/**
 * Run every top-level value of $_GET and $_POST through sqlFilter() and
 * write the result back into the superglobal in place.
 *
 * Only first-level entries are rewritten: a nested array value is handed
 * to sqlFilter() as an array rather than walked. Rewriting request data
 * up front is an extra pass, not a substitute for parameterising at the
 * query itself.
 */
function sqlInjectionFilter()
{
    foreach ($_GET as &$getValue) {
        $getValue = sqlFilter($getValue);
    }
    unset($getValue);
    foreach ($_POST as &$postValue) {
        $postValue = sqlFilter($postValue);
    }
    unset($postValue);
}
}
$missionID = 0;
//GET MISSION ID
//TODO check missionID with session info.
//NOTE(review): error(3001) is not followed by exit here, unlike the
//error(...); exit; pattern used by the other handlers; confirm error()
//ends the request, otherwise the code below continues with $missionID = 0.
if (!isset($_SESSION['missionID'])) {
    error(3001);
} else {
    $missionID = $_SESSION['missionID'];
}
//Connect
$mysqli = connectDB();
//Filter special characters
$skey = sqlFilter($mysqli, $skey);
$monsterID = sqlFilter($mysqli, $monsterID);
$win = sqlFilter($mysqli, $win);
$crystal = sqlFilter($mysqli, $crystal);
$unlock = false;
//Get UID (read without an isset() guard, unlike missionID above)
$uid = $_SESSION['uid'];
if ($win === 'true') {
    $unlock = true;
    // Insert MissionInfo
    //Prepare SQL statement
    $sql_insert = "INSERT INTO MissionInfo (uid,missionID)VALUES (?,?)";
    /* create a prepared statement */
    if ($stmt = $mysqli->prepare($sql_insert)) {
        /* bind parameters for markers */
        $stmt->bind_param('ii', $uid, $missionID);
        $res = $stmt->execute();
        $stmt->close();
        $sql_get = "SELECT uid FROM MissionInfo WHERE uid = ? AND missionID = ?";
 /**
  *  Build a comparison expression for a "*@"-style uifilter reference.
  *
  *  The column's compare directive names a uifilter (after the leading
  *  asterisk and at-sign); its current value is read from yamlP2 and
  *  handed to sqlFilter() together with the data dictionary entry for
  *  the column. The fragment sqlFilter() returns is wrapped in
  *  parentheses as-is, so sqlFilter() is relied on for any quoting.
  *
  *  @param string $table   the table
  *  @param string $colname the column
  *  @param array  $colinfo other column information; only 'compare' is read
  *  @return string parenthesised expression, or '' when the uifilter has
  *                 no value or sqlFilter() produced nothing
  *  @access private
  */
 function SQLCompareStar($table, $colname, $colinfo)
 {
     // The compare directive is "*@<uifilter name>": drop the two prefix chars
     $filterName = substr($colinfo['compare'], 2);
     $filterValue = a($this->yamlP2['uifilter'][$filterName], 'value');
     if ($filterValue == '') {
         return '';
     }
     // Get data dictionary
     $dd = ddTable($table);
     // KFD 6/18/08, route out to the new universal sqlFilter()
     $fragment = sqlFilter($dd['flat'][$colname], $filterValue, $dd['table_id']);
     if ($fragment == '') {
         return '';
     }
     return sprintf('(%s)', $fragment);
 }
 * @author Hang
 */
include 'common.php';
//MAIN ENTRY
$skey = $missionID = "";
//NOTE(review): error(1005) is not followed by exit here, unlike the
//error(...); exit; pattern used by the other handlers; confirm error()
//ends the request, otherwise the lookup below runs with empty values.
if (isset($_POST["skey"], $_POST["missionID"])) {
    $skey = $_POST["skey"];
    $missionID = $_POST["missionID"];
} else {
    error(1005);
}
//Connect
$mysqli = connectDB();
//Filter special characters
$skey = sqlFilter($mysqli, $skey);
$missionID = sqlFilter($mysqli, $missionID);
//Get UID
$uid = $_SESSION['uid'];
$bool_enter = true;
// Check MissionInfo with pre mission
//Prepare SQL statement with placeholders; the values are bound, not interpolated
$sql_get = "SELECT missionID FROM MissionInfo WHERE (uid = ? AND missionID = ?)";
/* create a prepared statement */
if ($stmt = $mysqli->prepare($sql_get)) {
    /* bind parameters for markers */
    $stmt->bind_param('ii', $uid, $missionID);
    $res = $stmt->execute();
    /* fetch value */
    $result = $stmt->get_result();
    $data = $result->fetch_array();
    if ($data == null) {
 */
include 'common.php';
//MAIN ENTRY
$uuid = "";
$skey = "";
//NOTE(review): error(1005) is not followed by exit here, whereas the
//error(2005) below is; confirm error() ends the request, otherwise the
//lookup runs with an empty uuid.
if (isset($_POST["uuid"], $_POST["skey"])) {
    $uuid = $_POST["uuid"];
    $skey = $_POST["skey"];
} else {
    error(1005);
}
//Connect
$mysqli = connectDB();
//Filter special characters
$uuid = sqlFilter($mysqli, $uuid);
$skey = sqlFilter($mysqli, $skey);
//Check UUID with Session
//Prepare SQL statement with a placeholder; uuid is bound, not interpolated
$sql_get = "SELECT * FROM UserInfo WHERE uuid = ?";
/* create a prepared statement */
if ($stmt = $mysqli->prepare($sql_get)) {
    /* bind parameters for markers */
    $stmt->bind_param('s', $uuid);
    $res = $stmt->execute();
    /* fetch value */
    $result = $stmt->get_result();
    $data = $result->fetch_array();
    if ($data == null) {
        error(2005);
        exit;
    }
 *
 * @version 1.0
 * @author Hang
 */
include 'common.php';
//MAIN ENTRY
$uuid = "";
//NOTE(review): error(1005) is not followed by exit here, whereas the
//error(2003) below is; confirm error() ends the request, otherwise the
//lookup runs with an empty uuid.
if (!isset($_POST["uuid"])) {
    error(1005);
} else {
    $uuid = $_POST["uuid"];
}
//Connect
$mysqli = connectDB();
//Filter special characters
$uuid = sqlFilter($mysqli, $uuid);
//Check UUID
//Prepare SQL statement with a placeholder; uuid is bound, not interpolated
$sql_get = "SELECT uid FROM UserInfo WHERE uuid = ?";
/* create a prepared statement */
if ($stmt = $mysqli->prepare($sql_get)) {
    /* bind parameters for markers */
    $stmt->bind_param('s', $uuid);
    $res = $stmt->execute();
    /* fetch value */
    $result = $stmt->get_result();
    $data = $result->fetch_array();
    if ($data == null) {
        error(2003);
        exit;
    }
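 /**
  * Generate search results for an x4browse/search
  *
  * Reads the search criteria from the request (x4w_ prefixed values,
  * plus the parent row's primary-key values on a child-table search),
  * turns each one into a WHERE fragment via sqlFilter(), works out the
  * ORDER BY and LIMIT, runs the query and hands the rows to
  * browseFetchModify() and x4Data(). Returns without output when no
  * WHERE fragment could be built.
  *
  * @author: Kenneth Downs
  */
 function browseFetch()
 {
     #  This is the list of columns to return
     $acols = explode(',', $this->dd['projections']['_uisearch']);
     #  By default the search criteria come from the
     #  variables, unless it is a child table search
     $vals = aFromGP('x4w_');
     $awhere = array();
     $vals2 = array();
     $tabPar = gp('tableIdPar');
     if ($tabPar != '') {
         $ddpar = ddTable($tabPar);
         $pks = $ddpar['pks'];
         $stab = ddView($tabPar);
         # skeyPar comes from the request; SQLFN() is relied on to render
         # it as a SQL literal before it is interpolated below
         $skey = SQLFN(gp('skeyPar'));
         $vals2 = SQL_OneRow("SELECT {$pks} FROM {$stab} WHERE skey = {$skey}");
         if (!$vals2) {
             $vals2 = array();
         }
         $vals = array_merge($vals, $vals2);
     }
     # Build the where clause; only columns known to the data
     # dictionary are considered, and sqlFilter() produces the fragment
     foreach ($vals as $column_id => $colvalue) {
         if (!isset($this->flat[$column_id])) {
             continue;
         }
         if ($colvalue != "") {
             // trap for a % sign in non-string
             $xwhere = sqlFilter($this->flat[$column_id], $colvalue);
             if ($xwhere != '') {
                 $awhere[] = "({$xwhere})";
             }
         }
     }
     # <----- RETURN
     if (count($awhere) == 0) {
         x4Debug("returning");
         return;
     }
     # Generate the limit
     # KFD 11/12/08, modified to respect sql_limit, with default of 100
     $SLimit = ' LIMIT ' . configGet('sql_limit', 100);
     if ($tabPar != '') {
         if (a($this->dd['fk_parents'][$tabPar], 'uiallrows', 'N') == 'Y') {
             $SLimit = '';
         }
     }
     #  Build the Order by
     #
     #  sortCol and sortAD come straight from the request and end up
     #  inside ORDER BY, so they are constrained here: the column must
     #  look like a plain identifier (anything else is ignored) and the
     #  direction is the normalised ASC/DESC worked out in $ascDesc.
     $ascDesc = gp('sortAD') == 'ASC' ? ' ASC' : ' DESC';
     $aorder = array();
     $searchsort = trim(a($this->dd, 'uisearchsort', ''));
     if (gpExists('sortAD')) {
         $sortCol = (string) gp('sortCol');
         if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $sortCol) === 1) {
             $aorder[] = $sortCol . $ascDesc;
         }
     }
     if ($searchsort != '') {
         $aocols = explode(",", $searchsort);
         foreach ($aocols as $pmcol) {
             $char1 = substr($pmcol, 0, 1);
             $column_id = substr($pmcol, 1);
             if ($char1 == '+') {
                 $aorder[] = $column_id . ' ASC';
             } else {
                 $aorder[] = $column_id . ' DESC';
             }
         }
         $SQLOrder = " ORDER BY " . implode(',', $aorder);
     } else {
         # KFD 6/18/08, new routine that works out sort
         # NOTE: this replaces $aorder, so a request-supplied sortCol only
         #       takes effect when the table defines uisearchsort.
         $aorder = sqlOrderBy($vals);
         if (count($aorder) == 0) {
             $SQLOrder = '';
         } else {
             $SQLOrder = " ORDER BY " . implode(',', $aorder);
         }
     }
     # just before building the query, drop out
     # any columns that have a table_id_fko to the parent
     foreach ($acols as $idx => $column_id) {
         if ($this->flat[$column_id]['table_id_fko'] == $tabPar && $tabPar != '') {
             unset($acols[$idx]);
         }
     }
     // Build the where and limit
     $SWhere = ' WHERE ' . implode(' AND ', $awhere);
     // Retrieve data
     $SQL = "SELECT skey," . implode(',', $acols) . "  FROM " . $this->view_id . $SWhere . $SQLOrder . $SLimit;
     $answer = SQL_AllRows($SQL);
     $this->browseFetchModify($answer);
     x4Data('browseFetch', $answer);
     return;
 }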
/**
 * Apply the input sanitising pass to a request string: sqlFilter() for
 * the SQL-injection filter, then htmlspecialchars() for HTML escaping.
 *
 * Because the HTML escaping happens at input time, the returned value is
 * already entity-encoded; keep that in mind when it is later used in a
 * non-HTML context.
 *
 * @param string $inputString raw input value
 * @return string the filtered and escaped value; an empty input is
 *                returned unchanged
 */
function InputSafeFilter($inputString)
{
    if (strlen($inputString) === 0) {
        return $inputString;
    }
    $filtered = sqlFilter($inputString);
    return htmlspecialchars($filtered);
}
/**
 * Select rows from a table using exact matches and user filters.
 *
 * Builds a WHERE clause from $matches (exact equality, values formatted
 * with SQL_Format()) and $filters (handed to sqlFilter(), with date and
 * dtime values normalised by dEnsureTS() first), works out the ORDER BY
 * from the table's context settings (ConGet/ConSet, which are updated
 * when no setting exists yet), and runs the query against the resolved
 * view with the configured sql_limit.
 *
 * $cols is concatenated into the SELECT list unchanged, and each filter
 * fragment is used exactly as sqlFilter() returns it.
 *
 * @param array  $table   data dictionary for the table; flat, table_id
 *                        and projections are read
 * @param array  $filters column => user filter value
 * @param string $cols    column list for the SELECT clause
 * @param array  $matches column => value that must match exactly
 * @return array rows from SQL_ALLRows(), or an empty array when it
 *               returned false
 */
function rowsFromFilters(&$table, $filters, $cols, $matches = array())
{
    $columns = $table['flat'];
    $table_id = $table['table_id'];
    $view_id = DDTable_IDResolve($table_id);

    // Set user-requested filters
    $whereParts = array();
    foreach ($columns as $colname => $colinfo) {
        if (isset($matches[$colname])) {
            $wanted = trim($matches[$colname]);
            if ($wanted != "") {
                $whereParts[] = $colname . "=" . SQL_Format($colinfo["type_id"], $wanted);
            }
            continue;
        }
        if (!isset($filters[$colname])) {
            continue;
        }
        $wanted = trim($filters[$colname]);
        $typeId = $colinfo['type_id'];
        if ($typeId == 'dtime' || $typeId == 'date') {
            $wanted = dEnsureTS($wanted);
        }
        if ($wanted != "") {
            // trap for a % sign in non-string
            $whereParts[] = '(' . sqlFilter($colinfo, $wanted) . ')';
        }
    }
    $sqlWhere = implode(' AND ', $whereParts);
    if ($sqlWhere != "") {
        $sqlWhere = " WHERE " . $sqlWhere;
    }

    // KFD 10/24/07.  ASC/DESC is resolved first because it has to be
    //                appended to every column of the order by
    $direction = ConGet("table", $table_id, "orderasc");
    if ($direction == "") {
        $direction = "ASC";
        ConSet("table", $table_id, "orderasc", $direction);
    }

    // KFD: 10/24/07.  Order by all columns, not just the selected one,
    //       but with the selected one first.
    $orderCol = ConGet("table", $table_id, "orderby");
    $searchCols = explode(',', $table['projections']['_uisearch']);
    $skipAutomation = array('SEQUENCE', 'SEQDEFAULT');
    if ($orderCol == '') {
        // NOTE(review): there is no break here, so every non-sequence
        //               column is stored in turn and the last one wins;
        //               confirm whether the first column was intended.
        foreach ($searchCols as $onecol) {
            if (in_array($table['flat'][$onecol]['automation_id'], $skipAutomation)) {
                continue;
            }
            $orderCol = $onecol;
            ConSet('table', $table_id, 'orderby', $orderCol);
        }
    }
    $orderBy = $orderCol . ' ' . $direction;
    foreach ($searchCols as $onecol) {
        if (in_array($table['flat'][$onecol]['automation_id'], $skipAutomation)) {
            continue;
        }
        if ($onecol != $orderCol) {
            $orderBy .= "\n, " . $onecol . ' ' . $direction;
        }
    }
    ConSet('table', $table_id, 'complex_orderby', $orderBy);

    // Retrieve the limit from the config system, defaulting to 300;
    // 0 (or less) means all records
    $limit = configGet('sql_limit', 300);
    $limitClause = $limit > 0 ? " LIMIT " . $limit : '';

    // Execute the sql
    $sql = "SELECT " . $cols . " FROM " . $view_id . $sqlWhere . " ORDER BY " . $orderBy . $limitClause;
    $rows = SQL_ALLRows($sql);
    if ($rows === false) {
        return array();
    }
    return $rows;
}
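 /**
  * Generate search results for an x6 browse/search and render the grid.
  *
  * Reads the search criteria from the request (x6w_ prefixed values,
  * plus the parent row's values on a child-table search), turns each one
  * into a WHERE fragment via sqlFilter(), works out ORDER BY and LIMIT,
  * runs the query and renders the rows through androHTMLGrid. With
  * sendGrid=1 the whole grid is sent back as *MAIN* and the method
  * returns; otherwise only the grid body is rendered and the script exits.
  * Exits without output when no filter was given, unless xReturnAll=Y or
  * a '*' value was supplied.
  */
 function browseFetch()
 {
     $table_id = $this->dd['table_id'];
     $tabPar = gp('tableIdPar');
     #  This is the list of columns to return.  Maybe override
     #  if there is something specific named for this table
     $acols = explode(',', $this->dd['projections']['_uisearch']);
     if ($tabPar != '') {
         if (isset($this->dd['projections']['child_' . $tabPar])) {
             $acols = explode(',', $this->dd['projections']['child_' . $tabPar]);
         }
     }
     #  By default the search criteria come from the
     #  variables, unless it is a child table search
     $vals = aFromGP('x6w_');
     $awhere = array();
     $projSort = '';
     if ($tabPar == '') {
         $vals2 = array();
     } else {
         $vals2 = $this->fetchParent();
         $vals = array_merge($vals, $vals2);
         # KFD 12/27/08, if the sortdesc flag has been set on any
         #               columns in the projection, those columns
         #               become the default sort.  Work it up here
         #               and set them aside.
         $proj = 'child_' . $tabPar;
         $aprojSort = array();
         if (isset($this->dd['projdetails'][$proj])) {
             foreach ($this->dd['projdetails'][$proj] as $column => $sortasc) {
                 if ($sortasc == 'Y') {
                     $aprojSort[] = "+{$column}";
                 }
                 if ($sortasc == 'N') {
                     $aprojSort[] = "-{$column}";
                 }
             }
         }
         $projSort = implode(",", $aprojSort);
     }
     # Build the where clause; only columns known to the data
     # dictionary are considered, and sqlFilter() produces the fragment
     $this->flat = $this->dd['flat'];
     $allowNoFilters = false;
     foreach ($vals as $column_id => $colvalue) {
         if (!isset($this->flat[$column_id])) {
             continue;
         }
         if ($colvalue == '*') {
             # A bare asterisk discards every fragment collected so far
             # and permits the unfiltered query below.
             $awhere = array();
             # KFD 2/17/09 Sourceforge 2609083
             #             Doing this returned all rows on regular
             #             searches.  Whatever it was for, it cannot
             #             be done here this way.
             #gpSet('xReturnAll','Y');
             $allowNoFilters = true;
             break;
         }
         $exact = isset($vals2[$column_id]);
         $expre = gp('x6exactPre', 0);
         if ($colvalue != "") {
             if ($exact) {
                 gpSet('x6exactPre', 1);
             }
             // trap for a % sign in non-string
             $xwhere = sqlFilter($this->flat[$column_id], $colvalue);
             if ($xwhere != '') {
                 $awhere[] = "({$xwhere})";
             }
             if ($exact && $expre == 0) {
                 # NOTE(review): key case differs from the gpSet() above
                 #               ('x6exactpre' vs 'x6exactPre'); confirm
                 #               the gp* helpers treat keys case-insensitively.
                 gpUnset('x6exactpre');
             }
         }
     }
     # <----- RETURN (MAYBE)
     #        Sourceforge 2612788 - this is actually an exit, not
     #        a return.
     if (count($awhere) == 0) {
         if (gp('xReturnAll', 'N') == 'N' && !$allowNoFilters) {
             exit;
         }
     }
     # Generate the limit
     $SLimit = ' LIMIT 100';
     if ($tabPar != '') {
         # NOTE(review): both branches leave LIMIT 100 in place, so the
         #               uiallrows flag has no effect here; confirm whether
         #               uiallrows=Y was meant to clear the limit instead.
         if (a($this->dd['fk_parents'][$tabPar], 'uiallrows', 'N') == 'Y') {
             $SLimit = ' LIMIT 100';
         }
     }
     if (gp('xReturnAll', 'N') == 'Y') {
         $SLimit = '';
     }
     #  Build the Order by
     #
     #  sortCol and the sort direction come straight from the request and
     #  end up inside ORDER BY, so they are constrained here: the column
     #  must look like a plain identifier (anything else is ignored) and
     #  the direction is the normalised ASC/DESC worked out in $ascDesc.
     $ascDesc = gp('sortAD') == 'ASC' ? ' ASC' : ' DESC';
     $aorder = array();
     $searchsort = '';
     if (gpExists('sortAsc')) {
         x6Debug(gp('sortAsc'));
         $ascDesc = gp('sortAsc') == 'true' ? ' ASC' : ' DESC';
         $sortCol = (string) gp('sortCol');
         if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $sortCol) === 1) {
             $aorder[] = $sortCol . $ascDesc;
         }
     } else {
         # KFD 12/27/08, Use the search sort that was
         #               set aside above if it is there
         $searchsort = $projSort == '' ? trim(arr($this->dd, 'uisearchsort', '')) : $projSort;
     }
     if ($searchsort != '') {
         $aocols = explode(",", $searchsort);
         foreach ($aocols as $pmcol) {
             $char1 = substr($pmcol, 0, 1);
             $column_id = substr($pmcol, 1);
             if ($char1 == '+') {
                 $aorder[] = $column_id . ' ASC';
             } else {
                 $aorder[] = $column_id . ' DESC';
             }
         }
         $SQLOrder = " ORDER BY " . implode(',', $aorder);
     } else {
         # KFD 6/18/08, new routine that works out sort
         # NOTE: this replaces $aorder, so a request-supplied sortCol only
         #       takes effect when a search sort string is available.
         $aorder = sqlOrderBy($vals);
         if (count($aorder) == 0) {
             $SQLOrder = '';
         } else {
             $SQLOrder = " ORDER BY " . implode(',', $aorder);
         }
     }
     # just before building the query, drop out
     # any columns that have a table_id_fko to the parent
     foreach ($acols as $idx => $column_id) {
         if ($this->flat[$column_id]['table_id_fko'] == $tabPar && $tabPar != '') {
             unset($acols[$idx]);
         }
     }
     // Build the where and limit
     if (count($awhere) == 0) {
         $SWhere = '';
     } else {
         $SWhere = ' WHERE ' . implode(' AND ', $awhere);
     }
     // Retrieve data
     # KFD 11/15/08.  We can actually select *, because the grid
     #                works out what columns it needs, and we
     #                don't want to accidentally reduce the column
     #                list and exclude something it needs.
     $SQL = "SELECT * " . "  FROM " . $this->dd['viewname'] . $SWhere . $SQLOrder . $SLimit;
     $answer = SQL_AllRows($SQL);
     # These parameters have to be sent from the back.  They
     # figure everything out.
     $sortable = gp('xSortable', 'N') == 'Y';
     $gridHeight = gp('xGridHeight', 500);
     $lookups = gp('xLookups', 'N') == 'Y';
     $edit = 0;
     $childedit = in_array($this->dd['x6childwrites'], array('Y', 'grid'));
     if ($tabPar != '' && $childedit) {
         $edit = 1;
     }
     # The button bar is either a 1/0 or a list of buttons.
     # Make the simple setting first, then possibly override
     $bb = gp('xButtonBar', 'N') == 'Y' || $edit;
     if ($tabPar != '' && $this->dd['x6childwrites'] == 'detail') {
         $bb = 'new';
     }
     # Now grab us a grid
     $grid = new androHTMLGrid($gridHeight, $table_id, $lookups, $sortable, $bb, $edit);
     $this->gridGeneric($grid, $this->dd, $tabPar, $vals2);
     $grid->addData($answer);
     $grid->hp['x6profile'] = 'grid';
     # Put some important properties on the grid!
     $grid->ap['xGridHeight'] = $gridHeight;
     $grid->ap['xReturnAll'] = gp('xReturnAll', 'N');
     if ($tabPar != '') {
         $grid->ap['x6tablePar'] = $tabPar;
     }
     # If they asked for the entire grid, send it back
     # as *MAIN* and let the browser put it where it belongs
     if (gp('sendGrid', 0) == 1) {
         if (count($answer) == 0) {
             $grid->noResults();
         }
         x6html('*MAIN*', $grid->bufferedRender());
         return;
     }
     # ..otherwise just send the body back.  But kill
     #   any script they created.
     if (count($answer) == 0) {
         $grid->noResults();
     }
     $grid->dbody->render();
     exit;
 }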