authorMaria Staskova <masha@dhtmlx.com>2014-05-20 14:53:56 +0300
committerMaria Staskova <masha@dhtmlx.com>2014-05-20 14:53:56 +0300
commit074750e6ee632990c5b9334473df0f8b4b65c000 (patch)
treea4a93727ffdae161b9df42e93066c03cff980088
parent8959cc7e4727f5e28f6d3d44b5124d364dab2253 (diff)
parentd5d7611f58fdbd5c49df78336c3856d747585c4e (diff)
downloadconnector-php-074750e6ee632990c5b9334473df0f8b4b65c000.zip
connector-php-074750e6ee632990c5b9334473df0f8b4b65c000.tar.gz
connector-php-074750e6ee632990c5b9334473df0f8b4b65c000.tar.bz2
Merge branch 'master' of 192.168.3.251:connector-php
-rw-r--r--codebase/base_connector.php48
-rw-r--r--codebase/connector.js11
-rw-r--r--codebase/convert.php6
-rw-r--r--codebase/crosslink_connector.php4
-rw-r--r--codebase/data_connector.php33
-rw-r--r--codebase/dataprocessor.php28
-rw-r--r--codebase/dataview_connector.php1
-rw-r--r--codebase/db_common.php92
-rw-r--r--codebase/db_oracle.php4
-rw-r--r--codebase/db_phpcake.php7
-rw-r--r--codebase/gantt_connector.php32
-rw-r--r--codebase/grid_connector.php2
-rw-r--r--codebase/strategy.php8
-rw-r--r--codebase/treegrid_connector.php2
-rw-r--r--codebase/treegridmultitable_connector.php2
-rw-r--r--codebase/xss_filter.php18
-rw-r--r--samples/config.php2
17 files changed, 238 insertions, 62 deletions
diff --git a/codebase/base_connector.php b/codebase/base_connector.php
index ab11cb5..26f1f8b 100644
--- a/codebase/base_connector.php
+++ b/codebase/base_connector.php
@@ -288,6 +288,10 @@ class Connector {
protected $encoding="utf-8";//!< assigned encoding (UTF-8 by default)
protected $editing=false;//!< flag of edit mode ( response for dataprocessor )
+ public static $filter_var="dhx_filter";
+ public static $sort_var="dhx_sort";
+ public static $kids_var="dhx_kids";
+
public $model=false;
private $updating=false;//!< flag of update mode ( response for data-update )
@@ -309,7 +313,8 @@ class Connector {
protected $filters;
protected $sorts;
protected $mix;
-
+ protected $order = false;
+
/*! constructor
Here initilization of all Masters occurs, execution timer initialized
@@ -590,22 +595,26 @@ class Connector {
$this->request->set_user($_GET["dhx_user"]);
}
- if (isset($_GET["dhx_sort"]))
- foreach($_GET["dhx_sort"] as $k => $v){
+ if (isset($_GET[Connector::$sort_var]))
+ foreach($_GET[Connector::$sort_var] as $k => $v){
$k = $this->safe_field_name($k);
$this->request->set_sort($this->resolve_parameter($k),$v);
}
- if (isset($_GET["dhx_filter"]))
- foreach($_GET["dhx_filter"] as $k => $v){
+ if (isset($_GET[Connector::$filter_var]))
+ foreach($_GET[Connector::$filter_var] as $k => $v){
$k = $this->safe_field_name($k);
- $this->request->set_filter($this->resolve_parameter($k),$v);
+ if ($v !== "")
+ $this->request->set_filter($this->resolve_parameter($k),$v);
}
+ $this->check_csrf();
+ }
+
+ protected function check_csrf(){
$key = ConnectorSecurity::checkCSRF($this->editing);
if ($key !== "")
- $this->add_top_attribute("dhx_security", $key);
-
+ $this->add_top_attribute(ConnectorSecurity::$security_var, $key);
}
/*! convert incoming request name to the actual DB name
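Review bot: The new `if ($v !== "")` in the filter loop silently discards any filter whose value is the empty string, so a client can no longer ask for rows where a field is empty; if that is intended it deserves a comment on the check, e.g. `// empty filter values are ignored rather than matched against ''`. parse_request starts above the hunk. Since the CSRF check now runs only at the end of parse_request, a subclass that replaces parse_request without calling the parent also skips it; a one-line comment on `check_csrf` stating that every request parser is expected to invoke it would make that contract visible.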
@@ -701,7 +710,23 @@ class Connector {
*/
public function dynamic_loading($count){
$this->dload=$count;
- }
+ }
+
+ /*! enable or disable data reordering
+
+ @param name
+ name of field, which will be used for order storing, optional
+ by default 'sortorder' field will be used
+ */
+ public function enable_order($name = true){
+ if ($name === true)
+ $name = "sortorder";
+
+ $this->sort($name);
+ $this->access->allow("order");
+ $this->request->set_order($name);
+ $this->order = $name;
+ }
/*! enable logging
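Review bot: `enable_order($name = true)` gives a string parameter a boolean default and then special-cases `true`; a default of `"sortorder"` (keeping the `=== true` branch for callers that pass it explicitly) states the intent directly. The docblock should also say that `$name` is spliced verbatim into SQL by the order routines in db_common.php in this commit, so it must be a literal, developer-supplied column name: `@param name column used to store the position; a trusted column name, never request data`.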
@@ -750,7 +775,10 @@ class Connector {
*/
protected function xml_end(){
$this->fill_collections();
- return $this->extra_output."</data>";
+ if (isset($this->extra_output))
+ return $this->extra_output."</data>";
+ else
+ return "</data>";
}
protected function fill_collections($list=""){
diff --git a/codebase/connector.js b/codebase/connector.js
index 69c5a02..0ee9648 100644
--- a/codebase/connector.js
+++ b/codebase/connector.js
@@ -83,7 +83,7 @@ if (window.dhtmlXGridObject && !dhtmlXGridObject.prototype._init_point_connector
if (!this._colls_loaded && this.cellType){
var ar=[];
for (var i=0; i < this.cellType.length; i++)
- if (this.cellType[i].indexOf("co")==0 || this._con_f_used[i]==2) ar.push(i);
+ if (this.cellType[i].indexOf("co")==0 || this.cellType[i].indexOf("clist")==0 || this._con_f_used[i]==2) ar.push(i);
if (ar.length)
arguments[0]+=(arguments[0].indexOf("?")!=-1?"&":"?")+"connector=true&dhx_colls="+ar.join(",");
}
@@ -120,8 +120,13 @@ if (window.dhtmlXGridObject && !dhtmlXGridObject.prototype._init_point_connector
} else
v[v.length]=val;
}
- if (opts.length)
- combo.addOption(opts);
+ if (opts.length){
+ if (combo)
+ combo.addOption(opts);
+ } else if (v.length && !combo)
+ if (this.registerCList)
+ this.registerCList(f*1, v);
+
if (this._con_f_used[f*1])
this._con_f_used[f*1]=v;
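Review bot: The `else if (v.length && !combo)` branch wraps an unbraced `if (this.registerCList)`, and a blank line then separates it from the following `if`, which makes the dangling-if structure easy to misread. Brace both levels: `} else if (v.length && !combo) { if (this.registerCList) this.registerCList(f*1, v); }`. The enclosing function starts above the hunk.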
diff --git a/codebase/convert.php b/codebase/convert.php
index 59e85ab..f24922c 100644
--- a/codebase/convert.php
+++ b/codebase/convert.php
@@ -41,6 +41,10 @@ class ConvertService{
}
public function convert($conn, $out){
+ $str_out = str_replace("<rows>","<rows profile='color'>", $out);
+ $str_out = str_replace("<head>","<head><columns>", $str_out);
+ $str_out = str_replace("</head>","</columns></head>", $str_out);
+
if ($this->type == "pdf")
header("Content-type: application/pdf");
else
@@ -50,7 +54,7 @@ class ConvertService{
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_HEADER, false);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
- curl_setopt($handle, CURLOPT_POSTFIELDS, "grid_xml=".urlencode(str_replace("<rows>","<rows profile='color'>", $out)));
+ curl_setopt($handle, CURLOPT_POSTFIELDS, "grid_xml=".urlencode($str_out));
$out->reset();
diff --git a/codebase/crosslink_connector.php b/codebase/crosslink_connector.php
index d6df689..22ad83d 100644
--- a/codebase/crosslink_connector.php
+++ b/codebase/crosslink_connector.php
@@ -109,6 +109,10 @@ class CrossOptionsConnector extends Connector{
$this->link->delete($master_key);
break;
case "updated":
+ //cross link options not loaded yet, so we can skip update
+ if (!array_key_exists($this->link_name, $action->get_data()))
+ break;
+ //else, delete old options and continue in insert section to add new values
$this->link->delete($master_key);
case "inserted":
for ($i=0; $i < sizeof($link_key); $i++)
diff --git a/codebase/data_connector.php b/codebase/data_connector.php
index e6786b9..7c9251d 100644
--- a/codebase/data_connector.php
+++ b/codebase/data_connector.php
@@ -114,7 +114,10 @@ class DataConnector extends Connector{
}
protected function parse_request_mode(){
- //do nothing, at least for now
+ if (isset($_GET['action']) && $_GET["action"] != "get")
+ $this->editing = true;
+ else
+ parent::parse_request_mode();
}
//parse GET scoope, all operations with incoming request must be done here
@@ -134,10 +137,10 @@ class DataConnector extends Connector{
//data saving
$this->editing = true;
}
+ parent::check_csrf();
} else {
if (isset($_GET['editing']) && isset($_POST['ids']))
$this->editing = true;
-
parent::parse_request();
}
@@ -149,7 +152,10 @@ class DataConnector extends Connector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
- $start = parent::xml_start();
+ $start = "<data";
+ foreach($this->attributes as $k=>$v)
+ $start .= " ".$k."='".$v."'";
+ $start.= ">";
foreach($this->sections as $k=>$v)
$start .= "<".$k.">".$v."</".$k.">\n";
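Review bot: The attribute values written by `$start .= " ".$k."='".$v."'";` are not XML-escaped, while this same commit routes attribute values through `xmlentities()` in DataAction::to_xml; a value containing `'` or `<` breaks the document. Suggest `$start .= " ".$k."='".$this->xmlentities($v)."'";`, assuming `xmlentities` is reachable from the connector as it is in treegrid_connector.php in this commit. The same unescaped loop appears in TreeDataConnector::xml_start below and in the DataViewConnector hunk.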
@@ -195,7 +201,7 @@ class JSONDataConnector extends DataConnector{
$name = $k;
$option="\"{$name}\":[";
if (!is_string($this->options[$name]))
- $option.=substr($this->options[$name]->render(),0,-2);
+ $option.=substr(json_encode($this->options[$name]->render()),1,-1);
else
$option.=$this->options[$name];
$option.="]";
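Review bot: `substr(json_encode($this->options[$name]->render()),1,-1)` assumes `render()` returns a list, so that json_encode yields `[...]` and stripping one character at each end leaves the elements; if `render()` can return an associative array the result is `{...}` and the stripped body is wrapped in `[` `]`, producing invalid JSON. A comment stating the assumption, e.g. `// render() must return a list; its json is unwrapped and re-wrapped in []`, or a check with `array_values()` would make this safe. The enclosing method starts above the hunk.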
@@ -274,8 +280,11 @@ class JSONCommonDataItem extends DataItem{
}
if ($this->userdata !== false)
- foreach ($this->userdata as $key => $value)
+ foreach ($this->userdata as $key => $value){
+ if ($value === null)
+ $data[$key]="";
$data[$key]=$value;
+ }
return $data;
}
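Review bot: The null guard added at `if ($value === null) $data[$key]="";` has no effect, because the next line `$data[$key]=$value;` runs unconditionally and overwrites the empty string with null again. Replace the two statements with `$data[$key] = ($value === null) ? "" : $value;`. The enclosing method begins above the hunk.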
@@ -340,7 +349,7 @@ class TreeCommonDataItem extends CommonDataItem{
$str.=" ".$key."='".$this->xmlentities($value)."'";
if ($this->kids === true)
- $str .=" dhx_kids='1'";
+ $str .=" ".Connector::$kids_var."='1'";
return $str.">";
}
@@ -394,7 +403,11 @@ class TreeDataConnector extends DataConnector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
- return "<data parent='".$this->request->get_relation()."'>";
+ $attributes = " parent='".$this->request->get_relation()."' ";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ return "<data".$attributes.">";
}
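Review bot: `get_relation()` is spliced into the `parent` attribute unescaped here, while the same commit wraps the identical value with `xmlentities()` in treegrid_connector.php and treegridmultitable_connector.php; the relation is read from the request object, so presumably a quote character in it can break or alter the XML. Use `$attributes = " parent='".$this->xmlentities($this->request->get_relation())."' ";` and escape `$v` in the attribute loop the same way.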
}
@@ -420,6 +433,10 @@ class JSONTreeDataConnector extends TreeDataConnector{
if (!empty($this->options))
$data["collections"] = $this->options;
+
+ foreach($this->attributes as $k=>$v)
+ $data[$k] = $v;
+
$data = json_encode($data);
// return as string
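Review bot: `$data[$k] = $v;` copies every top attribute into the response object after `collections` has been set, so an attribute named `collections`, `data` or `parent` would overwrite the payload key. If attribute names are developer-controlled that is acceptable, but a comment such as `// top attributes are merged last and may shadow payload keys` records it. The enclosing method begins above the hunk.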
@@ -489,7 +506,7 @@ class JSONTreeCommonDataItem extends TreeCommonDataItem{
$data[$key]=$value;
if ($this->kids === true)
- $data["dhx_kids"] = 1;
+ $data[Connector::$kids_var] = 1;
return $data;
}
diff --git a/codebase/dataprocessor.php b/codebase/dataprocessor.php
index 74852e2..89a4460 100644
--- a/codebase/dataprocessor.php
+++ b/codebase/dataprocessor.php
@@ -160,12 +160,15 @@ class DataProcessor{
$mode = $this->status_to_mode($action->get_status());
if (!$this->connector->access->check($mode)){
- LogMaster::log("Access control: {$operation} operation blocked");
+ LogMaster::log("Access control: {$mode} operation blocked");
$action->error();
} else {
$check = $this->connector->event->trigger("beforeProcessing",$action);
if (!$action->is_ready())
$this->check_exts($action,$mode);
+ if ($mode == "insert" && $action->get_status() != "error" && $action->get_status() != "invalid")
+ $this->connector->sql->new_record_order($action, $this->request);
+
$check = $this->connector->event->trigger("afterProcessing",$action);
}
@@ -178,13 +181,14 @@ class DataProcessor{
if ($this->connector->sql->is_record_transaction()){
if ($action->get_status()=="error" || $action->get_status()=="invalid")
- $this->connector->sql->rollback_transaction();
+ $this->connector->sql->rollback_transaction();
else
- $this->connector->sql->commit_transaction();
+ $this->connector->sql->commit_transaction();
}
-
+
return $action;
}
+
/*! check if some event intercepts processing, send data to DataWrapper in other case
@param action
@@ -220,7 +224,7 @@ class DataProcessor{
}
$this->connector->event->trigger("after".$mode,$action);
- $this->config = $old_config;
+ $this->config->copy($old_config);
}
/*! output xml response for dataprocessor
@@ -484,11 +488,23 @@ class DataAction{
function to_xml(){
$str="<action type='{$this->status}' sid='{$this->id}' tid='{$this->nid}' ";
foreach ($this->attrs as $k => $v) {
- $str.=$k."='".$v."' ";
+ $str.=$k."='".$this->xmlentities($v)."' ";
}
$str.=">{$this->output}</action>";
return $str;
}
+
+ /*! replace xml unsafe characters
+
+ @param string
+ string to be escaped
+ @return
+ escaped string
+ */
+ public function xmlentities($string) {
+ return str_replace( array( '&', '"', "'", '<', '>', '’' ), array( '&amp;' , '&quot;', '&apos;' , '&lt;' , '&gt;', '&apos;' ), $string);
+ }
+
/*! convert self to string ( for logs )
@return
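Review bot: `to_xml` now escapes the extra attributes but still interpolates `{$this->id}` and `{$this->nid}` raw into `sid`/`tid`; `sid` presumably echoes the id the client submitted, so it needs the same treatment: `$str="<action type='{$this->status}' sid='".$this->xmlentities($this->id)."' tid='".$this->xmlentities($this->nid)."' ";`. Separately, the new `xmlentities` maps the typographic `’` (U+2019) to `&apos;`, which rewrites content rather than escaping it; the five XML specials are sufficient and the last pair should go unless a client depends on it.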
diff --git a/codebase/dataview_connector.php b/codebase/dataview_connector.php
index 41b7387..fe2c9fd 100644
--- a/codebase/dataview_connector.php
+++ b/codebase/dataview_connector.php
@@ -60,7 +60,6 @@ class DataViewConnector extends Connector{
foreach($this->attributes as $k=>$v)
$attributes .= " ".$k."='".$v."'";
- $start.= ">";
if ($this->dload){
if ($pos=$this->request->get_start())
return "<data pos='".$pos."'".$attributes.">";
diff --git a/codebase/db_common.php b/codebase/db_common.php
index 19365f3..e2f521e 100644
--- a/codebase/db_common.php
+++ b/codebase/db_common.php
@@ -14,6 +14,7 @@ class DataRequestConfig{
private $start; //!< start of requested data
private $count; //!< length of requested data
+ private $order = false;
private $user;
private $version;
@@ -83,6 +84,12 @@ class DataRequestConfig{
}
+ public function get_order(){
+ return $this->order;
+ }
+ public function set_order($order){
+ $this->order = $order;
+ }
public function get_user(){
return $this->user;
}
@@ -195,7 +202,9 @@ class DataRequestConfig{
name of source table
*/
public function set_source($value){
- $this->source=trim($value);
+ if (is_string($value))
+ $value = trim($value);
+ $this->source = $value;
if (!$this->source) throw new Exception("Source of data can't be empty");
}
/*! sets data limits
@@ -640,6 +649,73 @@ abstract class DBDataWrapper extends DataWrapper{
return $str;
}
+ public function new_record_order($action, $source){
+ $order = $source->get_order();
+ if ($order){
+ $table = $source->get_source();
+ $id = $this->config->id["db_name"];
+ $idvalue = $action->get_new_id();
+
+ $max = $this->queryOne("SELECT MAX($order) as dhx_maxvalue FROM $table");
+ $dhx_maxvalue = $max["dhx_maxvalue"] + 1;
+
+ $this->query("UPDATE $table SET $order = $dhx_maxvalue WHERE $id = $idvalue");
+ }
+ }
+
+ public function order($data, $source){
+ //id of moved item
+ $id1 = $this->escape($data->get_value("id"));
+ //id of target item
+ $target = $data->get_value("target");
+ if (strpos($target, "next:") !== false){
+ $dropnext = true;
+ $id2 = str_replace("next:", "", $target);
+ } else {
+ $id2 = $target;
+ }
+ $id2 = $this->escape($id2);
+
+
+ //for tree like components we need to limit out queries to the affected branch only
+ $relation_select = $relation_update = $relation_sql_out = $relation_sql = "";
+ if ($this->config->relation_id["name"]){
+ $relation = $data->get_value($this->config->relation_id["name"]);
+ if ($relation !== false && $relation !== ""){
+ $relation_sql = " ".$this->config->relation_id["db_name"]." = '".$this->escape($relation)."' AND ";
+ $relation_select = $this->config->relation_id["db_name"]." as dhx_parent, ";
+ $relation_update = " ".$this->config->relation_id["db_name"]." = '".$this->escape($relation)."', ";
+ }
+ }
+
+
+ $name = $source->get_order();
+ $table = $source->get_source();
+ $idkey = $this->config->id["db_name"];
+
+ $source = $this->queryOne("select $relation_select $name as dhx_index from $table where $idkey = '$id1'");
+ $source_index = $source["dhx_index"] ? $source["dhx_index"] : 0;
+ if ($relation_sql)
+ $relation_sql_out = " ".$this->config->relation_id["db_name"]." = '".$this->escape($source["dhx_parent"])."' AND ";
+
+ $this->query("update $table set $name = $name - 1 where $relation_sql_out $name >= $source_index");
+
+ if ($id2 !== ""){
+ $target = $this->queryOne("select $name as dhx_index from $table where $idkey = '$id2'");
+ $target_index = $target["dhx_index"];
+ if (!$target_index)
+ $target_index = 0;
+ if ($dropnext)
+ $target_index += 1;
+ $this->query("update $table set $name = $name + 1 where $relation_sql $name >= $target_index");
+ } else {
+ $target = $this->queryOne("select max($name) as dhx_index from $table");
+ $target_index = ($target["dhx_index"] ? $target["dhx_index"] : 0)+1;
+ }
+
+ $this->query("update $table set $relation_update $name = $target_index where $idkey = '$id1'");
+ }
+
public function insert($data,$source){
$sql=$this->insert_query($data,$source);
$this->query($sql);
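Review bot: In `new_record_order`, `$idvalue` from `get_new_id()` is spliced unquoted and unescaped into `WHERE $id = $idvalue`, unlike `order()` below, which passes ids through `$this->escape()` and quotes them; use `"UPDATE $table SET $order = $dhx_maxvalue WHERE $id = '".$this->escape($idvalue)."'"`. In `order()`, `$dropnext` is assigned only in the `next:` branch but read unconditionally at `if ($dropnext)`, raising a notice on the other path — initialise `$dropnext = false;` before the branch. The `$source` parameter is overwritten by the query row at `$source = $this->queryOne(...)`, which makes its later uses ambiguous; a name like `$row` reads better. The fallback `select max($name) as dhx_index from $table` ignores `$relation_sql`, so for tree data it may take the maximum across all branches rather than the affected one — confirm that is intended.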
@@ -724,8 +800,14 @@ abstract class DBDataWrapper extends DataWrapper{
else
array_push($sql,$this->escape_name($rules[$i]["name"])." ".$rules[$i]["operation"]." '".$this->escape($rules[$i]["value"])."'");
}
- if ($relation!==false)
- array_push($sql,$this->escape_name($this->config->relation_id["db_name"])." = '".$this->escape($relation)."'");
+
+ if ($relation !== false && $relation !== ""){
+ $relsql = $this->escape_name($this->config->relation_id["db_name"])." = '".$this->escape($relation)."'";
+ if ($relation == "0")
+ $relsql = "( ".$relsql." OR ".$this->escape_name($this->config->relation_id["db_name"])." IS NULL )";
+
+ array_push($sql,$relsql);
+ }
return implode(" AND ",$sql);
}
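Review bot: `if ($relation == "0")` uses loose comparison, so numeric-looking strings such as `"0.0"` or `"00"` also take the `IS NULL` branch; use `$relation === "0"`. build_where begins above the hunk.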
/*! convert sorting rules to sql string
@@ -800,7 +882,7 @@ abstract class DBDataWrapper extends DataWrapper{
$sql.=implode(",",$temp)." WHERE ".$this->escape_name($this->config->id["db_name"])."='".$this->escape($data->get_id())."'";
//if we have limited set - set constraints
- $where=$this->build_where($request->get_filters(),$request->get_relation());
+ $where=$this->build_where($request->get_filters());
if ($where) $sql.=" AND (".$where.")";
return $sql;
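Review bot: Dropping `$request->get_relation()` from the `build_where` call removes the relation constraint from the UPDATE statement, so a record is now matched by id and filters only; if the relation previously limited edits to the loaded branch, this widens the set of rows a client can modify. The same change is made to the delete query in the next hunk. If the relation is intentionally no longer a write constraint, a comment next to the call, e.g. `// relation is not a write constraint; rows are addressed by id and filters only`, would record that decision.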
@@ -820,7 +902,7 @@ abstract class DBDataWrapper extends DataWrapper{
$sql.=" WHERE ".$this->escape_name($this->config->id["db_name"])."='".$this->escape($data->get_id())."'";
//if we have limited set - set constraints
- $where=$this->build_where($request->get_filters(),$request->get_relation());
+ $where=$this->build_where($request->get_filters());
if ($where) $sql.=" AND (".$where.")";
return $sql;
diff --git a/codebase/db_oracle.php b/codebase/db_oracle.php
index 064d55a..703d3a4 100644
--- a/codebase/db_oracle.php
+++ b/codebase/db_oracle.php
@@ -23,8 +23,8 @@ class OracleDBDataWrapper extends DBDataWrapper{
$mode = ($this->is_record_transaction() || $this->is_global_transaction())?OCI_DEFAULT:OCI_COMMIT_ON_SUCCESS;
- $res=oci_execute($stm,$mode);
- if ($res===false) throw new Exception("Oracle - sql execution failed\n".oci_error($this->connection));
+ $res = @oci_execute($stm,$mode);
+ if ($res===false) throw new Exception(oci_error($this->connection));
$this->last_id=$out[0];
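Review bot: `oci_error()` returns an array, so `new Exception(oci_error($this->connection))` loses the error text (the constructor expects a string), and the added `@` hides the execution warning that previously reached the log. Extract the message and pass the statement handle, which carries statement-level errors: `$err = oci_error($stm); throw new Exception("Oracle - sql execution failed: ".($err ? $err['message'] : 'unknown error'));`. The enclosing method starts above the hunk.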
diff --git a/codebase/db_phpcake.php b/codebase/db_phpcake.php
index 980c9c3..97d94eb 100644
--- a/codebase/db_phpcake.php
+++ b/codebase/db_phpcake.php
@@ -13,7 +13,12 @@ if you plan to use it for Oracle - use Oracle connection type instead
**/
class PHPCakeDBDataWrapper extends ArrayDBDataWrapper{
public function select($sql){
- $res = $this->connection->find("all");
+ $source = $sql->get_source();
+ if (is_array($source)) //result of find
+ $res = $source;
+ else
+ $res = $this->connection->find("all");
+
if (sizeof($res)){
$name = get_class($this->connection);
$temp = array();
diff --git a/codebase/gantt_connector.php b/codebase/gantt_connector.php
index 46c580b..74b8636 100644
--- a/codebase/gantt_connector.php
+++ b/codebase/gantt_connector.php
@@ -10,8 +10,6 @@ require_once("data_connector.php");
**/
class GanttDataItem extends DataItem{
- public static $open = null;
-
/*! return self as XML string
*/
function to_xml(){
@@ -28,8 +26,6 @@ class GanttDataItem extends DataItem{
if ($this->userdata !== false)
foreach ($this->userdata as $key => $value)
$str.="<".$key."><![CDATA[".$value."]]></".$key.">";
- if (GanttDataItem::$open !== null)
- $str.="<open>".GanttDataItem::$open."</open>";
return $str."</task>";
}
@@ -82,6 +78,9 @@ class GanttConnector extends Connector{
if (!$data_type) $data_type="GanttDataProcessor";
if (!$render_type) $render_type="RenderStrategy";
parent::__construct($res,$type,$item_type,$data_type,$render_type);
+
+ $this->event->attach("afterDelete", array($this, "delete_related_links"));
+ $this->event->attach("afterOrder", array($this, "order_set_parent"));
}
//parse GET scoope, all operations with incoming request must be done here
@@ -99,8 +98,25 @@ class GanttConnector extends Connector{
}
}
- public function openAll($mode = true) {
- GanttDataItem::$open = $mode;
+ function order_set_parent($action){
+ $value = $action->get_id();
+ $parent = $action->get_value("parent");
+
+ $table = $this->request->get_source();
+ $id = $this->config->id["db_name"];
+
+ $this->sql->query("UPDATE $table SET parent = $parent WHERE $id = $value");
+ }
+
+ function delete_related_links($action){
+ if (isset($this->options["links"])){
+ $links = $this->options["links"];
+ $value = $this->sql->escape($action->get_new_id());
+ $table = $links->get_request()->get_source();
+
+ $this->sql->query("DELETE FROM $table WHERE source = '$value'");
+ $this->sql->query("DELETE FROM $table WHERE target = '$value'");
+ }
}
public function render_links($table,$id="",$fields=false,$extra=false,$relation_id=false) {
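Review bot: `order_set_parent` splices `$parent` and `$value` straight into `UPDATE $table SET parent = $parent WHERE $id = $value` without escaping or quoting, although both are read from the client-submitted action, while `delete_related_links` in the same hunk correctly uses `$this->sql->escape()` and quotes the value. Change to `$value = $this->sql->escape($action->get_id());`, `$parent = $this->sql->escape($action->get_value("parent"));` and `$this->sql->query("UPDATE $table SET parent = '$parent' WHERE $id = '$value'");`. Also, `delete_related_links` reads `get_new_id()` inside an afterDelete handler; if the deleted row's id lives in `get_id()`, this looks like the wrong accessor — confirm.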
@@ -145,9 +161,7 @@ class JSONGanttDataItem extends GanttDataItem{
$extra = $this->config->text[$i]["name"];
$obj[$extra]=$this->data[$extra];
}
- if (GanttDataItem::$open !== null)
- $obj['open'] = GanttDataItem::$open;
-
+
if ($this->userdata !== false)
foreach ($this->userdata as $key => $value)
$obj[$key]=$value;
diff --git a/codebase/grid_connector.php b/codebase/grid_connector.php
index 9748dee..10a98bd 100644
--- a/codebase/grid_connector.php
+++ b/codebase/grid_connector.php
@@ -87,7 +87,7 @@ class GridDataItem extends DataItem{
public function to_xml_start(){
if ($this->skip) return "";
- $str="<row id='".$this->get_id()."'";
+ $str="<row id='".$this->xmlentities($this->get_id())."'";
foreach ($this->row_attrs as $k=>$v)
$str.=" ".$k."='".$v."'";
$str.=">";
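Review bot: The row id is now escaped, but the `row_attrs` values on the following line are still written raw into attributes; for consistency use `$str.=" ".$k."='".$this->xmlentities($v)."'";`.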
diff --git a/codebase/strategy.php b/codebase/strategy.php
index 47582a5..f9a106f 100644
--- a/codebase/strategy.php
+++ b/codebase/strategy.php
@@ -46,7 +46,7 @@ class RenderStrategy {
protected function simple_mix($mix, $data) {
// get mix details
for ($i = 0; $i < count($mix); $i++)
- $data[$mix[$i]["name"]] = is_string($mix[$i]["value"]) ? $mix[$i]["value"] : "";
+ $data[$mix[$i]["name"]] = is_object($mix[$i]["value"]) ? "" : $mix[$i]["value"];
return $data;
}
@@ -169,7 +169,7 @@ class TreeRenderStrategy extends RenderStrategy {
$output.=$data->to_xml_start();
if ($data->has_kids()===-1 || ( $data->has_kids()==true && !$dload)){
$sub_request = new DataRequestConfig($conn->get_request());
- $sub_request->set_fieldset(implode(",",$config_copy->db_names_list($conn->sql)));
+ //$sub_request->set_fieldset(implode(",",$config_copy->db_names_list($conn->sql)));
$sub_request->set_relation($data->get_id());
$output.=$this->render_set($conn->sql->select($sub_request), $name, $dload, $sep, $config_copy, $mix);
}
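Review bot: The `set_fieldset` call is commented out rather than removed, here and in the JSONTreeRenderStrategy hunk below together with `set_filters(array())`; commented-out code hides why the behaviour changed. Delete the lines and, if deliberate, replace them with a comment such as `// sub-requests reuse the parent request's fieldset and filters`. Note that dropping `set_filters(array())` means the JSON sub-request now inherits the parent's filters, so child rows are filtered as well — confirm that is intended.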
@@ -223,9 +223,9 @@ class JSONTreeRenderStrategy extends TreeRenderStrategy {
$record = $data->to_xml_start();
if ($data->has_kids()===-1 || ( $data->has_kids()==true && !$dload)){
$sub_request = new DataRequestConfig($conn->get_request());
- $sub_request->set_fieldset(implode(",",$config_copy->db_names_list($conn->sql)));
+ //$sub_request->set_fieldset(implode(",",$config_copy->db_names_list($conn->sql)));
$sub_request->set_relation($data->get_id());
- $sub_request->set_filters(array());
+ //$sub_request->set_filters(array());
$temp = $this->render_set($conn->sql->select($sub_request), $name, $dload, $sep, $config_copy, $mix);
if (sizeof($temp))
$record["data"] = $temp;
diff --git a/codebase/treegrid_connector.php b/codebase/treegrid_connector.php
index f074879..0bb19ea 100644
--- a/codebase/treegrid_connector.php
+++ b/codebase/treegrid_connector.php
@@ -90,7 +90,7 @@ class TreeGridConnector extends GridConnector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
- return "<rows parent='".$this->request->get_relation()."'>";
+ return "<rows parent='".$this->xmlentities( $this->request->get_relation() )."'>";
}
}
diff --git a/codebase/treegridmultitable_connector.php b/codebase/treegridmultitable_connector.php
index c380ef6..3f4bbd9 100644
--- a/codebase/treegridmultitable_connector.php
+++ b/codebase/treegridmultitable_connector.php
@@ -27,7 +27,7 @@ class TreeGridMultitableConnector extends TreeGridConnector{
public function xml_start(){
if (isset($_GET['id'])) {
- return "<rows parent='".$this->render->level_id($_GET['id'], $this->get_level() - 1)."'>";
+ return "<rows parent='".$this->xmlentities($this->render->level_id($_GET['id'], $this->get_level() - 1))."'>";
} else {
return "<rows parent='0'>";
}
diff --git a/codebase/xss_filter.php b/codebase/xss_filter.php
index b02d878..ed0a309 100644
--- a/codebase/xss_filter.php
+++ b/codebase/xss_filter.php
@@ -143,6 +143,7 @@ define("DHX_SECURITY_TRUSTED", 3);
class ConnectorSecurity{
static public $xss = DHX_SECURITY_SAFETEXT;
static public $security_key = false;
+ static public $security_var = "dhx_security";
static private $filterClass = null;
static function filter($value, $mode = false){
@@ -170,25 +171,26 @@ class ConnectorSecurity{
die();
}
static function checkCSRF($edit){
- if(!isset($_SESSION)) @session_start();
-
if (ConnectorSecurity::$security_key){
+ if (!isset($_SESSION))
+ @session_start();
+
if ($edit=== true){
- if (!isset($_POST['dhx_security']))
+ if (!isset($_POST[ConnectorSecurity::$security_var]))
return ConnectorSecurity::CSRF_detected();
- $master_key = $_SESSION['dhx_security'];
- $update_key = $_POST['dhx_security'];
+ $master_key = $_SESSION[ConnectorSecurity::$security_var];
+ $update_key = $_POST[ConnectorSecurity::$security_var];
if ($master_key != $update_key)
return ConnectorSecurity::CSRF_detected();
return "";
}
//data loading
- if (!array_key_exists("dhx_security",$_SESSION)){
- $_SESSION["dhx_security"] = md5(uniqid());
+ if (!array_key_exists(ConnectorSecurity::$security_var,$_SESSION)){
+ $_SESSION[ConnectorSecurity::$security_var] = md5(uniqid());
}
- return $_SESSION["dhx_security"];
+ return $_SESSION[ConnectorSecurity::$security_var];
}
return "";
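Review bot: `$master_key != $update_key` compares the CSRF token with loose `!=`; with md5 hex output, two tokens of the form `0e<digits>` are numeric strings and compare equal, so use `hash_equals((string)$master_key, (string)$update_key)` (PHP 5.6+) instead. The token itself is `md5(uniqid())`, which is time-derived rather than random; generate it from a CSPRNG, e.g. `bin2hex(random_bytes(16))` on PHP 7+ or `openssl_random_pseudo_bytes` before that. `$_SESSION[ConnectorSecurity::$security_var]` is also read in the edit path without checking that the key exists, so an edit before any load yields a notice and a null master key; an `isset` check returning `CSRF_detected()` would be cleaner.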
diff --git a/samples/config.php b/samples/config.php
index 753650a..00466f3 100644
--- a/samples/config.php
+++ b/samples/config.php
@@ -1,5 +1,5 @@
<?php
- $mysql_server="192.168.1.251";
+ $mysql_server="192.168.3.251";
$mysql_user = "sampleDB";
$mysql_pass = "sampleDB";
$mysql_db = "sampleDB";