assetmgt/api/v2/post/report_builder.php
“VeLiTi” 782050c3ca Add user role management functionality with CRUD operations and permissions handling
- Created user_role.php for viewing and editing user roles and their permissions.
- Implemented inline editing for role details and permissions.
- Added user_role_manage.php for creating and managing user roles.
- Introduced user_roles.php for listing all user roles with pagination and filtering options.
- Integrated API calls for fetching and updating role data and permissions.
- Enhanced user interface with success messages and navigation controls.
2026-01-19 11:16:54 +01:00


<?php
defined($security_key) or exit;
//------------------------------------------
// Report Builder - POST Endpoints
//------------------------------------------
// Every response from this file is JSON, so the header goes out before any output
header('Content-Type: application/json');
// Connect to DB.
// NOTE(review): this endpoint runs client-supplied SELECT text on this connection,
// so the account returned by dbConnect() for $dbname should be read-only and
// limited to the report tables — confirm against dbConnect().
$pdo = dbConnect($dbname);
// Decode the raw request body ($input is provided by the including router);
// a malformed body decodes to null, which simply yields an empty action below
$data = json_decode($input, true);
$requestedAction = $data['action'] ?? '';
$action = strtolower($requestedAction);
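/**
 * Security check: only allow a single, comment-free SELECT statement.
 *
 * This is a denylist filter over client-controlled SQL, so it is a last line
 * of defence rather than a substitute for executing report queries through a
 * read-only, least-privileged database account. Compared with a pure keyword
 * denylist it additionally rejects:
 *  - any ';' anywhere, so a stacked statement is refused regardless of which
 *    keyword (or comment) follows the separator;
 *  - SQL comment tokens ("--", "#", "/*"), which could otherwise hide a keyword
 *    from the whitespace-based patterns below;
 *  - INTO DUMPFILE alongside INTO OUTFILE, and both without requiring trailing
 *    whitespace after the keyword.
 * Trade-off: string literals containing ';', '#', '--' or '/*' are rejected too.
 * Non-string input (e.g. a JSON array in the "query" field) returns false
 * instead of letting trim() raise a TypeError.
 *
 * @param mixed $query raw query text taken from the request body
 * @return bool true when the text may be handed to PDO::query()
 */
function isSelectQuery($query): bool {
    if (!is_string($query)) {
        return false;
    }
    // Collapse runs of whitespace so the "\sKEYWORD" patterns match reliably
    $normalized = preg_replace('/\s+/', ' ', trim($query));
    if ($normalized === null) {
        // preg_replace() failed (e.g. backtrack limit); fail closed
        return false;
    }
    // Only allow SELECT queries
    if (!preg_match('/^SELECT\s/i', $normalized)) {
        return false;
    }
    // Refuse statement separators and comment tokens outright: a second statement,
    // or a keyword split by a comment, cannot be caught dependably by keyword patterns
    if (preg_match('/;|--|#|\/\*/', $normalized)) {
        return false;
    }
    // Block functions/clauses that read or write the server's filesystem or stall the server
    $dangerousPatterns = [
        '/\bINTO\s+(OUTFILE|DUMPFILE)\b/i',
        '/\bLOAD_FILE\s*\(/i',
        '/\bSLEEP\s*\(/i',
        '/\bBENCHMARK\s*\(/i',
    ];
    foreach ($dangerousPatterns as $pattern) {
        if (preg_match($pattern, $normalized)) {
            return false;
        }
    }
    return true;
}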
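/**
 * Execute a SELECT query
 *
 * Request body: {"action": "executequery", "query": "<SQL>"}.
 * The query text is client-controlled SQL; it is gated by isSelectQuery() and
 * must only ever run on a read-only, least-privileged DB connection.
 * Response: {"success": bool, "message": string, "results"?: list, "rowCount"?: int}
 */
if ($action === 'executequery') {
    $query = $data['query'] ?? '';
    if (empty($query)) {
        http_response_code(400);
        $messages = json_encode([
            'success' => false,
            'message' => 'Query parameter is required'
        ], JSON_UNESCAPED_UNICODE);
    }
    // Security check: only allow SELECT queries
    elseif (!isSelectQuery($query)) {
        http_response_code(400);
        $messages = json_encode([
            'success' => false,
            'message' => 'Only SELECT queries are allowed'
        ], JSON_UNESCAPED_UNICODE);
    } else {
        try {
            // Cap on rows sent to the client. Rows are fetched one at a time so only
            // the first $maxResults are ever held in PHP memory; previously fetchAll()
            // loaded the whole result set before array_slice() trimmed it. (The driver
            // may still buffer the full result set client-side depending on the
            // attributes dbConnect() sets — not visible from here.)
            $maxResults = 5000;
            $results = [];
            $rowCount = 0;
            // Execute the query
            $stmt = $pdo->query($query);
            if ($stmt === false) {
                // dbConnect() may not enable PDO::ERRMODE_EXCEPTION; surface the
                // driver error through the same catch block as an exception would take
                $errorInfo = $pdo->errorInfo();
                throw new PDOException((string) ($errorInfo[2] ?? 'unknown database error'));
            }
            // Keep the first $maxResults rows, count the remainder without storing them
            while (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false) {
                $rowCount++;
                if ($rowCount <= $maxResults) {
                    $results[] = $row;
                }
            }
            $stmt->closeCursor();
            if ($rowCount > $maxResults) {
                $message = "Query executed successfully. Showing first $maxResults of $rowCount rows.";
            } else {
                $message = "Query executed successfully. $rowCount rows returned.";
            }
            $messages = json_encode([
                'success' => true,
                'results' => $results,
                'rowCount' => $rowCount,
                'message' => $message
            ], JSON_UNESCAPED_UNICODE);
        } catch (PDOException $e) {
            http_response_code(400);
            $messages = json_encode([
                'success' => false,
                'message' => 'Query execution failed: ' . $e->getMessage()
            ], JSON_UNESCAPED_UNICODE);
        }
    }
}
/**
 * Invalid or missing action
 */
else {
    http_response_code(400);
    $messages = json_encode([
        'success' => false,
        'message' => 'Invalid or missing action parameter'
    ], JSON_UNESCAPED_UNICODE);
}
// Send results
echo $messages;
// No closing "?>": any trailing newline after it would be emitted and corrupt the JSON body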