From 2bcdab793e406bb5a44d2c4e079ec7cc2a1aa857 Mon Sep 17 00:00:00 2001 From: Janusz Dobrowolski Date: Thu, 10 Jan 2019 10:17:14 +0100 Subject: [PATCH] Activated strict SQL mode, minor SQL injection fix, fixed _vl() debug helper. --- admin/display_prefs.php | 8 +++-- includes/date_functions.inc | 46 +++++++++++++++-------------- includes/db/class.reflines_db.inc | 2 +- includes/db/connect_db_mysql.inc | 2 +- includes/db/connect_db_mysqli.inc | 2 +- includes/ui/class.crud_view.inc | 13 ++++++-- includes/ui/class.reflines_crud.inc | 4 +-- includes/ui/ui_input.inc | 8 ++++- includes/ui/ui_view.inc | 2 +- inventory/includes/db/items_db.inc | 13 ++++---- inventory/manage/items.php | 8 ++--- inventory/manage/locations.php | 4 +-- purchasing/manage/suppliers.php | 2 +- sales/includes/cart_class.inc | 4 +-- 14 files changed, 69 insertions(+), 49 deletions(-) diff --git a/admin/display_prefs.php b/admin/display_prefs.php index e686a81a..243ddea9 100644 --- a/admin/display_prefs.php +++ b/admin/display_prefs.php @@ -40,10 +40,12 @@ if (isset($_POST['setprefs'])) array('prices_dec', 'qty_dec', 'rates_dec', 'percent_dec', 'date_format', 'date_sep', 'tho_sep', 'dec_sep', 'print_profile', 'theme', 'page_size', 'language', 'startup_tab', - 'show_gl' => 0, 'show_codes'=> 0, 'show_hints' => 0, - 'rep_popup' => 0, 'graphic_links' => 0, 'sticky_doc_date' => 0, 'query_size' => 10.0, 'transaction_days' => 30, 'save_report_selections' => 0, - 'use_date_picker' => 0, 'def_print_destination' => 0, 'def_print_orientation' => 0))); + 'def_print_destination' => 0, 'def_print_orientation' => 0))); + + set_user_prefs(check_value( + array( 'show_gl', 'show_codes', 'show_hints', 'rep_popup', + 'graphic_links', 'sticky_doc_date', 'use_date_picker'))); if ($chg_lang) $_SESSION['language']->set_language($_POST['language']); diff --git a/includes/date_functions.inc b/includes/date_functions.inc index c0bcbe94..e90e2e78 100644 --- a/includes/date_functions.inc +++ b/includes/date_functions.inc 
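Review bot: `'save_report_selections' => 0` stays in the get_post() list on the kept context line while the seven other boolean prefs are moved to the new check_value() call; if that field is rendered as a checkbox like the others, a checked box still posts its raw form value (for example "on") instead of 1, and with STRICT_ALL_TABLES now enabled a non-numeric value into an integer column is a query error rather than a silent coercion. Whether it is a checkbox is not visible in the hunk, so please confirm; if it is, move it into the second call: `array( 'show_gl', 'show_codes', 'show_hints', 'rep_popup', 'graphic_links', 'sticky_doc_date', 'use_date_picker', 'save_report_selections')`. A short comment above the two calls, `// scalar prefs come from get_post() with defaults; checkbox prefs are normalised to 0/1 by check_value()`, would explain why the preferences are written in two steps. The enclosing `if (isset($_POST['setprefs']))` block starts above the hunk.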
@@ -395,32 +395,34 @@ and converts to a yyyy/mm/dd format */ list($day, $month, $year) = explode($sep, $date_); else // $how == 2 || $how == 5, YYYYMMDD or YYYYMmmDD list($year, $month, $day) = explode($sep, $date_); - if ($how > 2) - { - global $tmonths; - $month = array_search($month, $tmonths); - } -//to modify assumption in 2030 - if ($SysPrefs->date_system == 0 || $SysPrefs->date_system == 3) - { - if ((int)$year < 60) + + if ($year+$day+$month) { + if ($how > 2) { - $year = "20".$year; - } - elseif ((int)$year > 59 && (int)$year < 100) + global $tmonths; + $month = array_search($month, $tmonths); + } + //to modify assumption in 2030 + if ($SysPrefs->date_system == 0 || $SysPrefs->date_system == 3) { - $year = "19".$year; + if ((int)$year < 60) + { + $year = "20".$year; + } + elseif ((int)$year > 59 && (int)$year < 100) + { + $year = "19".$year; + } } - } - if ((int)$year > 9999) - { - return 0; + if ((int)$year > 9999) + { + return 0; + } + if ($SysPrefs->date_system == 1) + list($year, $month, $day) = jalali_to_gregorian($year, $month, $day); + elseif ($SysPrefs->date_system == 2) + list($year, $month, $day) = islamic_to_gregorian($year, $month, $day); } - if ($SysPrefs->date_system == 1) - list($year, $month, $day) = jalali_to_gregorian($year, $month, $day); - elseif ($SysPrefs->date_system == 2) - list($year, $month, $day) = islamic_to_gregorian($year, $month, $day); - return sprintf("%04d-%02d-%02d", $year, $month, $day); }// end of function diff --git a/includes/db/class.reflines_db.inc b/includes/db/class.reflines_db.inc index f67aa60a..277ebe74 100644 --- a/includes/db/class.reflines_db.inc +++ b/includes/db/class.reflines_db.inc 
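Review bot: The new zero-date guard `if ($year+$day+$month)` is evaluated before the `$how > 2` branch maps the textual month through $tmonths, so for the month-name formats $month is still a string such as a month abbreviation and the addition operates on a non-numeric string (a "non-numeric value" warning on PHP 7, a TypeError on PHP 8). Keep the array_search lookup ahead of the guard, as it was before this change, and make the test explicit about the cast: `if ((int)$year + (int)$month + (int)$day)`; array_search() returning false for an unknown name casts to 0, which matches the intended "treat as empty date" path. A one-line comment on the guard, `// all-zero parts: skip century/calendar conversion and emit 0000-00-00 unchanged`, would make the purpose of the new block obvious. The enclosing date2sql() function begins above the hunk.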
@@ -153,7 +153,7 @@ class reflines_db extends data_set { function find_refline_id($reference, $type, $fallback=true) { $sql = "SELECT * FROM ".TB_PREF."reflines WHERE trans_type=".db_escape($type) - ." AND CHAR_LENGTH(`prefix`) AND LEFT('$reference', CHAR_LENGTH(`prefix`)) = `prefix`"; + ." AND CHAR_LENGTH(`prefix`) AND LEFT(".db_escape($reference).", CHAR_LENGTH(`prefix`)) = `prefix`"; if ($fallback) // if not found return refline with empty prefix $sql .= " UNION SELECT * FROM ".TB_PREF."reflines WHERE trans_type=".db_escape($type)." AND `prefix`=''"; $ret = db_query($sql, "cannot check reference line id"); diff --git a/includes/db/connect_db_mysql.inc b/includes/db/connect_db_mysql.inc index d3857cab..4be5a295 100644 --- a/includes/db/connect_db_mysql.inc +++ b/includes/db/connect_db_mysql.inc @@ -10,7 +10,7 @@ See the License here . ***********************************************************************/ define('DB_DUPLICATE_ERROR', 1062); -define('SQL_MODE', ''); // STRICT_ALL_TABLES,NO_ZERO_IN_DATE ? +define('SQL_MODE', 'STRICT_ALL_TABLES'); // prevents SQL injection with silent field content truncation function set_global_connection($company=-1) { diff --git a/includes/db/connect_db_mysqli.inc b/includes/db/connect_db_mysqli.inc index a70e5926..696fd828 100644 --- a/includes/db/connect_db_mysqli.inc +++ b/includes/db/connect_db_mysqli.inc @@ -10,7 +10,7 @@ See the License here . ***********************************************************************/ define('DB_DUPLICATE_ERROR', 1062); -define('SQL_MODE', ''); // STRICT_ALL_TABLES,NO_ZERO_IN_DATE ? +define('SQL_MODE', 'STRICT_ALL_TABLES'); // prevents SQL injection with silent field content truncation $db_last_inserted_id = 0; diff --git a/includes/ui/class.crud_view.inc b/includes/ui/class.crud_view.inc index dd3ffb54..963ed75b 100644 --- a/includes/ui/class.crud_view.inc +++ b/includes/ui/class.crud_view.inc 
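Review bot: The comment on the new `define('SQL_MODE', 'STRICT_ALL_TABLES')` overstates the effect: strict mode makes the server reject over-length or out-of-range values instead of silently truncating them, which closes truncation-collision attacks (a value padded past the column width colliding with an existing row), but it is not an injection defence and does not replace db_escape(). Suggested wording: `define('SQL_MODE', 'STRICT_ALL_TABLES'); // reject over-length/invalid values instead of truncating silently (mitigates truncation attacks; escaping is still required)`. STRICT_ALL_TABLES, unlike STRICT_TRANS_TABLES, aborts a multi-row statement midway on non-transactional tables and leaves earlier rows applied, so it is worth stating in the comment that all company tables are expected to be transactional. How the constant is applied is not visible (set_global_connection's body lies outside the hunk); if it is a plain SET sql_mode it replaces the server's default mode list rather than adding to it, which should be a deliberate choice. The identical define change in connect_db_mysqli.inc deserves the same comment.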
@@ -72,6 +72,8 @@ class user_view { return user_numeric($value); case 'percent': return user_numeric($value)/100; + case 'check': + return isset($value) ? 1 : 0; case 'text': case 'date': default: @@ -92,6 +94,8 @@ class user_view { return number_format2($value); case 'percent': return percent_format($value*100); + case 'check': + return !empty($value); case 'stock': $this->dec = get_qty_dec($value); // retrieve dec for use in following qty fields case 'text': @@ -161,7 +165,8 @@ class user_view { $value = isset($this->data->$fld) ? $this->data->$fld : @$fmt['dflt']; else $value = isset($this->data[$fld]) ? $this->data[$fld] : @$fmt['dflt']; - if(isset($value)) + + if (isset($value)) $output[$post] = $this->_format_output($value, @$fmt['fmt']); } } @@ -198,9 +203,13 @@ class user_view { $post = isset($fmt['post']) ? $fmt['post'] : $name; // input name (default to field name) $fld = isset($fmt['fld']) ? $fmt['fld'] : $name; // input value (default to field name) + // if ($all || array_key_exists($post, $input)) // { - $value = $this->_format_input(@$input[$post], @$fmt['fmt']); + if (@$fmt['fmt'] == 'check') + $value = @$input[$post] ? 1 : 0; + else + $value = $this->_format_input(@$input[$post], @$fmt['fmt']); // if (is_array($data)) if ($all || isset($value)) diff --git a/includes/ui/class.reflines_crud.inc b/includes/ui/class.reflines_crud.inc index 60226fe2..d4729339 100644 --- a/includes/ui/class.reflines_crud.inc +++ b/includes/ui/class.reflines_crud.inc @@ -23,7 +23,7 @@ class fa_reflines extends simple_crud_view { 'description', 'trans_type', 'pattern', - 'default', + 'default' => 'check', ); } 
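Review bot: The `case 'check': return isset($value) ? 1 : 0;` added to _format_input() is never reached for checkbox fields, because the loop changed in the @@ -198 hunk special-cases `$fmt['fmt'] == 'check'` and computes `@$input[$post] ? 1 : 0` itself, and the two rules disagree for a posted value of "0" or "" (isset gives 1, truthiness gives 0). Keep a single rule that matches check_value() in ui_input.inc: `case 'check': return empty($value) ? 0 : 1;` in _format_input(), and drop the `if (@$fmt['fmt'] == 'check')` branch so the loop always goes through `$value = $this->_format_input(@$input[$post], @$fmt['fmt']);`. The output side returns a bool (`!empty($value)`) while the input side returns an int; a comment on the output case, `// bool for check_row(); stored as 0/1`, would document the asymmetry if it is intended. Both methods' signatures and the surrounding class are outside the hunks.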
@@ -98,7 +98,7 @@ class fa_reflines extends simple_crud_view { label_row(_("Reference Pattern:"), $prefix . text_input($this->name.'pattern', null, 30, 60)); if (get_post($this->name.'default')) - label_row(_("Default for This Type:"), _("Yes")); + { label_row(_("Default for This Type:"), _("Yes")); hidden($this->name.'default', 1); } else check_row(_("Set as Default for This Type:"), $this->name.'default'); diff --git a/includes/ui/ui_input.inc b/includes/ui/ui_input.inc index 6ff977ad..59a3676e 100644 --- a/includes/ui/ui_input.inc +++ b/includes/ui/ui_input.inc @@ -348,7 +348,13 @@ function select_button_cell($name, $value, $title=false) function check_value($name) { - return (empty($_POST[$name]) ? 0 : 1); + if (is_array($name)) { + $ret = array(); + foreach($name as $key) + $ret[$key] = check_value($key); + return $ret; + } else + return (empty($_POST[$name]) ? 0 : 1); } function checkbox($label, $name, $value=null, $submit_on_change=false, $title=false) diff --git a/includes/ui/ui_view.inc b/includes/ui/ui_view.inc index 979f6587..35363f89 100644 --- a/includes/ui/ui_view.inc +++ b/includes/ui/ui_view.inc @@ -1497,7 +1497,7 @@ if (!function_exists('_vd')) function _vl($mixed, $title = '', $exit = false) { - error_log((!empty($title) ? ($title .':') : '') . var_export($mixed, true)); + error_log((!empty($title) ? ($title .':') : '') . print_r($mixed, true)); if ($exit) exit; } diff --git a/inventory/includes/db/items_db.inc b/inventory/includes/db/items_db.inc index f38fd4a8..07fde0d1 100644 --- a/inventory/includes/db/items_db.inc +++ b/inventory/includes/db/items_db.inc @@ -41,7 +41,7 @@ function update_item($stock_id, $description, $long_description, $category_id, if ($mb_flag != '') $sql .= ", mb_flag=".db_escape($mb_flag); - if ($depreciation_start != '') { + if (isset($depreciation_start)) { $sql .= ", depreciation_start='".date2sql($depreciation_start)."'" .", depreciation_date='".date2sql($depreciation_start)."'"; } 
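Review bot: Switching _vl() to print_r() gives more readable output but, like var_export(), it recursively dumps every property of whatever object is passed; calling it on a connection, user or session object writes credentials or session state into the web-server error log. A header comment would make the risk explicit: `// Debug helper: writes the full value (including object internals) to error_log; must not remain in committed code paths.` The function is short and lies entirely within the hunk.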
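Review bot: In update_item() the new `if (isset($depreciation_start))` is also true for an empty string, so whether an untouched depreciation field reaches date2sql('') now depends on get_post('depreciation_start', null) in items.php returning null rather than '' for a present-but-empty input, and get_post() is not visible here. Guard both cases, `if (isset($depreciation_start) && $depreciation_start !== '') {`, so the two date columns are only appended for a real date; with the date2sql() change in this commit an empty value produces '0000-00-00', which STRICT_ALL_TABLES accepts without NO_ZERO_DATE and would silently zero depreciation_start and depreciation_date. Note also that a NULL no longer clears a previously stored start date, since the assignment is simply omitted; if that is intended a comment such as `// depreciation dates are only ever set, never cleared, from this form` should say so. update_item()'s signature and the rest of its body are outside the hunk.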
@@ -63,8 +63,9 @@ function add_item($stock_id, $description, $long_description, $category_id, $sql = "INSERT INTO ".TB_PREF."stock_master (stock_id, description, long_description, category_id, tax_type_id, units, mb_flag, sales_account, inventory_account, cogs_account, adjustment_account, wip_account, dimension_id, dimension2_id, no_sale, no_purchase, editable, - depreciation_method, depreciation_rate, depreciation_factor, depreciation_start, depreciation_date, fa_class_id) - VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).", + depreciation_method, depreciation_rate, depreciation_factor" + .(isset($depreciation_start) ? ", depreciation_start, depreciation_date, fa_class_id" : "") + .") VALUES (".db_escape($stock_id).", ".db_escape($description).", ".db_escape($long_description).", ".db_escape($category_id).", ".db_escape($tax_type_id).", " .db_escape($units).", ".db_escape($mb_flag).", ".db_escape($sales_account).", ".db_escape($inventory_account) @@ -74,9 +75,9 @@ function add_item($stock_id, $description, $long_description, $category_id, .db_escape($no_sale)."," .db_escape($no_purchase)."," .db_escape($editable)."," - .db_escape($depreciation_method).",".db_escape($depreciation_rate).",".db_escape($depreciation_factor).",'" - .date2sql($depreciation_start)."','".date2sql($depreciation_start)."'," - .db_escape($fa_class_id).")"; + .db_escape($depreciation_method).",".db_escape($depreciation_rate).",".db_escape($depreciation_factor) + .(isset($depreciation_start) ? ",'".date2sql($depreciation_start)."','".date2sql($depreciation_start)."',".db_escape($fa_class_id) : "") + .")"; db_query($sql, "The item could not be added"); diff --git a/inventory/manage/items.php b/inventory/manage/items.php index a897b9cb..f95887e0 100644 --- a/inventory/manage/items.php +++ b/inventory/manage/items.php 
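Review bot: In add_item() the column list and the VALUES list are each gated by their own `isset($depreciation_start)` test (hunks @@ -63 and @@ -74); they agree today, but any later edit to one side desynchronises the INSERT with no local indication, and as in update_item() an empty string passes isset(). fa_class_id is now also written only when a start date is given — if a fixed-asset item can carry a class without a depreciation start, that value is silently dropped, which is worth confirming against the form. Compute the condition once ahead of the statement, `$with_depreciation = isset($depreciation_start) && $depreciation_start !== '';`, and reference it in both conditional fragments, with a comment `// optional depreciation columns are emitted together so the column list and VALUES stay in step`. add_item()'s signature and the code after db_query() lie outside the hunks.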
@@ -237,7 +237,7 @@ if (isset($_POST['addupdate'])) $_POST['adjustment_account'], $_POST['wip_account'], $_POST['dimension_id'], $_POST['dimension2_id'], check_value('no_sale'), check_value('editable'), check_value('no_purchase'), - get_post('depreciation_method'), input_num('depreciation_rate'), input_num('depreciation_factor'), get_post('depreciation_start'), + get_post('depreciation_method'), input_num('depreciation_rate'), input_num('depreciation_factor'), get_post('depreciation_start', null), get_post('fa_class_id')); update_record_status($_POST['NewStockID'], $_POST['inactive'], @@ -258,7 +258,7 @@ if (isset($_POST['addupdate'])) $_POST['adjustment_account'], $_POST['wip_account'], $_POST['dimension_id'], $_POST['dimension2_id'], check_value('no_sale'), check_value('editable'), check_value('no_purchase'), - get_post('depreciation_method'), input_num('depreciation_rate'), input_num('depreciation_factor'), get_post('depreciation_start'), + get_post('depreciation_method'), input_num('depreciation_rate'), input_num('depreciation_factor'), get_post('depreciation_start', null), get_post('fa_class_id')); display_notification(_("A new item has been added.")); @@ -464,7 +464,7 @@ function item_settings(&$stock_id, $new_item) gl_all_accounts_list_row(_("Depreciation cost account:"), 'cogs_account', $_POST['cogs_account']); gl_all_accounts_list_row(_("Depreciation/Disposal account:"), 'adjustment_account', $_POST['adjustment_account']); } - elseif (!is_service($_POST['mb_flag'])) + elseif (!is_service(get_post('mb_flag'))) { gl_all_accounts_list_row(_("Inventory Account:"), 'inventory_account', $_POST['inventory_account']); gl_all_accounts_list_row(_("C.O.G.S. Account:"), 'cogs_account', $_POST['cogs_account']); 
@@ -478,7 +478,7 @@ function item_settings(&$stock_id, $new_item) } - if (is_manufactured($_POST['mb_flag'])) + if (is_manufactured(get_post('mb_flag'))) gl_all_accounts_list_row(_("WIP Account:"), 'wip_account', $_POST['wip_account']); else hidden('wip_account', $_POST['wip_account']); diff --git a/inventory/manage/locations.php b/inventory/manage/locations.php index 86bdb9d9..6728e1e5 100644 --- a/inventory/manage/locations.php +++ b/inventory/manage/locations.php @@ -59,7 +59,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') { update_item_location($selected_id, $_POST['location_name'], $_POST['delivery_address'], - $_POST['phone'], $_POST['phone2'], $_POST['fax'], $_POST['email'], $_POST['contact'], $_POST['fixed_asset']); + $_POST['phone'], $_POST['phone2'], $_POST['fax'], $_POST['email'], $_POST['contact'], check_value('fixed_asset')); display_notification(_('Selected location has been updated')); } else @@ -68,7 +68,7 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM') /*selected_id is null cos no item selected on first time round so must be adding a record must be submitting new entries in the new Location form */ add_item_location($_POST['loc_code'], $_POST['location_name'], $_POST['delivery_address'], - $_POST['phone'], $_POST['phone2'], $_POST['fax'], $_POST['email'], $_POST['contact'], $_POST['fixed_asset']); + $_POST['phone'], $_POST['phone2'], $_POST['fax'], $_POST['email'], $_POST['contact'], check_value('fixed_asset')); display_notification(_('New location has been added')); } diff --git a/purchasing/manage/suppliers.php b/purchasing/manage/suppliers.php index 4c127b7e..89026989 100644 --- a/purchasing/manage/suppliers.php +++ b/purchasing/manage/suppliers.php 
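Review bot: In locations.php the change to check_value('fixed_asset') correctly normalises the checkbox to 0/1 instead of passing whatever value was posted, but the neighbouring arguments (`$_POST['location_name']`, `$_POST['delivery_address']`, `$_POST['phone']`, `$_POST['email']`, ...) still go in raw, and the escaping presumably done inside add_item_location()/update_item_location() is not visible here. With STRICT_ALL_TABLES enabled by this same commit, an over-long value in any of those fields now turns from silent truncation into a db_query() error, so the form should reject over-length input before the call (an mb_strlen() check against the column width for each text field) and report it with display_error() rather than surfacing a database error. The surrounding `if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')` block begins above the hunk.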
@@ -219,7 +219,7 @@ if (isset($_POST['submit'])) $_POST['website'], $_POST['supp_account_no'], $_POST['bank_account'], input_num('credit_limit', 0), $_POST['dimension_id'], $_POST['dimension2_id'], $_POST['curr_code'], $_POST['payment_terms'], $_POST['payable_account'], $_POST['purchase_account'], $_POST['payment_discount_account'], - $_POST['notes'], $_POST['tax_group_id'], get_post('tax_included', 0)); + $_POST['notes'], $_POST['tax_group_id'], check_value('tax_included')); update_record_status($_POST['supplier_id'], $_POST['inactive'], 'suppliers', 'supplier_id'); diff --git a/sales/includes/cart_class.inc b/sales/includes/cart_class.inc index 6aefabf7..1bc3db24 100644 --- a/sales/includes/cart_class.inc +++ b/sales/includes/cart_class.inc @@ -74,8 +74,8 @@ class Cart var $payment_terms; // cached payment terms var $credit; // prepayment mode: - var $prepaid; // true for documents issued in prepayment mode - var $prep_amount; // prepayment required for SO, invoiced amount for prepaiament invoice + var $prepaid=false; // true for documents issued in prepayment mode + var $prep_amount=0; // prepayment required for SO, invoiced amount for prepaiament invoice var $sum_paid; // sum of all allocated prepayments both to order and related invoices var $alloc; // sum of payments allocated to this document var $prepayments = array(); // allocation records for this document -- 2.30.2