tr>\n"; } --- 128,144 ---- // Show attributes print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['publishedon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['publishedon']); } else { ! print strftime('%d/%m/%y',$record['publishedon']); } print "</td>\n"; if (!$hidesu) { ! print " <td class=\"$class\">".$record['reportedbyname']."</td>\n"; ! 
print " <td class=\"$class\">".$record['sitename']."</td>\n"; } ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " </tr>\n"; } |
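Review bot: In the `login.php` `42,59` hunk the new `isset()` guards leave `$user`, `$password`, `$act`, `$domain` and `$redirect` undefined when the field is absent, and the default-action test changed from `if ($act == '')` to `if (!isset($act))`, so a form that posts an empty `act` no longer takes the login path while a request with no `user` / `password` fields now calls `auth($user, $password)` on undefined variables. Initialise all five names to `''` before the guards and keep the `$act == ''` comparison; that also lets the two magic-quotes branches shrink to a single loop over the five names.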
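Review bot: The `156,164` and `215,220` hunks of `login.php` replace `($_SERVER['HTTPS'] ? 's' : '')` with an `isset()` `if/else`, and the `logout.php` hunk makes the same substitution inline; the undefined-index notice goes away, but `HTTPS=off`, which some servers set on plain-HTTP requests, still selects `https`. Test `!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'` in one shared helper. Separately, the `logout.php` hunk marks all 57 lines changed although only the `$https` line differs, which suggests a line-ending change went in with the fix; normalise line endings in a separate commit so the functional diff stays reviewable.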
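Review bot: In the `globalpreferences.php` hunk, wrapping the read in `if (isset($_REQUEST['act']))` removes the notice on the read but moves it to every later use of `$act` when the parameter is absent; use `$act = isset($_REQUEST['act']) ? $_REQUEST['act'] : '';` so the variable always exists. Unlike the other pages in this batch, `act` is not passed through `strip_tags()` / `htmlentities()` here, which is acceptable only as long as it is compared and never echoed.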
From: Scott P. <wht...@us...> - 2007-09-10 00:23:32
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv3881 Modified Files: issue.php Log Message: Cleaned up magic_quotes detection and input santizing. Fixed all undefined variables and constants. Added basic functionality for <a> html tags to show up in remarks. Allows links to show up in remarks if you add a remark like the following: e.g. This is a link i want you to see. <a href="www.google.com">A link I want you to see</a> Index: issue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/issue.php,v retrieving revision 1.40 retrieving revision 1.41 diff -C2 -d -r1.40 -r1.41 *** issue.php 7 Sep 2007 08:53:50 -0000 1.40 --- issue.php 10 Sep 2007 00:23:22 -0000 1.41 *************** *** 66,133 **** // Language selection set_text_domain("issue"); ! //Clean oall POST values foreach($_POST as $key => $val) { // scubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "selectremark") { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); } } - // Retrieve Get/Post variables ! ! $act = $_REQUEST['act']; ! $level = $_POST['level']; ! $oldlevel = $_POST['oldlevel']; ! $oldlevelname = $_POST['oldlevelname']; ! $publish = $_POST['publish']; ! $existingkeywords = $_POST['existingkeywords']; ! $status = $_POST['status']; ! $oldstatus = $_POST['oldstatus']; ! $oldstatusname = $_POST['oldstatusname']; ! $site = $_REQUEST['site']; ! $newsite = $_POST['newsite']; ! $sitename = $_REQUEST['sitename']; ! $newsitename = $_POST['newsitename']; ! $createdby = $_REQUEST['createdby']; ! $reportedby = $_REQUEST['reportedby']; ! $assignedto = $_REQUEST['assignedto']; ! $oldassignedto = $_REQUEST['oldassignedto']; ! $oldassignedtoname = $_REQUEST['oldassignedtoname']; ! $details = $_POST['details']; ! $categories = $_POST['categories']; ! $remarkaction = $_POST['remarkaction']; ! 
$confidential = $_POST['confidential']; ! $selectremark = $_POST['selectremark']; ! $priority = $_POST['priority']; ! $oldpriority = $_POST['oldpriority']; ! $oldpriorityname = $_POST['oldpriorityname']; ! $id = $_REQUEST['id']; ! $delete_attachments = $_POST['delete_attachments']; ! ! if (!get_magic_quotes_gpc()) { ! $contact = addslashes($_POST['contact']); ! $location = addslashes($_POST['location']); ! $summary = addslashes($_POST['summary']); ! $description = addslashes($_POST['description']); ! $solution = addslashes($_POST['solution']); ! $remark = addslashes($_POST['remark']); ! $timehours = addslashes($_POST['timehours']); ! $timeminutes = addslashes($_POST['timeminutes']); ! $keywords = addslashes($_POST['keywords']); } ! ! else { $contact = $_POST['contact']; $location = $_POST['location']; $summary = $_POST['summary']; $description = $_POST['description']; $solution = $_POST['solution']; $remark = $_POST['remark']; $timehours = $_POST['timehours']; $timeminutes = $_POST['timeminutes']; $keywords = $_POST['keywords']; ! } --- 66,205 ---- // Language selection set_text_domain("issue"); ! global $details, $act, $acl_reload, $delete_attachments, $selectremark, $publish, $confidential, $hs, $an_additional, $timeminutes, $timehours; //Clean oall POST values foreach($_POST as $key => $val) { // scubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "selectremark" && $key != "attachments" && $key != "delete_attachments" && $key != "existingkeywords") { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); ! } ! } ! } ! foreach($_REQUEST as $key => $val) { ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! 
if ($key != "selectremark" && $key != "attachments" && $key != "delete_attachments" && $key != "existingkeywords") { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); ! } } } // Retrieve Get/Post variables ! if(isset($_REQUEST['id'])) { ! $id = $_REQUEST['id']; } ! if(isset($_POST['delete_attachments'])) { ! $delete_attachments = $_POST['delete_attachments']; ! } ! if(isset($_POST['contact'])) { $contact = $_POST['contact']; + } + if(isset($_POST['location'])) { $location = $_POST['location']; + } + if(isset($_POST['summary'])) { $summary = $_POST['summary']; + } + if(isset($_POST['description'])) { $description = $_POST['description']; + } + if(isset($_POST['solution'])) { $solution = $_POST['solution']; + } + if(isset($_POST['remark'])) { $remark = $_POST['remark']; + } + if(isset($_POST['timehours'])) { $timehours = $_POST['timehours']; + } + if(isset($_POST['timeminutes'])) { $timeminutes = $_POST['timeminutes']; + } + if(isset($_POST['keywords'])) { $keywords = $_POST['keywords']; ! } ! if(isset($_REQUEST['act'])) { ! $act = $_REQUEST['act']; ! } ! if(isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if(isset($_POST['oldlevel'])) { ! $oldlevel = $_POST['oldlevel']; ! } ! if(isset($_POST['oldlevelname'])) { ! $oldlevelname = $_POST['oldlevelname']; ! } ! if(isset($_POST['publish'])) { ! $publish = $_POST['publish']; ! } ! if(isset($_POST['existingkeywords'])) { ! $existingkeywords = $_POST['existingkeywords']; ! } ! if(isset($_POST['status'])) { ! $status = $_POST['status']; ! } ! if(isset($_POST['oldstatus'])) { ! $oldstatus = $_POST['oldstatus']; ! } ! if(isset($_POST['oldstatusname'])) { ! $oldstatusname = $_POST['oldstatusname']; ! } ! if(isset($_REQUEST['site'])) { ! $site = $_REQUEST['site']; ! } ! if(isset($_POST['newsite'])) { ! $newsite = $_POST['newsite']; ! } ! 
if(isset($_REQUEST['sitename'])) { ! $sitename = $_REQUEST['sitename']; ! } ! if(isset($_POST['newsitename'])) { ! $newsitename = $_POST['newsitename']; ! } ! if(isset($_REQUEST['createdby'])) { ! $createdby = $_REQUEST['createdby']; ! } ! if(isset($_REQUEST['reportedby'])) { ! $reportedby = $_REQUEST['reportedby']; ! } ! if(isset($_REQUEST['assignedto'])) { ! $assignedto = $_REQUEST['assignedto']; ! } ! if(isset($_REQUEST['oldassignedto'])) { ! $oldassignedto = $_REQUEST['oldassignedto']; ! } ! if(isset($_REQUEST['oldassignedtoname'])) { ! $oldassignedtoname = $_REQUEST['oldassignedtoname']; ! } ! if(isset($_POST['details'])) { ! $details = $_POST['details']; ! } ! if(isset($_POST['categories'])) { ! $categories = $_POST['categories']; ! } ! if(isset($_POST['remarkaction'])) { ! $remarkaction = $_POST['remarkaction']; ! } ! if(isset($_POST['confidential'])) { ! $confidential = $_POST['confidential']; ! } ! if(isset($_POST['selectremark'])) { ! $selectremark = $_POST['selectremark']; ! } ! if(isset($_POST['priority'])) { ! $priority = $_POST['priority']; ! } ! if(isset($_POST['oldpriority'])) { ! $oldpriority = $_POST['oldpriority']; ! } ! if(isset($_POST['oldpriorityname'])) { ! $oldpriorityname = $_POST['oldpriorityname']; } *************** *** 173,177 **** // if the above query returns NO result, then the usertypename is BLANK ! if ($acl['denyall']) { print " <h1>".gettext('Error')."</h1>\n <h2 class=\"warning\">".gettext('You cannot view this issue')."</h2><div class=\"block\">\n</div>"; --- 245,249 ---- // if the above query returns NO result, then the usertypename is BLANK ! if (isset($acl['denyall'])) { print " <h1>".gettext('Error')."</h1>\n <h2 class=\"warning\">".gettext('You cannot view this issue')."</h2><div class=\"block\">\n</div>"; *************** *** 700,704 **** */ ! if ($acl['edit_details'] && $num_categories > 0) { $index = 0; foreach ($categoriesRS as $record) { --- 772,776 ---- */ ! 
if (isset($acl['edit_details']) && $num_categories > 0) { $index = 0; foreach ($categoriesRS as $record) { *************** *** 741,745 **** DetailsList[loop+shift] = new Option(eval('problems_' + i + '[loop*2+1]')); DetailsList[loop+shift].value = eval('problems_' + i + '[loop*2]'); ! if (DetailsList[loop+shift].value == <?php echo $issue[0][detail];?> && initialflag == 1) { DetailsList[loop+shift].selected = true; initialflag = 0; --- 813,817 ---- DetailsList[loop+shift] = new Option(eval('problems_' + i + '[loop*2+1]')); DetailsList[loop+shift].value = eval('problems_' + i + '[loop*2]'); ! if (DetailsList[loop+shift].value == <?php echo $issue[0]['detail'];?> && initialflag == 1) { DetailsList[loop+shift].selected = true; initialflag = 0; *************** *** 752,756 **** <?php } ! if ($acl['show_confidential']) { ?> --- 824,828 ---- <?php } ! if (isset($acl['show_confidential'])) { ?> *************** *** 797,801 **** if (document.mainform.assignedto.value != <?php echo $issue[0]['assignedto'];?> && document.mainform.assignedto.value != <?php echo $_SESSION['_id'];?> && !confirm('<?php echo gettext("Committing this action will re-assign this issue to another support agent.\\n\\nAre you sure you wish to commit?");?>')) flag = false; <?php ! if ($acl['edit_time']) { ?> if (document.mainform.timehours.value >= <?php echo $global_prefs['excessivehours'];?> && !confirm('<?php echo gettext("Committing this action will specify a large amount of time spent on the problem.\\n\\nAre you sure you wish to commit?");?>')) flag = false; --- 869,873 ---- if (document.mainform.assignedto.value != <?php echo $issue[0]['assignedto'];?> && document.mainform.assignedto.value != <?php echo $_SESSION['_id'];?> && !confirm('<?php echo gettext("Committing this action will re-assign this issue to another support agent.\\n\\nAre you sure you wish to commit?");?>')) flag = false; <?php ! 
if (isset($acl['edit_time'])) { ?> if (document.mainform.timehours.value >= <?php echo $global_prefs['excessivehours'];?> && !confirm('<?php echo gettext("Committing this action will specify a large amount of time spent on the problem.\\n\\nAre you sure you wish to commit?");?>')) flag = false; *************** *** 803,807 **** } ! if ($acl['edit_publish']) { ?> if (document.mainform.publish.checked && !confirm('<?php echo gettext("Committing this action will PUBLICLY publish this issue.\\n\\nAre you sure you wish to commit?");?>')) flag = false; --- 875,879 ---- } ! if (isset($acl['edit_publish'])) { ?> if (document.mainform.publish.checked && !confirm('<?php echo gettext("Committing this action will PUBLICLY publish this issue.\\n\\nAre you sure you wish to commit?");?>')) flag = false; *************** *** 826,830 **** } ! <?php if ($acl['recall_issue']) { ?> function recallSubmit () { if (confirm('<?php echo gettext("Are you sure you wish to recall the issue?");?>')) { --- 898,902 ---- } ! <?php if (isset($acl['recall_issue'])) { ?> function recallSubmit () { if (confirm('<?php echo gettext("Are you sure you wish to recall the issue?");?>')) { *************** *** 837,841 **** </script> ! <h1><?php echo gettext("Issue");?> #<?php echo $issue[0]['id'] . ($issue[0]['published'] == 0 ? ($closedstatus == $issue[0][status] ? ' ('.gettext('Closed').')' : '') : ' ('.gettext('Published').')');?></h1> <?php --- 909,913 ---- </script> ! <h1><?php echo gettext("Issue");?> #<?php echo $issue[0]['id'] . ($issue[0]['published'] == 0 ? ($closedstatus == $issue[0]['status'] ? ' ('.gettext('Closed').')' : '') : ' ('.gettext('Published').')');?></h1> <?php *************** *** 844,850 **** ?> <h2><?php echo gettext('Here is the information pertaining to the knowledge base item.')?> ! <?php if ($acl['view_remarks']) { echo gettext('Please check the <a href="#history">issue history</a> for the audit trail of this issue.');}?></h2> <?php ! 
} elseif ($issue[0][recalled] == 1) { if ($usertype != 'Client' && $usertype != 'Site Contact') { ?> --- 916,922 ---- ?> <h2><?php echo gettext('Here is the information pertaining to the knowledge base item.')?> ! <?php if (isset($acl['view_remarks'])) { echo gettext('Please check the <a href="#history">issue history</a> for the audit trail of this issue.');}?></h2> <?php ! } elseif ($issue[0]['recalled'] == 1) { if ($usertype != 'Client' && $usertype != 'Site Contact') { ?> *************** *** 864,868 **** <div class="block"> <form name="mainform" id="mainform" method="post" action="" class="login" enctype="multipart/form-data"> ! <?php if ($acl['edit_issue']) {?> <input type="hidden" name="act" value="action" /> <input type="hidden" name="oldlevel" value="<?php echo $issue[0]['level'];?>" /> --- 936,940 ---- <div class="block"> <form name="mainform" id="mainform" method="post" action="" class="login" enctype="multipart/form-data"> ! <?php if (isset($acl['edit_issue'])) {?> <input type="hidden" name="act" value="action" /> <input type="hidden" name="oldlevel" value="<?php echo $issue[0]['level'];?>" /> *************** *** 874,880 **** <input type="hidden" name="oldpriorityname" value="<?php echo $issue[0]['priorityname'];?>" /> <input type="hidden" name="oldassignedtoname" value="<?php echo $issue[0]['assignedtoname'];?>" /> ! <?php } elseif ($acl['recall_issue']) {?> <input type="hidden" name="act" value="revoke" /> ! <?php } elseif ($acl['unpublish_issue']) {?> <input type="hidden" name="act" value="unpublish" /> <?php }?> --- 946,952 ---- <input type="hidden" name="oldpriorityname" value="<?php echo $issue[0]['priorityname'];?>" /> <input type="hidden" name="oldassignedtoname" value="<?php echo $issue[0]['assignedtoname'];?>" /> ! <?php } elseif (isset($acl['recall_issue'])) {?> <input type="hidden" name="act" value="revoke" /> ! 
<?php } elseif (isset($acl['unpublish_issue'])) {?> <input type="hidden" name="act" value="unpublish" /> <?php }?> *************** *** 884,888 **** <?php //if ($usertype != 'Client' && $usertype != 'Site Contact' && $issue[0]['published'] == 0) { ! if ($acl['edit_style']) { // Top submit button, floating inline at the top - right // Note also the closing div tag just before the bottom submit button --- 956,960 ---- <?php //if ($usertype != 'Client' && $usertype != 'Site Contact' && $issue[0]['published'] == 0) { ! if (isset($acl['edit_style'])) { // Top submit button, floating inline at the top - right // Note also the closing div tag just before the bottom submit button *************** *** 890,898 **** <div class="rcolumn"> <div class="buttonpanel"> ! <?php if ($acl['edit_issue']) { ?> <input type="button" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> ! <?php } if ($acl['reset_issue']) { ?> <input name="reset" type="reset" id="reset3" value="<?php echo gettext("Reset");?>" onclick="document.location='issue.php?id=<?php echo $issue[0]['id'];?>'" /> ! <?php } if ($acl['recall_issue']) { ?> <input type="button" value="<?php echo gettext("Recall Issue");?>" onclick="recallSubmit()" /> <?php } ?> --- 962,970 ---- <div class="rcolumn"> <div class="buttonpanel"> ! <?php if (isset($acl['edit_issue'])) { ?> <input type="button" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> ! <?php } if (isset($acl['reset_issue'])) { ?> <input name="reset" type="reset" id="reset3" value="<?php echo gettext("Reset");?>" onclick="document.location='issue.php?id=<?php echo $issue[0]['id'];?>'" /> ! <?php } if (isset($acl['recall_issue'])) { ?> <input type="button" value="<?php echo gettext("Recall Issue");?>" onclick="recallSubmit()" /> <?php } ?> *************** *** 902,906 **** } ?> ! <?php if ($acl['view_createdby']) { ?> <div class="labelfieldpair"> <div class="name"><?php echo gettext("Created By");?>:</div> --- 974,978 ---- } ?> ! 
<?php if (isset($acl['view_createdby'])) { ?> <div class="labelfieldpair"> <div class="name"><?php echo gettext("Created By");?>:</div> *************** *** 912,916 **** <div class="value"><?php echo strftime('%d/%m/%y %H:%M',$issue[0]['createdon']);?></div> </div> ! <?php if ($acl['view_reportedby']) { ?> <div class="labelfieldpair"> <div class="name"><?php echo gettext("Reported By");?>:</div> --- 984,988 ---- <div class="value"><?php echo strftime('%d/%m/%y %H:%M',$issue[0]['createdon']);?></div> </div> ! <?php if (isset($acl['view_reportedby'])) { ?> <div class="labelfieldpair"> <div class="name"><?php echo gettext("Reported By");?>:</div> *************** *** 922,926 **** </div> <?php } ?> ! <?php if ($acl['view_site']) { ?> <div class="labelfieldpair"> <div class="name"> --- 994,998 ---- </div> <?php } ?> ! <?php if (isset($acl['view_site'])) { ?> <div class="labelfieldpair"> <div class="name"> *************** *** 928,932 **** </div> <div class="value" id="site"><?php echo $issue[0]['sitename'];?> ! <?php if ($acl['edit_site']) {?> [<a <?php print 'href="issue.php?id=' . $issue[0]['id'] . '&site=' . $issue[0]['site'] . '&sitename=' . $issue[0]['sitename'] . '&assignedto=' . $issue[0]['assignedto'] . '&act=changesite">'.gettext('Change Site');?></a>] <?php }?> --- 1000,1004 ---- </div> <div class="value" id="site"><?php echo $issue[0]['sitename'];?> ! <?php if (isset($acl['edit_site'])) {?> [<a <?php print 'href="issue.php?id=' . $issue[0]['id'] . '&site=' . $issue[0]['site'] . '&sitename=' . $issue[0]['sitename'] . '&assignedto=' . $issue[0]['assignedto'] . '&act=changesite">'.gettext('Change Site');?></a>] <?php }?> *************** *** 934,943 **** </div> <?php } ?> ! <?php if ($acl['view_assignedto']) {?> <div class="labelfieldpair"> <div class="name"> <label for="assignedto"><?php echo gettext("Assigned To");?></label> </div> ! <?php if (! 
$acl['edit_assignedto']) {?> <div class="value"> <input type="hidden" name="assignedto" id="assignedto" value="<?php echo $issue[0]['assignedto'];?>" /> --- 1006,1015 ---- </div> <?php } ?> ! <?php if (isset($acl['view_assignedto'])) {?> <div class="labelfieldpair"> <div class="name"> <label for="assignedto"><?php echo gettext("Assigned To");?></label> </div> ! <?php if (!isset($acl['edit_assignedto'])) {?> <div class="value"> <input type="hidden" name="assignedto" id="assignedto" value="<?php echo $issue[0]['assignedto'];?>" /> *************** *** 970,974 **** // Set as default if chosen if ($record['id'] == $issue[0]['assignedto']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print " <option value=\"${record[id]}\"$checked>".preg_replace('/\* unassigned \*/',gettext('* unassigned *'),$record['name'])."</option>\n"; } ?> --- 1042,1046 ---- // Set as default if chosen if ($record['id'] == $issue[0]['assignedto']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print " <option value=\"${record['id']}\"$checked>".preg_replace('/\* unassigned \*/',gettext('* unassigned *'),$record['name'])."</option>\n"; } ?> *************** *** 978,987 **** </div> <?php }?> ! <?php if ($acl['view_contactinfo']) { ?> <div class="labelfieldpair"> <div class="name"> <label for="contact"><?php echo gettext("Contact Info");?></label> </div> ! <?php if ($acl['edit_contactinfo']) {?> <div class="field"> <input name="contact" type="text" id="contact" size="60" maxlength="100" value="<?php echo $issue[0]['contact'];?>" /> --- 1050,1059 ---- </div> <?php }?> ! <?php if (isset($acl['view_contactinfo'])) { ?> <div class="labelfieldpair"> <div class="name"> <label for="contact"><?php echo gettext("Contact Info");?></label> </div> ! 
<?php if (isset($acl['edit_contactinfo'])) {?> <div class="field"> <input name="contact" type="text" id="contact" size="60" maxlength="100" value="<?php echo $issue[0]['contact'];?>" /> *************** *** 995,1004 **** </div> <?php }?> ! <?php if ($acl['view_location']) { ?> <div class="labelfieldpair"> <div class="name"> <label for="location"><?php echo gettext("Location");?></label> </div> ! <?php if ($acl['edit_location']) {?> <div class="field"> <input name="location" type="text" id="location" size="60" maxlength="100" value="<?php echo $issue[0]['location'];?>" /> --- 1067,1076 ---- </div> <?php }?> ! <?php if (isset($acl['view_location'])) { ?> <div class="labelfieldpair"> <div class="name"> <label for="location"><?php echo gettext("Location");?></label> </div> ! <?php if (isset($acl['edit_location'])) {?> <div class="field"> <input name="location" type="text" id="location" size="60" maxlength="100" value="<?php echo $issue[0]['location'];?>" /> *************** *** 1018,1027 **** <label for="categories"><?php echo gettext("Problem Category");?></label> </div> ! <?php if ($num_categories > 1 && $acl['edit_category']) {?> <div class="field"> <select name="categories" id="categories" onchange="SetupDetails()"> <?php foreach ($categoriesRS as $record) { if ($record['id'] == $issue[0]['category']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>".gettext($record['description'])."</option>\n"); }?> </select> --- 1090,1099 ---- <label for="categories"><?php echo gettext("Problem Category");?></label> </div> ! <?php if ($num_categories > 1 && isset($acl['edit_category'])) {?> <div class="field"> <select name="categories" id="categories" onchange="SetupDetails()"> <?php foreach ($categoriesRS as $record) { if ($record['id'] == $issue[0]['category']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! 
print (" <option value=\"${record['id']}\"$checked>".gettext($record['description'])."</option>\n"); }?> </select> *************** *** 1040,1044 **** <label for="details"><?php echo gettext("Problem Detail");?></label> </div> ! <?php if (count($detailsRS) > 1 && $acl['edit_details']) {?> <div class="field"> <select name="details" id="details"> --- 1112,1116 ---- <label for="details"><?php echo gettext("Problem Detail");?></label> </div> ! <?php if (count($detailsRS) > 1 && isset($acl['edit_details'])) {?> <div class="field"> <select name="details" id="details"> *************** *** 1076,1080 **** </div> <div class="field"> ! <?php if ($acl['edit_summary']) {?> <textarea name="summary" id="summary" cols="60" rows="2"><?php echo $issue[0]['summary'];?></textarea> <?php } else {?> --- 1148,1152 ---- </div> <div class="field"> ! <?php if (isset($acl['edit_summary'])) {?> <textarea name="summary" id="summary" cols="60" rows="2"><?php echo $issue[0]['summary'];?></textarea> <?php } else {?> *************** *** 1090,1094 **** </div> <div class="field"> ! <?php if ($acl['edit_description']) {?> <textarea name="description" id="description" cols="60" rows="6"><?php echo $issue[0]['description'];?></textarea> <?php } else {?> --- 1162,1166 ---- </div> <div class="field"> ! <?php if (isset($acl['edit_description'])) {?> <textarea name="description" id="description" cols="60" rows="6"><?php echo $issue[0]['description'];?></textarea> <?php } else {?> *************** *** 1104,1108 **** </div> <div class="field"> ! <?php if ($acl['edit_solution']) {?> <textarea name="solution" id="solution" cols="60" rows="4"><?php echo $issue[0]['solution'];?></textarea> <?php } else {?> --- 1176,1180 ---- </div> <div class="field"> ! <?php if (isset($acl['edit_solution'])) {?> <textarea name="solution" id="solution" cols="60" rows="4"><?php echo $issue[0]['solution'];?></textarea> <?php } else {?> *************** *** 1112,1116 **** </div> <?php }?> ! 
<?php if ($acl['edit_publish']) {?> <div class="labelfieldpair"> <div class="name"> </div> --- 1184,1188 ---- </div> <?php }?> ! <?php if (isset($acl['edit_publish'])) {?> <div class="labelfieldpair"> <div class="name"> </div> *************** *** 1121,1125 **** </div> <?php }?> ! <?php if ($acl['view_time']) { if ($is_pgsql) { $userTimes=db_recordset('SELECT SUM(time) AS totaltime FROM tbl_Times, tbl_Users WHERE tbl_Times.userid = tbl_Users.id AND tbl_Times.issue = ' . $issue[0]['id']); --- 1193,1197 ---- </div> <?php }?> ! <?php if (isset($acl['view_time'])) { if ($is_pgsql) { $userTimes=db_recordset('SELECT SUM(time) AS totaltime FROM tbl_Times, tbl_Users WHERE tbl_Times.userid = tbl_Users.id AND tbl_Times.issue = ' . $issue[0]['id']); *************** *** 1145,1149 **** } ?> ! <?php if ($acl['edit_time']) {?> <div class="labelfieldpair"> <div class="name"> --- 1217,1221 ---- } ?> ! <?php if (isset($acl['edit_time'])) {?> <div class="labelfieldpair"> <div class="name"> *************** *** 1158,1162 **** </div> <?php }?> ! <?php if ($acl['view_priority']) { $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['priority'] . " ORDER BY sortorder"); ?> --- 1230,1234 ---- </div> <?php }?> ! <?php if (isset($acl['view_priority'])) { $prioritiesRS = db_recordset("SELECT * FROM tbl_Priorities WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['priority'] . " ORDER BY sortorder"); ?> *************** *** 1165,1169 **** <label for="priority"><?php echo gettext("Priority");?></label> </div> ! <?php if (count($prioritiesRS) > 1 && $acl['edit_priority']) {?> <div class="field"> <select name="priority" id="priority"> --- 1237,1241 ---- <label for="priority"><?php echo gettext("Priority");?></label> </div> ! 
<?php if (count($prioritiesRS) > 1 && isset($acl['edit_priority'])) {?> <div class="field"> <select name="priority" id="priority"> *************** *** 1171,1175 **** foreach ($prioritiesRS as $record) { if ($record['id'] == $issue[0]['priority']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>". preg_replace('/Ungraded/',gettext('Ungraded'),$record['priority'])."</option>\n"); } --- 1243,1247 ---- foreach ($prioritiesRS as $record) { if ($record['id'] == $issue[0]['priority']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>". preg_replace('/Ungraded/',gettext('Ungraded'),$record['priority'])."</option>\n"); } *************** *** 1185,1189 **** </div> <?php }?> ! <?php if ($acl['view_status']) { $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['status'] . " ORDER BY sortorder");?> <div class="labelfieldpair"> --- 1257,1261 ---- </div> <?php }?> ! <?php if (isset($acl['view_status'])) { $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['status'] . " ORDER BY sortorder");?> <div class="labelfieldpair"> *************** *** 1191,1201 **** <label for="status"><?php echo gettext("Status");?></label> </div> ! <?php if (count($statusesRS) > 1 && $acl['edit_status']) {?> <div class="field"> <select name="status" id="status"> <?php foreach ($statusesRS as $record) { ! if ($record[id] == $issue[0]['status']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>${record[status]}</option>\n"); } ?> --- 1263,1273 ---- <label for="status"><?php echo gettext("Status");?></label> </div> ! 
<?php if (count($statusesRS) > 1 && isset($acl['edit_status'])) {?> <div class="field"> <select name="status" id="status"> <?php foreach ($statusesRS as $record) { ! if ($record['id'] == $issue[0]['status']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>${record['status']}</option>\n"); } ?> *************** *** 1210,1214 **** </div> <?php }?> ! <?php if ($acl['view_level']) { $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['level'] . " ORDER BY sortorder");?> <div class="labelfieldpair"> --- 1282,1286 ---- </div> <?php }?> ! <?php if (isset($acl['view_level'])) { $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) OR id=" . $issue[0]['level'] . " ORDER BY sortorder");?> <div class="labelfieldpair"> *************** *** 1320,1332 **** } ! if ($acl['edit_style']) {?> <hr class="hide" /> <div class="buttonpanel"> ! <?php if ($acl['edit_issue']) { ?> <input type="button" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> ! <?php } if ($acl['reset_issue']) { ?> <input name="reset" type="reset" id="reset4" value="<?php echo gettext("Reset");?>" onclick="document.location='issue.php?id=<?php echo $issue[0]['id'];?>'" /> <?php ! } elseif ($acl['recall_issue']) { ?> <input type="button" value="<?php echo gettext("Recall Issue");?>" onclick="recallSubmit()" /> --- 1392,1404 ---- } ! if (isset($acl['edit_style'])) {?> <hr class="hide" /> <div class="buttonpanel"> ! <?php if (isset($acl['edit_issue'])) { ?> <input type="button" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> ! <?php } if (isset($acl['reset_issue'])) { ?> <input name="reset" type="reset" id="reset4" value="<?php echo gettext("Reset");?>" onclick="document.location='issue.php?id=<?php echo $issue[0]['id'];?>'" /> <?php ! 
} elseif (isset($acl['recall_issue'])) { ?> <input type="button" value="<?php echo gettext("Recall Issue");?>" onclick="recallSubmit()" /> *************** *** 1339,1343 **** <?php }?> </div><!--1--> ! <?php if ($acl['edit_details'] && $num_categories > 0) { ?> <script language="javascript" type="text/javascript"> --- 1411,1415 ---- <?php }?> </div><!--1--> ! <?php if (isset($acl['edit_details']) && $num_categories > 0) { ?> <script language="javascript" type="text/javascript"> *************** *** 1351,1360 **** </script> <?php } ?> ! <?php if ($acl['view_remarks'] || $acl['add_remark'] || $acl['edit_remark']) { if (count($issue) > 0) { // Get all the remarks for this issue $sql = "SELECT tbl_Remarks.*,tbl_Users.name AS reportedbyname FROM tbl_Remarks,tbl_Users WHERE tbl_Remarks.issue=" . $issue[0]['id'] . " AND tbl_Remarks.reportedby=tbl_Users.id"; //if ($usertype == 'Client' || $usertype == 'Site Contact') { ! if (! $acl['show_confidential']) { $sql .= " AND tbl_Remarks.confidential=0"; } --- 1423,1432 ---- </script> <?php } ?> ! <?php if (isset($acl['view_remarks']) || isset($acl['add_remark']) || isset($acl['edit_remark'])) { if (count($issue) > 0) { // Get all the remarks for this issue $sql = "SELECT tbl_Remarks.*,tbl_Users.name AS reportedbyname FROM tbl_Remarks,tbl_Users WHERE tbl_Remarks.issue=" . $issue[0]['id'] . " AND tbl_Remarks.reportedby=tbl_Users.id"; //if ($usertype == 'Client' || $usertype == 'Site Contact') { ! if (!isset($acl['show_confidential'])) { $sql .= " AND tbl_Remarks.confidential=0"; } *************** *** 1365,1369 **** <a name="history" id="history"></a><h1><?php echo gettext("Issue History");?></h1> <h2><?php echo gettext("This issue's history can be found below.")?> ! 
<?php if ($acl['add_remark']) { ?> <?php echo gettext('Please follow this link to <a href="#addremark">add a remark</a>.');?> <?php } ?> --- 1437,1441 ---- <a name="history" id="history"></a><h1><?php echo gettext("Issue History");?></h1> <h2><?php echo gettext("This issue's history can be found below.")?> ! <?php if (isset($acl['add_remark'])) { ?> <?php echo gettext('Please follow this link to <a href="#addremark">add a remark</a>.');?> <?php } ?> *************** *** 1376,1380 **** ?> <p><?php echo gettext("There are no remarks in this history so far.");?></p> ! <?php } else { if ($acl['edit_remark']) {?> <div class="remarklabelfieldpairtop"> <div class="remarklabelright"> --- 1448,1452 ---- ?> <p><?php echo gettext("There are no remarks in this history so far.");?></p> ! <?php } else { if (isset($acl['edit_remark'])) {?> <div class="remarklabelfieldpairtop"> <div class="remarklabelright"> *************** *** 1430,1439 **** }?> </div> ! <?php if ($acl['edit_remark']) {?> <div class="remarklabelright"> <input type="checkbox" name="selectremark[]" id="selectremark<?php echo $record['id'];?>" value="<?php echo $record['id'];?>" onclick="hideConfidentiality(this,'remark<?php echo $record['id'];?>','#FFFFFF')" /> </div> <?php }?> ! <div class="remark"><?php echo ($record['confidential'] == 1?'<strong>['. gettext("Confidential") .']</strong> ':'');?><?php loc_remarks($rmitems, $record['remark']);?></div> </div> <?php --- 1502,1511 ---- }?> </div> ! <?php if (isset($acl['edit_remark'])) {?> <div class="remarklabelright"> <input type="checkbox" name="selectremark[]" id="selectremark<?php echo $record['id'];?>" value="<?php echo $record['id'];?>" onclick="hideConfidentiality(this,'remark<?php echo $record['id'];?>','#FFFFFF')" /> </div> <?php }?> ! <div class="remark"><?php echo ($record['confidential'] == 1?'<strong>['. 
gettext("Confidential") .']</strong> ':'');?><?php loc_remarks($rmitems, html_entity_decode($record['remark']));?></div> </div> <?php *************** *** 1445,1449 **** <br /> <!-- <form name="historyform" id="historyform" method="post" action=""> --> ! <?php if ($acl['add_remark']) {?> <div class="labelfieldpair"> <div class="name"><label for="remark"><?php echo gettext("Add Remark");?></label></div> --- 1517,1521 ---- <br /> <!-- <form name="historyform" id="historyform" method="post" action=""> --> ! <?php if (isset($acl['add_remark'])) {?> <div class="labelfieldpair"> <div class="name"><label for="remark"><?php echo gettext("Add Remark");?></label></div> *************** *** 1452,1456 **** </div> </div> ! <?php if ($acl['show_confidential']) {?> <div class="labelfieldpair"> <div class="name"> </div> --- 1524,1528 ---- </div> </div> ! <?php if (isset($acl['show_confidential'])) {?> <div class="labelfieldpair"> <div class="name"> </div> *************** *** 1464,1468 **** <?php }?> <?php }?> ! <?php if ($acl['edit_remark'] || $acl['add_remark']) {?> <div class="buttonpanel"> <input name="submitremark" type="button" id="submitremark" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> --- 1536,1540 ---- <?php }?> <?php }?> ! <?php if (isset($acl['edit_remark']) || isset($acl['add_remark'])) {?> <div class="buttonpanel"> <input name="submitremark" type="button" id="submitremark" value="<?php echo gettext("Submit Changes");?>" onclick="mainSubmit()" /> |
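Review bot: the blanket `$acl['x']` to `isset($acl['x'])` rewrite (hunk 173,177 and every ACL check through hunk 1464,1468) changes the permission semantics, not just the notice: isset() is true for a key that exists with value 0 or false, so if the ACL array is populated with explicit deny entries, every `if (isset($acl['edit_issue']))` now grants the action, and `if (!isset($acl['show_confidential']))` stops appending `AND tbl_Remarks.confidential=0` to the history query. The undefined-index notice is avoided without that side effect by `if (!empty($acl['edit_issue']))`, which keeps the original truthiness test; the same applies to `isset($acl['denyall'])`, which now blocks viewing whenever the key is present, even with a false value.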
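Review bot: in hunk 1430,1439 the stored remark is passed through `html_entity_decode($record['remark'])` before `loc_remarks()`, which undoes the `htmlentities()` applied on input, so what reaches the browser is whatever `strip_tags($val, '<a>')` let through. strip_tags() keeps every attribute on an allowed tag, so the `<a>` allowance added in hunk 66,133 preserves event-handler and URL attributes unchanged, and the decode at output renders them. If links in remarks are wanted, build the anchor from a validated http(s) href at display time rather than decoding stored HTML, or keep the entity encoding and convert only a constrained link pattern. Note also that html_entity_decode() with its default flags leaves `&#039;` alone, so the two calls are not symmetric for values encoded with ENT_QUOTES.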
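Review bot: hunk 66,133 now applies `addslashes(htmlentities(strip_tags(...), ENT_QUOTES))` to every `$_POST` and `$_REQUEST` value in one pass, which couples HTML output encoding with SQL escaping: the value stored in the database is entity-encoded, and addslashes() is not a substitute for the driver's escaping function or parameterized queries in a file that still builds SQL by concatenation (e.g. `tbl_Times.issue = ' . $issue[0]['id']` in hunk 1121,1125). The keys skipped by the `$key != "selectremark" && $key != "attachments" && $key != "delete_attachments" && $key != "existingkeywords"` test receive no sanitising at all; `selectremark[]` carries record ids, so cast each element with intval() before it reaches a query, and do the same for `delete_attachments` if it is id-valued. Finally, the `global $details, $act, ...` line at file scope is a no-op in PHP and initialises nothing; the isset() guards that follow still leave `$act` and the others undefined when the field is absent, so give those variables a default.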
From: Scott P. <wht...@us...> - 2007-09-10 00:08:02
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv31255 Modified Files: newissue.php Log Message: Santize all $_POST items. Added magic_quotes dectection. Fixed all Undefined Constansts and Variables. Index: newissue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/newissue.php,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** newissue.php 11 Mar 2007 15:23:48 -0000 1.11 --- newissue.php 10 Sep 2007 00:07:57 -0000 1.12 *************** *** 10,13 **** --- 10,14 ---- Changelog: + 2007-09-09 whtghst1: Added magic_quotes detection and sanitized all $_post inputs 2006-01-14 dave: Cleaned up code for v1.0 release 2005-07-02 arne_sf: Replaced all instances of column name 'user' for table tbl_UserSites with 'userid' *************** *** 60,83 **** require 'header.php'; // Language selection set_text_domain("newissue"); ! // Retrieve Get/Post variables ! $act = $_POST['act']; ! $createdby = $_POST['createdby']; ! $level = $_POST['level']; ! $status = $_POST['status']; ! $reportedby = $_POST['reportedby']; ! $contact = $_POST['contact']; ! $site = $_POST['site']; ! $assignedto = $_POST['assignedto']; ! $location = $_POST['location']; ! $categories = $_POST['categories']; ! $details = $_POST['details']; ! $summary = $_POST['summary']; ! $description = $_POST['description']; ! $priority = $_POST['priority']; ! $level = $_POST['level']; ! $close = $_POST['close']; // Action: Add issue to the database --- 61,131 ---- require 'header.php'; + global $act, $site, $location, $contact, $categories, $summary, $description, $details, $close, $status; // Language selection set_text_domain("newissue"); ! ! //Clean oall POST values ! foreach($_POST as $key => $val) { ! // scubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "attachments") { ! if (!get_magic_quotes_gpc()) { ! 
$_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); ! } ! } ! } ! // Retrieve Get/Post variables ! if (isset($_POST['act'])) { ! $act = $_POST['act']; ! } ! if (isset($_POST['createdby'])) { ! $createdby = $_POST['createdby']; ! } ! if (isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if (isset($_POST['status'])) { ! $status = $_POST['status']; ! } ! if (isset($_POST['reportedby'])) { ! $reportedby = $_POST['reportedby']; ! } ! if (isset($_POST['contact'])) { ! $contact = $_POST['contact']; ! } ! if (isset($_POST['site'])) { ! $site = $_POST['site']; ! } ! if (isset($_POST['assignedto'])) { ! $assignedto = $_POST['assignedto']; ! } ! if (isset($_POST['location'])) { ! $location = $_POST['location']; ! } ! if (isset($_POST['categories'])) { ! $categories = $_POST['categories']; ! } ! if (isset($_POST['details'])) { ! $details = $_POST['details']; ! } ! if (isset($_POST['summary'])) { ! $summary = $_POST['summary']; ! } ! if (isset($_POST['description'])) { ! $description = $_POST['description']; ! } ! if (isset($_POST['priority'])) { ! $priority = $_POST['priority']; ! } ! if (isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if (isset($_POST['close'])) { ! $close = $_POST['close']; ! } // Action: Add issue to the database *************** *** 110,114 **** $statusRS = db_recordset("SELECT id FROM tbl_Statuses WHERE (sortorder=0 AND domain=$_SESSION[_domain]) OR domain=0 ORDER BY domain DESC"); if (count($statusRS) > 0) { ! $status = $statusRS[0][id]; } else { $status = 0; --- 158,162 ---- $statusRS = db_recordset("SELECT id FROM tbl_Statuses WHERE (sortorder=0 AND domain=$_SESSION[_domain]) OR domain=0 ORDER BY domain DESC"); if (count($statusRS) > 0) { ! $status = $statusRS[0]['id']; } else { $status = 0; *************** *** 128,138 **** $user_details = get_user_details($assignedto); // Mail user if they have just been assigned an issue ! 
if ($close != 'true' && $assignedto!=$_SESSION['_id'] && ($user_prefs['email-assign'] == 'true' || $user_prefs['email-remark'] == 'true') && $user_details['email']!='') { // send_mail($user_prefs['language'],"newissue",$issue, $user_details['email'],gettext("You have been assigned a new issue in the helpdesk issue manager, please view this issue as soon as possible."),2); send_mail('assign', $user_prefs['language'], $user_details['email'], $issue, $_SESSION['_name'], ""); } - // Mail address if $user_prefs = get_user_prefs($_SESSION['_id']); --- 176,187 ---- $user_details = get_user_details($assignedto); // Mail user if they have just been assigned an issue ! if (isset($user_prefs['email-assign'])) { ! if ($close != 'true' && $assignedto!=$_SESSION['_id'] && ($user_prefs['email-assign'] == 'true' || $user_prefs['email-remark'] == 'true') && $user_details['email']!='') { // send_mail($user_prefs['language'],"newissue",$issue, $user_details['email'],gettext("You have been assigned a new issue in the helpdesk issue manager, please view this issue as soon as possible."),2); send_mail('assign', $user_prefs['language'], $user_details['email'], $issue, $_SESSION['_name'], ""); + } } // Mail address if $user_prefs = get_user_prefs($_SESSION['_id']); *************** *** 214,218 **** $index = 0; foreach ($categoriesRS as $record) { ! $current = filter_records($detailsRS,'category',$record[id]); $flag = TRUE; print (" var problems_$index = new Array('"); --- 263,267 ---- $index = 0; foreach ($categoriesRS as $record) { ! $current = filter_records($detailsRS,'category',$record['id']); $flag = TRUE; print (" var problems_$index = new Array('"); *************** *** 223,227 **** print ("','"); } ! print ($res_record[id] . "','" . addslashes(preg_replace('/Unknown/',gettext('Unknown'),$res_record[description]))); } print ("');\n"); --- 272,276 ---- print ("','"); } ! print ($res_record['id'] . "','" . 
addslashes(preg_replace('/Unknown/',gettext('Unknown'),$res_record['description']))); } print ("');\n"); *************** *** 315,319 **** <?php if (count($sitesRS) == 0 || count($sitesRS) == 1) { ! $site = (count($sitesRS) == 0) ? 0 : $site = $sitesRS[0][id]; ?> <input type="hidden" name="site" id="site" value="<?php echo $site?>" /> --- 364,368 ---- <?php if (count($sitesRS) == 0 || count($sitesRS) == 1) { ! $site = (count($sitesRS) == 0) ? 0 : $site = $sitesRS[0]['id']; ?> <input type="hidden" name="site" id="site" value="<?php echo $site?>" /> *************** *** 345,350 **** foreach ($sitesRS as $record) { // Set as default if chosen ! if ($record[id] == $site) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>".$record[site]."</option>\n"); } ?> --- 394,399 ---- foreach ($sitesRS as $record) { // Set as default if chosen ! if ($record['id'] == $site) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".$record['site']."</option>\n"); } ?> *************** *** 370,374 **** AND tbl_UserSites.site=$site AND tbl_UserSites.usertype=tbl_UserTypes.id"); ! $usertype = $usertypesRS[0][usertypename]; } --- 419,423 ---- AND tbl_UserSites.site=$site AND tbl_UserSites.usertype=tbl_UserTypes.id"); ! $usertype = $usertypesRS[0]['usertypename']; } *************** *** 398,403 **** foreach ($usersRS as $record) { // Set issue to be reported by this user by default ! $checked = ($record[id] == $_SESSION['_id']) ? ' selected="selected"' : $checked = ''; ! print (" <option value=\"${record[id]}\"$checked>".$record[name]."</option>\n"); } ?> --- 447,452 ---- foreach ($usersRS as $record) { // Set issue to be reported by this user by default ! $checked = ($record['id'] == $_SESSION['_id']) ? ' selected="selected"' : $checked = ''; ! 
print (" <option value=\"${record['id']}\"$checked>".$record['name']."</option>\n"); } ?> *************** *** 426,430 **** ORDER BY tbl_Users.name)"); if (0) { // Think a issue must not be assigned automatically. That's out of logic. ! print " <input type=\"hidden\" name=\"assignedto\" id=\"assignedto\" value=\"" . $usersRS[0][id] . "\" />\n"; } else { if ($usertype == 'Client' || $usertype == 'Site Contact') { --- 475,479 ---- ORDER BY tbl_Users.name)"); if (0) { // Think a issue must not be assigned automatically. That's out of logic. ! print " <input type=\"hidden\" name=\"assignedto\" id=\"assignedto\" value=\"" . $usersRS[0]['id'] . "\" />\n"; } else { if ($usertype == 'Client' || $usertype == 'Site Contact') { *************** *** 443,451 **** foreach ($usersRS as $record) { // Set issue to be assigned to this user by default ! $checked = ($record[id] == $_SESSION['_id']) ? ' selected="selected"' : ''; ! if ($record[name] == "* unassigned *") { ! print (" <option value=\"${record[id]}\"$checked>".gettext('* unassigned *')."</option>\n"); } else { ! print (" <option value=\"${record[id]}\"$checked>$record[name]</option>\n"); } } --- 492,500 ---- foreach ($usersRS as $record) { // Set issue to be assigned to this user by default ! $checked = ($record['id'] == $_SESSION['_id']) ? ' selected="selected"' : ''; ! if ($record['name'] == "* unassigned *") { ! print (" <option value=\"${record['id']}\"$checked>".gettext('* unassigned *')."</option>\n"); } else { ! print (" <option value=\"${record['id']}\"$checked>$record[name]</option>\n"); } } *************** *** 490,495 **** foreach ($categoriesRS as $record) { // Set category by default ! if ($categories != '' && $record[id] == $categories) { $checked = ' selected="selected"'; } else { $checked = ''; } ! 
print (" <option value=\"${record[id]}\"$checked>".preg_replace('/Unknown/',gettext('Unknown'),$record[description])."</option>\n"); } ?> --- 539,544 ---- foreach ($categoriesRS as $record) { // Set category by default ! if ($categories != '' && $record['id'] == $categories) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".preg_replace('/Unknown/',gettext('Unknown'),$record['description'])."</option>\n"); } ?> *************** *** 552,561 **** foreach ($prioritiesRS as $record) { // Choose the lowest priority as the default ! if ($record[id] == $defaultpriority[0][defaultpriority]) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>".preg_replace('/Ungraded/',gettext('Ungraded'),$record[priority])."</option>\n"); } ?> --- 601,610 ---- foreach ($prioritiesRS as $record) { // Choose the lowest priority as the default ! if ($record['id'] == $defaultpriority[0]['defaultpriority']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".preg_replace('/Ungraded/',gettext('Ungraded'),$record['priority'])."</option>\n"); } ?> *************** *** 569,573 **** $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) ORDER BY sortorder"); if ($_SESSION['_usertype'] == 'Client' || $_SESSION['_usertype'] == 'Site Contact' || count($levelsRS) <= 1) { ! $level = (count($levelsRS) == 0) ? 0 : $level = $levelsRS[0][id]; ?> <input type="hidden" name="level" id="level" value="<?php echo $level?>" /> --- 618,622 ---- $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) ORDER BY sortorder"); if ($_SESSION['_usertype'] == 'Client' || $_SESSION['_usertype'] == 'Site Contact' || count($levelsRS) <= 1) { ! $level = (count($levelsRS) == 0) ? 
0 : $level = $levelsRS[0]['id']; ?> <input type="hidden" name="level" id="level" value="<?php echo $level?>" /> *************** *** 583,589 **** <?php foreach ($levelsRS as $record) { ! if ($record[id] == $level) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>". ! preg_replace('/None/',gettext('None'),$record[level])."</option>\n"); } ?> --- 632,638 ---- <?php foreach ($levelsRS as $record) { ! if ($record['id'] == $level) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>". ! preg_replace('/None/',gettext('None'),$record['level'])."</option>\n"); } ?> |
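Review bot: the blanket `addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES))` pass in the new `foreach ($_POST as $key => $val)` loop does not protect the queries further down in this file, because several values are interpolated into SQL unquoted, e.g. `AND tbl_UserSites.site=$site` in the hunk at 370,374: addslashes only neutralises quote characters, so an unquoted numeric context stays injectable. Cast the id-type fields (`site`, `level`, `assignedto`, `categories`, `priority`, `status`) with `(int)` where they are read out of `$_POST`, and escape string fields with the database layer's escaping at query time rather than with a one-size-fits-all addslashes on input. Two smaller points in the same loop: `htmlentities()` applied at input stores HTML-encoded text in the database, so any later output escaping double-encodes it, and because `htmlentities()` runs after `strip_tags($val, '<a>')` the `<a>` tags it preserved are entity-encoded anyway, which makes the second argument of `strip_tags()` dead code; and `die('FATAL::XSS hack attempt detected. Your IP has been logged.')` logs nothing, so either add the log call or drop that claim from the message. The `global $act, $site, ...` line added at the top of the hunk does not initialise any of these variables, so fields that are not posted are still undefined later on (and `level` is read twice in the isset chain); a default per field, e.g. `$act = isset($_POST['act']) ? $_POST['act'] : '';`, would replace both the `global` line and the sixteen `if (isset(...))` blocks.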
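Review bot: the new `if (isset($user_prefs['email-assign']))` guard around the assignment mail in the hunk at 128,138 changes behaviour instead of just silencing a notice: a user whose preferences contain `email-remark` but not `email-assign` was mailed before this change and is silently skipped now, and the inner condition still reads `$user_prefs['email-remark']` and `$user_details['email']` without an isset check, so the notice this guard was meant to remove can still fire. Check each key where it is used, e.g. `(isset($user_prefs['email-assign']) && $user_prefs['email-assign'] == 'true')`, or have `get_user_prefs()` return defaults for both keys.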
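Review bot: the `addslashes(preg_replace('/Unknown/',gettext('Unknown'),$res_record['description']))` in the hunk at 223,227 is written into a JavaScript string literal inside `new Array('...')`, and addslashes is not a JavaScript escaper: it leaves a newline or a `</script>` sequence in a description untouched, either of which breaks out of the literal and the script block. Emit the array with `json_encode()` (PHP 5.2+) or at minimum escape `\n`, `\r` and `</` as well; the index-quoting fix itself is fine.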
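Review bot: `$site = (count($sitesRS) == 0) ? 0 : $site = $sitesRS[0]['id'];` in the hunk at 315,319 keeps a nested assignment inside the ternary, which is redundant and easy to misread; `$site = (count($sitesRS) == 0) ? 0 : $sitesRS[0]['id'];` is enough. The same pattern survives in the hunks at 398,403 (`$checked = ... : $checked = ''`) and 569,573 (`$level = ... : $level = $levelsRS[0]['id']`). Since `$site` is echoed straight into `value="<?php echo $site?>"` and, later in the file, interpolated into SQL, it is also worth forcing it to an integer at the point it is assigned.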
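Review bot: in the hunk at 443,451 the `else` branch still prints `$record[name]` while the `if` branch two lines above was changed to `$record['name']`; inside a double-quoted string the bare key is valid interpolation syntax, so this is not an error, but for consistency with the rest of the change it should be `{$record['name']}`. Both branches, like the `<option>` loops for sites, users and categories elsewhere in this diff, write database values into HTML without `htmlspecialchars()`; if names or descriptions are stored raw, that is an output-encoding gap the input-side `htmlentities()` added in this patch does not close for data that entered through other paths.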
From: Scott P. <wht...@us...> - 2007-09-09 21:52:31
|
Update of /cvsroot/helpmeict/Helpdesk/share/themes/blue In directory sc8-pr-cvs17:/tmp/cvs-serv11944/share/themes/blue Modified Files: header Log Message: Fix my bustage of refresh header adding. Fix call to undefined act varible by using isset(). Index: header =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/share/themes/blue/header,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** header 8 Sep 2007 23:56:50 -0000 1.4 --- header 9 Sep 2007 21:52:26 -0000 1.5 *************** *** 15,19 **** <?php // Add a timed refresh to certain pages ! $path = $HTTP_SERVER_VARS['SCRIPT_NAME']; if (isset($_GET['act'])) { if (($_GET['act'] == "action" && substr_count($path,'summary.php')) --- 15,19 ---- <?php // Add a timed refresh to certain pages ! $path = $_SERVER['SCRIPT_NAME']; if (isset($_GET['act'])) { if (($_GET['act'] == "action" && substr_count($path,'summary.php')) *************** *** 28,31 **** --- 28,41 ---- } } + else { + if (substr_count($path,'unassignedissues.php') + || substr_count($path, 'myissues.php') + || substr_count($path, 'mysitesissues.php')) + { + ?> + <meta http-equiv="Refresh" content="<?php echo 120; ?>"> + <?php + } + } ?> |
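Review bot: the added `else` branch repeats the three `substr_count($path, ...)` tests that already appear inside the `if (isset($_GET['act']))` block, so the refresh logic now lives in two places that have to be kept in sync. The same behaviour falls out of one condition with the isset guard applied only to the clause that actually reads `$_GET['act']`: `if ((isset($_GET['act']) && $_GET['act'] == "action" && substr_count($path,'summary.php')) || substr_count($path,'unassignedissues.php') || ...`. The `$HTTP_SERVER_VARS['SCRIPT_NAME']` to `$_SERVER['SCRIPT_NAME']` change in the first hunk is the right call; the long-array form has been deprecated since PHP 5.0 and only works when `register_long_arrays` is on.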
From: Scott P. <wht...@us...> - 2007-09-08 23:56:57
|
Update of /cvsroot/helpmeict/Helpdesk/share/themes/blue In directory sc8-pr-cvs17:/tmp/cvs-serv9207/share/themes/blue Modified Files: header Log Message: added $_GET, $_POST, $_REQUEST sanitizing added magic_quotes dectection added checking existince of superglobals index's before using them 'isset' is your friend \ this removes the Undefined Index notices from these files. fixed all undefined constants in these files. This removes the undefined constants from these files. added globals where needed to remove the undefined variable notices from these files. Index: header =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/share/themes/blue/header,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** header 11 Mar 2007 15:23:48 -0000 1.3 --- header 8 Sep 2007 23:56:50 -0000 1.4 *************** *** 16,27 **** // Add a timed refresh to certain pages $path = $HTTP_SERVER_VARS['SCRIPT_NAME']; ! if (($_GET['act'] == "action" && substr_count($path,'summary.php')) ! || substr_count($path,'unassignedissues.php') ! || substr_count($path,'myissues.php') ! || substr_count($path,'mysitesissues.php')) ! { ?> <meta http-equiv="Refresh" content="<?php echo 120; ?>"> <?php } ?> --- 16,30 ---- // Add a timed refresh to certain pages $path = $HTTP_SERVER_VARS['SCRIPT_NAME']; ! if (isset($_GET['act'])) { ! if (($_GET['act'] == "action" && substr_count($path,'summary.php')) ! || substr_count($path,'unassignedissues.php') ! || substr_count($path,'myissues.php') ! || substr_count($path,'mysitesissues.php')) ! ! { ?> <meta http-equiv="Refresh" content="<?php echo 120; ?>"> <?php + } } ?> *************** *** 43,45 **** </head> ! <body> \ No newline at end of file --- 46,48 ---- </head> ! <body> |
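Review bot: wrapping the whole condition in `if (isset($_GET['act']))` in the hunk at 16,27 changes behaviour rather than just silencing the notice: `unassignedissues.php`, `myissues.php` and `mysitesissues.php` now only refresh when `act` happens to be in the query string, whereas before the change they always did. Only the first clause reads `$_GET['act']`, so the guard belongs there: `if ((isset($_GET['act']) && $_GET['act'] == "action" && substr_count($path,'summary.php')) || substr_count($path,'unassignedissues.php') || ...`. The stray blank line before the opening `{` can go at the same time. The log message also describes `$_GET`, `$_POST` and `$_REQUEST` sanitising and magic_quotes detection, none of which appears in this file's diff; presumably that lives in other files of the same commit, but it is not reviewable here.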