Commit
admin/incFunctions.php: add `getUserData()` and `setUserData()` to get/set user-specific data stored in `membership_users.data`.
Add admin/pageSQL.php to allow admin to easily query the database (and store queries for later reference).
UI/UX enhancements for members list page under admin area.
Fix stored XSS in `invoice_items_autofill.php`.
Ahmad Gneady committed on Jul 3, 2021
1 parent: 41dda75
commit 478e5a5
Showing 37 changed files with 775 additions and 172 deletions.
@@ -0,0 +1,26 @@ | ||
<?php | ||
/* | ||
Manage stored SQL queries for admin user. | ||
Parameters: | ||
queries: (optional) a json string [{name, query}, ..]) to store. | ||
Response: | ||
stored queries (as a json string). | ||
queries are stored in the membership_users.data field for the current user, under the key 'storedQueries' | ||
*/ | ||
|
||
$currDir = dirname(__FILE__); | ||
require("{$currDir}/incCommon.php"); | ||
|
||
if(!csrf_token(true)) { | ||
@header('HTTP/1.0 403 Access Denied'); | ||
die(); | ||
} | ||
|
||
// store queries if provided | ||
if(isset($_REQUEST['queries'])) { | ||
$queries = $_REQUEST['queries']; | ||
setUserData('storedQueries', $queries); | ||
} | ||
|
||
echo getUserData('storedQueries'); |
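Review bot: `$_REQUEST['queries']` is passed straight to `setUserData('storedQueries', $queries)` with no check that it is the `[{name, query}, ..]` JSON the header comment promises, and the closing `echo getUserData('storedQueries')` returns the stored string without a `Content-type: application/json` header, so whatever was stored is served to the browser as HTML. Decode before storing and reject on failure, e.g. `if(json_decode($queries, true) === null) { @header('HTTP/1.0 400 Bad Request'); die(); }`, and emit `@header('Content-type: application/json');` before the echo. Since this endpoint mutates user data, read `$_POST['queries']` rather than `$_REQUEST['queries']` so the write cannot be triggered by a GET.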
@@ -0,0 +1,34 @@ | ||
<?php | ||
$currDir = dirname(__FILE__); | ||
require("{$currDir}/incCommon.php"); | ||
|
||
if(!csrf_token(true)) { | ||
@header('HTTP/1.0 403 Access Denied'); | ||
die(); | ||
} | ||
|
||
$sql = trim($_REQUEST['sql']); | ||
if(!preg_match('/^SELECT\s+.*?\s+FROM\s+\S+/i', $sql)) { | ||
@header('HTTP/1.0 404 Not Found'); | ||
die("Invalid query"); | ||
} | ||
|
||
// force a limit of 1000 in case no limit specified | ||
if(!preg_match('/\s+limit\s+\d+(\s*,\s*\d+)?/i', $sql)) | ||
$sql .= ' LIMIT 1000'; | ||
|
||
$resp = ['titles' => [], 'data' => [], 'error' => '']; | ||
$eo = ['silentErrors' => true]; | ||
|
||
$res = sql($sql, $eo); | ||
if(!$res) | ||
$resp['error'] = $eo['error']; | ||
else while($row = db_fetch_assoc($res)) { | ||
if(!count($resp['titles'])) | ||
$resp['titles'] = array_keys($row); | ||
|
||
$resp['data'][] = array_map('htmlspecialchars', array_values($row)); | ||
} | ||
|
||
@header('Content-type: application/json'); | ||
echo json_encode($resp, JSON_PARTIAL_OUTPUT_ON_ERROR); |
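Review bot: the `preg_match('/^SELECT\s+.*?\s+FROM\s+\S+/i', $sql)` gate only inspects the leading keywords, so it is a convenience filter rather than a read-only guarantee: `SELECT ... INTO OUTFILE '...' FROM t` passes, and if the connection permits multiple statements so does `SELECT 1 FROM t; <anything>`. If read-only is the intent, say so in a comment and enforce it either by running these queries on a read-only MySQL account or by additionally rejecting `;`, `INTO` and `FOR UPDATE`. Two smaller points: `trim($_REQUEST['sql'])` emits an undefined-index notice when `sql` is absent (`trim($_REQUEST['sql'] ?? '')`), and the `LIMIT` regex also matches a `LIMIT` inside a subquery or a string literal, in which case the outer `LIMIT 1000` is never appended. An invalid query is a `400 Bad Request`, not `404 Not Found`.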
@@ -1,19 +1,17 @@ | ||
<?php | ||
$currDir=dirname(__FILE__); | ||
require("$currDir/incCommon.php"); | ||
require(__DIR__ . '/incCommon.php'); | ||
|
||
// validate input | ||
$memberID=makeSafe(strtolower($_GET['memberID'])); | ||
$memberID = makeSafe(strtolower($_GET['memberID'])); | ||
|
||
if(!csrf_token(true)) die($Translation['csrf token expired or invalid']); | ||
|
||
sql("delete from membership_users where lcase(memberID)='$memberID'", $eo); | ||
sql("update membership_userrecords set memberID='' where lcase(memberID)='$memberID'", $eo); | ||
$eo = ['silentErrors' => true]; | ||
sql("DELETE FROM `membership_users` WHERE LCASE(`memberID`)='$memberID'", $eo); | ||
sql("UPDATE `membership_userrecords` SET `memberID`='' WHERE LCASE(`memberID`)='$memberID'", $eo); | ||
|
||
if($_SERVER['HTTP_REFERER']) { | ||
redirect($_SERVER['HTTP_REFERER'], TRUE); | ||
} else { | ||
redirect("admin/pageViewMembers.php"); | ||
redirect('admin/pageViewMembers.php'); | ||
} | ||
|
||
?> |
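Review bot: `$eo = ['silentErrors' => true]` on both `sql()` calls means a failed `DELETE FROM membership_users` or a failed `UPDATE membership_userrecords` is swallowed and the admin is redirected as though the member were removed; check `$eo['error']` after each call and surface it, e.g. `if(!empty($eo['error'])) die($eo['error']);`. Running the `UPDATE` first (or both statements in one transaction) also avoids leaving `membership_userrecords` rows pointing at a deleted user when the second statement fails. Minor: `if($_SERVER['HTTP_REFERER'])` emits a notice when the header is absent; `if(!empty($_SERVER['HTTP_REFERER']))` is cleaner.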