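/**
 * Run sqlFilter() over every value in $_GET and $_POST, in place.
 *
 * array_walk_recursive() is used so that values nested inside array
 * parameters (e.g. ?ids[]=1&ids[]=2) are filtered as well; the previous
 * array_walk() handed the sub-array itself to sqlFilter() and left the
 * elements inside it untouched, which is exactly the kind of gap an
 * attacker probes for.
 *
 * NOTE(review): this is defence in depth only. Blanket filtering of request
 * data is not a substitute for prepared statements / parameterised queries
 * at the point where the SQL is built, and whatever sqlFilter() does to a
 * value is applied to every request parameter, including ones that never
 * reach a query.
 *
 * @return void
 */
function sqlInjectionFilter()
{
    $filter = function (&$value) {
        $value = sqlFilter($value);
    };
    array_walk_recursive($_GET, $filter);
    array_walk_recursive($_POST, $filter);
}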
} $missionID = 0; //GET MISSION ID //TODO check missionID with session info. if (isset($_SESSION['missionID']) == true) { $missionID = $_SESSION['missionID']; } else { error(3001); } //Connect $mysqli = connectDB(); //Filter special characters $skey = sqlFilter($mysqli, $skey); $monsterID = sqlFilter($mysqli, $monsterID); $win = sqlFilter($mysqli, $win); $crystal = sqlFilter($mysqli, $crystal); $unlock = false; //Get UID $uid = $_SESSION['uid']; if ($win === 'true') { $unlock = true; // Insert MissionInfo //Prepare SQL statement $sql_insert = "INSERT INTO MissionInfo (uid,missionID)VALUES (?,?)"; /* create a prepared statement */ if ($stmt = $mysqli->prepare($sql_insert)) { /* bind parameters for markers */ $stmt->bind_param('ii', $uid, $missionID); $res = $stmt->execute(); $stmt->close(); $sql_get = "SELECT uid FROM MissionInfo WHERE uid = ? AND missionID = ?";
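/**
 * Generate a comparison expression for a column whose "compare" spec
 * names a uifilter. The uifilter's current value is looked up in
 * $this->yamlP2 and routed, together with the column's data-dictionary
 * entry, to the universal sqlFilter().
 *
 * @param string $table   the table
 * @param string $colname the column
 * @param array  $colinfo other column information; $colinfo['compare']
 *                        holds the filter spec, whose first two characters
 *                        (the asterisk and the @ sign) are skipped
 * @return string a parenthesised SQL fragment, or '' when the uifilter
 *                has no value or sqlFilter() produced nothing
 * @access private
 */
function SQLCompareStar($table, $colname, $colinfo)
{
    // Name of the uifilter being used: skip the asterisk and the @ sign.
    $uif_name = substr($colinfo['compare'], 2);
    $uiv_val = a($this->yamlP2['uifilter'][$uif_name], 'value');
    if ($uiv_val == '') {
        return '';
    }

    // KFD 6/18/08, route out to the new universal sqlFilter(), driven by
    // the data dictionary's description of the column.
    $dd = ddTable($table);
    $rv = sqlFilter($dd['flat'][$colname], $uiv_val, $dd['table_id']);
    if ($rv != '') {
        return '(' . $rv . ')';
    }
    return '';
}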
* @author Hang */ include 'common.php'; //MAIN ENTRY $skey = $missionID = ""; if (isset($_POST["skey"]) == true && isset($_POST["missionID"]) == true) { $skey = $_POST["skey"]; $missionID = $_POST["missionID"]; } else { error(1005); } //Connect $mysqli = connectDB(); //Filter special characters $skey = sqlFilter($mysqli, $skey); $missionID = sqlFilter($mysqli, $missionID); //Get UID $uid = $_SESSION['uid']; $bool_enter = true; // Check MissionInfo with pre mission //Prepare SQL statement $sql_get = "SELECT missionID FROM MissionInfo WHERE (uid = ? AND missionID = ?)"; /* create a prepared statement */ if ($stmt = $mysqli->prepare($sql_get)) { /* bind parameters for markers */ $stmt->bind_param('ii', $uid, $missionID); $res = $stmt->execute(); /* fetch value */ $result = $stmt->get_result(); $data = $result->fetch_array(); if ($data == null) {
*/ include 'common.php'; //MAIN ENTRY $uuid = ""; $skey = ""; if (isset($_POST["uuid"]) == true && isset($_POST["skey"]) == true) { $uuid = $_POST["uuid"]; $skey = $_POST["skey"]; } else { error(1005); } //Connect $mysqli = connectDB(); //Filter special characters $uuid = sqlFilter($mysqli, $uuid); $skey = sqlFilter($mysqli, $skey); //Check UUID with Session //Prepare SQL statement $sql_get = "SELECT * FROM UserInfo WHERE uuid = ?"; /* create a prepared statement */ if ($stmt = $mysqli->prepare($sql_get)) { /* bind parameters for markers */ $stmt->bind_param('s', $uuid); $res = $stmt->execute(); /* fetch value */ $result = $stmt->get_result(); $data = $result->fetch_array(); if ($data == null) { error(2005); exit; }
* * @version 1.0 * @author Hang */ include 'common.php'; //MAIN ENTRY $uuid = ""; if (isset($_POST["uuid"]) == true) { $uuid = $_POST["uuid"]; } else { error(1005); } //Connect $mysqli = connectDB(); //Filter special characters $uuid = sqlFilter($mysqli, $uuid); //Check UUID //Prepare SQL statement $sql_get = "SELECT uid FROM UserInfo WHERE uuid = ?"; /* create a prepared statement */ if ($stmt = $mysqli->prepare($sql_get)) { /* bind parameters for markers */ $stmt->bind_param('s', $uuid); $res = $stmt->execute(); /* fetch value */ $result = $stmt->get_result(); $data = $result->fetch_array(); if ($data == null) { error(2003); exit; }
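/**
 * Generate search results for an x4browse/search.
 *
 * Reads the search criteria from the request (aFromGP('x4w_')), merges in
 * the parent row's keys when this is a child-table search (tableIdPar /
 * skeyPar), builds a WHERE clause through sqlFilter(), an ORDER BY and a
 * LIMIT, runs the query and hands the rows (after browseFetchModify()) to
 * x4Data('browseFetch'). Returns without querying when no usable filter
 * was supplied.
 *
 * Security: the request-driven ORDER BY used to splice gp('sortCol') and
 * gp('sortAD') into the SQL verbatim whenever the table has a uisearchsort.
 * ORDER BY cannot be parameterised, so the column is now accepted only if
 * it is a known column of this table ($this->flat) and the direction is
 * normalised to ASC/DESC.
 *
 * @author: Kenneth Downs
 * @return void
 */
function browseFetch()
{
    # This is the list of columns to return
    $acols = explode(',', $this->dd['projections']['_uisearch']);

    # By default the search criteria come from the
    # variables, unless it is a child table search
    $vals = aFromGP('x4w_');
    $awhere = array();
    $vals2 = array();
    $tabPar = gp('tableIdPar');
    if ($tabPar != '') {
        // Parent table/view names and the pk list come from the data
        // dictionary, not from the request; skeyPar goes through SQLFN().
        $ddpar = ddTable($tabPar);
        $pks = $ddpar['pks'];
        $stab = ddView($tabPar);
        $skey = SQLFN(gp('skeyPar'));
        $vals2 = SQL_OneRow("SELECT {$pks} FROM {$stab} WHERE skey = {$skey}");
        if (!$vals2) {
            $vals2 = array();
        }
        $vals = array_merge($vals, $vals2);
    }

    # Build the where clause. Only columns the data dictionary knows are
    # considered; values are turned into SQL by sqlFilter().
    foreach ($vals as $column_id => $colvalue) {
        if (!isset($this->flat[$column_id])) {
            continue;
        }
        //$tcv = trim($colvalue);
        $tcv = $colvalue;
        if ($tcv != "") {
            // trap for a % sign in non-string
            $xwhere = sqlFilter($this->flat[$column_id], $tcv);
            if ($xwhere != '') {
                $awhere[] = "({$xwhere})";
            }
        }
    }

    # <----- RETURN: nothing to search on, so no query at all
    if (count($awhere) == 0) {
        x4Debug("returning");
        return;
    }

    # Generate the limit
    # KFD 11/12/08, modified to respect sql_limit, with default of 100
    $SLimit = ' LIMIT ' . configGet('sql_limit', 100);
    if ($tabPar != '') {
        if (a($this->dd['fk_parents'][$tabPar], 'uiallrows', 'N') == 'Y') {
            $SLimit = '';
        }
    }

    # Build the Order by.
    # A sort requested through the request is honoured only for a column
    # this table actually has, and the direction is whitelisted to
    # ASC/DESC; anything else would be spliced straight into the SQL.
    $ascDesc = strtoupper((string) gp('sortAD')) == 'ASC' ? ' ASC' : ' DESC';
    $aorder = array();
    $searchsort = trim(a($this->dd, 'uisearchsort', ''));
    if (gpExists('sortAD')) {
        $sortCol = (string) gp('sortCol');
        if (isset($this->flat[$sortCol])) {
            $aorder[] = $sortCol . $ascDesc;
        }
    }
    if ($searchsort != '') {
        $aocols = explode(",", $searchsort);
        foreach ($aocols as $pmcol) {
            $char1 = substr($pmcol, 0, 1);
            $column_id = substr($pmcol, 1);
            if ($char1 == '+') {
                $aorder[] = $column_id . ' ASC';
            } else {
                $aorder[] = $column_id . ' DESC';
            }
        }
        $SQLOrder = " ORDER BY " . implode(',', $aorder);
    } else {
        # KFD 6/18/08, new routine that works out sort.
        # Note this replaces $aorder, so the requested sortCol only
        # survives when the table has a uisearchsort (pre-existing
        # behaviour, left as is).
        $aorder = sqlOrderBy($vals);
        if (count($aorder) == 0) {
            $SQLOrder = '';
        } else {
            $SQLOrder = " ORDER BY " . implode(',', $aorder);
        }
    }

    # just before building the query, drop out
    # any columns that have a table_id_fko to the parent
    if ($tabPar != '') {
        foreach ($acols as $idx => $column_id) {
            if ($this->flat[$column_id]['table_id_fko'] == $tabPar) {
                unset($acols[$idx]);
            }
        }
    }

    // Build the where and limit
    $SWhere = ' WHERE ' . implode(' AND ', $awhere);

    // Retrieve data
    $SQL = "SELECT skey," . implode(',', $acols)
        . " FROM " . $this->view_id . $SWhere . $SQLOrder . $SLimit;
    $answer = SQL_AllRows($SQL);
    $this->browseFetchModify($answer);
    x4Data('browseFetch', $answer);
    return;
}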
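/**
 * Apply the input-side safety filters to a string: sqlFilter() for SQL
 * injection, then htmlspecialchars() for HTML escaping.
 *
 * The htmlspecialchars() flags are now explicit: before PHP 8.1 the default
 * was ENT_COMPAT, which leaves single quotes unescaped and so is not safe
 * inside single-quoted HTML attributes; ENT_SUBSTITUTE keeps an invalid
 * UTF-8 sequence from turning the whole result into ''.
 *
 * NOTE(review): escaping on input like this is a blunt instrument. The
 * stored value is HTML-escaped regardless of where it ends up (JSON, a
 * mail body, a plain-text file), and sqlFilter() is no substitute for
 * prepared statements at the point where the SQL is built. Prefer escaping
 * per output context and parameterising queries.
 *
 * @param string $inputString raw input
 * @return string the filtered string; the input is returned unchanged when
 *                it is empty
 */
function InputSafeFilter($inputString)
{
    if (strlen($inputString) > 0) {
        $inputString = sqlFilter($inputString); // SQL-injection filtering
        $inputString = htmlspecialchars($inputString, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // HTML escaping
    }
    return $inputString;
}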
/**
 * Build and run the search query for a table from its filters.
 *
 * Builds a WHERE clause from $matches (exact "col = value" terms via
 * SQL_Format()) and $filters (terms produced by sqlFilter(); date/dtime
 * values first pass through dEnsureTS()), an ORDER BY over every column of
 * the '_uisearch' projection (the column held in context as "orderby"
 * first, sequence columns skipped, all in the context's "orderasc"
 * direction), and a LIMIT from configGet('sql_limit', 300) (0 or less
 * means no LIMIT). Defaults for "orderasc" and "orderby" are written back
 * to context with ConSet(), as is the assembled "complex_orderby".
 *
 * NOTE(review): $cols and the table/column names from the data dictionary
 * are interpolated into the SQL as-is, and so are the "orderby"/"orderasc"
 * values read back from context. Callers must only pass trusted column
 * lists, and whatever writes those context values must keep them to real
 * column names and ASC/DESC - confirm against the ConSet() callers.
 *
 * @param array  $table   data dictionary entry for the table (taken by
 *                        reference but only read here)
 * @param array  $filters column => filter text, routed through sqlFilter()
 * @param string $cols    column list for the SELECT, used verbatim
 * @param array  $matches column => value, matched exactly
 * @return array the rows from SQL_ALLRows(), or an empty array when it
 *               returned false
 */
function rowsFromFilters(&$table, $filters, $cols, $matches = array())
{
    $tabflat = $table['flat'];
    $table_id = $table['table_id'];
    $view_id = DDTable_IDResolve($table_id);
    //echo SessionGet("GROUP_ID_EFF");

    // Set user-requested filters. An exact match for a column takes
    // precedence over a filter on the same column.
    $sw = array();
    foreach ($tabflat as $colname => $colinfo) {
        if (isset($matches[$colname])) {
            $tcv = trim($matches[$colname]);
            if ($tcv != "") {
                $tcsql = SQL_Format($colinfo["type_id"], $tcv);
                $sw[] = $colname . "=" . $tcsql;
                //$sql_where.=ListDelim($sql_where," AND ").$colname."=".$tcsql;
            }
        } elseif (isset($filters[$colname])) {
            $tcv = trim($filters[$colname]);
            $tid = $colinfo['type_id'];
            if ($tid == 'dtime' || $tid == 'date') {
                $tcv = dEnsureTS($tcv);
            }
            if ($tcv != "") {
                // trap for a % sign in non-string
                $sw[] = '(' . sqlFilter($colinfo, $tcv) . ')';
            }
        }
    }
    $sql_where = implode(' AND ', $sw);

    // Set identity-security filters
    // NOPE, Rem'd out 10/26/06 when moved server-side
    //$sql_where2 = S*QLX_Filters($tabflat);
    //if ($sql_where2!="") {
    //    $sql_where.=ListDelim($sql_where," AND ").$sql_where2;
    //}
    if ($sql_where != "") {
        $sql_where = " WHERE " . $sql_where;
    }

    // KFD 10/24/07. ASC/DESC used to be after the clause below,
    // but we need to get it first because we have
    // to assign it to each column
    $obasc = ConGet("table", $table_id, "orderasc");
    if ($obasc == "") {
        $obasc = "ASC";
        ConSet("table", $table_id, "orderasc", $obasc);
    }
    $SQLOB = $obasc; // not used below

    // KFD: 10/24/07. Order by all columns, not just the
    // the selected one. But order by the selected one
    // first.
    // Note the loop has no break: with no "orderby" in context the LAST
    // non-sequence column of the projection ends up as $ob, and ConSet()
    // is called once per candidate along the way.
    $ob = ConGet("table", $table_id, "orderby");
    $lob = explode(',', $table['projections']['_uisearch']);
    if ($ob == '') {
        foreach ($lob as $onecol) {
            $aid = $table['flat'][$onecol]['automation_id'];
            if (in_array($aid, array('SEQUENCE', 'SEQDEFAULT'))) {
                continue;
            }
            $ob = $onecol;
            ConSet('table', $table_id, 'orderby', $ob);
        }
    }
    $sob = $ob . ' ' . $obasc;
    foreach ($lob as $onecol) {
        $aid = $table['flat'][$onecol]['automation_id'];
        if (in_array($aid, array('SEQUENCE', 'SEQDEFAULT'))) {
            continue;
        }
        if ($onecol != $ob) {
            $sob .= "\n, " . $onecol . ' ' . $obasc;
        }
    }
    ConSet('table', $table_id, 'complex_orderby', $sob);

    // Retrieve the limit as a vgaget, defaulting to 300
    // DJO 4-8-2008 Allow for system variable override, 0 would be all records
    /**
     * DJO 8-15-2008 No longer needed because of the Config System
     */
    //$SQL_Limit = OptionGet( 'SQL_LIMIT', vgaGet( 'SQL_Limit', 300 ) );
    $SQL_Limit = configGet('sql_limit', 300);

    // Execute the sql, pull down the skey values
    $skeys = array(); // not used below
    $sq = "SELECT " . $cols . " FROM " . $view_id . $sql_where . " ORDER BY " . $sob . ($SQL_Limit > 0 ? " LIMIT " . $SQL_Limit : '');
    $rows = SQL_ALLRows($sq);
    $retval = $rows === false ? array() : $rows;
    return $retval;
}
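/**
 * Generate search results for an x6 browse/search and render them as an
 * androHTMLGrid: the whole grid via x6html('*MAIN*') when sendGrid=1,
 * otherwise only the grid body, after which the script exits.
 *
 * Search criteria come from the request (aFromGP('x6w_')), merged with the
 * parent row (fetchParent()) for a child-table search. A value of '*' for
 * any known column drops all filters and allows an unfiltered query. The
 * WHERE clause is built through sqlFilter(); ORDER BY comes from the child
 * projection's sort flags, the table's uisearchsort, or sqlOrderBy().
 *
 * Security: the sort entry built from gp('sortCol') / gp('sortAD') was
 * appended to $aorder verbatim. It is now accepted only for a column this
 * table has ($this->dd['flat']) and the direction is normalised to
 * ASC/DESC (sortAD when sent, else sortAsc == 'true' means ASC). As
 * written that entry is then superseded by the sqlOrderBy() branch below,
 * so it did not reach the SQL on this path - but it must not become an
 * injection vector if it is ever wired through.
 *
 * @return void
 */
function browseFetch()
{
    $table_id = $this->dd['table_id'];
    $tabPar = gp('tableIdPar');

    # By default the search criteria come from the
    # variables, unless it is a child table search
    $vals = aFromGP('x6w_');
    $awhere = array();
    $projSort = '';
    if ($tabPar == '') {
        $vals2 = array();
    } else {
        $vals2 = $this->fetchParent();
        $vals = array_merge($vals, $vals2);

        # KFD 12/27/08, if the sortdesc flag has been set on any
        # columns in the projection, those columns
        # become the default sort. Work it up here
        # and set them aside.
        $proj = 'child_' . $tabPar;
        $aprojSort = array();
        if (isset($this->dd['projdetails'][$proj])) {
            foreach ($this->dd['projdetails'][$proj] as $column => $sortasc) {
                if ($sortasc == 'Y') {
                    $aprojSort[] = "+{$column}";
                }
                if ($sortasc == 'N') {
                    $aprojSort[] = "-{$column}";
                }
            }
        }
        $projSort = implode(",", $aprojSort);
    }

    # Build the where clause. Only columns the data dictionary knows are
    # considered; values are turned into SQL by sqlFilter().
    $this->flat = $this->dd['flat'];
    $allowNoFilters = false;
    foreach ($vals as $column_id => $colvalue) {
        if (!isset($this->flat[$column_id])) {
            continue;
        }
        if ($colvalue == '*') {
            $awhere = array();
            # KFD 2/17/09 Sourceforge 2609083
            # Doing this returned all rows on regular
            # searches. Whatever it was for, it cannot
            # be done here this way.
            #gpSet('xReturnAll','Y');
            $allowNoFilters = true;
            break;
        }
        $exact = isset($vals2[$column_id]);
        $expre = gp('x6exactPre', 0);
        //$tcv = trim($colvalue);
        $tcv = $colvalue;
        if ($tcv != "") {
            // Parent-key columns are flagged as exact around the
            // sqlFilter() call, and the flag is cleared again unless the
            // caller had already set it.
            // NOTE(review): the set uses 'x6exactPre' and the unset
            // 'x6exactpre'; if gp keys are case-sensitive the flag is never
            // cleared. Confirm before changing the literal.
            if ($exact) {
                gpSet('x6exactPre', 1);
            }
            // trap for a % sign in non-string
            $xwhere = sqlFilter($this->flat[$column_id], $tcv);
            if ($xwhere != '') {
                $awhere[] = "({$xwhere})";
            }
            if ($exact && $expre == 0) {
                gpUnset('x6exactpre');
            }
        }
    }

    # <----- RETURN (MAYBE)
    # Sourceforge 2612788 - this is actually an exit, not
    # a return.
    if (count($awhere) == 0) {
        if (gp('xReturnAll', 'N') == 'N' && !$allowNoFilters) {
            exit;
        }
    }

    # Generate the limit
    $SLimit = ' LIMIT 100';
    if ($tabPar != '') {
        # NOTE(review): this branch assigns the same value as the default,
        # so uiallrows has no effect here (the x4 version sets '' instead).
        # Confirm the intent before changing it.
        if (a($this->dd['fk_parents'][$tabPar], 'uiallrows', 'N') == 'Y') {
            $SLimit = ' LIMIT 100';
        }
    }
    if (gp('xReturnAll', 'N') == 'Y') {
        $SLimit = '';
    }

    # Build the Order by
    $aorder = array();
    $searchsort = '';
    if (gpExists('sortAsc')) {
        x6Debug(gp('sortAsc'));
        # Direction is whitelisted: sortAD (normalised) wins when it was
        # sent, otherwise sortAsc == 'true' means ASC.
        if (gpExists('sortAD')) {
            $ascDesc = strtoupper((string) gp('sortAD')) == 'ASC' ? ' ASC' : ' DESC';
        } else {
            $ascDesc = gp('sortAsc') == 'true' ? ' ASC' : ' DESC';
        }
        # The column must be one this table actually has; anything else
        # would be spliced straight into the SQL.
        $sortCol = (string) gp('sortCol');
        if (isset($this->flat[$sortCol])) {
            $aorder[] = $sortCol . $ascDesc;
        }
    } else {
        # KFD 12/27/08, Use the search sort that was
        # set aside above if it is there
        $searchsort = $projSort == '' ? trim(arr($this->dd, 'uisearchsort', '')) : $projSort;
    }
    if ($searchsort != '') {
        $aocols = explode(",", $searchsort);
        foreach ($aocols as $pmcol) {
            $char1 = substr($pmcol, 0, 1);
            $column_id = substr($pmcol, 1);
            if ($char1 == '+') {
                $aorder[] = $column_id . ' ASC';
            } else {
                $aorder[] = $column_id . ' DESC';
            }
        }
        $SQLOrder = " ORDER BY " . implode(',', $aorder);
    } else {
        # KFD 6/18/08, new routine that works out sort.
        # This replaces $aorder wholesale; $searchsort is always '' on the
        # sortAsc path, so the request-driven entry above never reaches
        # the SQL (pre-existing behaviour, left as is).
        $aorder = sqlOrderBy($vals);
        if (count($aorder) == 0) {
            $SQLOrder = '';
        } else {
            $SQLOrder = " ORDER BY " . implode(',', $aorder);
        }
    }

    // Build the where and limit
    if (count($awhere) == 0) {
        $SWhere = '';
    } else {
        $SWhere = ' WHERE ' . implode(' AND ', $awhere);
    }

    // Retrieve data
    # KFD 11/15/08. We can actually select *, because the grid
    # works out what columns it needs, and we
    # don't want to accidentally reduce the column
    # list and exclude something it needs.
    $SQL = "SELECT * " . " FROM " . $this->dd['viewname'] . $SWhere . $SQLOrder . $SLimit;
    $answer = SQL_AllRows($SQL);

    # These parameters have to be sent from the back. They
    # figure everything out.
    $sortable = gp('xSortable', 'N') == 'Y';
    $gridHeight = gp('xGridHeight', 500);
    $lookups = gp('xLookups', 'N') == 'Y';
    $edit = 0;
    $childedit = in_array($this->dd['x6childwrites'], array('Y', 'grid'));
    if ($tabPar != '' && $childedit) {
        $edit = 1;
    }

    # The button bar is either a 1/0 or a list of buttons.
    # Make the simple setting first, then possibly override
    $bb = gp('xButtonBar', 'N') == 'Y' || $edit;
    if ($tabPar != '' && $this->dd['x6childwrites'] == 'detail') {
        $bb = 'new';
    }

    # Now grab us a grid
    $grid = new androHTMLGrid($gridHeight, $table_id, $lookups, $sortable, $bb, $edit);
    $this->gridGeneric($grid, $this->dd, $tabPar, $vals2);
    $grid->addData($answer);
    $grid->hp['x6profile'] = 'grid';

    # Put some important properties on the grid!
    $grid->ap['xGridHeight'] = $gridHeight;
    $grid->ap['xReturnAll'] = gp('xReturnAll', 'N');
    if ($tabPar != '') {
        $grid->ap['x6tablePar'] = $tabPar;
    }

    # If they asked for the entire grid, send it back
    # as *MAIN* and let the browser put it where it belongs
    if (gp('sendGrid', 0) == 1) {
        if (count($answer) == 0) {
            $grid->noResults();
        }
        x6html('*MAIN*', $grid->bufferedRender());
        return;
    }

    # ..otherwise just send the body back. But kill
    # any script they created.
    if (count($answer) == 0) {
        $grid->noResults();
    }
    $grid->dbody->render();
    exit;
}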