inc/record.inc.php
changeset 65 ce1c4d5e1576
parent 63 d76966db18e5
child 71 e1b918eaf69a
64:dab0e9deeb67 65:ce1c4d5e1576
    35 	 * NOTICE: Serial number *will* be RFC1912 compilant after update 
    35 	 * NOTICE: Serial number *will* be RFC1912 compilant after update 
    36 	 * NOTICE: This function will allow only 100 DNS zone transfers ;-)
    36 	 * NOTICE: This function will allow only 100 DNS zone transfers ;-)
    37 	 * YYYYMMDDnn
    37 	 * YYYYMMDDnn
    38 	 */
    38 	 */
    39 
    39 
    40 	$sqlq = "SELECT notified_serial FROM domains WHERE id = '".$domain_id."'";
    40 	$sqlq = "SELECT notified_serial FROM domains WHERE id = ".$db->quote($domain_id);
    41 	$notified_serial = $db->queryOne($sqlq);
    41 	$notified_serial = $db->queryOne($sqlq);
    42 
    42 
    43 	$sqlq = "SELECT content FROM records WHERE type = 'SOA' AND domain_id = '".$domain_id."'";
    43 	$sqlq = "SELECT content FROM records WHERE type = 'SOA' AND domain_id = ".$db->quote($domain_id);
    44 	$content = $db->queryOne($sqlq);
    44 	$content = $db->queryOne($sqlq);
    45     $need_to_update = false;
    45     $need_to_update = false;
    46 	
    46 	
    47 	// Getting the serial field.
    47 	// Getting the serial field.
    48 	$soa = explode(" ", $content);
    48 	$soa = explode(" ", $content);
    99 		// build new soa and update SQL after that
    99 		// build new soa and update SQL after that
   100 		for ($i = 0; $i < count($soa); $i++) 
   100 		for ($i = 0; $i < count($soa); $i++) 
   101 		{	
   101 		{	
   102 			$new_soa .= $soa[$i] . " "; 
   102 			$new_soa .= $soa[$i] . " "; 
   103 		}
   103 		}
   104 		$sqlq = "UPDATE records SET content = '".$new_soa."' WHERE domain_id = '".$domain_id."' AND type = 'SOA'";
   104 		$sqlq = "UPDATE records SET content = ".$db->quote($new_soa)." WHERE domain_id = ".$db->quote($domain_id)." AND type = 'SOA'";
   105 		$db->Query($sqlq);
   105 		$db->Query($sqlq);
   106 		return true;
   106 		return true;
   107 	}
   107 	}
   108 }  
   108 }  
   109 
   109 
   126 	}
   126 	}
   127 	if (is_numeric($zoneid))
   127 	if (is_numeric($zoneid))
   128 	{
   128 	{
   129 		validate_input($zoneid, $type, $content, $name, $prio, $ttl);
   129 		validate_input($zoneid, $type, $content, $name, $prio, $ttl);
   130                 $change = time();
   130                 $change = time();
   131                 $db->query("UPDATE records set name='$name', type='$type', content='$content', ttl='$ttl', prio='$prio', change_date='$change' WHERE id=$recordid");
   131                 $db->query("UPDATE records set name=".$db->quote($name).", type=".$db->quote($type).", content=".$db->quote($content).", ttl=".$db->quote($ttl).", prio=".$db->quote($prio).", change_date=".$db->quote($change)." WHERE id=".$db->quote($recordid));
   132 		
   132 		
   133 		/*
   133 		/*
   134 		 * Added by DeViCeD - Update SOA Serial number
   134 		 * Added by DeViCeD - Update SOA Serial number
   135 		 * There should be more checks
   135 		 * There should be more checks
   136 		 */
   136 		 */
   155 	{
   155 	{
   156 		error(ERR_RECORD_ACCESS_DENIED);
   156 		error(ERR_RECORD_ACCESS_DENIED);
   157 	}
   157 	}
   158 	if (is_numeric($zoneid) || is_numeric($userid) || is_numeric($recordid))
   158 	if (is_numeric($zoneid) || is_numeric($userid) || is_numeric($recordid))
   159 	{
   159 	{
   160 		$db->query("INSERT INTO record_owners (user_id, record_id) VALUES ('".$userid."','".$recordid."')");
   160 		$db->query("INSERT INTO record_owners (user_id, record_id) VALUES (".$db->quote($userid).", ".$db->quote($recordid).")");
   161 		return true;
   161 		return true;
   162 	}
   162 	}
   163 	else
   163 	else
   164 	{
   164 	{
   165 		error(sprintf(ERR_INV_ARGC, "add_record_owner", "at least one of the arguments is not numeric"));
   165 		error(sprintf(ERR_INV_ARGC, "add_record_owner", "at least one of the arguments is not numeric"));
   173 	{
   173 	{
   174 		error(ERR_RECORD_ACCESS_DENIED);
   174 		error(ERR_RECORD_ACCESS_DENIED);
   175 	}
   175 	}
   176 	if (is_numeric($zoneid) || is_numeric($rowid) || is_numeric($recordid))
   176 	if (is_numeric($zoneid) || is_numeric($rowid) || is_numeric($recordid))
   177 	{
   177 	{
   178 		$db->query("DELETE FROM record_owners WHERE id='".$rowid."' AND record_id='".$recordid."'");
   178 		$db->query("DELETE FROM record_owners WHERE id=".$db->quote($rowid)." AND record_id=".$db->quote($recordid));
   179 		return true;
   179 		return true;
   180 	}
   180 	}
   181 	else
   181 	else
   182 	{
   182 	{
   183 		error(sprintf(ERR_INV_ARGC, "delete_record_owner", "at least one of the arguments is not numeric"));
   183 		error(sprintf(ERR_INV_ARGC, "delete_record_owner", "at least one of the arguments is not numeric"));
   204 
   204 
   205 		// Generate new timestamp for the daemon
   205 		// Generate new timestamp for the daemon
   206 		$change = time();
   206 		$change = time();
   207 		
   207 		
   208 		// Execute query.
   208 		// Execute query.
   209 		$db->query("INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date) VALUES ($zoneid, '$name', '$type', '$content', $ttl, '$prio', $change)");
   209 		$db->query("INSERT INTO records (domain_id, name, type, content, ttl, prio, change_date) VALUES (".$db->quote($zoneid).", ".$db->quote($name).", ".$db->quote($type).", ".$db->quote($content).", ".$db->quote($ttl).", ".$db->quote($prio).", ".$db->quote($change).")");
   210 		if ($type != 'SOA')
   210 		if ($type != 'SOA')
   211 		{
   211 		{
   212 			update_soa_serial($zoneid);
   212 			update_soa_serial($zoneid);
   213 		}
   213 		}
   214 		return true;
   214 		return true;
   239         {
   239         {
   240                 error(sprintf(ERR_INV_ARGC, "add_supermaster", "supermaster already exists"));
   240                 error(sprintf(ERR_INV_ARGC, "add_supermaster", "supermaster already exists"));
   241         }
   241         }
   242         else
   242         else
   243         {
   243         {
   244                 $db->query("INSERT INTO supermasters VALUES ('$master_ip', '$ns_name', '$account')");
   244                 $db->query("INSERT INTO supermasters VALUES (".$db->quote($master_ip).", ".$db->quote($ns_name).", ".$db->quote($account).")");
   245                 return true;
   245                 return true;
   246         }
   246         }
   247 }
   247 }
   248 
   248 
   249 function delete_supermaster($master_ip)
   249 function delete_supermaster($master_ip)
   253         {
   253         {
   254                 error(ERR_LEVEL_5);
   254                 error(ERR_LEVEL_5);
   255         }
   255         }
   256         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   256         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   257         {
   257         {
   258                 $db->query("DELETE FROM supermasters WHERE ip = '$master_ip'");
   258                 $db->query("DELETE FROM supermasters WHERE ip = ".$db->quote($master_ip));
   259                 return true;
   259                 return true;
   260         }
   260         }
   261         else
   261         else
   262         {
   262         {
   263                 error(sprintf(ERR_INV_ARGC, "delete_supermaster", "No or no valid ipv4 or ipv6 address given."));
   263                 error(sprintf(ERR_INV_ARGC, "delete_supermaster", "No or no valid ipv4 or ipv6 address given."));
   271         {
   271         {
   272                 error(ERR_LEVEL_5);
   272                 error(ERR_LEVEL_5);
   273         }
   273         }
   274         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   274         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   275 	{
   275 	{
   276 	        $result = $db->queryRow("SELECT ip,nameserver,account FROM supermasters WHERE ip = '$master_ip'");
   276 	        $result = $db->queryRow("SELECT ip,nameserver,account FROM supermasters WHERE ip = ".$db->quote($master_ip));
   277 
   277 
   278 		$ret = array(
   278 		$ret = array(
   279 		"master_ip"	=>              $result["ip"],
   279 		"master_ip"	=>              $result["ip"],
   280 		"ns_name"	=>              $result["nameserver"],
   280 		"ns_name"	=>              $result["nameserver"],
   281 		"account"	=>              $result["account"]
   281 		"account"	=>              $result["account"]
   318 
   318 
   319 	}
   319 	}
   320 	if (is_numeric($id))
   320 	if (is_numeric($id))
   321 	{
   321 	{
   322 	    $did = recid_to_domid($id);
   322 	    $did = recid_to_domid($id);
   323 		$db->query('DELETE FROM records WHERE id=' . $id );
   323 		$db->query('DELETE FROM records WHERE id=' . $db->quote($id) );
   324 		if ($type != 'SOA')
   324 		if ($type != 'SOA')
   325 		{
   325 		{
   326 			update_soa_serial($did);
   326 			update_soa_serial($did);
   327 		}
   327 		}
   328         // $id doesnt exist in database anymore so its deleted or just not there which means "true"	
   328         // $id doesnt exist in database anymore so its deleted or just not there which means "true"	
   366 	// THAN
   366 	// THAN
   367 	// Continue this function
   367 	// Continue this function
   368 	if (($domain && $owner && $webip && $mailip) || ($empty && $owner && $domain) || (eregi('in-addr.arpa', $domain) && $owner) || $type=="SLAVE" && $domain && $owner && $slave_master)
   368 	if (($domain && $owner && $webip && $mailip) || ($empty && $owner && $domain) || (eregi('in-addr.arpa', $domain) && $owner) || $type=="SLAVE" && $domain && $owner && $slave_master)
   369 	{
   369 	{
   370                 // First insert zone into domain table
   370                 // First insert zone into domain table
   371                 $db->query("INSERT INTO domains (name, type) VALUES ('$domain', '$type')");
   371                 $db->query("INSERT INTO domains (name, type) VALUES (".$db->quote($domain).", ".$db->quote($type).")");
   372 
   372 
   373                 // Determine id of insert zone (in other words, find domain_id)
   373                 // Determine id of insert zone (in other words, find domain_id)
   374                 $iddomain = $db->lastInsertId('domains', 'id');
   374                 $iddomain = $db->lastInsertId('domains', 'id');
   375                 if (PEAR::isError($iddomain)) {
   375                 if (PEAR::isError($iddomain)) {
   376                         die($id->getMessage());
   376                         die($id->getMessage());
   377                 }
   377                 }
   378 
   378 
   379                 // Second, insert into zones tables
   379                 // Second, insert into zones tables
   380                 $db->query("INSERT INTO zones (domain_id, owner) VALUES ('$iddomain', $owner)");
   380                 $db->query("INSERT INTO zones (domain_id, owner) VALUES (".$db->quote($iddomain).", ".$db->quote($owner).")");
   381 
   381 
   382 		if ($type == "SLAVE")
   382 		if ($type == "SLAVE")
   383 		{
   383 		{
   384 			$db->query("UPDATE domains SET master = '$slave_master' WHERE id = '$iddomain';");
   384 			$db->query("UPDATE domains SET master = ".$db->quote($slave_master)." WHERE id = ".$db->quote($iddomain));
   385 			
   385 			
   386 			// Done
   386 			// Done
   387 			return true;
   387 			return true;
   388 		}
   388 		}
   389 		else
   389 		else
   398 				$ns1 = $GLOBALS["NS1"];
   398 				$ns1 = $GLOBALS["NS1"];
   399 				$hm  = $GLOBALS["HOSTMASTER"];
   399 				$hm  = $GLOBALS["HOSTMASTER"];
   400 				$ttl = $GLOBALS["DEFAULT_TTL"];
   400 				$ttl = $GLOBALS["DEFAULT_TTL"];
   401 
   401 
   402 				// Build and execute query
   402 				// Build and execute query
   403 				$sql = "INSERT INTO records (domain_id, name, content, type, ttl, prio, change_date) VALUES ('$iddomain', '$domain', '$ns1 $hm 1', 'SOA', $ttl, 0, '$now')";
   403 				$sql = "INSERT INTO records (domain_id, name, content, type, ttl, prio, change_date) VALUES (".$db->quote($iddomain).", ".$db->quote($domain).", ".$db->quote($ns1.' '.$hm.' 1').", 'SOA', ".$db->quote($ttl).", 0, ".$db->quote($now).")";
   404 				$db->query($sql);
   404 				$db->query($sql);
   405 
   405 
   406 				// Done
   406 				// Done
   407 				return true;
   407 				return true;
   408 			}
   408 			}
   428 						if (!$ttl)
   428 						if (!$ttl)
   429 						{
   429 						{
   430 							$ttl = $GLOBALS["DEFAULT_TTL"];
   430 							$ttl = $GLOBALS["DEFAULT_TTL"];
   431 						}
   431 						}
   432 
   432 
   433 						$sql = "INSERT INTO records (domain_id, name, content, type, ttl, prio, change_date) VALUES ('$iddomain', '$name','$content','$type','$ttl','$prio','$now')";
   433 						$sql = "INSERT INTO records (domain_id, name, content, type, ttl, prio, change_date) VALUES (".$db->quote($iddomain).", ".$db->quote($name).", ".$db->quote($content).", ".$db->quote($type).", ".$db->quote($ttl).", ".$db->quote($prio).", ".$db->quote($now).")";
   434 						$db->query($sql);
   434 						$db->query($sql);
   435 					}
   435 					}
   436 				}
   436 				}
   437 				// All done.
   437 				// All done.
   438 				return true;
   438 				return true;
   464 	}
   464 	}
   465 
   465 
   466 	// See if the ID is numeric.
   466 	// See if the ID is numeric.
   467 	if (is_numeric($id))
   467 	if (is_numeric($id))
   468 	{
   468 	{
   469 		$db->query("DELETE FROM zones WHERE domain_id=$id");
   469 		$db->query("DELETE FROM zones WHERE domain_id=".$db->quote($id));
   470 		$db->query("DELETE FROM domains WHERE id=$id");
   470 		$db->query("DELETE FROM domains WHERE id=".$db->quote($id));
   471 		$db->query("DELETE FROM records WHERE domain_id=$id");
   471 		$db->query("DELETE FROM records WHERE domain_id=".$db->quote($id));
   472 		// Nothing in the database. If the delete deleted 0 records it means the id is just not there.
   472 		// Nothing in the database. If the delete deleted 0 records it means the id is just not there.
   473 		// therefore the is no need to check the affectedRows values.
   473 		// therefore the is no need to check the affectedRows values.
   474 		return true;
   474 		return true;
   475 	}
   475 	}
   476 	else
   476 	else
   487 function recid_to_domid($id)
   487 function recid_to_domid($id)
   488 {
   488 {
   489 	global $db;
   489 	global $db;
   490 	if (is_numeric($id))
   490 	if (is_numeric($id))
   491 	{
   491 	{
   492 		$result = $db->query("SELECT domain_id FROM records WHERE id=$id");
   492 		$result = $db->query("SELECT domain_id FROM records WHERE id=".$db->quote($id));
   493 		$r = $result->fetchRow();
   493 		$r = $result->fetchRow();
   494 		return $r["domain_id"];
   494 		return $r["domain_id"];
   495 	}
   495 	}
   496 	else
   496 	else
   497 	{
   497 	{
   565 		error(ERR_LEVEL_5);
   565 		error(ERR_LEVEL_5);
   566 	}
   566 	}
   567 
   567 
   568 	if (is_numeric($domain) && is_numeric($newowner) && is_valid_user($newowner))
   568 	if (is_numeric($domain) && is_numeric($newowner) && is_valid_user($newowner))
   569 	{
   569 	{
   570 		if($db->queryOne("SELECT COUNT(id) FROM zones WHERE owner=$newowner AND domain_id=$domain") == 0)
   570 		if($db->queryOne("SELECT COUNT(id) FROM zones WHERE owner=".$db->quote($newowner)." AND domain_id=".$db->quote($domain)) == 0)
   571 		{
   571 		{
   572 			$db->query("INSERT INTO zones (domain_id, owner) VALUES($domain, $newowner)");
   572 			$db->query("INSERT INTO zones (domain_id, owner) VALUES(".$db->quote($domain).", ".$db->quote($newowner).")");
   573 		}
   573 		}
   574 		return true;
   574 		return true;
   575 	}
   575 	}
   576 	else
   576 	else
   577 	{
   577 	{
   581 
   581 
   582 
   582 
   583 function delete_owner($domain, $owner)
   583 function delete_owner($domain, $owner)
   584 {
   584 {
   585 	global $db;
   585 	global $db;
   586 	if($db->queryOne("SELECT COUNT(id) FROM zones WHERE owner=$owner AND domain_id=$domain") != 0)
   586 	if($db->queryOne("SELECT COUNT(id) FROM zones WHERE owner=".$db->quote($owner)." AND domain_id=".$db->quote($domain)) != 0)
   587 	{
   587 	{
   588 		$db->query("DELETE FROM zones WHERE owner=$owner AND domain_id=$domain");
   588 		$db->query("DELETE FROM zones WHERE owner=".$db->quote($owner)." AND domain_id=".$db->quote($domain));
   589 	}
   589 	}
   590 	return true;
   590 	return true;
   591 }
   591 }
   592 
   592 
   593 /*
   593 /*
   619 	}
   619 	}
   620 
   620 
   621 	// Get the domain id.
   621 	// Get the domain id.
   622 	$domid = recid_to_domid($recid);
   622 	$domid = recid_to_domid($recid);
   623 
   623 
   624 	$result = $db->query("select id, type from records where domain_id=$recid and type='$type'");
   624 	$result = $db->query("select id, type from records where domain_id=".$db->quote($recid)." and type=".$db->quote($type));
   625 	return $result;
   625 	return $result;
   626 }
   626 }
   627 
   627 
   628 
   628 
   629 /*
   629 /*
   633 function get_recordtype_from_id($id)
   633 function get_recordtype_from_id($id)
   634 {
   634 {
   635 	global $db;
   635 	global $db;
   636 	if (is_numeric($id))
   636 	if (is_numeric($id))
   637 	{
   637 	{
   638 		$result = $db->query("SELECT type FROM records WHERE id=$id");
   638 		$result = $db->query("SELECT type FROM records WHERE id=".$db->quote($id));
   639 		$r = $result->fetchRow();
   639 		$r = $result->fetchRow();
   640 		return $r["type"];
   640 		return $r["type"];
   641 	}
   641 	}
   642 	else
   642 	else
   643 	{
   643 	{
   653 function get_name_from_record_id($id)
   653 function get_name_from_record_id($id)
   654 {
   654 {
   655 	global $db;
   655 	global $db;
   656 	if (is_numeric($id))
   656 	if (is_numeric($id))
   657 	{
   657 	{
   658 		$result = $db->query("SELECT name FROM records WHERE id=$id");
   658 		$result = $db->query("SELECT name FROM records WHERE id=".$db->quote($id));
   659 		$r = $result->fetchRow();
   659 		$r = $result->fetchRow();
   660 		return $r["name"];
   660 		return $r["name"];
   661 	}
   661 	}
   662 	else
   662 	else
   663 	{
   663 	{
   683 		$res_full = $db->query("SELECT 
   683 		$res_full = $db->query("SELECT 
   684 					domains.id AS domain_id, 
   684 					domains.id AS domain_id, 
   685 					domains.name AS name 
   685 					domains.name AS name 
   686 					FROM domains 
   686 					FROM domains 
   687 					LEFT JOIN zones ON domains.id=zones.domain_id 
   687 					LEFT JOIN zones ON domains.id=zones.domain_id 
   688 					WHERE owner=$id"); 
   688 					WHERE owner=".$db->quote($id)); 
   689 		
   689 		
   690 		// Process the output.
   690 		// Process the output.
   691 
   691 
   692 		$numrows = $res_full->numRows();
   692 		$numrows = $res_full->numRows();
   693 		$i=1;
   693 		$i=1;
   708 				// Create AND NOT for query of zones the user has 
   708 				// Create AND NOT for query of zones the user has 
   709 				// only partial access to. In that query we just 
   709 				// only partial access to. In that query we just 
   710 				// want to see the zones he has not full access to 
   710 				// want to see the zones he has not full access to 
   711 				// as well.
   711 				// as well.
   712 
   712 
   713 				$andnot.=$r["domain_id"];
   713 				$andnot.=$db->quote($r["domain_id"]);
   714 				if ($i < $numrows) {
   714 				if ($i < $numrows) {
   715 					$andnot.=",";
   715 					$andnot.=",";
   716 					$i++;
   716 					$i++;
   717 				}
   717 				}
   718 
   718 
   728 
   728 
   729 		$res_partial = $db->query("SELECT DISTINCT 
   729 		$res_partial = $db->query("SELECT DISTINCT 
   730 					records.domain_id, 
   730 					records.domain_id, 
   731 					domains.name 
   731 					domains.name 
   732 					FROM records, record_owners, domains 
   732 					FROM records, record_owners, domains 
   733 					WHERE record_owners.user_id = '".$id."' 
   733 					WHERE record_owners.user_id = ".$db->quote($id)." 
   734 					AND records.id = record_owners.record_id 
   734 					AND records.id = record_owners.record_id 
   735 					AND domains.id = records.domain_id
   735 					AND domains.id = records.domain_id
   736 					".$andnot.";");
   736 					".$andnot);
   737 		
   737 		
   738 		// Add these zones to the array as well.
   738 		// Add these zones to the array as well.
   739 
   739 
   740 		while ($r = $res_partial->fetchRow())
   740 		while ($r = $res_partial->fetchRow())
   741 		{
   741 		{
   766 	{
   766 	{
   767 		error(ERR_RECORD_ACCESS_DENIED);
   767 		error(ERR_RECORD_ACCESS_DENIED);
   768 	}
   768 	}
   769 	if (is_numeric($id))
   769 	if (is_numeric($id))
   770 	{
   770 	{
   771 		$result = $db->query("SELECT name FROM domains WHERE id=$id");
   771 		$result = $db->query("SELECT name FROM domains WHERE id=".$db->quote($id));
   772 		if ($result->numRows() == 1)
   772 		if ($result->numRows() == 1)
   773 		{
   773 		{
   774  			$r = $result->fetchRow();
   774  			$r = $result->fetchRow();
   775  			return $r["name"];
   775  			return $r["name"];
   776 		}
   776 		}
   808 	domains.name AS name,
   808 	domains.name AS name,
   809 	users.fullname AS owner,
   809 	users.fullname AS owner,
   810 	count(record_owners.id) AS aantal
   810 	count(record_owners.id) AS aantal
   811 	FROM domains, users, record_owners, records
   811 	FROM domains, users, record_owners, records
   812 	
   812 	
   813         WHERE record_owners.user_id = ".$_SESSION["userid"]."
   813         WHERE record_owners.user_id = ".$db->quote($_SESSION["userid"])."
   814         AND record_owners.record_id = records.id
   814         AND record_owners.record_id = records.id
   815 	AND records.domain_id = ".$id."
   815 	AND records.domain_id = ".$db->quote($id)."
   816 
   816 
   817 	GROUP BY domains.name, owner, users.fullname, domains.type
   817 	GROUP BY domains.name, owner, users.fullname, domains.type
   818 	ORDER BY domains.name";
   818 	ORDER BY domains.name";
   819 	
   819 	
   820 	$result = $db->queryRow($sqlq);
   820 	$result = $db->queryRow($sqlq);
   881 	{
   881 	{
   882 		error(ERR_LEVEL_5);
   882 		error(ERR_LEVEL_5);
   883 	}
   883 	}
   884 	if (is_valid_domain($domain))
   884 	if (is_valid_domain($domain))
   885 	{
   885 	{
   886 		$result = $db->query("SELECT id FROM domains WHERE name='$domain'");
   886 		$result = $db->query("SELECT id FROM domains WHERE name=".$db->quote($domain));
   887 		if ($result->numRows() == 0)
   887 		if ($result->numRows() == 0)
   888 		{
   888 		{
   889 			return false;
   889 			return false;
   890 		}
   890 		}
   891 		elseif ($result->numRows() >= 1)
   891 		elseif ($result->numRows() >= 1)
   930         {
   930         {
   931                 error(ERR_LEVEL_5);
   931                 error(ERR_LEVEL_5);
   932         }
   932         }
   933         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   933         if (is_valid_ip($master_ip) || is_valid_ip6($master_ip))
   934         {
   934         {
   935                 $result = $db->query("SELECT ip FROM supermasters WHERE ip = '$master_ip'");
   935                 $result = $db->query("SELECT ip FROM supermasters WHERE ip = ".$db->quote($master_ip));
   936                 if ($result->numRows() == 0)
   936                 if ($result->numRows() == 0)
   937                 {
   937                 {
   938                         return false;
   938                         return false;
   939                 }
   939                 }
   940                 elseif ($result->numRows() >= 1)
   940                 elseif ($result->numRows() >= 1)
   959 {
   959 {
   960 	global $db;
   960 	global $db;
   961 	global $sql_regexp;
   961 	global $sql_regexp;
   962 	if((!level(5) || !$userid) && !level(10) && !level(5))
   962 	if((!level(5) || !$userid) && !level(10) && !level(5))
   963 	{
   963 	{
   964 		$add = " AND zones.owner=".$_SESSION["userid"];
   964 		$add = " AND zones.owner=".$db->quote($_SESSION["userid"]);
   965 	}
   965 	}
   966 	else
   966 	else
   967 	{
   967 	{
   968 		$add = "";
   968 		$add = "";
   969 	}
   969 	}
   975 	FROM domains
   975 	FROM domains
   976 	LEFT JOIN zones ON domains.id=zones.domain_id 
   976 	LEFT JOIN zones ON domains.id=zones.domain_id 
   977 	LEFT JOIN records ON records.domain_id=domains.id
   977 	LEFT JOIN records ON records.domain_id=domains.id
   978 	WHERE 1=1 $add ";
   978 	WHERE 1=1 $add ";
   979 	if ($letterstart!=all && $letterstart!=1) {
   979 	if ($letterstart!=all && $letterstart!=1) {
   980 	   $sqlq.=" AND substring(domains.name,1,1) ".$sql_regexp." '^".$letterstart."' ";
   980 	   $sqlq.=" AND substring(domains.name,1,1) ".$sql_regexp." ".$db->quote("^".$letterstart);
   981 	} elseif ($letterstart==1) {
   981 	} elseif ($letterstart==1) {
   982 	   $sqlq.=" AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'";
   982 	   $sqlq.=" AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'";
   983 	}
   983 	}
   984 	$sqlq.=" GROUP BY domainname, domains.id
   984 	$sqlq.=" GROUP BY domainname, domains.id
   985 	ORDER BY domainname
   985 	ORDER BY domainname";
   986 	LIMIT $rowamount OFFSET $rowstart";
   986 
   987 
   987 	$db->setLimit($rowstart, $rowamount);
   988 	$result = $db->query($sqlq);
   988 	$result = $db->query($sqlq);
       
   989 	// Set limit needs to be called before each query
       
   990 	$db->setLimit($rowstart, $rowamount);
   989 	$result2 = $db->query($sqlq); 
   991 	$result2 = $db->query($sqlq); 
   990 	
   992 	
   991 	$numrows = $result2->numRows();
   993 	$numrows = $result2->numRows();
   992 	$i=1;
   994 	$i=1;
   993 	if ($numrows > 0) {
   995 	if ($numrows > 0) {
   994 		$andnot=" AND NOT domains.id IN (";
   996 		$andnot=" AND NOT domains.id IN (";
   995 		while($r = $result2->fetchRow()) {
   997 		while($r = $result2->fetchRow()) {
   996 			$andnot.=$r["domain_id"];
   998 			$andnot.=$db->quote($r["domain_id"]);
   997 			if ($i < $numrows) {
   999 			if ($i < $numrows) {
   998 				$andnot.=",";
  1000 				$andnot.=",";
   999 				$i++;
  1001 				$i++;
  1000 			}
  1002 			}
  1001 		}
  1003 		}
  1010 
  1012 
  1011 		$sqlq = "SELECT domains.id AS domain_id,
  1013 		$sqlq = "SELECT domains.id AS domain_id,
  1012 		count(DISTINCT record_owners.record_id) AS aantal,
  1014 		count(DISTINCT record_owners.record_id) AS aantal,
  1013 		domains.name AS domainname
  1015 		domains.name AS domainname
  1014 		FROM domains, record_owners,records, zones
  1016 		FROM domains, record_owners,records, zones
  1015 		WHERE record_owners.user_id = '".$_SESSION["userid"]."'
  1017 		WHERE record_owners.user_id = ".$db->quote($_SESSION["userid"])."
  1016 		AND (records.id = record_owners.record_id
  1018 		AND (records.id = record_owners.record_id
  1017 		AND domains.id = records.domain_id)
  1019 		AND domains.id = records.domain_id)
  1018 		$andnot 
  1020 		$andnot 
  1019 		AND domains.name LIKE '".$letterstart."%' 
  1021 		AND domains.name LIKE ".$db->quote($letterstart."%")." 
  1020 		AND (zones.domain_id != records.domain_id AND zones.owner!='".$_SESSION["userid"]."')
  1022 		AND (zones.domain_id != records.domain_id AND zones.owner!=".$db->quote($_SESSION["userid"]).")
  1021 		GROUP BY domainname, domains.id
  1023 		GROUP BY domainname, domains.id
  1022 		ORDER BY domainname";
  1024 		ORDER BY domainname";
  1023 
  1025 
  1024 		$result_extra = $db->query($sqlq);
  1026 		$result_extra = $db->query($sqlq);
  1025 
  1027 
  1027 
  1029 
  1028 		$sqlq = "SELECT domains.id AS domain_id,
  1030 		$sqlq = "SELECT domains.id AS domain_id,
  1029 		count(DISTINCT record_owners.record_id) AS aantal,
  1031 		count(DISTINCT record_owners.record_id) AS aantal,
  1030 		domains.name AS domainname
  1032 		domains.name AS domainname
  1031 		FROM domains, record_owners,records, zones
  1033 		FROM domains, record_owners,records, zones
  1032 		WHERE record_owners.user_id = '".$_SESSION["userid"]."'
  1034 		WHERE record_owners.user_id = ".$db->quote($_SESSION["userid"])."
  1033 		AND (records.id = record_owners.record_id
  1035 		AND (records.id = record_owners.record_id
  1034 		AND domains.id = records.domain_id)
  1036 		AND domains.id = records.domain_id)
  1035 		$andnot 
  1037 		$andnot 
  1036 		AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'
  1038 		AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'
  1037 		AND (zones.domain_id != records.domain_id AND zones.owner!='".$_SESSION["userid"]."')
  1039 		AND (zones.domain_id != records.domain_id AND zones.owner!=".$db->quote($_SESSION["userid"]).")
  1038 		GROUP BY domainname, domains.id
  1040 		GROUP BY domainname, domains.id
  1039 		ORDER BY domainname";
  1041 		ORDER BY domainname";
  1040 
  1042 
  1041 		$result_extra[$i] = $db->query($sqlq);
  1043 		$result_extra[$i] = $db->query($sqlq);
  1042 
  1044 
  1107         global $db;
  1109         global $db;
  1108 	global $sql_regexp;
  1110 	global $sql_regexp;
  1109         if((!level(5) || !$userid) && !level(10) && !level(5))
  1111         if((!level(5) || !$userid) && !level(10) && !level(5))
  1110         {
  1112         {
  1111 		// First select the zones for which we have ownership on one or more records.
  1113 		// First select the zones for which we have ownership on one or more records.
  1112 		$query = 'SELECT records.domain_id FROM records, record_owners WHERE user_id = '.$_SESSION['userid'].' AND records.id = record_owners.record_id';
  1114 		$query = 'SELECT records.domain_id FROM records, record_owners WHERE user_id = '.$db->quote($_SESSION['userid']).' AND records.id = record_owners.record_id';
  1113 		$result = $db->query($query);
  1115 		$result = $db->query($query);
  1114 		$zones = array();
  1116 		$zones = array();
  1115 		if (!PEAR::isError($result)) {
  1117 		if (!PEAR::isError($result)) {
  1116 			$zones = $result->fetchCol();
  1118 			$zones = $result->fetchCol();
  1117 		}
  1119 		}
  1118 	
  1120 	
  1119                 $add = " AND (zones.owner=".$_SESSION["userid"];
  1121                 $add = " AND (zones.owner=".$db->quote($_SESSION["userid"]);
  1120 		if (count($zones) > 0) {
  1122 		if (count($zones) > 0) {
  1121 			$add .= ' OR zones.domain_id IN ('.implode(',', $zones).') '; 
  1123 			$add .= ' OR zones.domain_id IN ('.implode(',', $zones).') '; 
  1122 
  1124 
  1123 		}
  1125 		}
  1124 		$add .= ')';
  1126 		$add .= ')';
  1127         {
  1129         {
  1128                 $add = "";
  1130                 $add = "";
  1129         }
  1131         }
  1130 
  1132 
  1131         if ($letterstart!=all && $letterstart!=1) {
  1133         if ($letterstart!=all && $letterstart!=1) {
  1132            $add .=" AND domains.name LIKE '".$letterstart."%' ";
  1134            $add .=" AND domains.name LIKE ".$db->quote($letterstart."%")." ";
  1133         } elseif ($letterstart==1) {
  1135         } elseif ($letterstart==1) {
  1134            $add .=" AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'";
  1136            $add .=" AND substring(domains.name,1,1) ".$sql_regexp." '^[[:digit:]]'";
  1135         }
  1137         }
  1136 
  1138 
  1137         if (level(5))
  1139         if (level(5))
  1154 function get_record_from_id($id)
  1156 function get_record_from_id($id)
  1155 {
  1157 {
  1156 	global $db;
  1158 	global $db;
  1157 	if (is_numeric($id))
  1159 	if (is_numeric($id))
  1158 	{
  1160 	{
  1159 		$result = $db->query("SELECT id, domain_id, name, type, content, ttl, prio, change_date FROM records WHERE id=$id");
  1161 		$result = $db->query("SELECT id, domain_id, name, type, content, ttl, prio, change_date FROM records WHERE id=".$db->quote($id));
  1160 		if($result->numRows() == 0)
  1162 		if($result->numRows() == 0)
  1161 		{
  1163 		{
  1162 			return -1;
  1164 			return -1;
  1163 		}
  1165 		}
  1164 		elseif ($result->numRows() == 1)
  1166 		elseif ($result->numRows() == 1)
  1197 {
  1199 {
  1198 	global $db;
  1200 	global $db;
  1199 	if (is_numeric($id))
  1201 	if (is_numeric($id))
  1200 	{
  1202 	{
  1201 		if ($_SESSION[$id."_ispartial"] == 1) {
  1203 		if ($_SESSION[$id."_ispartial"] == 1) {
  1202 
  1204 		$db->setLimit($rowstart, $rowamount);
  1203 		$result = $db->query("SELECT record_owners.record_id as id
  1205 		$result = $db->query("SELECT record_owners.record_id as id
  1204 		FROM record_owners,domains,records
  1206 		FROM record_owners,domains,records
  1205 		WHERE record_owners.user_id = ".$_SESSION["userid"]."
  1207 		WHERE record_owners.user_id = ".$db->quote($_SESSION["userid"])."
  1206 		AND record_owners.record_id = records.id
  1208 		AND record_owners.record_id = records.id
  1207 		AND records.domain_id = ".$id."
  1209 		AND records.domain_id = ".$db->quote($id)."
  1208 		GROUP bY record_owners.record_id
  1210 		GROUP bY record_owners.record_id");
  1209 		LIMIT $rowamount OFFSET $rowstart");
       
  1210 
  1211 
  1211 		$ret = array();
  1212 		$ret = array();
  1212 		if($result->numRows() == 0)
  1213 		if($result->numRows() == 0)
  1213 		{
  1214 		{
  1214 		return -1;
  1215 		return -1;
  1225 		}
  1226 		}
  1226 		return $ret;
  1227 		return $ret;
  1227 		}
  1228 		}
  1228 
  1229 
  1229 		} else {
  1230 		} else {
  1230 
  1231 		$db->setLimit($rowstart, $rowamount);
  1231 		$result = $db->query("SELECT id FROM records WHERE domain_id=$id LIMIT $rowamount OFFSET $rowstart");
  1232 		$result = $db->query("SELECT id FROM records WHERE domain_id=".$db->quote($id));
  1232 		$ret = array();
  1233 		$ret = array();
  1233 		if($result->numRows() == 0)
  1234 		if($result->numRows() == 0)
  1234 		{
  1235 		{
  1235 			return -1;
  1236 			return -1;
  1236 		}
  1237 		}
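Review bot: The two new `$db->setLimit($rowstart, $rowamount);` calls in this hunk (in the `_ispartial` branch and in the `else` branch) look like they pass their arguments in the wrong order: if `$db` is PEAR MDB2, whose `quote`/`queryOne`/`numRows` methods this file uses, the signature is `setLimit($limit, $offset = null)`, so this sets the row limit to the start offset and the offset to the page size, changing paging compared with the removed `LIMIT $rowamount OFFSET $rowstart`. The fix is `$db->setLimit($rowamount, $rowstart);` in both places. Moving the values out of the interpolated SQL is the right direction, but nothing visible here casts `$rowstart` and `$rowamount` to integers, so either confirm the driver does so or cast at the call site with `(int)`. The enclosing function starts before the hunk, so where these two values come from cannot be checked from this view.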
  1257 
  1258 
  1258 
  1259 
  1259 function get_users_from_domain_id($id)
  1260 function get_users_from_domain_id($id)
  1260 {
  1261 {
  1261 	global $db;
  1262 	global $db;
  1262 	$result = $db->queryCol("SELECT owner FROM zones WHERE domain_id=$id");
  1263 	$result = $db->queryCol("SELECT owner FROM zones WHERE domain_id=".$db->quote($id));
  1263 	$ret = array();
  1264 	$ret = array();
  1264 	foreach($result as $uid)
  1265 	foreach($result as $uid)
  1265 	{
  1266 	{
  1266 		$fullname = $db->queryOne("SELECT fullname FROM users WHERE id=$uid");
  1267 		$fullname = $db->queryOne("SELECT fullname FROM users WHERE id=".$db->quote($uid));
  1267 		$ret[] = array(
  1268 		$ret[] = array(
  1268 		"id" 		=> 	$uid,
  1269 		"id" 		=> 	$uid,
  1269 		"fullname"	=>	$fullname		
  1270 		"fullname"	=>	$fullname		
  1270 		);		
  1271 		);		
  1271 	}
  1272 	}
  1279 
  1280 
  1280 	if (is_valid_search($question))
  1281 	if (is_valid_search($question))
  1281 	{
  1282 	{
  1282 		$sqlq = "SELECT * 
  1283 		$sqlq = "SELECT * 
  1283 				FROM records 
  1284 				FROM records 
  1284 				WHERE content LIKE '".$question."' 
  1285 				WHERE content LIKE ".$db->quote($question)." 
  1285 				OR name LIKE '".$question."' 
  1286 				OR name LIKE ".$db->quote($question)."
  1286 				ORDER BY type DESC";
  1287 				ORDER BY type DESC";
  1287 		$result = $db->query($sqlq);
  1288 		$result = $db->query($sqlq);
  1288 		$ret_r = array();
  1289 		$ret_r = array();
  1289 		while ($r = $result->fetchRow())
  1290 		while ($r = $result->fetchRow())
  1290 		{
  1291 		{
  1305 
  1306 
  1306 		$sqlq = "SELECT domains.id, domains.name, count(records.id) AS numrec, zones.owner, records.domain_id
  1307 		$sqlq = "SELECT domains.id, domains.name, count(records.id) AS numrec, zones.owner, records.domain_id
  1307 				FROM domains, records, zones  
  1308 				FROM domains, records, zones  
  1308 				WHERE domains.id = records.domain_id 
  1309 				WHERE domains.id = records.domain_id 
  1309 				AND zones.domain_id = domains.id 
  1310 				AND zones.domain_id = domains.id 
  1310 				AND domains.name LIKE '".$question."' 
  1311 				AND domains.name LIKE ".$db->quote($question)." 
  1311 				GROUP BY domains.id, domains.name, zones.owner, records.domain_id";
  1312 				GROUP BY domains.id, domains.name, zones.owner, records.domain_id";
  1312 		$result = $db->query($sqlq);
  1313 		$result = $db->query($sqlq);
  1313 		$ret_d = array();
  1314 		$ret_d = array();
  1314 		while ($r = $result->fetchRow())
  1315 		while ($r = $result->fetchRow())
  1315 		{
  1316 		{
  1335 function get_domain_type($id)
  1336 function get_domain_type($id)
  1336 {
  1337 {
  1337 	global $db;
  1338 	global $db;
  1338         if (is_numeric($id))
  1339         if (is_numeric($id))
  1339 	{
  1340 	{
  1340 		$type = $db->queryOne("SELECT type FROM domains WHERE id = '".$id."'");
  1341 		$type = $db->queryOne("SELECT type FROM domains WHERE id = ".$db->quote($id));
  1341 		if($type == "")
  1342 		if($type == "")
  1342 		{
  1343 		{
  1343 			$type = "NATIVE";
  1344 			$type = "NATIVE";
  1344 		}
  1345 		}
  1345 		return $type;
  1346 		return $type;
  1353 function get_domain_slave_master($id)
  1354 function get_domain_slave_master($id)
  1354 {
  1355 {
  1355 	global $db;
  1356 	global $db;
  1356         if (is_numeric($id))
  1357         if (is_numeric($id))
  1357 	{
  1358 	{
  1358 		$slave_master = $db->queryOne("SELECT master FROM domains WHERE type = 'SLAVE' and id = '".$id."'");
  1359 		$slave_master = $db->queryOne("SELECT master FROM domains WHERE type = 'SLAVE' and id = ".$db->quote($id));
  1359 		return $slave_master;
  1360 		return $slave_master;
  1360         }
  1361         }
  1361         else
  1362         else
  1362         {
  1363         {
  1363                 error(sprintf(ERR_INV_ARG, "get_domain_slave_master", "no or no valid zoneid given"));
  1364                 error(sprintf(ERR_INV_ARG, "get_domain_slave_master", "no or no valid zoneid given"));
  1375 		// fiedl, but it is cleaner anyway.
  1376 		// fiedl, but it is cleaner anyway.
  1376 		if ($type != "SLAVE")
  1377 		if ($type != "SLAVE")
  1377 		{
  1378 		{
  1378 			$add = ", master=''";
  1379 			$add = ", master=''";
  1379 		}
  1380 		}
  1380 		$result = $db->query("UPDATE domains SET type = '" .$type. "'".$add." WHERE id = '".$id."'");
  1381 		$result = $db->query("UPDATE domains SET type = " .$db->quote($type). $add." WHERE id = ".$db->quote($id));
  1381 	}
  1382 	}
  1382         else
  1383         else
  1383         {
  1384         {
  1384                 error(sprintf(ERR_INV_ARG, "change_domain_type", "no or no valid zoneid given"));
  1385                 error(sprintf(ERR_INV_ARG, "change_domain_type", "no or no valid zoneid given"));
  1385         }
  1386         }
  1390 	global $db;
  1391 	global $db;
  1391         if (is_numeric($id))
  1392         if (is_numeric($id))
  1392 	{
  1393 	{
  1393        		if (is_valid_ip($slave_master) || is_valid_ip6($slave_master))
  1394        		if (is_valid_ip($slave_master) || is_valid_ip6($slave_master))
  1394 		{
  1395 		{
  1395 			$result = $db->query("UPDATE domains SET master = '" .$slave_master. "' WHERE id = '".$id."'");
  1396 			$result = $db->query("UPDATE domains SET master = " .$db->quote($slave_master). " WHERE id = ".$db->quote($id));
  1396 		}
  1397 		}
  1397 		else
  1398 		else
  1398 		{
  1399 		{
  1399 			error(sprintf(ERR_INV_ARGC, "change_domain_slave_master", "This is not a valid IPv4 or IPv6 address: $slave_master"));
  1400 			error(sprintf(ERR_INV_ARGC, "change_domain_slave_master", "This is not a valid IPv4 or IPv6 address: $slave_master"));
  1400 		}
  1401 		}