reportico-web / reportico Goto Github PK

I would like to use reportico as a dependency and not commit it to my project. However, I would like to commit my project files to my project.

Particularly if we use reportico via composer it will be in the vendor directory which we typically want to have in the .gitignore file.

Is there a way to set it up with the projects folder outside of the reportico root?

http://reportico.org/yii2/web/index.php/quickstart link is broken on the site.

I am just testing right now but my validator gave me a lot of issues. Figured Id give back a bit if its helpful. A few on the pages I was looking at. I hope you dont mind and If you want me to send you the rest, I would be happy to? Thank You for the wonderful work!

Possible bugs

createproject.xml
Line 26
Line 38
Line 111

Lines 38 and 111 can be fixed by this above
use Reportico\Engine\ReporticoApp;

Line 26 I think you should call? $test = new \Reportico\Engine\reporticoDatasource();

Reportico.php
Line 405 should be ChartJpgraph not ChrtJpgraph

DatabaseEngine.php
Line 100 Cannont resolve to a type use Reportico\Engine\ReporticoUtility;

There are a few dozen more and you may already know but I didnt want to ignore it.

Ensure we pick up the correct path ending in .exe when running PhantomJS under Windows servers

Also pecularities exist which cause warnings under windows, these need to be fixed

I am hoping that you can help me out. I have install the latest version of Reportico. I am trying to get the following link to work properly.

localhost/reportico-7.0/index.php?r=reportico/mode/execute&project=PMTTS&target_format=PDF&new_reportico_window=1&report=ContactList.xml'

Currently it opens a screen with a list of all available reports within the PMTTS Project. I want to bypass this screen and any other screens, and show the screen display the report.

Any help with this would be greatly appreciated.

Thank you.

Lloyd

Just installed 4.4 and added the configuration and projects I had with 4.2 and I noticed a // printed on the top left:

Minor: the version is reported 4.3 even if it's 4.4.

Can anyone help me with how should I install the Reporticon.
step by step installation and configuration Video

This issue was reported 6 years ago in the forum and still exists today in 6.0.10 for example with the name O'Brien and others similar.
http://www.reportico.org/forum/d/39004-escaping-single-quotes-in-report-criteria

I wanted to embed Reportico into my existing project and went into problems with Smarty.
I use Smarty 3 in my project and Reportico has Smarty 2 included. This produces conflicts when embedding Reportico.

It would be great if you could upgrade to Smarty 3, ideally by pulling it in via composer.
Also, Reportico should check if Smarty is already available and only include it, if not.

Smarty is fed with $smarty->compile_dir = find_best_location_in_include_path( "templates_c" ); This has no knowledge of $compiled_templates_folder parameter.

Means that the compile dir can't be set outside the reportico file structure or be anything but templates_c.

I am trying to use the Reportico as API in Laravel 5

I have successfully done every thing only issue i had is if i try to access the Report in below format

http://localhost/laravel/public/phpreport?project=project_name&report=report_name&mode=EXECUTE&format=JSON

the response is downloading as JSON, instead of downloading the response i need to send the JSON as response to API

This is the code i am using

`$project = (isset($_REQUEST["project"]) && !empty($_REQUEST["project"])) ? $_REQUEST["project"] : "";
$report = isset($_REQUEST["report"]) && !empty($_REQUEST["report"]) ? $_REQUEST["report"] : "";
$mode = isset($_REQUEST["mode"]) && !empty($_REQUEST["mode"]) ? $_REQUEST["mode"] : "EXECUTE";
$format = isset($_REQUEST["format"]) && !empty($_REQUEST["format"]) ? strtoupper($_REQUEST["format"]) : "JSON";

$engine = \App::make("getReporticoEngine");
$engine->initial_execute_mode = $mode;
$engine->initial_output_format = $format;
$engine->initial_report = $report;
$engine->initial_project = $project;
$engine->clear_reportico_session = true;
$engine->execute();`

I have updated the core file ( laravel/vendor/reportico/laravel-reportico/src/Reportico/Reportico/reportico_report_json.php ) to make it work, but as its not a recommended solution,

Please advice me for any other possibilities

Thanks in advance

Using version 7.1.36-beta. Was having problems with a Date criteria input. Fortunately I was able to debug it and find solutions.

Item 1: Unexpected date format causes error

Tracked this down to ReporticoLocale.php, line 195, function parseDate(). It's with the default: return for the first switch() statement. If you have an $in_keyword that's simply a date (e.g., "2021-02-12"), it will fail the initial preg_match() and make its way to this switch() statement. Since the value is a date and not any of the keywords, it gets the default: action, which is to simply return the input parameter unchanged:

default:
  return $in_keyword;

It's pretty obvious from the calling code that the intention is for it to be converted to the prep_dateformat configuration format. This is not happening.

Solution: Replace the default code with the following:

default:
  try {
    $datetime = new \DateTime($in_keyword);
  } catch (Exception $e) {
    return $in_keyword;
  }
  return $datetime->format($in_mask);

Item 2: Report not generated when using a predefined date

There are several predefined dates ("Today", "Yesterday", etc.). I created a few of my own and found they didn't work. Didn't necessarily get an error, the report just didn't happen.

Tracked this down to widget/DatePicker.php. The code appears to have been copied from DateRangePicker.php and wasn't fully modified to work with a single date.

In function deriveValue(), line 237, we have this logic:

if ( isset($this->options[$this->range_name])) {
  $this->range_raw = $this->range_name;
  $dateRange = $this->options[$this->range_name]["phpEvaluate"];
  $this->range_start = (new \DateTime($dateRange[0]))->format("Y-m-d");
  $this->range_end = (new \DateTime($dateRange[1]))->format("Y-m-d");
} else {

The problem is that $dateRange isn't an array. For single dates, it's a string. So the array references break the code.

Here's a simple solution:

if ( isset($this->options[$this->range_name])) {
  $this->range_raw = $this->range_name;
  $tmp= $this->options[$this->range_name]["phpEvaluate"];   // modified to use $tmp
  $dateRange = (is_scalar($tmp) ? [$tmp, null] : $tmp);     // new code
  $this->range_start = (new \DateTime($dateRange[0]))->format("Y-m-d");
  $this->range_end = (new \DateTime($dateRange[1]))->format("Y-m-d");
} else {

This sets $this->range_end to be the current date. Alternatively it could be the same as $this->range_start. Don't know how you want to do that.

Item 3: Date text is too large for the input field and is truncated

For some reason the font size of the date inside the input field was too large, and the last digit of the year was always truncated. I fixed this by modifying the CSS in themes/bootstrap4/css/reportico.css to include a different font size:

Original:

.reportico-date-field { width: 100px !important; z-index: 1040; font-weight: normal; }

New:

.reportico-date-field { width: 100px !important; z-index: 1040; font-weight: normal; font-size: inherit; }

Hi Peter,
The license I see on the following URL is GPL2.0. It is not allowed to modify source code.
http://www.reportico.org/site/index.php/reportico-license
But you replied earlier that it was MIT license. Which one is correct, please?

Checking the current code layout in master I have the following questions:

• javascripts and js dirs, are both required or can everything go in one? (better js if there is a choice)
• css and stylesheet dirs, both required?
• fdpf and tcpdf dirs, both required? what is what?
• templates and templates_c dirs, both required?
• all php files in the root directory, is that required or can things go in such way there is an entry point (index.php, partial.php, embedded.php) and the rest of the files can go into a library dir?
• can the diff file be removed?

Was trying to fix the horrible black areas in some of the design screens by tweaking the css, but table shown has a broken format with 4 x TD in the first row and only 3 x TD in the remaining rows.

Name of the Affected Product:
Reportico

Affected Version:
Till 8.1.0

Vulnerability Scenario: Failure to Invalidate Cookie

Affected URL:
http://localhost/reportico-8.1.0/*
http://localhost/reportico-8.1.0/run.php?execute_mode=PREPARE&xmlin=qqqq.xml&reportico_session_name=joaacmh13taksmr7rg9to1cr3a_reportico&reportico_template=&reportico_ajax_called=1

Description:
This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the oversight in the application's implementation, the session cookie remains active even after logout. Consequently, if an attacker obtains the session cookie, they can exploit it to access the user's session and perform unauthorized actions.

Business Impact:
The failure to invalidate session cookies poses significant risks to the security and integrity of the application and its users' data. Attackers could exploit this vulnerability to impersonate legitimate users, access sensitive information, manipulate data, and compromise the overall security posture of the system. The potential consequences include financial loss, reputational damage, regulatory penalties, and legal liabilities for the affected organization.

Solution:
To mitigate the risk of failure to invalidate cookies, the application should implement proper session management practices. Upon logout, ensure that all session cookies are invalidated and cannot be reused.

Hello,

Didn't know where to put this, sorry if it's not the right place.

Page: http://www.reportico.org/yii2/web/index.php/site/embedding-reports
Link: Creating links to reports >> -> http://www.reportico.org/yii2/web/index.php/site/embed-links

Should be: http://www.reportico.org/yii2/web/index.php/site/embedding-links

Regards!.

Embedding reportico page http://www.reportico.org/documentation/4.5/doku.php?id=embedding_reportico should be updated. For new versions there is no file like reportico.php.
But the sample codes at the documentation page refer to this file like
require_once('{FULL PATH TO REPORTICO DIRECTORY}/reportico.php');

I get the following error trying to go to "Documentation" from Quickstart

Fatal error: Array and string offset access syntax with curly braces is no longer supported in /customers/7/a/f/reportico.org/httpd.www/dokuwiki/inc/init.php on line 557

Just some minor things my IDE caught:
prepare.tpl
Line 210: missing "display:" <div style="inline-block; margin-top:
Line 145: extra characters: data-target="#reportico-bootstrap-collapse"-->
Line 196: extra characters: name="debug_mode">';

menu.tpl:
Line 188: missing "display:" <div style="inline-block; margin-top: 6px">
Line 138: extra characters: data-target="#reportico-bootstrap-collapse"-->

The external connection option works via $q->external_connection if you manually add define('SW_DB_TYPE', 'existingconnection'); in the project's config.php but it can't be selected directly.

testing running i note that the only working driver connection are the mysql, the other does not work.. specially the PDO sybase (same as mocosoft SQL driver).. the postgres either work...

revised in internet, noted the pdo are not most usefully and trusted and there's no good support for...

odbc it be more switable! and we need it!

Tired Chrome\Edge and even IE, cant seem to setup a password. I have tried Private mode the password I have typed in muitples different password still no luck running Version [7.1.41-beta]

I am aware I am using beta software

Name of the Affected Product:
Reportico

Affected Version:
Till 8.1.0

Description:
This vulnerability occurs when a low privilege user is able to access and view configuration details that are intended to be restricted to admin users. These configuration details may include sensitive information related to SQL queries and other critical system settings. This unauthorized access allows the low privilege user to gain insights into the inner workings of the application or system, potentially leading to unintended exposure of sensitive data or exploitation of system weaknesses.

Impact:
This vulnerability poses serious risks to the security and integrity of the application and its underlying systems. By gaining access to sensitive configuration details, low-privileged users can exploit system weaknesses, potentially leading to data breaches, unauthorized data manipulation, or even system compromise.

URL:
http://localhost/reportico-8.1.0/run.php?execute_mode=PREPARE&xmlin=qqqq.xml&reportico_session_name=b137719u9cqjt0sqog9aorvcks_reportico
http://localhost/reportico-8.1.0/run.php?execute_mode=MAINTAIN&xmlin=qqqq.xml&reportico_session_name=b137719u9cqjt0sqog9aorvcks_reportico

Steps:
By changing the execute_mode parameter in URL from PREPARE TO MAINTAIN the low privilege user can view the config page which is restricted to the low privilege user.

Hi,

How can I report a security issue?
I wrote an email to the info@ from the web page but I've got no answer.

Please reply.

Looks like this project may no longer be supported. I am looking for a report generator for PHP and MySQL. But on PHP 8.0 (best version ever!) and see that this package has not been updated (bad ordering of default parameters is the first issue I see) for PHP 8.0.

I would be happy to help move the project forward if I decide to use it, but not sure what the long term prospects are. As I am still in the looking mode, I don't want to commit to something that may be abandoned, but also might be willing to take it over, depending on what else is out there.

I do like the general architecture and I see that there a lot of potential in this code base, so it would be shame to lose it.

Your thoughts?

I decided that Reportico wasn't what I needed. And would like to uninstall it.

I installed it by creating /composer folder and ran the install from there. Is it as simple as removing the /composer and all it's sub-folders. Or is there something else I need to do?

reportico.org is down

Existing and working code :

/*
 ** Reportico Javascript functions
 */
function setupDynamicGrids()
{
    if (typeof reportico_dynamic_grids === 'undefined') {
        return;
    }
    if (  reportico_jquery.type(reportico_dynamic_grids) != 'undefined' )
        if ( reportico_dynamic_grids )
        {
            reportico_jquery(".swRepPage").each(function(){
                reportico_jquery(this).dataTable(
                    {
                        "retrieve" : true,
                        "searching" : reportico_dynamic_grids_searchable,
                        "ordering" : reportico_dynamic_grids_sortable,
                        "paging" : reportico_dynamic_grids_paging,
                        "iDisplayLength": reportico_dynamic_grids_page_size
                    }
                );
            });
        }
}

but if i try to add extra option in datatable like following code then it throws error :

/*
 ** Reportico Javascript functions
 */
function setupDynamicGrids()
{
    if (typeof reportico_dynamic_grids === 'undefined') {
        return;
    }
    if (  reportico_jquery.type(reportico_dynamic_grids) != 'undefined' )
        if ( reportico_dynamic_grids )
        {
            reportico_jquery(".swRepPage").each(function(){
                reportico_jquery(this).dataTable(
                    {
                        "scrollCollapse": true,
                        "autoWidth": false,
                        "scrollX": true,
                        "retrieve" : true,
                        "searching" : reportico_dynamic_grids_searchable,
                        "ordering" : reportico_dynamic_grids_sortable,
                        "paging" : reportico_dynamic_grids_paging,
                        "iDisplayLength": reportico_dynamic_grids_page_size
                    }
                );
            });
        }
}

So please guide me that how can we pass extra options to reportico datatable ?

Hi,
I get an error while generating HTML report in Laravel-Reportico module.

Error: "Notice: ...\vendor\reportico\laravel-reportico\src\Reportico\Reportico\reportico_report_html.php Line 148 - A non well formed numeric value encountered"
Laravel version: 5.4.28
PHP version: 7.1.0
Laravel-Reportico version: 4.6

Hi,

I'm using version 7.1.42-beta with the laravel module and the file JQuery in widgets folder should be named Jquery to complain psr-4 (note the q is lowercase ).
If the file doesn't complain the psr-4 standard composer autoload will skip the class.

Let me know if i should make a pull request.

Thanks

Reportico 7.1.36 adds an equal sign to the front of every cell in the CSV-formatted report. This causes a spreadsheet import error when the cell value includes a comma.

The Problem

To recreate the error, put the following code in a *.csv file (attached as test.csv.txt) and open it with a spreadsheet program:

"Column 1","Column 2","Column 3"
="Value,1",="Value 2",="Value 3"

Here is what happens when I import this into LibreOffice:

As you can see, the comma inside "Value,1" is not ignored and causes the start of a new field.

I believe the base problem is that the CSV format requires the entire cell to be inside the double quotes in order for commas to be ignored. The equal sign is not a double quote, so the cell is not actually escaped.

The Solution

File src/ReportCsv.php

Change line 110 from:

$this->text .= "=\"" . $output . "\",";

to this:

$this->text .= "\"" . $output . "\",";

test.csv.txt

Dear Peter,

the very nice application we like to use more.
can you help me connect this application to MSsql?
Currently, we care using collation: SQL_Latin1_General_CP1_CI_AS
how I can connect with MSsql db.

hi,

can you guid me through supporting farsi/persian language in pdf files?
which config should I change? basically, where should i start ?

Name of the Affected Product:
Reportico

Affected Version:
Till 8.1.0

Description:
This vulnerability occurs when a low privilege user is able to get internal system path, file path and DB related information by manipulating the parameter from project=admin to project=admin' in the URL. This error message allows the low privilege user to gain insights into the inner workings of the application or system, potentially leading to unintended exposure of sensitive data or exploitation of system weaknesses.

Impact:
This vulnerability can have several detrimental consequences. Firstly, the exposure of internal paths provides attackers with insights into the directory structure of the application, facilitating further exploitation. Secondly, disclosing error messages can aid attackers in refining their attack strategies and identifying potential weaknesses within the application.

Updating Joomla Site (3.9.14 current) to php 7.3.11 causes this response in Reportico on all reports:

Notice: /nfs/c10/h05/mnt/144724/domains/test.airheads.org/html/components/com_reportico/reportico_report_html.php Line 151 - A non well formed numeric value encountered
Main Report Query - Error: Query Failed

SELECT s.state, v3.field_value as region, s.membership_id, s.first_name, s.last_name, s.city, s.zip, s.country, s.phone, s.email, v1.field_value, v2.field_value FROM j17_osmembership_subscribers=s LEFT JOIN j17_osmembership_field_value as v1 on (s.id=v1.subscriber_id and v1.field_id=21) LEFT JOIN j17_osmembership_field_value as v2 on (s.id=v2.subscriber_id and v2.field_id=30) LEFT JOIN j17_osmembership_field_value as v3 on (s.id=v3.subscriber_id and v3.field_id=31) WHERE 1=1 -- AND s.plan_id=5 AND v1.field_value="airmarshal" AND is_profile=1 -- AND plan_main_record=1 -- AND s.published=1 ORDER BY s.country DESC, s.state ASC

Status 0 -

I want my default date range to be blank (optional) in the Criteria

Like:

Not like:

How can this be done?

Hi,
is there a chance to make this project available via composer, like the Laravel or Yii version?
This would be great!

Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code, (typically HTML or JavaScript), into the contents of an outside website. When a victim views an infected page on the website, the injected code executes in the victim’s browser. Consequently, the attacker has bypassed the browser’s same origin policy and is able to steal private information from a victim associated with the website.

Steps:

1. Login into the Reportico-7.1 admin module
2. Under create report in project, enter the XSS payload in title section.
3. The payload will execute once it's saved.
   
   
   
   

the reportico ofers various date but all have separators.. could be a format that no have separators, specifically a YYYYMMDD such 20170401 this due its easy to compare as normal integers, by this way also easy to backported to other db's vendors

If use criteria with values containing backslash and Multiple Selection List Box (Expand Display) user couldn't set such criteria

f.e.
Criteria Type: Custom List
Criteria Display: No Entry
Expand Display: Multiple Selection List Box
List Values: abc=test/abc, def=test//def, klm=test\klm, nop=test\\nop

values 'test\klm' and 'test\\nop' could never be selected

Upgrading to PHP7.4 reports the following error.
Fatal Error: /opt/tk/core/web/temp_php_script/reportico2/src/XmlReader.php Line 1487 - Function get_magic_quotes_gpc() is deprecated