Merge pull request #72 from ckingbailey/feat/clean-csv

ckingbailey · web-flow · commit b79622f896fe · 2018-12-12T14:20:48.000-08:00
decode html entities and use new Export module for defs download
diff --git a/api/def.php b/api/def.php
@@ -0,0 +1,63 @@
+<?php
+use SVBX\Export;
+
+require 'vendor/autoload.php';
+require 'session.php';
+
+if (strcasecmp($_SERVER['REQUEST_METHOD'], 'POST')) {
+    header('Access-Control-Allow-Methods: POST', true, 405);
+    exit;
+}
+
+try {
+    // check Session vars against DB
+    $link = new MySqliDB(DB_CREDENTIALS);
+    $fields = [ 'username', 'userID', 'firstname', 'lastname', 'role' ];
+
+    $link->where('userID', $_SESSION['userID']);
+    $result = $link->getOne('users_enc', $fields);
+
+    if ($result['username'] !== $_SESSION['username']
+        || $result['role'] !== $_SESSION['role']
+        || $result['firstname'] !== $_SESSION['firstname']
+        || $result['lastname'] !== $_SESSION['lastname'])
+    {
+        header('Status: 403 Forbidden', true, 403);
+        exit;
+    }
+
+    // if Auth ok, validate fields on first data element of POST against fields in DB
+    // note: element at index 0 is heading names, not table data
+    $post = trim(file_get_contents('php://input'));
+    $post = json_decode($post, true);
+    $post = filter_var_array($post, FILTER_SANITIZE_SPECIAL_CHARS);
+
+    $link->where('table_name', 'CDL');
+    $link->orWhere('table_name', 'BARTDL');
+    $cols = $link->getValue('information_schema.columns', 'column_name', null); // returns 50+ columns
+    $cols = array_map('strtolower', $cols);
+
+    $postKeys = array_keys($post[1] + $post[count($post) - 1] + $post[floor((count($post) / 2))]); // grab keys from first, middle, and last element of post data
+
+    if (($idIndex = array_search('ID', $postKeys)) !== false) unset($postKeys[$idIndex]); // don't try to match ID col name
+
+    foreach ($postKeys as $key) {
+        if (array_search(strtolower($key), $cols) === false) {
+            header('Status: 400 Bad Request', true, 400);
+            exit;
+        }
+    }
+
+    header('Content-Type: text/csv', true);
+
+    echo Export::csv($post);
+} catch (\Exception $e) {
+    error_log($e);
+    header('500 Internal server error', true, 500);
+} catch (\Error $e) {
+    error_log($e);
+    header('500 Internal server error', true, 500);
+} finally {
+    if (is_a($link, 'MySqliDB')) $link->disconnect();
+    exit;
+}
diff --git a/src/Export.php b/src/Export.php
@@ -11,6 +11,9 @@ public static function csv($data) {
     private static function str_putcsv(array $input, $delimiter = ',', $enclosure = '"') {
         $pointer = fopen('php://temp', 'r+b'); // open memory stream with read/write permission and binary mode on
         foreach ($input as $line) {
+            $line = array_map(function($el) {
+                return html_entity_decode($el, ENT_QUOTES, 'utf-8');
+            }, $line);
             fputcsv($pointer, $line, $delimiter, $enclosure); // puts a single line
         }
         rewind($pointer);
diff --git a/templates/dashboard.html.twig b/templates/dashboard.html.twig
@@ -131,7 +131,7 @@
         }).then(text => {
             const date = new Date()
             const timestamp = date.getFullYear()
-                + '' + date.getMonth()
+                + '' + (date.getMonth() + 1)
                 + '' + date.getDate()
                 + '' + date.getHours()
                 + '' + date.getMinutes()
diff --git a/templates/defs.html.twig b/templates/defs.html.twig
@@ -27,9 +27,30 @@
     <script src='js/pie_chart.js'></script>
     <script>
         document.getElementById('getCsvBtn').addEventListener('click', event => {
-            const jsonData = {{ dataWithHeadings | json_encode | raw }}
-            getCsv(event, jsonData, res => {
-                download(res, `def_dump_${Date.now()}.csv`, 'text/csv')
+            const json = JSON.stringify({{ dataWithHeadings | json_encode | raw }})
+            fetch('/api/def.php', {
+                method: 'POST',
+                body: json,
+                credentials: 'same-origin',
+                headers: {
+                    'Content-type': 'application/json',
+                    'Accept': 'text/csv'
+                }
+            }).then(res => {
+                if (!res.ok) throw res
+                return res.text()
+            }).then(text => {
+                const d = new Date()
+                const timestamp = d.getFullYear()
+                    + '' + (d.getMonth() + 1)
+                    + '' + d.getDate()
+                    + '' + d.getHours()
+                    + '' + d.getMinutes()
+                    + '' + d.getSeconds()
+                download(text, `defs_summary_${timestamp}.csv`, 'text/csv')
+            }).catch(err => {
+                if (err.status) console.err(`${err.status} ${res.statusText} ${res.url}`)
+                else console.err(err)
             })
         })
     {% if view is same as('BART') %}
