From: Scott P. <wht...@us...> - 2007-09-13 01:12:48
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv5544 Modified Files: sitesandusers.php statuses.php summary.php unassignedissues.php Log Message: Last of the sanitizing, magic_quotes detection, undefined constants, undefined variables, and undefined indexes. Index: statuses.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/statuses.php,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** statuses.php 7 Feb 2007 01:20:04 -0000 1.6 --- statuses.php 13 Sep 2007 01:12:43 -0000 1.7 *************** *** 1,296 **** ! <?php ! ! /* ! ! statuses.php ! ! Status Admin. Allows the user to administer the list of statuses ! for this domain an put them in order. The order given is that of the ! life cycle of an issue (open->closed). [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page Security ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! 
&& $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Statuses'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("statuses"); ! ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $status = $_POST['status']; ! $statuses = $_REQUEST['statuses']; ! ! // Action: Add a status to the system ! if ($act == 'addstatusaction') { ! $act = 'addstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! $statuscount = db_recordset("SELECT * FROM tbl_Statuses WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $statuses = ''; ! // Add the status ! db_send("INSERT INTO tbl_Statuses (status,domain,sortorder) VALUES ('" . $status . "',$_SESSION[_domain]" . ',' . count($statuscount) . ")"); ! ! $act = ''; ! $message = gettext("NOTE: Status successfully added to system."); ! } ! } ! ! // Action: Request details to add a status to the system ! if ($act == 'addstatus') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addstatusaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $status?>" /></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Status')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! 
<input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a status ! if ($act == 'editstatusaction') { ! $act = 'editstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! // Edit the status ! db_send("UPDATE tbl_Statuses SET status='" . $status . "' WHERE id=$statuses"); ! $message = gettext("NOTE: Status successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a status up ! if ($act == 'up') { ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0][active] == 1) { ! // Only move a status up if it isn't at the top already ! if ($status[0][sortorder] > 0) { ! // Find the status that is one in line above it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0][sortorder]-1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0][sortorder]-1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0][sortorder] . " WHERE id=" . $newstatus[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Move a status down ! if ($act == 'down') { ! // Find the lowest status ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0][active] == 1) { ! 
// Only move a status down if it isn't at the bottom already ! if ($status[0][sortorder] < (count($statusesRS)-1)) { ! // Find the status that is one in line below it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0][sortorder]+1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0][sortorder]+1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0][sortorder] . " WHERE id=" . $newstatus[0][id]); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Remove a status from the system ! if ($act == 'removestatus') { ! // Find the sort order of this status ! $status = db_recordset("SELECT sortorder FROM tbl_Statuses WHERE id=$statuses"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Statuses SET active=0,sortorder=-1 WHERE id=$statuses"); ! // change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Statuses SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $status[0][sortorder]); ! $act = ""; ! $statuses = ''; ! $message = gettext("NOTE: Status successfully removed."); ! } ! ! // Action: Request details to edit a status ! if ($act == 'editstatus') { ! ! // Retrieve Status information ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE id=" . $statuses); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editstatusaction" /> ! <input type="hidden" name="statuses" value="<?php echo $statuses?>" /> ! <div class="labelfieldpair"> ! 
<div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $statusesRS[0][status]?>"></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show statuses and invite user to choose action... ! if ($act == '') { ! // Retrieve statuses ! $sql = "SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $statusesRS = db_recordset($sql); ! $num_statuses = count($statusesRS); ! ! if (!$statuses) $statuses=$statusesRS[0][id]; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removestatus' || act == 'editstatus') && document.mainform.statuses.value == 0) { ! alert('<?php echo gettext('There are no statuses on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removestatus' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this status?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the statuses of issues in this system:')?></h2> ! ! <div class="block"> ! 
<p><?php echo gettext("The first status in this list is the default status of a new issue. Movement through this list would be synonymous with the life cycle of the issue. The final status will be classed as 'closed' and as such will be the terminal status of issues, regardless of the actual name of the status. Note that if only one status is present, then the status will not be treated as closed.")?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="statuses"><?php echo gettext('Statuses')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removestatus')" /> ! </div> ! <div class="columnleft"> ! <select name="statuses" id="statuses" size="10"> ! <?php ! if ($num_statuses == 0) { ! print (" <option value=\"0\" selected=\"selected\">[".gettext('No Statuses')."]</option>\n"); ! } ! foreach ($statusesRS as $record) { ! // Set as default if this was previously chosen ! if ($record[id] == $statuses) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! if ($record[active] == 0) {$style = " class=\"inactive\"";} else {$style = "";}; ! print (" <option value=\"${record[id]}\"${checked}${style}>${record[status]}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! 
?> --- 1,361 ---- ! <?php ! ! /* ! ! statuses.php ! ! Status Admin. Allows the user to administer the list of statuses ! for this domain an put them in order. The order given is that of the ! life cycle of an issue (open->closed). [Commented] ! ! Changelog: ! 2006-01-14 dave: Cleaned up code for v1.0 release ! ! ## PAGE CONTAINS HANDYANDY MYSQL MODS ## ! ## Copyright (C) 2005 Andy Deakin (handyandy.org.uk) ## ! ! ---- ! ! Copyright (C) 2003 Central Manchester CLC ! Copyright (C) 2003 David Thorne (dav...@gm...) ! ! This program is free software; you can redistribute it and/or ! modify it under the terms of the GNU General Public License ! as published by the Free Software Foundation version 2. ! ! This program is distributed in the hope that it will be useful, ! but WITHOUT ANY WARRANTY; without even the implied warranty of ! MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ! GNU General Public License for more details. ! ! You should have received a copy of the GNU General Public License ! along with this program; if not, write to the Free Software ! Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ! ! */ ! ! // Start session and populate it with data ! session_start(); ! ! // Page Security ! if ($_SESSION['_usertype'] != 'Administrator' ! && $_SESSION['_usertype'] != 'Domain Administrator' ! && $_SESSION['_usertype'] != 'Root') { ! require_once 'system/security.php'; ! ThrowOut(); ! } ! ! // Page Title ! $ptitle = 'Statuses'; ! ! // Includes ! require_once 'system/db.php'; ! require_once 'system/lang.php'; ! require_once 'system/message.php'; ! require 'header.php'; ! ! // Language selection ! set_text_domain("statuses"); ! ! global $act, $statuses, $message, $status; ! ! // Retrieve Get/Post variables ! foreach($_POST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_POST[$key])) { ! 
foreach ($_POST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $postarg = Array( ! 'status' ! ); ! ! $requestarg = Array( ! 'act', ! 'statuses' ! ); ! ! foreach ($postarg as $post) { ! if (isset($_POST[$post])) { ! $$post = $_POST[$post]; ! } ! } ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! } ! } ! ! // Action: Add a status to the system ! if ($act == 'addstatusaction') { ! $act = 'addstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! $statuscount = db_recordset("SELECT * FROM tbl_Statuses WHERE active=1 AND domain=$_SESSION[_domain] AND id>0"); ! $statuses = ''; ! // Add the status ! db_send("INSERT INTO tbl_Statuses (status,domain,sortorder) VALUES ('" . $status . "',$_SESSION[_domain]" . ',' . count($statuscount) . ")"); ! ! 
$act = ''; ! $message = gettext("NOTE: Status successfully added to system."); ! } ! } ! ! // Action: Request details to add a status to the system ! if ($act == 'addstatus') { ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to add a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="addstatusaction" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $status?>" /></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Add Status')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Action: Edit a status ! if ($act == 'editstatusaction') { ! $act = 'editstatus'; ! // Make sure the status has a name ! if ($status == '') { ! $message = gettext("CORRECTION: You must give this status a name."); ! } else { ! // Edit the status ! db_send("UPDATE tbl_Statuses SET status='" . $status . "' WHERE id=$statuses"); ! $message = gettext("NOTE: Status successfully updated."); ! $act = ''; ! } ! } ! ! // Action: Move a status up ! if ($act == 'up') { ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0]['active'] == 1) { ! // Only move a status up if it isn't at the top already ! if ($status[0]['sortorder'] > 0) { ! // Find the status that is one in line above it ! 
$newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0]['sortorder']-1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0]['sortorder']-1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0]['sortorder'] . " WHERE id=" . $newstatus[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Move a status down ! if ($act == 'down') { ! // Find the lowest status ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1"); ! // Find this status' sort order ! $status = db_recordset("SELECT sortorder,active FROM tbl_Statuses WHERE id=$statuses"); ! ! // Only change the ordering of active statuses ! if ($status[0]['active'] == 1) { ! // Only move a status down if it isn't at the bottom already ! if ($status[0]['sortorder'] < (count($statusesRS)-1)) { ! // Find the status that is one in line below it ! $newstatus = db_recordset("SELECT id FROM tbl_Statuses WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder=" . ($status[0]['sortorder']+1)); ! // Swap the sort orders for the two statuses ! db_send("UPDATE tbl_Statuses SET sortorder=" . ($status[0]['sortorder']+1) . " WHERE id=$statuses"); ! db_send("UPDATE tbl_Statuses SET sortorder=" . $status[0]['sortorder'] . " WHERE id=" . $newstatus[0]['id']); ! } ! } else { ! $message = gettext("CORRECTION: You cannot change the precedence of an inactive item."); ! } ! ! $act = ""; ! } ! ! // Action: Remove a status from the system ! if ($act == 'removestatus') { ! // Find the sort order of this status ! $status = db_recordset("SELECT sortorder FROM tbl_Statuses WHERE id=$statuses"); ! // deactivate it and negate the sort order ! db_send("UPDATE tbl_Statuses SET active=0,sortorder=-1 WHERE id=$statuses"); ! 
// change all the higher sort orders in order to fill the gap that has now been made ! db_send("UPDATE tbl_Statuses SET sortorder=sortorder-1 WHERE domain=$_SESSION[_domain] AND active=1 AND sortorder>" . $status[0]['sortorder']); ! $act = ""; ! $statuses = ''; ! $message = gettext("NOTE: Status successfully removed."); ! } ! ! // Action: Request details to edit a status ! if ($act == 'editstatus') { ! ! // Retrieve Status information ! $statusesRS = db_recordset("SELECT * FROM tbl_Statuses WHERE id=" . $statuses); ! ! if ($message) { display($message); } ! ?> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please enter the following information to edit a status:')?></h2> ! ! <div class="block"> ! <form name="mainform" method="post" action=""> ! <input type="hidden" name="act" value="editstatusaction" /> ! <input type="hidden" name="statuses" value="<?php echo $statuses?>" /> ! <div class="labelfieldpair"> ! <div class="name"><label for="status"><?php echo gettext('Status Name')?></label></div> ! <div class="field"><input type="text" name="status" id="status" size="35" maxlength="50" value="<?php echo $statusesRS[0]['status']?>"></div> ! </div> ! <div class="buttonpanel"> ! <input name="submit" type="submit" id="submit" value="<?php echo gettext('Submit Changes')?>" /> ! <input name="reset" type="reset" id="reset" value="<?php echo gettext('Reset')?>" /> ! <input name="cancel" type="button" id="cancel" value="<?php echo gettext('Cancel')?>" onclick="document.location='statuses.php?statuses=<?php echo $statuses?>'" /> ! </div> ! </form> ! </div> ! ! <?php ! } ! ! // Default action: Show statuses and invite user to choose action... ! if ($act == '') { ! // Retrieve statuses ! $sql = "SELECT * FROM tbl_Statuses WHERE domain=$_SESSION[_domain]"; ! if ($_SESSION['_usertype'] != 'Root') { ! $sql .= " AND active=1"; ! } ! $sql .= " ORDER BY active DESC,sortorder"; ! $statusesRS = db_recordset($sql); ! $num_statuses = count($statusesRS); ! ! 
if (!$statuses) $statuses=$statusesRS[0]['id']; ! ! if ($message) { display($message); } ! ?> ! ! <script language="javascript" type="text/javascript"> ! //<![CDATA[ ! <!-- ! ! function mainSubmit (act) { ! var flag = true; ! if ((act == 'removestatus' || act == 'editstatus') && document.mainform.statuses.value == 0) { ! alert('<?php echo gettext('There are no statuses on which to action your request.')?>'); ! flag = false; ! } ! if (act == 'removestatus' && flag && !confirm('<?php echo gettext('Are you sure you wish to delete this status?')?>')) flag = false; ! if (flag) { ! document.mainform.act.value=act; ! document.mainform.submit(); ! } ! } ! ! //--> ! //]]> ! </script> ! ! <h1><?php echo gettext('Status Admin')?></h1> ! <h2><?php echo gettext('Please use the lists below to administer the statuses of issues in this system:')?></h2> ! ! <div class="block"> ! <p><?php echo gettext("The first status in this list is the default status of a new issue. Movement through this list would be synonymous with the life cycle of the issue. The final status will be classed as 'closed' and as such will be the terminal status of issues, regardless of the actual name of the status. Note that if only one status is present, then the status will not be treated as closed.")?></p> ! <form name="mainform" id="mainform" method="post" action=""> ! <input type="hidden" name="act" value="" /> ! <div class="columnleft"> ! <div class="labelright"><label for="statuses"><?php echo gettext('Statuses')?></label></div> ! <div class="columnright"> ! <input type="button" value="<?php echo gettext('New')?>..." onclick="mainSubmit('addstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Edit')?>" onclick="mainSubmit('editstatus')" /><br /> ! <input type="button" value="<?php echo gettext('Delete')?>" onclick="mainSubmit('removestatus')" /> ! </div> ! <div class="columnleft"> ! <select name="statuses" id="statuses" size="10"> ! <?php ! if ($num_statuses == 0) { ! 
print (" <option value=\"0\" selected=\"selected\">[".gettext('No Statuses')."]</option>\n"); ! } ! foreach ($statusesRS as $record) { ! // Set as default if this was previously chosen ! if ($record['id'] == $statuses) {$checked = " selected=\"selected\"";} else {$checked = "";}; ! if ($record['active'] == 0) {$style = " class=\"inactive\"";} else {$style = "";}; ! print (" <option value=\"${record['id']}\"${checked}${style}>${record['status']}</option>\n"); ! } ! ?> ! </select> ! </div> ! </div> ! <div class="columnleft"> ! <div class="labelleft"> </div> ! <div class="columnleft"> ! <input type="button" value="<?php echo gettext('Up')?>" onclick="mainSubmit('up')" /><br /> ! <input type="button" value="<?php echo gettext('Down')?>" onclick="mainSubmit('down')" /><br /> ! </div> ! </div> ! </form> ! <hr class="hide" /> ! </div> ! ! <?php ! } ! ! // Include ! require 'footer.php'; ! ?> Index: summary.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/summary.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** summary.php 11 Mar 2007 15:23:48 -0000 1.12 --- summary.php 13 Sep 2007 01:12:43 -0000 1.13 *************** *** 50,62 **** require_once 'system/lang.php'; require_once 'system/functions.php'; ! // Retrieve Get/Post variables ! $act = $_REQUEST['act']; ! $x = $_REQUEST['x']; ! $y = $_REQUEST['y']; ! $display = $_REQUEST['display']; ! $datefrom = $_REQUEST['datefrom']; ! $dateto = $_REQUEST['dateto']; ! $display2 = $_REQUEST['display']; if ($act == 'csv') { --- 50,96 ---- require_once 'system/lang.php'; require_once 'system/functions.php'; ! ! global $act, $display2; // Retrieve Get/Post variables ! foreach($_REQUEST as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! 
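Review bot: The nested branch of both sanitizing loops writes to `$_POST[$key2][$val2]` / `$_REQUEST[$key2][$val2]` instead of `$_POST[$key][$key2]`, so an array-valued field is never sanitized and the loop instead plants new entries keyed by the raw values; the same mistake is in the summary.php, sitesandusers.php and unassignedissues.php hunks of this commit. The filter also gives no cover to the unquoted numeric interpolations such as `WHERE id=$statuses`: addslashes/htmlentities leave a non-numeric value without quotes or angle brackets untouched, so cast it after the `$requestarg` loop, `$statuses = (int) $statuses;`, or move these queries to parameterised statements. `global $act, $statuses, $message, $status;` at file scope looks like a way to pre-declare the variables; an explicit `$act = ''; $status = ''; $statuses = ''; $message = '';` says what is meant and also initialises `$message`, which `if ($message)` still reads before any assignment on the default path. Note too that the `$status` echoed back into the add form after a validation error now carries the addslashes backslashes, because the escaping is applied at input rather than at the database call.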
if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! ! $requestarg = Array( ! 'act', ! 'x', ! 'y', ! 'display', ! 'datefrom', ! 'dateto' ! ); ! ! foreach ($requestarg as $request) { ! if (isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; ! if ($request == 'display') { ! $$display2 = $_REQUEST[$request]; ! } ! } ! } if ($act == 'csv') { Index: sitesandusers.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/sitesandusers.php,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** sitesandusers.php 8 Sep 2007 23:56:50 -0000 1.16 --- sitesandusers.php 13 Sep 2007 01:12:43 -0000 1.17 *************** *** 64,147 **** set_text_domain("sitesandusers"); foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); } ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! } ! ! // Retrieve Get/Post variables ! ! if (!get_magic_quotes_gpc()) { ! if (isset($_REQUEST['act'])) { ! $act = addslashes($_REQUEST['act']); ! } ! if (isset($_POST['site'])) { ! $site = addslashes($_POST['site']); ! } ! if (isset($_POST['sites'])) { ! 
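Review bot: `$$display2 = $_REQUEST[$request];` in the `$requestarg` loop dereferences `$display2`, which is still null at that point, so the value lands in a variable named by the empty string and `$display2` itself is never populated; it should read `$display2 = $_REQUEST[$request];`. The `global $act, $display2;` line at file scope appears to stand in for initialisation; `$act = ''; $display2 = '';` would make that explicit and also cover a request that carries no `act`. The `if ($act == 'csv')` branch that consumes these values continues outside the hunk.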
$sites = $_POST['sites']; } else { ! $sites = array(); ! } ! if (isset($_POST['name'])) { ! $name = addslashes($_POST['name']); ! } ! if (isset($_POST['username'])) { ! $username = addslashes($_POST['username']); ! } ! if (isset($_POST['password'])) { ! $password = addslashes($_POST['password']); ! } ! if (isset($_POST['available'])) { ! $available = addslashes($_POST['available']); ! } ! if (isset($_POST['user'])) { ! $user = addslashes($_POST['user']); ! } ! if (isset($_POST['users'])) { ! $users = $_POST['users']; ! } ! if (isset($_POST['usertype'])) { ! $usertype = addslashes($_POST['usertype']); ! } ! if (isset($_POST['support'])) { ! $support = $_POST['support']; } ! if (isset($_POST['resolve'])) { ! $resolve = addslashes($_POST['resolve']); } ! if (isset($_POST['email'])) { ! $email = addslashes($_POST['email']); } ! if (isset($_POST['oldusername'])) { ! $oldusername = addslashes($_POST['oldusername']); } } - else { - $act = $_REQUEST['act']; - $site = $_POST['site']; - $sites = $_POST['sites']; - if ($sites == '') { $sites = array(); } - $name = $_POST['name']; - $username = $_POST['username']; - $password = $_POST['password']; - $available = $_POST['available']; - $user = $_POST['user']; - $users = $_POST['users']; - $usertype = $_POST['usertype']; - $support = $_POST['support']; - $resolve = $_POST['resolve']; - $email = $_POST['email']; - $oldusername = $_POST['oldusername']; - } if ($conf_db['dsn']['phptype'] == 'pgsql') { --- 64,148 ---- set_text_domain("sitesandusers"); + // Retrieve Get/Post variables foreach($_POST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. 
Your IP has been logged.'); + if(is_array($_POST[$key])) { + foreach ($_POST[$key] as $key2 => $val2) { + if (!get_magic_quotes_gpc()) { + $_POST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); + } + else { + $_POST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); + } + } + } + else { + if (!get_magic_quotes_gpc()) { + $_POST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); + } + else { + $_POST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); + } + } } ! foreach($_REQUEST as $key => $val) { // scrubbing the field NAME... if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_REQUEST[$key])) { ! foreach ($_REQUEST[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } } else { ! if (!get_magic_quotes_gpc()) { ! $_REQUEST[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_REQUEST[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } } ! } ! ! $requestarg = Array( ! 'act' ! ); ! ! $postarg = Array( ! 'site', ! 'sites', ! 'name', ! 'username', ! 'password', ! 'available', ! 'user', ! 'users', ! 'usertype', ! 'support', ! 'resolve', ! 'email', ! 'oldusername' ! ); ! ! foreach ($requestarg as $request) { ! if(isset($_REQUEST[$request])) { ! $$request = $_REQUEST[$request]; } ! } ! ! foreach ($postarg as $post) { ! if(isset($_POST[$post])) { ! $$post = $_POST[$post]; } ! elseif (!isset($_POST[$post]) && $post == 'sites') { ! 
$$post = Array(); } } if ($conf_db['dsn']['phptype'] == 'pgsql') { Index: unassignedissues.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/unassignedissues.php,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** unassignedissues.php 10 Sep 2007 00:32:33 -0000 1.8 --- unassignedissues.php 13 Sep 2007 01:12:43 -0000 1.9 *************** *** 56,67 **** require 'header.php'; // Language selection set_text_domain("unassignedissues"); // Retrieve Get/Post variables ! $act = $_GET['act']; ! $orderby = $_GET['orderby']; ! $orderdir = $_GET['orderdir']; ! $page = $_GET['page']; if ($_SESSION['_usertype'] == 'Client') { ThrowOut(); } --- 56,100 ---- require 'header.php'; + global $act, $orderby, $page, $categories; + // Language selection set_text_domain("unassignedissues"); // Retrieve Get/Post variables ! foreach($_GET as $key => $val) { ! // scrubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if(is_array($_GET[$key])) { ! foreach ($_GET[$key] as $key2 => $val2) { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key2][$val2] = addslashes(htmlentities(strip_tags($val2), ENT_QUOTES)); ! } ! else { ! $_GET[$key2][$val2] = htmlentities(strip_tags($val2), ENT_QUOTES); ! } ! } ! } ! else { ! if (!get_magic_quotes_gpc()) { ! $_GET[$key] = addslashes(htmlentities(strip_tags($val), ENT_QUOTES)); ! } ! else { ! $_GET[$key] = htmlentities(strip_tags($val), ENT_QUOTES); ! } ! } ! } ! $getarg = Array( ! 'act', ! 'orderby', ! 'orderdir', ! 'page' ! ); ! ! foreach ($getarg as $get) { ! if (isset($_GET[$get])) { ! $$get = $_GET[$get]; ! } ! } ! if ($_SESSION['_usertype'] == 'Client') { ThrowOut(); } *************** *** 75,79 **** // Set up sorting and grouping values for the unresolved issue list ! 
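Review bot: The `$_POST` loop now runs `strip_tags`, `htmlentities(..., ENT_QUOTES)` and `addslashes` over every field, including `password`, so the value handed on to wherever the credential is stored or verified is no longer what the user typed; a password containing `<`, `&` or a quote will only verify later if the login path applies the identical transform, which this hunk cannot confirm. Exclude it from the HTML-encoding step, e.g. `if ($key === 'password') { continue; }` at the top of the loop body, and do the database escaping where the query is built. The `elseif (!isset($_POST[$post]) && $post == 'sites')` branch repeats a test that is already false inside the `elseif`; `elseif ($post == 'sites')` reads the same. The old `$_GET` scrubbing loop is dropped in favour of `$_REQUEST`, which covers `act`, but any direct `$_GET` read elsewhere in the file (outside this hunk) is now unfiltered.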
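Review bot: `$orderby`, `$orderdir` and `$page` are taken from `$_GET` with only the HTML-oriented escaping of the loop above, which does nothing for the contexts they are presumably used in further down the file: an ORDER BY clause cannot be protected by addslashes, so compare `$orderby` and `$orderdir` against a fixed list of permitted column names and directions with `in_array(..., true)` and fall back to a default, and cast `$page = (int) $page;`. `$categories` is named in the new `global` line but never appears in `$getarg`, so it is null when the `$record['id'] == $categories` comparison later in the file runs. The `die('FATAL::XSS hack attempt detected. Your IP has been logged.')` message promises logging that nothing in the hunk performs; either log the event before exiting or drop the claim from the message.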
if ($orderby == '' && $_SESSION['_orderby-unassigned'] != '') { // Use stored ordering unless another selection has been made $orderby = $_SESSION['_orderby-unassigned']; --- 108,112 ---- // Set up sorting and grouping values for the unresolved issue list ! if ($orderby == '' && isset($_SESSION['_orderby-unassigned'])) { // Use stored ordering unless another selection has been made $orderby = $_SESSION['_orderby-unassigned']; *************** *** 273,294 **** // Show attributes ! if ($record[id] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">${record[id]}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record[createdon]) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record[createdon]); } else { ! print strftime('%d/%m/%y',$record[createdon]); } print "</td>\n"; ! print " <td class=\"$class\">".$record[reportedbyname]."</td>\n"; ! print " <td class=\"$class\">".$record[sitename]."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record[id]}\">".$record[summary]."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! print preg_replace('/Ungraded/',gettext('Ungraded'),$record[priorityname]); } print "</td>\n"; --- 306,327 ---- // Show attributes ! if ($record['id'] == $categories) {$checked = " selected=\"selected\"";} else {$checked = "";}; print " <tr valign=\"top\">\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">${record['id']}</a></td>\n"; print " <td class=\"$class\">"; ! if (strftime('%d/%m/%y',$record['createdon']) == strftime('%d/%m/%y')) { ! print strftime('%H:%M',$record['createdon']); } else { ! print strftime('%d/%m/%y',$record['createdon']); } print "</td>\n"; ! print " <td class=\"$class\">".$record['reportedbyname']."</td>\n"; ! 
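Review bot: Replacing `!= ''` with `isset()` changes the condition: a session entry that exists but holds an empty string now satisfies it, and `$orderby` is then set to `''` instead of falling through to whatever default follows. If the notice on an unset index was the only concern, `isset($_SESSION['_orderby-unassigned']) && $_SESSION['_orderby-unassigned'] !== ''` keeps the original behaviour. The enclosing block continues outside the hunk.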
print " <td class=\"$class\">".$record['sitename']."</td>\n"; ! print " <td class=\"$class\"><a href=\"issue.php?id=${record['id']}\">".$record['summary']."</a></td>\n"; print " <td align=\"center\" class=\"$priority\">"; if ($record['recalled'] == 1) { print gettext('Recalled'); } else { ! print preg_replace('/Ungraded/',gettext('Ungraded'),$record['priorityname']); } print "</td>\n"; |
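Review bot: The row output still prints `$record['reportedbyname']`, `$record['sitename']`, `$record['summary']` and `$record['priorityname']` straight into the HTML; the input-side `htmlentities` added elsewhere in this commit only covers values submitted through the patched pages from now on, not rows already in the table or written by other code paths. Escape at the sink instead, `htmlspecialchars($record['summary'], ENT_QUOTES)` and likewise for each printed field, and use `(int) $record['id']` inside the `issue.php?id=` links. The surrounding loop starts and ends outside the hunk.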