diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 8f9aae02c2..baa3c48ea1 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,10 +1,25 @@ +2008-07-13 Evi Vanoost + + * pandora_console/general/logon_ok.php: Made the query use sprintf (for security purposes) + + * pandora_console/include/functions_db.php: Made all the database queries relying on a single query function for simpler management + Also made sure that no functions returned NULL because NULL is a valid database value. + Also made a simple query cache array so that duplicate queries to generate a single page won't be repeated (ACL queries) + Also updated some other queries and functions (see the diff) and removed some old code + + * pandora_console/estado_grupo.php: Now with working agents counter! + + * pandora_console/general/footer.php: Just made a fancy counter that displays how much queries weren't duplicated (90 on some pages!!) + 2008-07-12 Evi Vanoost * pandora_console/operation/agentes/networkmap.php: Some minor bugfixes introduced with my changes yesterday - * pandora_console/general/links_menu.php: 2 queries for a menu? Changed it to a single query. This list will likely never be empty - if it is, Links section won't be generated + * pandora_console/general/links_menu.php: 2 queries for a menu? Changed it to a single query. + This list will likely never be empty - if it is, Links section won't be generated - * pandora_console/general/logon_ok.php: Updated the queries to go faster. Changed the timestamp calculation to an indexed query using utimestamp and UNIXTIME(NOW())-604800 + * pandora_console/general/logon_ok.php: Updated the queries to go faster. + Changed the timestamp calculation to an indexed query using utimestamp and UNIXTIME(NOW())-604800 * pandora_console/images/networkmap/8.png: Added the Mac OS X icon.. 
@@ -12,7 +27,8 @@ * pandora_console/operation/agentes/estado_grupo.php: Fixed the issue where all data was 0-ed out. There was an if-then-else construction that wasn't working well - * pandora_console/operation/agentes/networkmap.php: Made more extensive error messages that explains WHY it wasn't generating. Then also made it so the image is cached instead of regenerated every time (currently hardcoded at 5 min.). + * pandora_console/operation/agentes/networkmap.php: Made more extensive error messages that explains WHY it wasn't generating. + Then also made it so the image is cached instead of regenerated every time (currently hardcoded at 5 min.). 2008-07-10 Evi Vanoost diff --git a/pandora_console/general/footer.php b/pandora_console/general/footer.php index d328cbbd97..28edb7cc6c 100644 --- a/pandora_console/general/footer.php +++ b/pandora_console/general/footer.php @@ -19,13 +19,13 @@ global $config; echo "
"; echo ' -Pandora FMS '.$pandora_version.' Build '.$build_version.'
'. +Pandora FMS '.$pandora_version.' - Build '.$build_version.'
'. lang_string ("gpl_notice").'

'; if (isset($_SERVER['REQUEST_TIME'])) { $time = $_SERVER['REQUEST_TIME']; } else { $time = time(); } - echo "".$lang_label["gen_date"]." ".date("D F d, Y H:i:s", $time)."
"; + echo "".$lang_label["gen_date"]." ".date("D F d, Y H:i:s", $time)." - Saved ".$sql_cache["saved"]." Queries
"; echo "
"; ?> diff --git a/pandora_console/general/logon_ok.php b/pandora_console/general/logon_ok.php index 1c63a3545f..624204aa7d 100644 --- a/pandora_console/general/logon_ok.php +++ b/pandora_console/general/logon_ok.php @@ -28,7 +28,7 @@ echo "
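Review bot: `$sql_cache["saved"]` on the new generation-date line is read without any `global $sql_cache;` declaration, while the top of the same hunk declares `global $config;` — so if footer.php is included from inside a function (as that existing `global` suggests it can be) the counter is undefined and the footer prints "Saved  Queries". Extend the declaration to `global $config, $sql_cache;` and guard the read, e.g. `(isset($sql_cache["saved"]) ? $sql_cache["saved"] : 0)`. This also prints an internal query-cache statistic to every viewer of every page; it is harmless by itself, but a diagnostic like this is normally gated behind a debug setting rather than shown unconditionally.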

"; // Private messages pending to read ! -$sql='SELECT COUNT('id_mensaje') AS count FROM tmensajes WHERE id_usuario_destino="'.$nick.'" AND estado="FALSE";'; +$sql=sprintf("SELECT COUNT('id_mensaje') AS count FROM tmensajes WHERE id_usuario_destino='%s' AND estado='FALSE';",$nick); $resultado = mysql_query ($sql); $row = mysql_fetch_array ($resultado); if ($row["count"] != 0){ diff --git a/pandora_console/include/functions_db.php b/pandora_console/include/functions_db.php index b52ab3398b..745166c112 100644 --- a/pandora_console/include/functions_db.php +++ b/pandora_console/include/functions_db.php @@ -13,7 +13,6 @@ // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. - /** * Check if login session variables are set. * 
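Review bot: The new `sprintf()` on the `$sql=` line does not make this query safe — `%s` substitutes the string verbatim, so a `$nick` containing a single quote still breaks out of `id_usuario_destino='...'`, and the ChangeLog's "for security purposes" description is not borne out by the code. Escape the value for the driver in use: `$sql = sprintf("SELECT COUNT(*) AS count FROM tmensajes WHERE id_usuario_destino='%s' AND estado='FALSE'", mysql_real_escape_string($nick));`. That also replaces `COUNT('id_mensaje')`, which counts a string literal rather than the column (it happens to return the row count, but reads as a mistake). Where `$nick` is assigned lies outside this hunk, so whether it is user-controlled cannot be confirmed here; escaping it is correct either way.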
@@ -21,29 +20,26 @@ * * @return 0 on success */ -function check_login () { - global $config; - if (!isset($config["homedir"])){ - // No exists $config. Exit inmediatly - include ("general/noaccess.php"); - exit; - } - if ((isset($_SESSION["id_usuario"])) AND ($_SESSION["id_usuario"] != "")) { - $id = $_SESSION["id_usuario"]; - $query1="SELECT id_usuario FROM tusuario WHERE id_usuario= '$id'"; - $resq1 = mysql_query($query1); - $rowdup = mysql_fetch_array($resq1); - $nombre = $rowdup[0]; - if ( $id == $nombre ){ - return 0; - } - } - audit_db("N/A", getenv("REMOTE_ADDR"), "No session", "Trying to access without a valid session"); - include ($config["homedir"]."/general/noaccess.php"); - exit; +function check_login () { + global $config; + if (!isset($config["homedir"])){ + // No exists $config. Exit inmediatly + include("general/noaccess.php"); + exit; + } + if ((isset($_SESSION["id_usuario"])) AND ($_SESSION["id_usuario"] != "")) { + $id = get_db_value("id_usuario","tusuario","id_usuario",$_SESSION["id_usuario"]); + if ( $_SESSION["id_usuario"] == $id ){ + return 0; + } + } + audit_db("N/A", getenv("REMOTE_ADDR"), "No session", "Trying to access without a valid session"); + include ($config["homedir"]."/general/noaccess.php"); + exit; } -/** + +/** * Check access privileges to resources * * Access can be: 
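Review bot: The rewritten `check_login()` now pushes `$_SESSION["id_usuario"]` into SQL through `get_db_value()`, whose string branch formats the condition with a bare `'%s'` and no escaping; the session store is server-side so the exposure is limited, but the login gate is the last place that should depend on that. Pass the value through `mysql_real_escape_string()` (or have `get_db_value()` do it) and compare strictly, `if ($_SESSION["id_usuario"] === $id) {`, since `==` applies PHP's numeric-string coercion. The verdict now also rests on `get_db_value()` returning something unequal to the session value when no such user exists; with its new `return "";` that holds only because an empty session id is rejected on the line above, which deserves a comment such as `// an unknown user yields "" here, which the non-empty check above already excludes`.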
@@ -57,91 +53,69 @@ function check_login () { * DM - DB Management * LM - Alert Management * PM - Pandora Management - * - * @param id_user User id + * + * @param id_user User id * @param id_group Agents group id * @param access Access privilege - * + * * @return 1 if the user has privileges, 0 if not. - */ +**/ function give_acl ($id_user, $id_group, $access) { - // IF user is level = 1 then always return 1 - // Access can be: - /* - IR - Incident Read - IW - Incident Write - IM - Incident Management - AR - Agent Read - AW - Agent Write - LW - Alert Write - UM - User Management - DM - DB Management - LM - Alert Management - PM - Pandora Management - */ + // IF user is level = 1 then always return 1 + + global $config; + $nivel = get_db_value("nivel","tusuario","id_usuario",$id_user); + if ($nivel == 1) { + return 1; + //Apparently nivel is 1 if user has full admin access + } - global $config; - - $query1="SELECT * FROM tusuario WHERE id_usuario = '".$id_user."'"; - $res=mysql_query($query1); - $row=mysql_fetch_array($res); - if ($row["nivel"] == 1) - return 1; - if ($id_group == 0) // Group doesnt matter, any group, for check permission to do at least an action in a group - $query1="SELECT * FROM tusuario_perfil WHERE id_usuario = '".$id_user."'"; // GroupID = 0, group doesnt matter (use with caution!) - else - $query1="SELECT * FROM tusuario_perfil WHERE id_usuario = '".$id_user."' and ( id_grupo =".$id_group." OR id_grupo = 1)"; // GroupID = 1 ALL groups - $resq1=mysql_query($query1); - $result = 0; - while ($rowdup=mysql_fetch_array($resq1)){ - $id_perfil=$rowdup["id_perfil"]; + //Joined multiple queries into one. That saves on the query overhead and query cache. 
+ if ($id_group == 0) { + $query1=sprintf("SELECT `tperfil`.`incident_view`,`tperfil`.`incident_edit`,`tperfil`.`incident_management`,`tperfil`.`agent_view`,`tperfil`.`agent_edit`,`tperfil`.`alert_edit`,`tperfil`.`alert_management`,`tperfil`.`pandora_management`,`tperfil`.`db_management`,`tperfil`.`user_management` FROM `tusuario_perfil`,`tperfil` WHERE `tusuario_perfil`.`id_perfil` = `tperfil`.`id_perfil` AND `tusuario_perfil`.`id_usuario` = '%s'",$id_user); //GroupID = 0, access doesnt matter (use with caution!) - Any user gets access to group 0 + } else { + $query1=sprintf("SELECT `tperfil`.`incident_view`,`tperfil`.`incident_edit`,`tperfil`.`incident_management`,`tperfil`.`agent_view`,`tperfil`.`agent_edit`,`tperfil`.`alert_edit`,`tperfil`.`alert_management`,`tperfil`.`pandora_management`,`tperfil`.`db_management`,`tperfil`.`user_management` FROM `tusuario_perfil`,`tperfil` WHERE `tusuario_perfil`.`id_perfil` = `tperfil`.`id_perfil` +AND `tusuario_perfil`.`id_usuario` = '%s' AND (`tusuario_perfil`.`id_grupo` = '%d' OR `tusuario_perfil`.`id_grupo`= 1)",$id_user,$id_group); + } + + $rowdup = get_db_all_rows_sql($query1); + $result = 0; + $i = 0; + while($rowdup[$i]){ // For each profile for this pair of group and user do... 
- $query2="SELECT * FROM tperfil WHERE id_perfil = ".$id_perfil; - $resq2=mysql_query($query2); - if ($rowq2=mysql_fetch_array($resq2)){ switch ($access) { case "IR": - $result = $result + $rowq2["incident_view"]; - + $result += $rowdup[$i]["incident_view"]; break; case "IW": - $result = $result + $rowq2["incident_edit"]; - + $result += $rowdup[$i]["incident_edit"]; break; case "IM": - $result = $result + $rowq2["incident_management"]; - + $result += $rowdup[$i]["incident_management"]; break; case "AR": - $result = $result + $rowq2["agent_view"]; - + $result += $rowdup[$i]["agent_view"]; break; case "AW": - $result = $result + $rowq2["agent_edit"]; - + $result += $rowdup[$i]["agent_edit"]; break; case "LW": - $result = $result + $rowq2["alert_edit"]; - + $result += $rowdup[$i]["alert_edit"]; break; case "LM": - $result = $result + $rowq2["alert_management"]; - + $result += $rowdup[$i]["alert_management"]; break; case "PM": - $result = $result + $rowq2["pandora_management"]; - + $result += $rowdup[$i]["pandora_management"]; break; case "DM": - $result = $result + $rowq2["db_management"]; - + $result += $rowdup[$i]["db_management"]; break; case "UM": - $result = $result + $rowq2["user_management"]; - + $result += $rowdup[$i]["user_management"]; break; } - } + $i++; } if ($result > 1) $result = 1; @@ -157,9 +131,9 @@ function give_acl ($id_user, $id_group, $access) { * @param descripcion Long action description */ function audit_db ($id, $ip, $accion, $descripcion){ - $today=date('Y-m-d H:i:s'); $utimestamp = time(); - $sql1='INSERT INTO tsesion (ID_usuario, accion, fecha, IP_origen,descripcion, utimestamp) VALUES ("'.$id.'","'.$accion.'","'.$today.'","'.$ip.'","'.$descripcion.'", '.$utimestamp.')'; + $today=date('Y-m-d H:i:s',$utimestamp); + $sql1='INSERT INTO tsesion (ID_usuario, accion, fecha, IP_origen,descripcion, utimestamp) VALUES ("'.$id.'","'.$accion.'","'.$today.'","'.$ip.'","'.$descripcion.'", "'.$utimestamp.'")'; $result=mysql_query($sql1); } 
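Review bot: Both new `sprintf()` queries in `give_acl()` place `$id_user` into `` `id_usuario` = '%s' `` without escaping, so a user id containing a quote changes the ACL query; `$id_group` is safe only because it goes through `%d`. Escape once before the branch, `$id_user = mysql_real_escape_string($id_user);`, or move the escaping into the query helpers. The `while($rowdup[$i])` loop also relies on `get_db_all_rows_sql()` returning `""` for an empty result set and on indexing that string being falsy; `if (is_array($rowdup)) foreach ($rowdup as $perfil) { ... }` states the intent without depending on that. The change is otherwise fail-closed — a failed query produces an empty array and `$result` stays 0.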
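Review bot: The rebuilt INSERT in `audit_db()` still concatenates `$id`, `$accion`, `$ip` and `$descripcion` straight into the statement with no escaping, and this function is the audit trail — `logon_db()` passes it the login name, so whatever a caller hands in with a double quote both breaks the INSERT and can inject extra values into the log row. The result of `mysql_query()` is assigned and then ignored, so a failed audit write is silent. Build the statement with `sprintf()` and escape every string argument; the timestamp change itself (`date(..., $utimestamp)`) is fine.

```php
function audit_db ($id, $ip, $accion, $descripcion){
	$utimestamp = time();
	$today = date('Y-m-d H:i:s', $utimestamp);
	$sql1 = sprintf('INSERT INTO tsesion (ID_usuario, accion, fecha, IP_origen, descripcion, utimestamp) VALUES ("%s","%s","%s","%s","%s","%d")',
		mysql_real_escape_string($id), mysql_real_escape_string($accion), $today,
		mysql_real_escape_string($ip), mysql_real_escape_string($descripcion), $utimestamp);
	if (!mysql_query($sql1)) {
		error_log('audit_db: '.mysql_error()); // an audit write must not fail silently
	}
}
```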
@@ -171,11 +145,11 @@ function audit_db ($id, $ip, $accion, $descripcion){ */ function logon_db ($id_user, $ip) { global $config; - + audit_db ($id_user, $ip, "Logon", "Logged in"); - // Update last registry of user to get last logon - $sql = sprintf ('UPDATE tusuario fecha_registro = $today WHERE id_usuario = "%s"', $id_user); - $result = mysql_query ($sql); + // Update last registry of user to set last logon. How do we audit when the user was created then? + $sql = sprintf ('UPDATE tusuario SET fecha_registro = $today WHERE id_usuario = "%s"', $id_user); + mysql_query ($sql); } /** @@ -185,8 +159,7 @@ function logon_db ($id_user, $ip) { * @param ip Client user IP address. */ function logoff_db ($id_user, $ip) { - global $config; - audit_db ($config['id_user'], $ip, "Logoff", "Logged out"); + audit_db ($id_user, $ip, "Logoff", "Logged out"); } /** 
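Review bot: The corrected UPDATE on the `$sql = sprintf(...)` line of `logon_db()` still never takes effect: the format string is single-quoted, so MySQL receives the literal text `SET fecha_registro = $today` (and no `$today` exists in this function anyway), the statement fails to parse, and the unchecked `mysql_query()` hides the error — the last-logon time is never stored. Use `$sql = sprintf('UPDATE tusuario SET fecha_registro = "%s" WHERE id_usuario = "%s"', date('Y-m-d H:i:s'), mysql_real_escape_string($id_user));` and check the return value. The in-code question about losing the creation date is fair; a dedicated last-login column would keep both.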
@@ -1260,29 +1233,26 @@ function give_agent_id_from_module_id ($id_agent_module) { * @param field Field name to get * @param table Table to retrieve the data * @param field_search Field to filter elements - * @param condition Condition the field must have. + * @param condition Condition the field must have * * @return */ -function get_db_value ($field, $table, $field_search, $condition){ +$sql_cache=array('saved' => 0); +function get_db_value ($field, $table, $field_search=1, $condition=1){ + if (is_int ($condition)) { - $sql = sprintf ('SELECT %s FROM %s WHERE %s = %d', $field, $table, $field_search, $condition); + $sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%d'", $field, $table, $field_search, $condition); } else if (is_float ($condition) || is_double ($condition)) { - $sql = sprintf ('SELECT %s FROM %s WHERE %s = %f', $field, $table, $field_search, $condition); + $sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%f'", $field, $table, $field_search, $condition); } else { - $sql = sprintf ('SELECT %s FROM %s WHERE %s = "%s"', $field, $table, $field_search, $condition); + $sql = sprintf ("SELECT %s FROM `%s` WHERE `%s` = '%s'", $field, $table, $field_search, $condition); } - $sql .= ' LIMIT 1'; + $sql .= " LIMIT 1"; + $result = get_db_all_rows_sql($sql); + if(is_array($result)) + return $result[0][$field]; - $result = mysql_query ($sql); - if (! $result) { - echo 'Error: get_db_value("'.$sql.'") :'. mysql_error ().'
'; - return NULL; - } - if ($row = mysql_fetch_array ($result)) - return $row[0]; - - return NULL; + return ""; } /** @@ -1290,18 +1260,12 @@ function get_db_value ($field, $table, $field_search, $condition){ * * @param sql SQL select statement to execute. * - * @return The first row of the result. + * @return The first row of the result or something empty. */ function get_db_row_sql ($sql) { - $result = mysql_query ($sql); - if (! $result) { - echo 'Error: get_db_row("'.$sql.'") :'. mysql_error ().'
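Review bot: The string branch of `get_db_value()` still formats `$condition` with a plain `'%s'`, so any caller passing a user-supplied string (the function is now on the login path via `check_login()`) gets an injectable query; use `mysql_real_escape_string($condition)` there, and document that `$field`, `$table` and `$field_search` are identifiers that must be caller constants — the new backticks do not make them safe. The "no NULL" goal is only half met: when the query fails, `get_db_all_rows_sql()` returns `array()`, `is_array()` passes, and `$result[0][$field]` yields NULL, while a legitimately empty column value and a missing row are now both `""`. Guard the access, `if (is_array($result) && isset($result[0])) return $result[0][$field];`. The new defaults `$field_search=1, $condition=1` generate `` WHERE `1` = '1' ``, a lookup on a column named `1`; presumably unintended, worth confirming.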
'; - return NULL; - } - if ($row = mysql_fetch_array ($result)) - return $row; + $result = get_db_all_rows_sql($sql); - return NULL; + return $result[0]; } /** @@ -1317,18 +1281,19 @@ function get_db_row_sql ($sql) { * @return The first row of a database query. */ function get_db_row ($table, $field_search, $condition) { - global $config; if (is_int ($condition)) { - $sql = sprintf ('SELECT * FROM %s WHERE %s = %d', $table, $field_search, $condition); + $sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%d'", $table, $field_search, $condition); } else if (is_float ($condition) || is_double ($condition)) { - $sql = sprintf ('SELECT * FROM %s WHERE %s = %f', $table, $field_search, $condition); + $sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%f'", $table, $field_search, $condition); } else { - $sql = sprintf ('SELECT * FROM %s WHERE %s = "%s"', $table, $field_search, $condition); + $sql = sprintf ("SELECT * FROM `%s` WHERE `%s` = '%s'", $table, $field_search, $condition); } $sql .= ' LIMIT 1'; - return get_db_row_sql ($sql); + $result = get_db_all_rows_sql ($sql); + + return $result[0]; } /** @@ -1336,21 +1301,12 @@ function get_db_row ($table, $field_search, $condition) { * * @param sql SQL statement to execute * @param field Field number to get, beggining by 0. Default: 0 - * + * @param cache Cache the query while generating this page. Default: 1 * @return The selected field of the first row in a select statement. */ function get_db_sql ($sql, $field = 0) { - global $config; - - $result = mysql_query ($sql); - if (! $result) { - echo 'Error: get_db_sql ("'.$sql.'") :'. mysql_error ().'
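Review bot: `return $result[0];` at the end of the rewritten `get_db_row_sql()` indexes whatever `get_db_all_rows_sql()` handed back, which is `""` for no rows and `array()` on a query error, so callers receive `""`, NULL, or a row and the docblock's "something empty" does not tell them which. Normalise it: `return (is_array($result) && isset($result[0])) ? $result[0] : "";`, and consider logging the error case rather than folding it into "no rows".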
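Review bot: Same pattern as `get_db_value()`: the `else` branch of `get_db_row()` interpolates `$condition` with an unescaped `'%s'`, and the new `` `%s` `` backticks around `$table`/`$field_search` still leave identifier safety entirely to the caller. Escape the value, `mysql_real_escape_string($condition)`, and guard the final `return $result[0];` with `is_array($result) && isset($result[0])` so an empty or failed query returns `""` consistently instead of indexing a string.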
'; - return NULL; - } - if ($row = mysql_fetch_array ($result)) - return $row[$field]; - - return NULL; + $row = get_db_all_rows_sql($sql); + return $row[0][$field]; } /** @@ -1362,18 +1318,26 @@ function get_db_sql ($sql, $field = 0) { */ function get_db_all_rows_sql ($sql) { global $config; - $retval = array (); - $result = mysql_query ($sql); + global $sql_cache; + $retval = array(); - if (! $result) { - echo mysql_error (); - return array(); + if($sql_cache[$sql]) { + $retval = $sql_cache[$sql]; + $sql_cache[saved]++; + } else { + $result = mysql_query($sql); + if (!$result) { + echo 'Error: get_db_all_rows_sql ("'.$sql.'") :'. mysql_error ().'
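Review bot: The docblock of `get_db_sql()` gains `@param cache Cache the query while generating this page. Default: 1`, but the signature is still `get_db_sql ($sql, $field = 0)` — there is no such parameter, and caching is unconditional inside `get_db_all_rows_sql()`. Either drop that line or add the parameter and thread it through; a comment such as `// Results are served from the per-request $sql_cache; see get_db_all_rows_sql()` states what actually happens. `$row[0][$field]` also indexes `""` when there are no rows; `return (is_array($row) && isset($row[0])) ? $row[0][$field] : "";` avoids that.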
'; + return $retval; + } + while ($row = mysql_fetch_array ($result)) { + array_push ($retval, $row); + } + $sql_cache[$sql] = $retval; } - while ($row = mysql_fetch_array ($result)) { - array_push ($retval, $row); - } - - return $retval; + if(!empty($retval)) + return $retval; + return ""; //Return empty because NULL is a possible database value } /** @@ -1384,10 +1348,11 @@ function get_db_all_rows_sql ($sql) { * @return A matrix with all the values in the table */ function get_db_all_rows_in_table ($table, $order_field = "") { - if ($order_field != "") - return get_db_all_rows_sql ('SELECT * FROM ' . $table . " ORDER BY $order_field "); - else - return get_db_all_rows_sql ('SELECT * FROM '.$table); + if ($order_field != "") { + return get_db_all_rows_sql("SELECT * FROM `".$table."` ORDER BY `".$order_field."` "); + } else { + return get_db_all_rows_sql("SELECT * FROM `".$table."`"); + } } /** diff --git a/pandora_console/operation/agentes/estado_grupo.php b/pandora_console/operation/agentes/estado_grupo.php index 3d88089b84..200f68058b 100644 --- a/pandora_console/operation/agentes/estado_grupo.php +++ b/pandora_console/operation/agentes/estado_grupo.php @@ -56,7 +56,7 @@ foreach ($groups as $id_group => $group_name) { continue; $total_agents += $agents; - $group_info = array ('agent' => 0, + $group_info = array ('agent' => $agents, 'ok' => 0, 'bad' => 0, 'alerts' => 0,
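Review bot: `$sql_cache[saved]++` uses a bare constant `saved` rather than the string key the array was declared with (`'saved'`); PHP resolves it to `"saved"` with a notice today, but it is wrong and becomes fatal in newer versions — write `$sql_cache['saved']++;`. The lookup `if($sql_cache[$sql])` is a truthiness test, so an empty result set cached as `array()` is re-queried every time and never counted; use `if (array_key_exists($sql, $sql_cache)) {`. On the error path the new message echoes the full SQL text to the page, where the original printed only `mysql_error()`; that exposes table and column names and, for user-filtered queries, the value being looked up — send it to `error_log('get_db_all_rows_sql: '.mysql_error());` instead. A per-request cache keyed only on the SQL string also serves stale rows to any SELECT issued after an UPDATE/INSERT in the same request; whether a page does that is not visible here, but the cache needs invalidation or a bypass for that case.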
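Review bot: The backticks added around `$table` and `$order_field` in `get_db_all_rows_in_table()` only help when the names contain no backtick themselves; they do not turn an identifier into a parameter, so these arguments must still come from code, never from a request. A short allow-list check makes that explicit: `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) return array();` (and the same for `$order_field` when it is non-empty). Identifiers cannot be protected with `mysql_real_escape_string()`, which is for values only, so the check is the only defence this helper can offer.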