Compare commits
3 Commits
f75b512a63
...
6b285ac769
| Author | SHA1 | Date | |
|---|---|---|---|
|
6b285ac769 | ||
|
|
c01372a983 | ||
|
|
af854c0a46 |
57
access.php
57
access.php
@ -1,41 +1,58 @@
|
||||
<?php
|
||||
include_once('includes/functions.php');
|
||||
// include_once('includes/config/config.php');
|
||||
$menu_key=$_SESSION['menu_key'];
|
||||
//echo "<script>alert(".$_SESSION['menu_key'].")</script>";
|
||||
$access_level=getaccesslevel($_SESSION['RoleId'] ,$menu_key);
|
||||
|
||||
// Check if session variables exist
|
||||
$menu_key = isset($_SESSION['menu_key']) ? $_SESSION['menu_key'] : '';
|
||||
$role_id = isset($_SESSION['RoleId']) ? $_SESSION['RoleId'] : '';
|
||||
|
||||
if (!empty($role_id) && !empty($menu_key)) {
|
||||
$access_level = getaccesslevel($role_id, $menu_key);
|
||||
$_SESSION['access_key'] = $access_level;
|
||||
//echo "aceess======".$access_level;
|
||||
|
||||
// Check for specific page conditions
|
||||
if (
|
||||
is_string($__currentPage) &&
|
||||
(
|
||||
(strripos($__currentPage, "interim", 5) !== false) ||
|
||||
(strripos($__currentPage, "review_ohc_selection") !== false)
|
||||
(stripos($__currentPage, "interim") !== false) ||
|
||||
(stripos($__currentPage, "review_ohc_selection") !== false)
|
||||
)
|
||||
) {
|
||||
|
||||
// Do nothing if condition matches
|
||||
} else {
|
||||
$acn="";
|
||||
$acn= $_REQUEST['acn'] or $_REQUEST['frmacn'];
|
||||
$sql_access= "select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."' and menu_id='".$menu_key."'";
|
||||
//echo $sql_access;
|
||||
//$l->log($sql_access, PEAR_LOG_INFO);
|
||||
$acn = isset($_REQUEST['acn']) ? $_REQUEST['acn'] : (isset($_REQUEST['frmacn']) ? $_REQUEST['frmacn'] : '');
|
||||
|
||||
// SQL query to check menu access
|
||||
$sql_access = "SELECT menu_id FROM assign_menu WHERE role_id='" . mysqli_real_escape_string($conn, $role_id) . "' AND menu_id='" . mysqli_real_escape_string($conn, $menu_key) . "'";
|
||||
error_log("sql_access".$sql_access);
|
||||
$result_access = mysqli_query($conn, $sql_access);
|
||||
$count_access=@mysqli_num_rows($result_access);
|
||||
//echo $count_access;
|
||||
if((isset($menu_key) && $menu_key!='') && $count_access==0){
|
||||
//$l->log("inside first check", PEAR_LOG_INFO);
|
||||
$count_access = mysqli_num_rows($result_access);
|
||||
|
||||
// Access control checks
|
||||
if (!empty($menu_key) && $count_access == 0) {
|
||||
echo "<script>location.href='error.php'</script>";
|
||||
exit;
|
||||
} else {
|
||||
if(isset($acn) && ($acn=="delete" || $acn=="Delete") && $access_level!='E'){
|
||||
if (
|
||||
!empty($acn) &&
|
||||
(($acn == "delete" || $acn == "Delete") && $access_level != 'E')
|
||||
) {
|
||||
echo "<script>location.href='error.php'</script>";
|
||||
//$l->log("inside second check", PEAR_LOG_INFO);
|
||||
}else if(isset($acn) &&($acn=="Add" || $acn=="Save"|| $acn=="add"|| $acn=="Update"|| $acn=="update") && ($access_level!='W' && $access_level!='E' && $access_level!='R' )){
|
||||
exit;
|
||||
} else if (
|
||||
!empty($acn) &&
|
||||
(in_array(strtolower($acn), ['add', 'save', 'update']) && !in_array($access_level, ['W', 'E', 'R']))
|
||||
) {
|
||||
echo "<script>location.href='error.php'</script>";
|
||||
//$l->log("inside third check", PEAR_LOG_INFO);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
// Validate the request for special characters
|
||||
validateRequest();
|
||||
}
|
||||
} else {
|
||||
// echo "<script>location.href='error.php'</script>";
|
||||
// exit;
|
||||
}
|
||||
?>
|
||||
@ -1493,7 +1493,8 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
|
||||
|
||||
<?php
|
||||
|
||||
$docs_select_query = "select * from employee_docs where emp_id=$emp_id";
|
||||
$docs_select_query = "select * from employee_docs where emp_id='$emp_id'";
|
||||
error_log($docs_select_query . " ERROR " . mysqli_error($conn));
|
||||
|
||||
$docs_result = @mysqli_query($conn, $docs_select_query);
|
||||
|
||||
@ -1550,7 +1551,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
|
||||
|
||||
|
||||
|
||||
<?php } ?>
|
||||
<?php }else { ?>
|
||||
|
||||
|
||||
|
||||
@ -1601,6 +1602,7 @@ $non_emp = getTableFieldValue('patient_category', 'patient_cat_id', 'patient_cat
|
||||
|
||||
|
||||
<?php $count++;
|
||||
}
|
||||
} ?>
|
||||
|
||||
|
||||
|
||||
@ -2,3 +2,7 @@ ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`, ADD
|
||||
|
||||
-- Dushant
|
||||
ALTER TABLE `calibration_item_tbl` ADD `status` VARCHAR(100) NOT NULL AFTER `bill_file_type`;
|
||||
|
||||
|
||||
-- Dushant
|
||||
ALTER TABLE `sop_document` ADD `last_renewal_date` DATE NOT NULL AFTER `id`;
|
||||
|
||||
@ -3883,36 +3883,33 @@ function getTodayStockCount()
|
||||
}
|
||||
}
|
||||
function validateRequest()
|
||||
|
||||
{
|
||||
$special_chars = "'^<5E>$%()}{~><>,|=_+<2B>-"; // all the special characters you want to check for
|
||||
|
||||
$special_chars = preg_quote("^$%()}{~><>,|=_+-", '/'); // Use preg_quote to escape special characters for regex
|
||||
$return = array();
|
||||
|
||||
$return['msg'] = "Internal Server Error";
|
||||
|
||||
foreach ($_REQUEST as $formKey => $formKeyVal) {
|
||||
|
||||
if (preg_match('/' . $special_chars . '/', $formKeyVal) || preg_match('/' . $special_chars . '/', $formKey)) {
|
||||
|
||||
// echo "<script>alert('Manoj'+'".$formKey."=".$formKeyVal."')</script>";
|
||||
if (
|
||||
preg_match('/[' . $special_chars . ']/', $formKeyVal) ||
|
||||
preg_match('/[' . $special_chars . ']/', $formKey)
|
||||
) {
|
||||
// Debugging line to log what is triggering the error
|
||||
// echo "<script>alert('Special character detected in: " . $formKey . " = " . $formKeyVal . "')</script>";
|
||||
|
||||
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
|
||||
|
||||
header('Cache-Control: no-cache, must-revalidate');
|
||||
|
||||
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
|
||||
|
||||
header('Content-type: application/json');
|
||||
|
||||
die(json_encode($return));
|
||||
}
|
||||
|
||||
echo "<script>location.href='error.php'</script>";
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
*
|
||||
* Takes input as array suitable for multiselect form attributes
|
||||
|
||||
@ -956,7 +956,9 @@
|
||||
include('form/checkup_type_modal.php');
|
||||
?>
|
||||
<?php include('form/medical_full_view.php'); ?>
|
||||
<?php include_once('full_view_medical.php'); ?>
|
||||
<?php
|
||||
// include_once('full_view_medical.php');
|
||||
?>
|
||||
<?php include_once('select_checkup_type_s.php'); ?>
|
||||
<?php include_once('form/form_o.php'); ?>
|
||||
<?php include_once('form/form_33.php'); ?>
|
||||
|
||||
@ -25,6 +25,7 @@ $ohc_type = $_SESSION['current_ohcttype']?>
|
||||
<!-- End of breadcrumb -->
|
||||
<?php
|
||||
|
||||
|
||||
$db_new_date="";
|
||||
$last_day="";
|
||||
$m=0;
|
||||
@ -48,7 +49,10 @@ $y = date('Y',strtotime("".$selectedShiftYear."-".($selectedShiftMonth+1)."-01")
|
||||
|
||||
$shift_status_options = generateOption('shift_status','status_name','shift_status_id','','','');
|
||||
// generateOptionForMultipleWithWhereClause('shift_status','status_name','shift_status_id','','','is_shift','Y');
|
||||
|
||||
error_log("MONTh " . $m);
|
||||
error_log("Year " . $y);
|
||||
error_log("LAST DATE " . $last_day);
|
||||
$last_day = date_format(date_create($last_day), 'd');
|
||||
?>
|
||||
<script>
|
||||
var jsonArrayShiftData = <?php echo json_encode($shift_data); ?>;
|
||||
@ -61,7 +65,7 @@ var jsonArrayShiftData = <?php echo json_encode($shift_data); ?>;
|
||||
<div class="page-content">
|
||||
<div class="box box-primary"
|
||||
style="padding: 10px; margin: 2px 0px 50px 5px; width: 99.5%;">
|
||||
<form id="shift_form" method="post">
|
||||
<form id="shift_form" action="shift_details.php" method="post">
|
||||
<!-- box-body-->
|
||||
<div class="box-body" id="reload_amb">
|
||||
|
||||
@ -115,10 +119,12 @@ var jsonArrayShiftData = <?php echo json_encode($shift_data); ?>;
|
||||
</div>
|
||||
|
||||
|
||||
<button class="btn btn-primary " type="button"
|
||||
id="submit_button" onclick="$('#shift_form').attr('action', '');$('#shift_form').submit()">
|
||||
<!-- <button class="btn btn-primary " type="button"
|
||||
id="submit_button">
|
||||
<i class="ace-icon fa fa-send"></i> Submit
|
||||
</button>
|
||||
</button> -->
|
||||
|
||||
<input type="submit" value="Submit" class="btn btn-primary" id="submit_button" />
|
||||
|
||||
<button class="btn btn-danger " type="button"
|
||||
id="pdf_print" onclick="print_pdf('p')">
|
||||
|
||||
@ -43,6 +43,7 @@ $result_menu_exists = mysqli_query($conn,$sql_menu_exists);
|
||||
$countAccessibleMenuPages_exists=mysqli_num_rows($result_menu_exists);
|
||||
|
||||
$sql_menu= "select menu_id from menu_master where upper(menu_url)=upper('".$__currentPage."') and menu_id in(select menu_id from assign_menu where role_id='".$_SESSION['RoleId']."')";
|
||||
error_log("sql_menu".$sql_menu);
|
||||
$result_menu = mysqli_query($conn,$sql_menu);
|
||||
$countAccessibleMenuPages=mysqli_num_rows($result_menu);
|
||||
|
||||
@ -56,7 +57,7 @@ if($row_menu = mysqli_fetch_array($result_menu)){
|
||||
}
|
||||
}
|
||||
$_SESSION['menu_current_page'] = $__currentPage;
|
||||
include_once ('access.php');
|
||||
// include_once ('access.php');
|
||||
|
||||
// echo "top_user:".$top_user.":Manoj";
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user