Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-02-07 16:41:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix tool for generic to sql filters. Must not be saved into api files.

Browse Source
This commit is contained in:
Laurent Destailleur
2022-01-01 21:46:16 +01:00
parent 7fd601a29d
commit b41fdb6ec9
5 changed files with 105 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
htdocs/api/class/api.class.php
View File

@@ -302,49 +302,13 @@ class DolibarrApi
{
// phpcs:enable
//$regexstring='\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)';
//$tmp=preg_replace_all('/'.$regexstring.'/', '', $sqlfilters);
$tmp = trim($sqlfilters);
$i = 0; $nb = strlen($tmp);
if ($nb > 0 && $tmp[0] != '(') {
$error = "Bad sqlfilters (first and last characters must be open and closing parenthesis) = ".$sqlfilters;
dol_syslog($error, LOG_WARNING);
return false;
}
$counter = 0;
while ($i < $nb) {
if ($tmp[$i] == '(') {
$counter++;
}
if ($tmp[$i] == ')') {
$counter--;
// TODO: After a closing ), only a " or " or " and " or end of string is allowed.
}
if ($counter < 0) {
$error = "Bad sqlfilters (too many closing parenthesis) = ".$sqlfilters;
dol_syslog($error, LOG_WARNING);
return false;
}
$i++;
}
if ($counter > 0) {
$error = "Bad sqlfilters (too many opening parenthesis) = ".$sqlfilters;
dol_syslog($error, LOG_WARNING);
return false;
}
return true;
return dolCheckFilters($sqlfilters, $error);
}
// phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps
// phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
/**
* Function to forge a SQL criteria
* Function to forge a SQL criteria from a Generic filter string
*
* @param array $matches Array of found string by regex search.
* Each entry is 1 and only 1 criteria.
@@ -353,51 +317,6 @@ class DolibarrApi
*/
protected static function _forge_criteria_callback($matches)
{
// phpcs:enable
global $db;
//dol_syslog("Convert matches ".$matches[1]);
if (empty($matches[1])) {
return '';
}
$tmp = explode(':', $matches[1], 3);
if (count($tmp) < 3) {
return '';
}
// Sanitize operand
$operand = preg_replace('/[^a-z0-9\._]/i', '', trim($tmp[0]));
// Sanitize operator
$operator = strtoupper(preg_replace('/[^a-z<>=]/i', '', trim($tmp[1])));
// Only some operators are allowed.
if (! in_array($operator, array('LIKE', 'ULIKE', '<', '>', '<=', '>=', '=', '<>', 'IS', 'ISNOT', 'IN'))) {
return '';
}
if ($operator == 'ISNOT') {
$operator = 'IS NOT';
}
// Sanitize value
$tmpescaped = trim($tmp[2]);
$regbis = array();
if ($operator == 'IN') {
$tmpescaped = "(".$db->sanitize($tmpescaped, 1).")";
} elseif (in_array($operator, array('<', '>', '<=', '>=', '=', '<>'))) {
if (preg_match('/^\'(.*)\'$/', $tmpescaped, $regbis)) { // If 'YYYY-MM-DD HH:MM:SS+X'
$tmpescaped = "'".$db->escape($regbis[1])."'";
} else {
$tmpescaped = ((float) $tmpescaped);
}
} else {
if (preg_match('/^\'(.*)\'$/', $tmpescaped, $regbis)) {
$tmpescaped = "'".$db->escape($regbis[1])."'";
} else {
$tmpescaped = "'".$db->escape($tmpescaped)."'";
}
}
return $db->escape($operand).' '.$db->escape($operator)." ".$tmpescaped;
return dolForgeCriteriaCallback($matches);
}
}