Skip to content
GitLab
Commit 35509d56 authored by Till Brehm's avatar Till Brehm
Browse files

Better variable quoting in sql queries.

parent e9a57d4a
Hide whitespace changes
Inline Side-by-side
interface/lib/classes/tform.inc.php
View file @ 35509d56
......@@ -1048,6 +1048,8 @@ class tform {
function getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '') {
global $app;
$primary_id = $app->functions->intval($primary_id);
// If there are no data records on the tab, return empty sql string
if(count($this->formDef['tabs'][$tab]['fields']) == 0) return '';
......@@ -1272,6 +1274,7 @@ class tform {
function getDataRecord($primary_id) {
global $app;
$escape = '`';
$primary_id = $app->functions->intval($primary_id);
$sql = "SELECT * FROM ".$escape.$this->formDef['db_table'].$escape." WHERE ".$this->formDef['db_table_idx']." = ".$primary_id." AND ".$this->getAuthSQL('r', $this->formDef['db_table']);
return $app->db->queryOneRecord($sql);
}
......@@ -1285,6 +1288,11 @@ class tform {
}
function getAuthSQL($perm, $table = '') {
global $app;
$perm = $app->db->quote($perm);
$table = $app->db->quote($table);
if($_SESSION["s"]["user"]["typ"] == 'admin') {
return '1';
} else {
......@@ -1309,6 +1317,7 @@ class tform {
function checkPerm($record_id, $perm) {
global $app;
$record_id = $app->functions->intval($record_id);
if($record_id > 0) {
// Add backticks for incomplete table names.
if(stristr($this->formDef['db_table'], '.')) {
......@@ -1403,7 +1412,7 @@ class tform {
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another item
......@@ -1425,7 +1434,7 @@ class tform {
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* If the client belongs to a reseller, we will check against the reseller Limit too
......
interface/lib/classes/tform_actions.inc.php
View file @ 35509d56
......@@ -81,7 +81,7 @@ class tform_actions {
// check if the client is locked - he may not change anything, then.
if(!$app->auth->is_admin()) {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($client_group_id));
if(is_array($client) && $client['locked'] == 'y') {
$app->tform->errorMessage .= $app->lng("client_you_are_locked")."<br />";
......
interface/lib/classes/validate_client.inc.php
View file @ 35509d56
......@@ -53,7 +53,7 @@ class validate_client {
}
}
} else {
$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."' AND client_id != ".$client_id);
$num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."' AND client_id != ".$app->functions->intval($client_id));
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
......
interface/lib/classes/validate_dns.inc.php
View file @ 35509d56
......@@ -104,7 +104,7 @@ class validate_dns {
}
if(substr($field, -1) == '.' && $area == 'Name'){
$soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".$zoneid);
$soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".intval($zoneid));
if(substr($field, (strlen($field) - strlen($soa['origin']))) != $soa['origin']) $error .= $desc." ".$app->tform->wordbook['error_out_of_zone']."<br>\r\n";
}
......@@ -267,7 +267,7 @@ class validate_dns {
global $app, $conf;
// increase serial
$serial_date = substr($serial, 0, 8);
$serial_date = $app->functions->intval(substr($serial, 0, 8));
$count = $app->functions->intval(substr($serial, 8, 2));
$current_date = date("Ymd");
if($serial_date >= $current_date){
......
interface/lib/classes/validate_domain.inc.php
View file @ 35509d56
......@@ -118,7 +118,7 @@ class validate_domain {
if($domain['ip_address'] == '' || $domain['ipv6_address'] == ''){
if($domain['parent_domain_id'] > 0){
$parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$domain['parent_domain_id']);
$parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($domain['parent_domain_id']));
}
}
......@@ -217,7 +217,7 @@ class validate_domain {
// if alias/subdomain: check IP addresses of parent domain
if($check['ip_address'] == '' || $check['ipv6_address'] == ''){
if($check['parent_domain_id'] > 0){
$check_parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = ".$check['parent_domain_id']);
$check_parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = ".$app->functions->intval($check['parent_domain_id']));
}
}
......@@ -282,7 +282,7 @@ class validate_domain {
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_wildcard FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if($client["limit_wildcard"] == 'y') return true;
......
interface/web/dns/dns_a_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -97,7 +97,7 @@ class page_action extends tform_actions {
} // end if user is not admin
//* Check for duplicates where IP and hostname are the same
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and data = '".$this->dataRecord["data"]."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.")");
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and data = '".$app->db->quote($this->dataRecord["data"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")");
if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."<br>";
unset($tmp);
......
interface/web/dns/dns_aaaa_edit.php
View file @ 35509d56
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -113,7 +113,7 @@ class page_action extends tform_actions {
//* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record
$soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r'));
$app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id);
$app->db->datalogUpdate('dns_rr', "sys_groupid = ".intval($soa['sys_groupid']), 'id', $this->id);
//* Update the serial number of the SOA record
$soa_id = $app->functions->intval($_POST["zone"]);
......
interface/web/dns/dns_alias_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_cname_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -97,7 +97,7 @@ class page_action extends tform_actions {
} // end if user is not admin
//* Check for duplicates where IP and hostname are the same
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.")");
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")");
if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."<br>";
unset($tmp);
......
interface/web/dns/dns_hinfo_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_import.php
View file @ 35509d56
......@@ -52,7 +52,7 @@ $domain = (isset($_POST['domain'])&&!empty($_POST['domain']))?$_POST['domain']:N
if($_SESSION['s']['user']['typ'] == 'admin') {
$server_id = (isset($_POST['server_id']))?$app->functions->intval($_POST['server_id']):1;
} else {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
$server_id = $client["default_dnsserver"];
}
......@@ -101,14 +101,14 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// load the list of clients
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id'];
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".intval($client['client_id']);
$clients = $app->db->queryAllRecords($sql);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
if(is_array($clients)) {
foreach( $clients as $client) {
......@@ -648,7 +648,7 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'
foreach($dns_rr as $rr)
{
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `zone`, `name`, `type`, `data`, `aux`, `ttl`, `active`) VALUES
('$sys_userid', '$sys_groupid', 'riud', 'riud', '', '$server_id', '$dns_soa_id', '$rr[name]', '$rr[type]', '$rr[data]', '$rr[aux]', '$rr[ttl]', 'Y')";
('$sys_userid', '$sys_groupid', 'riud', 'riud', '', '$server_id', '$dns_soa_id', '".$app->db->quote($rr['name'])."', '".$app->db->quote($rr['type'])."', '".$app->db->quote($rr['data'])."', '".$app->db->quote($rr['aux'])."', '".$app->db->quote($rr['ttl'])."', 'Y')";
$dns_rr_id = $app->db->datalogInsert('dns_rr', $insert_data, 'id');
}
}
......
interface/web/dns/dns_mx_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -112,7 +112,7 @@ class page_action extends tform_actions {
global $app, $conf;
// Check if record is existing already
$duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$this->dataRecord["name"]."' AND type = '".$this->dataRecord["type"]."' AND data = '".$this->dataRecord["data"]."' AND ".$app->tform->getAuthSQL('r'));
$duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]);
......@@ -123,7 +123,7 @@ class page_action extends tform_actions {
global $app, $conf;
// Check if record is existing already
$duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$this->dataRecord["name"]."' AND type = '".$this->dataRecord["type"]."' AND data = '".$this->dataRecord["data"]."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r'));
$duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]);
......
interface/web/dns/dns_ns_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_ptr_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_rp_edit.php
View file @ 35509d56
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_slave_edit.php
View file @ 35509d56
......@@ -87,7 +87,7 @@ class page_action extends tform_actions {
} else if($app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Fill the client select field
......@@ -122,7 +122,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_slave_zone, default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// When the record is updated
......@@ -150,7 +150,7 @@ class page_action extends tform_actions {
if(strlen($this->dataRecord["origin"]) > 0 && substr($this->dataRecord["origin"], -1, 1) != '.') $this->dataRecord["origin"] .= '.';
//* Check if a primary zone with the same name already exists
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = \"".$this->dataRecord["origin"]."\" AND server_id= \"".$this->dataRecord["server_id"]."\"");
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = \"".$app->db->quote($this->dataRecord["origin"])."\" AND server_id= \"".$app->db->quote($this->dataRecord["server_id"])."\"");
if($tmp["number"] > 0) {
$app->error($app->tform->wordbook["origin_error_unique"]);
}
......@@ -162,7 +162,7 @@ class page_action extends tform_actions {
global $app, $conf;
// Check if record is existing already
$duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = '".$this->dataRecord["origin"]."' AND server_id = ".$app->functions->intval($this->dataRecord["server_id"])." AND ".$app->tform->getAuthSQL('r'));
$duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = '".$app->db->quote($this->dataRecord["origin"])."' AND server_id = ".$app->functions->intval($this->dataRecord["server_id"])." AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_slave) && !empty($duplicate_slave)) $app->error($app->tform->wordbook["origin_error_unique"]);
......
interface/web/dns/dns_soa_edit.php
View file @ 35509d56
......@@ -97,7 +97,7 @@ class page_action extends tform_actions {
} else if($app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Fill the client select field
......@@ -132,7 +132,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_zone, default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// When the record is updated
......@@ -177,7 +177,7 @@ class page_action extends tform_actions {
$this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]);
//* Check if a secondary zone with the same name already exists
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = \"".$this->dataRecord["origin"]."\" AND server_id = \"".$this->dataRecord["server_id"]."\"");
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = \"".$app->db->quote($this->dataRecord["origin"])."\" AND server_id = \"".$app->db->quote($this->dataRecord["server_id"])."\"");
if($tmp["number"] > 0) {
$app->error($app->tform->wordbook["origin_error_unique"]);
}
......
interface/web/dns/dns_srv_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_txt_edit.php
View file @ 35509d56
......@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
......
interface/web/dns/dns_wizard.php
View file @ 35509d56
......@@ -49,9 +49,9 @@ $sys_groupid = (isset($_POST['client_group_id']))?$app->functions->intval($_POST
if($_SESSION['s']['user']['typ'] == 'admin') {
$server_id = (isset($_POST['server_id']))?$app->functions->intval($_POST['server_id']):1;
} else {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
$server_id = $client["default_dnsserver"];
$server_id = intval($client["default_dnsserver"]);
}
......@@ -105,7 +105,7 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO
// load the list of clients
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id'];
$clients = $app->db->queryAllRecords($sql);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
if(is_array($clients)) {
foreach( $clients as $client) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment