===========================================================
grep rough audit - static analysis tool v2.8 written by @Wireghoul
=================================[justanotherhacker.com]===
pfm-2.0.8/forms.tcl-397- set query "SELECT value, description FROM pfm_value "
pfm-2.0.8/forms.tcl:398: append query "WHERE valuelist = '$attribDef($attrib,valuelist)' "
pfm-2.0.8/forms.tcl-399- append query "ORDER BY value"
##############################################
pfm-2.0.8/forms.tcl-860- set query "SELECT value, description FROM pfm_value "
pfm-2.0.8/forms.tcl:861: append query "WHERE valuelist = '$attribDef($attrib,valuelist)' "
pfm-2.0.8/forms.tcl-862- append query "ORDER BY value"
##############################################
pfm-2.0.8/forms.tcl-946- public method onHelp {} {
pfm-2.0.8/forms.tcl:947: set query "SELECT help FROM pfm_form WHERE name = '${formName}'"
pfm-2.0.8/forms.tcl-948- if {[$::dbObject select_query_list $query numTuples \
##############################################
pfm-2.0.8/doc/en/body.html-1578- LEFT JOIN person p ON m.person = p.id
pfm-2.0.8/doc/en/body.html:1579: WHERE "group" = '$(group)'
pfm-2.0.8/doc/en/body.html-1580- ORDER BY g.name, p.name, p.christian_name
##############################################
pfm-2.0.8/examples/install_addressbook.sql-3119-pfm_link pfm_link f f linkname, sqlwhere, orderby, displayattrib, fromform, toform pfm_link \N A link is a navigation tool which allows you to follow a "one-to-many"\nor "many-to-one" relationship from one form to another.\n\nEvery link is stored as a record in the pfm_link table, which has the\nfollowing attributes:\n\n - linkname : the name of the link, which is displayed on\n a link button on the "fromform";\n\n - fromform : the name of the form from which the link\n originates;\n\n - toform : the name of the form to which the link leads;\n\n - sqlwhere : the "WHERE"-clause which is used to open the\n "toform" and in which the value of an attribute of the\n "fromform" may be represented by $(attrib-x), where\n 'attrib-x' is the name of the attribute;\n\n - orderby : an 'order by' clause which determines the order of the\n records in the 'toform';\n\n - displayattrib : a space separated list of\n attributes of the 'fromform', the value of which is displayed on\n the 'toform' to remind the user from which record the link\n originated.\n\nNote: Postgres Forms does not provide any checks to safeguard\n the referential integrity of the data base in case of updates or\n deletions. However, postgreSQL provides these functions as\n 'foreign key' table constraints (see postgreSQL documentation). fromform linkname fromform, linkname \N
pfm-2.0.8/examples/install_addressbook.sql:3120:pfm_report pfm_report f f name, description, sqlselect pfm_report \N The table pfm_report defines all the reports for the current data\nbase.\n\npfm_report has the following attributes:\n\n - name: the name of the report. This is the name that\n appears in the selection list of the "Run Report" function.\n\n - description: free text describing the purpose of the\n report in more detail.\n\n - sqlselect: an SQL SELECT statement that generates the\n data for the report.\n\nThe sqlselect may contain one or more parameters for which a\nvalue is requested at "Run report" time. A parameter in the sqlwhere\nmust be formatted as $(parameter_name).\n\nExample:\n\nsqlselect: \n\n SELECT g.name AS "group", g.description, p.id, p.name,\n p.christian_name, p.street, p."ZIPcode", p.town, p.country\n FROM "group" g\n LEFT JOIN memberlist m ON g.name = m."group"\n LEFT JOIN person p ON m.person = p.id\n WHERE "group" = '$(group)'\n ORDER BY g.name, p.name, p.christian_name\n\nWhen the report is run, the user is prompted to enter a value for the\nparameter "group". Then the report data are generated by executing the\nsqlselect statement in which $(group) is replaced with the value\nentered by the user.\n name name \N
##############################################
pfm-2.0.8/examples/install_addressbook.sql-3130-outgoing links fromform='$(name)' toform name pfm_form pfm_link
pfm-2.0.8/examples/install_addressbook.sql:3131:Where used? valuelist='$(name)' name pfm_value_list pfm_attribute
pfm-2.0.8/examples/install_addressbook.sql-3132-Values valuelist='$(name)' value name pfm_value_list pfm_value
##############################################
pfm-2.0.8/examples/install_addressbook.sql-3150-Groups and persons Lists all groups and their members SELECT g.name AS "group", g.description, p.id, p.name, p.christian_name,\n p.street, p."ZIPcode", p.town, p.country\nFROM "group" g\n LEFT JOIN memberlist m ON g.name = m."group"\n LEFT JOIN person p ON m.person = p.id\nORDER BY g.name, p.name, p.christian_name
pfm-2.0.8/examples/install_addressbook.sql:3151:Group List all the members of a certain group SELECT g.name AS "group", g.description, p.id, p.name,\n p.christian_name, p.street, p."ZIPcode", p.town, p.country\nFROM "group" g\n LEFT JOIN memberlist m ON g.name = m."group"\n LEFT JOIN person p ON m.person = p.id\nWHERE "group" = '$(group)'\nORDER BY g.name, p.name, p.christian_name
pfm-2.0.8/examples/install_addressbook.sql-3152-\.
##############################################
pfm-2.0.8/examples/install_customerdb.sql-247-pfm_link pfm_link f f linkname, sqlwhere, orderby, displayattrib, fromform, toform pfm_link \N A link is a navigation tool which allows you to follow a "one-to-many"\nor "many-to-one" relationship from one form to another.\n\nEvery link is stored as a record in the pfm_link table, which has the\nfollowing attributes:\n\n - linkname : the name of the link, which is displayed on\n a link button on the "fromform";\n\n - fromform : the name of the form from which the link\n originates;\n\n - toform : the name of the form to which the link leads;\n\n - sqlwhere : the "WHERE"-clause which is used to open the\n "toform" and in which the value of an attribute of the\n "fromform" may be represented by $(attrib-x), where\n 'attrib-x' is the name of the attribute;\n\n - orderby : an 'order by' clause which determines the order of the\n records in the 'toform';\n\n - displayattrib : a space separated list of\n attributes of the 'fromform', the value of which is displayed on\n the 'toform' to remind the user from which record the link\n originated.\n\nNote: Postgres Forms does not provide any checks to safeguard\n the referential integrity of the data base in case of updates or\n deletions. However, postgreSQL provides these functions as\n 'foreign key' table constraints (see postgreSQL documentation). fromform linkname fromform, linkname \N
pfm-2.0.8/examples/install_customerdb.sql:248:pfm_report pfm_report f f name, description, sqlselect pfm_report \N The table pfm_report defines all the reports for the current data\nbase.\n\npfm_report has the following attributes:\n\n - name: the name of the report. This is the name that\n appears in the selection list of the "Run Report" function.\n\n - description: free text describing the purpose of the\n report in more detail.\n\n - sqlselect: an SQL SELECT statement that generates the\n data for the report.\n\nThe sqlselect may contain one or more parameters for which a\nvalue is requested at "Run report" time. A parameter in the sqlwhere\nmust be formatted as $(parameter_name).\n\nExample:\n\nsqlselect: \n\n SELECT g.name AS "group", g.description, p.id, p.name,\n p.christian_name, p.street, p."ZIPcode", p.town, p.country\n FROM "group" g\n LEFT JOIN memberlist m ON g.name = m."group"\n LEFT JOIN person p ON m.person = p.id\n WHERE "group" = '$(group)'\n ORDER BY g.name, p.name, p.christian_name\n\nWhen the report is run, the user is prompted to enter a value for the\nparameter "group". Then the report data are generated by executing the\nsqlselect statement in which $(group) is replaced with the value\nentered by the user. name name \N
pfm-2.0.8/examples/install_customerdb.sql-249-pfm_value_list pfm_value_list f f name pfm_value_list \N The table "pfm_value_list" contains all the value lists of all the forms.\n\nIts only attribute is\n\n - name : a name uniquely identifying the value list.\n name name \N
##############################################
pfm-2.0.8/examples/install_customerdb.sql-259-outgoing links fromform='$(name)' toform name pfm_form pfm_link
pfm-2.0.8/examples/install_customerdb.sql:260:Where used? valuelist='$(name)' name pfm_value_list pfm_attribute
pfm-2.0.8/examples/install_customerdb.sql-261-Values valuelist='$(name)' value name pfm_value_list pfm_value
##############################################
pfm-2.0.8/examples/install_customerdb.sql-275-COPY pfm_report (name, description, sqlselect) FROM stdin;
pfm-2.0.8/examples/install_customerdb.sql:276:Invoices Invoices since a certain date SELECT i.id, i."date", i.customer, c.name AS c_name, c.street, c.town, c.country,\n o.product, p.name AS p_name, p.price, o.how_many,\n (p.price * o.how_many)::numeric(9,2) AS amount\nFROM invoice i\n LEFT OUTER JOIN customer c ON (i.customer = c.id)\n LEFT OUTER JOIN "order" o ON (i.id = o.invoice)\n LEFT OUTER JOIN product p ON (o.product = p.id)\nWHERE i."date" >= '$(since)'\nORDER BY c.name, i."date"
pfm-2.0.8/examples/install_customerdb.sql-277-DefinedForms Report showing the form definitions of this database SELECT f.name, f.tablename, f.sqlselect AS "SELECT", f.sqlfrom AS "FROM",\n f.groupby AS "GROUP BY", f.sqlorderby AS "ORDER BY",\n f.sqllimit AS "LIMIT", f.pkey AS "PRIM. KEY", f.showform, f."view",\n a.attribute, a.typeofattrib, a.typeofget, a.sqlselect, a.nr,\n a.valuelist, a."default"\nFROM pfm_form f LEFT OUTER JOIN pfm_attribute a ON (f.name = a.form)\nORDER BY f.showform DESC, f.name, a.nr
##############################################
pfm-2.0.8/install_pfm.sql-123-pfm_link pfm_link f f linkname, sqlwhere, orderby, displayattrib, fromform, toform pfm_link \N A link is a navigation tool which allows you to follow a "one-to-many"\nor "many-to-one" relationship from one form to another.\n\nEvery link is stored as a record in the pfm_link table, which has the\nfollowing attributes:\n\n - linkname : the name of the link, which is displayed on\n a link button on the "fromform";\n\n - fromform : the name of the form from which the link\n originates;\n\n - toform : the name of the form to which the link leads;\n\n - sqlwhere : the "WHERE"-clause which is used to open the\n "toform" and in which the value of an attribute of the\n "fromform" may be represented by $(attrib-x), where\n 'attrib-x' is the name of the attribute;\n\n - orderby : an 'order by' clause which determines the order of the\n records in the 'toform';\n\n - displayattrib : a space separated list of\n attributes of the 'fromform', the value of which is displayed on\n the 'toform' to remind the user from which record the link\n originated.\n\nNote: Postgres Forms does not provide any checks to safeguard\n the referential integrity of the data base in case of updates or\n deletions. However, postgreSQL provides these functions as\n 'foreign key' table constraints (see postgreSQL documentation). fromform linkname fromform, linkname \N
pfm-2.0.8/install_pfm.sql:124:pfm_report pfm_report f f name, description, sqlselect pfm_report \N The table pfm_report defines all the reports for the current data\nbase.\n\npfm_report has the following attributes:\n\n - name: the name of the report. This is the name that\n appears in the selection list of the "Run Report" function.\n\n - description: free text describing the purpose of the\n report in more detail.\n\n - sqlselect: an SQL SELECT statement that generates the\n data for the report.\n\nThe sqlselect may contain one or more parameters for which a\nvalue is requested at "Run report" time. A parameter in the sqlwhere\nmust be formatted as $(parameter_name).\n\nExample:\n\nsqlselect: \n\n SELECT g.name AS "group", g.description, p.id, p.name,\n p.christian_name, p.street, p."ZIPcode", p.town, p.country\n FROM "group" g\n LEFT JOIN memberlist m ON g.name = m."group"\n LEFT JOIN person p ON m.person = p.id\n WHERE "group" = '$(group)'\n ORDER BY g.name, p.name, p.christian_name\n\nWhen the report is run, the user is prompted to enter a value for the\nparameter "group". Then the report data are generated by executing the\nsqlselect statement in which $(group) is replaced with the value\nentered by the user. name name \N
pfm-2.0.8/install_pfm.sql-125-pfm_value pfm_value f f value, description, valuelist pfm_value \N The table "pfm_value" contains all the values of the lists defined in\npfm_value_list.\n\nIt has the following attributes:\n\n - valuelist : the name of the valuelist to which this value belongs\n\n - value : a character string;\n\n - description : a description of the value.\n valuelist value valuelist, value \N
##############################################
pfm-2.0.8/install_pfm.sql-136-outgoing links fromform='$(name)' toform name pfm_form pfm_link
pfm-2.0.8/install_pfm.sql:137:Where used? valuelist='$(name)' name pfm_value_list pfm_attribute
pfm-2.0.8/install_pfm.sql-138-Values valuelist='$(name)' value name pfm_value_list pfm_value
##############################################
pfm-2.0.8/report.tcl-156- set query {SELECT name, description, sqlselect FROM pfm_report}
pfm-2.0.8/report.tcl:157: append query " WHERE name = '$reportName'"
pfm-2.0.8/report.tcl-158- if {[$::dbObject select_query_list $query numTuples attribList resultList errorMsg]} then {
##############################################
pfm-2.0.8/report.tcl-233- set query {SELECT level, fieldlist, layout, summary FROM pfm_section}
pfm-2.0.8/report.tcl:234: append query " WHERE report = '${reportName}' ORDER BY level"
pfm-2.0.8/report.tcl-235- if {[$::dbObject select_query $query numTuples sectionDef errMsg]} then {
##############################################
pfm-2.0.8/convert_from_1.0.4.sql-354- LEFT JOIN person p ON m.person = p.id
pfm-2.0.8/convert_from_1.0.4.sql:355: WHERE "group" = ''$(group)''
pfm-2.0.8/convert_from_1.0.4.sql-356- ORDER BY g.name, p.name, p.christian_name
##############################################
pfm-2.0.8/database.tcl-26- append query {FROM pfm_form }
pfm-2.0.8/database.tcl:27: append query "WHERE name = '$formName'"
pfm-2.0.8/database.tcl-28- if {[$db select_query_list $query numTuples attribList resultList errorMsg]} then {
##############################################
pfm-2.0.8/database.tcl-53- set query {SELECT attribute, typeofattrib, typeofget, sqlselect, nr, valuelist, "default" }
pfm-2.0.8/database.tcl:54: append query "FROM pfm_attribute WHERE form = '${formName}' "
pfm-2.0.8/database.tcl-55- append query {ORDER BY nr}
##############################################
pfm-2.0.8/database.tcl-80- set query {SELECT linkname, sqlwhere, orderby, displayattrib, toform}
pfm-2.0.8/database.tcl:81: append query " FROM pfm_link WHERE fromform = '$formName'"
pfm-2.0.8/database.tcl-82- append query { ORDER BY linkname}
##############################################
pfm-2.0.8/convert_from_1.1.0.sql-22-UPDATE pfm_link
pfm-2.0.8/convert_from_1.1.0.sql:23:SET sqlwhere = 'name=''$(form)'''
pfm-2.0.8/convert_from_1.1.0.sql-24-WHERE (fromform = 'pfm_attribute') AND (linkname = 'Form');