Bug 17900: Fix possible SQL injection in patron cards template editing
1 #!/usr/bin/perl
4 # Copyright 2000-2002 Katipo Communications
6 # This file is part of Koha.
8 # Koha is free software; you can redistribute it and/or modify it
9 # under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # Koha is distributed in the hope that it will be useful, but
14 # WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with Koha; if not, see <http://www.gnu.org/licenses>.
21 use strict;
22 use warnings;
23 use CGI qw ( -utf8 );
24 use C4::Auth;
25 use C4::Koha;
26 use C4::Context;
27 use C4::Output;
28 use C4::Context;
30 use Koha::Caches;
31 use Koha::AuthorisedValues;
32 use Koha::BiblioFrameworks;
34 # retrieve parameters
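# retrieve parameters
my $input = CGI->new;    # class-method call; the indirect-object "new CGI" form is discouraged
my $frameworkcode         = $input->param('frameworkcode') || '';    # set to select framework
my $existingframeworkcode = $input->param('existingframeworkcode') || '';
my $searchfield           = $input->param('searchfield') || 0;
$searchfield =~ s/\,//g;    # commas are never part of a tag number

my $offset = $input->param('offset') || 0;
# $offset is a loop bound and takes part in page arithmetic; accept only a plain
# non-negative integer from the request and fall back to the first page otherwise
$offset = 0 unless $offset =~ /\A\d+\z/;
my $op = $input->param('op') || '';
# The "only used tags" display choice is remembered in a cookie; the form
# parameter is consulted only when no cookie is set (defined-or rather than ||,
# so an explicit "0" stored in the cookie still wins).
my $dspchoice = $input->cookie("marctagstructure_selectdisplay") // $input->param('select_display');
my $pagesize  = 20;

my $script_name = "/cgi-bin/koha/admin/marctagstructure.pl";

my $dbh   = C4::Context->dbh;
my $cache = Koha::Caches->get_instance();

# open template
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
    {
        template_name   => "admin/marctagstructure.tt",
        query           => $input,
        type            => "intranet",
        authnotrequired => 0,
        flagsrequired   => { parameters => 'parameters_remaining_permissions' },
        debug           => 1,
    }
);

my $frameworks = Koha::BiblioFrameworks->search( {}, { order_by => ['frameworktext'] } );

# check that framework is defined in marc_tag_structure
my $sth = $dbh->prepare("select count(*) from marc_tag_structure where frameworkcode=?");
$sth->execute($frameworkcode);
my ($frameworkexist) = $sth->fetchrow;
unless ($frameworkexist) {
    # if frameworkcode does not exist, then OP must be changed to "create framework",
    # unless we are already on the way to create it (op = framework_create_confirm)
    if ( $op eq "framework_create_confirm" ) {
        duplicate_framework( $frameworkcode, $existingframeworkcode );
        $op = "";    # unset $op to go back to framework list
    }
    else {
        $op = "framework_create";
    }
}

my $framework = $frameworks->search( { frameworkcode => $frameworkcode } )->next;
$template->param(
    frameworks  => $frameworks,
    framework   => $framework,
    script_name => $script_name,
    ( $op || 'else' ) => 1,    # the template switches on a flag named after $op
);

if ( $op eq 'add_form' ) {
    ################## ADD_FORM ##################################
    # called by default. Used to create form to add or modify a record
    #---- if primkey exists, it's a modify action, so read values to modify...
    my $data;
    if ($searchfield) {
        $sth = $dbh->prepare(
            "select tagfield,liblibrarian,libopac,repeatable,mandatory,authorised_value from marc_tag_structure where tagfield=? and frameworkcode=?"
        );
        $sth->execute( $searchfield, $frameworkcode );
        $data = $sth->fetchrow_hashref;
    }

    if ($searchfield) {
        $template->param(
            searchfield            => $searchfield,
            action                 => "Modify tag",
            'heading_modify_tag_p' => 1,
        );
    }
    else {
        $template->param(
            action              => "Add tag",
            'heading_add_tag_p' => 1,
        );
    }
    # $data stays undef on an "add", so every field below is simply empty
    $template->param(
        'use_heading_flags_p' => 1,
        liblibrarian          => $data->{'liblibrarian'},
        libopac               => $data->{'libopac'},
        repeatable            => $data->{'repeatable'},
        mandatory             => $data->{'mandatory'},
        authorised_value      => $data->{authorised_value},
        frameworkcode         => $frameworkcode,
    );    # FIXME: move checkboxes to presentation layer
    # END $OP eq ADD_FORM
}
elsif ( $op eq 'add_validate' ) {
    ################## ADD_VALIDATE ##################################
    # called by add_form, used to insert/modify data in DB
    my $tagfield         = $input->param('tagfield');
    my $liblibrarian     = $input->param('liblibrarian');
    my $libopac          = $input->param('libopac');
    my $repeatable       = $input->param('repeatable') ? 1 : 0;
    my $mandatory        = $input->param('mandatory') ? 1 : 0;
    my $authorised_value = $input->param('authorised_value');
    unless ( C4::Context->config('demo') ) {    # demo installs never write to the DB
        # all request values are bound as placeholders, never interpolated into SQL
        if ( $input->param('modif') ) {
            $sth = $dbh->prepare(
                "UPDATE marc_tag_structure SET liblibrarian=? ,libopac=? ,repeatable=? ,mandatory=? ,authorised_value=? WHERE frameworkcode=? AND tagfield=?"
            );
            $sth->execute( $liblibrarian, $libopac, $repeatable, $mandatory, $authorised_value, $frameworkcode, $tagfield );
        }
        else {
            $sth = $dbh->prepare(
                "INSERT INTO marc_tag_structure (tagfield,liblibrarian,libopac,repeatable,mandatory,authorised_value,frameworkcode) values (?,?,?,?,?,?,?)"
            );
            $sth->execute( $tagfield, $liblibrarian, $libopac, $repeatable, $mandatory, $authorised_value, $frameworkcode );
        }
        _clear_framework_cache( $cache, $frameworkcode );
    }
    # Bounce back to the list positioned on the tag just saved. Both values come
    # straight from the request, so URL-encode them instead of interpolating raw.
    print $input->redirect( "$script_name?searchfield=" . CGI::escape($tagfield) . "&frameworkcode=" . CGI::escape($frameworkcode) );
    exit;
    # END $OP eq ADD_VALIDATE
}
elsif ( $op eq 'delete_confirm' ) {
    ################## DELETE_CONFIRM ##################################
    # called by default form, used to confirm deletion of data in DB
    $sth = $dbh->prepare(
        "select tagfield,liblibrarian,libopac,repeatable,mandatory,authorised_value from marc_tag_structure where tagfield=? and frameworkcode=?"
    );
    $sth->execute( $searchfield, $frameworkcode );
    my $data = $sth->fetchrow_hashref;
    $template->param(
        liblibrarian  => $data->{'liblibrarian'},
        searchfield   => $searchfield,
        frameworkcode => $frameworkcode,
    );
    # END $OP eq DELETE_CONFIRM
}
elsif ( $op eq 'delete_confirmed' ) {
    ################## DELETE_CONFIRMED ##################################
    # called by delete_confirm, used to effectively confirm deletion of data in DB
    unless ( C4::Context->config('demo') ) {
        # remove the tag and every subfield that hangs off it
        my $sth1 = $dbh->prepare("DELETE FROM marc_tag_structure WHERE tagfield=? AND frameworkcode=?");
        my $sth2 = $dbh->prepare("DELETE FROM marc_subfield_structure WHERE tagfield=? AND frameworkcode=?");
        $sth1->execute( $searchfield, $frameworkcode );
        $sth2->execute( $searchfield, $frameworkcode );
        _clear_framework_cache( $cache, $frameworkcode );
    }
    $template->param(
        searchfield   => $searchfield,
        frameworkcode => $frameworkcode,
    );
    # END $OP eq DELETE_CONFIRMED
}
elsif ( $op eq 'framework_create' ) {
    ################## FRAMEWORK_CREATE ##################################
    # called automatically if a nonexistent framework is selected; lists the
    # frameworks that already have a tag structure so one can be copied
    $sth = $dbh->prepare(
        "select count(*),marc_tag_structure.frameworkcode,frameworktext from marc_tag_structure,biblio_framework where biblio_framework.frameworkcode=marc_tag_structure.frameworkcode group by marc_tag_structure.frameworkcode"
    );
    $sth->execute;
    my @existingframeworkloop;
    while ( my ( $tot, $thisframeworkcode, $frameworktext ) = $sth->fetchrow ) {
        next unless $tot > 0;
        push @existingframeworkloop, {
            value         => $thisframeworkcode,
            frameworktext => $frameworktext,
        };
    }
    $template->param(
        existingframeworkloop => \@existingframeworkloop,
        frameworkcode         => $frameworkcode,
    );
}
else {    # DEFAULT
    ################## DEFAULT ##################################
    # here, $op can be unset or set to "framework_create_confirm".
    if ( $searchfield ne '' ) {
        $template->param( searchfield => $searchfield );
    }
    my $cnt = 0;
    if ($dspchoice) {
        # here, user only wants used tags/subfields displayed.
        # The search term is bound through a placeholder below, so it must NOT
        # be quote-escaped by hand first: doing so corrupted the bound value and
        # leaked backslashes into the prev/next page links.
        my @data    = split( ' ', $searchfield );
        my $tag_sth = $dbh->prepare("
            SELECT marc_tag_structure.tagfield AS mts_tagfield,
                   marc_tag_structure.liblibrarian as mts_liblibrarian,
                   marc_tag_structure.libopac as mts_libopac,
                   marc_tag_structure.repeatable as mts_repeatable,
                   marc_tag_structure.mandatory as mts_mandatory,
                   marc_tag_structure.authorised_value as mts_authorised_value,
                   marc_subfield_structure.*
            FROM marc_tag_structure
            LEFT JOIN marc_subfield_structure ON (marc_tag_structure.tagfield=marc_subfield_structure.tagfield AND marc_tag_structure.frameworkcode=marc_subfield_structure.frameworkcode) WHERE (marc_tag_structure.tagfield >= ? and marc_tag_structure.frameworkcode=?) AND marc_subfield_structure.tab>=0 ORDER BY marc_tag_structure.tagfield,marc_subfield_structure.tagsubfield");
        #could be ordered by tab
        $tag_sth->execute( $data[0], $frameworkcode );
        my $results = $tag_sth->fetchall_arrayref( {} );
        $cnt = scalar @{$results};

        # one row per tag, its subfields nested under 'subfields'; the alias
        # mts_authorised_value above is spelt the same as the key read here
        # (it used to be "authorized", which left the column always empty)
        my @loop_data = ();
        my $i = $offset;
        while ( $i < $cnt ) {
            my $tag      = $results->[$i];
            my %row_data = (
                tagfield         => $tag->{'mts_tagfield'},
                liblibrarian     => $tag->{'mts_liblibrarian'},
                repeatable       => $tag->{'mts_repeatable'},
                mandatory        => $tag->{'mts_mandatory'},
                authorised_value => $tag->{'mts_authorised_value'},
                subfield_link    => "marc_subfields_structure.pl?op=add_form&amp;tagfield=" . $tag->{'mts_tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
                edit             => "$script_name?op=add_form&amp;searchfield=" . $tag->{'mts_tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
                delete           => "$script_name?op=delete_confirm&amp;searchfield=" . $tag->{'mts_tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
            );
            # consume every result row belonging to this tag; tags are compared
            # as strings so that e.g. '010' and '10' are never merged
            my $j             = $i;
            my @internal_loop = ();
            while ( $j < $cnt and $tag->{'tagfield'} eq $results->[$j]{'tagfield'} ) {
                my $sub = $results->[$j];
                push @internal_loop, {
                    tagsubfield      => $sub->{'tagsubfield'},
                    liblibrarian     => $sub->{'liblibrarian'},
                    kohafield        => $sub->{'kohafield'},
                    repeatable       => $sub->{'repeatable'},
                    mandatory        => $sub->{'mandatory'},
                    tab              => $sub->{'tab'},
                    seealso          => $sub->{'seealso'},
                    authorised_value => $sub->{'authorised_value'},
                    authtypecode     => $sub->{'authtypecode'},
                    value_builder    => $sub->{'value_builder'},
                };
                $j++;
            }
            $row_data{'subfields'} = \@internal_loop;
            push @loop_data, \%row_data;
            $i = $j;
        }
        $template->param( select_display => "True", loop => \@loop_data );
    }
    else {
        # Hidden feature: If search was field$subfield, redirect to the subfield edit form
        my ( $tagfield, $tagsubfield ) = split /\$/, $searchfield;
        if ($tagsubfield) {
            # query-string values are request input: URL-encode them
            print $input->redirect( '/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=' . CGI::escape($tagfield) . '&frameworkcode=' . CGI::escape($frameworkcode) . '#sub' . $tagsubfield . 'field' );
            exit;
        }
        #here, normal old style : display every tag
        my ( $count, $results ) = StringSearch( $searchfield, $frameworkcode );
        $cnt = $count;
        my @loop_data = ();
        for my $i ( $offset .. $count - 1 ) {    # $offset was validated as an integer above
            my $tag = $results->[$i];
            push @loop_data, {
                tagfield         => $tag->{'tagfield'},
                liblibrarian     => $tag->{'liblibrarian'},
                repeatable       => $tag->{'repeatable'},
                mandatory        => $tag->{'mandatory'},
                authorised_value => $tag->{'authorised_value'},
                subfield_link    => "marc_subfields_structure.pl?tagfield=" . $tag->{'tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
                edit             => "$script_name?op=add_form&amp;searchfield=" . $tag->{'tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
                delete           => "$script_name?op=delete_confirm&amp;searchfield=" . $tag->{'tagfield'} . "&amp;frameworkcode=" . $frameworkcode,
            };
        }
        $template->param( loop => \@loop_data );
    }
    if ( $offset > 0 ) {
        $template->param(
            isprevpage    => $offset,
            prevpage      => $offset - $pagesize,
            searchfield   => $searchfield,
            script_name   => $script_name,
            frameworkcode => $frameworkcode,
        );
    }
    if ( $offset + $pagesize < $cnt ) {
        $template->param(
            nextpage      => $offset + $pagesize,
            searchfield   => $searchfield,
            script_name   => $script_name,
            frameworkcode => $frameworkcode,
        );
    }
}    #---- END $OP eq DEFAULT

output_html_with_http_headers $input, $cookie, $template->output;

# Drop every cached copy of a framework's MARC structure so that the next
# request rebuilds it from the tables that were just modified.
# Args: the Koha::Caches instance and the framework code whose entries to drop.
sub _clear_framework_cache {
    my ( $cache, $frameworkcode ) = @_;
    $cache->clear_from_cache("MarcStructure-0-$frameworkcode");
    $cache->clear_from_cache("MarcStructure-1-$frameworkcode");
    $cache->clear_from_cache("default_value_for_mod_marc-$frameworkcode");
    $cache->clear_from_cache("MarcSubfieldStructure-$frameworkcode");
    return;
}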
316 # the sub used for searches
# Return every tag of a framework from $searchstring onwards, in tag order.
# Args:    $searchstring  - lowest tagfield to include (string comparison in SQL)
#          $frameworkcode - framework whose tag structure is searched
# Returns: ( $count, $rows ) where $rows is an arrayref of hashrefs, one per tag.
# Both arguments are bound as placeholders, never interpolated into the SQL text.
sub StringSearch {
    my ( $searchstring, $frameworkcode ) = @_;
    my $query = "
        SELECT tagfield,liblibrarian,libopac,repeatable,mandatory,authorised_value
        FROM marc_tag_structure
        WHERE (tagfield >= ? and frameworkcode=?)
        ORDER BY tagfield
    ";
    my $sth = C4::Context->dbh->prepare($query);
    $sth->execute( $searchstring, $frameworkcode );
    my $rows  = $sth->fetchall_arrayref( {} );
    my $count = scalar @{$rows};
    return ( $count, $rows );
}
332 # the sub used to duplicate a framework from an existing one in MARC parameters tables.
# Copy the tag structure of $oldframeworkcode into $newframeworkcode: first the
# marc_tag_structure rows, then the marc_subfield_structure rows. Both codes are
# passed to the INSERT ... SELECT statements as bind values.
# Returns whatever the second $dbh->do returns (its row count), as before.
sub duplicate_framework {
    my ( $newframeworkcode, $oldframeworkcode ) = @_;
    my $dbh = C4::Context->dbh;

    my $copy_tags = q|INSERT INTO marc_tag_structure (tagfield, liblibrarian, libopac, repeatable, mandatory, authorised_value, frameworkcode)
        SELECT tagfield,liblibrarian,libopac,repeatable,mandatory,authorised_value, ? from marc_tag_structure where frameworkcode=?|;
    my $copy_subfields = q|INSERT INTO marc_subfield_structure (frameworkcode,tagfield,tagsubfield,liblibrarian,libopac,repeatable,mandatory,kohafield,tab,authorised_value,authtypecode,value_builder,seealso,hidden)
        SELECT ?,tagfield,tagsubfield,liblibrarian,libopac,repeatable,mandatory,kohafield,tab,authorised_value,authtypecode,value_builder,seealso,hidden from marc_subfield_structure where frameworkcode=?
    |;

    $dbh->do( $copy_tags, undef, $newframeworkcode, $oldframeworkcode );
    return $dbh->do( $copy_subfields, undef, $newframeworkcode, $oldframeworkcode );
}