author | Stanislav-Wolski <stanislau.wolski@gmail.com> | 2012-05-28 17:29:54 +0300 |
---|---|---|
committer | Stanislav-Wolski <stanislau.wolski@gmail.com> | 2012-05-28 17:29:54 +0300 |
commit | f412231c95a2d54a1061b597b4032227e5e0bdb5 (patch) | |
tree | 0a4b388edebba591e6fd19dbe1cea2f7978d7294 | |
parent | 6c5b0c64092ad095d55412b5765c14bd121b508c (diff) | |
[add] csrf defense and render_array functionality
-rw-r--r-- | codebase/base_connector.php | 25 | ||||
-rw-r--r-- | codebase/data_connector.php | 16 | ||||
-rw-r--r-- | codebase/dataview_connector.php | 11 | ||||
-rw-r--r-- | codebase/db_common.php | 3 | ||||
-rw-r--r-- | codebase/grid_connector.php | 10 | ||||
-rw-r--r-- | codebase/scheduler_connector.php | 3 | ||||
-rw-r--r-- | codebase/tree_connector.php | 6 | ||||
-rw-r--r-- | codebase/xss_filter.php | 2 | ||||
-rw-r--r-- | samples/config.php | 6 | ||||
-rw-r--r-- | samples/scheduler/07_array_connector.html | 54 | ||||
-rw-r--r-- | samples/scheduler/07_array_connector.php | 11 | ||||
-rw-r--r-- | samples/security/data_csrf.php | 14 | ||||
-rw-r--r-- | samples/security/dataview_csrf.php | 14 | ||||
-rw-r--r-- | samples/security/form_csrf.php | 15 | ||||
-rw-r--r-- | samples/security/grid_csrf.php | 14 | ||||
-rw-r--r-- | samples/security/scheduler_csrf.php | 15 | ||||
-rw-r--r-- | samples/security/tree_csrf.php | 13 |
17 files changed, 208 insertions, 24 deletions
diff --git a/codebase/base_connector.php b/codebase/base_connector.php
index 2c924a9..6f66ef8 100644
--- a/codebase/base_connector.php
+++ b/codebase/base_connector.php
@@ -327,6 +327,7 @@ class Connector {
"data_class"=>$data_type,
"render_class"=>$render_type
);
+ $this->attributes = array();
$this->config = new DataConfig();
$this->request = new DataRequestConfig();
@@ -361,6 +362,11 @@ class Connector {
}
+ protected $attributes;
+ public function add_top_attribute($name, $string){
+ $this->attributes[$name] = $string;
+ }
+
//model is a class, which will be used for all data operations
//we expect that it has next methods get, update, insert, delete
//if method was not defined - we will use default logic
@@ -421,6 +427,12 @@ class Connector {
return $this->render();
}
+ public function render_array($data, $id, $fields, $extra=false, $relation_id=false){
+ $this->configure("-",$id,$fields,$extra,$relation_id);
+ $this->sql = new ArrayDBDataWrapper($data, null);
+ return $this->render();
+ }
+
public function render_complex_sql($sql,$id,$fields,$extra=false,$relation_id=false){
$this->config->init($id,$fields,$extra,$relation_id);
$this->request->parse_sql($sql, true);
@@ -475,9 +487,11 @@ class Connector {
$this->sql = new ArrayDBDataWrapper();
$result = new ArrayQueryWrapper(call_user_func(array($this->model, "get"), $this->request));
$this->output_as_xml($result);
- } else
+ } else {
$this->output_as_xml($this->get_resource());
}
+
+ }
}
$this->end_run();
}
@@ -557,6 +571,9 @@ class Connector {
$this->request->set_filter($this->resolve_parameter($k),$v);
}
+ $key = ConnectorSecurity::checkCSRF($this->editing);
+ if ($key !== "")
+ $this->add_top_attribute("dhx_security", $key);
}
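Review bot: `add_top_attribute` (@@ -361 hunk) and `render_array` (@@ -421 hunk) are added to Connector without any doc comment, while the neighbouring code carries `//model is a class...` style commentary and `/*! ... */` headers. Suggest a header on `render_array` such as `/*! renders a PHP array as the data source instead of a DB table; $data is a list of rows keyed by field name, the remaining parameters follow render_table */`, and on `add_top_attribute`: `/*! registers an attribute for the root element of the output; the value is stored verbatim */`. The `"-"` handed to configure() as the table name also needs a one-line comment saying it is a placeholder, since nothing in the hunk explains it.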
@@ -679,7 +696,11 @@ class Connector {
/*! renders self as xml, starting part
*/
protected function xml_start(){
- return "<data>";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ return "<data".$attributes.">";
}
/*! renders self as xml, ending part
diff --git a/codebase/data_connector.php b/codebase/data_connector.php
index a5419e0..f094fb8 100644
--- a/codebase/data_connector.php
+++ b/codebase/data_connector.php
@@ -102,7 +102,6 @@ class DataConnector extends Connector{
if (!$data_type) $data_type="CommonDataProcessor";
$this->sections = array();
- $this->attributes = array();
if (!$render_type) $render_type="RenderStrategy";
parent::__construct($res,$type,$item_type,$data_type,$render_type);
@@ -114,11 +113,6 @@ class DataConnector extends Connector{
$this->sections[$name] = $string;
}
- protected $attributes;
- public function add_top_attribute($name, $string){
- $this->attributes[$name] = $string;
- }
-
protected function parse_request_mode(){
//do nothing, at least for now
}
@@ -150,9 +144,6 @@ class DataConnector extends Connector{
if (isset($_GET["start"]) && isset($_GET["count"]))
$this->request->set_limit($_GET["start"],$_GET["count"]);
- $key = ConnectorSecurity::checkCSRF($this->editing);
- if ($key !== "")
- $this->add_top_attribute("dhx_security", $key);
}
/*! renders self as xml, starting part
@@ -167,7 +158,6 @@ class DataConnector extends Connector{
$start .= "<".$k.">".$v."</".$k.">\n";
return $start;
}
-
};
class JSONDataConnector extends DataConnector{
@@ -232,10 +222,14 @@ class JSONDataConnector extends DataConnector{
$is_sections = sizeof($this->sections) && $this->is_first_call();
- if ($this->dload || $is_sections){
+ if ($this->dload || $is_sections || sizeof($this->attributes)){
$start = $start.$end;
$end="";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $end .= ", ".$k.":\"".$v."\"";
+
if ($is_sections){
//extra sections
foreach($this->sections as $k=>$v)
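Review bot: In the base_connector xml_start hunk the name and value taken from `$this->attributes` are concatenated into the `<data>` start tag verbatim, so a value containing `'`, `<` or `&` produces malformed or injectable XML. In this commit only the session-stored CSRF key reaches it, but `add_top_attribute` is public and accepts any string, so the escaping belongs at the point of output: `$attributes .= " ".$k."='".htmlspecialchars($v, ENT_QUOTES)."'";`. The same unescaped pattern is repeated in the dataview_connector, grid_connector and tree_connector xml_start hunks of this commit and should be fixed there too.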
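Review bot: In the JSONDataConnector hunk `$attributes = "";` is assigned and never read, and the attribute is emitted as `, dhx_security:"<value>"` with an unquoted key and an unescaped value, which is not valid JSON and will fail on a client that parses strictly instead of evaluating the text (the client side is not visible here). Let the encoder build the fragment and drop the unused local: `$end .= ", ".json_encode((string)$k).":".json_encode((string)$v);`. The same string-built form appears in the JSONSchedulerConnector xml_end hunk in scheduler_connector.php.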
diff --git a/codebase/dataview_connector.php b/codebase/dataview_connector.php
index 0c4ca0c..41b7387 100644
--- a/codebase/dataview_connector.php
+++ b/codebase/dataview_connector.php
@@ -56,14 +56,19 @@ class DataViewConnector extends Connector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ $start.= ">";
if ($this->dload){
if ($pos=$this->request->get_start())
- return "<data pos='".$pos."'>";
+ return "<data pos='".$pos."'".$attributes.">";
else
- return "<data total_count='".$this->sql->get_size($this->request)."'>";
+ return "<data total_count='".$this->sql->get_size($this->request)."'".$attributes.">";
} else
- return "<data>";
+ return "<data".$attributes.">";
}
}
?>
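Review bot: `$start.= ">";` in the DataViewConnector xml_start hunk appends to a variable that is neither defined nor read anywhere in the method, so it only raises an undefined-variable notice and contributes nothing to the returned tag. It looks like a leftover from copying the grid_connector version of this method, which does not carry the line. Delete `$start.= ">";`.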
\ No newline at end of file
diff --git a/codebase/db_common.php b/codebase/db_common.php
index 7d738ee..8b5935a 100644
--- a/codebase/db_common.php
+++ b/codebase/db_common.php
@@ -930,6 +930,9 @@ class ArrayDBDataWrapper extends DBDataWrapper{
if ($res->index < sizeof($res->data))
return $res->data[$res->index++];
}
+ public function select($sql){
+ return new ArrayQueryWrapper($this->connection);
+ }
public function query($sql){
throw new Exception("Not implemented");
}
diff --git a/codebase/grid_connector.php b/codebase/grid_connector.php
index 6f41467..4d1926b 100644
--- a/codebase/grid_connector.php
+++ b/codebase/grid_connector.php
@@ -214,14 +214,18 @@ class GridConnector extends Connector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
if ($this->dload){
if ($pos=$this->request->get_start())
- return "<rows pos='".$pos."'>";
+ return "<rows pos='".$pos."'".$attributes.">";
else
- return "<rows total_count='".$this->sql->get_size($this->request)."'>";
+ return "<rows total_count='".$this->sql->get_size($this->request)."'".$attributes.">";
} else
- return "<rows>";
+ return "<rows".$attributes.">";
}
diff --git a/codebase/scheduler_connector.php b/codebase/scheduler_connector.php
index 7032fd8..11572b2 100644
--- a/codebase/scheduler_connector.php
+++ b/codebase/scheduler_connector.php
@@ -22,7 +22,6 @@ class SchedulerDataItem extends DataItem{
$extra = $this->config->text[$i]["name"];
$str.="<".$extra."><![CDATA[".$this->data[$extra]."]]></".$extra.">";
}
-
if ($this->userdata !== false)
foreach ($this->userdata as $key => $value)
$str.="<".$key."><![CDATA[".$value."]]></".$key.">";
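Review bot: The new `ArrayDBDataWrapper::select()` ignores its `$sql` argument and hands the whole `$this->connection` payload to ArrayQueryWrapper, so any filter, sort or limit the request carries is silently not applied to array-backed data unless the wrapper applies them somewhere outside this hunk. That would also make `set_limit()` calls, as used with the other connectors in this commit, a no-op for `render_array`. At minimum state it in a comment: `//array sources return the full data set; request filtering, sorting and limits are not applied here`. It is also worth confirming that the constructor stores the `$data` passed by `render_array` in `$this->connection`, which this method assumes but the hunk does not show.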
@@ -164,6 +163,8 @@ class JSONSchedulerConnector extends SchedulerConnector {
protected function xml_end() {
$this->fill_collections();
$end = (!empty($this->extra_output)) ? ', "collections": {'.$this->extra_output.'}' : '';
+ foreach ($this->attributes as $k => $v)
+ $end.=", ".$k.":\"".$v."\"";
$end .= '}';
return $end;
}
diff --git a/codebase/tree_connector.php b/codebase/tree_connector.php
index ddc21e7..d94206a 100644
--- a/codebase/tree_connector.php
+++ b/codebase/tree_connector.php
@@ -188,7 +188,11 @@ class TreeConnector extends Connector{
/*! renders self as xml, starting part
*/
public function xml_start(){
- return "<tree id='".$this->request->get_relation()."'>";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ return "<tree id='".$this->request->get_relation()."'".$attributes.">";
}
/*! renders self as xml, ending part
diff --git a/codebase/xss_filter.php b/codebase/xss_filter.php
index 9018443..b68cb56 100644
--- a/codebase/xss_filter.php
+++ b/codebase/xss_filter.php
@@ -190,6 +190,8 @@ class ConnectorSecurity{
return $_SESSION["dhx_security"];
}
+
+ return "";
}
}
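Review bot: The added `return "";` makes the empty string the "no key issued" sentinel that the new base_connector code tests with `!== ""`, but nothing in checkCSRF records that contract; the function's signature and the branches that lead to `return $_SESSION["dhx_security"]` are above the hunk. Suggest a header comment on the function along the lines of `//returns the session-stored CSRF key that the output must echo back, or "" when no key is issued for this request`.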
\ No newline at end of file
diff --git a/samples/config.php b/samples/config.php
index 79d6843..753650a 100644
--- a/samples/config.php
+++ b/samples/config.php
@@ -1,7 +1,7 @@
<?php
- $mysql_server="localhost";
- $mysql_user = "root";
- $mysql_pass = "";
+ $mysql_server="192.168.1.251";
+ $mysql_user = "sampleDB";
+ $mysql_pass = "sampleDB";
$mysql_db = "sampleDB";
$excel_file = "../common/excel_sample.xls";
diff --git a/samples/scheduler/07_array_connector.html b/samples/scheduler/07_array_connector.html
new file mode 100644
index 0000000..c4c2183
--- /dev/null
+++ b/samples/scheduler/07_array_connector.html
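Review bot: samples/config.php now commits a specific LAN database host together with a username/password pair (`192.168.1.251`, `sampleDB`/`sampleDB`) in place of the previous localhost placeholders, so environment-specific connection details and a credential enter the shared repository history with this commit. Keep the tracked sample on neutral placeholder values and let developers override them from an untracked local file, for example by including a `config.local.php` when it exists, so that real hosts and passwords never have to be committed.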
@@ -0,0 +1,54 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<head>
+ <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+ <title></title>
+</head>
+ <script src="../dhtmlx/dhtmlxscheduler.js" type="text/javascript" charset="utf-8"></script>
+ <link rel="stylesheet" href="../dhtmlx/dhtmlxscheduler.css" type="text/css" title="no title" charset="utf-8">
+
+<style type="text/css" media="screen">
+ html, body{
+ margin:0px;
+ padding:0px;
+ height:100%;
+ overflow:hidden;
+ }
+</style>
+
+<script type="text/javascript" charset="utf-8">
+ function init() {
+ scheduler.config.multi_day = true;
+ scheduler.config.prevent_cache = true;
+ scheduler.config.xml_date="%Y-%m-%d %H:%i";
+ scheduler.init('scheduler_here',new Date(2012,4,1),"month");
+
+
+ scheduler.locale.labels.section_type = "Type";
+ scheduler.config.lightbox.sections = [
+ {name:"description", height:200, map_to:"text", type:"textarea" , focus:true},
+ {name:"type", height:21, map_to:"type", type:"select",
+ options:scheduler.serverList("type")},
+ {name:"time", height:72, type:"time", map_to:"auto"}
+ ];
+ scheduler.load("07_array_connector.php");
+ }
+</script>
+
+<body onload="init();">
+ <div id="scheduler_here" class="dhx_cal_container" style='width:100%; height:100%;'>
+ <div class="dhx_cal_navline">
+ <div class="dhx_cal_prev_button"> </div>
+ <div class="dhx_cal_next_button"> </div>
+ <div class="dhx_cal_today_button"></div>
+ <div class="dhx_cal_date"></div>
+ <div class="dhx_cal_tab" name="day_tab" style="right:204px;"></div>
+ <div class="dhx_cal_tab" name="week_tab" style="right:140px;"></div>
+ <div class="dhx_cal_tab" name="month_tab" style="right:76px;"></div>
+ </div>
+ <div class="dhx_cal_header">
+ </div>
+ <div class="dhx_cal_data">
+ </div>
+ </div>
+</body>
\ No newline at end of file
diff --git a/samples/scheduler/07_array_connector.php b/samples/scheduler/07_array_connector.php
new file mode 100644
index 0000000..7415a53
--- /dev/null
+++ b/samples/scheduler/07_array_connector.php
@@ -0,0 +1,11 @@
+<?php
+ include ('../../codebase/scheduler_connector.php');
+
+ $data = array(
+ array("event_id" => 1, "start_date" => "2012-05-24 00:00", "end_date" => "2012-05-25 00:00", "event_name" => "creation time"),
+ array("event_id" => 2, "start_date" => "2010-02-16", "end_date" => "2084-06-08", "event_name" => "second part")
+ );
+
+ $scheduler = new SchedulerConnector();
+ $scheduler->render_array($data,"event_id","start_date,end_date,event_name");
+?>
\ No newline at end of file
diff --git a/samples/security/data_csrf.php b/samples/security/data_csrf.php
new file mode 100644
index 0000000..1cfaf11
--- /dev/null
+++ b/samples/security/data_csrf.php
@@ -0,0 +1,14 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/data_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $grid = new JSONDataConnector($res);
+ $grid->set_limit(10);
+ $grid->render_table("grid50000","item_id","item_nm,item_cd");
+?>
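Review bot: data_csrf.php, and likewise the new dataview_csrf.php, form_csrf.php, grid_csrf.php, scheduler_csrf.php and tree_csrf.php samples, enable `ConnectorSecurity::$security_key = true;` but never call `session_start()`, while `checkCSRF` reads the key from `$_SESSION["dhx_security"]`; unless the connector starts the session itself (not visible in this diff) the samples will get no key and will not demonstrate the feature. Adding `session_start();` before the `require` of the connector would make each sample self-contained. The form and scheduler samples also write `$_GET["id"] = 810;` straight into the superglobal to simulate a request, which deserves a one-line comment marking it as a test fixture.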
\ No newline at end of file
diff --git a/samples/security/dataview_csrf.php b/samples/security/dataview_csrf.php
new file mode 100644
index 0000000..1971380
--- /dev/null
+++ b/samples/security/dataview_csrf.php
@@ -0,0 +1,14 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/dataview_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $grid = new DataViewConnector($res);
+ $grid->set_limit(10);
+ $grid->render_table("grid50000","item_id","item_nm,item_cd");
+?>
\ No newline at end of file
diff --git a/samples/security/form_csrf.php b/samples/security/form_csrf.php
new file mode 100644
index 0000000..8f76f03
--- /dev/null
+++ b/samples/security/form_csrf.php
@@ -0,0 +1,15 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/form_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $_GET["id"] = 810;
+
+ $grid = new FormConnector($res);
+ $grid->render_table("grid50000","item_id","item_nm,item_cd");
+?>
\ No newline at end of file
diff --git a/samples/security/grid_csrf.php b/samples/security/grid_csrf.php
new file mode 100644
index 0000000..d3a1c82
--- /dev/null
+++ b/samples/security/grid_csrf.php
@@ -0,0 +1,14 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/grid_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $grid = new GridConnector($res);
+ $grid->set_limit(10);
+ $grid->render_table("grid50000","item_id","item_nm,item_cd");
+?>
\ No newline at end of file
diff --git a/samples/security/scheduler_csrf.php b/samples/security/scheduler_csrf.php
new file mode 100644
index 0000000..9db3900
--- /dev/null
+++ b/samples/security/scheduler_csrf.php
@@ -0,0 +1,15 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/scheduler_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $_GET["id"] = 810;
+
+ $grid = new JSONSchedulerConnector($res);
+ $grid->render_table("events","event_id","start_date, end_date, event_name");
+?>
\ No newline at end of file
diff --git a/samples/security/tree_csrf.php b/samples/security/tree_csrf.php
new file mode 100644
index 0000000..eca30e9
--- /dev/null
+++ b/samples/security/tree_csrf.php
@@ -0,0 +1,13 @@
+<?php
+ require_once("../config.php");
+
+ $res=mysql_connect($mysql_server,$mysql_user,$mysql_pass);
+ mysql_select_db($mysql_db);
+
+ require("../../codebase/tree_connector.php");
+
+ ConnectorSecurity::$security_key = true;
+
+ $grid = new TreeConnector($res);
+ $grid->render_table("tasks","taskId","taskName","","parentId");
+?>
\ No newline at end of file |