From: Scott P. <wht...@us...> - 2007-09-10 00:08:02
Update of /cvsroot/helpmeict/Helpdesk In directory sc8-pr-cvs17:/tmp/cvs-serv31255 Modified Files: newissue.php Log Message: Santize all $_POST items. Added magic_quotes dectection. Fixed all Undefined Constansts and Variables. Index: newissue.php =================================================================== RCS file: /cvsroot/helpmeict/Helpdesk/newissue.php,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** newissue.php 11 Mar 2007 15:23:48 -0000 1.11 --- newissue.php 10 Sep 2007 00:07:57 -0000 1.12 *************** *** 10,13 **** --- 10,14 ---- Changelog: + 2007-09-09 whtghst1: Added magic_quotes detection and sanitized all $_post inputs 2006-01-14 dave: Cleaned up code for v1.0 release 2005-07-02 arne_sf: Replaced all instances of column name 'user' for table tbl_UserSites with 'userid' *************** *** 60,83 **** require 'header.php'; // Language selection set_text_domain("newissue"); ! // Retrieve Get/Post variables ! $act = $_POST['act']; ! $createdby = $_POST['createdby']; ! $level = $_POST['level']; ! $status = $_POST['status']; ! $reportedby = $_POST['reportedby']; ! $contact = $_POST['contact']; ! $site = $_POST['site']; ! $assignedto = $_POST['assignedto']; ! $location = $_POST['location']; ! $categories = $_POST['categories']; ! $details = $_POST['details']; ! $summary = $_POST['summary']; ! $description = $_POST['description']; ! $priority = $_POST['priority']; ! $level = $_POST['level']; ! $close = $_POST['close']; // Action: Add issue to the database --- 61,131 ---- require 'header.php'; + global $act, $site, $location, $contact, $categories, $summary, $description, $details, $close, $status; // Language selection set_text_domain("newissue"); ! ! //Clean oall POST values ! foreach($_POST as $key => $val) { ! // scubbing the field NAME... ! if (preg_match('/%/', urlencode($key))) die('FATAL::XSS hack attempt detected. Your IP has been logged.'); ! if ($key != "attachments") { ! if (!get_magic_quotes_gpc()) { ! 
$_POST[$key] = addslashes(htmlentities(strip_tags($val, '<a>'), ENT_QUOTES)); ! } ! else { ! $_POST[$key] = htmlentities(strip_tags($val, '<a>'), ENT_QUOTES); ! } ! } ! } ! // Retrieve Get/Post variables ! if (isset($_POST['act'])) { ! $act = $_POST['act']; ! } ! if (isset($_POST['createdby'])) { ! $createdby = $_POST['createdby']; ! } ! if (isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if (isset($_POST['status'])) { ! $status = $_POST['status']; ! } ! if (isset($_POST['reportedby'])) { ! $reportedby = $_POST['reportedby']; ! } ! if (isset($_POST['contact'])) { ! $contact = $_POST['contact']; ! } ! if (isset($_POST['site'])) { ! $site = $_POST['site']; ! } ! if (isset($_POST['assignedto'])) { ! $assignedto = $_POST['assignedto']; ! } ! if (isset($_POST['location'])) { ! $location = $_POST['location']; ! } ! if (isset($_POST['categories'])) { ! $categories = $_POST['categories']; ! } ! if (isset($_POST['details'])) { ! $details = $_POST['details']; ! } ! if (isset($_POST['summary'])) { ! $summary = $_POST['summary']; ! } ! if (isset($_POST['description'])) { ! $description = $_POST['description']; ! } ! if (isset($_POST['priority'])) { ! $priority = $_POST['priority']; ! } ! if (isset($_POST['level'])) { ! $level = $_POST['level']; ! } ! if (isset($_POST['close'])) { ! $close = $_POST['close']; ! } // Action: Add issue to the database *************** *** 110,114 **** $statusRS = db_recordset("SELECT id FROM tbl_Statuses WHERE (sortorder=0 AND domain=$_SESSION[_domain]) OR domain=0 ORDER BY domain DESC"); if (count($statusRS) > 0) { ! $status = $statusRS[0][id]; } else { $status = 0; --- 158,162 ---- $statusRS = db_recordset("SELECT id FROM tbl_Statuses WHERE (sortorder=0 AND domain=$_SESSION[_domain]) OR domain=0 ORDER BY domain DESC"); if (count($statusRS) > 0) { ! $status = $statusRS[0]['id']; } else { $status = 0; *************** *** 128,138 **** $user_details = get_user_details($assignedto); // Mail user if they have just been assigned an issue ! 
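Review bot: The blanket loop over `$_POST` applies `htmlentities()` and `addslashes()` at input time, and that does not make the values safe for the SQL they later reach. `addslashes()` only helps inside a quoted string literal, and a query further down this file uses `tbl_UserSites.site=$site` unquoted, presumably with the posted value when more than one site exists, so a non-numeric `site` could still alter the statement. Identifier fields are better constrained where they are read, e.g. `$site = isset($_POST['site']) ? (int) $_POST['site'] : 0;`, leaving string escaping to the database layer at query time and `htmlentities()` to the point of output. The loop also passes every value except `attachments` to `strip_tags()`, which expects a string, so an array-valued field would need an `is_array($val)` guard (whether the form posts one is not visible here). The "Your IP has been logged" message has no logging call behind it in this hunk, and the second `isset($_POST['level'])` block duplicates the first and can be dropped.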
if ($close != 'true' && $assignedto!=$_SESSION['_id'] && ($user_prefs['email-assign'] == 'true' || $user_prefs['email-remark'] == 'true') && $user_details['email']!='') { // send_mail($user_prefs['language'],"newissue",$issue, $user_details['email'],gettext("You have been assigned a new issue in the helpdesk issue manager, please view this issue as soon as possible."),2); send_mail('assign', $user_prefs['language'], $user_details['email'], $issue, $_SESSION['_name'], ""); } - // Mail address if $user_prefs = get_user_prefs($_SESSION['_id']); --- 176,187 ---- $user_details = get_user_details($assignedto); // Mail user if they have just been assigned an issue ! if (isset($user_prefs['email-assign'])) { ! if ($close != 'true' && $assignedto!=$_SESSION['_id'] && ($user_prefs['email-assign'] == 'true' || $user_prefs['email-remark'] == 'true') && $user_details['email']!='') { // send_mail($user_prefs['language'],"newissue",$issue, $user_details['email'],gettext("You have been assigned a new issue in the helpdesk issue manager, please view this issue as soon as possible."),2); send_mail('assign', $user_prefs['language'], $user_details['email'], $issue, $_SESSION['_name'], ""); + } } // Mail address if $user_prefs = get_user_prefs($_SESSION['_id']); *************** *** 214,218 **** $index = 0; foreach ($categoriesRS as $record) { ! $current = filter_records($detailsRS,'category',$record[id]); $flag = TRUE; print (" var problems_$index = new Array('"); --- 263,267 ---- $index = 0; foreach ($categoriesRS as $record) { ! $current = filter_records($detailsRS,'category',$record['id']); $flag = TRUE; print (" var problems_$index = new Array('"); *************** *** 223,227 **** print ("','"); } ! print ($res_record[id] . "','" . addslashes(preg_replace('/Unknown/',gettext('Unknown'),$res_record[description]))); } print ("');\n"); --- 272,276 ---- print ("','"); } ! print ($res_record['id'] . "','" . 
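Review bot: Wrapping the whole mail condition in `if (isset($user_prefs['email-assign']))` changes behaviour as well as silencing the notice. A user whose preferences hold only `email-remark` set to 'true' previously received the assignment mail and now receives none. To keep that case, test each key where it is read, e.g. `(isset($user_prefs['email-assign']) && $user_prefs['email-assign'] == 'true') || (isset($user_prefs['email-remark']) && $user_prefs['email-remark'] == 'true')`. `$assignedto` is now only assigned when it was posted, so it may also be undefined by the time this condition runs; the enclosing action block starts outside the hunk, so that needs checking against the full file.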
addslashes(preg_replace('/Unknown/',gettext('Unknown'),$res_record['description']))); } print ("');\n"); *************** *** 315,319 **** <?php if (count($sitesRS) == 0 || count($sitesRS) == 1) { ! $site = (count($sitesRS) == 0) ? 0 : $site = $sitesRS[0][id]; ?> <input type="hidden" name="site" id="site" value="<?php echo $site?>" /> --- 364,368 ---- <?php if (count($sitesRS) == 0 || count($sitesRS) == 1) { ! $site = (count($sitesRS) == 0) ? 0 : $site = $sitesRS[0]['id']; ?> <input type="hidden" name="site" id="site" value="<?php echo $site?>" /> *************** *** 345,350 **** foreach ($sitesRS as $record) { // Set as default if chosen ! if ($record[id] == $site) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>".$record[site]."</option>\n"); } ?> --- 394,399 ---- foreach ($sitesRS as $record) { // Set as default if chosen ! if ($record['id'] == $site) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".$record['site']."</option>\n"); } ?> *************** *** 370,374 **** AND tbl_UserSites.site=$site AND tbl_UserSites.usertype=tbl_UserTypes.id"); ! $usertype = $usertypesRS[0][usertypename]; } --- 419,423 ---- AND tbl_UserSites.site=$site AND tbl_UserSites.usertype=tbl_UserTypes.id"); ! $usertype = $usertypesRS[0]['usertypename']; } *************** *** 398,403 **** foreach ($usersRS as $record) { // Set issue to be reported by this user by default ! $checked = ($record[id] == $_SESSION['_id']) ? ' selected="selected"' : $checked = ''; ! print (" <option value=\"${record[id]}\"$checked>".$record[name]."</option>\n"); } ?> --- 447,452 ---- foreach ($usersRS as $record) { // Set issue to be reported by this user by default ! $checked = ($record['id'] == $_SESSION['_id']) ? ' selected="selected"' : $checked = ''; ! 
print (" <option value=\"${record['id']}\"$checked>".$record['name']."</option>\n"); } ?> *************** *** 426,430 **** ORDER BY tbl_Users.name)"); if (0) { // Think a issue must not be assigned automatically. That's out of logic. ! print " <input type=\"hidden\" name=\"assignedto\" id=\"assignedto\" value=\"" . $usersRS[0][id] . "\" />\n"; } else { if ($usertype == 'Client' || $usertype == 'Site Contact') { --- 475,479 ---- ORDER BY tbl_Users.name)"); if (0) { // Think a issue must not be assigned automatically. That's out of logic. ! print " <input type=\"hidden\" name=\"assignedto\" id=\"assignedto\" value=\"" . $usersRS[0]['id'] . "\" />\n"; } else { if ($usertype == 'Client' || $usertype == 'Site Contact') { *************** *** 443,451 **** foreach ($usersRS as $record) { // Set issue to be assigned to this user by default ! $checked = ($record[id] == $_SESSION['_id']) ? ' selected="selected"' : ''; ! if ($record[name] == "* unassigned *") { ! print (" <option value=\"${record[id]}\"$checked>".gettext('* unassigned *')."</option>\n"); } else { ! print (" <option value=\"${record[id]}\"$checked>$record[name]</option>\n"); } } --- 492,500 ---- foreach ($usersRS as $record) { // Set issue to be assigned to this user by default ! $checked = ($record['id'] == $_SESSION['_id']) ? ' selected="selected"' : ''; ! if ($record['name'] == "* unassigned *") { ! print (" <option value=\"${record['id']}\"$checked>".gettext('* unassigned *')."</option>\n"); } else { ! print (" <option value=\"${record['id']}\"$checked>$record[name]</option>\n"); } } *************** *** 490,495 **** foreach ($categoriesRS as $record) { // Set category by default ! if ($categories != '' && $record[id] == $categories) { $checked = ' selected="selected"'; } else { $checked = ''; } ! 
print (" <option value=\"${record[id]}\"$checked>".preg_replace('/Unknown/',gettext('Unknown'),$record[description])."</option>\n"); } ?> --- 539,544 ---- foreach ($categoriesRS as $record) { // Set category by default ! if ($categories != '' && $record['id'] == $categories) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".preg_replace('/Unknown/',gettext('Unknown'),$record['description'])."</option>\n"); } ?> *************** *** 552,561 **** foreach ($prioritiesRS as $record) { // Choose the lowest priority as the default ! if ($record[id] == $defaultpriority[0][defaultpriority]) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>".preg_replace('/Ungraded/',gettext('Ungraded'),$record[priority])."</option>\n"); } ?> --- 601,610 ---- foreach ($prioritiesRS as $record) { // Choose the lowest priority as the default ! if ($record['id'] == $defaultpriority[0]['defaultpriority']) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>".preg_replace('/Ungraded/',gettext('Ungraded'),$record['priority'])."</option>\n"); } ?> *************** *** 569,573 **** $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) ORDER BY sortorder"); if ($_SESSION['_usertype'] == 'Client' || $_SESSION['_usertype'] == 'Site Contact' || count($levelsRS) <= 1) { ! $level = (count($levelsRS) == 0) ? 0 : $level = $levelsRS[0][id]; ?> <input type="hidden" name="level" id="level" value="<?php echo $level?>" /> --- 618,622 ---- $levelsRS = db_recordset("SELECT * FROM tbl_Levels WHERE (active=1 AND domain=$_SESSION[_domain]) ORDER BY sortorder"); if ($_SESSION['_usertype'] == 'Client' || $_SESSION['_usertype'] == 'Site Contact' || count($levelsRS) <= 1) { ! $level = (count($levelsRS) == 0) ? 
0 : $level = $levelsRS[0]['id']; ?> <input type="hidden" name="level" id="level" value="<?php echo $level?>" /> *************** *** 583,589 **** <?php foreach ($levelsRS as $record) { ! if ($record[id] == $level) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record[id]}\"$checked>". ! preg_replace('/None/',gettext('None'),$record[level])."</option>\n"); } ?> --- 632,638 ---- <?php foreach ($levelsRS as $record) { ! if ($record['id'] == $level) { $checked = ' selected="selected"'; } else { $checked = ''; } ! print (" <option value=\"${record['id']}\"$checked>". ! preg_replace('/None/',gettext('None'),$record['level'])."</option>\n"); } ?> |