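/**
 * Get what type we want.
 *
 * The item type comes from the 'itemType' cookie, which is fully under the
 * client's control: the is_pos_int() check below is the only guard between
 * the request and the value handed back to the importer, so nothing is
 * returned unless that check passes.
 *
 * @return int The type of item (the validated cookie value, cast to int so the
 *             returned value actually has the documented type)
 * @throws Exception when the cookie is missing or is not a positive integer
 */
protected function getTarget()
{
    if (isset($_COOKIE['itemType']) && is_pos_int($_COOKIE['itemType'])) {
        // cookies always arrive as strings; the cast is safe once the
        // positive-integer check above has passed (assumed from its name — confirm)
        return (int) $_COOKIE['itemType'];
    }
    throw new Exception('No cookies found. Import aborted.');
}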
/**
 * Main loop: walk the space-separated id list, validate each id, append one
 * CSV line per item and finally write the CSV file.
 *
 * @throws Exception if any id in the list is not a positive integer
 */
private function loopIdArr()
{
    $this->idArr = explode(" ", $this->idList);
    foreach ($this->idArr as $currentId) {
        if (is_pos_int($currentId)) {
            $this->checkVisibility($currentId);
            $this->initData($currentId);
            $this->setUrl($currentId);
            $this->addLine();
            continue;
        }
        // a single malformed id aborts the export right where it is found
        throw new Exception('Bad id.');
    }
    $this->writeCsv();
}
/**
 * Validate the id we get.
 *
 * Nothing happens when $this->id is a positive integer; any other value
 * is rejected with an exception.
 *
 * @throws Exception if id is bad
 */
private function validateId()
{
    if (is_pos_int($this->id)) {
        return;
    }
    throw new Exception('Bad id!');
}
$sql = "SELECT name FROM team_groups WHERE id = :id"; $visreq = $pdo->prepare($sql); $visreq->bindParam(':id', $data['visibility']); $visreq->execute(); $visibility = $visreq->fetchColumn(); } else { $visibility = $data['visibility']; } // Check id is owned by connected user to show read only message if not if ($data['userid'] != $_SESSION['userid']) { // Can the user see this experiment which is not his ? if ($data['visibility'] == 'user') { display_message('error', _("<strong>Access forbidden:</strong> the visibility setting of this experiment is set to 'owner only'.")); require_once 'inc/footer.php'; exit; } elseif (is_pos_int($data['visibility'])) { // the visibility of this experiment is set to a group // we must check if current user is in this group $sql = "SELECT DISTINCT userid FROM users2team_groups WHERE groupid = :groupid"; $team_group_req = $pdo->prepare($sql); $team_group_req->bindParam(':groupid', $data['visibility']); $team_group_req->execute(); $auth_users_arr = array(); while ($auth_users = $team_group_req->fetch()) { $auth_users_arr[] = $auth_users['userid']; } if (!in_array($_SESSION['userid'], $auth_users_arr)) { display_message('error', _("<strong>Access forbidden:</strong> you don't have the rights to access this.")); require_once 'inc/footer.php'; exit; }
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR * * PURPOSE. See the GNU Affero General Public License for more details. * * * * You should have received a copy of the GNU Affero General Public * * License along with eLabFTW. If not, see <http://www.gnu.org/licenses/>. * * * ********************************************************************************/ require_once 'inc/common.php'; // Check id is valid and assign it to $id if (isset($_POST['id']) && is_pos_int($_POST['id'])) { $id = $_POST['id']; } else { die("The id parameter in the URL isn't a valid link ID"); } // Check item_id is valid and assign it to $item_id if (isset($_POST['item_id']) && is_pos_int($_POST['item_id'])) { $item_id = $_POST['item_id']; } else { die("The item id parameter in the URL isn't valid!"); } // Check item_id is owned by connected user $sql = "SELECT userid_creator FROM experiments WHERE id = " . $item_id; $req = $bdd->prepare($sql); $req->execute(); $data = $req->fetch(); if ($data['userid_creator'] == $_SESSION['userid']) { // SQL for DELETE TAG $sql = "DELETE FROM experiments_links WHERE id=" . $id; $req = $bdd->prepare($sql); $result = $req->execute(); if (!$result) {
} else { echo "<div id='search_count'>" . $count . " results</div>"; } echo "<div class='search_results_div'>"; // Display results echo "<hr>"; foreach ($results_id as $id) { showXP($id, $_SESSION['prefs']['display']); } } else { // no results $message = "Sorry, I couldn't find anything :("; echo display_message('error', $message); } // DATABASE ADVANCED SEARCH } elseif (is_pos_int($_REQUEST['type'])) { // SQL // the BETWEEN stuff makes the date mandatory, so we switch the $sql with/without date if (isset($_REQUEST['to']) && !empty($_REQUEST['to'])) { $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%' AND date BETWEEN '{$from}' AND '{$to}'"; } elseif (isset($_REQUEST['from']) && !empty($_REQUEST['from'])) { $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%' AND date BETWEEN '{$from}' AND '991212'"; } else { // no date input $sql = "SELECT * FROM items WHERE type = :type AND title LIKE '%{$title}%' AND body LIKE '%{$body}%' AND rating LIKE '%{$rating}%'"; } $req = $bdd->prepare($sql); $req->execute(array('type' => $_REQUEST['type'])); $count = $req->rowCount(); if ($count > 0) { // make array of results id
if (isset($_GET['id']) && !empty($_GET['id']) && is_pos_int($_GET['id'])) { $id = $_GET['id']; } else { die(_("The id parameter is not valid!")); } if ($_GET['type'] === 'exp') { $type = 'experiments'; } elseif ($_GET['type'] === 'db') { $type = 'items'; } else { die(_("The type parameter is not valid.")); } // this function will return the ID of the new experiment // or 0 if it failed somewhere $newid = duplicate_item($id, $type); if (is_pos_int($newid)) { if ($type === 'experiments') { $msg_arr[] = _('Experiment successfully duplicated.'); $_SESSION['infos'] = $msg_arr; header('location: ../experiments.php?mode=edit&id=' . $newid . ''); exit; } else { $msg_arr[] = _('Database entry successfully duplicated.'); $_SESSION['infos'] = $msg_arr; header('location: ../database.php?mode=edit&id=' . $newid . ''); exit; } } else { $msg_arr[] = sprintf(_("There was an unexpected problem! Please %sopen an issue on GitHub%s if you think this is a bug."), "<a href='https://github.com/elabftw/elabftw/issues/'>", "</a>"); $_SESSION['errors'] = $msg_arr; header('location: ../experiments.php');
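/**
 * Check visibility for an experiment.
 *
 * A valid visibility is either one of the four named levels or a positive
 * integer; elsewhere in the codebase a numeric visibility is treated as a
 * team group id. Anything else falls back to 'team'.
 *
 * The in_array() lookup is strict so that only the exact strings are
 * accepted: with the default loose comparison a boolean true, or on PHP < 8
 * a non-numeric/leading-zero string compared against the names, could be
 * reported as "valid" and stored as-is.
 *
 * @param string $input The visibility
 * @return string Will return team if the visibility is wrong
 */
function check_visibility($input)
{
    $valid_visibility = array('public', 'organization', 'team', 'user');
    if (in_array($input, $valid_visibility, true) || is_pos_int($input)) {
        return $input;
    }
    // default is team
    return 'team';
}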
</div> </div> <?php // CODE TO IMPORT CSV if ($_SERVER['REQUEST_METHOD'] === 'POST') { $row = 0; $inserted = 0; $column = array(); // open the file $handle = fopen($_FILES['csvfile']['tmp_name'], 'r'); if ($handle == false) { die('Could not open the file.'); } // get what type we want if (isset($_COOKIE['itemType']) && is_pos_int($_COOKIE['itemType'])) { $type = $_COOKIE['itemType']; } else { die('No cookies found'); } // loop the lines while ($data = fgetcsv($handle, 0, ",")) { $num = count($data); // get the column names (first line) if ($row == 0) { for ($i = 0; $i < $num; $i++) { $column[] = $data[$i]; } $row++; continue; }
} if (isset($_GET['filter'])) { if ($_GET['filter'] != '' && is_pos_int($_GET['filter'])) { $filter = "AND st.id = '" . $_GET['filter'] . "' "; } } // SQL for showXP // reminder : order by and sort must be passed to the prepare(), not during execute() // SEARCH if (isset($_GET['q'])) { // if there is a query $search_type = 'query'; $query = filter_var($_GET['q'], FILTER_SANITIZE_STRING); $results_arr = search_item('xp', $query, $_SESSION['userid']); // RELATED } elseif (isset($_GET['related']) && is_pos_int($_GET['related'])) { // search for related experiments to DB item id $search_type = 'related'; $item_id = $_GET['related']; // search in title date and body $sql = "SELECT item_id FROM experiments_links\n WHERE link_id = :link_id LIMIT 100"; $req = $pdo->prepare($sql); $req->execute(array('link_id' => $item_id)); while ($data = $req->fetch()) { $results_arr[] = $data['item_id']; } // TAG SEARCH } elseif (isset($_GET['tag']) && !empty($_GET['tag'])) { $search_type = 'tag'; $tag = filter_var($_GET['tag'], FILTER_SANITIZE_STRING); $sql = "SELECT ex.id, ex.date, ex.title, st.name, ta.item_id\n FROM experiments AS ex, experiments_tags AS ta, status AS st\n WHERE ex.userid = :userid\n AND ta.userid = :userid\n AND ex.status = st.id\n AND st.team = :teamid\n AND ex.id = ta.item_id\n AND ta.tag LIKE :tag\n " . $filter . "\n ORDER BY {$order} {$sort}\n LIMIT 100";
// SMTP settings posted from the configuration form. Each value is read only
// when its field was submitted; otherwise it falls back to the empty string.
// NOTE(review): FILTER_SANITIZE_STRING is deprecated since PHP 8.1; it strips
// tags and encodes quotes but is not context-aware escaping.
$mail_from = isset($_POST['mail_from']) ? filter_var($_POST['mail_from'], FILTER_SANITIZE_EMAIL) : '';
$smtp_address = isset($_POST['smtp_address']) ? filter_var($_POST['smtp_address'], FILTER_SANITIZE_STRING) : '';
$smtp_encryption = isset($_POST['smtp_encryption']) ? filter_var($_POST['smtp_encryption'], FILTER_SANITIZE_STRING) : '';
// the port is the only numerically validated field: anything that is not a positive integer is dropped
$smtp_port = (isset($_POST['smtp_port']) && is_pos_int($_POST['smtp_port'])) ? $_POST['smtp_port'] : '';
$smtp_username = isset($_POST['smtp_username']) ? filter_var($_POST['smtp_username'], FILTER_SANITIZE_STRING) : '';
// the password is stored encrypted in the database
$smtp_password = isset($_POST['smtp_password']) ? $crypto->encrypt($_POST['smtp_password']) : '';
/**
 * Loop on each id and add it to our zip archive
 * This could be called the main function.
 *
 * @throws Exception If the zip failed
 */
private function loopIdArr()
{
    $this->idArr = explode(" ", $this->idList);
    foreach ($this->idArr as $currentId) {
        if (is_pos_int($currentId)) {
            $this->addToZip($currentId);
            continue;
        }
        // one malformed id aborts the whole archive
        throw new Exception('Bad id.');
    }
    $this->addJson();
    $this->zip->close();
    // the archive must exist on disk once closed; if not, the zip step failed
    if (is_file($this->filePath)) {
        return;
    }
    throw new Exception(_('Error making the zip archive!'));
}
* * * You should have received a copy of the GNU Affero General Public * * License along with eLabFTW. If not, see <http://www.gnu.org/licenses/>. * * * ********************************************************************************/ require_once '../inc/common.php'; /* we receive the file in $_FILES['file']. The array looks like that : name : filename.pdf type : "application/pdf" tmp_name "/tmp/phpLzaurte" error : 0 size 134482 */ // check the item_id if (is_pos_int($_GET['item_id'])) { $item_id = $_GET['item_id']; } else { die('Bad ID'); } // are we uploading for an experiment or a database item ? if ($_GET['type'] === 'experiments' || $_GET['type'] === 'items') { $type = $_GET['type']; } else { die('Bad type'); } if ($type === 'experiments') { // we check that the user owns the experiment before adding things to it if (!is_owned_by_user($item_id, 'experiments', $_SESSION['userid'])) { die('Not your experiment'); }
if ($type === 'items') { $location = 'database'; // check item is in team if (!item_is_in_team($id, $_SESSION['team_id'])) { $msg_arr[] = _('This section is out of your reach.'); $errflag = true; } } else { // check we own the experiment if (!is_owned_by_user($id, 'experiments', $_SESSION['userid'])) { $msg_arr[] = _('This section is out of your reach.'); $errflag = true; } } // THE RESTORE ACTION if (isset($_GET['action']) && $_GET['action'] === 'restore' && is_pos_int($_GET['rev_id'])) { // we don't update if the item is locked $sql = "SELECT locked FROM " . $type . " WHERE id = :id"; $req = $pdo->prepare($sql); $req->bindParam(':id', $id, PDO::PARAM_INT); $req->execute(); $locked = $req->fetch(); if ($locked['locked'] == 1) { $msg_arr = _('You cannot restore a revision of a locked item!'); $errflag = true; } if (!$errflag) { // get the body of the restored time $sql = "SELECT body FROM " . $type . "_revisions WHERE id = :rev_id"; $req = $pdo->prepare($sql); $req->bindParam(':rev_id', $_GET['rev_id'], PDO::PARAM_INT);
<script type="text/javascript" src="js/chemdoodleweb/ChemDoodleWeb-libs.js"></script> <script type="text/javascript" src="js/chemdoodleweb/ChemDoodleWeb.js"></script> <!-- these are required by the SketcherCanvas plugin --> <script type="text/javascript" src="js/chemdoodleweb/sketcher/jquery-ui-1.9.2.custom.min.js"></script> <script type="text/javascript" src="js/chemdoodleweb/sketcher/ChemDoodleWeb-sketcher.js"></script> <!-- now all the slickgrid stuff--> <script type="text/javascript" src="js/chem-editors.js"></script> <script type="text/javascript" src="js/chem-formatters.js"></script> <script type="text/javascript" src="js/chemistry-functions.js"></script> <?php // ID if (isset($_GET['regid']) && !empty($_GET['regid']) && is_pos_int($_GET['regid'])) { $id = $_GET['regid']; } else { if (isset($_REQUEST['mode']) && $_REQUEST['mode'] === 'create') { $id = 0; } else { die("The id parameter in the URL isn't a valid registration ID."); } } $parentregno = ''; if ($id > 0) { $sql = "SELECT reg.cpd_id, reg.regno, reg.no_structure, reg.validated, reg.userid_entrant, reg.userid_registrar, reg.is_salt, \n reg.parent_regid, cpd.name, cpd.cas_number, cpd.pubchem_id,\n cpd.chemspider_id, cpd.notes, cpd.iupac_name, prop.mwt, prop.exact_mass, prop.formula, prop.is_chiral, prop.density, 1d.inchi\n FROM compound_registry AS reg JOIN compounds AS cpd ON reg.cpd_id = cpd.id JOIN compound_properties AS prop\n ON reg.cpd_id = prop.compound_id JOIN 1D_structures AS 1d ON reg.cpd_id = 1d.compound_id WHERE reg.id = :id"; $req = $bdd->prepare($sql); $req->execute(array('id' => $id)); $reg_data = $req->fetch(); $cpdid = $reg_data['cpd_id'];
$url = str_replace('app/editinplace.php', 'experiments.php', $url); $full_url = $url . "?mode=view&id=" . $id; $footer = "\n\n~~~\nSent from eLabFTW http://www.elabftw.net\n"; $message = Swift_Message::newInstance()->setSubject(_('[eLabFTW] New comment posted'))->setFrom(array(get_config('mail_from') => 'eLabFTW'))->setTo(array($users['email'] => 'Admin eLabFTW'))->setBody(sprintf(_('Hi. %s %s left a comment on your experiment. Have a look: %s'), $commenter['firstname'], $commenter['lastname'], $full_url) . $footer); $mailer = getMailer(); // SEND EMAIL try { $mailer->send($message); } catch (Exception $e) { dblog('Error', 'smtp', $e->getMessage()); exit; } } } else { // UPDATE OF EXISTING COMMENT if ($id_arr[0] === 'expcomment' && is_pos_int($id_arr[1])) { $id = $id_arr[1]; // Update comment if ($_POST['expcomment'] != '' && $_POST['expcomment'] != ' ') { // we must first check $expcomment = filter_var($_POST['expcomment'], FILTER_SANITIZE_STRING); // SQL to update single exp comment $sql = "UPDATE experiments_comments SET\n comment = :new_comment,\n datetime = :now\n WHERE id = :id"; $req = $pdo->prepare($sql); $req->execute(array('new_comment' => $expcomment, 'now' => date("Y-m-d H:i:s"), 'id' => $id)); } else { // Submitted comment is empty // Get old comment $sql = "SELECT comment FROM experiments_comments WHERE id = :id"; $req = $pdo->prepare($sql); $req->execute(array('id' => $id));
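/**
 * Check if the date is valid.
 *
 * The date is expected as YYYYMMDD (exactly 8 digits). It is returned
 * unchanged only when it is an 8-digit positive integer whose month/day pair
 * is a real calendar date: checkdate() knows month lengths and leap years, so
 * values such as 20150231 (which the previous "day <= 31" test accepted) are
 * now rejected. Any other input is replaced by today's date from kdate().
 *
 * @param int|string $input The date to check
 * @return integer|string $input The input date if it's valid, or the date of today if not
 */
function check_date($input)
{
    // null / empty / wrong length / not a positive integer: not a date at all
    if (empty($input) || strlen((string) $input) !== 8 || !is_pos_int($input)) {
        return kdate();
    }
    $year = (int) substr($input, 0, 4);
    $month = (int) substr($input, 4, 2);
    $day = (int) substr($input, 6, 2);
    // SUCCESS on every test: only then the caller's value is kept
    if (checkdate($month, $day, $year)) {
        return $input;
    }
    return kdate();
}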
if (is_pos_int($_POST['id'])) { $id = $_POST['id']; } else { die(_("The id parameter is not valid!")); } // we update the name of a team via sysconfig.php if (isset($_POST['team_name'])) { $team_name = filter_var($_POST['team_name'], FILTER_SANITIZE_STRING); $sql = "UPDATE teams\n SET team_name = :team_name\n WHERE team_id = :team_id"; $req = $pdo->prepare($sql); $result = $req->execute(array('team_name' => $team_name, 'team_id' => $id)); exit; } // we only update status if (isset($_POST['status'])) { if (is_pos_int($_POST['status'])) { $status = $_POST['status']; } else { exit; } $sql = "UPDATE experiments \n SET status = :status \n WHERE userid = :userid \n AND id = :id"; $req = $pdo->prepare($sql); $result = $req->execute(array('status' => $status, 'userid' => $_SESSION['userid'], 'id' => $id)); // we only update visibility } elseif (isset($_POST['visibility'])) { // will return 'team' in case of wrong visibility $visibility = check_visibility($_POST['visibility']); $sql = "UPDATE experiments \n SET visibility = :visibility \n WHERE userid = :userid \n AND id = :id"; $req = $pdo->prepare($sql); $result = $req->execute(array('visibility' => $visibility, 'userid' => $_SESSION['userid'], 'id' => $id)); // or we update date, title, and body
} // if you select from two tables but one is empty, as it makes a cross join, no results will be returned // on a fresh install, if there is no tags, it will not find anything // so we make a left join // https://stackoverflow.com/questions/3171276/select-multiple-tables-when-one-table-is-empty-in-mysql $sql = "SELECT exp.* FROM experiments as exp LEFT JOIN experiments_tags as exptag ON 1=1 WHERE" . $sqlFirst . $sqlTitle . $sqlBody . $sqlTag . $sqlStatus . $sqlDate . $sqlGroup; $req = $pdo->prepare($sql); // if there is a selection on 'owned by', we use the owner id as parameter if ($owner_search) { $req->execute(array('userid' => $owner)); } else { $req->execute(array('userid' => $_SESSION['userid'])); } $search_type = 'experiments'; // DATABASE SEARCH } elseif (is_pos_int($_GET['type']) || $_GET['type'] === 'database') { // we want only stuff from our team $sqlTeam = " AND i.team = " . $_SESSION['team_id']; // display entire team database if ($_GET['type'] === 'database' && empty($title) && empty($body) && empty($tags) && empty($status) && empty($rating) && empty($from) && empty($to)) { $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN items_tags as itag ON 1=1 WHERE i.id > 0"; } elseif ($_GET['type'] === 'database') { $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN items_tags as itag ON 1=1 WHERE i.id > 0"; } else { $sqlFirst = "SELECT i.* FROM items as i LEFT JOIN items_tags as itag ON 1=1 WHERE type = :type"; } $sql = $sqlFirst . $sqlTeam . $sqlTitle . $sqlBody . $sqlTag . $sqlRating . $sqlDate . $sqlGroup; $req = $pdo->prepare($sql); if ($_GET['type'] === 'database') { $req->execute(); } else {
$msg_arr = array(); $creator = new \Elabftw\Elabftw\Create(); // Check ID if (isset($_GET['id']) && !empty($_GET['id']) && is_pos_int($_GET['id'])) { $id = $_GET['id']; } else { die(_("The id parameter is not valid!")); } if ($_GET['type'] === 'exp') { $new_id = $creator->duplicateExperiment($_GET['id']); } elseif ($_GET['type'] === 'db') { $new_id = $creator->duplicateItem($_GET['id']); } else { die(_("The type parameter is not valid.")); } if (is_pos_int($new_id)) { if ($_GET['type'] === 'exp') { $msg_arr[] = _('Experiment successfully duplicated.'); $_SESSION['infos'] = $msg_arr; header('location: ../experiments.php?mode=edit&id=' . $new_id . ''); exit; } else { $msg_arr[] = _('Database entry successfully duplicated.'); $_SESSION['infos'] = $msg_arr; header('location: ../database.php?mode=edit&id=' . $new_id . ''); exit; } } else { $msg_arr[] = sprintf(_("There was an unexpected problem! Please %sopen an issue on GitHub%s if you think this is a bug."), "<a href='https://github.com/elabftw/elabftw/issues/'>", "</a>"); $_SESSION['errors'] = $msg_arr; header('location: ../experiments.php');
// What do we create ? if (isset($_GET['type']) && !empty($_GET['type']) && is_pos_int($_GET['type'])) { // $type is int for DB items $type = $_GET['type']; } elseif (isset($_GET['type']) && !empty($_GET['type']) && $_GET['type'] === 'exp') { $type = 'experiments'; } else { $msg_arr[] = _('Wrong item type!'); $_SESSION['infos'] = $msg_arr; header('location: ../index.php'); exit; } if ($type === 'experiments') { $elabid = generate_elabid(); // do we want template ? if (isset($_GET['tpl']) && is_pos_int($_GET['tpl'])) { // SQL to get template $sql = "SELECT name, body FROM experiments_templates WHERE id = :id"; $get_tpl = $pdo->prepare($sql); $get_tpl->execute(array('id' => $_GET['tpl'])); $get_tpl_info = $get_tpl->fetch(); // the title is the name of the template $title = $get_tpl_info['name']; $body = $get_tpl_info['body']; } else { // if there is no template, title is 'Untitled' and the body is the default exp_tpl $title = _('Untitled'); // SQL to get body $sql = "SELECT body FROM experiments_templates WHERE userid = 0 AND team = :team"; $get_body = $pdo->prepare($sql); $get_body->execute(array('team' => $_SESSION['team_id']));
* it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * eLabFTW is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with eLabFTW. If not, see <http://www.gnu.org/licenses/>. * ********************************************************************************/ require_once 'inc/common.php'; // get $id from $_POST['id'] if (is_pos_int($_POST['id'])) { $id = $_POST['id']; } else { die('Bad id value.'); } // we only update status if (isset($_POST['status'])) { $status = check_status($_POST['status']); $sql = "UPDATE experiments \n SET status = :status \n WHERE userid_creator = :userid \n AND id = :id"; $req = $bdd->prepare($sql); $result = $req->execute(array('status' => $status, 'userid' => $_SESSION['userid'], 'id' => $id)); // we only update visibility } elseif (isset($_POST['visibility'])) { // will return 'team' in case of wrong visibility $visibility = check_visibility($_POST['visibility']); $sql = "UPDATE experiments \n SET visibility = :visibility \n WHERE userid_creator = :userid \n AND id = :id";
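/**
 * Sanitize the terms-and-conditions settings before they are saved.
 *
 * Each submitted option is validated against the currently stored settings;
 * an invalid value raises a settings error (German admin messages) and the
 * previously stored value is kept for that key.
 *
 * Keys are compared with === (the old == would let an integer key 0 match a
 * name on PHP < 8), and the stored settings are only read through isset() so
 * a key that is new to the stored array no longer produces a notice.
 *
 * @param array $options The raw option values submitted by the settings form
 * @return array The sanitized options, one entry per submitted key
 */
function validate_tacs($options)
{
    $output = array();
    $old_settings = fablab_get_tac();
    foreach ($options as $key => $value) {
        // previous value for this key, or null when it was never stored
        $previous = isset($old_settings[$key]) ? $old_settings[$key] : null;
        if ($key === 'tac_date') {
            // the date is stored as a unix timestamp, not as the submitted text
            $date = strtotime($value);
            if ($date) {
                $output[$key] = $date;
            } else {
                add_settings_error('tac_fields', 'naDate', 'Bitte ein Datum eingeben!');
                $output[$key] = $previous;
            }
        } elseif ($key === 'tac_pageid') {
            if (is_pos_int($value)) {
                $output[$key] = sanitize_text_field($value);
            } else {
                add_settings_error('tac_fields', 'naN', 'Bitte eine verfügbare Page auswählen!');
                $output[$key] = $previous;
            }
        } elseif ($previous !== null && is_pos_int($previous)) {
            // a setting that used to hold a positive number must stay numeric
            if (is_pos_int($value)) {
                $output[$key] = sanitize_text_field($value);
            } else {
                add_settings_error('tac_fields', 'naN', 'Bitte eine positive Zahl eingeben!');
                $output[$key] = $previous;
            }
        } else {
            // free-text setting: anything non-empty is accepted after sanitizing
            if (!empty($value)) {
                $output[$key] = sanitize_text_field($value);
            } else {
                add_settings_error('tac_fields', 'empty', 'Leeres Feld ist nicht erlaubt!');
                $output[$key] = $previous;
            }
        }
    }
    return $output;
}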
if (isset($_GET['order'])) { if ($_GET['order'] != '') { if ($_GET['order'] === 'cat') { $order = 'ty.name'; } elseif ($_GET['order'] === 'date' || $_GET['order'] === 'rating' || $_GET['order'] === 'title') { $order = 'it.' . $_GET['order']; } } } if (isset($_GET['sort'])) { if ($_GET['sort'] != '' && ($_GET['sort'] === 'asc' || $_GET['sort'] === 'desc')) { $sort = $_GET['sort']; } } if (isset($_GET['filter'])) { if ($_GET['filter'] != '' && is_pos_int($_GET['filter'])) { $filter = "AND ty.id = '" . $_GET['filter'] . "' "; } } // /////////////////////////////////////////////////////////////////////// // SQL for showDB // TAG SEARCH if (isset($_GET['tag']) && !empty($_GET['tag'])) { $tag = filter_var($_GET['tag'], FILTER_SANITIZE_STRING); $sql = "SELECT it.id, ty.name, ta.item_id\n FROM items AS it, items_types AS ty, items_tags AS ta\n WHERE it.type = ty.id\n AND it.team = :teamid\n AND it.id = ta.item_id\n AND ta.tag LIKE :tag\n " . $filter . "\n ORDER BY {$order} {$sort}\n LIMIT 100"; $req = $pdo->prepare($sql); $req->bindParam(':tag', $tag, PDO::PARAM_STR); $req->bindParam(':teamid', $_SESSION['team_id'], PDO::PARAM_INT); $req->execute(); // put resulting ids in the results array while ($get_id = $req->fetch()) {
/**
 * Check if we have a template to load for experiments
 *
 * @param int $tpl The template ID
 * @return bool true when $tpl is a positive integer, i.e. looks like a usable template id
 */
private function checkTpl($tpl)
{
    $hasTemplate = is_pos_int($tpl);
    return $hasTemplate;
}
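********************************************************************************/
require_once 'inc/common.php';

//Array to store validation errors
$msg_arr = array();
//Validation error flag
$errflag = false;

// CHECKS
// ID: a positive integer selects an existing registration, the literal 0 means
// "new registration". The zero test is strict on purpose: the loose `== 0`
// used before let any non-numeric string (e.g. 'abc') compare equal to 0 on
// PHP < 8 and pass as a "valid" id.
if (is_pos_int($_POST['regid']) || (string) $_POST['regid'] === '0') {
    $regid = $_POST['regid'];
} else {
    $regid = '';
    $msg_arr[] = 'The id parameter is not valid !';
    $errflag = true;
}
// an invalid or missing compound id is not an error here: it is stored as ''
if (is_pos_int($_POST['cpdid'])) {
    $cpdid = $_POST['cpdid'];
} else {
    $cpdid = '';
}
$name = check_title($_POST['name']);
$iupacname = check_title($_POST['iupac_name']);
// checkbox: only the exact string 'true' counts as validated
if (isset($_POST['validated']) && $_POST['validated'] === 'true') {
    $validated = 1;
} else {
    $validated = 0;
}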
$group_name = filter_var($_POST['create_teamgroup'], FILTER_SANITIZE_STRING); $sql = "INSERT INTO team_groups(name, team) VALUES(:name, :team)"; $req = $pdo->prepare($sql); $req->bindParam(':name', $group_name); $req->bindParam(':team', $_SESSION['team_id']); if ($req->execute()) { echo '1'; } else { echo '0'; } } // EDIT TEAM GROUP NAME FROM JEDITABLE if (isset($_POST['teamgroup']) && !empty($_POST['teamgroup'])) { $name = filter_var($_POST['teamgroup'], FILTER_SANITIZE_STRING); $id_arr = explode('_', $_POST['id']); if ($id_arr[0] === 'teamgroup' && is_pos_int($id_arr[1])) { // SQL to update single exp comment $sql = "UPDATE team_groups SET name = :name WHERE id = :id AND team = :team"; $req = $pdo->prepare($sql); $req->bindParam(':name', $name); $req->bindParam(':team', $_SESSION['team_id']); $req->bindParam(':id', $id_arr[1], PDO::PARAM_INT); if ($req->execute()) { echo stripslashes($name); } } } // ADD OR REMOVE USER TO/FROM TEAM GROUP if (isset($_POST['teamgroup_user'])) { if ($_POST['action'] === 'add') { $sql = "INSERT INTO users2team_groups(userid, groupid) VALUES(:userid, :groupid)";
$tab = '4'; $item_type_id = $_POST['item_type_id']; $item_type_name = filter_var($_POST['item_type_name'], FILTER_SANITIZE_STRING); // we remove the # of the hexacode and sanitize string $item_type_bgcolor = filter_var(substr($_POST['item_type_bgcolor'], 1, 6), FILTER_SANITIZE_STRING); $item_type_template = check_body($_POST['item_type_template']); $sql = "UPDATE items_types SET\n name = :name,\n team = :team,\n bgcolor = :bgcolor,\n template = :template\n WHERE id = :id"; $req = $pdo->prepare($sql); $result = $req->execute(array('name' => $item_type_name, 'team' => $_SESSION['team_id'], 'bgcolor' => $item_type_bgcolor, 'template' => $item_type_template, 'id' => $item_type_id)); if (!$result) { $errflag = true; $error = '14'; } } // ADD NEW ITEM TYPE if (isset($_POST['new_item_type']) && is_pos_int($_POST['new_item_type'])) { $tab = '4'; $item_type_name = filter_var($_POST['new_item_type_name'], FILTER_SANITIZE_STRING); if (strlen($item_type_name) < 1) { $item_type_name = 'Unnamed'; } // we remove the # of the hexacode and sanitize string $item_type_bgcolor = filter_var(substr($_POST['new_item_type_bgcolor'], 1, 6), FILTER_SANITIZE_STRING); $item_type_template = check_body($_POST['new_item_type_template']); $sql = "INSERT INTO items_types(name, team, bgcolor, template) VALUES(:name, :team, :bgcolor, :template)"; $req = $pdo->prepare($sql); $result = $req->execute(array('name' => $item_type_name, 'team' => $_SESSION['team_id'], 'bgcolor' => $item_type_bgcolor, 'template' => $item_type_template)); if (!$result) { $errflag = true; $error = '15'; }
* the License, or (at your option) any later version. * * * * eLabFTW is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied * * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR * * PURPOSE. See the GNU Affero General Public License for more details. * * * * You should have received a copy of the GNU Affero General Public * * License along with eLabFTW. If not, see <http://www.gnu.org/licenses/>. * * * ********************************************************************************/ require_once 'inc/common.php'; require_once ELAB_ROOT . 'inc/locale.php'; require_once ELAB_ROOT . 'vendor/autoload.php'; // Check id is valid and assign it to $id if (isset($_GET['id']) && is_pos_int($_GET['id'])) { $id = $_GET['id']; } else { die(_("The id parameter is not valid!")); } // check the type if ($_GET['type'] === 'experiments' || $_GET['type'] === 'items') { $type = $_GET['type']; } else { die(_("The type parameter is not valid.")); } // do the pdf $pdf = new \Elabftw\Elabftw\MakePdf($id, $type); $mpdf = new mPDF(); $mpdf->SetAuthor($pdf->author); $mpdf->SetTitle($pdf->title);
/**
 * Verify the itemId received
 *
 * The id is stored on the instance only once it has passed the
 * positive-integer check; nothing is assigned on failure.
 *
 * @param int $itemId Id of our item
 * @throws Exception if id is not pos int
 */
private function checkItemId($itemId)
{
    if (!is_pos_int($itemId)) {
        throw new Exception('Bad item id');
    }
    $this->itemId = $itemId;
}