diff --git a/include/filter.class.php b/include/filter.class.php
index 3578d7dcf..8357c8eb4 100644
--- a/include/filter.class.php
+++ b/include/filter.class.php
@@ -230,9 +230,11 @@ class filter extends basis_db
*/
public function loadValues($sql, $valuename, $showvalue)
{
-
$this->values = array();
+ // In case a decryption function is used then perform password substitution
+ $sql = $this->replaceSQLDecryptionPassword($sql);
+
if($this->db_query($sql))
{
while($row = $this->db_fetch_row())
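Review bot: After the substitution on the added line, `$sql` holds the cleartext decryption password, so any failure path that surfaces or logs the executed statement would expose it; the `db_query` error branch and the rest of loadValues are outside this hunk, so please confirm that `$this->errormsg` and any debug output never include the substituted string, e.g. by reporting the pre-substitution `$sql` instead. `replaceSQLDecryptionPassword` is not defined in this diff (presumably it lives in basis_db), so the added comment would be more useful as `// Substitutes ${...} placeholders in PGP_SYM_DECRYPT calls with the configured key; never persist or log the result`. The same substitution is added in statistik.class.php and the same caution applies there.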
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 7b3560dde..d27708ea9 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1196,4 +1196,28 @@ function anzahlTage($date1, $date2)
$diff = $date2_ts - $date1_ts;
return round($diff / 86400);
}
+
+/**
+ * Checks if the provided SQL string contains PostgreSQL functions to decrypt data, returns a boolean
+ */
+function hasSQLDecryption($sql)
+{
+ return stripos($sql, 'PGP_SYM_DECRYPT') !== false;
+}
+
+/**
+ * Checks if the provided SQL string contains PostgreSQL functions to decrypt data,
+ * and if it is used a variable instead of a readable password. Returns a boolean
+ */
+function isSQLDecryptionValid($sql)
+{
+ // If the SQL string contains decryption functions and there are _no_ password variables
+ if (hasSQLDecryption($sql) && strpos($sql, '${') === false)
+ {
+ return false; // then return false
+ }
+
+ return true; // in any other case return true
+}
+
?>
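Review bot: isSQLDecryptionValid only checks that a `${` occurs somewhere in the string, not that it is the key argument of the decrypt call, so `PGP_SYM_DECRYPT(col, 'secret') ... ${other_var}` passes the check with a cleartext password. A check anchored on the call itself is tighter, for instance after the hasSQLDecryption guard `return preg_match("/PGP_SYM_DECRYPT\s*\([^,]+,\s*'(?!\\$\{)/i", $sql) !== 1;`, which rejects a quoted literal as the second argument while still accepting `'${...}'`. hasSQLDecryption also only knows PGP_SYM_DECRYPT; pgcrypto's pgp_pub_decrypt and decrypt would slip through, so either cover them or state the limited scope in the docblock. Both functions lack parameter and return types (`string $sql`, `: bool`), and the trailing `?>` in a PHP-only file is best dropped.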
diff --git a/include/statistik.class.php b/include/statistik.class.php
index d8bea89f9..a72c8bbeb 100644
--- a/include/statistik.class.php
+++ b/include/statistik.class.php
@@ -514,6 +514,9 @@ class statistik extends basis_db
$this->countRows=0;
set_time_limit(120);
+ // In case a decryption function is used then perform password substitution
+ $this->sql = $this->replaceSQLDecryptionPassword($this->sql);
+
if($this->sql!='')
{
$sql = $this->sql;
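Review bot: The added line writes the substituted SQL back into `$this->sql`, so from here on the object carries the cleartext decryption password; if the same instance is later persisted via save() or rendered into a form (not visible here, the enclosing method starts and ends outside this hunk), the password gets written out, which is exactly what the isSQLDecryptionValid check in the callers is meant to prevent. filter::loadValues in the filter.class.php hunk keeps the result in a local, which is the safer shape; do the same here by replacing the added assignment with `$sql = $this->replaceSQLDecryptionPassword($this->sql);` and dropping the later `$sql = $this->sql;`, keeping the `$this->sql!=''` guard on the unsubstituted value.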
diff --git a/vilesci/stammdaten/statistik_details.php b/vilesci/stammdaten/statistik_details.php
index 1ba840c02..8ad12dc0b 100644
--- a/vilesci/stammdaten/statistik_details.php
+++ b/vilesci/stammdaten/statistik_details.php
@@ -26,6 +26,7 @@ require_once('../../config/vilesci.config.inc.php');
require_once('../../include/statistik.class.php');
require_once('../../include/benutzerberechtigung.class.php');
require_once('../../include/berechtigung.class.php');
+require_once('../../include/functions.inc.php');
if(!$db = new basis_db())
{
@@ -140,18 +141,29 @@ if(!$rechte->isBerechtigt('basis/statistik', null, 'suid'))
$statistik->berechtigung_kurzbz = $berechtigung_kurzbz;
$statistik->preferences = $preferences;
- $success = $statistik->save();
+ // Check if the SQL string contains functions to decrypt data and if there are
+ // variables to replace the value of the password (no clear password wanted!)
+ if (isSQLDecryptionValid($statistik->sql))
+ {
+ $success = $statistik->save();
- if($success):
+ if($success):
+ ?>
+ Daten erfolgreich gespeichert
+
+
+ errormsg ?>
+
- Daten erfolgreich gespeichert
-
-
- errormsg ?>
-
+ preferences);
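Review bot: When isSQLDecryptionValid returns false no else branch is visible in this hunk, so the save is silently skipped: the user gets no message and `$success` stays undefined for any later use (the hunk is garbled by stripped PHP tags, so an else may have been lost in extraction; please confirm). filter_details.php handles the same case by appending an error string; mirror that here, e.g. `else { $statistik->errormsg = 'It is not possible to store a SQL that contains clear passwords to decrypt data from the DB'; $success = false; }`. More fundamentally the rule is enforced at two call sites rather than inside statistik::save() and filter::save(), so any other code path that writes these rows bypasses it; moving the check into save() would close that gap. Note also that this file gains a `require_once` of functions.inc.php while the filter_details.php hunk calls isSQLDecryptionValid without adding one, which is a fatal error there unless that include is already present.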
diff --git a/vilesci/statistik/filter_details.php b/vilesci/statistik/filter_details.php
index 8ff284b1f..c2f27d927 100644
--- a/vilesci/statistik/filter_details.php
+++ b/vilesci/statistik/filter_details.php
@@ -76,9 +76,18 @@
$filter->type = $_POST["type"];
$filter->htmlattr = $_POST["htmlattr"];
- if(!$filter->save())
+ // Check if the SQL string contains functions to decrypt data and if there are
+ // variables to replace the value of the password (no clear password wanted!)
+ if (isSQLDecryptionValid($filter->sql))
{
- $errorstr .= $filter->errormsg;
+ if (!$filter->save())
+ {
+ $errorstr .= $filter->errormsg;
+ }
+ }
+ else
+ {
+ $errorstr .= 'It is not possible to store a SQL that contains clear passwords to decrypt data from the DB';
}
$reloadstr .= "