2017-08-04 16:28:16 +02:00
< ? php
include_once __DIR__ . '/../../core.php' ;
function check_query ( $query )
{
2017-09-15 15:03:27 +02:00
$query = mb_strtoupper ( $query );
2017-08-04 16:28:16 +02:00
$blacklist = [ 'INSERT' , 'UPDATE' , 'TRUNCATE' , 'DELETE' , 'DROP' , 'GRANT' , 'CREATE' , 'REVOKE' ];
foreach ( $blacklist as $value ) {
if ( preg_match ( " / \ b " . preg_quote ( $value ) . " \ b/ " , $query )) {
return false ;
}
}
return true ;
}
switch ( filter ( 'op' )) {
case 'update' :
2018-07-19 15:33:32 +02:00
$options2 = htmlspecialchars_decode ( post ( 'options2' ), ENT_QUOTES );
2017-08-04 16:28:16 +02:00
2018-07-19 15:33:32 +02:00
if ( check_query ( $options2 )) {
$dbo -> query ( 'UPDATE `zz_modules` SET `title`=' . prepare ( post ( 'title' )) . ', `options2`=' . prepare ( $options2 ) . ' WHERE `id`=' . prepare ( $id_record ));
2017-08-09 08:11:04 +02:00
$rs = true ;
2017-08-04 16:28:16 +02:00
} else {
$rs = false ;
}
if ( $rs ) {
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Salvataggio completato!' ));
2017-08-04 16:28:16 +02:00
} else {
2018-07-19 17:29:21 +02:00
flash () -> error ( tr ( 'Ci sono stati alcuni errori durante il salvataggio!' ));
2017-08-04 16:28:16 +02:00
}
break ;
case 'fields' :
$rs = true ;
2018-11-09 07:17:37 +01:00
// Fix per la protezone contro XSS, che interpreta la sequenza "<testo" come un tag HTML
$queries = ( array ) $_POST [ 'query' ];
foreach ( $queries as $c => $query ) {
if ( check_query ( $query )) {
2017-08-04 16:28:16 +02:00
$array = [
2018-07-19 15:33:32 +02:00
'name' => post ( 'name' )[ $c ],
2018-11-09 07:17:37 +01:00
'query' => $query ,
2018-07-19 15:33:32 +02:00
'visible' => post ( 'visible' )[ $c ],
'search' => post ( 'search' )[ $c ],
'slow' => post ( 'slow' )[ $c ],
'format' => post ( 'format' )[ $c ],
'summable' => post ( 'sum' )[ $c ],
'search_inside' => post ( 'search_inside' )[ $c ],
'order_by' => post ( 'order_by' )[ $c ],
2017-08-09 08:11:04 +02:00
'id_module' => $id_record ,
2017-08-04 16:28:16 +02:00
];
2018-11-09 07:17:37 +01:00
if ( ! empty ( post ( 'id' )[ $c ]) && ! empty ( $query )) {
2018-07-19 15:33:32 +02:00
$id = post ( 'id' )[ $c ];
2017-08-04 16:28:16 +02:00
$dbo -> update ( 'zz_views' , $array , [ 'id' => $id ]);
2018-11-09 07:17:37 +01:00
} elseif ( ! empty ( $query )) {
2018-10-30 20:03:30 +01:00
$array [ 'order' ] = orderValue ( 'zz_views' , 'id_module' , $id_record );
2017-08-04 16:28:16 +02:00
$dbo -> insert ( 'zz_views' , $array );
$id = $dbo -> lastInsertedID ();
}
2017-08-24 10:39:32 +02:00
// Aggiornamento dei permessi relativi
2018-07-19 15:33:32 +02:00
$dbo -> sync ( 'zz_group_view' , [ 'id_vista' => $id ], [ 'id_gruppo' => ( array ) post ( 'gruppi' )[ $c ]]);
2017-08-04 16:28:16 +02:00
} else {
$rs = false ;
}
}
if ( $rs ) {
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Salvataggio completato!' ));
2017-08-04 16:28:16 +02:00
} else {
2018-07-19 17:29:21 +02:00
flash () -> error ( tr ( 'Ci sono stati alcuni errori durante il salvataggio!' ));
2017-08-04 16:28:16 +02:00
}
break ;
case 'filters' :
$rs = true ;
2018-11-09 07:17:37 +01:00
// Fix per la protezone contro XSS, che interpreta la sequenza "<testo" come un tag HTML
$queries = ( array ) $_POST [ 'query' ];
foreach ( $queries as $c => $query ) {
$query = $_POST [ 'query' ][ $c ];
2017-08-04 16:28:16 +02:00
2018-11-09 07:17:37 +01:00
if ( check_query ( $query )) {
2017-08-04 16:28:16 +02:00
$array = [
2018-07-19 15:33:32 +02:00
'name' => post ( 'name' )[ $c ],
'idgruppo' => post ( 'gruppo' )[ $c ],
2017-08-09 08:11:04 +02:00
'idmodule' => $id_record ,
2018-11-09 07:17:37 +01:00
'clause' => $query ,
2018-07-19 15:33:32 +02:00
'position' => ! empty ( post ( 'position' )[ $c ]) ? 'HVN' : 'WHR' ,
2017-08-04 16:28:16 +02:00
];
2018-11-09 07:17:37 +01:00
if ( ! empty ( post ( 'id' )[ $c ]) && ! empty ( $query )) {
2018-07-19 15:33:32 +02:00
$id = post ( 'id' )[ $c ];
2017-08-04 16:28:16 +02:00
$dbo -> update ( 'zz_group_module' , $array , [ 'id' => $id ]);
2018-11-09 07:17:37 +01:00
} elseif ( ! empty ( $query )) {
2017-08-04 16:28:16 +02:00
$dbo -> insert ( 'zz_group_module' , $array );
$id = $dbo -> lastInsertedID ();
}
} else {
$rs = false ;
}
}
if ( $rs ) {
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Salvataggio completato!' ));
2017-08-04 16:28:16 +02:00
} else {
2018-07-19 17:29:21 +02:00
flash () -> error ( tr ( 'Ci sono stati alcuni errori durante il salvataggio!' ));
2017-08-04 16:28:16 +02:00
}
break ;
case 'change' :
$id = filter ( 'id' );
$rs = $dbo -> fetchArray ( 'SELECT enabled FROM zz_group_module WHERE id=' . prepare ( $id ));
2018-11-09 07:17:37 +01:00
$dbo -> update ( 'zz_group_module' , [
'enabled' => ! empty ( $rs [ 0 ][ 'enabled' ]) ? 0 : 1
], [ 'id' => $id ]);
2017-08-04 16:28:16 +02:00
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Salvataggio completato!' ));
2017-08-04 16:28:16 +02:00
break ;
2017-09-13 13:05:35 +02:00
case 'test' :
2018-02-14 11:10:03 +01:00
$total = App :: readQuery ( Modules :: get ( $id_record ));
2017-09-13 13:05:35 +02:00
$module_query = $total [ 'query' ];
$dbo -> fetchArray ( $module_query . ' LIMIT 1' );
break ;
2017-08-04 16:28:16 +02:00
case 'delete' :
$id = filter ( 'id' );
$dbo -> query ( 'DELETE FROM `zz_views` WHERE `id`=' . prepare ( $id ));
$dbo -> query ( 'DELETE FROM `zz_group_view` WHERE `id_vista`=' . prepare ( $id ));
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Eliminazione completata!' ));
2017-08-04 16:28:16 +02:00
break ;
case 'delete_filter' :
$id = filter ( 'id' );
$dbo -> query ( 'DELETE FROM `zz_group_module` WHERE `id`=' . prepare ( $id ));
2018-07-19 17:29:21 +02:00
flash () -> info ( tr ( 'Eliminazione completata!' ));
2017-08-04 16:28:16 +02:00
break ;
case 'update_position' :
$start = filter ( 'start' ) + 1 ;
$end = filter ( 'end' ) + 1 ;
$id = filter ( 'id' );
if ( $start > $end ) {
$dbo -> query ( 'UPDATE `zz_views` SET `order`=`order` + 1 WHERE `order`>=' . prepare ( $end ) . ' AND `order`<' . prepare ( $start ) . ' AND id_module=' . prepare ( $id_record ));
$dbo -> query ( 'UPDATE `zz_views` SET `order`=' . prepare ( $end ) . ' WHERE id=' . prepare ( $id ));
} elseif ( $end != $start ) {
$dbo -> query ( 'UPDATE `zz_views` SET `order`=`order` - 1 WHERE `order`>' . prepare ( $start ) . ' AND `order`<=' . prepare ( $end ) . ' AND id_module=' . prepare ( $id_record ));
$dbo -> query ( 'UPDATE `zz_views` SET `order`=' . prepare ( $end ) . ' WHERE id=' . prepare ( $id ));
}
break ;
}