Pull Request # 1 - MC

icsls/application/.htaccess

@@ -1 +0,0 @@
-Deny from all

icsls/application/controllers/librarian.php

@@ -57,7 +57,7 @@ public function display_search_results($query_id = 0, $offset = 0){
 
 		$query_array = array(
 			'category' => $this->input->get('selectCategory'),
-			'text' => htmlspecialchars($this->input->get('inputText')),
+			'text' => htmlspecialchars($this->input->get('inputText'), ENT_QUOTES),
 			'sortCategory' => $this->input->get('selectSortCategory'),
 			'row' => $this->input->get('selectRows'),
 			'accessType' => $this->input->get('selectAccessType'),
@@ -66,12 +66,14 @@ public function display_search_results($query_id = 0, $offset = 0){
 			'match' => $this->input->get('radioMatch')
 		);
 
-		//Do not continue if user tried to make the database retrieval fail by editing URL's GET 
+		//Do not continue if user tried to make the database retrieval fail by XSS Node deletion 
 		foreach($query_array as $element):
 			if($element === FALSE)
 				redirect('librarian/search_reference_index');
 		endforeach;
 
+
+
 		$offset = $this->input->get('per_page') ? $this->input->get('per_page') : 0;
 
 		$data['total_rows'] = $this->librarian_model->get_number_of_rows($query_array);
@@ -151,14 +153,25 @@ public function edit_reference(){
 		//Filter the user's input of HTML special symbols
 		$title = htmlspecialchars(mysql_real_escape_string(trim($this->input->post('title'))));
 		$author = htmlspecialchars(mysql_real_escape_string(trim($this->input->post('author'))));
-		$isbn = $this->input->post('isbn');
-		$category = $this->input->post('category');
+		$isbn = htmlspecialchars(mysql_real_escape_string($this->input->post('isbn')));
+		$category = htmlspecialchars(mysql_real_escape_string($this->input->post('category')));
 		$publisher = htmlspecialchars(mysql_real_escape_string(trim($this->input->post('publisher'))));
-		$publication_year = $this->input->post('publication_year');
-		$access_type = $this->input->post('access_type');
-		$course_code = $this->input->post('course_code');
+		$publication_year = htmlspecialchars(mysql_real_escape_string($this->input->post('publication_year')));
+		$access_type = htmlspecialchars(mysql_real_escape_string($this->input->post('access_type')));
+		$course_code = htmlspecialchars(mysql_real_escape_string($this->input->post('course_code')));
 		$description = htmlspecialchars(mysql_real_escape_string(trim($this->input->post('description'))));
-		$total_stock = $this->input->post('total_stock');
+		$total_stock = htmlspecialchars(mysql_real_escape_string($this->input->post('total_stock')));
+
+		//DO NOT TRUST the user's input. Server-side input validation
+		if($total_stock <= 0)
+			redirect('librarian/edit_reference_index/' . $id);			
+		if(! in_array(strtoupper($category), array('B', 'S', 'C', 'J', 'M', 'T')))
+			redirect('librarian/edit_reference_index/' . $id);
+		if(! is_int(intval($publication_year)))
+			redirect('librarian/edit_reference_index/' . $id);
+		//if(preg_match("\A[A-Z]{2,3}\d{2,3}\z", $course_code) === FALSE)
+		//	redirect('librarian/edit_reference_index/' . $id);
+
 
 		//Store the input from user to be passed on the model
 	    $query_array = array(
@@ -176,28 +189,12 @@ public function edit_reference(){
 	    );
 
 	    $result = $this->librarian_model->edit_reference($query_array);
-	    redirect('librarian');
+	    redirect('librarian/view_reference/' . $id);
 	}//end of function edit_reference
 
 	/* ******************** END OF EDIT REFERENCE MODULE ******************** */
 
 	/* ******************** DELETE REFERENCE MODULE ******************** */
-	/*
-	public function delete_ready_reference(){
-		if(!empty($_POST['chch'])):
-			if(count($_POST['chch'])>0):
-				$toDelete = $_POST['chch'];
-
-				for($i=0;$i< count($toDelete);$i++){
-					$result = $this->librarian_model->delete_references($toDelete[$i]);
-				}
-
-			endif;
-		endif;
-
-		redirect( base_url() . 'index.php/librarian','refresh');
-	}
-	*/
 
 	/**
 	 * Delete selected references specified by its respective checkbox
@@ -208,8 +205,8 @@ public function delete_reference(){
         $data['title'] = 'Delete Reference';
 
 		$cannotBeDeleted = array();
-		if(!empty($_POST['ch'])){
-			if(count($_POST['ch'])>0):
+		if(! empty($_POST['ch'])){
+			if(count($_POST['ch']) > 0):
 				$toDelete = $_POST['ch'];
 
 				for($i = 0; $i < count($toDelete); $i++){
@@ -220,7 +217,7 @@ public function delete_reference(){
 			endif;
 		}
 
-		if(count($cannotBeDeleted)>0){
+		if(count($cannotBeDeleted) > 0){
 			$data['forDeletion'] = $this->librarian_model->get_selected_books($cannotBeDeleted);
 			$this->load->view('for_deletion_view',$data);
 		}
@@ -235,7 +232,7 @@ public function delete_reference(){
 	public function change_forDeletion(){
 		 $data['title'] = 'Delete Reference';
 
-		 if(!empty($_POST['ch'])):
+		 if(! empty($_POST['ch'])):
 			$toUpdate = $_POST['ch'];
 			for($i = 0; $i < count($toUpdate); $i++){
 				$this->librarian_model->update_for_deletion($toUpdate[$i]);
@@ -304,7 +301,7 @@ public function file_upload(){
 			}
 			else{
 				$uploadData = array('upload_data' => $this->upload->data());
-				$filename='./uploads/'.$uploadData['upload_data']['file_name'];
+				$filename='./uploads/' . $uploadData['upload_data']['file_name'];
 				$this->load->library('csvreader');
 		        $data['csvData'] = $this->csvreader->parse_file($filename);	
 				$this->load->view("uploadSuccess_view", $data);

icsls/application/controllers/login.php

@@ -12,8 +12,8 @@ public function index(){
 			$password = "";
 		}
 		else{
-			$username = $_POST["username"];
-			$password = md5($_POST["password"]);
+			$username = $_POST['username'];//mysql_real_escape_string($_POST["username"]);
+			$password = md5($_POST['password']);//mysql_real_escape_string(md5($_POST["password"]));
 		}
 
 		//Checks if the user is registered

icsls/application/helpers/MY_Helper.php

@@ -0,0 +1,19 @@
+<?php
+function set_value($field = '', $default = '')
+{
+	if (FALSE === ($OBJ =& _get_validation_object()))
+	{
+		if (isset($_POST[$field]))
+		{
+			return form_prep($_POST[$field], $field);
+		}
+		if (isset($_GET[$field]))
+		{
+			return form_prep($_GET[$field], $field);
+		}
+
+		return $default;
+	}
+
+	return form_prep($OBJ->set_value($field, $default), $field);
+}

icsls/application/js/delete_script.js

@@ -0,0 +1,78 @@
+//Confirm to Delete the selected books
+function confirmDelete(){
+	var noOfBooksToDelete = $('#booktable').find("input:checkbox:checked").length;
+	if(noOfBooksToDelete > 0){
+		var option= confirm("Are you Sure?");
+		if(option==true){		
+			alert(noOfBooksToDelete+" Book"+((noOfBooksToDelete>1)?'s':'')+" Selected.");
+		}else{
+			return false;
+		}
+	}else{
+		alert("No books selected.");
+		return false;
+		}
+	}
+
+//Confirm To Delete Ready for Deletion Books
+function confirmDeleteReady(){
+	var noOfBooksToDelete = $('#readytodeletetable').find("input:checkbox:checked").length;
+	if(noOfBooksToDelete > 0){
+		var option= confirm("Are you Sure?");
+		if(option==true){		
+			alert(noOfBooksToDelete+" Book"+((noOfBooksToDelete>1)?'s':'')+" Selected.");
+		}else{
+			return false;
+		}
+	}else{
+		alert("No books selected.");
+		return false;
+		}
+	}
+
+//Confirm to change the ForDeletion 
+function confirmChangeForDeletion(){
+	var noOfBooksToDelete = $('#booktable').find("input:checkbox:checked").length;
+	if(noOfBooksToDelete > 0){
+		var option= confirm("Are you Sure?");
+		if(option==true){		 
+			alert(noOfBooksToDelete+" Book"+((noOfBooksToDelete>1)?'s':'')+" Selected.");
+		}else{
+			return false;
+		}
+	}else{
+		alert("No books selected.");
+		}
+	}
+
+//Mark All checkboxes when choosing
+$('#markAll').click(function (){
+	var buttonText = $('#markAll').text();
+	if(buttonText === 'Mark All'){
+		$('#booktable').find('input[name="ch[]"]').each(function(){
+			$(this).prop('checked', true);
+		});
+		$('#markAll').text('UnMark All');
+	}
+	else if(buttonText === 'UnMark All'){
+		$('#booktable').find('input[name="ch[]"]').each(function(){
+			$(this).prop('checked', false);
+		});
+		$('#markAll').text('Mark All');
+	}
+});
+$('#markAlla').click(function (){
+	var buttonText = $('#markAlla').text();
+	if(buttonText === 'Mark All'){
+		$('#readytodeletetable').find('input[name="chch[]"]').each(function(){
+			$(this).prop('checked', true);
+		});
+		$('#markAlla').text('UnMark All');
+	}
+	else if(buttonText === 'UnMark All'){
+		$('#readytodeletetable').find('input[name="chch[]"]').each(function(){
+			$(this).prop('checked', false);
+		});
+		$('#markAlla').text('Mark All');
+	}
+});

icsls/application/js/scripts.js

@@ -0,0 +1,18 @@
+function changeUserSearchTextCriteria(){
+	var category = document.getElementById("category").value;
+	var input = document.getElementById("search_text");
+
+	if(category == "username"){
+		input.title = "Must be 4-30 characters.";
+		input.pattern = "[a-z]{1,1}[a-z0-9_]{3,29}";
+	}else if(category == "student_number"){
+		input.title = "Must be 10 characters.";
+		input.pattern = "[0-9]{4}-[0-9]{5}";
+	}else if(category == "employee_number"){
+		input.title = "Must be 9 characters.";
+		input.pattern = "[0-9]{9,9}";
+	}else if(category == "first_name" || category == "last_name"){
+		input.title = 'Must be 2-30 characters.';
+		input.pattern='[A-Za-z]{2,30}' 
+	}
+}