From: Joe Hunt Date: Fri, 18 Apr 2008 16:29:03 +0000 (+0000) Subject: Module gl sealed against XSS Attacks X-Git-Tag: v2.4.2~19^2~2099 X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=commitdiff_plain;h=65c68ebb3a09aa06418fb7f5e1712ca8012d756f;p=fa-stable.git Module gl sealed against XSS Attacks --- diff --git a/CHANGELOG.txt b/CHANGELOG.txt index be952195..da6f5bba 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -19,8 +19,18 @@ Legend: ! -> Note $ -> Affected files +18-Apr-2008 Joe Hunt +! Module gl sealed against XSS Attacks +$ /gl/includes/db/gl_db_accounts.inc + /gl/includes/db/gl_db_account_types.inc + /gl/includes/db/gl_db_bank_accounts.inc + /gl/includes/db/gl_db_bank_trans.inc + /gl/includes/db/gl_db_bank_trans_types.inc + /gl/includes/db/gl_db_currencies.inc + /gl/includes/db/gl_db_trans.inc + 18-Apr-2008 Janusz Dobrowolski -! Modules admin and dimensions sealed against XSS atacks +! Modules admin and dimensions sealed against XSS attacks $ /admin/payment_terms.php /admin/shipping_companies.php /admin/db/company_db.inc @@ -30,7 +40,7 @@ $ /admin/payment_terms.php /dimensions/includes/dimensions_db.inc 18-Apr-2008 Joe Hunt -! Changed db_escape function to avoid XSS attacks via js db injection +! Modules includes, inventory and manufacturing sealed against XSS attacks $ /includes/db/comments_db.inc /includes/db/inventory_db.inc /includes/db/references_db.inc diff --git a/gl/includes/db/gl_db_account_types.inc b/gl/includes/db/gl_db_account_types.inc index a9c38573..87ddba3a 100644 --- a/gl/includes/db/gl_db_account_types.inc +++ b/gl/includes/db/gl_db_account_types.inc @@ -1,104 +1,104 @@ - \ No newline at end of file diff --git a/gl/includes/db/gl_db_accounts.inc b/gl/includes/db/gl_db_accounts.inc index 27503708..4d51985f 100644 --- a/gl/includes/db/gl_db_accounts.inc +++ b/gl/includes/db/gl_db_accounts.inc 
@@ -5,8 +5,8 @@ function add_gl_account($account_code, $account_name, $account_type, $account_co { $account_name = db_escape($account_name); $sql = "INSERT INTO ".TB_PREF."chart_master (account_code, account_code2, account_name, account_type, - tax_code) - VALUES ('$account_code', '$account_code2', $account_name, $account_type, $tax_code)"; + tax_code) + VALUES (".db_escape($account_code).", ".db_escape($account_code2).", $account_name, $account_type, $tax_code)"; db_query($sql, "could not add gl account"); } @@ -15,7 +15,7 @@ function update_gl_account($account_code, $account_name, $account_type, $account { $account_name = db_escape($account_name); $sql = "UPDATE ".TB_PREF."chart_master SET account_name=$account_name, - account_type=$account_type, account_code2='$account_code2', + account_type=$account_type, account_code2=".db_escape($account_code2).", tax_code=$tax_code WHERE account_code = '$account_code'"; db_query($sql, "could not update gl account"); @@ -35,10 +35,10 @@ function get_gl_accounts($from=null, $to=null) WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id"; if ($from != null) $sql .= " AND ".TB_PREF."chart_master.account_code >= '$from'"; - if ($to != null) + if ($to != null) $sql .= " AND ".TB_PREF."chart_master.account_code <= '$to'"; $sql .= " ORDER BY account_code"; - + return db_query($sql, "could not get gl accounts"); } @@ -48,10 +48,10 @@ function get_gl_accounts_all($balance=-1) FROM ".TB_PREF."chart_master,".TB_PREF."chart_types, ".TB_PREF."chart_class WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id AND ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid"; - if ($balance != -1) + if ($balance != -1) $sql .= " AND ".TB_PREF."chart_class.balance_sheet=$balance"; $sql .= " ORDER BY ".TB_PREF."chart_class.cid, ".TB_PREF."chart_types.id, ".TB_PREF."chart_master.account_code"; - + return db_query($sql, "could not get gl accounts"); } 
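Review bot: In the add_gl_account hunk the INSERT still interpolates `$account_type` and `$tax_code` bare into the VALUES list, and the update_gl_account hunk leaves `WHERE account_code = '$account_code'` as a raw quoted interpolation, so only some of the caller-supplied columns go through db_escape. The inconsistency to close is that account_code2 is now escaped while the key the UPDATE selects by is not: `tax_code=$tax_code WHERE account_code = ".db_escape($account_code);` and, for the numeric columns, a cast at the top of each function (`$account_type = (int)$account_type; $tax_code = (int)$tax_code;`) keeps the SQL text unchanged. Since every replaced `'$x'` becomes `".db_escape($x)."`, db_escape appears to return an already-quoted literal; a comment above the first use, `// db_escape() returns a quoted, escaped SQL literal — do not wrap it in quotes again`, would stop the next maintainer from double-quoting it. get_gl_accounts' `'$from'`/`'$to'` and the later `'$code'` in is_account_balancesheet and get_gl_account_name have the same gap, but those hunks are whitespace-only here.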
@@ -69,12 +69,12 @@ function is_account_balancesheet($code) WHERE ".TB_PREF."chart_master.account_type=".TB_PREF."chart_types.id AND ".TB_PREF."chart_types.class_id=".TB_PREF."chart_class.cid AND ".TB_PREF."chart_master.account_code='$code'"; - + $result = db_query($sql,"could not retreive the account class for $code"); $row = db_fetch_row($result); return $row[0]; } - + function get_gl_account_name($code) { $sql = "SELECT account_name from ".TB_PREF."chart_master WHERE account_code='$code'"; diff --git a/gl/includes/db/gl_db_bank_accounts.inc b/gl/includes/db/gl_db_bank_accounts.inc index 138ad95a..2c405614 100644 --- a/gl/includes/db/gl_db_bank_accounts.inc +++ b/gl/includes/db/gl_db_bank_accounts.inc 
@@ -2,28 +2,28 @@ //--------------------------------------------------------------------------------------------- -function add_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, +function add_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, $bank_address, $bank_curr_code) { - $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, bank_account_name, bank_name, bank_account_number, bank_address, bank_curr_code) - VALUES ('$account_code', $account_type, '$bank_account_name', '$bank_name', '$bank_account_number', - '$bank_address', '$bank_curr_code')"; - + $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, bank_account_name, bank_name, bank_account_number, bank_address, bank_curr_code) + VALUES (".db_escape($account_code).", $account_type, ".db_escape($bank_account_name).", ".db_escape($bank_name).", ".db_escape($bank_account_number).", + ".db_escape($bank_address).", '$bank_curr_code')"; + db_query($sql, "could not add a bank account for $account_code"); } //--------------------------------------------------------------------------------------------- -function update_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, +function update_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, $bank_address, $bank_curr_code) { - $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type, - bank_account_name='$bank_account_name', bank_name='$bank_name', - bank_account_number='$bank_account_number', bank_curr_code='$bank_curr_code', - bank_address='$bank_address' WHERE account_code = '$account_code'"; - + $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type, + bank_account_name=".db_escape($bank_account_name).", bank_name=".db_escape($bank_name).", + bank_account_number=".db_escape($bank_account_number).", 
bank_curr_code='$bank_curr_code', + bank_address=".db_escape($bank_address)." WHERE account_code = '$account_code'"; + db_query($sql, "could not update bank account for $account_code"); -} +} //--------------------------------------------------------------------------------------------- @@ -31,7 +31,7 @@ function delete_bank_account($account_code) { $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE account_code='$account_code'"; - db_query($sql,"could not delete bank account for $account_code"); + db_query($sql,"could not delete bank account for $account_code"); } @@ -42,7 +42,7 @@ function get_bank_account($account_code) $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE account_code='$account_code'"; $result = db_query($sql, "could not retreive bank account for $account_code"); - + return db_fetch($result); } diff --git a/gl/includes/db/gl_db_bank_trans.inc b/gl/includes/db/gl_db_bank_trans.inc index 804e94ac..6aebe6f4 100644 --- a/gl/includes/db/gl_db_bank_trans.inc +++ b/gl/includes/db/gl_db_bank_trans.inc 
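Review bot: In update_bank_account the rewritten statement still embeds `bank_curr_code='$bank_curr_code'` and `WHERE account_code = '$account_code'` as raw interpolations, and add_bank_account likewise leaves `'$bank_curr_code'` and the bare `$account_type` untouched, so the escaping added here covers the free-text columns but not the keys. Those values arrive through the same parameter list as the escaped ones; the consistent fix for the UPDATE is `bank_curr_code=".db_escape($bank_curr_code).",` and `bank_address=".db_escape($bank_address)." WHERE account_code = ".db_escape($account_code);`, with the matching two substitutions in the INSERT. The message strings `"could not add a bank account for $account_code"` and `"could not update bank account for $account_code"` also carry the raw input into db_query's error text; whether that text is echoed into an HTML page depends on db_query, which is outside this diff, so it is worth confirming given the commit's XSS framing.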
@@ -6,35 +6,35 @@ // $amount is in $currency // $date_ is display date (non-sql) -function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_, $bank_trans_type_id, +function add_bank_trans($type, $trans_no, $bank_act, $ref, $date_, $bank_trans_type_id, $amount, $person_type_id, $person_id, $currency="", $err_msg="") { $sqlDate = date2sql($date_); - + // convert $amount to the bank's currency - if ($currency != "") + if ($currency != "") { $bank_account_currency = get_bank_account_currency($bank_act); $to_bank_currency = get_exchange_rate_from_to($currency, $bank_account_currency, $date_); $amount_bank = ($amount / $to_bank_currency); - } + } else - $amount_bank = $amount; - - + $amount_bank = $amount; + + // Also store the rate to the home //$BankToHomeCurrencyRate = get_exchange_rate_to_home_currency($bank_account_currency, $date_); - - $sql = "INSERT INTO ".TB_PREF."bank_trans (type, trans_no, bank_act, ref, + + $sql = "INSERT INTO ".TB_PREF."bank_trans (type, trans_no, bank_act, ref, trans_date, bank_trans_type_id, amount, person_type_id, person_id) "; - - $sql .= "VALUES ($type, $trans_no, '$bank_act', '$ref', '$sqlDate', '$bank_trans_type_id', + + $sql .= "VALUES ($type, $trans_no, '$bank_act', ".db_escape($ref).", '$sqlDate', '$bank_trans_type_id', $amount_bank, $person_type_id, '$person_id')"; - + if ($err_msg == "") $err_msg = "The bank transaction could not be inserted"; - - db_query($sql, $err_msg); + + db_query($sql, $err_msg); } //---------------------------------------------------------------------------------------- 
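Review bot: Only `$ref` gains db_escape in the VALUES list of add_bank_trans; `'$bank_act'`, `'$bank_trans_type_id'` and `'$person_id'` stay as quoted interpolations and `$type`/`$trans_no` are bare, so the statement is still only as safe as every caller. The three quoted strings should follow the same pattern as `$ref`: `$sql .= "VALUES ($type, $trans_no, ".db_escape($bank_act).", ".db_escape($ref).", '$sqlDate', ".db_escape($bank_trans_type_id).",` followed by `$amount_bank, $person_type_id, ".db_escape($person_id).")";`. `$sqlDate` is produced by date2sql a few lines above, so leaving it raw is defensible; `$amount_bank` is only arithmetically derived in the `$currency != ""` branch and is otherwise `$amount` passed through unchanged, so it deserves a cast or a comment rather than silent trust. A short comment such as `// $sqlDate is normalised by date2sql(); every caller string below goes through db_escape()` would make the asymmetry intentional rather than accidental.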
@@ -43,29 +43,29 @@ function exists_bank_trans($type, $type_no) { $sql = "SELECT trans_no FROM ".TB_PREF."bank_trans WHERE type=$type AND trans_no=$type_no"; - $result = db_query($sql, "Cannot retreive a bank transaction"); - - return (db_num_rows($result) > 0); + $result = db_query($sql, "Cannot retreive a bank transaction"); + + return (db_num_rows($result) > 0); } //---------------------------------------------------------------------------------------- function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id=null) { - $sql = "SELECT *, bank_account_name, account_code, bank_curr_code, name AS BankTransType - FROM ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts, ".TB_PREF."bank_trans_types + $sql = "SELECT *, bank_account_name, account_code, bank_curr_code, name AS BankTransType + FROM ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts, ".TB_PREF."bank_trans_types WHERE ".TB_PREF."bank_trans_types.id = ".TB_PREF."bank_trans.bank_trans_type_id AND ".TB_PREF."bank_accounts.account_code=".TB_PREF."bank_trans.bank_act "; - if ($type != null) + if ($type != null) $sql .= " AND type=$type "; if ($trans_no != null) - $sql .= " AND ".TB_PREF."bank_trans.trans_no = $trans_no "; + $sql .= " AND ".TB_PREF."bank_trans.trans_no = $trans_no "; if ($person_type_id != null) $sql .= " AND ".TB_PREF."bank_trans.person_type_id = $person_type_id "; if ($person_id != null) - $sql .= " AND ".TB_PREF."bank_trans.person_id = '$person_id'"; + $sql .= " AND ".TB_PREF."bank_trans.person_id = '$person_id'"; $sql .= " ORDER BY trans_date, ".TB_PREF."bank_trans.id"; - + return db_query($sql, "query for bank transaction"); } 
@@ -74,9 +74,9 @@ function get_bank_trans($type, $trans_no=null, $person_type_id=null, $person_id= function get_gl_trans_value($account, $type, $trans_no) { $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE account='$account' AND type=$type AND type_no=$trans_no"; - + $result = db_query($sql, "query for gl trans value"); - + $row = db_fetch_row($result); return $row[0]; } @@ -87,22 +87,22 @@ function void_bank_trans($type, $type_no, $nested=false) { if (!$nested) begin_transaction(); - - $sql = "UPDATE ".TB_PREF."bank_trans SET amount=0 + + $sql = "UPDATE ".TB_PREF."bank_trans SET amount=0 WHERE type=$type AND trans_no=$type_no"; - + $result = db_query($sql, "could not void bank transactions for type=$type and trans_no=$type_no"); - + void_gl_trans($type, $type_no, true); - + // in case it's a customer trans - probably better to check first void_cust_allocations($type, $type_no); void_customer_trans($type, $type_no); - + // in case it's a supplier trans - probably better to check first void_supp_allocations($type, $type_no); void_supp_trans($type, $type_no); - + if (!$nested) commit_transaction(); } diff --git a/gl/includes/db/gl_db_bank_trans_types.inc b/gl/includes/db/gl_db_bank_trans_types.inc index 66e1cdd6..7a6e5807 100644 --- a/gl/includes/db/gl_db_bank_trans_types.inc +++ b/gl/includes/db/gl_db_bank_trans_types.inc 
@@ -2,39 +2,39 @@ function add_bank_trans_type($name) { - $sql = "INSERT INTO ".TB_PREF."bank_trans_types (name) VALUES ('$name')"; - - db_query($sql, "could not add bank transaction type"); + $sql = "INSERT INTO ".TB_PREF."bank_trans_types (name) VALUES (".db_escape($name).")"; + + db_query($sql, "could not add bank transaction type"); } function update_bank_trans_type($type_id, $name) { - $sql = "UPDATE ".TB_PREF."bank_trans_types SET name='$name' WHERE id=$type_id"; - - db_query($sql, "could not update bank transaction type"); + $sql = "UPDATE ".TB_PREF."bank_trans_types SET name=".db_escape($name)." WHERE id=$type_id"; + + db_query($sql, "could not update bank transaction type"); } function get_all_bank_trans_type() { $sql = "SELECT * FROM ".TB_PREF."bank_trans_types"; - + return db_query($sql, "could not get all bank transaction type"); -} +} function get_bank_trans_type($type_id) { $sql = "SELECT * FROM ".TB_PREF."bank_trans_types WHERE id=$type_id"; - + $result = db_query($sql, "could not get bank transaction type"); - + return db_fetch($result); } function delete_bank_trans_type($type_id) { $sql="DELETE FROM ".TB_PREF."bank_trans_types WHERE id=$type_id"; - - db_query($sql, "could not delete bank transaction type"); + + db_query($sql, "could not delete bank transaction type"); } ?> \ No newline at end of file diff --git a/gl/includes/db/gl_db_currencies.inc b/gl/includes/db/gl_db_currencies.inc index 8c9ad979..a4d7e2d4 100644 --- a/gl/includes/db/gl_db_currencies.inc +++ b/gl/includes/db/gl_db_currencies.inc 
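Review bot: `$name` is now escaped in add_bank_trans_type and update_bank_trans_type, but `$type_id` is still concatenated bare into the `WHERE id=$type_id` clauses of the UPDATE, SELECT and DELETE in the same hunk, so the numeric key is the remaining unvalidated input. Casting at the top of each function keeps the SQL text unchanged: `$type_id = (int)$type_id;` as the first statement of update_bank_trans_type, get_bank_trans_type and delete_bank_trans_type. The hunk also ends with a closing `?>` flagged "No newline at end of file"; dropping the closing tag from a pure-PHP include removes the chance of stray output before headers are sent.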
@@ -4,9 +4,9 @@ function update_currency($curr_abrev, $symbol, $currency, $country, $hundreds_name) { - $sql = "UPDATE ".TB_PREF."currencies SET currency='$currency', curr_symbol='$symbol', - country='$country', hundreds_name='$hundreds_name' WHERE curr_abrev = '$curr_abrev'"; - + $sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency).", curr_symbol='$symbol', + country=".db_escape($country).", hundreds_name=".db_escape($hundreds_name)." WHERE curr_abrev = '$curr_abrev'"; + db_query($sql, "could not update currency for $curr_abrev"); } @@ -14,9 +14,9 @@ function update_currency($curr_abrev, $symbol, $currency, $country, $hundreds_na function add_currency($curr_abrev, $symbol, $currency, $country, $hundreds_name) { - $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, country, hundreds_name) - VALUES ('$curr_abrev', '$symbol', '$currency', '$country', '$hundreds_name')"; - + $sql = "INSERT INTO ".TB_PREF."currencies (curr_abrev, curr_symbol, currency, country, hundreds_name) + VALUES (".db_escape($curr_abrev).", '$symbol', ".db_escape($currency).", ".db_escape($country).", ".db_escape($hundreds_name).")"; + db_query($sql, "could not add currency for $curr_abrev"); } @@ -26,7 +26,7 @@ function delete_currency($curr_code) { $sql="DELETE FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'"; db_query($sql, "could not delete currency $curr_code"); - + $sql="DELETE FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'"; db_query($sql, "could not delete exchange rates for currency $curr_code"); } 
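Review bot: In update_currency the rewritten UPDATE still interpolates `curr_symbol='$symbol'` and `WHERE curr_abrev = '$curr_abrev'` raw, and the add_currency hunk below leaves `'$symbol'` raw in the same way, so two of the five form fields skip the escaping this commit introduces. The UPDATE becomes `$sql = "UPDATE ".TB_PREF."currencies SET currency=".db_escape($currency).", curr_symbol=".db_escape($symbol).",` and `country=".db_escape($country).", hundreds_name=".db_escape($hundreds_name)." WHERE curr_abrev = ".db_escape($curr_abrev);`, with `'$symbol'` replaced by `".db_escape($symbol)."` in the INSERT. delete_currency's `'$curr_code'` in both DELETE statements has the same gap, though that hunk is whitespace-only here.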
@@ -35,18 +35,18 @@ function delete_currency($curr_code) function get_currency($curr_code) { - $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'"; + $sql = "SELECT * FROM ".TB_PREF."currencies WHERE curr_abrev='$curr_code'"; $result = db_query($sql, "could not get currency $curr_code"); - + $row = db_fetch($result); - return $row; + return $row; } //--------------------------------------------------------------------------------------------- function get_currencies() { - $sql = "SELECT * FROM ".TB_PREF."currencies"; + $sql = "SELECT * FROM ".TB_PREF."currencies"; return db_query($sql, "could not get currencies"); } diff --git a/gl/includes/db/gl_db_trans.inc b/gl/includes/db/gl_db_trans.inc index 911fd58a..ecd12fae 100644 --- a/gl/includes/db/gl_db_trans.inc +++ b/gl/includes/db/gl_db_trans.inc @@ -11,7 +11,7 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension $amount, $currency=null, $person_type_id=null, $person_id=null, $err_msg="") { global $use_audit_trail; - + $date = date2sql($date_); if ($currency != null) $amount_in_home_currency = to_home_currency($amount, $currency, $date_); @@ -27,7 +27,7 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension $memo_ = $_SESSION["wa_current_user"]->username; else $memo_ = $_SESSION["wa_current_user"]->username . " - " . $memo_; - } + } $sql = "INSERT INTO ".TB_PREF."gl_trans ( type, type_no, tran_date, account, dimension_id, dimension2_id, memo_, amount"; @@ -37,7 +37,7 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension $sql .= ") "; $sql .= "VALUES ($type, $trans_id, '$date', - '$account', $dimension, $dimension2, '$memo_', $amount_in_home_currency"; + '$account', $dimension, $dimension2, ".db_escape($memo_).", $amount_in_home_currency"; if ($person_type_id != null) $sql .= ", $person_type_id, '$person_id'"; 
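Review bot: In the add_gl_trans hunk the VALUES clause escapes `$memo_` but keeps `'$account'` on the same line and `'$person_id'` two lines down as raw quoted interpolations, so the account key and person id stay unescaped while the free-text column is covered. The consistent change is `".db_escape($account).", $dimension, $dimension2, ".db_escape($memo_).", $amount_in_home_currency";` and `$sql .= ", $person_type_id, ".db_escape($person_id);`. `$date` is produced by date2sql from `$date_` earlier in the function, so leaving `'$date'` raw is defensible, and a comment `// $date is already normalised by date2sql()` would record why it is the one string not escaped. add_gl_trans begins before this hunk and continues past it.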
@@ -56,7 +56,7 @@ function add_gl_trans($type, $trans_id, $date_, $account, $dimension, $dimension // $date_ is display date (non-sql) // $amount is in HOME currency -function add_gl_trans_std_cost($type, $trans_id, $date_, $account, $dimension, $dimension2, +function add_gl_trans_std_cost($type, $trans_id, $date_, $account, $dimension, $dimension2, $memo_, $amount, $person_type_id=null, $person_id=null, $err_msg="") { if ($amount != 0) @@ -160,17 +160,17 @@ function get_gl_trans_from_to($from_date, $to_date, $account, $dimension=0, $dim //-------------------------------------------------------------------------------- -function get_budget_trans_from_to($from_date, $to_date, $account, $dimension=0, $dimension2=0) +function get_budget_trans_from_to($from_date, $to_date, $account, $dimension=0, $dimension2=0) { $from = date2sql($from_date); $to = date2sql($to_date); - + $sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans WHERE account='$account' "; - if ($from_date != "") + if ($from_date != "") $sql .= " AND tran_date >= '$from' "; - if ($to_date != "") + if ($to_date != "") $sql .= " AND tran_date <= '$to' "; if ($dimension > 0) $sql .= " AND dimension_id = $dimension"; 
@@ -191,27 +191,27 @@ function add_journal_entries($items, $date_, $ref, $reverse, $memo_=null) $trans_type = systypes::journal_entry(); $trans_id = get_next_trans_no($trans_type); - foreach ($items as $journal_item) + foreach ($items as $journal_item) { $is_bank_to = is_bank_account($journal_item->code_id); - add_gl_trans($trans_type, $trans_id, $date_, $journal_item->code_id, - $journal_item->dimension_id, $journal_item->dimension2_id, + add_gl_trans($trans_type, $trans_id, $date_, $journal_item->code_id, + $journal_item->dimension_id, $journal_item->dimension2_id, $journal_item->reference, $journal_item->amount); - if ($is_bank_to) + if ($is_bank_to) { - add_bank_trans($trans_type, $trans_id, $journal_item->code_id, $ref, + add_bank_trans($trans_type, $trans_id, $journal_item->code_id, $ref, $date_, 3, $journal_item->amount, - 0, "", get_company_currency(), - "Cannot insert a destination bank transaction"); - } + 0, "", get_company_currency(), + "Cannot insert a destination bank transaction"); + } } add_comments($trans_type, $trans_id, $date_, $memo_); references::save($trans_type, $trans_id, $ref); - if ($reverse) + if ($reverse) { //$reversingDate = date(user_date_display(), 
@@ -220,20 +220,20 @@ function add_journal_entries($items, $date_, $ref, $reverse, $memo_=null) $trans_id_reverse = get_next_trans_no($trans_type); - foreach ($items as $journal_item) + foreach ($items as $journal_item) { $is_bank_to = is_bank_account($journal_item->code_id); add_gl_trans($trans_type, $trans_id_reverse, $reversingDate, - $journal_item->code_id, $journal_item->dimension_id, $journal_item->dimension2_id, + $journal_item->code_id, $journal_item->dimension_id, $journal_item->dimension2_id, $journal_item->reference, -$journal_item->amount); - if ($is_bank_to) + if ($is_bank_to) { - add_bank_trans($trans_type, $trans_id_reverse, $journal_item->code_id, $ref, + add_bank_trans($trans_type, $trans_id_reverse, $journal_item->code_id, $ref, $reversingDate, 3, $journal_item->amount, - 0, "", get_company_currency(), - "Cannot insert a destination bank transaction"); - } + 0, "", get_company_currency(), + "Cannot insert a destination bank transaction"); + } } add_comments($trans_type, $trans_id_reverse, $reversingDate, $memo_);