if (isset($engine->cleanGet['MYSQL']['ajax'])) {
    $result = array();
    if (isset($engine->cleanPost['MYSQL']['action'])) {
        switch ($engine->cleanPost['MYSQL']['action']) {
            case 'updateUserProjects':
                $result = users::updateUserProjects();
                break;
            default:
                break;
        }
    } else {
        if (isset($engine->cleanGet['MYSQL']['action'])) {
            switch ($engine->cleanGet['MYSQL']['action']) {
                case 'selectChoices':
                    $field = forms::getField($engine->cleanGet["MYSQL"]['formID'], $engine->cleanGet["MYSQL"]['fieldName']);
                    $fieldChoices = forms::getFieldChoices($field);
                    $result = forms::drawFieldChoices($field, $fieldChoices);
                    die($result);
                    break;
                case 'searchFormFields':
                    die(mfcsSearch::formFieldOptions($engine->cleanGet["MYSQL"]['formID']));
                    break;
                case 'paginationPerPage':
                    $result = users::setField('pagination', $engine->cleanGet["MYSQL"]['perPage']);
                    die(json_encode($result ? "TRUE" : "FALSE"));
                    break;
                case 'paginationJumpToIDNO':
                    $objects = objects::getAllObjectsForForm($engine->cleanGet['MYSQL']['formID'], "idno");
                    for ($I = 0; $I < count($objects); $I++) {
                        if (strtolower($objects[$I]['idno']) == strtolower($engine->cleanGet['MYSQL']['idno'])) {
                            header('Location: ' . localvars::get("siteroot") . "dataView/list.php?listType=form&formID=" . $engine->cleanGet['MYSQL']['formID'] . "&page=" . ceil($I / 25));
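 /**
  * Render the insert/update HTML form for a form definition.
  *
  * Loads the form definition $formID, orders its fields by position and emits
  * one input per field. When $objectID is given the form is an update form
  * pre-populated from that object; when $error is TRUE the values the user just
  * POSTed are echoed back so a failed submission can be corrected.
  *
  * @param int|string      $formID   ID of the form definition (self::get()).
  * @param int|string|null $objectID ID of the object being edited, or NULL for an insert form.
  * @param bool            $error    TRUE when re-displaying after a failed submission.
  * @return string|false   The form markup, or FALSE when the form, its field order or the
  *                        object could not be loaded (an error message is queued via errorHandle).
  *
  * Output escaping: every value written into an attribute or text node goes through
  * htmlSanitize(). Field values come from self::getFieldValue() and are written as-is;
  * that helper is therefore responsible for escaping them (not verifiable from here).
  */
 public static function build($formID, $objectID = NULL, $error = FALSE)
 {
     $engine = EngineAPI::singleton();

     // Load the form definition; nothing to render without it.
     $form = self::get($formID);
     if ($form === FALSE) {
         return FALSE;
     }

     // Fields are rendered in their configured position order.
     $fields = $form['fields'];
     if (usort($fields, 'sortFieldsByPosition') !== TRUE) {
         errorHandle::newError(__METHOD__ . "() - usort", errorHandle::DEBUG);
         errorHandle::errorMsg("Error retrieving form.");
         return FALSE;
     }

     // Update form: load the object being edited. Insert form after a submission
     // error: start with an empty data array that the RAW POST values fill below.
     if (!isnull($objectID)) {
         $object = objects::get($objectID, TRUE);
         if ($object === FALSE) {
             errorHandle::errorMsg("Error retrieving object.");
             return FALSE;
         }
     } elseif ($error === TRUE) {
         $object = array();
         $object['data'] = array();
     }

     // The form posts back to the current script. $_SERVER['PHP_SELF'] can carry
     // attacker-controlled PATH_INFO and $objectID normally arrives via the query
     // string, so both are escaped for the attribute/URL context. data-formid was
     // previously run through the database escaper, which is the wrong context
     // for HTML output; it now uses the same htmlSanitize() as the action URL.
     $output = sprintf('<form action="%s?formID=%s%s" method="%s" name="insertForm" data-formid="%s">',
         htmlSanitize($_SERVER['PHP_SELF']),
         htmlSanitize($formID),
         !isnull($objectID) ? '&objectID=' . htmlSanitize(urlencode($objectID)) : "",
         "post",
         htmlSanitize($formID));
     // CSRF token; this is what stops a third party from driving the POST.
     $output .= sessionInsertCSRF();

     // parentID is taken from the HTML-sanitized GET bucket, so it is attribute-safe already.
     if (isset($engine->cleanGet['HTML']['parentID'])) {
         $output .= sprintf('<input type="hidden" name="parentID" value="%s">', $engine->cleanGet['HTML']['parentID']);
     }

     $currentFieldset = "";
     $formHasFiles    = false;

     foreach ($fields as $field) {
         // Fieldset pseudo-fields only group other fields; they render nothing themselves.
         if ($field['type'] == "fieldset") {
             continue;
         }
         // A system-managed IDNO does not exist yet on an insert form.
         if ($field['type'] == "idno" && (strtolower($field['managedBy']) == "system" && isnull($objectID))) {
             continue;
         }

         // Open/close <fieldset> wrappers whenever the fieldset name changes.
         if ($field['fieldset'] != $currentFieldset) {
             if ($currentFieldset != "") {
                 $output .= "</fieldset>";
             }
             if (!isempty($field['fieldset'])) {
                 // Legend text comes from the form definition; escape for the text-node context.
                 $output .= sprintf('<fieldset><legend>%s</legend>', htmlSanitize($field['fieldset']));
             }
             $currentFieldset = $field['fieldset'];
         }

         if ($error === TRUE) {
             // Re-populate from the RAW POST bucket so a failed submission can be
             // re-submitted without the data being sanitized a second time on the
             // way back in.
             //
             // NOTE(review): "it is only shown to the user who submitted it" is not
             // by itself a safety argument - reflected XSS is exactly that scenario.
             // What limits it is (a) the CSRF token above, which keeps a third party
             // from triggering this POST, and (b) getFieldValue() escaping the value
             // when it is written into the input below. (b) cannot be verified from
             // this file and must hold.
             //
             // @SECURITY False Positive 1
             if (isset($engine->cleanPost['RAW'][$field['name']])) {
                 $object['data'][$field['name']] = $engine->cleanPost['RAW'][$field['name']];
                 if ($field['type'] == "select") {
                     $field['choicesDefault'] = $engine->cleanPost['RAW'][$field['name']];
                 }
             }
         }

         $output .= '<div class="">';

         // disabledInsert / disabledUpdate map onto the HTML disabled / readonly attributes.
         if (isset($field['disabledInsert']) && $field['disabledInsert'] == "true" && isnull($objectID)) {
             $field['disabled'] = "true";
         }
         if (isset($field['disabledUpdate']) && $field['disabledUpdate'] == "true" && !isnull($objectID)) {
             $field['readonly'] = "true";
         }

         // Field label. System-managed IDNOs on an insert form were already skipped
         // above, so the IDNO clauses here are redundant (kept for the 2.0 cleanup).
         if ($field['type'] != "idno" || $field['type'] == "idno" && isset($field['managedBy']) && strtolower($field['managedBy']) != "system" || $field['type'] == "idno" && isset($field['managedBy']) && strtolower($field['managedBy']) == "system" && !isnull($objectID)) {
             $output .= sprintf('<label for="%s" class="formLabel %s">%s:</label>', htmlSanitize($field['id']), strtolower($field['required']) == "true" ? "requiredField" : "", htmlSanitize($field['label']));
         }

         if ($field['type'] == "textarea" || $field['type'] == "wysiwyg") {
             // The element content is whatever getFieldValue() returns; it is not re-escaped
             // here to avoid double encoding, so that helper must escape for HTML.
             $output .= sprintf('<textarea name="%s" placeholder="%s" id="%s" class="%s" %s %s %s %s>%s</textarea>', htmlSanitize($field['name']), htmlSanitize($field['placeholder']), htmlSanitize($field['id']), htmlSanitize($field['class']), !isempty($field['style']) ? 'style="' . htmlSanitize($field['style']) . '"' : "", strtoupper($field['required']) == "TRUE" ? "required" : "", strtoupper($field['readonly']) == "TRUE" ? "readonly" : "", strtoupper($field['disabled']) == "TRUE" ? "disabled" : "", self::getFieldValue($field, isset($object) ? $object : NULL));
             if ($field['type'] == "wysiwyg") {
                 $output .= sprintf('<script type="text/javascript">window.CKEDITOR_BASEPATH="%sincludes/js/CKEditor/"</script>', localvars::get("siteRoot"));
                 $output .= sprintf('<script type="text/javascript" src="%sincludes/js/CKEditor/ckeditor.js"></script>', localvars::get("siteRoot"));
                 $output .= '<script type="text/javascript">';
                 $output .= sprintf('if (CKEDITOR.instances["%s"]) { CKEDITOR.remove(CKEDITOR.instances["%s"]); }', htmlSanitize($field['id']), htmlSanitize($field['id']));
                 $output .= sprintf('CKEDITOR.replace("%s");', htmlSanitize($field['id']));
                 $output .= 'htmlParser = "";';
                 // Previously interpolated raw. htmlSanitize() matches the neighbouring
                 // lines and blocks a quote/</script> breakout, although json_encode()
                 // would be the correct escaper for a JS string literal.
                 // NOTE(review): the other CKEDITOR.instances lookups key on the field id,
                 // this one on the field name - confirm the two are always identical.
                 $output .= sprintf('if (CKEDITOR.instances["%s"].dataProcessor) {', htmlSanitize($field['name']));
                 $output .= sprintf('    htmlParser = CKEDITOR.instances["%s"].dataProcessor.htmlFilter;', htmlSanitize($field['id']));
                 $output .= '}';
                 $output .= '</script>';
             }
         } elseif ($field['type'] == "checkbox" || $field['type'] == "radio") {
             if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
                 return FALSE;
             }
             // $formID and choicesForm are now escaped for the attribute context like the field name.
             $output .= sprintf('<div data-type="%s" data-formid="%s" data-fieldname="%s" %s>', $field['type'], htmlSanitize($formID), htmlSanitize($field['name']), isset($field['choicesForm']) && !isempty($field['choicesForm']) ? 'data-choicesForm="' . htmlSanitize($field['choicesForm']) . '"' : "");
             $output .= self::drawFieldChoices($field, $fieldChoices);
             $output .= '</div>';
         } elseif ($field['type'] == "select") {
             if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
                 return FALSE;
             }
             $output .= sprintf('<select name="%s" id="%s" data-type="%s" data-formid="%s" data-fieldname="%s" %s>', htmlSanitize($field['name']), htmlSanitize($field['name']), $field['type'], htmlSanitize($formID), htmlSanitize($field['name']), isset($field['choicesForm']) && !isempty($field['choicesForm']) ? 'data-choicesForm="' . htmlSanitize($field['choicesForm']) . '"' : "");
             $output .= self::drawFieldChoices($field, $fieldChoices, isset($object['data'][$field['name']]) ? $object['data'][$field['name']] : NULL);
             $output .= "</select>";
         } elseif ($field['type'] == 'multiselect') {
             $output .= '<div class="multiSelectContainer">';
             $output .= sprintf('<select name="%s[]" id="%s" size="5" multiple="multiple">', htmlSanitize($field['name']), htmlSanitize($field['name']));
             // Currently selected items, each resolved to its display label.
             if (isset($object['data'][$field['name']]) && is_array($object['data'][$field['name']])) {
                 foreach ($object['data'][$field['name']] as $selectedItem) {
                     // objects::get() returns FALSE for an unknown ID (see the object load
                     // above). Keep the stored value so it is not silently dropped on
                     // re-save, but render an empty label instead of indexing into FALSE.
                     $tmpObj = objects::get($selectedItem);
                     $label  = ($tmpObj !== FALSE && isset($tmpObj['data'][$field['choicesField']]))
                         ? $tmpObj['data'][$field['choicesField']]
                         : '';
                     $output .= sprintf('<option value="%s">%s</option>', htmlSanitize($selectedItem), htmlSanitize($label));
                 }
             }
             $output .= '</select><br />';
             if (isset($field['choicesType']) && !isempty($field['choicesType']) && $field['choicesType'] == "manual") {
                 // Manual choice list: render the available options inline.
                 if (($fieldChoices = forms::getFieldChoices($field)) === FALSE) {
                     return FALSE;
                 }
                 $output .= sprintf('<select name="%s_available" id="%s_available" data-type="%s" data-formid="%s" data-fieldname="%s" %s onchange="addItemToID(\'%s\', this.options[this.selectedIndex]);">%s</select>', htmlSanitize($field['name']), htmlSanitize($field['name']), $field['type'], htmlSanitize($formID), htmlSanitize($field['name']), isset($field['choicesForm']) && !isempty($field['choicesForm']) ? 'data-choicesForm="' . htmlSanitize($field['choicesForm']) . '"' : "", htmlSanitize($field['name']), self::drawFieldChoices($field, $fieldChoices));
             } else {
                 // Choices come from another form: options are fetched over AJAX
                 // (retrieveOptions.php) through select2.
                 $output .= sprintf('<input type="hidden" name="%s_available" id="%s_available" data-type="%s" data-formid="%s" data-fieldname="%s" %s>', htmlSanitize($field['name']), htmlSanitize($field['name']), $field['type'], htmlSanitize($formID), htmlSanitize($field['name']), isset($field['choicesForm']) && !isempty($field['choicesForm']) ? 'data-choicesForm="' . htmlSanitize($field['choicesForm']) . '"' : "", htmlSanitize($field['name']));
                 $output .= sprintf("<script charset=\"utf-8\">\n\t\t\t\t\t\t\t\$(function() {\n\t\t\t\t\t\t\t\t\$('#%s_available')\n\t\t\t\t\t\t\t\t\t.select2({\n\t\t\t\t\t\t\t\t\t\tminimumResultsForSearch: 10,\n\t\t\t\t\t\t\t\t\t\tplaceholder: 'Make a Selection',\n\t\t\t\t\t\t\t\t\t\tajax: {\n\t\t\t\t\t\t\t\t\t\t\turl: 'retrieveOptions.php',\n\t\t\t\t\t\t\t\t\t\t\tdataType: 'json',\n\t\t\t\t\t\t\t\t\t\t\tquietMillis: 300,\n\t\t\t\t\t\t\t\t\t\t\tdata: function(term, page) {\n\t\t\t\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\t\t\t\tq: term,\n\t\t\t\t\t\t\t\t\t\t\t\t\tpage: page,\n\t\t\t\t\t\t\t\t\t\t\t\t\tpageSize: 1000,\n\t\t\t\t\t\t\t\t\t\t\t\t\tformID: '%s',\n\t\t\t\t\t\t\t\t\t\t\t\t\tfieldName: '%s'\n\t\t\t\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tresults: function(data, page) {\n\t\t\t\t\t\t\t\t\t\t\t\tvar more = (page * data.pageSize) < data.total;\n\n\t\t\t\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\t\t\t\tresults: data.options,\n\t\t\t\t\t\t\t\t\t\t\t\t\tmore: more\n\t\t\t\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t})\n\t\t\t\t\t\t\t\t\t.on('select2-selecting', function(e) {\n\t\t\t\t\t\t\t\t\t\taddToID('%s', e.val, e.choice.text);\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t</script>", htmlSanitize($field['name']), htmlSanitize($field['choicesForm']), htmlSanitize($field['choicesField']), htmlSanitize($field['name']));
             }
             $output .= "<br />";
             $output .= sprintf('<button type="button" onclick="removeFromList(\'%s\')" class="btn">Remove Selected</button>', htmlSanitize($field['name']));
             $output .= "</div>";
         } elseif ($field['type'] == 'file') {
             $formHasFiles = true;
             $output .= '<div style="display: inline-block;">';
             if (!isnull($objectID)) {
                 $output .= empty($object['data'][$field['name']]) ? '<span style="color: #666;font-style: italic;">No file uploaded</span><br>' : '<a href="javascript:;" onclick="$(\'#filesTab\').click();">Click to view files tab</a><br>';
             }
             // Token tying the uploader widget to the hidden input that is submitted.
             // NOTE(review): mt_rand() is not a CSPRNG; if this ID also authorizes access to
             // the uploaded files server-side it should come from a secure source.
             $uploadID = md5($field['name'] . mt_rand());
             $output .= sprintf('<div class="fineUploader" data-multiple="%s" data-upload_id="%s" data-allowed_extensions="%s" style="display: inline-block;"></div><input type="hidden" name="%s" value="%s">', htmlSanitize($field['multipleFiles']), $uploadID, htmlSanitize(implode(',', $field['allowedExtensions'])), htmlSanitize($field['name']), $uploadID);
             $output .= '</div>';
         } else {
             // IDNO fields render as plain text inputs, defaulting to the object's idno.
             if ($field['type'] == "idno") {
                 $field['type'] = "text";
                 if (isset($object) && !isset($object['data'][$field['name']])) {
                     $object['data'][$field['name']] = $object['idno'];
                 }
             }
             // Value as returned by getFieldValue(); written into value="..." without
             // further escaping, so that helper must escape for the attribute context.
             $fieldValue = self::getFieldValue($field, isset($object) ? $object : NULL);
             $output .= sprintf('<input type="%s" name="%s" value="%s" placeholder="%s" %s id="%s" class="%s" %s %s %s %s />', htmlSanitize($field['type']), htmlSanitize($field['name']), $fieldValue, htmlSanitize($field['placeholder']), $field['type'] == "number" ? buildNumberAttributes($field) : "", htmlSanitize($field['id']), htmlSanitize($field['class']), !isempty($field['style']) ? 'style="' . htmlSanitize($field['style']) . '"' : "", strtoupper($field['required']) == "TRUE" ? "required" : "", strtoupper($field['readonly']) == "TRUE" ? "readonly" : "", strtoupper($field['disabled']) == "TRUE" ? "disabled" : "");
         }

         // Field help, encoded in the definition as "type|value".
         if (isset($field['help']) && $field['help']) {
             list($helpType, $helpValue) = explode('|', $field['help'], 2);
             switch ($helpType) {
                 case 'text':
                     // Plain tooltip text; escaped for the attribute context.
                     $output .= sprintf(' <a href="javascript:;" rel="tooltip" class="icon-question-sign" data-placement="right" data-title="%s"></a>', htmlSanitize($helpValue));
                     break;
                 case 'html':
                     // Author-supplied HTML rendered by the popover (data-html="true").
                     // Attribute-encoding it keeps the attribute well-formed; the browser
                     // decodes the attribute before Bootstrap inserts it, so the markup
                     // still renders. This is an intentional raw-HTML sink and relies on
                     // form authors being trusted.
                     $output .= sprintf(' <a href="javascript:;" rel="popover" class="icon-question-sign" data-html="true" data-placement="right" data-trigger="hover" data-content="%s"></a>', htmlSanitize($helpValue));
                     break;
                 case 'web':
                     // External help page shown in a modal iframe.
                     // NOTE(review): the URL is not scheme-checked; restricting it to http(s)
                     // would stop a form author from pointing the iframe at a javascript: URL.
                     $output .= sprintf(' <a href="javascript:;" title="Click for help" class="icon-question-sign" onclick="$(\'#helpModal_%s\').modal(\'show\');"></a>', htmlSanitize($field['id']));
                     $output .= sprintf('<div id="helpModal_%s" rel="modal" class="modal hide fade" data-show="false">', htmlSanitize($field['id']));
                     $output .= '	<div class="modal-header">';
                     $output .= '		<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>';
                     $output .= '		<h3 id="myModalLabel">Field Help</h3>';
                     $output .= '	</div>';
                     $output .= '	<div class="modal-body">';
                     $output .= sprintf('		<iframe src="%s" seamless="seamless" style="width: 100%%; height: 100%%;"></iframe>', htmlSanitize($helpValue));
                     $output .= '	</div>';
                     $output .= '</div>';
                     break;
             }
         }

         $output .= "</div>";
     }

     if (!isempty($currentFieldset)) {
         $output .= "</fieldset>";
     }

     // Button label and name differ between insert and update forms.
     $output .= sprintf('<input type="submit" value="%s" name="%s" id="objectSubmitBtn" class="btn" />', isnull($objectID) ? htmlSanitize($form["submitButton"]) : htmlSanitize($form["updateButton"]), $objectID ? "updateForm" : "submitForm");
     if ($formHasFiles) {
         $output .= '<div class="alert alert-block" id="objectSubmitProcessing"><strong>Processing Files</strong><br>Please Wait...</div>';
     }
     $output .= "</form>";

     return $output;
 }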