source: trunk/admin/history.php @ 4304

Revision 4304, 18.6 KB checked in by Eric, 10 years ago (diff)

Escape all login and username characters in database
Display correctly usernames

(I hope not to have made mistakes)

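<?php
// +-----------------------------------------------------------------------+
// | Piwigo - a PHP based picture gallery                                  |
// +-----------------------------------------------------------------------+
// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
// +-----------------------------------------------------------------------+
// | This program is free software; you can redistribute it and/or modify  |
// | it under the terms of the GNU General Public License as published by  |
// | the Free Software Foundation                                          |
// |                                                                       |
// | This program is distributed in the hope that it will be useful, but   |
// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
// | General Public License for more details.                              |
// |                                                                       |
// | You should have received a copy of the GNU General Public License     |
// | along with this program; if not, write to the Free Software           |
// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
// | USA.                                                                  |
// +-----------------------------------------------------------------------+

/**
 * Display filtered history lines
 *
 * Administration page: the filter form is turned into a set of search
 * rules stored in SEARCH_TABLE, then the page identified by the search_id
 * GET parameter is rendered from the lines the 'get_history' event returns.
 */

// +-----------------------------------------------------------------------+
// |                              functions                                |
// +-----------------------------------------------------------------------+

// +-----------------------------------------------------------------------+
// |                           initialization                              |
// +-----------------------------------------------------------------------+

if (!defined('PHPWG_ROOT_PATH'))
{
  die('Hacking attempt!');
}

include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
include_once(PHPWG_ROOT_PATH.'admin/include/functions_history.inc.php');

// pagination offset. is_numeric() also accepts floats, exponents and
// negative values, so normalize to a non-negative integer before the value
// is used in the line window arithmetic and in the navigation bar
if (isset($_GET['start']) and is_numeric($_GET['start']))
{
  $page['start'] = max(0, intval($_GET['start']));
}
else
{
  $page['start'] = 0;
}

// allowed values for the "types" filter and for the thumbnail display mode
$types = array('none', 'picture', 'high', 'other');
$display_thumbnails = array('no_display_thumbnail', 'display_thumbnail_classic', 'display_thumbnail_hoverbox');

// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok                      |
// +-----------------------------------------------------------------------+

check_status(ACCESS_ADMINISTRATOR);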
61
62// +-----------------------------------------------------------------------+
63// | Build search criteria and redirect to results                         |
64// +-----------------------------------------------------------------------+
65
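$page['errors'] = array();
$search = array();

if (isset($_POST['submit']))
{
  // dates: a bound is only taken into account when its year is given
  if (!empty($_POST['start_year']))
  {
    $search['fields']['date-after'] = sprintf(
      '%d-%02d-%02d',
      $_POST['start_year'],
      $_POST['start_month'],
      $_POST['start_day']
      );
  }

  if (!empty($_POST['end_year']))
  {
    $search['fields']['date-before'] = sprintf(
      '%d-%02d-%02d',
      $_POST['end_year'],
      $_POST['end_month'],
      $_POST['end_day']
      );
  }

  // element types: only values of the $types list are meaningful, an empty
  // (or entirely unknown) selection means "all types"
  $search['fields']['types'] = $types;
  if (!empty($_POST['types']) and is_array($_POST['types']))
  {
    $selected_types = array_values(array_intersect($_POST['types'], $types));
    if (count($selected_types) > 0)
    {
      $search['fields']['types'] = $selected_types;
    }
  }

  // user id coming from the select box, null when the field is missing.
  // NOTE(review): not validated here, presumably the get_history handler
  // casts/escapes it before building its query - confirm against that code
  $search['fields']['user'] = isset($_POST['user']) ? $_POST['user'] : null;

  if (!empty($_POST['image_id']))
  {
    $search['fields']['image_id'] = intval($_POST['image_id']);
  }

  if (!empty($_POST['filename']))
  {
    // '*' is the user-facing wildcard, '%' the SQL one. The value is escaped
    // now because it is stored as-is and presumably embedded later in a LIKE
    // clause by the get_history handler - confirm against that code
    $search['fields']['filename'] = str_replace(
      '*',
      '%',
      mysql_real_escape_string($_POST['filename'])
      );
  }

  $search['fields']['display_thumbnail'] =
    isset($_POST['display_thumbnail']) ? $_POST['display_thumbnail'] : null;
  // Display choice is also saved to one cookie: hoverbox is the default so
  // it is not stored, an unknown value clears the cookie
  $cookie_val = ($search['fields']['display_thumbnail']!=$display_thumbnails[2] and in_array($search['fields']['display_thumbnail'], $display_thumbnails)) ? $search['fields']['display_thumbnail']:null;
  pwg_set_cookie_var('history_display_thumbnail', $cookie_val, strtotime('+1 month') );

  // TODO manage inconsistency of having $_POST['image_id'] and
  // $_POST['filename'] simultaneously

  if (!empty($search))
  {
    // register search rules in database, then they will be available on
    // thumbnails page and picture page. The serialized string carries raw
    // form values and may contain quotes, so it is escaped as a whole:
    // escaping only protects the query, the stored bytes are the exact
    // serialize() output and unserialize() gets them back intact (escaping
    // the fields before serialize() would break the recorded string lengths)
    $query ='
INSERT INTO '.SEARCH_TABLE.'
  (rules)
  VALUES
  (\''.mysql_real_escape_string(serialize($search)).'\')
;';
    pwg_query($query);

    $search_id = mysql_insert_id();

    redirect(
      PHPWG_ROOT_PATH.'admin.php?page=history&search_id='.$search_id
      );
  }
  else
  {
    // only reached when no field at all was set; as 'user', 'types' and
    // 'display_thumbnail' are always assigned above this branch is in
    // practice never taken
    array_push($page['errors'], l10n('search_one_clause_at_least'));
  }
}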
150
151// +-----------------------------------------------------------------------+
152// |                             template init                             |
153// +-----------------------------------------------------------------------+
154
$template->set_filename('history', 'history.tpl');

// TabSheet initialization
history_tabsheet();

// help popup and form target of the filter form
$history_page_vars = array();
$history_page_vars['U_HELP'] = PHPWG_ROOT_PATH.'popuphelp.php?page=history';
$history_page_vars['F_ACTION'] = get_root_url().'admin.php?page=history';
$template->assign($history_page_vars);
166
167// +-----------------------------------------------------------------------+
168// |                             history lines                             |
169// +-----------------------------------------------------------------------+
170
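if (isset($_GET['search_id'])
    and $page['search_id'] = (int)$_GET['search_id'])
{
  // what are the lines to display in reality ? The rules were stored as a
  // serialized array when the filter form was submitted
  $query = '
SELECT rules
  FROM '.SEARCH_TABLE.'
  WHERE id = '.$page['search_id'].'
;';
  $result = pwg_query($query);
  $row = ($result !== false) ? mysql_fetch_row($result) : false;

  // NOTE(review): unserialize() of database content. The only writer of
  // SEARCH_TABLE.rules visible in this file is the serialize() of the form
  // handler above; confirm no other code path stores user-supplied data there
  $page['search'] = is_array($row) ? unserialize($row[0]) : false;

  if (!is_array($page['search']))
  {
    // unknown, purged or corrupted search: nothing below can work without
    // rules, so stop the same way the user_id check does
    die('search_id GET parameter does not match any stored search');
  }

  if (isset($_GET['user_id']))
  {
    if (!is_numeric($_GET['user_id']))
    {
      die('user_id GET parameter must be an integer value');
    }

    // is_numeric() also accepts "1.5" or "1e2": keep an integer user id
    $page['search']['fields']['user'] = (int)$_GET['user_id'];

    // the rules may contain quotes (filename filter...): escape the
    // serialized string as a whole, only the query is affected and the
    // stored bytes are the plain serialize() output
    $query ='
INSERT INTO '.SEARCH_TABLE.'
  (rules)
  VALUES
  (\''.mysql_real_escape_string(serialize($page['search'])).'\')
;';
    pwg_query($query);

    $search_id = mysql_insert_id();

    redirect(
      PHPWG_ROOT_PATH.'admin.php?page=history&search_id='.$search_id
      );
  }

  // the history lines themselves come from the 'get_history' event handlers
  $data = trigger_event('get_history', array(), $page['search'], $types);
  usort($data, 'history_compare');

  $page['nb_lines'] = count($data);

  // collect the ids referenced by the lines, the reference data (names,
  // files...) is then fetched with one query per table
  $history_lines = $data;
  $user_ids = array();
  $username_of = array();
  $category_ids = array();
  $image_ids = array();
  $tag_ids = array();

  foreach ($data as $row)
  {
    $user_ids[$row['user_id']] = 1;

    if (isset($row['category_id']))
    {
      $category_ids[$row['category_id']] = 1;
    }

    if (isset($row['image_id']))
    {
      $image_ids[$row['image_id']] = 1;
    }

    if (isset($row['tag_ids']))
    {
      foreach (explode(',', $row['tag_ids']) as $tag_id)
      {
        array_push($tag_ids, $tag_id);
      }
    }
  }

  // prepare reference data (users, tags, categories...). The ids are taken
  // from the history rows (assumed integer columns) and inlined in IN (...)
  if (count($user_ids) > 0)
  {
    $query = '
SELECT '.$conf['user_fields']['id'].' AS id
     , '.$conf['user_fields']['username'].' AS username
  FROM '.USERS_TABLE.'
  WHERE id IN ('.implode(',', array_keys($user_ids)).')
;';
    $result = pwg_query($query);

    // usernames are stored escaped (see revision message), undo it for display
    $username_of = array();
    while ($row = mysql_fetch_assoc($result))
    {
      $username_of[$row['id']] = stripslashes($row['username']);
    }
  }

  if (count($category_ids) > 0)
  {
    $query = '
SELECT id, uppercats
  FROM '.CATEGORIES_TABLE.'
  WHERE id IN ('.implode(',', array_keys($category_ids)).')
;';
    $uppercats_of = simple_hash_from_query($query, 'id', 'uppercats');

    $name_of_category = array();

    foreach ($uppercats_of as $category_id => $uppercats)
    {
      $name_of_category[$category_id] = get_cat_display_name_cache(
        $uppercats
        );
    }
  }

  if (count($image_ids) > 0)
  {
    $query = '
SELECT
    id,
    IF(name IS NULL, file, name) AS label,
    filesize,
    high_filesize,
    file,
    path,
    tn_ext
  FROM '.IMAGES_TABLE.'
  WHERE id IN ('.implode(',', array_keys($image_ids)).')
;';
    $label_of_image = array();
    $filesize_of_image = array();
    $high_filesize_of_image = array();
    $file_of_image = array();
    $path_of_image = array();
    $tn_ext_of_image = array();

    $result = pwg_query($query);
    while ($row = mysql_fetch_assoc($result))
    {
      $label_of_image[ $row['id'] ] = $row['label'];

      // filesize columns may be NULL, such images are then not counted in
      // the total filesize of the summary
      if (isset($row['filesize']))
      {
        $filesize_of_image[ $row['id'] ] = $row['filesize'];
      }

      if (isset($row['high_filesize']))
      {
        $high_filesize_of_image[ $row['id'] ] = $row['high_filesize'];
      }

      $file_of_image[ $row['id'] ] = $row['file'];
      $path_of_image[ $row['id'] ] = $row['path'];
      $tn_ext_of_image[ $row['id'] ] = $row['tn_ext'];
    }
  }

  if (count($tag_ids) > 0)
  {
    $tag_ids = array_unique($tag_ids);

    $query = '
SELECT
    id,
    name
  FROM '.TAGS_TABLE.'
  WHERE id IN ('.implode(', ', $tag_ids).')
;';
    $name_of_tag = array();

    $result = pwg_query($query);
    while ($row = mysql_fetch_assoc($result))
    {
      $name_of_tag[ $row['id'] ] = $row['name'];
    }
  }

  // the summary is computed on every line, only the [first_line, last_line]
  // window is sent to the template
  $i = 0;
  $first_line = $page['start'] + 1;
  $last_line = $page['start'] + $conf['nb_logs_page'];

  $summary['total_filesize'] = 0;
  $summary['guests_IP'] = array();

  foreach ($history_lines as $line)
  {
    // FIXME when we watch the representative of a non image element, it is
    // the not the representative filesize that is counted (as it is
    // unknown) but the non image element filesize. Proposed solution: add
    // #images.representative_filesize and add 'representative' in the
    // choices of #history.image_type.

    if (isset($line['image_type']))
    {
      if ($line['image_type'] == 'high')
      {
        if (isset($high_filesize_of_image[$line['image_id']]))
        {
          $summary['total_filesize']+=
            $high_filesize_of_image[$line['image_id']];
        }
      }
      else
      {
        if (isset($filesize_of_image[$line['image_id']]))
        {
          $summary['total_filesize']+=
            $filesize_of_image[$line['image_id']];
        }
      }
    }

    // guests are counted by distinct IP address
    if ($line['user_id'] == $conf['guest_id'])
    {
      if (!isset($summary['guests_IP'][ $line['IP'] ]))
      {
        $summary['guests_IP'][ $line['IP'] ] = 0;
      }

      $summary['guests_IP'][ $line['IP'] ]++;
    }

    $i++;

    if ($i < $first_line or $i > $last_line)
    {
      continue;
    }

    // NOTE(review): username, image label and category name are inserted
    // into HTML below without htmlspecialchars(); confirm they are stored
    // already HTML-safe, otherwise a crafted name is rendered as markup
    $user_string = '';
    if (isset($username_of[$line['user_id']]))
    {
      $user_string.= $username_of[$line['user_id']];
    }
    else
    {
      $user_string.= $line['user_id'];
    }
    $user_string.= '&nbsp;<a href="';
    $user_string.= PHPWG_ROOT_PATH.'admin.php?page=history';
    $user_string.= '&amp;search_id='.$page['search_id'];
    $user_string.= '&amp;user_id='.$line['user_id'];
    $user_string.= '">+</a>';

    $tags_string = '';
    if (isset($line['tag_ids']))
    {
      // map each id to its name, unknown ids give an empty name. This used
      // to be a preg_replace() with the /e (eval) modifier, which PHP 7
      // no longer supports
      $tag_names = array();
      foreach (explode(',', $line['tag_ids']) as $tag_id)
      {
        $tag_id = trim($tag_id);
        $tag_names[] = isset($name_of_tag[$tag_id]) ? $name_of_tag[$tag_id] : '';
      }
      $tags_string = implode(', ', $tag_names);
    }

    $image_string = '';
    if (isset($line['image_id']))
    {
      $picture_url = make_picture_url(
        array(
          'image_id' => $line['image_id'],
          )
        );

      $element = array(
           'id' => $line['image_id'],
           'file' => $file_of_image[$line['image_id']],
           'path' => $path_of_image[$line['image_id']],
           'tn_ext' => $tn_ext_of_image[$line['image_id']],
           );

      $image_title = '('.$line['image_id'].')';

      if (isset($label_of_image[$line['image_id']]))
      {
        $image_title.= ' '.$label_of_image[$line['image_id']];
      }
      else
      {
        $image_title.= ' unknown filename';
      }

      // an unknown display mode leaves the image cell empty
      switch ($page['search']['fields']['display_thumbnail'])
      {
        case 'no_display_thumbnail':
        {
          $image_string= '<a href="'.$picture_url.'">'.$image_title.'</a>';
          break;
        }
        case 'display_thumbnail_classic':
        {
          $image_string =
            '<a class="thumbnail" href="'.$picture_url.'">'
            .'<span><img src="'.get_thumbnail_url($element)
            .'" alt="'.$image_title.'" title="'.$image_title.'">'
            .'</span></a>';
          break;
        }
        case 'display_thumbnail_hoverbox':
        {
          $image_string =
            '<a class="over" href="'.$picture_url.'">'
            .'<span><img src="'.get_thumbnail_url($element)
            .'" alt="'.$image_title.'" title="'.$image_title.'">'
            .'</span>'.$image_title.'</a>';
          break;
        }
      }
    }

    $template->append(
      'search_results',
      array(
        'DATE'      => $line['date'],
        'TIME'      => $line['time'],
        'USER'      => $user_string,
        'IP'        => $line['IP'],
        'IMAGE'     => $image_string,
        'TYPE'      => $line['image_type'],
        'SECTION'   => $line['section'],
        'CATEGORY'  => isset($line['category_id'])
          ? ( isset($name_of_category[$line['category_id']])
                ? $name_of_category[$line['category_id']]
                : 'deleted '.$line['category_id'] )
          : '',
        'TAGS'       => $tags_string,
        )
      );
  }

  $summary['nb_guests'] = 0;
  if (count($summary['guests_IP']) > 0)
  {
    $summary['nb_guests'] = count($summary['guests_IP']);

    // we delete the "guest" from the $username_of hash so that it is
    // avoided in next steps
    unset($username_of[ $conf['guest_id'] ]);
  }

  $summary['nb_members'] = count($username_of);

  $member_strings = array();
  foreach ($username_of as $user_id => $user_name)
  {
    $member_string = $user_name.'&nbsp;<a href="';
    $member_string.= get_root_url().'admin.php?page=history';
    $member_string.= '&amp;search_id='.$page['search_id'];
    $member_string.= '&amp;user_id='.$user_id;
    $member_string.= '">+</a>';

    $member_strings[] = $member_string;
  }

  $template->assign(
    'search_summary',
    array(
      'NB_LINES' => l10n_dec(
        '%d line filtered', '%d lines filtered',
        $page['nb_lines']
        ),
      'FILESIZE' => $summary['total_filesize'].' KB',
      'USERS' => l10n_dec(
        '%d user', '%d users',
        $summary['nb_members'] + $summary['nb_guests']
        ),
      'MEMBERS' => sprintf(
        l10n_dec('%d member', '%d members', $summary['nb_members']).': %s',
        implode(
          ', ',
          $member_strings
          )
        ),
      'GUESTS' => l10n_dec(
        '%d guest', '%d guests',
        $summary['nb_guests']
        ),
      )
    );
}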
558
559// +-----------------------------------------------------------------------+
560// |                            navigation bar                             |
561// +-----------------------------------------------------------------------+
562
if (isset($page['search_id']))
{
  // page links keep every current query parameter except "start", which
  // the navigation bar sets itself for each page
  $navbar_url = get_root_url().'admin.php'.get_query_string_diff(array('start'));

  $template->assign(
    'navbar',
    create_navigation_bar(
      $navbar_url,
      $page['nb_lines'],
      $page['start'],
      $conf['nb_logs_page']
      )
    );
}
574
575// +-----------------------------------------------------------------------+
576// |                             filter form                               |
577// +-----------------------------------------------------------------------+
578
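$form = array();

if (isset($page['search']))
{
  // rebuild the form values from the stored rules, so that the filter form
  // reflects the search currently displayed
  if (isset($page['search']['fields']['date-after']))
  {
    $tokens = explode('-', $page['search']['fields']['date-after']);

    $form['start_year']  = (int)$tokens[0];
    $form['start_month'] = (int)$tokens[1];
    $form['start_day']   = (int)$tokens[2];
  }

  if (isset($page['search']['fields']['date-before']))
  {
    $tokens = explode('-', $page['search']['fields']['date-before']);

    $form['end_year']  = (int)$tokens[0];
    $form['end_month'] = (int)$tokens[1];
    $form['end_day']   = (int)$tokens[2];
  }

  $form['types'] = isset($page['search']['fields']['types'])
    ? $page['search']['fields']['types']
    : $types;

  // optional fields: null when the stored search did not set them. Explicit
  // isset() instead of the former error-suppressed @$... reads
  foreach (array('user', 'image_id', 'filename', 'display_thumbnail') as $field)
  {
    $form[$field] = isset($page['search']['fields'][$field])
      ? $page['search']['fields'][$field]
      : null;
  }
}
else
{
  // by default, at page load, we want the selected date to be the current
  // date
  $form['start_year']  = $form['end_year']  = date('Y');
  $form['start_month'] = $form['end_month'] = date('n');
  $form['start_day']   = $form['end_day']   = date('j');
  $form['types'] = $types;
  // Hoverbox by default, unless the cookie remembers another choice
  $form['display_thumbnail'] =
    pwg_get_cookie_var('history_display_thumbnail', $display_thumbnails[2]);
}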
629
630
// month names for the date selects, with a blank "no month" entry at index 0
$month_list = array(0 => '------------') + $lang['month'];
ksort($month_list);
634
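// keys the template reads but that a stored search may not have set:
// default them explicitly instead of reading them with error suppression
$form += array(
  'image_id' => null,
  'filename' => null,
  'start_day' => null,
  'start_month' => null,
  'start_year' => null,
  'end_day' => null,
  'end_month' => null,
  'end_year' => null,
  'user' => null,
  'types' => $types,
  'display_thumbnail' => null,
  );

$template->assign(
  array(
    'IMAGE_ID' => $form['image_id'],
    'FILENAME' => $form['filename'],

    'month_list' => $month_list,

    'START_DAY_SELECTED' => $form['start_day'],
    'START_MONTH_SELECTED' => $form['start_month'],
    'START_YEAR' => $form['start_year'],

    'END_DAY_SELECTED' => $form['end_day'],
    'END_MONTH_SELECTED' => $form['end_month'],
    'END_YEAR'   => $form['end_year'],
    )
  );

$template->assign(
    array(
      'type_option_values' => $types,
      'type_option_selected' => $form['types']
    )
  );

// every user for the "user" select box, keyed by id. The column names are
// configurable, hence the aliases; ORDER BY uses the alias
$query = '
SELECT
    '.$conf['user_fields']['id'].' AS id,
    '.$conf['user_fields']['username'].' AS username
  FROM '.USERS_TABLE.'
  ORDER BY username ASC
;';
$template->assign(
  array(
    'user_options' => simple_hash_from_query($query, 'id','username'),
    'user_options_selected' => array($form['user'])
  )
);

$template->assign(
  array(
      'display_thumbnail_values' => $display_thumbnails,
      'display_thumbnail_selected' => array($form['display_thumbnail']),
    )
  );

// +-----------------------------------------------------------------------+
// |                           html code display                           |
// +-----------------------------------------------------------------------+

$template->assign_var_from_handle('ADMIN_CONTENT', 'history');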
686?>