/**
* Method to check the fixed param keyword for validity and further more escape the free text elems (even if this is not semantic)
* @param array $whereParam
* @param ParameterObject $d
* @param bool $escapeFreeText if the function shall also escape the free text of the where clause
* @return boolean
*/
public static function isWhereClauseValid($whereParam, $d, $escapeFreeText = true)
{
if (Config::useSecureMode() && $whereParam) {
//error_log(print_r($whereParam,true));
$validFields = Config::getValidTables()[$d->getAttribute(PO::ATTR_TABLE)];
$validOperators = array('LIKE', '=', '<=', '>=', '!=');
$validConcaters = array('OR', 'AND');
foreach ($whereParam as $param_group) {
if (in_array($param_group[0], $validFields)) {
if (in_array($param_group[1], $validOperators)) {
if (in_array($param_group[3], $validConcaters) || $param_group[3] === null) {
continue;
}
}
}
return false;
}
if ($escapeFreeText) {
// secure free text elems
$whereParam = array_map(function ($i) {
$i[2] = sprintf('"%s"', addslashes($i[2]));
return $i;
}, $whereParam);
$d->setAttribute(PO::ATTR_CONDITION, $whereParam);
}
return true;
} else {
return true;
}
}
require_once 'inheritance/iConnector.inter.php';
require_once 'inheritance/bConnector.class.php';
require_once 'inheritance/iConfig.inter.php';
// helper
require_once 'helper/ConnectorSelector.class.php';
require_once 'helper/ParameterObject.class.php';
require_once 'helper/SecureModeHelper.class.php';
$dObj = new ParameterObject($_POST['options']);
require_once 'config.class.inc.php';
// the point where the user config is loaded (removed dynamic path configuration from js for security reasons)
$desired_connector = $dObj->getAttribute(PO::ATTR_CONNECTOR);
$cs = new ConnectorSelector();
$connector = $cs->getConector($desired_connector);
// try to select the connector
// host, username, password, db
$authRes = $connector->authenticate(Config::getHost(), Config::getUsername(), Config::getPassword(), $dObj->getAttribute(PO::ATTR_DATABASE_NAME));
$checkRes = SecureModeHelper::checkTable($dObj->getAttribute(PO::ATTR_TABLE), $dObj);
if (is_numeric($checkRes)) {
// we are returned a string in valid case or an int in failure case
$data = array('success' => false);
if ($checkRes === SecureModeHelper::FAILURE_TABLE_INVALID) {
$data['error_str'] = 'You tried to us a table which is not on the whitelist due Secure Mode. Disable Secure Mode or add ' . $dObj->getAttribute(PO::ATTR_TABLE) . ' to the list of allowed tables';
} elseif ($checkRes === SecureModeHelper::FAILURE_FIELD_INVALID) {
$data['error_str'] = 'You tried to us a table field which is not on the whitelist due Secure Mode. Disable Secure Mode or add all desired fields to the list of allowed fields';
} elseif ($checkRes === SecureModeHelper::FAILURE_DB_INVALID) {
$data['error_str'] = 'You tried to select a DB which is not on the whitelist due Secure Mode. Disable Secure Mode or add ' . $dObj->getAttribute(PO::ATTR_DATABASE_NAME) . ' to the list of allowed DBs';
}
} elseif (!is_numeric($dObj->getAttribute(PO::ATTR_ELEMENTS_PER_PAGE))) {
$data = array('success' => false, 'error_str' => 'You configured Elements-PerPage failed the Security rules');
} elseif (!is_numeric($dObj->getAttribute(PO::ATTR_PAGE)) && !is_null($dObj->getAttribute(PO::ATTR_PAGE))) {
$data = array('success' => false, 'error_str' => 'You desired page failed the Security rules');
