2017-08-04 16:28:16 +02:00
< ? php
include_once __DIR__ . '/../../core.php' ;
function check_query ( $query )
{
2017-09-15 15:03:27 +02:00
$query = mb_strtoupper ( $query );
2017-08-04 16:28:16 +02:00
$blacklist = [ 'INSERT' , 'UPDATE' , 'TRUNCATE' , 'DELETE' , 'DROP' , 'GRANT' , 'CREATE' , 'REVOKE' ];
foreach ( $blacklist as $value ) {
if ( preg_match ( " / \ b " . preg_quote ( $value ) . " \ b/ " , $query )) {
return false ;
}
}
return true ;
}
switch ( filter ( 'op' )) {
case 'update' :
$post [ 'options2' ] = htmlspecialchars_decode ( $post [ 'options2' ], ENT_QUOTES );
if ( check_query ( $post [ 'options2' ])) {
$dbo -> query ( 'UPDATE `zz_modules` SET `title`=' . prepare ( $post [ 'title' ]) . ', `options2`=' . prepare ( $post [ 'options2' ]) . ' WHERE `id`=' . prepare ( $id_record ));
2017-08-09 08:11:04 +02:00
$rs = true ;
2017-08-04 16:28:16 +02:00
} else {
$rs = false ;
}
if ( $rs ) {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Salvataggio completato!' );
2017-08-04 16:28:16 +02:00
} else {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'errors' ][] = tr ( 'Ci sono stati alcuni errori durante il salvataggio!' );
2017-08-04 16:28:16 +02:00
}
break ;
case 'fields' :
$rs = true ;
foreach (( array ) $post [ 'query' ] as $c => $k ) {
2018-01-31 09:50:36 +01:00
// Fix per la protezone contro XSS, che interpreta la sequenza "<testo" come un tag HTML
$post [ 'query' ][ $c ] = $_POST [ 'query' ][ $c ];
2017-08-04 16:28:16 +02:00
if ( check_query ( $post [ 'query' ][ $c ])) {
$array = [
'name' => $post [ 'name' ][ $c ],
'query' => $post [ 'query' ][ $c ],
'enabled' => $post [ 'enabled' ][ $c ],
'search' => $post [ 'search' ][ $c ],
'slow' => $post [ 'slow' ][ $c ],
'format' => $post [ 'format' ][ $c ],
'summable' => $post [ 'sum' ][ $c ],
'search_inside' => $post [ 'search_inside' ][ $c ],
'order_by' => $post [ 'order_by' ][ $c ],
2017-08-09 08:11:04 +02:00
'id_module' => $id_record ,
2017-08-04 16:28:16 +02:00
];
if ( ! empty ( $post [ 'id' ][ $c ]) && ! empty ( $post [ 'query' ][ $c ])) {
$id = $post [ 'id' ][ $c ];
$dbo -> update ( 'zz_views' , $array , [ 'id' => $id ]);
} elseif ( ! empty ( $post [ 'query' ][ $c ])) {
2017-08-28 09:58:40 +02:00
$array [ '#order' ] = '(SELECT IFNULL(MAX(`order`) + 1, 0) FROM zz_views AS t WHERE id_module=' . prepare ( $id_record ) . ')' ;
2017-08-04 16:28:16 +02:00
$dbo -> insert ( 'zz_views' , $array );
$id = $dbo -> lastInsertedID ();
}
2017-08-24 10:39:32 +02:00
// Aggiornamento dei permessi relativi
$dbo -> sync ( 'zz_group_view' , [ 'id_vista' => $id ], [ 'id_gruppo' => ( array ) $post [ 'gruppi' ][ $c ]]);
2017-08-04 16:28:16 +02:00
} else {
$rs = false ;
}
}
if ( $rs ) {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Salvataggio completato!' );
2017-08-04 16:28:16 +02:00
} else {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'errors' ][] = tr ( 'Ci sono stati alcuni errori durante il salvataggio!' );
2017-08-04 16:28:16 +02:00
}
break ;
case 'filters' :
$rs = true ;
foreach (( array ) $post [ 'query' ] as $c => $k ) {
2018-01-31 09:52:26 +01:00
// Fix per la protezone contro XSS, che interpreta la sequenza "<testo" come un tag HTML
$post [ 'query' ][ $c ] = $_POST [ 'query' ][ $c ];
2017-08-04 16:28:16 +02:00
if ( check_query ( $post [ 'query' ][ $c ])) {
$array = [
2018-06-26 14:30:26 +02:00
'name' => $post [ 'name' ][ $c ],
2017-08-04 16:28:16 +02:00
'idgruppo' => $post [ 'gruppo' ][ $c ],
2017-08-09 08:11:04 +02:00
'idmodule' => $id_record ,
2017-08-04 16:28:16 +02:00
'clause' => $post [ 'query' ][ $c ],
'position' => ! empty ( $post [ 'position' ][ $c ]) ? 'HVN' : 'WHR' ,
];
if ( ! empty ( $post [ 'id' ][ $c ]) && ! empty ( $post [ 'query' ][ $c ])) {
$id = $post [ 'id' ][ $c ];
$dbo -> update ( 'zz_group_module' , $array , [ 'id' => $id ]);
} elseif ( ! empty ( $post [ 'query' ][ $c ])) {
$dbo -> insert ( 'zz_group_module' , $array );
$id = $dbo -> lastInsertedID ();
}
} else {
$rs = false ;
}
}
if ( $rs ) {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Salvataggio completato!' );
2017-08-04 16:28:16 +02:00
} else {
2017-09-04 12:02:29 +02:00
$_SESSION [ 'errors' ][] = tr ( 'Ci sono stati alcuni errori durante il salvataggio!' );
2017-08-04 16:28:16 +02:00
}
break ;
case 'change' :
$id = filter ( 'id' );
$rs = $dbo -> fetchArray ( 'SELECT enabled FROM zz_group_module WHERE id=' . prepare ( $id ));
$array = [ 'enabled' => ! empty ( $rs [ 0 ][ 'enabled' ]) ? 0 : 1 ];
$dbo -> update ( 'zz_group_module' , $array , [ 'id' => $id ]);
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Salvataggio completato!' );
2017-08-04 16:28:16 +02:00
break ;
2017-09-13 13:05:35 +02:00
case 'test' :
2018-02-14 11:10:03 +01:00
$total = App :: readQuery ( Modules :: get ( $id_record ));
2017-09-13 13:05:35 +02:00
$module_query = $total [ 'query' ];
$dbo -> fetchArray ( $module_query . ' LIMIT 1' );
break ;
2017-08-04 16:28:16 +02:00
case 'delete' :
$id = filter ( 'id' );
$dbo -> query ( 'DELETE FROM `zz_views` WHERE `id`=' . prepare ( $id ));
$dbo -> query ( 'DELETE FROM `zz_group_view` WHERE `id_vista`=' . prepare ( $id ));
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Eliminazione completata!' );
2017-08-04 16:28:16 +02:00
break ;
case 'delete_filter' :
$id = filter ( 'id' );
$dbo -> query ( 'DELETE FROM `zz_group_module` WHERE `id`=' . prepare ( $id ));
2017-09-04 12:02:29 +02:00
$_SESSION [ 'infos' ][] = tr ( 'Eliminazione completata!' );
2017-08-04 16:28:16 +02:00
break ;
case 'update_position' :
$start = filter ( 'start' ) + 1 ;
$end = filter ( 'end' ) + 1 ;
$id = filter ( 'id' );
if ( $start > $end ) {
$dbo -> query ( 'UPDATE `zz_views` SET `order`=`order` + 1 WHERE `order`>=' . prepare ( $end ) . ' AND `order`<' . prepare ( $start ) . ' AND id_module=' . prepare ( $id_record ));
$dbo -> query ( 'UPDATE `zz_views` SET `order`=' . prepare ( $end ) . ' WHERE id=' . prepare ( $id ));
} elseif ( $end != $start ) {
$dbo -> query ( 'UPDATE `zz_views` SET `order`=`order` - 1 WHERE `order`>' . prepare ( $start ) . ' AND `order`<=' . prepare ( $end ) . ' AND id_module=' . prepare ( $id_record ));
$dbo -> query ( 'UPDATE `zz_views` SET `order`=' . prepare ( $end ) . ' WHERE id=' . prepare ( $id ));
}
break ;
}