Example #1
0
function mystery_display_view_data_page()
{
    global $_MYSTERY;
    // shortcut to make life easier
    $t =& $_MYSTERY['table_info'][$_REQUEST['table']];
    //mystery_print_r($t);
    echo '<h1>Data from ', $t['display_name'], '</h1>';
    $query_string = @$_REQUEST['query_string'];
    if ($query_string == '') {
        // if the admin added a semicolon at the end, strip it
        $query_string = preg_replace('~;\\s*?$~', '', $t['default_query']);
        // if the admin didn't enter a default query, make the simple select *
        if ($query_string == '') {
            $query_string = 'SELECT * FROM ' . $t['real_name'];
        }
    }
    // Make sure that this query is displayable (i.e., contains SELECT)
    if (!preg_match('~^select ~i', $query_string) || preg_match('~into (outfile|dumpfile)~i', $query_string)) {
        mystery_log_violation('Green', 'View data query contained an outfile phrase or did not begin with select - ' . $query_string);
    }
    // Store the value of the $query_string variable without any order_by clauses
    $prev_query_string = $query_string;
    // Check for foreign keys and add data to associative array that can be referenced
    // by the field values later in the script
    if (count($t['foreign_keys'] > 0)) {
        reset($t['foreign_keys']);
        $fk_field_display = array();
        for ($i = 0; $i < count($t['foreign_keys']); $i++) {
            while (list($eds_key, $eds_value) = each($t['foreign_keys'])) {
                $query = 'SELECT DISTINCT ' . mystery_convert_csv_to_concat($t['foreign_keys'][$eds_key]['label']) . ' AS fk_label, ' . $foreign_keys[$eds_key]['value'] . ' AS fk_value FROM ' . $foreign_keys[$eds_key]['table'] . ' ORDER BY fk_label';
                $params = array();
                $result = mystery_select_query($query, $params);
                for ($i = 0; $i < count($result); $i++) {
                    $fk_field_display[$eds_key][$result[$i]['fk_value']] = htmlspecialchars($result[$i]['fk_label']);
                }
            }
        }
    }
    // If the user is a row access user, only grab her rows
    //PAUL, START HERE>>>>
    if ($this_access_type == 'row' && $this_table_owner_key != '') {
        $glue_word = ' WHERE ';
        if (preg_match('~ where ~i', $query_string)) {
            $glue_word = ' AND ';
        }
        $user_term = $this_table_owner_key . '="' . $this_owner_id . '"';
        $where_clause = $glue_word . $user_term;
        if (!preg_match("~{$user_term}~i", $query_string)) {
            $query_string .= $where_clause;
            $glue_word = ' AND ';
        }
    }
    // Set the field to sort the results by and the direction
    if ($order_by == '') {
        $order_by = $this_table_default_order_field;
    }
    if ($reverse_sort == '') {
        $reverse_sort = $this_table_default_reverse_sort;
    }
    if ($reverse_sort == 'yes') {
        $desc = ' DESC';
    } else {
        $desc = '';
    }
    if ($order_by != '') {
        $query_string .= ' ORDER BY ' . $order_by . $desc;
    }
    if ($in_admin_group == 'yes') {
        echo '<p><small>', $query_string, '</small></p>';
    }
    // Perform the query
    $result = mysql_query($query_string, $dbh);
    $error_message = mysql_error();
    // Show an error if one occurs now
    if ($error_message != '') {
        $error_message = mysql_errno() . ': ' . $error_message;
        echo '<p><span class="error">ERROR: ', $error_message, '</span></p>';
    }
}
Example #2
0
function mystery_get_table_configuration($table_id)
{
    // this function gets the configuration information for a particular
    // table and places it in the $_MYSTERY['table_info'] array.  If the
    // info already exists, the function just returns.
    global $_MYSTERY;
    // put in an array like this $tables[$table_id]['key'] = $value;
    if (isset($_MYSTERY['table_info'][$table_id])) {
        return;
    }
    // Query to see if this user has access to this table.
    if ($_SESSION['is_administrator'] == 'yes') {
        $query = 'SELECT * FROM ' . $_MYSTERY['table_prefix'] . 'tables WHERE table_id = ?';
        $params = array($table_id);
    } else {
        $query = 'SELECT * FROM ' . $_MYSTERY['table_prefix'] . 'groups_tables AS gtt LEFT JOIN ' . $_MYSTERY['table_prefix'] . 'tables AS tt ON gtt.table_id=tt.table_id WHERE gtt.table_id = ? AND group_id IN ("' . implode('","', $_SESSION['user_groups']) . '") ORDER BY access_type DESC';
        $params = array($table_id);
    }
    $table_info = mystery_select_query($query, $params);
    if (count($table_info) == 0) {
        // user has selected a table that he doesn't have access to.  Bad user...
        mystery_log_violation('Purple', 'User entered a table_id they did not have access to');
    }
    // We only get the first row.  If a user is in more than one group that has access to
    // this table, results will be unpredictable.  The results are sorted by type, so if a
    // user has table access in one of the groups, it should show up above the row level access.
    $_MYSTERY['table_info'][$table_id]['database'] = $table_info[0]['table_database'];
    $_MYSTERY['table_info'][$table_id]['real_name'] = $table_info[0]['table_real_name'];
    $_MYSTERY['table_info'][$table_id]['display_name'] = $table_info[0]['table_display_name'];
    $_MYSTERY['table_info'][$table_id]['display_comment'] = $table_info[0]['table_display_comment'];
    $_MYSTERY['table_info'][$table_id]['display_data_word'] = $table_info[0]['table_display_data_word'];
    $_MYSTERY['table_info'][$table_id]['display_field_type'] = $table_info[0]['table_display_field_type'];
    $_MYSTERY['table_info'][$table_id]['display_functions'] = $table_info[0]['table_display_functions'];
    $_MYSTERY['table_info'][$table_id]['default_action'] = $table_info[0]['table_default_action'];
    $_MYSTERY['table_info'][$table_id]['default_query'] = $table_info[0]['table_default_query'];
    $_MYSTERY['table_info'][$table_id]['default_order_field'] = $table_info[0]['table_default_order_field'];
    $_MYSTERY['table_info'][$table_id]['default_reverse_sort'] = $table_info[0]['table_default_reverse_sort'];
    $_MYSTERY['table_info'][$table_id]['default_display'] = $table_info[0]['table_default_display'];
    $_MYSTERY['table_info'][$table_id]['default_display_fields'] = $table_info[0]['table_default_display_fields'];
    $_MYSTERY['table_info'][$table_id]['default_display_rows'] = $table_info[0]['table_default_display_rows'];
    $_MYSTERY['table_info'][$table_id]['default_display_width'] = $table_info[0]['table_default_display_width'];
    $_MYSTERY['table_info'][$table_id]['primary_key'] = $table_info[0]['table_primary_key'];
    $_MYSTERY['table_info'][$table_id]['owner_key'] = $table_info[0]['table_owner_key'];
    $_MYSTERY['table_info'][$table_id]['owner_type'] = $table_info[0]['table_owner_type'];
    $_MYSTERY['table_info'][$table_id]['is_many_to_many'] = $table_info[0]['table_is_many_to_many'];
    if ($_SESSION['is_administrator'] == 'yes') {
        // allow administrator all access
        $_MYSTERY['table_info'][$table_id]['access_type'] = 'table';
        $_MYSTERY['table_info'][$table_id]['select_access'] = 'yes';
        $_MYSTERY['table_info'][$table_id]['insert_access'] = 'yes';
        $_MYSTERY['table_info'][$table_id]['update_access'] = 'yes';
        $_MYSTERY['table_info'][$table_id]['delete_access'] = 'yes';
        $_MYSTERY['table_info'][$table_id]['effective_group_id'] = '1';
    } else {
        // set access depending on the user's group's permissions
        $_MYSTERY['table_info'][$table_id]['access_type'] = $table_info[0]['access_type'];
        $_MYSTERY['table_info'][$table_id]['select_access'] = $table_info[0]['select_access'];
        $_MYSTERY['table_info'][$table_id]['insert_access'] = $table_info[0]['insert_access'];
        $_MYSTERY['table_info'][$table_id]['update_access'] = $table_info[0]['update_access'];
        $_MYSTERY['table_info'][$table_id]['delete_access'] = $table_info[0]['delete_access'];
        $_MYSTERY['table_info'][$table_id]['effective_group_id'] = $table_info[0]['group_id'];
    }
    if ($_MYSTERY['table_info'][$table_id]['select_access'] != 'yes' && $_MYSTERY['table_info'][$table_id]['insert_access'] != 'yes' && $_MYSTERY['table_info'][$table_id]['update_access'] != 'yes' && $_MYSTERY['table_info'][$table_id]['delete_access'] != 'yes') {
        mystery_display_user_error('Cannot access ' . $_MYSTERY['word_that_means_table']);
        echo '
		<p>The groups that you are a member of do not have any access to 
		the ' . $_MYSTERY['word_that_means_table'] . ': 
		' . $_MYSTERY['table_info'][$table_id]['display_name'] . '</p>
		';
        mystery_display_admin_contact_info();
        mystery_footer();
    }
    // Get all of the related items for this table
    mystery_get_table_owners_list($table_id);
    mystery_get_table_custom_menu_items($table_id);
    mystery_get_table_custom_actions($table_id);
    mystery_get_table_foreign_keys($table_id);
    mystery_get_table_hidden_fields($table_id);
    mystery_get_table_view_only_fields($table_id);
    mystery_get_table_binary_fields($table_id);
    mystery_get_table_custom_triggers($table_id);
    mystery_get_table_related_tables($table_id);
    mystery_get_table_portal_relation_1($table_id);
    mystery_get_table_portal_relation_2($table_id);
}