@@ -242,8 +242,51 @@ function executeQuery ($SqlStatement, $DBConnectionUID = 'workflow', $aParameter
|
|||||||
{
|
{
|
||||||
$con = Propel::getConnection( $DBConnectionUID );
|
$con = Propel::getConnection( $DBConnectionUID );
|
||||||
$con->begin();
|
$con->begin();
|
||||||
|
G::loadClass('system');
|
||||||
|
$blackList = System::getQueryBlackList();
|
||||||
|
$aListQueries = explode('|', $blackList['queries']);
|
||||||
|
$aListAllTables = explode('|', $blackList['tables'].$blackList['pmtables']);
|
||||||
|
$parseSqlStm = new PHPSQLParser($SqlStatement);
|
||||||
try {
|
try {
|
||||||
|
//Parsing queries and check the blacklist
|
||||||
|
foreach ($parseSqlStm as $key => $value) {
|
||||||
|
if($key === 'parsed'){
|
||||||
|
$aParseSqlStm = $value;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$nameOfTable = '';
|
||||||
|
$arrayOfTables = array();
|
||||||
|
foreach ($aParseSqlStm as $key => $value) {
|
||||||
|
if(in_array($key, $aListQueries)){
|
||||||
|
if(isset($value['table'])){
|
||||||
|
$nameOfTable = $value['table'];
|
||||||
|
} else {
|
||||||
|
foreach ($value as $valueTab) {
|
||||||
|
if(is_array($valueTab)){
|
||||||
|
$arrayOfTables = $valueTab;
|
||||||
|
} else {
|
||||||
|
$nameOfTable = $valueTab;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(isset($nameOfTable)){
|
||||||
|
if(in_array($nameOfTable,$aListAllTables)){
|
||||||
|
G::SendTemporalMessage( 'ID_NOT_EXECUTE_QUERY', 'error', 'labels' );
|
||||||
|
throw new SQLException(G::loadTranslation('ID_NOT_EXECUTE_QUERY'));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!empty($arrayOfTables)) {
|
||||||
|
foreach ($arrayOfTables as $row) {
|
||||||
|
if(in_array($row, $aListAllTables)){
|
||||||
|
G::SendTemporalMessage( 'ID_NOT_EXECUTE_QUERY', 'error', 'labels' );
|
||||||
|
throw new SQLException(G::loadTranslation('ID_NOT_EXECUTE_QUERY'));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$statement = trim( $SqlStatement );
|
$statement = trim( $SqlStatement );
|
||||||
$statement = str_replace( '(', '', $statement );
|
$statement = str_replace( '(', '', $statement );
|
||||||
|
|
||||||
|
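Review bot: The `isset($nameOfTable)` guard in front of the first `in_array` is always true, because `$nameOfTable` is initialised to `''` a few lines earlier, so the check does not express "only when a table name was extracted"; `if ($nameOfTable !== '')` does. In the same loop `$arrayOfTables = $valueTab;` replaces rather than accumulates, so when a parsed node carries more than one array entry only the last one is compared against the table list; `$arrayOfTables = array_merge($arrayOfTables, $valueTab);` keeps them all. `explode('|', $blackList['tables'].$blackList['pmtables'])` joins the two lists with no separator between them, so it only works as long as the stored `tables` value keeps a trailing `|`; `array_merge(explode('|', $blackList['tables']), explode('|', $blackList['pmtables']))` removes that dependency, and both `in_array` calls should pass `true` as the strict flag. If the parser result exposes no `parsed` key, `$aParseSqlStm` is never assigned and the second `foreach` iterates an undefined variable, which skips the whole check instead of rejecting the statement; the rest of executeQuery, including whatever handles the thrown SQLException, lies outside the hunk.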
|||||||
@@ -1163,6 +1163,29 @@ class System
|
|||||||
return $config;
|
return $config;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get information about the queries permitted and tables we can modified
|
||||||
|
* @access public
|
||||||
|
* @param string $globalIniFile
|
||||||
|
* @return array of execute query Black list
|
||||||
|
*/
|
||||||
|
public static function getQueryBlackList($globalIniFile = ''){
|
||||||
|
$config = array();
|
||||||
|
if (empty($globalIniFile)) {
|
||||||
|
$blackListIniFile = PATH_CONFIG . 'execute-query-blacklist.ini';
|
||||||
|
$sysTablesIniFile = PATH_CONFIG . 'system-tables.ini';
|
||||||
|
}
|
||||||
|
// read the global execute-query-blacklist.ini configuration file
|
||||||
|
if(file_exists($blackListIniFile)){
|
||||||
|
$config = @parse_ini_file($blackListIniFile);
|
||||||
|
}
|
||||||
|
if(file_exists($sysTablesIniFile)){
|
||||||
|
$systemTables = @parse_ini_file($sysTablesIniFile);
|
||||||
|
$config['tables'] = $systemTables['tables'];
|
||||||
|
}
|
||||||
|
return $config;
|
||||||
|
}
|
||||||
|
|
||||||
public function updateIndexFile ($conf)
|
public function updateIndexFile ($conf)
|
||||||
{
|
{
|
||||||
if (! file_exists( PATH_HTML . 'index.html' )) {
|
if (! file_exists( PATH_HTML . 'index.html' )) {
|
||||||
|
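Review bot: Passing a non-empty `$globalIniFile` leaves `$blackListIniFile` and `$sysTablesIniFile` undefined, because both are only assigned inside `if (empty($globalIniFile))`, so the documented parameter cannot select a file and the two `file_exists` calls run on undefined variables. The `@parse_ini_file` calls also hide the failure that matters for a blacklist: a missing or malformed `execute-query-blacklist.ini` leaves `$config` without a `queries` entry (or replaces the array with `false`), and the caller's `explode` over `$blackList['queries']` then matches nothing, so the statement check is effectively off rather than failing closed. Treat a `false` return from `parse_ini_file` as an error (throw, as registerSystemTables does on the write side) instead of suppressing it, and guard the read with `if (isset($systemTables['tables'])) { $config['tables'] = $systemTables['tables']; }` so a partial file cannot raise a notice and store `null`. The `System` class continues outside the hunk.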
|||||||
@@ -744,6 +744,7 @@ class workspaceTools
|
|||||||
p11835::isApplicable();
|
p11835::isApplicable();
|
||||||
$systemSchema = System::getSystemSchema($this->dbAdapter);
|
$systemSchema = System::getSystemSchema($this->dbAdapter);
|
||||||
$systemSchemaRbac = System::getSystemSchemaRbac($this->dbAdapter);// get the Rbac Schema
|
$systemSchemaRbac = System::getSystemSchemaRbac($this->dbAdapter);// get the Rbac Schema
|
||||||
|
$this->registerSystemTables(array_merge($systemSchema,$systemSchemaRbac));
|
||||||
$this->upgradeSchema( $systemSchema );
|
$this->upgradeSchema( $systemSchema );
|
||||||
$this->upgradeSchema( $systemSchemaRbac, false, true, $onedb ); // perform Upgrade to Rbac
|
$this->upgradeSchema( $systemSchemaRbac, false, true, $onedb ); // perform Upgrade to Rbac
|
||||||
$this->upgradeData();
|
$this->upgradeData();
|
||||||
@@ -2279,4 +2280,22 @@ class workspaceTools
|
|||||||
throw $e;
|
throw $e;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
/**
|
||||||
|
* Register system tables in a file
|
||||||
|
*
|
||||||
|
* return void
|
||||||
|
*/
|
||||||
|
public static function registerSystemTables($aSquema){
|
||||||
|
//Register all tables
|
||||||
|
$sListTables = '';
|
||||||
|
foreach ($aSquema as $key => $value) {
|
||||||
|
$sListTables .= $key .'|';
|
||||||
|
}
|
||||||
|
|
||||||
|
$sysTablesIniFile= PATH_CONFIG . 'system-tables.ini';
|
||||||
|
$contents = file_put_contents( $sysTablesIniFile, sprintf( "%s '%s'\n", "tables = ", $sListTables ) );
|
||||||
|
if ($contents === null) {
|
||||||
|
throw (new Exception( G::LoadTranslation('ID_FILE_NOT_WRITEABLE', SYS_LANG, array($sysTablesIniFile) ) ));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
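Review bot: The write-failure check `if ($contents === null)` can never fire, because `file_put_contents` returns `false` on failure and the byte count otherwise, so an unwritable `system-tables.ini` is silently ignored and the table list that getQueryBlackList later reads stays stale; use `if ($contents === false)`. The trailing `|` the loop leaves in `$sListTables` appears to be load-bearing, since the consumer concatenates this value with `pmtables` before exploding it, which deserves a comment such as `// trailing '|' is required: the consumer concatenates this list with pmtables`. The docblock should read `@param array $aSquema` and `@return void` (the `return void` line lacks the `@`). The hunk at line 744 invokes this static method as `$this->registerSystemTables(...)`; `self::registerSystemTables(...)` matches its declaration.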
|||||||
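--- /dev/null
+++ b/workflow/engine/config/execute-query-blacklist.ini
@@ -0,0 +1,6 @@
+;The separator parameter is |
+;Setting statements - Statements can not allowed in the execution, example queries="INSERT|UPDATE|REPLACE|DELETE"
+queries = "INSERT|UPDATE|REPLACE|DELETE"
+
+;Setting tables - Tables that can not apply sentences, pmtables="PMTABLE1|PMTABLE2"
+pmtables = ""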
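Review bot: The file is added with the executable bit set (`Executable file` in the section header), which a configuration `.ini` does not need; it should be committed as a regular file. The `queries` value is a deny-list of four DML keywords, so any statement type not named here passes the check in executeQuery; an allow-list of the statement types that are permitted would fail closed when a new type appears. `pmtables` ships empty while `tables` appears to be generated into a separate `system-tables.ini` during upgrade, so the comment above `pmtables` could say that this file is the only one administrators are meant to edit.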