As generated by AppGini 22.12

app/admin/ajax-maintenance-mode.php

@@ -1,10 +1,11 @@
 <?php
-	$currDir = dirname(__FILE__);
-	require("{$currDir}/incCommon.php");
+	require(__DIR__ . '/incCommon.php');
 
 	if(!getLoggedAdmin()) exit;
 
-	$status = $_REQUEST['status'];
+	if(!csrf_token(true)) exit;
+
+	$status = Request::val('status');
 	if($status == 'on') maintenance_mode(true);
 	if($status == 'off') maintenance_mode(false);
 

app/admin/ajax-saved-sql.php

@@ -0,0 +1,24 @@
+<?php
+	/*
+	  Manage stored SQL queries for admin user.
+	  Parameters:
+		queries: (optional) a json string [{name, query}, ..]) to store.
+	  Response:
+		stored queries (as a json string).
+
+	  queries are stored in the membership_users.data field for the current user, under the key 'storedQueries'
+	*/
+
+	require(__DIR__ . '/incCommon.php');
+
+	if(!csrf_token(true)) {
+		@header('HTTP/1.0 403 Access Denied');
+		die();
+	}
+
+	// store queries if provided
+	$queries = Request::val('queries', null);
+	if($queries !== null)
+		setUserData('storedQueries', $queries);
+
+	echo getUserData('storedQueries');

app/admin/ajax-sql.php

@@ -0,0 +1,33 @@
+<?php
+	require(__DIR__ . '/incCommon.php');
+
+	if(!csrf_token(true)) {
+		@header('HTTP/1.0 403 Access Denied');
+		die();
+	}
+
+	$sql = trim(Request::val('sql'));
+	if(!preg_match('/^SELECT\s+.*?\s+FROM\s+\S+/i', $sql)) {
+		@header('HTTP/1.0 404 Not Found');
+		die("Invalid query");
+	}
+
+	// force a limit of 1000 in case no limit specified
+	if(!preg_match('/\s+limit\s+\d+(\s*,\s*\d+)?/i', $sql))
+		$sql .= ' LIMIT 1000';
+
+	$resp = ['titles' => [], 'data' => [], 'error' => ''];
+	$eo = ['silentErrors' => true];
+
+	$res = sql($sql, $eo);
+	if(!$res)
+		$resp['error'] = $eo['error'];
+	else while($row = db_fetch_assoc($res)) {
+		if(!count($resp['titles']))
+			$resp['titles'] = array_keys($row);
+
+		$resp['data'][] = array_map('htmlspecialchars', array_values($row));
+	}
+
+	@header('Content-type: application/json');
+	echo json_encode($resp, JSON_PARTIAL_OUTPUT_ON_ERROR);

app/admin/app-documentation.php

@@ -1,10 +1,7 @@
 <?php
-	$currDir = dirname(__FILE__);
-	require("{$currDir}/incCommon.php");
+	require(__DIR__ . '/incCommon.php');
 
 	$GLOBALS['page_title'] = $Translation['app documentation'];
-	include("{$currDir}/incHeader.php");
-
-	$app_title = 'OIM';
+	include(__DIR__ . '/incHeader.php');
 
-	include("{$currDir}/incFooter.php");
+	include(__DIR__ . '/incFooter.php');

app/admin/getUsers.php

@@ -1,5 +1,5 @@
 <?php
-// This script and data application were generated by AppGini 5.97
+// This script and data application were generated by AppGini 22.12
 // Download AppGini for free from https://bigprof.com/appgini/download/
 
 /*
@@ -19,23 +19,19 @@
 
 	$start_ts = microtime(true);
 
-	$curr_dir=dirname(__FILE__);
-	require("{$curr_dir}/incCommon.php");
+	require(__DIR__ . '/incCommon.php');
 
 	// how many results to return per call, in case of json output
 	$results_per_page = 50;
 
-	$id = false;
-	if(isset($_REQUEST['id'])) $id = from_utf8($_REQUEST['id']);
+	$id = from_utf8(Request::val('id'));
+	$search_term = from_utf8(Request::val('s'));
 
-	$search_term = false;
-	if(isset($_REQUEST['s'])) $search_term = from_utf8($_REQUEST['s']);
-
-	$page = intval($_REQUEST['p']);
+	$page = intval(Request::val('p'));
 	if($page < 1) $page = 1;
 	$skip = $results_per_page * ($page - 1);
 
-	$table_name = $_REQUEST['t'];
+	$table_name = Request::val('t');
 	if(!in_array($table_name, array_keys(getTableList()))) {
 		/* invalid table */
 		echo '{"results":[{"id":"","text":"Invalid table"}],"more":false,"elapsed":0}';
@@ -44,23 +40,25 @@
 
 	/* if id is provided, get owner */
 	$owner = false;
-	if($id) {
-		$owner = sqlValue("select memberID from membership_userrecords where tableName='{$table_name}' and pkValue='" . makeSafe($id) . "'");
-	}
+	if($id)
+		$owner = sqlValue("SELECT `memberID` FROM `membership_userrecords` WHERE `tableName`='{$table_name}' AND `pkValue`='" . makeSafe($id) . "'");
 
 	$prepared_data = [];
-	$where = "g.name!='{$adminConfig['anonymousGroup']}' and p.allowView>0 ";
+	$where = "g.`name`!='{$adminConfig['anonymousGroup']}' and p.`allowView`>0 ";
 	if($search_term) {
 		$search_term = makeSafe($search_term);
 		$where .= "and (u.memberID like '%{$search_term}%' or g.name like '%{$search_term}%')";
 	}
-	$res = sql("select u.memberID, g.name from membership_users u left join membership_groups g on u.groupID=g.groupID left join  membership_grouppermissions p on g.groupID=p.groupID and p.tableName='{$table_name}' where {$where} order by g.name, u.memberID limit {$skip}, {$results_per_page}", $eo);
+
+	$eo = ['silentErrors' => true];
+	$res = sql("SELECT u.`memberID`, g.`name` FROM `membership_users` u LEFT JOIN `membership_groups` g ON u.`groupID`=g.`groupID` LEFT JOIN `membership_grouppermissions` p ON g.`groupID`=p.`groupID` AND p.`tableName`='{$table_name}' WHERE {$where} ORDER BY g.`name`, u.`memberID` LIMIT {$skip}, {$results_per_page}", $eo);
 	while($row = db_fetch_row($res)) {
-		$prepared_data[] = array('id' => to_utf8($row[0]), 'text' => to_utf8("<b>{$row[1]}</b>/{$row[0]}"));
+		$row = array_map('strip_tags', $row);
+		$prepared_data[] = ['id' => to_utf8($row[0]), 'text' => to_utf8("<b>{$row[1]}</b>/{$row[0]}")];
 	}
 
-	echo json_encode(array(
+	echo json_encode([
 		'results' => $prepared_data,
 		'more' => (@db_num_rows($res) >= $results_per_page),
-		'elapsed' => round(microtime(true) - $start_ts, 3)
-	));
+		'elapsed' => round(microtime(true) - $start_ts, 3),
+	]);

app/admin/incCommon.php

@@ -1,62 +1,24 @@
 <?php
-	error_reporting(E_ERROR /*| E_WARNING*/ | E_PARSE);
-
 	// incCommon.php is included only in the admin area, so if this flag is defined, this indicates we're in admin area
 	define('ADMIN_AREA', true);
 
-	if(!defined('datalist_db_encoding')) define('datalist_db_encoding', 'UTF-8');
-	ob_start();
-	$currDir = dirname(__FILE__);
-	include_once("{$currDir}/../settings-manager.php");
-
-	include_once("{$currDir}/../defaultLang.php");
-	include_once("{$currDir}/../language.php");
-	$Translation = array_merge($TranslationEn, $Translation);
-
-	include_once("{$currDir}/../db.php");
+	include_once(__DIR__ . '/../settings-manager.php');
 
 	// check if initial setup was performed or not
 	detect_config();
 	migrate_config();
 
 	$adminConfig = config('adminConfig');
-	include_once("{$currDir}/incFunctions.php");
-	@include_once("{$currDir}/../hooks/__global.php");
 
 	checkAppRequirements();
 
-	// detecting classes not included above
-	@spl_autoload_register(function($class) {
-		$admin_dir = dirname(__FILE__);
-		@include_once("{$admin_dir}/../resources/lib/{$class}.php");
-	});
-
-	/* trim $_POST, $_GET, $_REQUEST */
-	if(count($_POST)) $_POST = array_trim($_POST);
-	if(count($_GET)) $_GET = array_trim($_GET);
-	if(count($_REQUEST)) $_REQUEST = array_trim($_REQUEST);
-
+	ob_start();
 	initSession();
 
 	// check if membership system exists
 	setupMembership();
 
-	/* do we have a JWT auth header? */
-	jwt_check_login();
-
-	// renew remember-me token, if applicable
-	if(!getLoggedAdmin()) $remember_check = RememberMe::check();
-
-	// is there a logged admin user?
-	if(!($uname = getLoggedAdmin())) {
-		// if no remember-me cookie, redirect to login page
-		if(!$remember_check) die('<META HTTP-EQUIV="Refresh" CONTENT="0;url=../index.php">');
-
-		// get username from remeber-me cookie, set session and redirect to admin homepage
-		$uname = makeSafe(strtolower(RememberMe::user()));
-		$_SESSION['memberID'] = $uname;
-		$_SESSION['memberGroupID'] = sqlValue("SELECT `groupID` FROM `membership_users` WHERE LCASE(`memberID`)='{$uname}'");
-		redirect('admin/pageHome.php');
-	}
+	@include_once(__DIR__ . '/../hooks/__global.php');
 
-?>
+	if(!Authentication::getAdmin()) Authentication::signIn();
+	if(!Authentication::getAdmin()) redirect('index.php');