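<?php
/*
* phpMyPurchasing
* Jason Gerfen [hide@address.com]
*
* ajaxSearch.php - handle generic ajax searches
*
* Flow: load config -> host check -> filter request data -> open a DB
* connection -> authenticate -> build the query selected by the POSTed
* flag (order/product/vendor/department/groups/users/permissions) ->
* run it -> emit the result set as JSON.
*/
if (file_exists('scripts/inc.config.php')) {
    require 'scripts/inc.config.php';
    // ensure we are being called from our configured host
    // NOTE(review): depending on web-server configuration SERVER_NAME may be
    // derived from the client-supplied Host header, so treat this as a sanity
    // check, not an access control; DecideAuth() below is the real gate.
    if ($defined['hostname'] === $_SERVER['SERVER_NAME']) {
        // obtain default options
        $defined = array_merge($defined, $handles['misc']->getDefaults());
        $defined = array_merge($defined, $handles['misc']->getAuthentication());
        $accessList = $handles['misc']->getAccessList();

        // copy and filter incoming data.
        // The previous code passed `$handles['val']->ValidateXSS` (a property
        // read, not a method) as the callback. That evaluates to null, and
        // array_map(null, $a) returns $a unchanged, so no filtering happened
        // at all. The array-callable form actually invokes the method.
        // The @ is kept deliberately: the superglobals may hold nested arrays
        // or objects, and a notice printed here would corrupt the JSON body
        // this script emits.
        $xssFilter = array($handles['val'], 'ValidateXSS');
        $get = @array_map($xssFilter, $_GET);
        $post = @array_map($xssFilter, $_POST);
        $sess = @array_map($xssFilter, $_SESSION);
        $serv = @array_map($xssFilter, $_SERVER);

        // initialize a db connection handle
        $dbconn = $handles['db']->dbConnect($defined['dbhost'], $defined['username'], $defined['password'], $defined['dbname']);
        // define the template and cache directories
        $handles['tpl']->strTemplateDir = $defined['templates'];
        $handles['tpl']->strCacheDir = '/tmp';

        // gather up some information for the token
        // NOTE(review): is_resource() is never true for an object, so a fresh
        // dbSession is constructed on every request; left as-is because the
        // session class's expectations are not visible from this file.
        if ((!isset($_SESSION['token'])) || (!is_resource($handles['session']))) {
            $handles['session'] = new dbSession($defined['timeout']);
        }
        // Referer is optional; store null rather than raising an undefined-index notice.
        $_SESSION['referrer'] = isset($serv['HTTP_REFERER']) ? $serv['HTTP_REFERER'] : null;

        // perform authentication. Credentials are optional in the request (a
        // valid session token may be enough); pass null when absent instead of
        // reading undefined indexes.
        $user = isset($post['user']) ? $post['user'] : null;
        $pass = isset($post['pass']) ? $post['pass'] : null;
        $authenticated = $handles['auth']->DecideAuth($_SESSION['token'], $user, $pass, $serv);

        // process authentication and load appropriate template
        if ($authenticated !== 0) {
            return;
        }

        // $sql is a single query string for most searches and an array of
        // named queries for the permissions search. $response is always
        // initialised so the JSON stage below never touches an undefined
        // variable (count()/array_map() on null is an error on PHP 8).
        $sql = null;
        $response = array();

        if (!empty($post)) {
            // SECURITY: every query below splices POSTed values directly into
            // the SQL text. ValidateSQL() is only applied to the finished
            // string, i.e. after interpolation, so it cannot reliably tell a
            // quote that belongs to a value from one that delimits it. The
            // proper fix is parameterised queries (or escaping each value with
            // the driver's escaper before concatenation); that requires support
            // from $handles['db'] that is not visible in this file, so the
            // queries are left in their original form and flagged here.
            if ((!empty($post['order'])) && ($post['order'] === "true")) {
                // NOTE(review): the column names `txtVendAND*` look like a global
                // "or" -> "AND" replace of `txtVendor*` (compare the stub below),
                // `txtVendANDContact` is compared against the Address field, and
                // the Phone condition appears twice. Left unchanged because the
                // real schema is not visible here — TODO confirm against the DB.
                $sql = "SELECT * FROM `purchases` WHERE `txtOrderDate` = \"" . $post['txtOrderDate'] . "\" AND `txtOrderNum` = \"" . $post['txtOrderNum'] . "\" AND `txtOrderGroup` = \"" . $post['txtOrderGroup'] . "\" AND `txtOrderAccountNumber` = \"" . $post['txtOrderAccountNumber'] . "\" AND `txtOrderETA` = \"" . $post['txtOrderETA'] . "\" AND `txtVendANDName` = \"" . $post['txtVendANDName'] . "\" AND `txtVendANDContact` = \"" . $post['txtVendANDAddress'] . "\" AND `txtVendANDPhone` = \"" . $post['txtVendANDPhone'] . "\" AND `txtVendANDPhone` = \"" . $post['txtVendANDPhone'] . "\" AND `txtVendANDEmail` = \"" . $post['txtVendANDEmail'] . "\" AND `txtDepartmentName` = \"" . $post['txtDepartmentName'] . "\" AND `txtDepartmentContact` = \"" . $post['txtDepartmentContact'] . "\" AND `txtDepartmentAddress` = \"" . $post['txtDepartmentAddress'] . "\" AND `txtDepartmentPhone` = \"" . $post['txtDepartmentPhone'] . "\" AND `txtDepartmentEmail` = \"" . $post['txtDepartmentEmail'] . "\"";
            }
            // The product, vendor and department queries compare every column
            // against an empty literal; they read like unfinished placeholders
            // (no POSTed value is used). Only the missing `=` before the last
            // `source` literal, which made the statement invalid SQL, is fixed.
            if ((!empty($post['product'])) && ($post['product'] === "true")) {
                $sql = "SELECT * FROM `products` WHERE `description` = \"\" OR `price` = \"\" OR `number` = \"\" OR `source` = \"\"";
            }
            if ((!empty($post['vendor'])) && ($post['vendor'] === "true")) {
                $sql = "SELECT * FROM `vendors` WHERE `vname` = \"\" OR `vcontact` = \"\" OR`vaddress` = \"\" OR `vphone` = \"\" OR `vemail` = \"\"";
            }
            if ((!empty($post['department'])) && ($post['department'] === "true")) {
                $sql = "SELECT * FROM `departments` WHERE `dname` = \"\" OR `dcontact` = \"\" OR `daddress` = \"\" OR `dphone` = \"\" OR `demail` = \"\"";
            }
            if ((!empty($post['groups'])) && ($post['groups'] === "true")) {
                $sql = "SELECT * FROM `groups` WHERE `txtGroupName` = \"" . $post['txtGroupName'] . "\" AND `txtGroupManager` = \"" . $post['txtGroupManager'] . "\" AND `txtGroupPhone` = \"" . $post['txtGroupPhone'] . "\" AND `txtGroupDescription` = \"" . $post['txtGroupDescription'] . "\"";
            }
            if ((!empty($post['users'])) && ($post['users'] === "true")) {
                // Column list deliberately excludes the password column.
                $sql = "SELECT `txtUserName`,`txtUserLevel`,`txtUserGroup`,`txtUserDepartment`,`txtUserFname`,`txtUserLname`,`txtUserPhone`,`txtUserEmail` FROM `users` WHERE `txtUserName` = \"" . $post['txtUserName'] . "\" AND `txtUserLevel` = \"" . $post['txtUserLevel'] . "\" AND `txtUserGroup` = \"" . $post['txtUserGroup'] . "\" AND `txtUserFname` = \"" . $post['txtUserFname'] . "\" AND `txtUserLname` = \"" . $post['txtUserLname'] . "\" AND `txtUserDepartment` = \"" . $post['txtUserDepartment'] . "\" AND `txtUserPhone` = \"" . $post['txtUserPhone'] . "\" AND `txtUserEmail` = \"" . $post['txtUserEmail'] . "\"";
            }
            if ((!empty($post['permissions'])) && ($post['permissions'] === "true")) {
                // Three result sets keyed by name; txtObjectID is the md5 of the
                // object name (an identifier, not a secret, so md5 is acceptable here).
                $sql = array();
                $sql['objects'] = "SELECT * FROM `resources` WHERE `txtObjectID` = \"" . md5($post['txtObjectName']) . "\" AND `txtObjectName` = \"" . $post['txtObjectName'] . "\" AND `txtObjectOwner` = \"" . $post['txtObjectOwner'] . "\"";
                $sql['groups'] = "SELECT * FROM `gresources` WHERE `txtObjectID` = \"" . md5($post['txtObjectName']) . "\"";
                $sql['users'] = "SELECT * FROM `uresources` WHERE `txtObjectID` = \"" . md5($post['txtObjectName']) . "\"";
            }

            if (!empty($sql)) {
                // is_array() replaces count($sql) > 1: count() of a string is a
                // TypeError on PHP 8 and the branch only ever distinguished
                // "several named queries" from "one query".
                if (is_array($sql)) {
                    foreach ($sql as $key => $value) {
                        $results = $handles['db']->dbQuery($handles['val']->ValidateSQL($value, $dbconn), $dbconn);
                        // dbQuery signals failure with -1; only keep non-empty result sets
                        if ($results !== -1 && $handles['db']->dbNumRowsAffected($dbconn) > 0) {
                            $response[$key] = $handles['db']->dbArrayResultsAssoc($results);
                        }
                    }
                } else {
                    $results = $handles['db']->dbQuery($handles['val']->ValidateSQL($sql, $dbconn), $dbconn);
                    if ($results !== -1 && $handles['db']->dbNumRowsAffected($dbconn) > 0) {
                        $response = $handles['db']->dbArrayResultsAssoc($results);
                    }
                }
            }
        }

        // NOTE(review): development stub. For order searches this replaces
        // whatever the purchases query returned with a fixed record, so the
        // DB result is never visible to the client. Kept to preserve current
        // behaviour; remove once the real query is finished.
        if (isset($post['order']) && $post['order'] === "true") {
            $response[0] = array('txtOrderDate' => '04/21/2010',
                'txtOrderNum' => '12343',
                'txtOrderGroup' => 'mygroup',
                'txtOrderAccountNumber' => 'myaccount',
                'txtOrderETA' => '05/23/2010',
                'txtVendorName' => 'wuka',
                'txtVendorContact' => 'contact',
                'txtVendorAddress' => '123 w. wtf',
                'txtVendorPhone' => '123-123-1223',
                'txtVendorEmail' => 'hide@address.com',
                'txtDepartmentName' => 'mydept',
                'txtDepartmentContact' => 'myname',
                'txtDepartmentAddress' => '345 ',
                'txtDepartmentPhone' => '123-123-1234',
                'txtDepartmentEmail' => 'hide@address.com',
                'txtOrderTrackingNumber' => '1234556',
                'txtOrderNotes' => 'fuck this',
                'products' => array(
                    array('txtPartsID' => '001',
                        'txtPartsQuantity' => '003',
                        'txtPartsDescription' => 'a product',
                        'txtPartsPrice' => '4.56',
                        'txtPartsNumber' => '00345',
                        'txtPartsSource' => 'wherever'
                    ),
                    array('txtPartsID' => '025',
                        'txtPartsQuantity' => '023',
                        'txtPartsDescription' => 'a product 1',
                        'txtPartsPrice' => '8.56',
                        'txtPartsNumber' => '10345',
                        'txtPartsSource' => 'wtfs'
                    )
                )
            );
        }

        // Emit JSON: a list-shaped result set returns only its first row, a
        // keyed set (permissions) or an empty set is returned whole. The
        // isset/is_array guards replace a bare count($response[0]) that raised
        // a notice (PHP 7) or TypeError (PHP 8) when no row was found.
        if (isset($response[0]) && is_array($response[0]) && count($response[0]) > 0) {
            $payload = $response[0];
        } else {
            $payload = $response;
        }
        // Output-encode each top-level value. NOTE(review): nested arrays (for
        // example the stub's 'products') reach ValidateXSS as arrays — confirm
        // it tolerates non-string input.
        $payload = array_map($xssFilter, $payload);
        // json_encode needs ext/json; fall back to the project's encoder otherwise
        if (function_exists("json_encode")) {
            $response = json_encode($payload);
        } else {
            $response = $handles['misc']->arr2json($payload);
        }
        echo $response;
    } else {
        echo "Cannot be called from anywhere other then our defined host";
    }
} else {
    echo "Configuration file not found";
}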