Certainly don't mind sharing!
Her site was being worked on for PCI complicance when she noticed this (geekhost). php version is 5.5.32
[PHP]<?php
/*
* Rapid Inventory Update Module (RIUM) - A module to allow rapid, bulk
* updates to the inventory of the shop.
*
* Author: Alex Balashov <
[email protected]>, 2004.
*/
function D($var=NULL)
{ // show $var (debug):
PRIN($var,false);
}
function DD($var=NULL)
{ // show $var and exit (debug & die):
PRIN($var,true,true);
}
function PRIN($variable=NULL,$die=true,$debug=false)
{ // displays $variable contents and stops execution
if(!isset($variable))
$variable = "Not set."; // show all if nothing set:
echo "<pre style='background-color:white;'>";
print_r($variable);
if($debug)
{ // display call stack:
$s = debug_backtrace();
echo "\n\n";
foreach($s as $k=>$v)
echo "Line ".str_pad($v["line"]." ",5,' ',STR_PAD_RIGHT)." ".$v["file"]." ".$v["function"]."()\n";
}
echo "</pre>";
if($die)exit;
}
require('includes/application_top.php');
global $db;
$action = (isset($_GET['action']) ? $_GET['action'] : '');
// If we are processing an update, sanity-check values, and produce an error if something
// is amiss.
if($action == "process") {
foreach(array_keys($_POST) as $qty_var) {
// Process by quantity field. For every quantity field, find corresponding
// date field and run a single update query. This structure is more of a
// database query optimisation than anything.
if(preg_match("/product_qty_(\d+)/", $qty_var, $matches)) {
// Warn if non-numeric values encountered, otherwise process.
if(preg_match("/([^0-9\-]+)/", $POST_[$qty_var])) {
$messageStack->add(sprintf(WARNING_NON_NUMERIC_QUANTITIES, $matches[1]),
'warning');
// Force integerdom anyway in order to avoid SQL errors, injection.
settype($HTTP_POST_VARS[$qty_var], 'integer');
}
$nkey = "product_date_available_" . $matches[1];
if(!preg_match("/([0-9]+)\-([0-9]+)\-([0-9]+)/", $HTTP_POST_VARS[$nkey], $date_comp) &&
($HTTP_POST_VARS[$nkey] != "now"))
{
$messageStack->add(sprintf(WARNING_INVALID_DATE_FORMAT,
$matches[1]),
'warning');
$HTTP_POST_VARS[$nkey] = "now";
}
// Update if the field is not "now".
// Assuming an MM-DD-YYYY format, convert to YYYY-MM-DD.
// Take note that the datestamp string already includes
// single quotes if need be -- so that the null token can
// be inserted as well.
if($_POST[$nkey] == "now")
$datestamp = "null";
else {
array_shift($date_comp);
$datestamp = "'" . implode('-', array($date_comp[2], $date_comp[0], $date_comp[1])) . "'";
}
# Now run the query. Force integers with sprintf() in order to avoid
# SQL injection and otherwise make values what they are expected to be.
$db->Execute("UPDATE products SET "
. "products_quantity = "
. sprintf("%d", $_POST[$qty_var]) . ", "
. "products_date_available = $datestamp "
. "WHERE products_id = " . sprintf("%d", $matches[1]));
}
}
$messageStack->add(SUCCESS_INVENTORY_UPDATE, "success");
}
?>
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET;
?>">
<title><?php echo TITLE; ?></title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF">
<!-- header -->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- end of header -->
<!-- body -->
<?php echo zen_draw_form('products_update', 'inventory_stock.php', 'action=process'); ?>
<h1> <?php echo HEADING_TITLE; ?></h1>
<table border=0 cellpadding=0 cellspacing=3>
<tr class="dataTableHeadingRow">
<td class="dataTableHeadingContent"><?php echo HEADING_PRODUCT_CATEGORY; ?></td>
<td class="dataTableHeadingContent"><?php echo HEADING_PRODUCT; ?></td>
</tr>
<tr>
<td valign="top" align="right" colspan="2"><br>
<input type="submit" value="update" />
</td>
</tr>
<?php
// First fetch all categories that have at least one parent.
$categories = array();
// Consolidate the below into a join, so we can alphabetise, among other things.
$result = $db->Execute("SELECT c.categories_id, c.parent_id, cd.categories_name FROM categories AS c, categories_description AS cd WHERE c.parent_id > 0 AND cd.categories_id = c.categories_id ORDER BY cd.categories_name ASC");
// Buffer the categories.
while(!$result->EOF) {
$categories[] = array('categories_id' => $result->fields['categories_id'],
'parent_id' => $result->fields['parent_id'],
'name' => $result->fields['categories_name']);
$result->MoveNext();
}
foreach($categories as $category) {
$categories_products_query = $db->Execute("SELECT products_id FROM products_to_categories WHERE categories_id = " . $category['categories_id']);
$categories_products_query = $db->Execute("SELECT * FROM products_to_categories WHERE categories_id = " . $category['categories_id']);
// d($categories_products_query);
if($categories_products_query->RecordCount()) {
echo "<tr>\n"
. " <td valign=\"top\" class=\"dataTableContent\" width=\"30%\">\n"
. $category['name'] . "\n"
. " </td>\n"
. " <td width=\"70%\">\n<br>\n"
. " <table border=0 cellpadding=1 cellspacing=1 width=\"100%\">";
$products_query = $db->Execute("SELECT p.products_id, pd.products_name, p.products_quantity, DATE_FORMAT(p.products_date_available, '%m-%d-%Y') AS products_date_available "
. "FROM products AS p, products_description AS pd WHERE p.products_id = pd.products_id AND p.products_id = " . $categories_products_query->fields['products_id']);
$products_query = $db->Execute("SELECT p.* "
. "FROM products AS p WHERE p.master_categories_id = " . $categories_products_query->fields['categories_id']);
$products_query = $db->Execute("SELECT p.products_id, pd.products_name, p.products_quantity, DATE_FORMAT(p.products_date_available, '%m-%d-%Y') AS products_date_available "
. "FROM products AS p, products_description AS pd WHERE p.products_id = pd.products_id AND p.master_categories_id = " . $categories_products_query->fields['categories_id']);
// dd($products_query);
//original file has a while statement at this point to run thru the products that belong to each category where I can only get one product per category to show up. So the while statement below is not working.
while(!$products_query->EOF) {
// d($products_query);
//tried to make an array in case one does't exist but doesn't work
//$products[] = array('products_id' => $products_query->fields['products_id'],
// 'products_name' => $products_query->fields['products_name'],
// 'products_quantity' => $products_query->fields['products_quantity'],
// 'product_date_available' => $products_query->fields['product_date_available']);
echo " <tr>\n"
. " <td valign=\"top\" align=\"left\" width=\"50%\" class=\"dataTableContent\">\n"
. $products_query->fields['products_name']
. " </td>\n"
. " <td valign=\"top\" align=\"right\" width=\"20%\" class=\"dataTableContent\">\n"
. zen_draw_input_field('product_qty_' . $products_query->fields['products_id'], $products_query->fields['products_quantity'], 'maxlength=10, size=7', false, $type = 'text', false)
. " </td>\n"
. " <td valign=\"top\" align=\"right\" width=\"30%\" class=\"dataTableContent\">\n"
. zen_draw_input_field('product_date_available_' . $products_query->fields['products_id'],
isset($products_query->fields['products_date_available']) ?
$products_query->fields['products_date_available'] : "now",
'maxlength=15, size=10', false, $type = 'text', false)
. " </td>\n"
. " </tr>\n";
// this marks the end of the movement thru the while statement.
$products_query->MoveNext();
}
echo " </table>\n<br>\n"
. " </td>\n"
. "</tr>\n";
}
}
echo "<tr>\n"
. " <td valign=\"center\" colspan=2>\n"
. zen_draw_separator('pixel_black.gif', '100%', 1)
. " </td>"
. "</tr>\n"
. "<tr>\n"
. " <td valign=\"top\" align=\"right\" colspan=2>\n<br>\n"
. zen_image_submit('button_update.gif', IMAGE_UPDATE)
. " </td>\n"
. "</tr>\n";
?>
</table>
<!-- end body text -->
</form>
<!-- end of body -->
<?php
// Footer.
require(DIR_WS_INCLUDES . 'footer.php');
?>
</body>
</html>
<?php
require(DIR_WS_INCLUDES . 'application_bottom.php');
?>[/PHP]