|
|
@@ -104,21 +104,20 @@ class report {
|
|
|
$all_id = strtolower($all_id);
|
|
|
$unique_arr = explode(';', $all_id);
|
|
|
//构建安全的数组字面量用于 PostgreSQL 的 && 交集判断
|
|
|
- if (!empty($unique_arr)) {
|
|
|
- // 转义每个 ID 防注入
|
|
|
- $escaped_ids = array();
|
|
|
- foreach($unique_arr as $id){
|
|
|
- $id = trim($id);
|
|
|
- if (empty($id))
|
|
|
- continue;
|
|
|
- $escaped_ids[] = "'" .common::check_input($id) . "'";
|
|
|
- }
|
|
|
- if(empty($escaped_ids)){
|
|
|
- $escaped_ids[] = "'" .common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
- }
|
|
|
- $array_str = 'ARRAY[' . implode(',', $escaped_ids) . ']';
|
|
|
- $sqlWhere_party_id = " OR party_ids && $array_str ";
|
|
|
+ // 转义每个 ID 防注入
|
|
|
+ $escaped_ids = array();
|
|
|
+ foreach($unique_arr as $id){
|
|
|
+ $id = trim($id);
|
|
|
+ if (empty($id))
|
|
|
+ continue;
|
|
|
+ $escaped_ids[] = "'" .common::check_input($id) . "'";
|
|
|
}
|
|
|
+ if(empty($escaped_ids)){
|
|
|
+ $escaped_ids[] = "'" .common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
+ }
|
|
|
+ $array_str = 'ARRAY[' . implode(',', $escaped_ids) . ']';
|
|
|
+ $sqlWhere_party_id = " OR party_ids && $array_str ";
|
|
|
+
|
|
|
//Group Name 判断
|
|
|
$company = _getCompanyHandNew($_SESSION["ONLINE_USER"],'public');
|
|
|
$company = strtolower($company);
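Review bot: `if (empty($id)) continue;` in the new loop also discards an ID whose value is the string `0`, because `empty('0')` is true in PHP; after `trim()` the intended check is `if ($id === '') continue;`. The same loop is patched identically in the hunk at `@@ -401,21 +400,20 @@`, and the group-name block below builds the same `ARRAY[...]` literal from `$escaped_company`, so a private helper such as `private function arrayLiteral(array $values): string` (trim, skip empty strings, escape via `common::check_input`, fall back to the sentinel) would replace the duplicated copies. The safety of the concatenated literal still rests entirely on `common::check_input`, whose behaviour is not visible here; binding the list as a single array parameter (`party_ids && ?::text[]`) would make the filter independent of that helper. The enclosing method starts outside this hunk.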
|
|
|
@@ -135,13 +134,13 @@ class report {
|
|
|
$escaped_company[] = "'" . common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
}
|
|
|
$array_str = 'ARRAY[' . implode(',', $escaped_company) . ']';
|
|
|
- $sqlWhere_group_name = " OR group_names && $array_str";
|
|
|
+ $sqlWhere_group_name = " OR lower(group_names) && $array_str";
|
|
|
|
|
|
$systemAccountsqlWhere = " OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
$sqlWhere .= " and ( access_type = 'All Users' ".$sqlWhere_party_id . " ".$sqlWhere_group_name ." ".$systemAccountsqlWhere .")";
|
|
|
} else {
|
|
|
- $systemAccountsqlWhere = " OR system_account IS NULL OR array_length(system_account, 1) = 0 OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
- $sqlWhere .= " and ( 1<>1 ".$systemAccountsqlWhere .")";
|
|
|
+ //$systemAccountsqlWhere = " OR system_account IS NULL OR array_length(system_account, 1) = 0 OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
+ //$sqlWhere .= " and ( 1<>1 ".$systemAccountsqlWhere .")";
|
|
|
}
|
|
|
|
|
|
$rc = $_POST ['rc'];
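Review bot: Commenting out both statements of the `else` branch leaves it empty, so a user who does not satisfy the condition (which begins outside this hunk) now has nothing appended to `$sqlWhere`, whereas before the commit that user was limited to rows whose `system_account` is empty or contains their login — this widens the result set and reads like an authorization regression unless dropping that filter was intended. If it was intended, delete the two lines rather than leaving commented-out code and record the reason in the commit message; if not, restore `$sqlWhere .= " and ( 1<>1 ".$systemAccountsqlWhere .")";` together with its preceding assignment. Separately, `lower(group_names)` on the new line applies `lower()` to a value that the `&&` operator requires to be an array; PostgreSQL has no `lower(text[])`, so unless `group_names` is not an array column or a custom overload exists, this statement will fail at runtime — lower-casing each element needs something like `(SELECT array_agg(lower(g)) FROM unnest(group_names) g)`, or storing the names already lower-cased. Both points apply equally to the hunk at `@@ -429,16 +427,16 @@`.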
|
|
|
@@ -401,21 +400,20 @@ class report {
|
|
|
$all_id = strtolower($all_id);
|
|
|
$unique_arr = explode(';', $all_id);
|
|
|
//构建安全的数组字面量用于 PostgreSQL 的 && 交集判断
|
|
|
- if (!empty($unique_arr)) {
|
|
|
- // 转义每个 ID 防注入
|
|
|
- $escaped_ids = array();
|
|
|
- foreach($unique_arr as $id){
|
|
|
- $id = trim($id);
|
|
|
- if (empty($id))
|
|
|
- continue;
|
|
|
- $escaped_ids[] = "'" .common::check_input($id) . "'";
|
|
|
- }
|
|
|
- if(empty($escaped_ids)){
|
|
|
- $escaped_ids[] = "'" .common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
- }
|
|
|
- $array_str = 'ARRAY[' . implode(',', $escaped_ids) . ']';
|
|
|
- $sqlWhere_party_id = " OR party_ids && $array_str ";
|
|
|
+ // 转义每个 ID 防注入
|
|
|
+ $escaped_ids = array();
|
|
|
+ foreach($unique_arr as $id){
|
|
|
+ $id = trim($id);
|
|
|
+ if (empty($id))
|
|
|
+ continue;
|
|
|
+ $escaped_ids[] = "'" .common::check_input($id) . "'";
|
|
|
+ }
|
|
|
+ if(empty($escaped_ids)){
|
|
|
+ $escaped_ids[] = "'" .common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
}
|
|
|
+ $array_str = 'ARRAY[' . implode(',', $escaped_ids) . ']';
|
|
|
+ $sqlWhere_party_id = " OR party_ids && $array_str ";
|
|
|
+
|
|
|
//Group Name 判断
|
|
|
$company = _getCompanyHandNew($_SESSION["ONLINE_USER"],'public');
|
|
|
$company = strtolower($company);
|
|
|
@@ -429,16 +427,16 @@ class report {
|
|
|
$escaped_company[] = "'" . common::check_input($value) . "'";
|
|
|
}
|
|
|
if(empty($escaped_company)){
|
|
|
- $escaped_company[] = "'" . common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
+ $escaped_company[] = "'" . common::check_input('default_value_that_does_not_exist') . "'";
|
|
|
}
|
|
|
$array_str = 'ARRAY[' . implode(',', $escaped_company) . ']';
|
|
|
- $sqlWhere_group_name = " OR group_names && $array_str";
|
|
|
+ $sqlWhere_group_name = " OR lower(group_names) && $array_str";
|
|
|
|
|
|
$systemAccountsqlWhere = " OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
$sqlWhere .= " and ( access_type = 'All Users' ".$sqlWhere_party_id . " ".$sqlWhere_group_name ." ".$systemAccountsqlWhere .")";
|
|
|
} else {
|
|
|
- $systemAccountsqlWhere = " OR system_account IS NULL OR array_length(system_account, 1) = 0 OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
- $sqlWhere .= " and ( 1<>1 ".$systemAccountsqlWhere .")";
|
|
|
+ //$systemAccountsqlWhere = " OR system_account IS NULL OR array_length(system_account, 1) = 0 OR '".common::check_input(_getLoginName())."' = any(system_account)";
|
|
|
+ //$sqlWhere .= " and ( 1<>1 ".$systemAccountsqlWhere .")";
|
|
|
}
|
|
|
|
|
|
|