Hardening
This commit is contained in:
“VeLiTi”
BIN
api/.DS_Store
vendored
BIN
api/.DS_Store
vendored
Binary file not shown.
BIN
api/v0/.DS_Store
vendored
BIN
api/v0/.DS_Store
vendored
Binary file not shown.
@@ -60,12 +60,12 @@ if (!empty($username) && !empty($password)) {
|
||||
}
|
||||
else
|
||||
{
|
||||
http_response_code(203);
|
||||
http_response_code(403);
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
http_response_code(203);
|
||||
http_response_code(403);
|
||||
}
|
||||
$conn->close();
|
||||
}
|
||||
|
||||
BIN
api/v1/.DS_Store
vendored
BIN
api/v1/.DS_Store
vendored
Binary file not shown.
@@ -188,7 +188,8 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'report_usage_servicereports':
|
||||
$sql = 'SELECT YEAR(h.created) AS year, QUARTER(h.created) AS quarter, MONTH(h.created) as month, count(h.rowID) AS count FROM equipment_history h LEFT JOIN equipment e ON h.equipmentid = e.rowID where h.type = "ServiceReport" AND NOT e.productrowid = "31" GROUP BY YEAR(h.created), QUARTER(h.created), MONTH(h.created)';
|
||||
$exclusion = ' AND NOT e.serialnumber = "22050695" AND NOT e.serialnumber = "22020439" AND NOT e.serialnumber = "23060550" AND NOT e.serialnumber = "22020444" ';
|
||||
$sql = 'SELECT YEAR(h.created) AS year, QUARTER(h.created) AS quarter, MONTH(h.created) as month, count(h.rowID) AS count FROM equipment_history h LEFT JOIN equipment e ON h.equipmentid = e.rowID where h.type = "ServiceReport" AND NOT e.productrowid = "31" '.$exclusion.' GROUP BY YEAR(h.created), QUARTER(h.created), MONTH(h.created)';
|
||||
break;
|
||||
|
||||
case 'contract_usage_servicereports':
|
||||
|
||||
@@ -68,7 +68,7 @@ if(isset($get_content) && $get_content!=''){
|
||||
//Filter out only relevant servicereports
|
||||
$filter_key_1 = '"%serialnumber%"';
|
||||
$filter_key_2 = '"ServiceReport"';
|
||||
$clause .= ' AND h.type = '.$filter_key_2.' AND h.description like '.$filter_key_1;
|
||||
$clause .= ' AND h.type = '.$filter_key_2.' AND e.productrowid = "31" AND h.description like '.$filter_key_1;
|
||||
}
|
||||
else {//create clause
|
||||
$clause .= ' AND '.$v[0].' = :'.$v[0];
|
||||
|
||||
BIN
api/v2/.DS_Store
vendored
Normal file
BIN
api/v2/.DS_Store
vendored
Normal file
Binary file not shown.
@@ -80,12 +80,15 @@ foreach ($products as $product) {
|
||||
$version_configurations = [];
|
||||
|
||||
foreach ($product_config as $item) {
|
||||
|
||||
if ($item['productrowid'] == $product['rowID']) {
|
||||
// Initialize version array if it doesn't exist
|
||||
if (!isset($version_configurations[$item['version']])) {
|
||||
|
||||
$version_configurations[$item['version']] = [
|
||||
'version_id' => $item['version'],
|
||||
'config_setting' => $item['config'],
|
||||
'main_option_for_display' => $item['measurement'],
|
||||
'configurations' => []
|
||||
];
|
||||
}
|
||||
@@ -106,7 +109,7 @@ foreach ($products as $product) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Add all version configurations to the catalog
|
||||
$catalog[$product['rowID']]['versions'] = array_values($version_configurations);
|
||||
}
|
||||
|
||||
@@ -68,7 +68,7 @@ if(isset($get_content) && $get_content!=''){
|
||||
//Filter out only relevant servicereports
|
||||
$filter_key_1 = '"%serialnumber%"';
|
||||
$filter_key_2 = '"ServiceReport"';
|
||||
$clause .= ' AND h.type = '.$filter_key_2.' AND h.description like '.$filter_key_1;
|
||||
$clause .= ' AND h.type = '.$filter_key_2.' AND NOT e.productrowid = "31" AND h.description like '.$filter_key_1;
|
||||
}
|
||||
elseif ($v[0] == 'created') {
|
||||
//build up search
|
||||
|
||||
@@ -69,7 +69,7 @@ if (isset($criterias['productrowid']) && $criterias['productrowid'] != ''){
|
||||
}
|
||||
else {
|
||||
//SQL for Paging include name from different tables
|
||||
$sql = 'SELECT pc.*, pv.config,pag.group_mandatory, pag.group_type,
|
||||
$sql = 'SELECT pc.*, pv.config,pv.measurement,pag.group_mandatory, pag.group_type,
|
||||
CASE WHEN p.rowID IS NOT NULL THEN p.productname
|
||||
WHEN pag.group_id IS NOT NULL THEN pag.group_name
|
||||
END AS assignment_name,
|
||||
|
||||
@@ -3,16 +3,17 @@ defined($security_key) or exit;
|
||||
ini_set('display_errors', '1');
|
||||
ini_set('display_startup_errors', '1');
|
||||
error_reporting(E_ALL);
|
||||
|
||||
//------------------------------------------
|
||||
// dealers
|
||||
//------------------------------------------
|
||||
|
||||
//Connect to DB
|
||||
$pdo = dbConnect($dbname);
|
||||
|
||||
//CONTENT FROM API (POST)
|
||||
$post_content = json_decode($input,true);
|
||||
|
||||
|
||||
//CHECK IF REQUEST IS FROM DEALERFINDER
|
||||
if(isset($post_content['bounds'])){
|
||||
//++++++++++++++++++++++
|
||||
@@ -194,6 +195,8 @@ elseif(isset($post_content['dealerfinder'])){
|
||||
}
|
||||
|
||||
//CHECK ALL THE POSTED ITEMS
|
||||
//CHECK ALL THE POSTED ITEMS
|
||||
$orderByParts = [];
|
||||
foreach ($post_content as $key => $value){
|
||||
//GET FILTER CRITERIA
|
||||
if ($key !='submit' && $key !='city' && $key !='range' && $key !='lat' && $key !='lng' && $value !='C'){
|
||||
@@ -204,80 +207,75 @@ elseif(isset($post_content['dealerfinder'])){
|
||||
//check value returned and include SQL
|
||||
switch ($value) {
|
||||
case '1':
|
||||
$sql .= 'case when d.'.$key.' = 1 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 1 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '0':
|
||||
$sql .= 'case when d.'.$key.' = 0 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 0 then 1 else 0 end';
|
||||
break;
|
||||
}
|
||||
//------------------------------------
|
||||
break;
|
||||
|
||||
case ($field_question_2 ?? 'showroom_quality'): //showroom_quality
|
||||
|
||||
//check value returned and include SQL
|
||||
switch ($value) {
|
||||
case '2':
|
||||
$sql .= 'case when d.'.$key.' = 2 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 2 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '1':
|
||||
$sql .= 'case when d.'.$key.' = 1 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 1 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '0':
|
||||
$sql .= 'case when d.'.$key.' = 0 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 0 then 1 else 0 end';
|
||||
break;
|
||||
}
|
||||
//------------------------------------
|
||||
break;
|
||||
|
||||
case ($field_question_3 ?? 'showroom_size'): //showroom_size
|
||||
|
||||
//check value returned and include SQL
|
||||
switch ($value) {
|
||||
case '2':
|
||||
$sql .= 'case when d.'.$key.' = 2 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 2 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '1':
|
||||
$sql .= 'case when d.'.$key.' = 1 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 1 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '0':
|
||||
$sql .= 'case when d.'.$key.' = 0 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 0 then 1 else 0 end';
|
||||
break;
|
||||
}
|
||||
//------------------------------------
|
||||
break;
|
||||
|
||||
case ($field_question_4 ?? 'brand_category'): //brand_category
|
||||
|
||||
//check value returned and include SQL
|
||||
switch ($value) {
|
||||
case '2':
|
||||
$sql .= 'case when d.'.$key.' = 2 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 2 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '1':
|
||||
$sql .= 'case when d.'.$key.' = 1 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 1 then 1 else 0 end';
|
||||
break;
|
||||
|
||||
case '0':
|
||||
$sql .= 'case when d.'.$key.' = 0 then 1 else 0 end +';
|
||||
$orderByParts[] = 'case when d.'.$key.' = 0 then 1 else 0 end';
|
||||
break;
|
||||
}
|
||||
//------------------------------------
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//Replace LAST J
|
||||
$sql = removeTrailingElement($sql, ',');
|
||||
//REPLACE LAST + with DESC
|
||||
$sql = removeTrailingElement($sql, '+').' desc limit 0,4';
|
||||
// Build the final ORDER BY clause
|
||||
if (!empty($orderByParts)) {
|
||||
// If we have filter criteria, order by the sum of matching criteria descending
|
||||
$sql .= '(' . implode(' + ', $orderByParts) . ') desc limit 0,4';
|
||||
} else {
|
||||
// If no criteria (all "C" values), just order by name or some default
|
||||
$sql .= 'd.name asc limit 0,4';
|
||||
}
|
||||
|
||||
//Prepare statement
|
||||
$stmt = $pdo->prepare($sql);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user