 /**
  * Read the requested item type from the "itemType" cookie.
  *
  * The value is handed back exactly as received; the only vetting is the
  * is_pos_int() check, so callers rely on that helper having accepted it.
  *
  * @return string The raw cookie value once is_pos_int() accepted it
  * @throws Exception when the cookie is absent or fails is_pos_int()
  */
 protected function getTarget()
 {
     $hasType = isset($_COOKIE['itemType']) && is_pos_int($_COOKIE['itemType']);
     if (!$hasType) {
         throw new Exception('No cookies found. Import aborted.');
     }
     return $_COOKIE['itemType'];
 }
 /**
  * Main loop: split the space-separated id list, validate every id,
  * build one CSV line per id, then write the CSV file.
  *
  * @throws Exception when an id does not pass is_pos_int()
  */
 private function loopIdArr()
 {
     $this->idArr = explode(" ", $this->idList);
     // iterate over a local copy so the callees cannot disturb the walk
     $ids = $this->idArr;
     $total = count($ids);
     for ($i = 0; $i < $total; $i++) {
         $currentId = $ids[$i];
         // one bad id aborts the whole export before anything is written
         if (!is_pos_int($currentId)) {
             throw new Exception('Bad id.');
         }
         $this->checkVisibility($currentId);
         $this->initData($currentId);
         $this->setUrl($currentId);
         $this->addLine();
     }
     $this->writeCsv();
 }
 /**
  * Validate the id held in $this->id.
  *
  * @throws Exception if the id does not pass is_pos_int()
  */
 private function validateId()
 {
     $isValid = is_pos_int($this->id);
     if ($isValid) {
         return;
     }
     throw new Exception('Bad id!');
 }
    $sql = "SELECT name FROM team_groups WHERE id = :id";
    $visreq = $pdo->prepare($sql);
    $visreq->bindParam(':id', $data['visibility']);
    $visreq->execute();
    $visibility = $visreq->fetchColumn();
} else {
    $visibility = $data['visibility'];
}
// Check id is owned by connected user to show read only message if not
if ($data['userid'] != $_SESSION['userid']) {
    // Can the user see this experiment which is not his ?
    if ($data['visibility'] == 'user') {
        display_message('error', _("<strong>Access forbidden:</strong> the visibility setting of this experiment is set to 'owner only'."));
        require_once 'inc/footer.php';
        exit;
    } elseif (is_pos_int($data['visibility'])) {
        // the visibility of this experiment is set to a group
        // we must check if current user is in this group
        $sql = "SELECT DISTINCT userid FROM users2team_groups WHERE groupid = :groupid";
        $team_group_req = $pdo->prepare($sql);
        $team_group_req->bindParam(':groupid', $data['visibility']);
        $team_group_req->execute();
        $auth_users_arr = array();
        while ($auth_users = $team_group_req->fetch()) {
            $auth_users_arr[] = $auth_users['userid'];
        }
        if (!in_array($_SESSION['userid'], $auth_users_arr)) {
            display_message('error', _("<strong>Access forbidden:</strong> you don't have the rights to access this."));
            require_once 'inc/footer.php';
            exit;
        }
*    warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR                    *
*    PURPOSE.  See the GNU Affero General Public License for more details.      *
*                                                                               *
*    You should have received a copy of the GNU Affero General Public           *
*    License along with eLabFTW.  If not, see <http://www.gnu.org/licenses/>.   *
*                                                                               *
********************************************************************************/
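require_once 'inc/common.php';
// Check id is valid and assign it to $id
if (isset($_POST['id']) && is_pos_int($_POST['id'])) {
    $id = $_POST['id'];
} else {
    die("The id parameter in the URL isn't a valid link ID");
}
// Check item_id is valid and assign it to $item_id
if (isset($_POST['item_id']) && is_pos_int($_POST['item_id'])) {
    $item_id = $_POST['item_id'];
} else {
    die("The item id parameter in the URL isn't valid!");
}
// Check item_id is owned by connected user.
// The id is bound as a parameter instead of being concatenated into the query text:
// is_pos_int() already vets it, but the lookup should not depend on that helper
// being the only thing between the request and the SQL.
$sql = "SELECT userid_creator FROM experiments WHERE id = :item_id";
$req = $bdd->prepare($sql);
$req->bindValue(':item_id', (int) $item_id, PDO::PARAM_INT);
$req->execute();
$data = $req->fetch();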
if ($data['userid_creator'] == $_SESSION['userid']) {
    // SQL for DELETE TAG
    $sql = "DELETE FROM experiments_links WHERE id=" . $id;
    $req = $bdd->prepare($sql);
    $result = $req->execute();
    if (!$result) {
         } else {
             echo "<div id='search_count'>" . $count . " results</div>";
         }
         echo "<div class='search_results_div'>";
         // Display results
         echo "<hr>";
         foreach ($results_id as $id) {
             showXP($id, $_SESSION['prefs']['display']);
         }
     } else {
         // no results
         $message = "Sorry, I couldn't find anything :(";
         echo display_message('error', $message);
     }
     // DATABASE ADVANCED SEARCH
 } elseif (is_pos_int($_REQUEST['type'])) {
     // SQL
     // the BETWEEN stuff makes the date mandatory, so we switch the $sql with/without date
     if (isset($_REQUEST['to']) && !empty($_REQUEST['to'])) {
         $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%' AND date BETWEEN '{$from}' AND '{$to}'";
     } elseif (isset($_REQUEST['from']) && !empty($_REQUEST['from'])) {
         $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%' AND date BETWEEN '{$from}' AND '991212'";
     } else {
         // no date input
         $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%'";
     }
     $req = $bdd->prepare($sql);
     $req->execute(array('type' => $_REQUEST['type']));
     $count = $req->rowCount();
     if ($count > 0) {
         // make array of results id
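// Check id is valid and assign it to $id
if (isset($_GET['id']) && !empty($_GET['id']) && is_pos_int($_GET['id'])) {
    $id = $_GET['id'];
} else {
    die(_("The id parameter is not valid!"));
}
// Resolve the target table from the type parameter. A missing parameter is treated
// like an unknown one (reading $_GET['type'] unguarded only raised a notice before
// falling through to the same die()).
$requestedType = isset($_GET['type']) ? $_GET['type'] : '';
if ($requestedType === 'exp') {
    $type = 'experiments';
} elseif ($requestedType === 'db') {
    $type = 'items';
} else {
    die(_("The type parameter is not valid."));
}
// this function will return the ID of the new experiment
// or 0 if it failed somewhere
$newid = duplicate_item($id, $type);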
if (is_pos_int($newid)) {
    if ($type === 'experiments') {
        $msg_arr[] = _('Experiment successfully duplicated.');
        $_SESSION['infos'] = $msg_arr;
        header('location: ../experiments.php?mode=edit&id=' . $newid . '');
        exit;
    } else {
        $msg_arr[] = _('Database entry successfully duplicated.');
        $_SESSION['infos'] = $msg_arr;
        header('location: ../database.php?mode=edit&id=' . $newid . '');
        exit;
    }
} else {
    $msg_arr[] = sprintf(_("There was an unexpected problem! Please %sopen an issue on GitHub%s if you think this is a bug."), "<a href='https://github.com/elabftw/elabftw/issues/'>", "</a>");
    $_SESSION['errors'] = $msg_arr;
    header('location: ../experiments.php');
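/**
 * Check visibility for an experiment.
 *
 * @param string $input The visibility: one of the named levels, or a team group id
 * @return string The input if it is a known level or passes is_pos_int(), 'team' otherwise
 */
function check_visibility($input)
{
    $valid_visibility = array('public', 'organization', 'team', 'user');
    // strict in_array(): with loose comparison a non-string value (0, true) could match a level name
    if (in_array($input, $valid_visibility, true) || is_pos_int($input)) {
        return $input;
    }
    // default is team
    return 'team';
}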
    </div>
</div>

<?php 
// CODE TO IMPORT CSV
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $row = 0;
    $inserted = 0;
    $column = array();
    // open the file
    $handle = fopen($_FILES['csvfile']['tmp_name'], 'r');
    if ($handle == false) {
        die('Could not open the file.');
    }
    // get what type we want
    if (isset($_COOKIE['itemType']) && is_pos_int($_COOKIE['itemType'])) {
        $type = $_COOKIE['itemType'];
    } else {
        die('No cookies found');
    }
    // loop the lines
    while ($data = fgetcsv($handle, 0, ",")) {
        $num = count($data);
        // get the column names (first line)
        if ($row == 0) {
            for ($i = 0; $i < $num; $i++) {
                $column[] = $data[$i];
            }
            $row++;
            continue;
        }
}
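if (isset($_GET['filter'])) {
    // a filter is only honoured when is_pos_int() accepts it; it is cast on the way into
    // the SQL fragment so that only digits can ever reach the query text
    if ($_GET['filter'] !== '' && is_pos_int($_GET['filter'])) {
        $filter = "AND st.id = '" . (int) $_GET['filter'] . "' ";
    }
}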
// SQL for showXP
// reminder : order by and sort must be passed to the prepare(), not during execute()
// SEARCH
if (isset($_GET['q'])) {
    // if there is a query
    $search_type = 'query';
    $query = filter_var($_GET['q'], FILTER_SANITIZE_STRING);
    $results_arr = search_item('xp', $query, $_SESSION['userid']);
    // RELATED
} elseif (isset($_GET['related']) && is_pos_int($_GET['related'])) {
    // search for related experiments to DB item id
    $search_type = 'related';
    $item_id = $_GET['related'];
    // search in title date and body
    $sql = "SELECT item_id FROM experiments_links\n        WHERE link_id = :link_id LIMIT 100";
    $req = $pdo->prepare($sql);
    $req->execute(array('link_id' => $item_id));
    while ($data = $req->fetch()) {
        $results_arr[] = $data['item_id'];
    }
    // TAG SEARCH
} elseif (isset($_GET['tag']) && !empty($_GET['tag'])) {
    $search_type = 'tag';
    $tag = filter_var($_GET['tag'], FILTER_SANITIZE_STRING);
    $sql = "SELECT ex.id, ex.date, ex.title, st.name, ta.item_id\n        FROM experiments AS ex, experiments_tags AS ta, status AS st\n        WHERE ex.userid = :userid\n        AND ta.userid = :userid\n        AND ex.status = st.id\n        AND st.team = :teamid\n        AND ex.id = ta.item_id\n        AND ta.tag LIKE :tag\n        " . $filter . "\n        ORDER BY {$order} {$sort}\n        LIMIT 100";
 // Every mail setting falls back to an empty string when it was not posted.
 $mail_from = isset($_POST['mail_from']) ? filter_var($_POST['mail_from'], FILTER_SANITIZE_EMAIL) : '';
 $smtp_address = isset($_POST['smtp_address']) ? filter_var($_POST['smtp_address'], FILTER_SANITIZE_STRING) : '';
 $smtp_encryption = isset($_POST['smtp_encryption']) ? filter_var($_POST['smtp_encryption'], FILTER_SANITIZE_STRING) : '';
 // the port is kept as received only when is_pos_int() accepts it; no other filtering is applied
 $smtp_port = (isset($_POST['smtp_port']) && is_pos_int($_POST['smtp_port'])) ? $_POST['smtp_port'] : '';
 $smtp_username = isset($_POST['smtp_username']) ? filter_var($_POST['smtp_username'], FILTER_SANITIZE_STRING) : '';
 // the password is stored encrypted in the database, so it is encrypted here instead of sanitised
 $smtp_password = isset($_POST['smtp_password']) ? $crypto->encrypt($_POST['smtp_password']) : '';
 /**
  * Loop on each id and add it to our zip archive.
  * This could be called the main function: it validates every id, adds it
  * to the archive, writes the JSON part, closes the zip and checks the file exists.
  *
  * @throws Exception If an id fails is_pos_int(), or if the zip file is missing afterwards
  */
 private function loopIdArr()
 {
     $ids = explode(" ", $this->idList);
     $this->idArr = $ids;
     foreach ($ids as $currentId) {
         // one bad id aborts the whole archive
         if (!is_pos_int($currentId)) {
             throw new Exception('Bad id.');
         }
         $this->addToZip($currentId);
     }
     $this->addJson();
     $this->zip->close();
     // the archive only counts as done when the file actually exists on disk
     if (is_file($this->filePath)) {
         return;
     }
     throw new Exception(_('Error making the zip archive!'));
 }
*                                                                               *
*    You should have received a copy of the GNU Affero General Public           *
*    License along with eLabFTW.  If not, see <http://www.gnu.org/licenses/>.   *
*                                                                               *
********************************************************************************/
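require_once '../inc/common.php';
/*
   we receive the file in $_FILES['file']. The array looks like that :
   name : filename.pdf
   type : "application/pdf"
   tmp_name "/tmp/phpLzaurte"
   error : 0
   size 134482
*/
// check the item_id: a missing parameter is rejected the same way as a bad one
// (reading $_GET['item_id'] unguarded only raised a notice before is_pos_int() saw null)
if (isset($_GET['item_id']) && is_pos_int($_GET['item_id'])) {
    $item_id = $_GET['item_id'];
} else {
    die('Bad ID');
}
// are we uploading for an experiment or a database item ?
// only the two known table names are accepted, so $type is safe to reuse as an identifier later on
if (isset($_GET['type']) && ($_GET['type'] === 'experiments' || $_GET['type'] === 'items')) {
    $type = $_GET['type'];
} else {
    die('Bad type');
}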
if ($type === 'experiments') {
    // we check that the user owns the experiment before adding things to it
    if (!is_owned_by_user($item_id, 'experiments', $_SESSION['userid'])) {
        die('Not your experiment');
    }
if ($type === 'items') {
    $location = 'database';
    // check item is in team
    if (!item_is_in_team($id, $_SESSION['team_id'])) {
        $msg_arr[] = _('This section is out of your reach.');
        $errflag = true;
    }
} elseif (!is_owned_by_user($id, 'experiments', $_SESSION['userid'])) {
    // not a database item: the connected user has to own the experiment
    $msg_arr[] = _('This section is out of your reach.');
    $errflag = true;
}
// THE RESTORE ACTION
if (isset($_GET['action']) && $_GET['action'] === 'restore' && is_pos_int($_GET['rev_id'])) {
    // we don't update if the item is locked
    $sql = "SELECT locked FROM " . $type . " WHERE id = :id";
    $req = $pdo->prepare($sql);
    $req->bindParam(':id', $id, PDO::PARAM_INT);
    $req->execute();
    $locked = $req->fetch();
    if ($locked['locked'] == 1) {
        $msg_arr = _('You cannot restore a revision of a locked item!');
        $errflag = true;
    }
    if (!$errflag) {
        // get the body of the restored time
        $sql = "SELECT body FROM " . $type . "_revisions WHERE id = :rev_id";
        $req = $pdo->prepare($sql);
        $req->bindParam(':rev_id', $_GET['rev_id'], PDO::PARAM_INT);
                <script type="text/javascript" src="js/chemdoodleweb/ChemDoodleWeb-libs.js"></script>
                <script type="text/javascript" src="js/chemdoodleweb/ChemDoodleWeb.js"></script>
                    
    <!-- these are required by the SketcherCanvas plugin -->
                <script type="text/javascript" src="js/chemdoodleweb/sketcher/jquery-ui-1.9.2.custom.min.js"></script>
                <script type="text/javascript" src="js/chemdoodleweb/sketcher/ChemDoodleWeb-sketcher.js"></script>

    <!-- now all the slickgrid stuff-->


                <script type="text/javascript" src="js/chem-editors.js"></script>    
                <script type="text/javascript" src="js/chem-formatters.js"></script>     
                <script type="text/javascript" src="js/chemistry-functions.js"></script> 
<?php 
// ID
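// ID
// a registration id must pass is_pos_int(); the only other accepted case is mode=create,
// where 0 stands for "new record". Both branches leave an int in $id so that the
// `$id > 0` test that follows compares numbers rather than a string against an int.
if (isset($_GET['regid']) && !empty($_GET['regid']) && is_pos_int($_GET['regid'])) {
    $id = (int) $_GET['regid'];
} elseif (isset($_REQUEST['mode']) && $_REQUEST['mode'] === 'create') {
    $id = 0;
} else {
    die("The id parameter in the URL isn't a valid registration ID.");
}
$parentregno = '';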
if ($id > 0) {
    $sql = "SELECT reg.cpd_id, reg.regno, reg.no_structure, reg.validated, reg.userid_entrant, reg.userid_registrar, reg.is_salt, \n    reg.parent_regid, cpd.name, cpd.cas_number, cpd.pubchem_id,\n    cpd.chemspider_id, cpd.notes, cpd.iupac_name, prop.mwt, prop.exact_mass, prop.formula, prop.is_chiral, prop.density, 1d.inchi\n     FROM compound_registry AS reg JOIN compounds AS cpd ON reg.cpd_id = cpd.id JOIN compound_properties AS prop\n            ON reg.cpd_id = prop.compound_id JOIN 1D_structures AS 1d ON reg.cpd_id = 1d.compound_id WHERE reg.id = :id";
    $req = $bdd->prepare($sql);
    $req->execute(array('id' => $id));
    $reg_data = $req->fetch();
    $cpdid = $reg_data['cpd_id'];
         $url = str_replace('app/editinplace.php', 'experiments.php', $url);
         $full_url = $url . "?mode=view&id=" . $id;
         $footer = "\n\n~~~\nSent from eLabFTW http://www.elabftw.net\n";
         $message = Swift_Message::newInstance()->setSubject(_('[eLabFTW] New comment posted'))->setFrom(array(get_config('mail_from') => 'eLabFTW'))->setTo(array($users['email'] => 'Admin eLabFTW'))->setBody(sprintf(_('Hi. %s %s left a comment on your experiment. Have a look: %s'), $commenter['firstname'], $commenter['lastname'], $full_url) . $footer);
         $mailer = getMailer();
         // SEND EMAIL
         try {
             $mailer->send($message);
         } catch (Exception $e) {
             dblog('Error', 'smtp', $e->getMessage());
             exit;
         }
     }
 } else {
     // UPDATE OF EXISTING COMMENT
     if ($id_arr[0] === 'expcomment' && is_pos_int($id_arr[1])) {
         $id = $id_arr[1];
         // Update comment
         if ($_POST['expcomment'] != '' && $_POST['expcomment'] != ' ') {
             // we must first check
             $expcomment = filter_var($_POST['expcomment'], FILTER_SANITIZE_STRING);
             // SQL to update single exp comment
             $sql = "UPDATE experiments_comments SET\n                        comment = :new_comment,\n                        datetime = :now\n                        WHERE id = :id";
             $req = $pdo->prepare($sql);
             $req->execute(array('new_comment' => $expcomment, 'now' => date("Y-m-d H:i:s"), 'id' => $id));
         } else {
             // Submitted comment is empty
             // Get old comment
             $sql = "SELECT comment FROM experiments_comments WHERE id = :id";
             $req = $pdo->prepare($sql);
             $req->execute(array('id' => $id));
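/**
 * Check if the date is valid.
 *
 * The expected format is YYYYMMDD (8 digits). Month and day are checked with
 * checkdate() for that year, so a day that does not exist in the month (e.g. 31 April)
 * is rejected instead of only being range-checked against 12 and 31.
 *
 * @param int|string $input The date to check, as YYYYMMDD
 * @return int|string $input The input date if it's valid, or the date of today (kdate()) if not
 */
function check_date($input)
{
    // Check DATE (is != null ? is 8 in length ? is int ? is valable ?)
    // strict length comparison: strlen() returns an int, the old `== '8'` relied on juggling
    if (empty($input) || strlen($input) !== 8 || !is_pos_int($input)) {
        return kdate();
    }
    $dateyear = (int) substr($input, 0, 4);
    $datemonth = (int) substr($input, 4, 2);
    $dateday = (int) substr($input, 6, 2);
    // Check if day/month are good for that year
    if (checkdate($datemonth, $dateday, $dateyear)) {
        // SUCCESS on every test
        return $input;
    }
    return kdate();
}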
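// Check id is valid and assign it to $id; a missing parameter is refused like a bad one
if (isset($_POST['id']) && is_pos_int($_POST['id'])) {
    $id = $_POST['id'];
} else {
    die(_("The id parameter is not valid!"));
}
// we update the name of a team via sysconfig.php
if (isset($_POST['team_name'])) {
    $team_name = filter_var($_POST['team_name'], FILTER_SANITIZE_STRING);
    $sql = "UPDATE teams\n        SET team_name = :team_name\n        WHERE team_id = :team_id";
    $req = $pdo->prepare($sql);
    // nothing is reported back: the request ends here whether or not the update went through
    $req->execute(array('team_name' => $team_name, 'team_id' => $id));
    exit;
}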
// we only update status
if (isset($_POST['status'])) {
    if (is_pos_int($_POST['status'])) {
        $status = $_POST['status'];
    } else {
        exit;
    }
    $sql = "UPDATE experiments \n        SET status = :status \n        WHERE userid = :userid \n        AND id = :id";
    $req = $pdo->prepare($sql);
    $result = $req->execute(array('status' => $status, 'userid' => $_SESSION['userid'], 'id' => $id));
    // we only update visibility
} elseif (isset($_POST['visibility'])) {
    // will return 'team' in case of wrong visibility
    $visibility = check_visibility($_POST['visibility']);
    $sql = "UPDATE experiments \n        SET visibility = :visibility \n        WHERE userid = :userid \n        AND id = :id";
    $req = $pdo->prepare($sql);
    $result = $req->execute(array('visibility' => $visibility, 'userid' => $_SESSION['userid'], 'id' => $id));
    // or we update date, title, and body
     }
     // if you select from two tables but one is empty, as it makes a cross join, no results will be returned
     // on a fresh install, if there is no tags, it will not find anything
     // so we make a left join
     // https://stackoverflow.com/questions/3171276/select-multiple-tables-when-one-table-is-empty-in-mysql
     $sql = "SELECT exp.* FROM experiments as exp LEFT JOIN experiments_tags as exptag ON 1=1 WHERE" . $sqlFirst . $sqlTitle . $sqlBody . $sqlTag . $sqlStatus . $sqlDate . $sqlGroup;
     $req = $pdo->prepare($sql);
     // if there is a selection on 'owned by', we use the owner id as parameter
     if ($owner_search) {
         $req->execute(array('userid' => $owner));
     } else {
         $req->execute(array('userid' => $_SESSION['userid']));
     }
     $search_type = 'experiments';
     // DATABASE SEARCH
 } elseif (is_pos_int($_GET['type']) || $_GET['type'] === 'database') {
     // we want only stuff from our team
     $sqlTeam = " AND i.team = " . $_SESSION['team_id'];
     // display entire team database
     if ($_GET['type'] === 'database' && empty($title) && empty($body) && empty($tags) && empty($status) && empty($rating) && empty($from) && empty($to)) {
         $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN items_tags as itag ON 1=1 WHERE i.id > 0";
     } elseif ($_GET['type'] === 'database') {
         $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN items_tags as itag ON 1=1 WHERE i.id > 0";
     } else {
         $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN  items_tags as itag ON 1=1 WHERE type = :type";
     }
     $sql = $sqlFirst . $sqlTeam . $sqlTitle . $sqlBody . $sqlTag . $sqlRating . $sqlDate . $sqlGroup;
     $req = $pdo->prepare($sql);
     if ($_GET['type'] === 'database') {
         $req->execute();
     } else {
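$msg_arr = array();
$creator = new \Elabftw\Elabftw\Create();
// Check ID
if (isset($_GET['id']) && !empty($_GET['id']) && is_pos_int($_GET['id'])) {
    $id = $_GET['id'];
} else {
    die(_("The id parameter is not valid!"));
}
// the type decides which duplicate method is called; a missing or unknown type aborts.
// The validated $id is what gets passed on, not the raw $_GET['id'] it was checked from.
$requestedType = isset($_GET['type']) ? $_GET['type'] : '';
if ($requestedType === 'exp') {
    $new_id = $creator->duplicateExperiment($id);
} elseif ($requestedType === 'db') {
    $new_id = $creator->duplicateItem($id);
} else {
    die(_("The type parameter is not valid."));
}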
if (is_pos_int($new_id)) {
    if ($_GET['type'] === 'exp') {
        $msg_arr[] = _('Experiment successfully duplicated.');
        $_SESSION['infos'] = $msg_arr;
        header('location: ../experiments.php?mode=edit&id=' . $new_id . '');
        exit;
    } else {
        $msg_arr[] = _('Database entry successfully duplicated.');
        $_SESSION['infos'] = $msg_arr;
        header('location: ../database.php?mode=edit&id=' . $new_id . '');
        exit;
    }
} else {
    $msg_arr[] = sprintf(_("There was an unexpected problem! Please %sopen an issue on GitHub%s if you think this is a bug."), "<a href='https://github.com/elabftw/elabftw/issues/'>", "</a>");
    $_SESSION['errors'] = $msg_arr;
    header('location: ../experiments.php');
// What do we create ?
// !empty() already implies isset(), so the guard is written once per branch
if (!empty($_GET['type']) && is_pos_int($_GET['type'])) {
    // $type is int for DB items
    $type = $_GET['type'];
} elseif (!empty($_GET['type']) && $_GET['type'] === 'exp') {
    $type = 'experiments';
} else {
    // unknown type: store the message for the next page and leave
    $msg_arr[] = _('Wrong item type!');
    $_SESSION['infos'] = $msg_arr;
    header('location: ../index.php');
    exit;
}
if ($type === 'experiments') {
    $elabid = generate_elabid();
    // do we want template ?
    if (isset($_GET['tpl']) && is_pos_int($_GET['tpl'])) {
        // SQL to get template
        $sql = "SELECT name, body FROM experiments_templates WHERE id = :id";
        $get_tpl = $pdo->prepare($sql);
        $get_tpl->execute(array('id' => $_GET['tpl']));
        $get_tpl_info = $get_tpl->fetch();
        // the title is the name of the template
        $title = $get_tpl_info['name'];
        $body = $get_tpl_info['body'];
    } else {
        // if there is no template, title is 'Untitled' and the body is the default exp_tpl
        $title = _('Untitled');
        // SQL to get body
        $sql = "SELECT body FROM experiments_templates WHERE userid = 0 AND team = :team";
        $get_body = $pdo->prepare($sql);
        $get_body->execute(array('team' => $_SESSION['team_id']));
*    it under the terms of the GNU General Public License as published by
*    the Free Software Foundation, either version 3 of the License, or
*    (at your option) any later version.
*
*    eLabFTW is distributed in the hope that it will be useful,
*    but WITHOUT ANY WARRANTY; without even the implied warranty of
*    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*    GNU General Public License for more details.
*
*    You should have received a copy of the GNU General Public License
*    along with eLabFTW.  If not, see <http://www.gnu.org/licenses/>.
*
********************************************************************************/
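require_once 'inc/common.php';
// get $id from $_POST['id']; a missing parameter is refused like a bad one
// instead of raising a notice and handing null to is_pos_int()
if (isset($_POST['id']) && is_pos_int($_POST['id'])) {
    $id = $_POST['id'];
} else {
    die('Bad id value.');
}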
// we only update status
if (isset($_POST['status'])) {
    $status = check_status($_POST['status']);
    $sql = "UPDATE experiments \n        SET status = :status \n        WHERE userid_creator = :userid \n        AND id = :id";
    $req = $bdd->prepare($sql);
    $result = $req->execute(array('status' => $status, 'userid' => $_SESSION['userid'], 'id' => $id));
    // we only update visibility
} elseif (isset($_POST['visibility'])) {
    // will return 'team' in case of wrong visibility
    $visibility = check_visibility($_POST['visibility']);
    $sql = "UPDATE experiments \n        SET visibility = :visibility \n        WHERE userid_creator = :userid \n        AND id = :id";
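/**
 * Validate the terms-and-conditions options submitted from the settings page.
 *
 * Each key is checked against one rule; on failure the previously saved value
 * (from fablab_get_tac()) is kept and an error is registered with add_settings_error():
 *  - tac_date   must parse with strtotime(); the timestamp is stored
 *  - tac_pageid must pass is_pos_int()
 *  - a key whose stored value passes is_pos_int() must stay a positive integer
 *  - every other key must not be empty
 *
 * @param array $options Key/value pairs as submitted by the settings form
 * @return array The sanitised values, one entry per submitted key
 */
function validate_tacs($options)
{
    $output = array();
    $old_settings = fablab_get_tac();
    foreach ($options as $key => $value) {
        // strict comparisons: a loosely compared numeric key (0 == 'tac_date' on PHP < 8) would hit the wrong rule
        if ($key === 'tac_date') {
            $date = strtotime($value);
            if ($date) {
                $output[$key] = $date;
            } else {
                add_settings_error('tac_fields', 'naDate', 'Bitte ein Datum eingeben!');
                $output[$key] = $old_settings[$key];
            }
        } elseif ($key === 'tac_pageid') {
            if (is_pos_int($value)) {
                $output[$key] = sanitize_text_field($value);
            } else {
                add_settings_error('tac_fields', 'naN', 'Bitte eine verfügbare Page auswählen!');
                $output[$key] = $old_settings[$key];
            }
        } elseif (is_pos_int($old_settings[$key])) {
            // the stored value is numeric, so the new one has to be as well
            if (is_pos_int($value)) {
                $output[$key] = sanitize_text_field($value);
            } else {
                add_settings_error('tac_fields', 'naN', 'Bitte eine positive Zahl eingeben!');
                $output[$key] = $old_settings[$key];
            }
        } elseif (!empty($value)) {
            $output[$key] = sanitize_text_field($value);
        } else {
            add_settings_error('tac_fields', 'empty', 'Leeres Feld ist nicht erlaubt!');
            $output[$key] = $old_settings[$key];
        }
    }
    return $output;
}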
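// ORDER BY column: only the whitelisted names are mapped, anything else leaves $order untouched
if (isset($_GET['order']) && $_GET['order'] !== '') {
    if ($_GET['order'] === 'cat') {
        $order = 'ty.name';
    } elseif ($_GET['order'] === 'date' || $_GET['order'] === 'rating' || $_GET['order'] === 'title') {
        $order = 'it.' . $_GET['order'];
    }
}
// sort direction: only the two literal values are accepted (they are non-empty by construction)
if (isset($_GET['sort']) && ($_GET['sort'] === 'asc' || $_GET['sort'] === 'desc')) {
    $sort = $_GET['sort'];
}
// type filter: vetted by is_pos_int() and cast so that only digits reach the SQL fragment
if (isset($_GET['filter']) && $_GET['filter'] !== '' && is_pos_int($_GET['filter'])) {
    $filter = "AND ty.id = '" . (int) $_GET['filter'] . "' ";
}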
// ///////////////////////////////////////////////////////////////////////
// SQL for showDB
// TAG SEARCH
if (isset($_GET['tag']) && !empty($_GET['tag'])) {
    $tag = filter_var($_GET['tag'], FILTER_SANITIZE_STRING);
    $sql = "SELECT it.id, ty.name, ta.item_id\n    FROM items AS it, items_types AS ty, items_tags AS ta\n    WHERE it.type = ty.id\n    AND it.team = :teamid\n    AND it.id = ta.item_id\n    AND ta.tag LIKE :tag\n    " . $filter . "\n    ORDER BY {$order} {$sort}\n    LIMIT 100";
    $req = $pdo->prepare($sql);
    $req->bindParam(':tag', $tag, PDO::PARAM_STR);
    $req->bindParam(':teamid', $_SESSION['team_id'], PDO::PARAM_INT);
    $req->execute();
    // put resulting ids in the results array
    while ($get_id = $req->fetch()) {
 /**
  * Check if we have a template to load for experiments
  *
  * @param int $tpl The template ID
  * @return bool Whatever is_pos_int() answers for the given id
  */
 private function checkTpl($tpl)
 {
     $hasTemplate = is_pos_int($tpl);
     return $hasTemplate;
 }
********************************************************************************/
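require_once 'inc/common.php';
//Array to store validation errors
$msg_arr = array();
//Validation error flag
$errflag = false;
// CHECKS
// ID
// 0 means "not registered yet"; it is matched as the literal '0' (or int 0) because the
// loose `== 0` it replaces also let through an empty string and, on PHP < 8, any
// non-numeric string such as 'abc'
if (isset($_POST['regid']) && (is_pos_int($_POST['regid']) || $_POST['regid'] === '0' || $_POST['regid'] === 0)) {
    $regid = $_POST['regid'];
} else {
    $regid = '';
    $msg_arr[] = 'The id parameter is not valid !';
    $errflag = true;
}
if (isset($_POST['cpdid']) && is_pos_int($_POST['cpdid'])) {
    $cpdid = $_POST['cpdid'];
} else {
    $cpdid = '';
}
$name = check_title($_POST['name']);
$iupacname = check_title($_POST['iupac_name']);
// validated is a flag posted as the string 'true'; anything else (or nothing) means 0
if (isset($_POST['validated']) && $_POST['validated'] === 'true') {
    $validated = 1;
} else {
    $validated = 0;
}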
    $group_name = filter_var($_POST['create_teamgroup'], FILTER_SANITIZE_STRING);
    $sql = "INSERT INTO team_groups(name, team) VALUES(:name, :team)";
    $req = $pdo->prepare($sql);
    $req->bindParam(':name', $group_name);
    $req->bindParam(':team', $_SESSION['team_id']);
    if ($req->execute()) {
        echo '1';
    } else {
        echo '0';
    }
}
// EDIT TEAM GROUP NAME FROM JEDITABLE
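// EDIT TEAM GROUP NAME FROM JEDITABLE
if (isset($_POST['teamgroup']) && !empty($_POST['teamgroup'])) {
    $name = filter_var($_POST['teamgroup'], FILTER_SANITIZE_STRING);
    // the jeditable id is expected as "teamgroup_<id>"; both parts must exist before the id is checked,
    // otherwise a missing $_POST['id'] or a lone "teamgroup" only produced a notice and a null id
    $id_arr = isset($_POST['id']) ? explode('_', $_POST['id']) : array();
    if (isset($id_arr[1]) && $id_arr[0] === 'teamgroup' && is_pos_int($id_arr[1])) {
        // SQL to update a single team group name; the team clause keeps the update inside the caller's team
        $sql = "UPDATE team_groups SET name = :name WHERE id = :id AND team = :team";
        $req = $pdo->prepare($sql);
        $req->bindParam(':name', $name);
        $req->bindParam(':team', $_SESSION['team_id']);
        $req->bindParam(':id', $id_arr[1], PDO::PARAM_INT);
        if ($req->execute()) {
            echo stripslashes($name);
        }
    }
}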
// ADD OR REMOVE USER TO/FROM TEAM GROUP
if (isset($_POST['teamgroup_user'])) {
    if ($_POST['action'] === 'add') {
        $sql = "INSERT INTO users2team_groups(userid, groupid) VALUES(:userid, :groupid)";
    $tab = '4';
    $item_type_id = $_POST['item_type_id'];
    $item_type_name = filter_var($_POST['item_type_name'], FILTER_SANITIZE_STRING);
    // we remove the # of the hexacode and sanitize string
    $item_type_bgcolor = filter_var(substr($_POST['item_type_bgcolor'], 1, 6), FILTER_SANITIZE_STRING);
    $item_type_template = check_body($_POST['item_type_template']);
    $sql = "UPDATE items_types SET\n        name = :name,\n        team = :team,\n        bgcolor = :bgcolor,\n        template = :template\n        WHERE id = :id";
    $req = $pdo->prepare($sql);
    $result = $req->execute(array('name' => $item_type_name, 'team' => $_SESSION['team_id'], 'bgcolor' => $item_type_bgcolor, 'template' => $item_type_template, 'id' => $item_type_id));
    if (!$result) {
        $errflag = true;
        $error = '14';
    }
}
// ADD NEW ITEM TYPE
if (isset($_POST['new_item_type']) && is_pos_int($_POST['new_item_type'])) {
    $tab = '4';
    $item_type_name = filter_var($_POST['new_item_type_name'], FILTER_SANITIZE_STRING);
    if (strlen($item_type_name) < 1) {
        $item_type_name = 'Unnamed';
    }
    // we remove the # of the hexacode and sanitize string
    $item_type_bgcolor = filter_var(substr($_POST['new_item_type_bgcolor'], 1, 6), FILTER_SANITIZE_STRING);
    $item_type_template = check_body($_POST['new_item_type_template']);
    $sql = "INSERT INTO items_types(name, team, bgcolor, template) VALUES(:name, :team, :bgcolor, :template)";
    $req = $pdo->prepare($sql);
    $result = $req->execute(array('name' => $item_type_name, 'team' => $_SESSION['team_id'], 'bgcolor' => $item_type_bgcolor, 'template' => $item_type_template));
    if (!$result) {
        $errflag = true;
        $error = '15';
    }
*    the License, or (at your option) any later version.                        *
*                                                                               *
*    eLabFTW is distributed in the hope that it will be useful,                 *
*    but WITHOUT ANY WARRANTY; without even the implied                         *
*    warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR                    *
*    PURPOSE.  See the GNU Affero General Public License for more details.      *
*                                                                               *
*    You should have received a copy of the GNU Affero General Public           *
*    License along with eLabFTW.  If not, see <http://www.gnu.org/licenses/>.   *
*                                                                               *
********************************************************************************/
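require_once 'inc/common.php';
require_once ELAB_ROOT . 'inc/locale.php';
require_once ELAB_ROOT . 'vendor/autoload.php';
// Check id is valid and assign it to $id
if (isset($_GET['id']) && is_pos_int($_GET['id'])) {
    $id = $_GET['id'];
} else {
    die(_("The id parameter is not valid!"));
}
// check the type: only the two known table names are accepted, and a missing
// parameter is rejected the same way instead of raising a notice first
if (isset($_GET['type']) && ($_GET['type'] === 'experiments' || $_GET['type'] === 'items')) {
    $type = $_GET['type'];
} else {
    die(_("The type parameter is not valid."));
}
// do the pdf
$pdf = new \Elabftw\Elabftw\MakePdf($id, $type);
$mpdf = new mPDF();
$mpdf->SetAuthor($pdf->author);
$mpdf->SetTitle($pdf->title);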
 /**
  * Verify the itemId received and keep it in $this->itemId
  *
  * @param int $itemId Id of our item
  * @throws Exception if is_pos_int() rejects the id
  */
 private function checkItemId($itemId)
 {
     // reject first, assign only once the id has been accepted
     if (!is_pos_int($itemId)) {
         throw new Exception('Bad item id');
     }
     $this->itemId = $itemId;
 }