Context Navigation

← Previous Change
Next Change →

Version.inc.php

Timestamp:

Nov 24, 2015 5:38:54 PM (8 years ago)

Author:

anonymous

Message:

Escaped quotes from email from names.
Changed logMsg string truncation method and added version to email log msg.
Better variable testing in carry queries.
Spelling errors.
Added runtime cache to Currency.
Added logging to form validation.
More robust form validation.
Added json serialization methond to Version.

File:

: 1 edited

trunk/lib/Version.inc.php (modified) (10 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/lib/Version.inc.php

-                      r532
+                      r550
         // If true, makes an exact comparison of saved vs. live table schemas. If false, just checks that the saved columns are available.
         'db_schema_strict' => true,
+        // Serialization method.
+        // Legacy installations will have been using 'phpserialize' but these should migrate to use 'json' to avoid PHP object injection https://www.owasp.org/index.php/PHP_Object_Injection
+        'serialization_method' => 'phpserialize', // Or 'json'
     );
 …
     public function setParam($params=null)
+    {
+        $app =& App::getInstance();
+        if (isset($params['serialization_method']) && !in_array($params['serialization_method'], ['phpserialize', 'json'])) {
+            trigger_error(sprintf('Invalid serialization_method: %s', $params['serialization_method']), E_USER_ERROR);
+        }
         if (isset($params) && is_array($params)) {
             // Merge new parameters with old overriding only those passed.
 …
         // Clean-up old versions.
         $this->deleteOld($record_table, $record_key, $record_val);
+        // Serialize the DB record.
+        switch ($this->getParam('serialization_method')) {
+        case 'phpserialize':
+            $data = gzcompress(serialize($record), 9);
+            break;
+        case 'json':
+            $data = gzcompress(json_encode($record), 9);
+            break;
+        }
         // Save as new version.
 …
                 '" . $db->escapeString($record_key) . "',
                 '" . $db->escapeString($record_val) . "',
                 '" . $db->escapeString(gzcompress(serialize($record), 9)) . "',
+                '" . $db->escapeString($data) . "',
                 '" . $db->escapeString($title) . "',
                 '" . $db->escapeString($last_version_number + 1) . "',
 …
         // Get version data.
         $qid = $db->query("
+            SELECT * FROM " . $db->escapeString($this->getParam('db_table')) . "
+            SELECT *
+            FROM " . $db->escapeString($this->getParam('db_table')) . "
             WHERE version_id = '" . $db->escapeString($version_id) . "'
         ");
 …
             return false;
+        }
+        $data = unserialize(gzuncompress($record['version_data']));
+        // Unserialize the DB record.
+        switch ($this->getParam('serialization_method')) {
+        case 'phpserialize':
+            $data = unserialize(gzuncompress($record['version_data']));
+            break;
+        case 'json':
+            $data = json_decode(gzuncompress($record['version_data']), true);
+            break;
+        }
         // Ensure saved db columns match current table schema.
 …
                 // First query for oldest records, selecting enough to bring total number down to min_qty.
                 $qid = $db->query("
+                    SELECT version_id FROM " . $db->escapeString($this->getParam('db_table')) . "
+                    SELECT version_id
+                    FROM " . $db->escapeString($this->getParam('db_table')) . "
                     WHERE record_table = '" . $db->escapeString($record_table) . "'
                     AND record_key = '" . $db->escapeString($record_key) . "'
                     AND record_val = '" . $db->escapeString($record_val) . "'
                     ORDER BY version_datetime ASC
                     LIMIT " . ($v_count - $this->getParam('min_qty')) . "
+                    LIMIT " . $db->escapeString($v_count - $this->getParam('min_qty')) . "
                 ");
+                $old_versions = array();
                 while (list($old_id) = mysql_fetch_row($qid)) {
                     $old_versions[] = $old_id;
 …
                 // Delete versions older than min_days, while still keeping min_qty.
                 $qid = $db->query("
+                    SELECT version_id FROM " . $db->escapeString($this->getParam('db_table')) . "
+                    SELECT version_id
+                    FROM " . $db->escapeString($this->getParam('db_table')) . "
                     WHERE record_table = '" . $db->escapeString($record_table) . "'
                     AND record_key = '" . $db->escapeString($record_key) . "'
 …
                     LIMIT " . ($v_count - $this->getParam('min_qty')) . "
                 ");
+                $old_versions = array();
                 while (list($old_id) = mysql_fetch_row($qid)) {
                     $old_versions[] = $old_id;
 …
         // Get version data.
         $qid = $db->query("
+            SELECT * FROM " . $db->escapeString($this->getParam('db_table')) . "
+            SELECT *
+            FROM " . $db->escapeString($this->getParam('db_table')) . "
             WHERE version_id = '" . $db->escapeString($version_id) . "'
         ");
         $record = mysql_fetch_assoc($qid);
         if (isset($record['version_data'])) {
+            return unserialize(gzuncompress($record['version_data']));
+            // Unserialize the DB record.
+            switch ($this->getParam('serialization_method')) {
+            case 'phpserialize':
+                return unserialize(gzuncompress($record['version_data']));
+            case 'json':
+                return json_decode(gzuncompress($record['version_data']));
+            }
         } else {
             return false;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 550 for trunk/lib/Version.inc.php

Legend:

trunk/lib/Version.inc.php

Download in other formats: