X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=sql%2Falter2.2.php;h=db6b3aecec026d7a87d51dbffda900541030a116;hb=da7df35c61205d0b1af47d286be591b8a3194b0c;hp=cfc914aad4293703e2b7e70907d7267e88afba1c;hpb=bfd17863a94324dba8e9be74b03368cb3b3b5e98;p=fa-stable.git
diff --git a/sql/alter2.2.php b/sql/alter2.2.php
index cfc914aa..db6b3aec 100644
--- a/sql/alter2.2.php
+++ b/sql/alter2.2.php
@@ -10,14 +10,15 @@ See the License here .
 ***********************************************************************/
-class fa2_2 {
- var $version = '2.2'; // version installed
+class fa2_2 extends fa_patch {
+ var $previous = '2.1'; // applicable database version
+ var $version = '2.2rc'; // version installed
 var $description;
 var $sql = 'alter2.2.sql';
 var $preconf = true;
- var $beta = false; // upgrade from 2.1 or 2.2beta; set in pre_check
+ var $beta = false; // upgrade from 2.1 or 2.2beta; set in prepare()
- function fa2_2() {
+ function __construct() {
 global $security_groups;
 $this->beta = !isset($security_groups);
 $this->description = _('Upgrade from version 2.1/2.2beta to 2.2');
@@ -28,19 +29,25 @@ class fa2_2 {
 // Install procedure. All additional changes
 // not included in sql file should go here.
 //
- function install($pref, $force)
+ function install($company, $force=false)
 {
- global $db, $systypes_array;
-
+ global $db, $systypes_array, $db_connections;
+
 if (!$this->preconf) return false;
- if ($this->beta) // nothing special to be done on upgrade form 2.2beta
+ $pref = $db_connections[$company]['tbpref'];
+ // Until 2.2 sanitizing text input with db_escape was not
+ // consequent enough. To avoid comparision problems we have to
+ // fix this now.
+ sanitize_database($pref);
+
+ if ($this->beta) // nothing more to be done on upgrade from 2.2beta
 return true;
 // set item category dflt accounts to values from company GL setup
 $prefs = get_company_prefs();
- $sql = "UPDATE {$pref}stock_category SET "
+ $sql = "UPDATE ".TB_PREF."stock_category SET "
 ."dflt_sales_act = '" . $prefs['default_inv_sales_act'] . "',"
 ."dflt_cogs_act = '". $prefs['default_cogs_act'] . "',"
 ."dflt_inventory_act = '" . $prefs['default_inventory_act'] . "',"
@@ -55,15 +62,15 @@ class fa2_2 {
 foreach($systypes_array as $typeno => $typename) {
 $info = get_systype_db_info($typeno);
 if ($info == null || $info[3] == null) continue;
- $tbl = str_replace(TB_PREF, $pref, $info[0]);
+ $tbl = $info[0];
 $sql = "SELECT DISTINCT {$info[2]} as id,{$info[3]} as ref FROM $tbl";
 if ($info[1]) $sql .= " WHERE {$info[1]}=$typeno";
 $result = db_query($sql);
 if (db_num_rows($result)) {
 while ($row = db_fetch($result)) {
- $res2 = db_query("INSERT INTO {$pref}refs VALUES("
- . $row['id'].",".$typeno.",".db_escape($row['ref']).")");
+ $res2 = db_query("INSERT INTO ".TB_PREF."refs VALUES("
+ . $row['id'].",".$typeno.",'".$row['ref']."')");
 if (!$res2) {
 display_error(_("Cannot copy references from $tbl") .':
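Review bot: `$pref = $db_connections[$company]['tbpref'];` is read without checking that `$company` is a known connection; an unknown index yields an empty prefix, which the new `sanitize_database()` further down turns into `SHOW TABLES LIKE '%'`, so every table in the database (including other companies' prefixed tables, if they share it) gets rewritten. The same hunk then moves the `stock_category` UPDATE to `TB_PREF` — the prefix of the currently active connection — while `sanitize_database($pref)` and `convert_roles($pref)` keep using `$pref`, and nothing here guarantees the two agree. Guard both assumptions before doing any destructive work: `if (!isset($db_connections[$company]) || $db_connections[$company]['tbpref'] != TB_PREF) { display_error(_('Wrong company database selected.')); return false; }`. `install()` continues past the end of this hunk.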
'. db_error_msg($db)); 
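Review bot: The `refs` INSERT at the end of the hunk drops `db_escape()` and now wraps `$row['ref']` in bare quotes. That is safe only if `sanitize_database()`, called earlier in `install()`, has already converted every quote in the source column, but that pass explicitly skips any table without a primary key (`if (empty($keys)) continue;`) while the reference copy runs for every systype table regardless, so a reference still containing `'` breaks this statement or changes its meaning. Keep SQL escaping on the value — `. $row['id'].",".$typeno.",".db_escape($row['ref']).")");` — or, if `db_escape()` would re-encode the entities it just produced, use the driver's plain string escaping instead. `install()` starts before this hunk and continues after it.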
@@ -73,68 +80,39 @@ class fa2_2 {
 }
 }
- if (!($ret = db_query("SELECT MAX(`order_no`) FROM `{$pref}sales_orders`")) ||
- !db_num_rows($ret))
- {
- display_error(_('Cannot query max sales order number.'));
- return false;
- }
- $row = db_fetch($ret);
- $max_order = $row[0];
- $next_ref = $max_order+1;
- $sql = "UPDATE `{$pref}sys_types`
- SET `type_no`='$max_order',
- `next_reference`='$next_ref'
- WHERE `type_id`=30";
- if(!db_query($sql))
- {
- display_error(_('Cannot store next sales order reference.'));
- return false;
- }
-
- return convert_roles($pref);
+ if (!($ret = db_query("SELECT MAX(`order_no`) FROM `".TB_PREF."sales_orders`")) ||
+ !db_num_rows($ret))
+ {
+ display_error(_('Cannot query max sales order number.'));
+ return false;
+ }
+ $row = db_fetch($ret);
+ $max_order = $row[0];
+ $next_ref = $max_order+1;
+ $sql = "UPDATE `".TB_PREF."sys_types`
+ SET `type_no`='$max_order',`next_reference`='$next_ref'
+ WHERE `type_id`=30";
+ if(!db_query($sql))
+ {
+ display_error(_('Cannot store next sales order reference.'));
+ return false;
+ }
+ return convert_roles($pref);
 }
 //
 // Checking before install
 //
- function pre_check($pref, $force)
- {
+ function prepare()
+ {
 global $security_groups;
-
- if ($this->beta && !$force)
+
+ if ($this->beta)
 $this->sql = 'alter2.2rc.sql';
 // return ok when security groups still defined (upgrade from 2.1)
 // or usersonline not defined (upgrade from 2.2 beta)
- return isset($security_groups) || (check_table($pref, 'usersonline')!=0);
- }
- //
- // Test if patch was applied before.
- //
- function installed($pref) {
- $n = 1; // number of patches to be installed
- $patchcnt = 0;
- if (!$this->beta) {
- $n = 16;
- if (check_table($pref, 'company', 'custom1_name')) $patchcnt++;
- if (!check_table($pref, 'company', 'profit_loss_year_act')) $patchcnt++;
- if (!check_table($pref, 'company', 'login_tout')) $patchcnt++;
- if (!check_table($pref, 'stock_category', 'dflt_no_sale')) $patchcnt++;
- if (!check_table($pref, 'users', 'sticky_doc_date')) $patchcnt++;
- if (!check_table($pref, 'users', 'startup_tab')) $patchcnt++;
- if (!check_table($pref, 'cust_branch', 'inactive')) $patchcnt++;
- if (!check_table($pref, 'chart_class', 'ctype')) $patchcnt++;
- if (!check_table($pref, 'audit_trail')) $patchcnt++;
- if (!check_table($pref, 'currencies', 'auto_update')) $patchcnt++;
- if (!check_table($pref, 'stock_master','no_sale')) $patchcnt++;
- if (!check_table($pref, 'suppliers', 'supp_ref')) $patchcnt++;
- if (!check_table($pref, 'users', 'role_id')) $patchcnt++;
- if (!check_table($pref, 'sales_orders', 'reference')) $patchcnt++;
- if (!check_table($pref, 'tags')) $patchcnt++;
- }
- if (!check_table($pref, 'useronline')) $patchcnt++;
+ $pref = $this->companies[$company]['tbpref'];
- $n -= $patchcnt;
- return $n == 0 ? true : $patchcnt;
+ return isset($security_groups) || (check_table($pref, 'usersonline')!=0);
 }
 };
@@ -202,7 +180,7 @@ function convert_roles($pref)
 }
 $sections = array_keys($sections);
 sort($sections); sort($area_set);
- import_security_role($pref, $security_headings[$role_id], $sections, $area_set);
+ import_security_role($security_headings[$role_id], $sections, $area_set);
 $new_ids[$role_id] = db_insert_id();
 }
 $result = get_users(true);
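Review bot: `prepare()` reads `$company` in `$pref = $this->companies[$company]['tbpref'];`, but the new signature takes no parameters and the only `global` declared is `$security_groups`, so unless `fa_patch` supplies it in some way not visible here, `$company` is undefined, `$pref` is looked up under a null key, and `check_table($pref, 'usersonline')` runs against an empty prefix — the 2.1/2.2beta decision that selects `alter2.2rc.sql` is then made on wrong data. Mirror `install($company, $force=false)`: `function prepare($company)` (or read the company the base class stores on the object). Separately, the removed `installed()` tested a table named `useronline` while `prepare()` tests `usersonline`; whichever the 2.2 schema actually creates, the remaining check should use that spelling. The `install()` code at the top of this hunk begins in the previous hunk.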
@@ -212,7 +190,7 @@ function convert_roles($pref)
 }
 foreach($users as $old_id => $uids) foreach( $uids as $id) {
- $sql = "UPDATE {$pref}users set role_id=".$new_ids[$old_id].
+ $sql = "UPDATE ".TB_PREF."users set role_id=".$new_ids[$old_id].
 " WHERE id=$id";
 $ret = db_query($sql, 'cannot update users roles');
 if(!$ret) return false;
@@ -220,9 +198,9 @@ function convert_roles($pref)
 return true;
 }
-function import_security_role($pref, $name, $sections, $areas)
+function import_security_role($name, $sections, $areas)
 {
- $sql = "INSERT INTO {$pref}security_roles (role, description, sections, areas)
+ $sql = "INSERT INTO ".TB_PREF."security_roles (role, description, sections, areas)
 VALUES (".db_escape('FA 2.1 '.$name).",".db_escape($name).","
 .db_escape(implode(';',$sections)).",".db_escape(implode(';',$areas)).")";
@@ -251,19 +229,11 @@ function fix_extensions() {
 $ext['tab'] = $ext['name'];
 $ext['name'] = access_string($ext['title'], true);
 $ext['path'] = $ext['folder']; unset($ext['folder']);
- $ext['type'] = 'module';
+ $ext['type'] = 'extension';
 $ext['active'] = '1';
 $exts[] = $ext;
 }
- include($path_to_root.'/modules/installed_modules.php');
- foreach($installed_modules as $mod) {
- $mod['title'] = $mod['name'];
- $mod['name'] = access_string($mod['name'], true);
- $mod['type'] = 'plugin';
- $ext['active'] = '1';
- $exts[] = $mod;
- }
 if (!write_extensions($exts)) return false;
@@ -275,6 +245,65 @@ function fix_extensions() {
 return true;
 }
-$install = new fa2_2;
+/*
+ Find and update all database records with special chars in text fields
+ to ensure all of them are changed to html entites.
+*/
+function sanitize_database($pref, $test = false) {
+
+ if ($test)
+ error_log('Sanitizing database ...');
+
+ $tsql = "SHOW TABLES LIKE '".($pref=='' ? '' : substr($pref,0,-1).'\\_')."%'";
+ $tresult = db_query($tsql, "Cannot select all tables with prefix '$pref'");
+ while($tbl = db_fetch($tresult)) {
+ $table = $tbl[0];
+ $csql = "SHOW COLUMNS FROM $table";
+ $cresult = db_query($csql, "Cannot select column names for table '$table'");
+ $textcols = $keys = array();
+ while($col = db_fetch($cresult)) {
+ if (strpos($col['Type'], 'char')!==false
+ || strpos($col['Type'], 'text')!==false)
+ $textcols[] = '`'.$col['Field'].'`';
+ if ($col['Key'] == 'PRI') {
+ $keys[] = '`'.$col['Field'].'`';
+ }
+ }
+
+ if (empty($keys)) { // comments table have no primary key, so give up
+ continue;
+ }
+ if ($test)
+ error_log("Table $table (".implode(',',$keys)."):(".implode(',',$textcols)."):");
-?>
\ No newline at end of file
+ if (!count($textcols)) continue;
+
+ // fetch all records containing special characters in text fields
+ $sql = "SELECT ".implode(',', array_unique(array_merge($keys,$textcols)))
+ ." FROM {$table} WHERE
+ CONCAT(".implode(',', $textcols).") REGEXP '[\\'\"><&]'";
+ $result = db_query($sql, "Cannot select all suspicious fields in $table");
+
+ // and fix them
+ while($rec= db_fetch($result)) {
+ $sql = "UPDATE {$table} SET ";
+ $val = $key = array();
+ foreach ($textcols as $f) {
+ $val[] = $f.'='.db_escape($rec[substr($f,1,-1)]);
+ }
+ $sql .= implode(',', $val).
' WHERE ';
+ foreach ($keys as $k) {
+ $key[] = $k.'=\''.$rec[substr($k,1,-1)].'\'';
+ }
+ $sql .= implode( ' AND ', $key);
+ if ($test)
+ error_log("\t(".implode(',',$val).") updated");
+ else
+ db_query($sql, 'cannot update record');
+ }
+ }
+ if ($test)
+ error_log('Sanitizing done.');
+}
+
+$install = new fa2_2;
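Review bot: The UPDATE loop splices primary-key values into the WHERE clause raw — `$key[] = $k.'=\''.$rec[substr($k,1,-1)].'\'';` — although the rows were selected precisely because one of their text columns contains `'`, `"`, `<`, `>` or `&`; whenever the key column is itself a char column it is also in `$textcols`, so a quote in the key both corrupts the generated SQL (syntax error, or a statement matching different rows) and gets rewritten to its entity form by the SET clause, silently changing the identifier other tables refer to. Escape the WHERE value with the driver's plain string escaping rather than `db_escape()` (which would alter the value being matched), and refuse or special-case rows whose key column is among `$textcols`. The pass also runs with no transaction and ignores the result of `db_query($sql, 'cannot update record')`, so a mid-run failure leaves a half-converted database with no signal to the caller. Because `&` is in the REGEXP, already-encoded `&amp;` text is re-selected on every run; this is only safe to repeat if `db_escape()` decodes before it encodes, which this hunk does not show — confirm before relying on it.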