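// Start and end times are also used to clip the times for summary info.
// The "+ 0" coerces the form values to integers before mktime() sees them;
// the resulting report_start/report_end are plain integers (the end bound is
// midnight *after* To_day, so the To date is inclusive), which is why they
// can be spliced straight into the SQL below.
$report_start = mktime(0, 0, 0, $From_month + 0, $From_day + 0, $From_year + 0);
$report_end = mktime(0, 0, 0, $To_month + 0, $To_day + 1, $To_year + 0);

// SQL result will contain the following columns:
// Col Index Description:
//  1   [0]  Entry ID, not displayed -- used for linking to View script.
//  2   [1]  Start time as Unix time_t
//  3   [2]  End time as Unix time_t
//  4   [3]  Entry name or short description, must be HTML escaped
//  5   [4]  Entry description, must be HTML escaped
//  6   [5]  Type, single char mapped to a string
//  7   [6]  Created by (user name or IP addr), must be HTML escaped
//  8   [7]  Creation timestamp, converted to Unix time_t by the database
//  9   [8]  Area name, must be HTML escaped
// 10   [9]  Room name, must be HTML escaped
$sql = "SELECT e.id AS entry_id, e.start_time, e.end_time, e.name, e.description, "
     . "e.type, e.create_by, "
     . sql_syntax_timestamp_to_unix("e.timestamp") . " AS last_updated"
     . ", a.area_name, r.room_name"
     . " FROM {$tbl_entry} e, {$tbl_area} a, {$tbl_room} r"
     . " WHERE e.room_id = r.id AND r.area_id = a.id"
     . " AND e.start_time < {$report_end} AND e.end_time > {$report_start}";

if (!empty($areamatch))
{
  // sql_syntax_caseless_contains() does the SQL escaping
  $sql .= " AND" . sql_syntax_caseless_contains("a.area_name", $areamatch);
}
if (!empty($roommatch))
{
  // sql_syntax_caseless_contains() does the SQL escaping
  $sql .= " AND" . sql_syntax_caseless_contains("r.room_name", $roommatch);
}
if (!empty($typematch))
{
  $sql .= " AND ";
  if (count($typematch) > 1)
  {
    // Each type value is form data that ends up inside a quoted SQL literal,
    // so it is escaped with the database driver's own helper (sql_escape, as
    // used by the other query-building scripts) rather than addslashes():
    // addslashes() is neither backend- nor charset-aware (e.g. a backslash is
    // not an escape character on PostgreSQL with standard_conforming_strings).
    $or_array = array();
    foreach ($typematch as $type)
    {
      $or_array[] = "e.type = '" . sql_escape($type) . "'";
    }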
  }
  // Variable-variable assignment: each form variable named by the enclosing
  // loop (its header is above this excerpt) is read from the request with
  // the type recorded for it, so the rest of the script sees typed values.
  ${$var} = get_form_var($var, $var_type);
}

// Set the field order list
// Fixed columns come first, then any custom fields, then last_updated.
$field_order_list = array('name', 'area_name', 'room_name', 'start_time', 'end_time', 'description', 'type', 'create_by', 'confirmation_enabled', 'approval_enabled');
foreach ($custom_fields as $key => $value)
{
  $field_order_list[] = $key;
}
$field_order_list[] = 'last_updated';

// PHASE 2: SQL QUERY. We do the SQL query now to see if there's anything there
// (this block is still open at the end of the excerpt)
if ($phase == 2)
{
  // Start and end times are also used to clip the times for summary info.
  // "+ 0" coerces the form values to integers before mktime(); the resulting
  // report_start/report_end are integers, so interpolating them into the
  // WHERE clause below does not expose the query to the raw form input.
  // The end bound is midnight after to_day, i.e. the To date is inclusive.
  $report_start = mktime(0, 0, 0, $from_month + 0, $from_day + 0, $from_year + 0);
  $report_end = mktime(0, 0, 0, $to_month + 0, $to_day + 1, $to_year + 0);

  // Construct the SQL query
  $sql = "SELECT E.*, " . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated, " . "A.area_name, R.room_name, " . "A.approval_enabled, A.confirmation_enabled, A.enable_periods";
  if ($output_format == OUTPUT_ICAL)
  {
    // If we're producing an iCalendar then we'll also need the repeat
    // information in order to construct the recurrence rule
    $sql .= ", T.rep_type, T.end_date, T.rep_opt, T.rep_num_weeks, T.month_absolute, T.month_relative";
  }
  $sql .= " FROM {$tbl_area} A, {$tbl_room} R, {$tbl_entry} E";
  if ($output_format == OUTPUT_ICAL)
  {
    // We do a LEFT JOIN because we still want the single entries, ie the ones
    // that won't have a match in the repeat table
    $sql .= " LEFT JOIN {$tbl_repeat} T ON E.repeat_id=T.id";
  }
  // Select every entry overlapping the report window.
  $sql .= " WHERE E.room_id=R.id AND R.area_id=A.id" . " AND E.start_time < {$report_end} AND E.end_time > {$report_start}";
  if ($output_format == OUTPUT_ICAL)
  {
    // We can't export periods in an iCalendar yet
    $sql .= " AND A.enable_periods=0";
display_buttons($row, FALSE); echo "</td>\n"; echo "</tr>\n"; } // Check the user is authorised for this page checkAuthorised(); // Also need to know whether they have admin rights $user = getUserName(); $is_admin = authGetUserLevel($user) >= 2; $user_level = authGetUserLevel($user); print_header($day, $month, $year, $area, isset($room) ? $room : ""); echo "<h1>" . get_vocab("pending") . "</h1>\n"; // Get a list of all bookings awaiting approval // We are only interested in areas where approval is required $sql_approval_enabled = some_area_predicate('approval_enabled'); $sql = "SELECT E.id, E.name, E.room_id, E.start_time, E.create_by, " . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated,\n E.reminded, E.repeat_id,\n M.room_name, M.area_id, A.area_name, A.enable_periods,\n E.info_time AS entry_info_time, E.info_user AS entry_info_user,\n T.info_time AS repeat_info_time, T.info_user AS repeat_info_user\n FROM {$tbl_room} AS M, {$tbl_area} AS A,"; if ($user_level != 0) { $sql .= " mrbs_users U,"; } $sql .= "{$tbl_entry} AS E\n LEFT JOIN {$tbl_repeat} AS T ON E.repeat_id=T.id\n WHERE E.room_id = M.id\n AND M.area_id = A.id\n AND M.disabled = 0\n AND A.disabled = 0\n AND {$sql_approval_enabled}\n AND (E.status&" . STATUS_AWAITING_APPROVAL . " != 0)"; // Ordinary users can only see their own bookings // if (!$is_admin) if ($user_level == 0) { // echo "here0"; $sql .= " AND E.create_by='" . sql_escape($user) . "'"; } if ($user_level > 0) { // echo "here1"; // $sql .= " AND A.area_admin='" . sql_escape($user) . "'"; $sql .= " AND U.name ='" . $user . "' AND U.area_id = A.id"; }
  echo "<td>\n";
  display_buttons($row, FALSE);
  echo "</td>\n";
  echo "</tr>\n";
}


// Check the user is authorised for this page
checkAuthorised();

// Also need to know whether they have admin rights
$user = getUserName();
$is_admin = authGetUserLevel($user) >= 2;

print_header($day, $month, $year, $area, isset($room) ? $room : "");

echo "<h1>" . get_vocab("pending") . "</h1>\n";

// Get a list of all bookings awaiting approval
// We are only interested in areas where approval is required
$sql_approval_enabled = some_area_predicate('approval_enabled');

// Entries LEFT JOINed to their repeat row (single bookings have no match),
// restricted to enabled rooms/areas and to rows with the awaiting-approval
// status bit set.
$sql = "SELECT E.id, E.name, E.room_id, E.start_time, E.create_by, " . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated,\n E.reminded, E.repeat_id,\n M.room_name, M.area_id, A.area_name, A.enable_periods,\n E.info_time AS entry_info_time, E.info_user AS entry_info_user,\n T.info_time AS repeat_info_time, T.info_user AS repeat_info_user\n FROM {$tbl_room} AS M, {$tbl_area} AS A, {$tbl_entry} AS E\n LEFT JOIN {$tbl_repeat} AS T ON E.repeat_id=T.id\n WHERE E.room_id = M.id\n AND M.area_id = A.id\n AND M.disabled = 0\n AND A.disabled = 0\n AND {$sql_approval_enabled}\n AND (E.status&" . STATUS_AWAITING_APPROVAL . " != 0)";

// Ordinary users can only see their own bookings.  The user name goes into a
// quoted literal, hence sql_escape(); its origin depends on the configured
// authentication scheme, so it is not assumed to be quote-free.
if (!$is_admin)
{
  $sql .= " AND E.create_by='" . sql_escape($user) . "'";
}

// We want entries for a series to appear together so that we can display
// them as a separate table below the main entry for the series.
$sql .= " ORDER BY repeat_id, start_time";

$res = sql_query($sql);
if (!$res)
{
  // NOTE(review): sql_error() text is raised as a PHP warning here; with
  // display_errors on, that would show raw database error detail to the
  // browser -- confirm production settings route it to the log only.
  trigger_error(sql_error(), E_USER_WARNING);
  fatal_error(FALSE, get_vocab("fatal_db_error"));
}

if (sql_count($res) == 0)
{
  echo "<p>" . get_vocab("none_outstanding") . "</p>\n";
}
else
{
# Start and end times are also used to clip the times for summary info.
# The window is [midnight starting From_day, midnight after To_day): the
# "+ 1" on To_day makes the To date inclusive.  mktime() returns integers,
# which is what allows them to be spliced into the SQL further down.
$report_start = mktime(0, 0, 0, $From_month, $From_day, $From_year);
$report_end = mktime(0, 0, 0, $To_month, $To_day + 1, $To_year);

# SQL result will contain the following columns:
# Col Index Description:
#  1   [0]  Entry ID, not displayed -- used for linking to View script.
#  2   [1]  Start time as Unix time_t
#  3   [2]  End time as Unix time_t
#  4   [3]  Entry name or short description, must be HTML escaped
#  5   [4]  Entry description, must be HTML escaped
#  6   [5]  Type, single char mapped to a string
#  7   [6]  Created by (user name or IP addr), must be HTML escaped
#  8   [7]  Creation timestamp, converted to Unix time_t by the database
#  9   [8]  Area name, must be HTML escaped
# 10   [9]  Room name, must be HTML escaped
$sql = "SELECT e.id, e.start_time, e.end_time, e.name, e.description, "
     . "e.type, e.create_by, "
     . sql_syntax_timestamp_to_unix("e.timestamp")
     . ", a.area_name, r.room_name"
     . " FROM mrbs_entry e, mrbs_area a, mrbs_room r"
     . " WHERE e.room_id = r.id AND r.area_id = a.id"
     . " AND e.start_time < " . $report_end . " AND e.end_time > " . $report_start;

# Optional free-text filters, appended in this fixed order.  Each helper call
# yields a complete predicate and is relied on to do the SQL escaping, so the
# raw match strings never reach the query directly.
$text_filters = array();
if (!empty($areamatch))
{
  $text_filters[] = sql_syntax_caseless_contains("a.area_name", $areamatch);
}
if (!empty($roommatch))
{
  $text_filters[] = sql_syntax_caseless_contains("r.room_name", $roommatch);
}
if (!empty($namematch))
{
  $text_filters[] = sql_syntax_caseless_contains("e.name", $namematch);
}
if (!empty($descrmatch))
{
  $text_filters[] = sql_syntax_caseless_contains("e.description", $descrmatch);
}
foreach ($text_filters as $predicate)
{
  $sql .= " AND" . $predicate;
}

# Order by Area, Room, Start date/time (positional column numbers from the
# table above):
$sql .= " ORDER BY 9,10,2";

# echo "<p>DEBUG: SQL: <tt> $sql </tt>\n";
$month = date("m"); $year = date("Y"); } if (empty($area)) { $area = get_default_area(); } print_header($day, $month, $year, $area, isset($room) ? $room : ""); if (empty($series)) { $series = 0; } else { $series = 1; } if ($series) { $sql = "\n SELECT {$tbl_repeat}.name,\n {$tbl_repeat}.description,\n {$tbl_repeat}.create_by,\n {$tbl_room}.room_name,\n {$tbl_area}.area_name,\n {$tbl_repeat}.type,\n {$tbl_repeat}.room_id,\n " . sql_syntax_timestamp_to_unix("{$tbl_repeat}.timestamp") . " AS last_updated,\n ({$tbl_repeat}.end_time - {$tbl_repeat}.start_time) AS duration,\n {$tbl_repeat}.start_time,\n {$tbl_repeat}.end_time,\n {$tbl_repeat}.rep_type,\n {$tbl_repeat}.end_date,\n {$tbl_repeat}.rep_opt,\n {$tbl_repeat}.rep_num_weeks\n\n FROM {$tbl_repeat}, {$tbl_room}, {$tbl_area}\n WHERE {$tbl_repeat}.room_id = {$tbl_room}.id\n AND {$tbl_room}.area_id = {$tbl_area}.id\n AND {$tbl_repeat}.id={$id}\n "; } else { $sql = "\n SELECT {$tbl_entry}.name,\n {$tbl_entry}.description,\n {$tbl_entry}.create_by,\n {$tbl_room}.room_name,\n {$tbl_area}.area_name,\n {$tbl_entry}.type,\n {$tbl_entry}.room_id,\n " . sql_syntax_timestamp_to_unix("{$tbl_entry}.timestamp") . " AS last_updated,\n ({$tbl_entry}.end_time - {$tbl_entry}.start_time) AS duration,\n {$tbl_entry}.start_time,\n {$tbl_entry}.end_time,\n {$tbl_entry}.repeat_id\n\n FROM {$tbl_entry}, {$tbl_room}, {$tbl_area}\n WHERE {$tbl_entry}.room_id = {$tbl_room}.id\n AND {$tbl_room}.area_id = {$tbl_area}.id\n AND {$tbl_entry}.id={$id}\n "; } $res = sql_query($sql); if (!$res) { fatal_error(0, sql_error()); } if (sql_count($res) < 1) { fatal_error(0, $series ? get_vocab("invalid_series_id") : get_vocab("invalid_entry_id")); } $row = sql_row_keyed($res, 0); sql_free($res); $name = htmlspecialchars($row['name']); $description = htmlspecialchars($row['description']); $create_by = htmlspecialchars($row['create_by']); $room_name = htmlspecialchars($row['room_name']); $area_name = htmlspecialchars($row['area_name']);
# SQL result will contain the following columns:
# Col Index Description:
#  1   [0]  Entry ID, not displayed -- used for linking to View script.
#  2   [1]  Start time as Unix time_t
#  3   [2]  End time as Unix time_t
#  4   [3]  Entry name or short description, must be HTML escaped
#  5   [4]  Entry description, must be HTML escaped
#  6   [5]  Type, single char mapped to a string
#  7   [6]  Created by (user name or IP addr), must be HTML escaped
#  8   [7]  Creation timestamp, converted to Unix time_t by the database
#  9   [8]  Area name, must be HTML escaped
# 10   [9]  Room name, must be HTML escaped

# $report_start / $report_end are computed before this excerpt; they are
# concatenated into the WHERE clause unquoted and are assumed to be the
# integer results of mktime() (NOTE(review): confirm at the call site).
$select_clause = "SELECT e.id, e.start_time, e.end_time, e.name, e.description, "
               . "e.type, e.create_by, "
               . sql_syntax_timestamp_to_unix("e.timestamp")
               . ", a.area_name, r.room_name";
$from_clause = " FROM mrbs_entry e, mrbs_area a, mrbs_room r";
$where_clause = " WHERE e.room_id = r.id AND r.area_id = a.id"
              . " AND e.start_time < " . $report_end
              . " AND e.end_time > " . $report_start;
$sql = $select_clause . $from_clause . $where_clause;

# Optional case-insensitive text filters.  The helper returns a complete
# predicate and is relied on to escape the match string.
if (!empty($areamatch))
{
  $sql .= " AND" . sql_syntax_caseless_contains("a.area_name", $areamatch);
}
if (!empty($roommatch))
{
  $sql .= " AND" . sql_syntax_caseless_contains("r.room_name", $roommatch);
}
if (!empty($namematch))
{
  $sql .= " AND" . sql_syntax_caseless_contains("e.name", $namematch);
}
if (!empty($descrmatch))
{
  $sql .= " AND" . sql_syntax_caseless_contains("e.description", $descrmatch);
}

# Order by Area, Room, Start date/time:
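# $Id$

# NOTE(review): grab_globals.inc.php is included before config.inc, so it
# presumably imports request parameters (day/month/year/area/id below) into
# the global scope; config.inc then sets $dbsys, which selects the DB layer.
require_once "grab_globals.inc.php";
include "config.inc";
include "functions.inc";
include "{$dbsys}.inc";

#If we dont know the right date then make it up
if (!isset($day) or !isset($month) or !isset($year))
{
  $day = date("d");
  $month = date("m");
  $year = date("Y");
}

if (empty($area))
{
  $area = get_default_area();
}

print_header($day, $month, $year, $area);

# $id comes in from the request and is interpolated into the WHERE clause
# below, so normalise it to an integer first: mrbs_entry.id is an integer
# key, and a non-numeric value becomes 0, matches no row and is reported as
# an invalid entry id rather than reaching the database as raw text.
$id = (int) $id;

$sql = "
SELECT mrbs_entry.name,
       mrbs_entry.description,
       mrbs_entry.create_by,
       mrbs_room.room_name,
       mrbs_area.area_name,
       mrbs_entry.type,
       mrbs_entry.room_id,
       mrbs_entry.repeat_id,
       " . sql_syntax_timestamp_to_unix("mrbs_entry.timestamp") . ",
       (mrbs_entry.end_time - mrbs_entry.start_time),
       mrbs_entry.start_time,
       mrbs_entry.end_time

FROM mrbs_entry, mrbs_room, mrbs_area
WHERE mrbs_entry.room_id = mrbs_room.id
  AND mrbs_room.area_id = mrbs_area.id
  AND mrbs_entry.id={$id}
";

$res = sql_query($sql);
if (!$res)
{
  fatal_error(0, sql_error());
}

if (sql_count($res) < 1)
{
  fatal_error(0, $vocab['invalid_entry_id']);
}

$row = sql_row($res, 0);
sql_free($res);

# Note: Removed stripslashes() calls from name and description. Previous
# versions of MRBS mistakenly had the backslash-escapes in the actual database
# records because of an extra addslashes going on. Fix your database and
# leave this code alone, please.

# HTML-escape once here; column positions follow the SELECT list above.
$name = htmlspecialchars($row[0]);
$description = htmlspecialchars($row[1]);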
$year = date("Y"); } if (empty($area)) { $area = get_default_area(); } if (!getAuthorised(1)) { showAccessDenied($day, $month, $year, $area, isset($room) ? $room : ""); exit; } $user = getUserName(); $is_admin = authGetUserLevel($user) >= 2; print_header($day, $month, $year, $area, isset($room) ? $room : ""); echo "<h1>" . get_vocab("pending") . "</h1>\n"; // Get a list of all the provisional bookings // We are only interested in areas where provisional bookings are enabled $sql = "SELECT E.id, E.name, E.room_id, E.start_time, E.create_by, " . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated,\n E.reminded, E.repeat_id,\n R.room_name, R.area_id, A.area_name\n FROM {$tbl_room} AS R, {$tbl_area} AS A, {$tbl_entry} AS E\n WHERE E.room_id = R.id\n AND R.area_id = A.id\n AND A.provisional_enabled>0\n AND status=" . STATUS_PROVISIONAL; // Ordinary users can only see their own bookings if (!$is_admin) { $sql .= " AND E.create_by='" . addslashes($user) . "'"; } // We want entries for a series to appear together so that we can display // them as a separate table below the main entry for the series. $sql .= " ORDER BY repeat_id, start_time"; $res = sql_query($sql); if (!$res) { fatal_error(0, sql_error()); } if (sql_count($res) == 0) { echo "<p>" . get_vocab("none_outstanding") . "</p>\n"; } else { echo "<table id=\"pending_list\" class=\"admin_table\">\n";
$month = date("m"); $year = date("Y"); } if (empty($area)) { $area = get_default_area(); } print_header($day, $month, $year, $area); if (empty($series)) { $series = 0; } else { $series = 1; } if ($series) { $sql = "\n\tSELECT {$tbl_repeat}.name,\n\t {$tbl_repeat}.description,\n\t {$tbl_repeat}.create_by,\n\t {$tbl_room}.room_name,\n\t {$tbl_area}.area_name,\n\t {$tbl_repeat}.type,\n\t {$tbl_repeat}.room_id,\n\t " . sql_syntax_timestamp_to_unix("{$tbl_repeat}.timestamp") . ",\n\t ({$tbl_repeat}.end_time - {$tbl_repeat}.start_time),\n\t {$tbl_repeat}.start_time,\n\t {$tbl_repeat}.end_time,\n\t {$tbl_repeat}.rep_type,\n\t {$tbl_repeat}.end_date,\n\t {$tbl_repeat}.rep_opt,\n\t {$tbl_repeat}.rep_num_weeks\n\n\tFROM {$tbl_repeat}, {$tbl_room}, {$tbl_area}\n\tWHERE {$tbl_repeat}.room_id = {$tbl_room}.id\n\t\tAND {$tbl_room}.area_id = {$tbl_area}.id\n\t\tAND {$tbl_repeat}.id={$id}\n\t"; } else { $sql = "\n\tSELECT {$tbl_entry}.name,\n\t {$tbl_entry}.description,\n\t {$tbl_entry}.create_by,\n\t {$tbl_room}.room_name,\n\t {$tbl_area}.area_name,\n\t {$tbl_entry}.type,\n\t {$tbl_entry}.room_id,\n\t " . sql_syntax_timestamp_to_unix("{$tbl_entry}.timestamp") . ",\n\t ({$tbl_entry}.end_time - {$tbl_entry}.start_time),\n\t {$tbl_entry}.start_time,\n\t {$tbl_entry}.end_time,\n\t {$tbl_entry}.repeat_id\n\n\tFROM {$tbl_entry}, {$tbl_room}, {$tbl_area}\n\tWHERE {$tbl_entry}.room_id = {$tbl_room}.id\n\t\tAND {$tbl_room}.area_id = {$tbl_area}.id\n\t\tAND {$tbl_entry}.id={$id}\n\t"; } $res = sql_query($sql); if (!$res) { fatal_error(0, sql_error()); } if (sql_count($res) < 1) { fatal_error(0, $series ? get_vocab("invalid_series_id") : get_vocab("invalid_entry_id")); } $row = sql_row($res, 0); sql_free($res); # Note: Removed stripslashes() calls from name and description. Previous # versions of MRBS mistakenly had the backslash-escapes in the actual database # records because of an extra addslashes going on. Fix your database and # leave this code alone, please. 
$name = htmlspecialchars($row[0]);
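// Start and end times are also used to clip the times for summary info.
// The "+ 0" coerces the form values to integers before mktime() sees them;
// the resulting report_start/report_end are plain integers (the end bound is
// midnight *after* To_day, so the To date is inclusive), which is why they
// can be spliced straight into the SQL below.
$report_start = mktime(0, 0, 0, $From_month + 0, $From_day + 0, $From_year + 0);
$report_end = mktime(0, 0, 0, $To_month + 0, $To_day + 1, $To_year + 0);

// SQL result will contain the following columns:
// Col Index Description:
//  1   [0]  Entry ID, not displayed -- used for linking to View script.
//  2   [1]  Start time as Unix time_t
//  3   [2]  End time as Unix time_t
//  4   [3]  Entry name or short description, must be HTML escaped
//  5   [4]  Entry description, must be HTML escaped
//  6   [5]  Type, single char mapped to a string
//  7   [6]  Created by (user name or IP addr), must be HTML escaped
//  8   [7]  Creation timestamp, converted to Unix time_t by the database
//  9   [8]  Area name, must be HTML escaped
// 10   [9]  Room name, must be HTML escaped
$sql = "SELECT E.id AS entry_id, E.start_time, E.end_time, E.name, E.description, "
     . "E.type, E.create_by, "
     . sql_syntax_timestamp_to_unix("E.timestamp") . " AS last_updated"
     . ", A.area_name, R.room_name"
     . " FROM {$tbl_entry} E, {$tbl_area} A, {$tbl_room} R"
     . " WHERE E.room_id = R.id AND R.area_id = A.id"
     . " AND E.start_time < {$report_end} AND E.end_time > {$report_start}";

if (!empty($areamatch))
{
  // sql_syntax_caseless_contains() does the SQL escaping
  $sql .= " AND" . sql_syntax_caseless_contains("A.area_name", $areamatch);
}
if (!empty($roommatch))
{
  // sql_syntax_caseless_contains() does the SQL escaping
  $sql .= " AND" . sql_syntax_caseless_contains("R.room_name", $roommatch);
}
if (!empty($typematch))
{
  $sql .= " AND ";
  if (count($typematch) > 1)
  {
    // Each type value is form data that ends up inside a quoted SQL literal,
    // so it is escaped with the database driver's own helper (sql_escape, as
    // used by the other query-building scripts) rather than addslashes():
    // addslashes() is neither backend- nor charset-aware (e.g. a backslash is
    // not an escape character on PostgreSQL with standard_conforming_strings).
    $or_array = array();
    foreach ($typematch as $type)
    {
      $or_array[] = "E.type = '" . sql_escape($type) . "'";
    }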