2008-07-13 Evi Vanoost <vanooste@rcbi.rochester.edu>

* pandora_console/general/logon_ok.php: Made the query use sprintf (for security purposes) * pandora_console/include/functions_db.php: Made all the database queries relying on a single query function for simpler management Also made sure that no functions returned NULL because NULL is a valid database value. It will return an empty value or something Also made a simple query cache array so that duplicate queries to generate a single page won't be repeated (ACL queries) Also updated some other queries and functions (see the diff) and removed some old code * pandora_console/estado_grupo.php: Now with working agents counter! * pandora_console/general/footer.php: Just made a fancy counter that displays how much queries weren't duplicated (90 on some pages!!) git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@953 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2008-07-15 20:19:30 +00:00 · 2008-07-15 20:19:30 +00:00 · 086ec57b3c
parent 15283d4b31
commit 086ec57b3c
5 changed files with 130 additions and 149 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,10 +1,25 @@
 2008-07-13  Evi Vanoost <vanooste@rcbi.rochester.edu>
 	* pandora_console/general/logon_ok.php: Made the query use sprintf (for security purposes)
 	* pandora_console/include/functions_db.php: Made all the database queries relying on a single query function for simpler management
 		Also made sure that no functions returned NULL because NULL is a valid database value.
 		Also made a simple query cache array so that duplicate queries to generate a single page won't be repeated (ACL queries)
 		Also updated some other queries and functions (see the diff) and removed some old code
 	* pandora_console/estado_grupo.php: Now with working agents counter!
 	* pandora_console/general/footer.php: Just made a fancy counter that displays how much queries weren't duplicated (90 on some pages!!)
 2008-07-12  Evi Vanoost <vanooste@rcbi.rochester.edu>
 	* pandora_console/operation/agentes/networkmap.php: Some minor bugfixes introduced with my changes yesterday
-	* pandora_console/general/links_menu.php: 2 queries for a menu? Changed it to a single query. This list will likely never be empty - if it is, Links section won't be generated
+	* pandora_console/general/links_menu.php: 2 queries for a menu? Changed it to a single query. 
 			This list will likely never be empty - if it is, Links section won't be generated
-	* pandora_console/general/logon_ok.php: Updated the queries to go faster. Changed the timestamp calculation to an indexed query using utimestamp and UNIXTIME(NOW())-604800
+	* pandora_console/general/logon_ok.php: Updated the queries to go faster. 
 			Changed the timestamp calculation to an indexed query using utimestamp and UNIXTIME(NOW())-604800
 	* pandora_console/images/networkmap/8.png: Added the Mac OS X icon..
@ -12,7 +27,8 @@
 	* pandora_console/operation/agentes/estado_grupo.php: Fixed the issue where all data was 0-ed out. There was an if-then-else construction that wasn't working well
-	* pandora_console/operation/agentes/networkmap.php: Made more extensive error messages that explains WHY it wasn't generating. Then also made it so the image is cached instead of regenerated every time (currently hardcoded at 5 min.).
+	* pandora_console/operation/agentes/networkmap.php: Made more extensive error messages that explains WHY it wasn't generating. 
 		Then also made it so the image is cached instead of regenerated every time (currently hardcoded at 5 min.).
 2008-07-10  Evi Vanoost <vanooste@rcbi.rochester.edu>
--- a/pandora_console/general/footer.php
+++ b/pandora_console/general/footer.php
@ -19,13 +19,13 @@ global $config;
 echo "<center>";
 echo '<a class="white_bold" target="_new" href="general/license/pandora_info_'.$config["language"].'.html">
-Pandora FMS '.$pandora_version.' Build '.$build_version.'<br>'.
+Pandora FMS '.$pandora_version.' - Build '.$build_version.'<br>'.
 lang_string ("gpl_notice").'</a><br>';
 	if (isset($_SERVER['REQUEST_TIME'])) {
 		$time = $_SERVER['REQUEST_TIME'];
 	} else {
 		$time = time();
 	}
-	echo "<a class='white'>".$lang_label["gen_date"]." ".date("D F d, Y H:i:s", $time)."</a><br>";
+	echo "<a class='white'>".$lang_label["gen_date"]." ".date("D F d, Y H:i:s", $time)." - Saved ".$sql_cache["saved"]." Queries</a><br>";
 echo "</center>";
 ?>
--- a/pandora_console/general/logon_ok.php
+++ b/pandora_console/general/logon_ok.php
@ -28,7 +28,7 @@ echo "</p>";
 // Private messages pending to read !
-$sql='SELECT COUNT('id_mensaje') AS count FROM tmensajes WHERE id_usuario_destino="'.$nick.'" AND estado="FALSE";';
+$sql=sprintf("SELECT COUNT('id_mensaje') AS count FROM tmensajes WHERE id_usuario_destino='%s' AND estado='FALSE';",$nick);
 $resultado = mysql_query ($sql);
 $row = mysql_fetch_array ($resultado);
 if ($row["count"] != 0){
--- a/pandora_console/include/functions_db.php
+++ b/pandora_console/include/functions_db.php
@ -13,7 +13,6 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 // GNU General Public License for more details.
 /** 
 * Check if login session variables are set.
 *
@ -21,29 +20,26 @@
 * 
 * @return 0 on success
 */
-function check_login () { 
+function check_login () {
-	global $config;
+        global $config;
-	if (!isset($config["homedir"])){
+        if (!isset($config["homedir"])){
-		// No exists $config. Exit inmediatly
+                // No exists $config. Exit inmediatly
-		include ("general/noaccess.php");
+                include("general/noaccess.php");
-		exit;
+                exit;
-	}
+        }
-	if ((isset($_SESSION["id_usuario"])) AND ($_SESSION["id_usuario"] != "")) { 
+        if ((isset($_SESSION["id_usuario"])) AND ($_SESSION["id_usuario"] != "")) {
-		$id = $_SESSION["id_usuario"];
+                $id = get_db_value("id_usuario","tusuario","id_usuario",$_SESSION["id_usuario"]);
-		$query1="SELECT id_usuario FROM tusuario WHERE id_usuario= '$id'";
+                if ( $_SESSION["id_usuario"] == $id ){
-		$resq1 = mysql_query($query1);
+                        return 0;
-		$rowdup = mysql_fetch_array($resq1);
+                }
-		$nombre = $rowdup[0];
+        }
-		if ( $id == $nombre ){
+        audit_db("N/A", getenv("REMOTE_ADDR"), "No session", "Trying to access without a valid session");
-			return 0;
+        include ($config["homedir"]."/general/noaccess.php");
-		}
+        exit;
 	}
 	audit_db("N/A", getenv("REMOTE_ADDR"), "No session", "Trying to access without a valid session");
 	include ($config["homedir"]."/general/noaccess.php");
 	exit;
 }
-/** 
+	
 /**
 * Check access privileges to resources
 *
 * Access can be:
@ -57,91 +53,69 @@ function check_login () {
 * DM - DB Management
 * LM - Alert Management
 * PM - Pandora Management
- * 
+ *
- * @param id_user User id 
+ * @param id_user User id
 * @param id_group Agents group id
 * @param access Access privilege
- * 
+ *
 * @return 1 if the user has privileges, 0 if not.
- */
+**/
 function give_acl ($id_user, $id_group, $access) {
-	// IF user is level = 1 then always return 1
+        // IF user is level = 1 then always return 1
-	// Access can be:
+
-	/*	
+        global $config;
-		IR - Incident Read
+        $nivel = get_db_value("nivel","tusuario","id_usuario",$id_user);
-		IW - Incident Write
+        if ($nivel == 1) {
-		IM - Incident Management
+                return 1;
-		AR - Agent Read
+                //Apparently nivel is 1 if user has full admin access        
-		AW - Agent Write
+	}        
 		LW - Alert Write
 		UM - User Management
 		DM - DB Management
 		LM - Alert Management
 		PM - Pandora Management
 	*/
-	global $config;
+	//Joined multiple queries into one. That saves on the query overhead and query cache.
-	
+        if ($id_group == 0) {
-	$query1="SELECT * FROM tusuario WHERE id_usuario = '".$id_user."'";
+                $query1=sprintf("SELECT `tperfil`.`incident_view`,`tperfil`.`incident_edit`,`tperfil`.`incident_management`,`tperfil`.`agent_view`,`tperfil`.`agent_edit`,`tperfil`.`alert_edit`,`tperfil`.`alert_management`,`tperfil`.`pandora_management`,`tperfil`.`db_management`,`tperfil`.`user_management` FROM `tusuario_perfil`,`tperfil` WHERE `tusuario_perfil`.`id_perfil` = `tperfil`.`id_perfil` AND `tusuario_perfil`.`id_usuario` = '%s'",$id_user);                //GroupID = 0, access doesnt matter (use with caution!) - Any user gets access to group 0
-	$res=mysql_query($query1);
+        } else {
-	$row=mysql_fetch_array($res);
+                $query1=sprintf("SELECT `tperfil`.`incident_view`,`tperfil`.`incident_edit`,`tperfil`.`incident_management`,`tperfil`.`agent_view`,`tperfil`.`agent_edit`,`tperfil`.`alert_edit`,`tperfil`.`alert_management`,`tperfil`.`pandora_management`,`tperfil`.`db_management`,`tperfil`.`user_management` FROM `tusuario_perfil`,`tperfil` WHERE `tusuario_perfil`.`id_perfil` = `tperfil`.`id_perfil` 
-	if ($row["nivel"] == 1)
+AND `tusuario_perfil`.`id_usuario` = '%s' AND (`tusuario_perfil`.`id_grupo` = '%d' OR `tusuario_perfil`.`id_grupo`= 1)",$id_user,$id_group);
-		return 1;
+	}
-	if ($id_group == 0) // Group doesnt matter, any group, for check permission to do at least an action in a group
+
-		$query1="SELECT * FROM tusuario_perfil WHERE id_usuario = '".$id_user."'";	// GroupID = 0, group doesnt matter (use with caution!)
+	$rowdup = get_db_all_rows_sql($query1);
-	else
+	$result = 0;
-		$query1="SELECT * FROM tusuario_perfil WHERE id_usuario = '".$id_user."' and ( id_grupo =".$id_group." OR id_grupo = 1)";	// GroupID = 1 ALL groups      
+	$i = 0;
-	$resq1=mysql_query($query1);  
+	while($rowdup[$i]){
 	$result = 0; 
 	while ($rowdup=mysql_fetch_array($resq1)){
 		$id_perfil=$rowdup["id_perfil"];
 		// For each profile for this pair of group and user do...
 		$query2="SELECT * FROM tperfil WHERE id_perfil = ".$id_perfil;    
 		$resq2=mysql_query($query2);  
 		if ($rowq2=mysql_fetch_array($resq2)){
 			switch ($access) {
 			case "IR":
-				$result = $result + $rowq2["incident_view"];
+				$result += $rowdup[$i]["incident_view"];
 				break;
 			case "IW":
-				$result = $result + $rowq2["incident_edit"];
+				$result += $rowdup[$i]["incident_edit"];
 				break;
 			case "IM":
-				$result = $result + $rowq2["incident_management"];
+				$result += $rowdup[$i]["incident_management"];
 				break;
 			case "AR":
-				$result = $result + $rowq2["agent_view"];
+				$result += $rowdup[$i]["agent_view"];
 				break;
 			case "AW":
-				$result = $result + $rowq2["agent_edit"];
+				$result += $rowdup[$i]["agent_edit"];
 				break;
 			case "LW":
-				$result = $result + $rowq2["alert_edit"];
+				$result += $rowdup[$i]["alert_edit"];
 				break;
 			case "LM":
-				$result = $result + $rowq2["alert_management"];
+				$result += $rowdup[$i]["alert_management"];
 				break;
 			case "PM":
-				$result = $result + $rowq2["pandora_management"];
+				$result += $rowdup[$i]["pandora_management"];
 				break;
 			case "DM":
-				$result = $result + $rowq2["db_management"];
+				$result += $rowdup[$i]["db_management"];
 				break;
 			case "UM":
-				$result = $result + $rowq2["user_management"];
+				$result += $rowdup[$i]["user_management"];
 				break;
 			}
-		} 
+		$i++;
 	}
 	if ($result > 1)
 		$result = 1;
@ -157,9 +131,9 @@ function give_acl ($id_user, $id_group, $access) {
 * @param descripcion Long action description
 */
 function audit_db ($id, $ip, $accion, $descripcion){
 	$today=date('Y-m-d H:i:s');
 	$utimestamp = time();
-	$sql1='INSERT INTO tsesion (ID_usuario, accion, fecha, IP_origen,descripcion, utimestamp) VALUES ("'.$id.'","'.$accion.'","'.$today.'","'.$ip.'","'.$descripcion.'", '.$utimestamp.')';
+	$today=date('Y-m-d H:i:s',$utimestamp);
 	$sql1='INSERT INTO tsesion (ID_usuario, accion, fecha, IP_origen,descripcion, utimestamp) VALUES ("'.$id.'","'.$accion.'","'.$today.'","'.$ip.'","'.$descripcion.'", "'.$utimestamp.'")';
 	$result=mysql_query($sql1);
 }
@ -171,11 +145,11 @@ function audit_db ($id, $ip, $accion, $descripcion){
 */
 function logon_db ($id_user, $ip) {
 	global $config;
-	
+
 	audit_db ($id_user, $ip, "Logon", "Logged in");
-	// Update last registry of user to get last logon
+	// Update last registry of user to set last logon. How do we audit when the user was created then?
-	$sql = sprintf ('UPDATE tusuario fecha_registro = $today WHERE id_usuario = "%s"', $id_user);
+	$sql = sprintf ('UPDATE tusuario SET fecha_registro = $today WHERE id_usuario = "%s"', $id_user);
-	$result = mysql_query ($sql);
+	mysql_query ($sql);
 }
 /**
@ -185,8 +159,7 @@ function logon_db ($id_user, $ip) {
 * @param ip Client user IP address.
 */
 function logoff_db ($id_user, $ip) {
-	global $config;
+	audit_db ($id_user, $ip, "Logoff", "Logged out");
 	audit_db ($config['id_user'], $ip, "Logoff", "Logged out");
 }
 /**
@ -1260,29 +1233,26 @@ function give_agent_id_from_module_id ($id_agent_module) {
 * @param field Field name to get
 * @param table Table to retrieve the data
 * @param field_search Field to filter elements
- * @param condition Condition the field must have.
+ * @param condition Condition the field must have
 * 
 * @return 
 */
-function get_db_value ($field, $table, $field_search, $condition){
+$sql_cache=array('saved' => 0);
 function get_db_value ($field, $table, $field_search=1, $condition=1){
 	if (is_int ($condition)) {
-		$sql = sprintf ('SELECT %s FROM %s WHERE %s = %d', $field, $table, $field_search, $condition);
+		$sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%d'", $field, $table, $field_search, $condition);
 	} else if (is_float ($condition) || is_double ($condition)) {
-		$sql = sprintf ('SELECT %s FROM %s WHERE %s = %f', $field, $table, $field_search, $condition);
+		$sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%f'", $field, $table, $field_search, $condition);
 	} else {
-		$sql = sprintf ('SELECT %s FROM %s WHERE %s = "%s"', $field, $table, $field_search, $condition);
+		$sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%s'", $field, $table, $field_search, $condition);
 	}
-	$sql .= ' LIMIT 1';
+	$sql .= " LIMIT 1";
 	$result = get_db_all_rows_sql($sql);
 	if(is_array($result))	
 		return $result[0][$field];
-	$result = mysql_query ($sql);
+	return "";
 	if (! $result) {
 		echo '<strong>Error:</strong> get_db_value("'.$sql.'") :'. mysql_error ().'<br />';
 		return NULL;
 	}
 	if ($row = mysql_fetch_array ($result))
 		return $row[0];
 	return NULL;
 }
 /** 
@ -1290,18 +1260,12 @@ function get_db_value ($field, $table, $field_search, $condition){
 * 
 * @param sql SQL select statement to execute.
 * 
- * @return The first row of the result.
+ * @return The first row of the result or something empty.
 */
 function get_db_row_sql ($sql) {
-	$result = mysql_query ($sql);
+	$result = get_db_all_rows_sql($sql);
 	if (! $result) {
 		echo '<strong>Error:</strong> get_db_row("'.$sql.'") :'. mysql_error ().'<br />';
 		return NULL;
 	}
 	if ($row = mysql_fetch_array ($result))
 		return $row;
-	return NULL;
+	return $result[0];
 }
 /** 
@ -1317,18 +1281,19 @@ function get_db_row_sql ($sql) {
 * @return The first row of a database query.
 */
 function get_db_row ($table, $field_search, $condition) {
 	global $config;
 	if (is_int ($condition)) {
-		$sql = sprintf ('SELECT * FROM %s WHERE %s = %d', $table, $field_search, $condition);
+		$sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%d'", $table, $field_search, $condition);
 	} else if (is_float ($condition) || is_double ($condition)) {
-		$sql = sprintf ('SELECT * FROM %s WHERE %s = %f', $table, $field_search, $condition);
+		$sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%f'", $table, $field_search, $condition);
 	} else {
-		$sql = sprintf ('SELECT * FROM %s WHERE %s = "%s"', $table, $field_search, $condition);
+		$sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%s'", $table, $field_search, $condition);
 	}
 	$sql .= ' LIMIT 1';
-	return get_db_row_sql ($sql);
+	$result = get_db_all_rows_sql ($sql);
 	return $result[0];
 }
 /** 
@ -1336,21 +1301,12 @@ function get_db_row ($table, $field_search, $condition) {
 *
 * @param sql SQL statement to execute
 * @param field Field number to get, beggining by 0. Default: 0
- * 
+ * @param cache Cache the query while generating this page. Default: 1
 * @return The selected field of the first row in a select statement.
 */
 function get_db_sql ($sql, $field = 0) {
-	global $config;
+	$row = get_db_all_rows_sql($sql);
-	
+	return $row[0][$field];
 	$result = mysql_query ($sql);
 	if (! $result) {
 		echo '<strong>Error:</strong> get_db_sql ("'.$sql.'") :'. mysql_error ().'<br />';
 		return NULL;
 	}
 	if ($row = mysql_fetch_array ($result))
 		return $row[$field];
 	return NULL;
 }
 /**
@ -1362,18 +1318,26 @@ function get_db_sql ($sql, $field = 0) {
 */
 function get_db_all_rows_sql ($sql) {
 	global $config;
-	$retval = array ();
+        global $sql_cache;
-	$result = mysql_query ($sql);
+        $retval = array();
-	if (! $result) {
+	if($sql_cache[$sql]) {
-		echo mysql_error ();
+        	$retval = $sql_cache[$sql];    
-		return array();
+        	$sql_cache[saved]++;
 	} else {
                $result = mysql_query($sql);
 	        if (!$result) {
        	        echo '<strong>Error:</strong> get_db_all_rows_sql ("'.$sql.'") :'. mysql_error ().'<br />';
                	return $retval;
        	}
                while ($row = mysql_fetch_array ($result)) {
                        array_push ($retval, $row);
                }
 		$sql_cache[$sql] = $retval;
 	}
-	while ($row = mysql_fetch_array ($result)) {
+	if(!empty($retval))	
-		array_push ($retval, $row);
+        	return $retval;
-	}
+	return ""; //Return empty because NULL is a possible database value
 	return $retval;
 }
 /**
@ -1384,10 +1348,11 @@ function get_db_all_rows_sql ($sql) {
 * @return A matrix with all the values in the table
 */
 function get_db_all_rows_in_table ($table, $order_field = "") {
-	if ($order_field != "")
+	if ($order_field != "") {
-		return get_db_all_rows_sql ('SELECT * FROM ' . $table . " ORDER BY $order_field ");
+		return get_db_all_rows_sql("SELECT * FROM `".$table."` ORDER BY `".$order_field."` ");
-	else	
+	} else {	
-		return get_db_all_rows_sql ('SELECT * FROM '.$table);
+		return get_db_all_rows_sql("SELECT * FROM `".$table."`");
 	}
 }
 /**
--- a/pandora_console/operation/agentes/estado_grupo.php
+++ b/pandora_console/operation/agentes/estado_grupo.php
@ -56,7 +56,7 @@ foreach ($groups as $id_group => $group_name) {
 		continue;
 	$total_agents += $agents;
-	$group_info = array ('agent' => 0,
+	$group_info = array ('agent' => $agents,
 			'ok' => 0,
 			'bad' => 0,
 			'alerts' => 0,