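// Request parameter defaults. defVal() is defined elsewhere; presumably the
// second argument becomes the value used when the parameter is absent — confirm.
defVal('csvFileName', "file.csv");
defVal('status');
defVal('fields');
//joinable stuff
defVal('trackerIds');
//Order Items
defVal('itemIdFields');
defVal('sortFieldIds');
defVal('removeFieldIds');
defVal('showFieldIds');
defVal('dateFieldIds', "45,16,158,159,103");
defVal('sortFieldNames');
defVal('search');
defVal('q');
defVal('start');
defVal('end');

//TODO: integrate into tracker query lib
/**
 * Expand a delimited request parameter in place.
 *
 * $_REQUEST[$param] of the form "a,b|c,d" becomes [['a','b'],['c','d']]:
 * '|' separates trackers, ',' separates the fields of one tracker.
 *
 * Only a string value is split. A missing parameter is left untouched, and so
 * is a value that already arrived as an array (e.g. sent as param[]=...):
 * explode() raises a TypeError on an array under PHP 8, so such a value is
 * passed through as received instead of aborting the request.
 *
 * @param string $param request key to expand
 * @return void
 */
function splitToTracker($param)
{
    if (!isset($_REQUEST[$param]) || !is_string($_REQUEST[$param])) {
        return;
    }
    $trackers = explode("|", $_REQUEST[$param]);
    foreach ($trackers as $index => $fieldList) {
        $trackers[$index] = explode(',', $fieldList);
    }
    $_REQUEST[$param] = $trackers;
}

splitToTracker('fields');
splitToTracker('search');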
<?php /* $Id: addedit.php,v 1.11 2005/04/12 06:05:39 gregorerhardt Exp $ */ $history_id = defVal(@$_GET["history_id"], 0); /* // check permissions if (!$canEdit) { $AppUI->setMsg('Access denied', UI_MSG_ERROR); $AppUI->redirect(); } */ $action = @$_REQUEST["action"]; $q = new DBQuery(); if ($action) { $history_description = dPgetParam($_POST, 'history_description', ''); $history_project = dPgetParam($_POST, 'history_project', ''); $userid = $AppUI->user_id; if ($action == 'add') { $q->addTable('history'); $q->addInsert('history_table', "history"); $q->addInsert('history_action', "add"); $q->addInsert('history_date', str_replace("'", '', $db->DBTimeStamp(time()))); $q->addInsert('history_description', $history_description); $q->addInsert('history_user', $userid); $q->addInsert('history_project', $history_project); $okMsg = 'History added'; } else { if ($action == 'update') { $q->addTable('history'); $q->addUpdate('history_description', $history_description); $q->addUpdate('history_project', $history_project);
$task_child_search->peek($ganttTaskFilter); //$childrenlist[] = $ganttTaskFilter; //print_r($childrenlist); $childrenlist = $task_child_search->getDeepChildren(); //print_r($childrenlist); $where .= ' t.task_id IN (' . $ganttTaskFilter . ', ' . implode(', ', $childrenlist) . ')'; } //else { // $where = ''; //} //echo '<pre> $where = ' . $where . '</pre>'; //die; // gantt is called now by the todo page, too. There is a different filter approach in todo // so we have to tweak a little bit, also we do not have a special project available if ($caller == 'todo') { $user_id = defVal(@$_REQUEST['user_id'], 0); $projects[$project_id]['project_name'] = $AppUI->_('Todo for') . ' ' . dPgetUsernameFromID($user_id); $projects[$project_id]['project_color_identifier'] = 'ff6000'; $q->addTable('tasks', 't'); $q->innerJoin('projects', 'p', 'p.project_id = t.task_project'); $q->innerJoin('user_tasks', 'ut', 'ut.task_id = t.task_id AND ut.user_id = ' . $user_id); $q->leftJoin('user_task_pin', 'tp', 'tp.task_id = t.task_id AND tp.user_id = ' . $user_id); $q->addQuery('t.*, p.project_name, p.project_id, p.project_color_identifier, tp.task_pinned'); $q->addWhere('(t.task_percent_complete < 100 OR t.task_percent_complete IS NULL)'); $q->addWhere('t.task_status = 0'); if (!$showArcProjs) { $q->addWhere('project_status <> 7'); } if (!$showLowTasks) { $q->addWhere('task_priority >= 0'); }
/**
 * Alternative to protect from XSS attacks.
 *
 * Reads $arr[$name] (or $def when it is absent), returns "empty" values
 * untouched, and otherwise returns the value with numeric-entity-encoded
 * ASCII decoded and a blacklist of tag/attribute names broken up with "<x>".
 *
 * NOTE(review): this is a blacklist filter with several defects noted inline
 * (an inert control-character regex, inert entity sub-patterns, and an
 * in_array() gate that disables the keyword loop for almost every input).
 * It must not be the only defence — escape at the point of output as well.
 *
 * @param array      $arr  request array, taken by reference
 * @param string|int $name key to read
 * @param mixed      $def  default returned when the key is absent
 * @return mixed the (partially) filtered value, the untouched empty value, or $def
 */
function dPgetCleanParam(&$arr, $name, $def = null)
{
    $val = defVal($arr[$name], $def);
    if (empty($val)) {
        // '', '0', 0, null and false are returned as-is; none can carry markup.
        return $val;
    }
    // Code from http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
    // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since
    // they *are* allowed in some inputs
    // NOTE(review): as written this is three consecutive character classes, so it
    // only matches a run of three control characters in that exact order and
    // almost never fires. The comment above describes a single class; note that
    // \x20 (space) sits inside the last range, so a one-class rewrite must stop
    // at \x1f. (LF is 0a and CR is 0d, not 0a/0b as the comment says.)
    $val = preg_replace('/([\\x00-\\x08][\\x0b-\\x0c][\\x0e-\\x20])/', '', $val);
    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=@avascript:alert('XSS')>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    // $search is pure ASCII, so byte indexing $search[$i] agrees with mb_strlen().
    for ($i = 0; $i < mb_strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
        // @ @ search for the hex values
        // with a ;
        // ([x|X] also admits a literal '|'; harmless, but [xX] is what is meant.)
        $val = preg_replace('/(&#[x|X]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // @ @ 0{0,7} matches '0' zero to seven times
        // with a ;
        // NOTE(review): the literal below looks mis-encoded in this copy ("�"
        // where the decimal-entity prefix "&#0" is expected, mirroring the hex
        // branch above) — confirm against the repository before relying on it.
        $val = preg_replace('/(�{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }
    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);
    $found = true;
    // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            // Build a case-insensitive pattern for the keyword in which an
            // optional encoded whitespace entity may sit between any two letters.
            $pattern = '/';
            for ($j = 0; $j < mb_strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    $pattern .= '(';
                    // NOTE(review): "([9][a][b])" matches the literal string "9ab" and
                    // "([9][10][13])" matches three characters (9, then 1 or 0, then
                    // 1 or 3) — neither is the tab/LF/CR code the comment above
                    // intends, so this optional group is effectively inert.
                    $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
                    // NOTE(review): same apparent mis-encoding as above ("�" for "&#0").
                    $pattern .= '|(�{0,8}([9][10][13]);?)?';
                    $pattern .= ')?';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            // add in <> to nerf the tag
            $replacement = mb_substr($ra[$i], 0, 2) . '<x>' . mb_substr($ra[$i], 2);
            // filter out the hex tags
            // NOTE(review): the in_array() gate runs the replacement only when the
            // *raw* parameter value is exactly one keyword; for every other value
            // this loop is a no-op and the keyword blacklist filters nothing. That
            // contradicts the $val_before/$found bookkeeping around it.
            $val = in_array($arr[$name], $ra) ? preg_replace($pattern, $replacement, $val) : $val;
            if ($val_before == $val) {
                // no replacements were made, so exit the loop
                // (checked per keyword, not per pass: once one keyword leaves $val
                // equal to the pass-start value, $found stays false and the while
                // ends after this pass even if a later keyword changes $val)
                $found = false;
            }
        }
    }
    return $val;
}
<?php /* TASKS $Id: viewgantt.php 6149 2012-01-09 11:58:40Z ajdonnison $ */ if (!defined('DP_BASE_DIR')) { die('You should not access this file directly.'); } global $min_view, $m, $a, $user_id, $tab, $tasks; $min_view = defVal(@$min_view, false); $project_id = defVal(@$_GET['project_id'], 0); // sdate and edate passed as unix time stamps $sdate = dPgetCleanParam($_POST, 'sdate', 0); $edate = dPgetCleanParam($_POST, 'edate', 0); //if set GantChart includes user labels as captions of every GantBar $showLabels = (int) dPgetParam($_POST, 'showLabels', '0'); $showLabels = $showLabels != '0' ? '1' : $showLabels; $showWork = (int) dPgetParam($_POST, 'showWork', '0'); $showWork = $showWork != '0' ? '1' : $showWork; $sortByName = (int) dPgetParam($_POST, 'sortByName', '0'); $sortByName = $sortByName != '0' ? '1' : $sortByName; if ($a == 'todo') { if (isset($_POST['show_form'])) { $AppUI->setState('TaskDayShowArc', (int) dPgetParam($_POST, 'showArcProjs', 0)); $AppUI->setState('TaskDayShowLow', (int) dPgetParam($_POST, 'showLowTasks', 0)); $AppUI->setState('TaskDayShowHold', (int) dPgetParam($_POST, 'showHoldProjs', 0)); $AppUI->setState('TaskDayShowDyn', (int) dPgetParam($_POST, 'showDynTasks', 0)); $AppUI->setState('TaskDayShowPin', (int) dPgetParam($_POST, 'showPinned', 0)); } $showArcProjs = $AppUI->getState('TaskDayShowArc', 0); $showLowTasks = $AppUI->getState('TaskDayShowLow', 1); $showHoldProjs = $AppUI->getState('TaskDayShowHold', 0); $showDynTasks = $AppUI->getState('TaskDayShowDyn', 0);
<?php /* $Id: viewgantt.php 1966 2011-07-03 22:38:52Z caseydk $ $URL: https://web2project.svn.sourceforge.net/svnroot/web2project/tags/version2.4/modules/tasks/viewgantt.php $ */ if (!defined('W2P_BASE_DIR')) { die('You should not access this file directly.'); } global $AppUI, $min_view, $m, $a, $user_id, $tab, $tasks, $cal_sdf; global $sortByName, $project_id, $gantt_map, $currentGanttImgSource, $filter_task_list, $caller; $AppUI->loadCalendarJS(); $base_url = w2PgetConfig('base_url'); $min_view = defVal($min_view, false); $project_id = (int) w2PgetParam($_GET, 'project_id', 0); // sdate and edate passed as unix time stamps $sdate = w2PgetParam($_POST, 'project_start_date', 0); $edate = w2PgetParam($_POST, 'project_end_date', 0); //if set GantChart includes user labels as captions of every GantBar $showLabels = w2PgetParam($_POST, 'showLabels', '0'); $showLabels = $showLabels != '0' ? '1' : $showLabels; $showWork = w2PgetParam($_POST, 'showWork', '0'); $showWork = $showWork != '0' ? '1' : $showWork; $showWork_days = w2PgetParam($_POST, 'showWork_days', '0'); $showWork_days = $showWork_days != '0' ? '1' : $showWork_days; $printpdf = w2PgetParam($_POST, 'printpdf', '0'); $printpdf = $printpdf != '0' ? '1' : $printpdf; $printpdfhr = w2PgetParam($_POST, 'printpdfhr', '0'); $printpdfhr = $printpdfhr != '0' ? '1' : $printpdfhr; if ($a == 'todo') { if (isset($_POST['show_form'])) { $AppUI->setState('TaskDayShowArc', w2PgetParam($_POST, 'showArcProjs', 0)); $AppUI->setState('TaskDayShowLow', w2PgetParam($_POST, 'showLowTasks', 0)); $AppUI->setState('TaskDayShowHold', w2PgetParam($_POST, 'showHoldProjs', 0));
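// $search_string (presumably read from the request earlier in this file) is
// echoed into HTML attribute context twice below, so escape it once here.
// NOTE(review): if an earlier line already HTML-escapes it, drop that escape
// rather than this one to avoid double encoding.
$search_string_html = htmlspecialchars((string) $search_string, ENT_QUOTES, 'UTF-8');
$titleBlock->addCell('<form name="searchform" action="?m=departments&search_string=' . $search_string_html . '" method="post" accept-charset="utf-8"> <table> <tr> <td> <strong>' . $AppUI->_('Search') . '</strong> <input class="text" type="text" name="search_string" value="' . $search_string_html . '" /><br /> <a href="index.php?m=departments&search_string=-1">' . $AppUI->_('Reset search') . '</a> </td> <td valign="top"> <strong>' . $AppUI->_('Owner filter') . '</strong> ' . $owner_combo . ' </td> </tr> </table> </form>');
$titleBlock->show();
if (isset($_GET['tab'])) {
    // The tab is a numeric index into the tab box (default 0 below); store an
    // int in session state rather than the raw request string.
    $AppUI->setState('DeptIdxTab', (int) w2PgetParam($_GET, 'tab', null));
}
$deptsTypeTab = defVal($AppUI->getState('DeptIdxTab'), 0);
$deptsType = $deptsTypeTab;
// load the department types
$deptTypes = w2PgetSysVal('DepartmentType');
$tabBox = new CTabBox('?m=departments', W2P_BASE_DIR . '/modules/departments/', $deptsTypeTab);
if ($tabBox->isTabbed()) {
    // Tab 0 is the "all" view; the real types follow it in order.
    array_unshift($deptTypes, $AppUI->_('All Departments', UI_OUTPUT_RAW));
}
// tabbed information boxes
foreach ($deptTypes as $deptType) {
    $tabBox->add('vw_depts', $deptType);
}
$tabBox->show();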
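<?php /* TASKS $Id: viewgantt.php,v 1.7.4.8 2006/12/27 18:50:43 gregorerhardt Exp $ */
global $AppUI, $dPconfig, $company_id, $dept_ids, $department, $min_view, $m, $a, $user_id, $tab, $pstatus;
//Secho dPgetConfig( 'jpLocale' );
ini_set('memory_limit', $dPconfig['reset_memory_limit']);
$min_view = defVal(@$min_view, false);
// Record ids from the query string are forced to int before anything reads
// them: the todo branch of this view concatenates $user_id straight into its
// user_tasks join, and $project_id is presumably used the same way.
$project_id = (int) defVal(@$_GET['project_id'], 0);
$user_id = (int) defVal(@$_GET['user_id'], $AppUI->user_id);
// sdate and edate passed as unix time stamps
$sdate = dPgetParam($_POST, 'sdate', 0);
$edate = dPgetParam($_POST, 'edate', 0);
$showInactive = dPgetParam($_POST, 'showInactive', '0');
$showLabels = dPgetParam($_POST, 'showLabels', '0');
$sortTasksByName = dPgetParam($_POST, 'sortTasksByName', '0');
$showAllGantt = dPgetParam($_POST, 'showAllGantt', '0');
$showTaskGantt = dPgetParam($_POST, 'showTaskGantt', '0');
$addPwOiD = dPgetParam($_POST, 'add_pwoid', 0);
//if set GantChart includes user labels as captions of every GantBar
// The three flags below are normalised to the strings '0'/'1'; any non-'0'
// value counts as on.
if ($showLabels != '0') {
    $showLabels = '1';
}
if ($showInactive != '0') {
    $showInactive = '1';
}
if ($showAllGantt != '0') {
    $showAllGantt = '1';
}
if (isset($_POST['proFilter'])) {
    // NOTE(review): stored in session state unvalidated; whatever later reads
    // 'ProjectIdxFilter' must treat it as untrusted input.
    $AppUI->setState('ProjectIdxFilter', $_POST['proFilter']);
}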
// pull valid projects and their percent complete information $q->addTable('projects', 'pr'); $q->addQuery('project_id, project_color_identifier, project_name' . ', project_start_date, project_end_date'); $q->addJoin('tasks', 't1', 'pr.project_id = t1.task_project'); $q->addWhere('project_status != 7'); $q->addGroup('project_id'); $q->addOrder('project_name'); $project->setAllowedSQL($AppUI->user_id, $q); $projects = $q->loadHashList('project_id'); $q->clear(); $caller = defVal(@$_REQUEST['caller'], null); /* gantt is called now by the todo page, too. There is a different filter approach in todo * so we have to tweak a little bit, also we do not have a special project available */ if ($caller == 'todo') { $user_id = defVal(@$_REQUEST['user_id'], $AppUI->user_id); $projects[$project_id]['project_name'] = $AppUI->_('Todo for') . ' ' . dPgetUsernameFromID($user_id); $projects[$project_id]['project_color_identifier'] = 'ff6000'; $q->addTable('tasks', 't'); $q->innerJoin('projects', 'p', 'p.project_id = t.task_project'); $q->innerJoin('user_tasks', 'ut', 'ut.task_id = t.task_id AND ut.user_id = ' . $user_id); $q->leftJoin('user_task_pin', 'tp', 'tp.task_id = t.task_id AND tp.user_id = ' . $user_id); $q->addQuery('t.*, p.project_name, p.project_id, p.project_color_identifier, tp.task_pinned'); $q->addWhere('(t.task_percent_complete < 100 OR t.task_percent_complete IS NULL)'); $q->addWhere('t.task_status = 0'); if (!$showArcProjs) { $q->addWhere('project_status <> 7'); } if (!$showLowTasks) { $q->addWhere('task_priority >= 0'); }
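/**
 * Alternative to protect from XSS attacks.
 *
 * Reads $arr[$name], falling back to $def when the key is absent, and runs
 * the value through filter_xss() before returning it. An array value is
 * cleaned element by element (recursively), keys preserved.
 *
 * @param array      $arr  request array (e.g. $_POST), by reference so nested arrays can be recursed into
 * @param string|int $name key to read
 * @param mixed      $def  default used when the key is missing
 * @return mixed the cleaned value, an untouched "empty" value, or $def
 */
function dPgetCleanParam(&$arr, $name, $def = null)
{
    // isset() first: a missing key must fall through to the default instead of
    // raising an undefined-array-key warning from is_array().
    if (isset($arr[$name]) && is_array($arr[$name])) {
        $val = array();
        foreach (array_keys($arr[$name]) as $key) {
            $val[$key] = dPgetCleanParam($arr[$name], $key, $def);
        }
        return $val;
    }
    // Same reason: read the key guarded, then hand a plain variable to defVal().
    $raw = isset($arr[$name]) ? $arr[$name] : null;
    $val = defVal($raw, $def);
    // '', '0', 0, null and false are returned as-is; none of them can carry markup.
    if (empty($val)) {
        return $val;
    }
    return filter_xss($val);
}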
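$q->addWhere('u.user_contact = con.contact_id');
$owner_list = array(-1 => $AppUI->_('All Users', UI_OUTPUT_RAW)) + $q->loadHashList(); //db_loadHashList($sql);
$owner_combo = arraySelect($owner_list, 'owner_filter_id', 'class="text" onchange="javascript:document.searchform.submit()"', $owner_filter_id, false, true);
// setup the title block
$titleBlock = new CTitleBlock('Companies', 'handshake.png', $m, "{$m}.{$a}");
// $search_string is echoed into attribute context twice (form action and input
// value); dPformSafe() — presumably the HTML escape — is applied at each output.
$titleBlock->addCell('<form name="searchform" action="?m=companies&search_string=' . dPformSafe($search_string) . '" method="post">' . "\n" . '<table><tr><td><strong>' . $AppUI->_('Search') . '</strong><input class="text" type="text" name="search_string" value="' . dPformSafe($search_string) . '" /><br />' . '<a href="index.php?m=companies&search_string=-1">' . $AppUI->_('Reset search') . '</a></td><td valign="top"><strong>' . $AppUI->_('Owner filter') . '</strong> ' . $owner_combo . ' </td></tr></table></form>');
// NOTE(review): addslashes() is not a charset-aware SQL escape; presumably this
// feeds a later LIKE clause, where the DB layer's own quoting (or a bound
// parameter) is the right tool. Left as-is because that clause is outside this block.
$search_string = addslashes($search_string);
if ($canEdit) {
    $titleBlock->addCell('<input type="submit" class="button" value="' . $AppUI->_('new company') . '">', '', '<form action="?m=companies&a=addedit" method="post">', '</form>');
}
$titleBlock->show();
if (isset($_GET['tab'])) {
    // The tab is a numeric index into the tab box (default 0 below); store an
    // int in session state rather than the raw request string.
    $AppUI->setState('CompaniesIdxTab', (int) $_GET['tab']);
}
$companiesTypeTab = defVal($AppUI->getState('CompaniesIdxTab'), 0);
//$tabTypes = array(getCompanyTypeID('Client'), getCompanyTypeID('Supplier'), 0);
$companiesType = $companiesTypeTab;
$tabBox = new CTabBox('?m=companies', DP_BASE_DIR . '/modules/companies/', $companiesTypeTab);
if ($tabbed = $tabBox->isTabbed()) {
    // Slot 0 becomes the "All Companies" tab. An existing entry at slot 0 is
    // moved to the end; otherwise a "Not Applicable" entry is appended.
    $add_na = true;
    if (isset($types[0])) {
        // They have a Not Applicable entry.
        $add_na = false;
        $types[] = $types[0];
    }
    $types[0] = 'All Companies';
    if ($add_na) {
        $types[] = 'Not Applicable';
    }
}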
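/**
 * Alternative to protect from XSS attacks.
 *
 * Reads $arr[$name], falling back to $def when the key is absent, and runs
 * the value through htmLawed() in 'safe' mode before returning it. An array
 * value is cleaned element by element (recursively), keys preserved.
 *
 * @param array      $arr  request array (e.g. $_POST), by reference so nested arrays can be recursed into
 * @param string|int $name key to read
 * @param mixed      $def  default used when the key is missing
 * @return mixed the cleaned value, an untouched "empty" value, or $def
 */
function dPgetCleanParam(&$arr, $name, $def = null)
{
    // isset() first: a missing key must fall through to the default instead of
    // raising an undefined-array-key warning from is_array().
    if (isset($arr[$name]) && is_array($arr[$name])) {
        $val = array();
        foreach (array_keys($arr[$name]) as $key) {
            $val[$key] = dPgetCleanParam($arr[$name], $key, $def);
        }
        return $val;
    }
    // Same reason: read the key guarded, then hand a plain variable to defVal().
    $raw = isset($arr[$name]) ? $arr[$name] : null;
    $val = defVal($raw, $def);
    // '', '0', 0, null and false are returned as-is; none of them can carry markup.
    if (empty($val)) {
        return $val;
    }
    return htmLawed($val, array('safe' => 1));
}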
<?php ## ## holiday module - A dotProject module for keeping track of holidays ## ## Sensorlink AS (c) 2006 ## Vegard Fiksdal (fiksdal@sensorlink.no) ## $holiday_id = defVal(@$_GET["holiday_id"], 0); $holiday_white = defVal(@$_GET["white"], -1); // Create date objects $log_start_date = dPgetParam($_POST, "log_start_date", 0); $log_end_date = dPgetParam($_POST, "log_end_date", 0); $start_date = intval($log_start_date) ? new CDate($log_start_date) : new CDate(); $end_date = intval($log_end_date) ? new CDate($log_end_date) : new CDate(); $holiday_description = dPgetParam($_POST, "holiday_description", ''); $holiday_annual = dPgetParam($_POST, "holiday_annual", 0); $action = @$_REQUEST["action"]; if ($action) { if ($action == "add") { $sql = "INSERT INTO holiday (holiday_description,holiday_start_date,holiday_end_date,holiday_white,holiday_annual) "; $sql .= "VALUES ('"; $sql .= $holiday_description; $sql .= "','"; $sql .= $start_date->format(FMT_DATETIME_MYSQL); $sql .= "','"; $sql .= $end_date->format(FMT_DATETIME_MYSQL); $sql .= "','"; $sql .= $holiday_white; $sql .= "','"; $sql .= $holiday_annual;
if ($project_id > 0) { $criticalTasks = $project->getCriticalTasks($project_id); $project->load($project_id); } // pull valid projects and their percent complete information $q = new DBQuery(); $q->addTable('projects'); $q->addQuery('project_id, project_color_identifier, project_name' . ', project_start_date, project_end_date'); $q->addJoin('tasks', 't1', 'projects.project_id = t1.task_project'); $q->addWhere('project_status != 7'); $q->addGroup('project_id'); $q->addOrder('project_name'); $project->setAllowedSQL($AppUI->user_id, $q); $projects = $q->loadHashList('project_id'); $q->clear(); $caller = defVal(@$_REQUEST['a'], null); /** * if task filtering has been requested create the list of task_ids * which will be used to filter the query */ if ($ganttTaskFilter > 0) { $task_child_search = new CTask(); $task_child_search->peek($ganttTaskFilter); $childrenlist = $task_child_search->getDeepChildren(); $where .= ' t.task_id IN (' . $ganttTaskFilter . ', ' . implode(', ', $childrenlist) . ')'; } // gantt is called now by the todo page, too. There is a different filter approach in todo // so we have to tweak a little bit, also we do not have a special project available if ($caller == 'todo') { // $user_id = defVal( @$_REQUEST['user_id'], 0 ); $projects[$project_id]['project_name'] = $AppUI->_('Todo for') . ' ' . dPgetUsernameFromID($user_id);
<?php /* $Id: addedit.php,v 1.1 2004/03/30 23:21:40 jcgonz Exp $ */ ## ## journal module - a quick hack of the history module by HGS 3/16/2004 ## (c) Copyright ## J. Christopher Pereira (kripper@imatronix.cl) ## IMATRONIX ## $journal_id = defVal(@$_GET["journal_id"], 0); $project_id = intval(dPgetParam($_GET, "project_id", 0)); // check permissions if (!$canEdit) { $AppUI->redirect("m=public&a=access_denied"); } $action = @$_REQUEST["action"]; if ($action) { $journal_description = $_POST["journal_description"]; $journal_project = $_POST["journal_project"]; $userid = $AppUI->user_id; if ($action == "add") { $sql = "INSERT INTO journal (journal_date, journal_description, journal_user, journal_project) " . "VALUES (now(), '{$journal_description}', {$userid}, {$journal_project})"; $okMsg = "journal added"; } else { if ($action == "update") { $sql = "UPDATE journal SET journal_description = '{$journal_description}', journal_project = '{$journal_project}' WHERE journal_id = {$journal_id}"; $okMsg = "journal updated"; } else { if ($action == "del") { $sql = "DELETE FROM journal WHERE journal_id = {$journal_id}"; $okMsg = "journal deleted";
<?php /* TASKS $Id: gantt.php,v 1.47 2005/04/07 00:11:07 jcgonz Exp $ */ /* * Gantt.php - by J. Christopher Pereira * TASKS $Id: gantt.php,v 1.47 2005/04/07 00:11:07 jcgonz Exp $ */ include "{$dPconfig['root_dir']}/lib/jpgraph/src/jpgraph.php"; include "{$dPconfig['root_dir']}/lib/jpgraph/src/jpgraph_gantt.php"; $project_id = defVal(@$_REQUEST['project_id'], 0); $f = defVal(@$_REQUEST['f'], 0); global $showLabels; global $showWork; global $locale_char_set; $showLabels = dPgetParam($_REQUEST, 'showLabels', false); // get the prefered date format $df = $AppUI->getPref('SHDATEFORMAT'); require_once $AppUI->getModuleClass('projects'); $project =& new CProject(); $allowedProjects = $project->getAllowedRecords($AppUI->user_id, 'project_id, project_name'); $criticalTasks = $project_id > 0 ? $project->getCriticalTasks($project_id) : NULL; // pull valid projects and their percent complete information $psql = "\nSELECT project_id, project_color_identifier, project_name, project_start_date, project_end_date\nFROM permissions, projects\nLEFT JOIN tasks t1 ON projects.project_id = t1.task_project\nWHERE project_active <> 0\n" . (count($allowedProjects) ? "AND project_id IN (" . implode(',', array_keys($allowedProjects)) . ')' : '') . "\nGROUP BY project_id\nORDER BY project_name\n"; // echo "<pre>$psql</pre>"; $prc = db_exec($psql); echo db_error(); $pnums = db_num_rows($prc); $projects = array(); for ($x = 0; $x < $pnums; $x++) { $z = db_fetch_assoc($prc); $projects[$z["project_id"]] = $z;