source: trunk/admin/user_list_backend.php @ 26050

Last change on this file since 26050 was 26050, checked in by plg, 10 years ago

feature 1668: protect dataTables backend script (ajax called, serverside processing)

<?php
// Bootstrap the gallery core; the root path is relative to this admin script.
define('PHPWG_ROOT_PATH', '../');
define('IN_ADMIN', true);

include_once(PHPWG_ROOT_PATH.'include/common.inc.php');

// This endpoint returns every user's username and e-mail address, so it is
// gated on administrator status before any request parameter is read.
// check_status() is relied upon to stop the script for lower privileges;
// nothing further down re-checks authorisation.
check_status(ACCESS_ADMINISTRATOR);
8       
9/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
10 * Easy set variables
11 */
12       
/* Columns read from the database and sent back to DataTables, in the order
 * the client-side table expects them.  This array doubles as the whitelist
 * for client-supplied sort column indexes: only names listed here can reach
 * the generated SQL.  A single-space entry stands for a non-database column
 * (a counter, a static image) and is skipped by the code below. */
$aColumns = array('id', 'username', 'status', 'mail_address', 'registration_date');

/* Column used for the unfiltered COUNT() (table cardinality) query. */
$sIndexColumn = 'id';

/* FROM clause: users joined with their user_infos row.
 * NOTE(review): `id` is left unqualified in the join condition; this is only
 * unambiguous while the user_infos table has no `id` column of its own —
 * confirm against the schema. */
$sTable = sprintf('%s INNER JOIN %s AS ui ON id = ui.user_id', USERS_TABLE, USER_INFOS_TABLE);
23
24/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
25 * If you just want to use the basic configuration for DataTables with PHP server-side, there is
26 * no need to edit below this line
27 */
28
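/*
 * Paging
 *
 * iDisplayStart / iDisplayLength are client-supplied and are interpolated
 * into the LIMIT clause *unquoted*.  Quote-escaping (the previous
 * pwg_db_real_escape_string() call) does nothing for an unquoted numeric
 * position, so the values are coerced to non-negative integers instead.
 * A length of -1 is DataTables' "show all rows" and disables the clause;
 * a missing or non-numeric length no longer yields a malformed query.
 */
$sLimit = '';
if (isset($_REQUEST['iDisplayStart']))
{
  $iDisplayStart = max(0, intval($_REQUEST['iDisplayStart']));
  $iDisplayLength = isset($_REQUEST['iDisplayLength'])
    ? intval($_REQUEST['iDisplayLength'])
    : -1;

  if ($iDisplayLength >= 0)
  {
    $sLimit = 'LIMIT '.$iDisplayStart.', '.$iDisplayLength;
  }
}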
38       
39       
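/*
 * Ordering
 *
 * Both the column index and the sort direction come from the client and end
 * up unquoted in the ORDER BY clause, where quote-escaping is no defence.
 * The column is therefore resolved only through $aColumns (a fixed
 * whitelist) and the direction is restricted to the literals ASC / DESC;
 * anything else is never interpolated.  The number of sort columns is
 * capped at count($aColumns) so a huge iSortingCols cannot spin the loop.
 * $sOrder is always defined on exit (empty string when nothing applies).
 */
$sOrder = '';
if (isset($_REQUEST['iSortCol_0']))
{
  $aOrderParts = array();
  $iSortingCols = isset($_REQUEST['iSortingCols'])
    ? min(intval($_REQUEST['iSortingCols']), count($aColumns))
    : 0;

  for ($i = 0; $i < $iSortingCols; $i++)
  {
    if (!isset($_REQUEST['iSortCol_'.$i]))
    {
      continue;
    }
    $iSortCol = intval($_REQUEST['iSortCol_'.$i]);

    // the index must point at a real, whitelisted DB column ...
    if (!isset($aColumns[$iSortCol]) || $aColumns[$iSortCol] == ' ')
    {
      continue;
    }
    // ... that the client flagged as sortable
    if (!isset($_REQUEST['bSortable_'.$iSortCol]) || $_REQUEST['bSortable_'.$iSortCol] != 'true')
    {
      continue;
    }

    // direction: only ASC or DESC may reach the SQL text; default to ASC
    $sSortDir = isset($_REQUEST['sSortDir_'.$i]) && is_string($_REQUEST['sSortDir_'.$i])
      ? strtoupper($_REQUEST['sSortDir_'.$i])
      : 'ASC';
    if ($sSortDir != 'ASC' && $sSortDir != 'DESC')
    {
      $sSortDir = 'ASC';
    }

    $aOrderParts[] = $aColumns[$iSortCol].' '.$sSortDir;
  }

  if (count($aOrderParts) > 0)
  {
    $sOrder = 'ORDER BY '.implode(', ', $aOrderParts);
  }
}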
61       
62       
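/*
 * Filtering (global search box)
 *
 * NOTE this does not match the built-in DataTables filtering, which works
 * word by word on any field.  That would be possible here, but it is costly
 * on very large tables and MySQL's regex support is very limited.
 *
 * The search term is placed inside a quoted SQL literal, so
 * pwg_db_real_escape_string() is the correct defence.  LIKE wildcards
 * (% and _) are intentionally not escaped: they only widen the match on an
 * admin-only listing.  Placeholder columns (' ') have no DB counterpart and
 * are skipped so the generated SQL stays valid.  Non-string values (e.g.
 * sSearch[]=x) are ignored rather than stringified.
 */
$sWhere = '';
if (isset($_REQUEST['sSearch']) && is_string($_REQUEST['sSearch']) && $_REQUEST['sSearch'] != '')
{
  $sSearch = pwg_db_real_escape_string($_REQUEST['sSearch']);
  $aSearchParts = array();
  foreach ($aColumns as $sColumn)
  {
    if ($sColumn != ' ')
    {
      $aSearchParts[] = $sColumn." LIKE '%".$sSearch."%'";
    }
  }
  if (count($aSearchParts) > 0)
  {
    $sWhere = 'WHERE ('.implode(' OR ', $aSearchParts).')';
  }
}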
80       
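/* Individual column filtering.
 *
 * Column i may carry its own term (sSearch_i) when the client flagged it
 * searchable (bSearchable_i).  As with the global search, the term is quoted
 * and escaped while the column name itself only ever comes from $aColumns.
 * Per-column terms are ANDed onto whatever the global filter produced.
 * Missing parameters are skipped instead of raising undefined-index notices,
 * and placeholder columns (' ') never reach the SQL. */
foreach ($aColumns as $i => $sColumn)
{
  if ($sColumn == ' ')
  {
    continue;
  }
  if (!isset($_REQUEST['bSearchable_'.$i]) || $_REQUEST['bSearchable_'.$i] != 'true')
  {
    continue;
  }
  if (!isset($_REQUEST['sSearch_'.$i])
      || !is_string($_REQUEST['sSearch_'.$i])
      || $_REQUEST['sSearch_'.$i] == '')
  {
    continue;
  }

  $sWhere .= ($sWhere == '') ? 'WHERE ' : ' AND ';
  $sWhere .= $sColumn." LIKE '%".pwg_db_real_escape_string($_REQUEST['sSearch_'.$i])."%' ";
}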
97       
98       
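/*
 * SQL queries
 * Get data to display
 *
 * This block is the sink: every fragment interpolated below must already
 * be trusted.  The column list is drawn from $aColumns, $sTable is fixed,
 * and $sWhere / $sOrder / $sLimit were built upstream from escaped or
 * whitelisted request values.  Nothing here re-validates them.
 */

/* Placeholder entries (' ') are not DB columns and must not be selected. */
$aSelectColumns = array();
foreach ($aColumns as $sColumn)
{
  if ($sColumn != ' ')
  {
    $aSelectColumns[] = $sColumn;
  }
}

$sQuery = '
  SELECT SQL_CALC_FOUND_ROWS '.implode(', ', $aSelectColumns).'
  FROM   '.$sTable.'
  '.$sWhere.'
  '.(isset($sOrder) ? $sOrder : '').'
  '.$sLimit.'
';
$rResult = pwg_query($sQuery);

/* Data set length after filtering.
 * FOUND_ROWS() reports on the last SQL_CALC_FOUND_ROWS statement of this
 * connection, so this query must stay immediately after the one above.
 * NOTE(review): SQL_CALC_FOUND_ROWS is MySQL-specific and deprecated since
 * MySQL 8.0.17; a separate COUNT(*) with the same $sWhere is the portable
 * replacement. */
$sQuery = 'SELECT FOUND_ROWS()';
$rResultFilterTotal = pwg_query($sQuery);
$aResultFilterTotal = pwg_db_fetch_array($rResultFilterTotal);
$iFilteredTotal = $aResultFilterTotal[0];

/* Total data set length (unfiltered). */
$sQuery = '
  SELECT COUNT('.$sIndexColumn.')
  FROM   '.$sTable.'
';
$rResultTotal = pwg_query($sQuery);
$aResultTotal = pwg_db_fetch_array($rResultTotal);
$iTotal = $aResultTotal[0];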
128       
129       
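/*
 * Output
 *
 * sEcho is a client-supplied draw counter that DataTables expects echoed
 * back; it is cast to int so nothing attacker-controlled is reflected
 * verbatim.  The two totals come back from the driver as strings and are
 * cast to int so the JSON carries numbers.  The body is served as JSON so
 * browsers do not content-sniff it as HTML.
 */
header('Content-Type: application/json');

$output = array(
  'sEcho' => isset($_REQUEST['sEcho']) ? intval($_REQUEST['sEcho']) : 0,
  'iTotalRecords' => intval($iTotal),
  'iTotalDisplayRecords' => intval($iFilteredTotal),
  'aaData' => array(),
);

while ($aRow = pwg_db_fetch_array($rResult))
{
  $row = array();
  foreach ($aColumns as $sColumn)
  {
    if ($sColumn == 'status')
    {
      // translate the raw status key into the localised admin label
      $row[] = l10n('user_status_'.$aRow[$sColumn]);
    }
    else if ($sColumn != ' ')
    {
      /* General output: the raw DB value.  No HTML escaping happens here;
       * username and mail_address are user-influenced, so the client-side
       * DataTables configuration must escape these cells before rendering
       * them or they become stored XSS in the admin page.
       * NOTE(review): confirm the JS side does so. */
      $row[] = $aRow[$sColumn];
    }
  }
  $output['aaData'][] = $row;
}

echo json_encode($output);

// No closing PHP tag: any whitespace after it would be appended to the JSON
// body and break the client-side parse.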