Fix smarty extended variable access check

It ultimate failed for the following reason.

If base class is passed on to some other class as object parameter
then accessing protected/private variables will be possible because the
__get method will interfer.
Also __set of protected/private variables is possible.

I rather run check for setting variables without defining them than
haveing open protected/private var access

.phan/config.php

@@ -109,8 +109,9 @@ return [
 		// ignore the old qq tests
 		'www/admin/qq_file_upload_front.php',
 		'www/admin/qq_file_upload_ajax.php',
-		// symlink files for msarty
+		// symlink ignore
 		'www/lib/smarty-3.1.30/SmartyBC.class.php',
+		'www/lib/htmlMimeMail-2.5.1/HtmlMimeMailCreate.php',
 	],
 
 	// what not to show as problem

4dev/database/ORDER

@@ -4,7 +4,7 @@ function/set_generic.sql
 function/random_string.sql
 function/set_edit_generic.sql
 function/edit_set_access_uid.sql
-function/edit_log_partition_trigger.sql
+function/edit_log_partition_insert.sql
 # generic tables
 table/edit_temp_files.sql
 table/edit_generic.sql
@@ -22,6 +22,7 @@ table/edit_page_access.sql
 table/edit_page_content.sql
 table/edit_user.sql
 table/edit_log.sql
+table/edit_log_overflow.sql
 table/edit_access.sql
 table/edit_access_user.sql
 table/edit_access_data.sql
@@ -30,9 +31,9 @@ trigger/trg_edit_access_right.sql
 trigger/trg_edit_access.sql
 trigger/trg_edit_access_data.sql
 trigger/trg_edit_access_user.sql
-trigger/trg_edit_generic.sql
 trigger/trg_edit_group.sql
 trigger/trg_edit_language.sql
+trigger/trg_edit_log_overflow.sql
 trigger/trg_edit_log.sql
 trigger/trg_edit_page_access.sql
 trigger/trg_edit_page_content.sql
@@ -42,6 +43,5 @@ trigger/trg_edit_scheme.sql
 trigger/trg_edit_user.sql
 trigger/trg_edit_visible_group.sql
 trigger/trg_edit_menu_group.sql
-trigger/trg_set_edit_access_uid.sql
 # insert data
 data/edit_tables.sql

4dev/database/bin/create_default_trigger.sh

@@ -15,22 +15,20 @@ function_name="set_generic";
 #sql_path_prep=`echo $sql_path | sed -e "s/\///g"`;
 
 # goes for each file and strips headers and endings, and creates trigger name
-for name in $sql_path*;
-do
+for name in $sql_path*; do
 	echo "Wokring on $name";
 	# strip ending
 #	t_name=`echo $name | sed -e 's/.sql$//g' | sed -e "s/^$sql_path_prep//g" | sed -e 's/\///g'`;
 	t_name=`echo $name | sed -e 's/^.*\///g' | sed -e 's/.sql$//g'`;
 	# clean all beginnings
-	for prefix in $file_prefix;
-	do
+	for prefix in $file_prefix; do
 		prefix=$prefix"_";
 		t_name=`echo $t_name | sed -e "s/\$prefix//g"`;
 	done;
 
-# those tables don't need a trigger
-# edit_generic
-# generic
+	# those tables don't need a trigger
+	# edit_generic
+	# generic
 
 	# copy the trigger template to the target
 	trg_filename=$trigger_path$trigger_prefix"_"$t_name".sql";

4dev/database/bin/drop_data.sh

@@ -14,17 +14,14 @@ file_prefix="trg";
 trigger_prefix="trg";
 index_prefix="idx";
 
-for file in `cat ORDER`;
-do
-	if [ -f $file ];
-	then
+for file in `cat ORDER`; do
+	if [ -f $file ]; then
 		# write them into a var, so we can re order them in the other way
 		new_order=$file" "$new_order;
 	fi;
 done;
 
-for file in $new_order;
-do
+for file in $new_order; do
 	sqltype=`echo $file | egrep "table/"`;
 	trgtype=`echo $file | egrep "trigger/"`;
 	idxtype=`echo $file | egrep "index/"`;
@@ -32,43 +29,34 @@ do
 	datatype=`echo $file | egrep "data/"`;
 	# remove all around to get table name
 	t_file=`echo $file | sed -e 's/^.*\///g' | sed -e 's/.sql$//g'`;
-	for prefix in $file_prefix;
-	do
+	for prefix in $file_prefix; do
 		prefix=$prefix"_";
 		t_file=`echo $t_file | sed -e "s/\$prefix//g"`;
 	done;
 	# copy the trigger template to the target
 
-	for path in $schemas;
-	do
-		if [ $sqltype ];
-		then
+	for path in $schemas; do
+		if [ $sqltype ]; then
 			echo "SQL "$path"."$t_file;
 			echo "DROP TABLE "$path"."$t_file" CASCADE;" | psql -U $user -h $host $db
 		fi;
-		if [ $trgtype ];
-		then
+		if [ $trgtype ]; then
 			trigger=$trigger_prefix"_"$t_file;
 			echo "TRG $trigger TBL "$path".$t_file";
 			echo "DROP TRIGGER "$path".$trigger ON "$t_file" CASCADE;" | psql -U $user -h $host $db
 		fi;
-		if [ $fcttype ];
-		then
+		if [ $fcttype ]; then
 			echo "FCT "$path"."$t_file;
 			echo "DROP FUNCTION "$path"."$t_file"();" | psql -U $user -h $host $db
 		fi;
-		if [ $idxtype ];
-		then
+		if [ $idxtype ]; then
 			index=$index_prefix"_"$t_file;
-	#		echo "IDX "$t_file;
-	#		echo "DROP INDEX $index ON $t_file;" | psql -U $user -h $host $db
+			# echo "IDX "$t_file;
+			# echo "DROP INDEX $index ON $t_file;" | psql -U $user -h $host $db
 		fi;
-		if [ $datatype ];
-		then
+		if [ $datatype ]; then
 			echo "DATA "$t_file;
-	#		echo "DROP FUNCTION "$t_file"();" | psql -U $user -h $host $db
+			# echo "DROP FUNCTION "$t_file"();" | psql -U $user -h $host $db
 		fi;
-
-	#	psql -U cms_user -h 192.168.12.14 -f $file CMSv2
 	done;
 done;

4dev/database/function/edit_set_group_uid.sql

@@ -0,0 +1,28 @@
+-- add uid add for edit_group table
+
+CREATE OR REPLACE FUNCTION set_edit_group_uid() RETURNS TRIGGER AS
+$$
+	DECLARE
+		myrec RECORD;
+		v_uid VARCHAR;
+	BEGIN
+		-- skip if NEW.name is not set
+		IF NEW.name IS NOT NULL AND NEW.name <> '' THEN
+			-- use NEW.name as base, remove all spaces
+			-- name data is already unique, so we do not need to worry about this here
+			v_uid := REPLACE(NEW.name, ' ', '');
+			IF TG_OP = 'INSERT' THEN
+				-- always set
+				NEW.uid := v_uid;
+			ELSIF TG_OP = 'UPDATE' THEN
+				-- check if not set, then set
+				SELECT INTO myrec t.* FROM edit_group t WHERE edit_group_id = NEW.edit_group_id;
+				IF FOUND THEN
+					NEW.uid := v_uid;
+				END IF;
+			END IF;
+		END IF;
+		RETURN NEW;
+	END;
+$$
+	LANGUAGE 'plpgsql';

4dev/database/log/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

4dev/database/table/edit_access_data.sql

@@ -9,8 +9,8 @@
 CREATE TABLE edit_access_data (
 	edit_access_data_id	SERIAL PRIMARY KEY,
 	edit_access_id INT NOT NULL,
+	FOREIGN KEY (edit_access_id) REFERENCES edit_access (edit_access_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	enabled	SMALLINT NOT NULL DEFAULT 0,
 	name	VARCHAR,
-	value	VARCHAR,
-	FOREIGN KEY (edit_access_id) REFERENCES edit_access (edit_access_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	value	VARCHAR
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_access_user.sql

@@ -9,11 +9,11 @@
 CREATE TABLE edit_access_user (
 	edit_access_user_id	SERIAL PRIMARY KEY,
 	edit_access_id	INT NOT NULL,
-	edit_user_id	INT NOT NULL,
-	edit_access_right_id	INT NOT NULL,
-	edit_default	SMALLINT DEFAULT 0,
-	enabled	SMALLINT NOT NULL DEFAULT 0,
 	FOREIGN KEY (edit_access_id) REFERENCES edit_access (edit_access_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	edit_user_id	INT NOT NULL,
 	FOREIGN KEY (edit_user_id) REFERENCES edit_user (edit_user_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	edit_access_right_id	INT NOT NULL,
+	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	edit_default	SMALLINT DEFAULT 0,
+	enabled	SMALLINT NOT NULL DEFAULT 0
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_group.sql

@@ -9,12 +9,12 @@
 CREATE TABLE edit_group (
 	edit_group_id	SERIAL PRIMARY KEY,
 	edit_scheme_id INT,
+	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id INT NOT NULL,
+	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	enabled	SMALLINT NOT NULL DEFAULT 0,
 	deleted	SMALLINT DEFAULT 0,
 	uid	VARCHAR,
 	name	VARCHAR,
-	additional_acl	JSONB,
-	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	additional_acl	JSONB
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_log.sql

@@ -8,6 +8,8 @@
 -- DROP TABLE edit_log;
 CREATE TABLE edit_log (
 	edit_log_id	SERIAL PRIMARY KEY,
+	euid	INT, -- this is a foreign key, but I don't nedd to reference to it
+	FOREIGN KEY (euid) REFERENCES edit_user (edit_user_id) MATCH FULL ON UPDATE CASCADE ON DELETE SET NULL,
 	username	VARCHAR,
 	password	VARCHAR,
 	event_date	TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
@@ -26,7 +28,6 @@ CREATE TABLE edit_log (
 	action_value	VARCHAR,
 	action_type	VARCHAR,
 	action_error	VARCHAR,
-	euid	INT, -- this is a foreign key, but I don't nedd to reference to it
 	user_agent	VARCHAR,
 	referer	VARCHAR,
 	script_name	VARCHAR,
@@ -36,6 +37,5 @@ CREATE TABLE edit_log (
 	http_accept	VARCHAR,
 	http_accept_charset	VARCHAR,
 	http_accept_encoding	VARCHAR,
-	session_id	VARCHAR,
-	FOREIGN KEY (euid) REFERENCES edit_user (edit_user_id) MATCH FULL ON UPDATE CASCADE ON DELETE SET NULL
+	session_id	VARCHAR
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_page.sql

@@ -9,6 +9,7 @@
 CREATE TABLE edit_page (
 	edit_page_id	SERIAL PRIMARY KEY,
 	content_alias_edit_page_id	INT, -- alias for page content, if the page content is defined on a different page, ege for ajax backend pages
+	FOREIGN KEY (content_alias_edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE RESTRICT ON UPDATE CASCADE,
 	filename	VARCHAR,
 	name	VARCHAR UNIQUE,
 	order_number INT NOT NULL,
@@ -17,6 +18,5 @@ CREATE TABLE edit_page (
 	popup	SMALLINT NOT NULL DEFAULT 0,
 	popup_x	SMALLINT,
 	popup_y SMALLINT,
-	hostname	VARCHAR,
-	FOREIGN KEY (content_alias_edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE RESTRICT ON UPDATE CASCADE
+	hostname	VARCHAR
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_page_access.sql

@@ -9,12 +9,12 @@
 CREATE TABLE edit_page_access (
 	edit_page_access_id	SERIAL PRIMARY KEY,
 	edit_group_id	INT NOT NULL,
-	edit_page_id	INT NOT NULL,
-	edit_access_right_id	INT NOT NULL,
-	enabled	SMALLINT NOT NULL DEFAULT 0,
 	FOREIGN KEY (edit_group_id) REFERENCES edit_group (edit_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	edit_page_id	INT NOT NULL,
 	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	edit_access_right_id	INT NOT NULL,
+	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	enabled	SMALLINT NOT NULL DEFAULT 0
 ) INHERITS (edit_generic) WITHOUT OIDS;
 
 

4dev/database/table/edit_page_content.sql

@@ -10,11 +10,11 @@
 CREATE TABLE edit_page_content (
 	edit_page_content_id	SERIAL PRIMARY KEY,
 	edit_page_id	INT NOT NULL,
+	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id	INT NOT NULL,
+	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	uid	VARCHAR UNIQUE,
 	name	VARCHAR,
 	order_number INT NOT NULL,
-	online	SMALLINT NOT NULL DEFAULT 0,
-	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	online	SMALLINT NOT NULL DEFAULT 0
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_page_menu_group.sql

@@ -8,7 +8,7 @@
 -- DROP TABLE edit_page_menu_group;
 CREATE TABLE edit_page_menu_group (
 	edit_page_id INT NOT NULL,
-	edit_menu_group_id INT NOT NULL,
 	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	edit_menu_group_id INT NOT NULL,
 	FOREIGN KEY (edit_menu_group_id) REFERENCES edit_menu_group (edit_menu_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
 );

4dev/database/table/edit_page_visible_group.sql

@@ -8,7 +8,7 @@
 -- DROP TABLE edit_page_visible_group;
 CREATE TABLE edit_page_visible_group (
 	edit_page_id INT NOT NULL,
-	edit_visible_group_id INT NOT NULL,
 	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
+	edit_visible_group_id INT NOT NULL,
 	FOREIGN KEY (edit_visible_group_id) REFERENCES edit_visible_group (edit_visible_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
 );

4dev/database/table/edit_query_string.sql

@@ -9,9 +9,9 @@
 CREATE TABLE edit_query_string (
 	edit_query_string_id	SERIAL PRIMARY KEY,
 	edit_page_id	INT NOT NULL,
+	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	enabled	SMALLINT NOT NULL DEFAULT 0,
 	name	VARCHAR,
 	value	VARCHAR,
-	dynamic	SMALLINT NOT NULL DEFAULT 0,
-	FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	dynamic	SMALLINT NOT NULL DEFAULT 0
 ) INHERITS (edit_generic) WITHOUT OIDS;

4dev/database/table/edit_user.sql

@@ -9,10 +9,15 @@
 CREATE TABLE edit_user (
 	edit_user_id	SERIAL PRIMARY KEY,
 	connect_edit_user_id	INT, -- possible reference to other user
+	FOREIGN KEY (connect_edit_user_id) REFERENCES edit_user (edit_user_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_language_id INT NOT NULL,
+	FOREIGN KEY (edit_language_id) REFERENCES edit_language (edit_language_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_group_id INT NOT NULL,
+	FOREIGN KEY (edit_group_id) REFERENCES edit_group (edit_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_scheme_id INT,
+	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	edit_access_right_id INT NOT NULL,
+	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
 	enabled	SMALLINT NOT NULL DEFAULT 0,
 	deleted	SMALLINT NOT NULL DEFAULT 0,
 	username	VARCHAR UNIQUE,
@@ -26,17 +31,17 @@ CREATE TABLE edit_user (
 	email	VARCHAR,
 	protected SMALLINT NOT NULL DEFAULT 0,
 	admin	SMALLINT NOT NULL DEFAULT 0,
-	login_error_count	INT,
+	login_error_count	INT DEFAULT 0,
 	login_error_date_last	TIMESTAMP WITHOUT TIME ZONE,
 	login_error_date_first	TIMESTAMP WITHOUT TIME ZONE,
 	strict	SMALLINT DEFAULT 0,
 	locked	SMALLINT DEFAULT 0,
 	password_change_date	TIMESTAMP WITHOUT TIME ZONE, -- only when password is first set or changed
 	password_change_interval	INTERVAL, -- null if no change is needed, or d/m/y time interval
-	additional_acl	JSONB, -- additional ACL as JSON string (can be set by other pages)
-	FOREIGN KEY (connect_edit_user_id) REFERENCES edit_user (edit_user_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_language_id) REFERENCES edit_language (edit_language_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_group_id) REFERENCES edit_group (edit_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
-	FOREIGN KEY (edit_access_right_id) REFERENCES edit_access_right (edit_access_right_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE
+	password_reset_time	TIMESTAMP WITHOUT TIME ZONE, -- when the password reset was requested
+	password_reset_uid	VARCHAR, -- the uid to access the password reset page
+	additional_acl	JSONB -- additional ACL as JSON string (can be set by other pages)
 ) INHERITS (edit_generic) WITHOUT OIDS;
+
+COMMENT ON COLUMN edit_user.password_reset_time IS 'When the password reset was requested. For reset page uid valid check';
+COMMENT ON COLUMN edit_user.password_reset_uid IS 'Password reset page uid';

4dev/database/trigger/trg_edit_group.sql

@@ -2,3 +2,8 @@ DROP TRIGGER IF EXISTS trg_edit_group ON edit_group;
 CREATE TRIGGER trg_edit_group
 BEFORE INSERT OR UPDATE ON edit_group
 FOR EACH ROW EXECUTE PROCEDURE set_edit_generic();
+
+DROP TRIGGER IF EXISTS trg_set_edit_group_uid ON edit_group;
+CREATE TRIGGER trg_set_edit_group_uid
+BEFORE INSERT OR UPDATE ON edit_group
+FOR EACH ROW EXECUTE PROCEDURE set_edit_group_uid();

phpstan.neon

@@ -5,14 +5,17 @@ parameters:
 	level: 1
 	paths:
 		- %currentWorkingDirectory%/www
-	#bootstrap: %currentWorkingDirectory%/phpstan-bootstrap.php
-	#bootstrap: phpstan-bootstrap.php
-	autoload_directories:
-	autoload_files:
+	bootstrapFiles:
 		- %currentWorkingDirectory%/phpstan-bootstrap.php
+	scanDirectories:
+		- www/lib/Smarty
+	scanFiles:
+		- www/configs/config.php
 		- www/configs/config.master.php
 		- www/lib/autoloader.php
 		- www/vendor/autoload.php
+		- www/lib/Smarty/Autoloader.php
+		- www/lib/CoreLibs/Template/SmartyExtend.php
 	excludes_analyse:
 		# no check admin
 		- www/admin/qq_file_upload_front.php
@@ -40,10 +43,12 @@ parameters:
 		- www/tmp
 		- www/lib/pChart
 		- www/lib/pChart2.1.4
-		- www/lib/Smarty/
-		- www/lib/smarty-3.1.30/
+		- www/lib/Smarty
+		- www/lib/smarty-3.1.30
 		# ignore composer
 		- www/vendor
+		# ignore the smartyextend
+		- www/lib/CoreLibs/Template/SmartyExtend.php
 	# ignore errores with
 	# ignoreErrors:
 		#- 'error regex'

www/admin/class_test.php

@@ -213,6 +213,16 @@ print "RETURN DATA FOR search_path: ".$data."<br>";
 $status = $basic->dbExec("INSERT INTO test.schema_test (contents, id) VALUES ('TIME: ".time()."', ".rand(1, 10).")");
 print "OTHER SCHEMA INSERT STATUS: ".$status." | PK NAME: ".$basic->pk_name.", PRIMARY KEY: ".$basic->insert_id."<br>";
 
+print "<b>NULL TEST DB READ</b><br>";
+$q = "SELECT uid, null_varchar, null_int FROM test_null_data WHERE uid = 'A'";
+$res = $basic->dbReturnRow($q);
+var_dump($res);
+print "RES: ".$basic->printAr($res)."<br>";
+print "ISSET: ".isset($res['null_varchar'])."<br>";
+print "EMPTY: ".empty($res['null_varchar'])."<br>";
+
+// data read test
+
 // time string thest
 $timestamp = 5887998.33445;
 $time_string = $basic->timeStringFormat($timestamp);

www/admin/smarty_test.php

@@ -52,6 +52,7 @@ $options = array (
 
 if (is_object($smarty)) {
 	$smarty->DATA['drop_down_test'] = $options;
+	$smarty->DATA['loop_start'] = 2;
 	// require BASE.INCLUDES.'admin_smarty.php';
 	$smarty->setSmartyVarsAdmin();
 }

www/configs/config.master.php

@@ -101,8 +101,23 @@ define('LOGOUT_TARGET', '');
 define('PASSWORD_CHANGE', false);
 define('PASSWORD_FORGOT', false);
 // min/max password length
-define('PASSWORD_MIN_LENGTH', 8);
+define('PASSWORD_MIN_LENGTH', 9);
 define('PASSWORD_MAX_LENGTH', 255);
+// defines allowed special characters
+DEFINE('PASSWORD_SPECIAL_RANGE', '@$!%*?&');
+// password must have upper case, lower case, number, special
+// comment out for not mandatory
+DEFINE('PASSWORD_LOWER', '(?=.*[a-z])');
+DEFINE('PASSWORD_UPPER', '(?=.*[A-Z])');
+DEFINE('PASSWORD_NUMBER', '(?=.*\d)');
+DEFINE('PASSWORD_SPECIAL', "(?=.*[".PASSWORD_SPECIAL_RANGE."])");
+// define full regex
+DEFINE('PASSWORD_REGEX', "/^".
+	(defined('PASSWORD_LOWER') ? PASSWORD_LOWER : '').
+	(defined('PASSWORD_UPPER') ? PASSWORD_UPPER : '').
+	(defined('PASSWORD_NUMBER') ? PASSWORD_NUMBER : '').
+	(defined('PASSWORD_SPECIAL') ? PASSWORD_SPECIAL : '').
+	"[A-Za-z\d".PASSWORD_SPECIAL_RANGE."]{".PASSWORD_MIN_LENGTH.",".PASSWORD_MAX_LENGTH."}$/");
 
 /************* AJAX / ACCESS *************/
 // ajax request type
@@ -169,6 +184,8 @@ define('PUBLIC_SCHEMA', 'public');
 define('DEV_SCHEMA', 'public');
 define('TEST_SCHEMA', 'public');
 define('LIVE_SCHEMA', 'public');
+define('GLOBAL_DB_SCHEMA', '');
+define('LOGIN_DB_SCHEMA', '');
 
 /************* CORE HOST SETTINGS *****************/
 if (file_exists(BASE.CONFIGS.'config.host.php')) {

www/includes/edit_base.php

@@ -102,7 +102,7 @@ if ($form->my_page_name == 'edit_order') {
 	if (!isset($position)) {
 		$position = array();
 	}
-	$row_data_id = $_POST['row_data_id'];
+	$row_data_id = $_POST['row_data_id'] ?? [];
 	$original_id = $row_data_id;
 	if (count($position)) {
 		$row_data_order = $_POST['row_data_order'];
@@ -116,8 +116,8 @@ if ($form->my_page_name == 'edit_order') {
 				// this gets the old before (moves one "up")
 				// is done for every element in row
 				// echo "A: ".$row_data_id[$position[$i]]." (".$row_data_order[$position[$i]].") -- ".$row_data_id[$position[$i]-1]." (".$row_data_order[$position[$i]-1].")<br>";
-				$temp_id = $row_data_id[$position[$i]];
-				$row_data_id[$position[$i]] = $row_data_id[$position[$i] - 1];
+				$temp_id = $row_data_id[$position[$i]] ?? null;
+				$row_data_id[$position[$i]] = $row_data_id[$position[$i] - 1] ?? null;
 				$row_data_id[$position[$i] - 1] = $temp_id;
 				// echo "A: ".$row_data_id[$position[$i]]." (".$row_data_order[$position[$i]].") -- ".$row_data_id[$position[$i]-1]." (".$row_data_order[$position[$i]-1].")<br>";
 			} // for
@@ -129,8 +129,8 @@ if ($form->my_page_name == 'edit_order') {
 				// same as up, just up in other way, starts from bottom (last element) and moves "up"
 				// element before actuel gets temp, this element, becomes element after this,
 				// element after this, gets this
-				$temp_id = $row_data_id[$position[$i] + 1];
-				$row_data_id[$position[$i] + 1] = $row_data_id[$position[$i]];
+				$temp_id = $row_data_id[$position[$i] + 1] ?? null;
+				$row_data_id[$position[$i] + 1] = $row_data_id[$position[$i]] ?? null;
 				$row_data_id[$position[$i]] = $temp_id;
 			} // for
 		} // if down
@@ -140,8 +140,10 @@ if ($form->my_page_name == 'edit_order') {
 			(isset($down) && ($position[count($position) - 1] != (count($row_data_id) - 1)))
 		) {
 			for ($i = 0; $i < count($row_data_id); $i ++) {
-				$q = "UPDATE ".$table_name." SET order_number = ".$row_data_order[$i]." WHERE ".$table_name."_id = ".$row_data_id[$i];
-				$q = $form->dbExec($q);
+				if (isset($row_data_order[$i]) && isset($row_data_id[$i])) {
+					$q = "UPDATE ".$table_name." SET order_number = ".$row_data_order[$i]." WHERE ".$table_name."_id = ".$row_data_id[$i];
+					$q = $form->dbExec($q);
+				}
 			} // for all article ids ...
 		} // if write
 	} // if there is something to move
@@ -187,7 +189,9 @@ if ($form->my_page_name == 'edit_order') {
 		// list of points to order
 		for ($j = 0; $j < count($position); $j++) {
 			// if matches, put into select array
-			if ($original_id[$position[$j]] == $row_data[$i]['id']) {
+			if (isset($original_id[$position[$j]]) && isset($row_data[$i]['id']) &&
+				$original_id[$position[$j]] == $row_data[$i]['id']
+			) {
 				$options_selected[] = $i;
 			}
 		}
@@ -301,7 +305,7 @@ if ($form->my_page_name == 'edit_order') {
 					(!$data['hostname'] || strstr($data['hostname'], CONTENT_PATH) !== false)
 			))
 		) {
-			$position = $j;
+			$position = $i;
 			$menu_data[$i]['position'] = 1;
 			$menu_data[$i]['popup'] = 0;
 		} else {
@@ -326,7 +330,7 @@ if ($form->my_page_name == 'edit_order') {
 	} // for
 	// $form->debug('MENU ARRAY', $form->printAr($menu_data));
 	$DATA['menu_data'] = $menu_data;
-	$DATA['page_name'] = $menuarray[$position]['page_name'];
+	$DATA['page_name'] = $menuarray[$position]['page_name'] ?? '-Undefined ['.$position.'] -';
 	$L_TITLE = $DATA['page_name'];
 	// html title
 	$HEADER['HTML_TITLE'] = $form->l->__($L_TITLE);

www/includes/templates/admin/smarty_test.tpl

@@ -12,13 +12,19 @@
 <div class="jq-container">
 	<div id="jq-test" class="jp-test">
 		<div id="test-div" class="test-div">
-			Some content ehre or asdfasdfasf
+			Some content here or asdfasdfasf
 		</div>
 		<div id="translate-div">
 			TRANSLATION SMARTY: {t}I should be translated{/t}
 		</div>
 	</div>
 </div>
+<div class="loop-test">
+	<div>LOOP TEST</div>
+{section name=page_list start=1 loop=$loop_start+1}
+	<div>LOOP OUTPUT: {$smarty.section.page_list.index}</div>
+{/section}
+</div>
 {* progresss indicator *}
 <div id="indicator"></div>
 {* the action confirm box *}

www/layout/admin/css/edit.css

@@ -382,7 +382,7 @@ input[type="text"]:focus, textarea:focus, select:focus {
 	left: 0;
 	top: 0;
 	position: absolute;
-	z-index: 100;
+	z-index: 1000;
 }
 /* Animation for above progress */
 @keyframes rotate {

www/layout/admin/javascript/edit.jq.js

@@ -12,6 +12,10 @@ if (!DEBUG) {
 	});
 }*/
 
+// open overlay boxes counter
+var GL_OB_S = 10;
+var GL_OB_BASE = 10;
+
 /**
  * opens a popup window with winName and given features (string)
  * @param {String} theURL   the url
@@ -121,8 +125,7 @@ function setCenter(id, left, top)
 function goToPos(element, offset = 0)
 {
 	try {
-		if ($('#' + element).length)
-		{
+		if ($('#' + element).length) {
 			$('body,html').animate({
 				scrollTop: $('#' + element).offset().top - offset
 			}, 500);
@@ -279,12 +282,48 @@ function randomIdF()
 	return Math.random().toString(36).substring(2);
 }
 
+/**
+ * check if name is a function
+ * @param  {string}  name Name of function to check if exists
+ * @return {Boolean}      true/false
+ */
+function isFunction(name)
+{
+	if (typeof window[name] !== 'undefined' &&
+		typeof window[name] === 'function') {
+		return true;
+	} else {
+		return false;
+	}
+}
+
+/**
+ * call a function by its string name
+ * https://stackoverflow.com/a/359910
+ * example: executeFunctionByName("My.Namespace.functionName", window, arguments);
+ * @param  {string} functionName The function name or namespace + function
+ * @param  {mixed}  context      context (window or first namespace)
+ *                               hidden next are all the arguments
+ * @return {mixed}               Return values from functon
+ */
+function executeFunctionByName(functionName, context /*, args */)
+{
+	var args = Array.prototype.slice.call(arguments, 2);
+	var namespaces = functionName.split('.');
+	var func = namespaces.pop();
+	for (var i = 0; i < namespaces.length; i++) {
+		context = context[namespaces[i]];
+	}
+	return context[func].apply(context, args);
+}
+
 /**
  * checks if a variable is an object
  * @param  {Mixed}   val possible object
  * @return {Boolean}     true/false if it is an object or not
  */
-function isObject(val) {
+function isObject(val)
+{
 	if (val === null) {
 		return false;
 	}
@@ -296,7 +335,8 @@ function isObject(val) {
  * @param  {Object} object object to check
  * @return {Number} number of entry
  */
-function getObjectCount(object) {
+function getObjectCount(object)
+{
 	return Object.keys(object).length;
 }
 
@@ -339,6 +379,31 @@ function valueInObject(object, value)
 	// }) ? true : false;
 }
 
+/**
+ * true deep copy for Javascript objects
+ * if Object.assign({}, obj) is not working (shallow)
+ * or if JSON.parse(JSON.stringify(obj)) is failing
+ * @param  {Object} inObject Object to copy
+ * @return {Object}          Copied Object
+ */
+function deepCopyFunction(inObject)
+{
+	var outObject, value, key;
+	if (typeof inObject !== "object" || inObject === null) {
+		return inObject; // Return the value if inObject is not an object
+	}
+	// Create an array or object to hold the values
+	outObject = Array.isArray(inObject) ? [] : {};
+	// loop over ech entry in object
+	for (key in inObject) {
+		value = inObject[key];
+		// Recursively (deep) copy for nested objects, including arrays
+		outObject[key] = deepCopyFunction(value);
+	}
+
+	return outObject;
+}
+
 /**
  * checks if a DOM element actually exists
  * @param  {String}  id Element id to check for
@@ -394,6 +459,20 @@ function errorCatch(err)
 	}
 }
 
+/*************************************************************
+ * OLD action indicator and overlay boxes calls
+ * DO NOT USE
+ * actionIndicator -> showActionIndicator
+ * actionIndicator -> hideActionIndicator
+ * actionIndicatorShow -> showActionIndicator
+ * actionIndicatorHide -> hideActionIndicator
+ * overlayBoxShow -> showOverlayBoxLayers
+ * overlayBoxHide -> hideOverlayBoxLayers
+ * setOverlayBox -> showOverlayBoxLayers
+ * hideOverlayBox -> hideOverlayBoxLayers
+ * ClearCall -> ClearCallActionBox
+ * ***********************************************************/
+
 /**
  * show or hide the "do" overlay
  * @param {String}  loc            location name for action indicator
@@ -402,10 +481,10 @@ function errorCatch(err)
  */
 function actionIndicator(loc, overlay = true)
 {
-	if ($('#overlayBox').is(':visible')) {
+	if ($('#indicator').is(':visible')) {
 		actionIndicatorHide(loc, overlay);
 	} else {
-		 actionIndicatorShow(loc, overlay);
+		actionIndicatorShow(loc, overlay);
 	}
 }
 
@@ -418,9 +497,11 @@ function actionIndicator(loc, overlay = true)
  */
 function actionIndicatorShow(loc, overlay = true)
 {
-	console.log('Indicator: SHOW [%s]', loc);
+	// console.log('Indicator: SHOW [%s]', loc);
 	if (!$('#indicator').is(':visible')) {
-		$('#indicator').addClass('progress');
+		if (!$('#indicator').hasClass('progress')) {
+			$('#indicator').addClass('progress');
+		}
 		setCenter('indicator', true, true);
 		$('#indicator').show();
 	}
@@ -438,16 +519,15 @@ function actionIndicatorShow(loc, overlay = true)
  */
 function actionIndicatorHide(loc, overlay = true)
 {
-	console.log('Indicator: HIDE [%s]', loc);
+	// console.log('Indicator: HIDE [%s]', loc);
 	$('#indicator').hide();
-	$('#indicator').removeClass('progress');
 	if (overlay === true) {
 		overlayBoxHide();
 	}
 }
 
 /**
- * shows the overlay box
+ * shows the overlay box or if already visible, bumps the zIndex to 100
  */
 function overlayBoxShow()
 {
@@ -456,16 +536,17 @@ function overlayBoxShow()
 		$('#overlayBox').css('zIndex', '100');
 	} else {
 		$('#overlayBox').show();
+		$('#overlayBox').css('zIndex', '98');
 	}
 }
 
 /**
- * hides the overlay box
+ * hides the overlay box or if zIndex is 100 bumps it down to previous level
  */
 function overlayBoxHide()
 {
 	// if the overlay box z-index is 100, do no hide, but set to 98
-	if ($('#overlayBox').css('zIndex') == 100) {
+	if ($('#overlayBox').css('zIndex') >= 100) {
 		$('#overlayBox').css('zIndex', '98');
 	} else {
 		$('#overlayBox').hide();
@@ -482,16 +563,182 @@ function setOverlayBox()
 	}
 }
 
+/**
+ * opposite of set, always hides overlay box
+ */
+function hideOverlayBox()
+{
+	if ($('#overlayBox').is(':visible')) {
+		$('#overlayBox').hide();
+	}
+}
+
 /**
  * the abort call, clears the action box and hides it and the overlay box
  */
 function ClearCall()
 {
-	$('#actionBox').innerHTML = '';
+	$('#actionBox').html('');
 	$('#actionBox').hide();
 	$('#overlayBox').hide();
 }
 
+/*************************************************************
+ * NEW action indicator and overlay box calls
+ * USE THIS
+ * ***********************************************************/
+
+/**
+ * show action indicator
+ * - checks if not existing and add
+ * - only shows if not visible (else ignore)
+ * - overlaybox check is called and shown on a fixzed
+ *   zIndex of 1000
+ * - indicator is page centered
+ * @param {String} loc ID string, only used for console log
+ */
+function showActionIndicator(loc)
+{
+	// console.log('Indicator: SHOW [%s]', loc);
+	// check if indicator element exists
+	if ($('#indicator').length == 0) {
+		var el = document.createElement('div');
+		el.className = 'progress hide';
+		el.id = 'indicator';
+		$('body').append(el);
+	} else if (!$('#indicator').hasClass('progress')) {
+		// if I add a class it will not be hidden anymore
+		// hide it
+		$('#indicator').addClass('progress').hide();
+	}
+	// indicator not visible
+	if (!$('#indicator').is(':visible')) {
+		// check if overlay box element exits
+		checkOverlayExists();
+		// if not visible show
+		if (!$('#overlayBox').is(':visible')) {
+			$('#overlayBox').show();
+		}
+		// always set to 1000 zIndex to be top
+		$('#overlayBox').css('zIndex', 1000);
+		// show indicator
+		$('#indicator').show();
+		// center it
+		setCenter('indicator', true, true);
+	}
+}
+
+/**
+ * hide action indicator, if it is visiable
+ * If the global variable GL_OB_S is > 10 then
+ * the overlayBox is not hidden but the zIndex
+ * is set to this value
+ * @param {String} loc ID string, only used for console log
+ */
+function hideActionIndicator(loc)
+{
+	// console.log('Indicator: HIDE [%s]', loc);
+	// check if indicator is visible
+	if ($('#indicator').is(':visible')) {
+		// hide indicator
+		$('#indicator').hide();
+		// if global overlay box count is > 0
+		// then set it to this level and keep
+		if (GL_OB_S > GL_OB_BASE) {
+			$('#overlayBox').css('zIndex', GL_OB_S);
+		} else {
+			// else hide overlay box and set zIndex to 0
+			$('#overlayBox').hide();
+			$('#overlayBox').css('zIndex', GL_OB_BASE);
+		}
+	}
+}
+
+/**
+ * checks if overlayBox exists, if not it is
+ * added as hidden item at the body end
+ */
+function checkOverlayExists()
+{
+	// check if overlay box exists, if not create it
+	if ($('#overlayBox').length == 0) {
+		var el = document.createElement('div');
+		el.className = 'overlayBoxElement hide';
+		el.id = 'overlayBox';
+		$('body').append(el);
+	}
+}
+
+/**
+ * show overlay box
+ * if not visible show and set zIndex to 10 (GL_OB_BASE)
+ * if visible, add +1 to the GL_OB_S variable and
+ * up zIndex by this value
+ */
+function showOverlayBoxLayers(el_id)
+{
+	// console.log('SHOW overlaybox: %s', GL_OB_S);
+	// if overlay box is not visible show and set zIndex to 0
+	if (!$('#overlayBox').is(':visible')) {
+		$('#overlayBox').show();
+		$('#overlayBox').css('zIndex', GL_OB_BASE);
+		// also set start variable to 0
+		GL_OB_S = GL_OB_BASE;
+	}
+	// up the overlay box counter by 1
+	GL_OB_S ++;
+	// set zIndex
+	$('#overlayBox').css('zIndex', GL_OB_S);
+	// if element given raise zIndex and show
+	if (el_id) {
+		if ($('#' + el_id).length > 0) {
+			$('#' + el_id).css('zIndex', GL_OB_S + 1);
+			$('#' + el_id).show();
+		}
+	}
+	// console.log('SHOW overlaybox NEW zIndex: %s', $('#overlayBox').css('zIndex'));
+}
+
+/**
+ * hide overlay box
+ * lower GL_OB_S value by -1
+ * if we are 10 (GL_OB_BASE) or below hide the overlayIndex
+ * and set zIndex and GL_OB_S to 0
+ * else just set zIndex to the new GL_OB_S value
+ * @param {String} el_id Target to hide layer
+ */
+function hideOverlayBoxLayers(el_id)
+{
+	// console.log('HIDE overlaybox: %s', GL_OB_S);
+	// remove on layer
+	GL_OB_S --;
+	// if 0 or lower (overflow) hide it and
+	// set zIndex to 0
+	if (GL_OB_S <= GL_OB_BASE) {
+		GL_OB_S = GL_OB_BASE;
+		$('#overlayBox').hide();
+		$('#overlayBox').css('zIndex', GL_OB_BASE);
+	} else {
+		// if OB_S > 0 then set new zIndex
+		$('#overlayBox').css('zIndex', GL_OB_S);
+	}
+	if (el_id) {
+		$('#' + el_id).hide();
+		$('#' + el_id).css('zIndex', 0);
+	}
+	// console.log('HIDE overlaybox NEW zIndex: %s', $('#overlayBox').css('zIndex'));
+}
+
+/**
+ * only for single action box
+ */
+function clearCallActionBox()
+{
+	$('#actionBox').html('');
+	$('#actionBox').hide();
+	hideOverlayBoxLayers();
+}
+
 // *** DOM MANAGEMENT FUNCTIONS
 /**
  * reates object for DOM element creation flow
@@ -527,7 +774,8 @@ function ael(base, attach, id = '')
 	if (id) {
 		// base id match already
 		if (base.id == id) {
-			base.sub.push(Object.assign({}, attach));
+			// base.sub.push(Object.assign({}, attach));
+			base.sub.push(deepCopyFunction(attach));
 		} else {
 			// sub check
 			if (isObject(base.sub) && base.sub.length > 0) {
@@ -538,7 +786,8 @@ function ael(base, attach, id = '')
 			}
 		}
 	} else {
-		base.sub.push(Object.assign({}, attach));
+		// base.sub.push(Object.assign({}, attach));
+		base.sub.push(deepCopyFunction(attach));
 	}
 	return base;
 }
@@ -553,7 +802,24 @@ function ael(base, attach, id = '')
 function aelx(base, ...attach)
 {
 	for (var i = 0; i < attach.length; i ++) {
-		base.sub.push(Object.assign({}, attach[i]));
+		// base.sub.push(Object.assign({}, attach[i]));
+		base.sub.push(deepCopyFunction(attach[i]));
+	}
+	return base;
+}
+
+/**
+ * same as aelx, but instead of using objects as parameters
+ * get an array of objects to attach
+ * @param  {Object} base   object to where we attach the elements
+ * @param  {Array}  attach array of objects to attach
+ * @return {Object}        "none", technically there is no return needed, global attach
+ */
+function aelxar(base, attach)
+{
+	for (var i = 0; i < attach.length; i ++) {
+		// base.sub.push(Object.assign({}, attach[i]));
+		base.sub.push(deepCopyFunction(attach[i]));
 	}
 	return base;
 }
@@ -677,6 +943,22 @@ function phfo(tree)
 	// combine to string
 	return content.join('');
 }
+
+/**
+ * Create HTML elements from array list
+ * as a flat element without master object file
+ * Is like tree.sub call
+ * @param  {Array}  list Array of cel created objects
+ * @return {String}      HTML String
+ */
+function phfa(list)
+{
+	var content = [];
+	for (i = 0; i < list.length; i ++) {
+		content.push(phfo(list[i]));
+	}
+	return content.join('');
+}
 // *** DOM MANAGEMENT FUNCTIONS
 
 // BLOCK: html wrappers for quickly creating html data blocks
@@ -767,6 +1049,35 @@ function html_options_block(name, data, selected = '', multiple = 0, options_onl
 		element_option = cel('option', '', value, '', options);
 		// attach it to the select element
 		ael(element_select, element_option);
+		/*
+		// get the original data for this key
+		var opt_value = r_value[opt_key];
+		// if it is an object, we assume a sub group [original data]
+		if (isObject(opt_value)) {
+			element_group = document.createElement('optgroup');
+			element_group.label = opt_key;
+			// loop through attached sub key elements in order (key is orignal)
+			$.each(data.form_reference_order[key][opt_key], function(opt_group_pos, opt_group_key) {
+				var opt_group_value = r_value[opt_key][opt_group_key];
+				element_sub = document.createElement('option');
+				// check if w is object, if yes, the element is a subset drop down
+				element_sub.label = opt_group_value;
+				element_sub.value = opt_group_key;
+				element_sub.innerHTML = opt_group_value;
+				element_group.appendChild(element_sub);
+			});
+			element.appendChild(element_group);
+		} else if (!isObject(opt_key)) {
+			// if this is a plain element, attach as is
+			// we also skip any objects in the reference order group as they are handled different
+			element_sub = document.createElement('option');
+			element_sub.label = opt_value;
+			element_sub.value = opt_key;
+			element_sub.innerHTML = opt_value;
+			element.appendChild(element_sub);
+		}
+
+		 */
 	}
 	// if with select part, convert to text
 	if (!options_only) {

www/layout/admin/javascript/edit.js

@@ -1 +1 @@
-edit.pt.js
+edit.jq.js

www/layout/admin/javascript/edit.pt.js

@@ -176,7 +176,7 @@ function setCenter(id, left, top)
 	var viewport = getWindowSize();
 	var offset = getScrollOffset();
 
-	console.log('Id %s, type: %s, dimensions %s x %s, viewport %s x %s', id, type, dimensions.width, dimensions.height, viewport.width, viewport.height);
+	// console.log('Id %s, type: %s, dimensions %s x %s, viewport %s x %s', id, type, dimensions.width, dimensions.height, viewport.width, viewport.height);
 	// console.log('Scrolloffset left: %s, top: %s', offset.left, offset.top);
 	// console.log('Left: %s, Top: %s (%s)', parseInt((viewport.width / 2) - (dimensions.width / 2) + offset.left), parseInt((viewport.height / 2) - (dimensions.height / 2) + offset.top), parseInt((viewport.height / 2) - (dimensions.height / 2)));
 	if (left) {
@@ -201,8 +201,7 @@ function setCenter(id, left, top)
 function goToPos(element, offset = 0)
 {
 	try {
-		if ($(element))
-		{
+		if ($(element)) {
 			// get the element pos
 			var pos = $(element).cumulativeOffset();
 			// if not top element and no offset given, set auto offset for top element
@@ -485,7 +484,7 @@ function actionIndicator(loc = '')
  */
 function actionIndicatorShow(loc = '')
 {
-	console.log('Indicator: SHOW [%s]', loc);
+	// console.log('Indicator: SHOW [%s]', loc);
 	$('indicator').addClassName('progress');
 	setCenter('indicator', true, true);
 	$('indicator').show();
@@ -499,14 +498,14 @@ function actionIndicatorShow(loc = '')
  */
 function actionIndicatorHide(loc = '')
 {
-	console.log('Indicator: HIDE [%s]', loc);
+	// console.log('Indicator: HIDE [%s]', loc);
 	$('indicator').hide();
 	$('indicator').removeClassName('progress');
 	overlayBoxHide();
 }
 
 /**
- * shows the overlay box
+ * shows the overlay box or if already visible, bumps the zIndex to 100
  */
 function overlayBoxShow()
 {
@@ -519,7 +518,7 @@ function overlayBoxShow()
 }
 
 /**
- * hides the overlay box
+ * hides the overlay box or if zIndex is 100 bumps it down to previous level
  */
 function overlayBoxHide()
 {
@@ -544,6 +543,16 @@ function setOverlayBox()
 	$('overlayBox').show();
 }
 
+/**
+ * opposite of set, always hides overlay box
+ */
+function hideOverlayBox()
+{
+	if ($('overlayBox').visible()) {
+		$('overlayBox').hide();
+	}
+}
+
 /**
  * the abort call, clears the action box and hides it and the overlay box
  */
@@ -618,6 +627,21 @@ function aelx(base, ...attach)
 	return base;
 }
 
+/**
+ * same as aelx, but instead of using objects as parameters
+ * get an array of objects to attach
+ * @param  {Object} base   object to where we attach the elements
+ * @param  {Array}  attach array of objects to attach
+ * @return {Object}        "none", technically there is no return needed, global attach
+ */
+function aelxar(base, attach)
+{
+	attach.each(function(t) {
+		base.sub.push(Object.assign({}, t));
+	});
+	return base;
+}
+
 /**
  * resets the sub elements of the base element given
  * @param  {Object} base cel created element

www/layout/admin/javascript/flatpickr/flatpickr.ja.js

@@ -53,7 +53,8 @@
           ]
       },
       time_24hr: true,
-      rangeSeparator: ' から '
+      rangeSeparator: " から ",
+      firstDayOfWeek: 1
   };
   fp.l10ns.ja = Japanese;
   var ja = fp.l10ns;

www/lib/CoreLibs/ACL/Login.php

@@ -114,16 +114,15 @@ class Login extends \CoreLibs\DB\IO
 
 	/**
 	 * constructor, does ALL, opens db, works through connection checks, closes itself
-	 * @param array  $db_config        db config array
-	 * @param int    $set_control_flag class variable check flags
+	 * @param array $db_config db config array
 	 */
-	public function __construct(array $db_config, int $set_control_flag = 0)
+	public function __construct(array $db_config)
 	{
 		// log login data for this class only
 		$this->log_per_class = 1;
 
 		// create db connection and init base class
-		parent::__construct($db_config, $set_control_flag);
+		parent::__construct($db_config);
 		if ($this->db_init_error === true) {
 			echo 'Could not connect to DB<br>';
 			// if I can't connect to the DB to auth exit hard. No access allowed
@@ -161,8 +160,7 @@ class Login extends \CoreLibs\DB\IO
 
 		// if we have a search path we need to set it, to use the correct DB to login
 		// check what schema to use. if there is a login schema use this, else check if there is a schema set in the config, or fall back to DB_SCHEMA if this exists, if this also does not exists use public schema
-		if (defined('LOGIN_DB_SCHEMA')) {
-			/** @phan-suppress-next-line PhanUndeclaredConstant */
+		if (defined('LOGIN_DB_SCHEMA') && LOGIN_DB_SCHEMA) {
 			$SCHEMA = LOGIN_DB_SCHEMA;
 		} elseif (isset($db_config['db_schema']) && $db_config['db_schema']) {
 			$SCHEMA = $db_config['db_schema'];
@@ -598,7 +596,7 @@ class Login extends \CoreLibs\DB\IO
 			// unset mem limit if debug is set to 1
 			// if (($GLOBALS["DEBUG_ALL"] || $GLOBALS["DB_DEBUG"] || $_SESSION["DEBUG_ALL"] || $_SESSION["DB_DEBUG"]) && ini_get('memory_limit') != -1)
 			// 	ini_set('memory_limit', -1);
-			if ($res['filename'] == $this->page_name) {
+			if (isset($res['filename']) && $res['filename'] == $this->page_name) {
 				$this->permission_okay = true;
 			} else {
 				$this->login_error = 103;

www/lib/CoreLibs/Admin/Backend.php

@@ -68,17 +68,16 @@ class Backend extends \CoreLibs\DB\IO
 	// CONSTRUCTOR / DECONSTRUCTOR |====================================>
 	/**
 	 * main class constructor
-	 * @param array       $db_config        db config array
-	 * @param int|integer $set_control_flag class variable check flag
+	 * @param array $db_config db config array
 	 */
-	public function __construct(array $db_config, int $set_control_flag = 0)
+	public function __construct(array $db_config)
 	{
 		$this->setLangEncoding();
 		// get the language sub class & init it
 		$this->l = new \CoreLibs\Language\L10n($this->lang);
 
 		// init the database class
-		parent::__construct($db_config, $set_control_flag);
+		parent::__construct($db_config);
 
 		// set the action ids
 		foreach ($this->action_list as $_action) {
@@ -169,8 +168,7 @@ class Backend extends \CoreLibs\DB\IO
 		}
 
 		// check schema
-		if (defined('LOGIN_DB_SCHEMA')) {
-			/** @phan-suppress-next-line PhanUndeclaredConstant */
+		if (defined('LOGIN_DB_SCHEMA') && LOGIN_DB_SCHEMA) {
 			$SCHEMA = LOGIN_DB_SCHEMA;
 		} elseif ($this->dbGetSchema()) {
 			$SCHEMA = $this->dbGetSchema();
@@ -256,7 +254,6 @@ class Backend extends \CoreLibs\DB\IO
 						$type = 'popup';
 					} else {
 						$type = 'normal';
-						/** @phan-suppress-next-line PhanTypeArraySuspicious */
 						$data['popup'] = 0;
 					}
 					$query_string = '';
@@ -342,6 +339,7 @@ class Backend extends \CoreLibs\DB\IO
 		if ($filename === null) {
 			return $enabled;
 		}
+		/** @phan-suppress-next-line PhanNoopSwitchCases */
 		switch ($filename) {
 			default:
 				$enabled = true;
@@ -443,8 +441,7 @@ class Backend extends \CoreLibs\DB\IO
 		string $associate = null,
 		string $file = null
 	): void {
-		if (defined('GLOBAL_DB_SCHEMA')) {
-			/** @phan-suppress-next-line PhanUndeclaredConstant */
+		if (defined('GLOBAL_DB_SCHEMA') && GLOBAL_DB_SCHEMA) {
 			$SCHEMA = GLOBAL_DB_SCHEMA;
 		} elseif ($this->dbGetSchema()) {
 			$SCHEMA = $this->dbGetSchema();

www/lib/CoreLibs/Basic.php

@@ -188,19 +188,11 @@ class Basic
 	// ajax flag
 	protected $ajax_page_flag = false;
 
-	// METHOD: __construct
-	// PARAMS: set_control_flag [current sets set/get var errors]
-	// RETURN: none
-	// DESC  : class constructor
 	/**
 	 * main Basic constructor to init and check base settings
-	 * @param int $set_control_flag 0/1/2/3 to set internal class parameter check
 	 */
-	public function __construct(int $set_control_flag = 0)
+	public function __construct()
 	{
-		// init flags
-		$this->__setControlFlag($set_control_flag);
-
 		// set per run UID for logging
 		$this->running_uid = hash($this->hash_algo, uniqid((string)rand(), true));
 		// running time start for script
@@ -425,81 +417,6 @@ class Basic
 		// $this->fdebugFP('c');
 	}
 
-	// *************************************************************
-	// INTERAL VARIABLE ERROR HANDLER
-	// *************************************************************
-
-	/**
-	 * sets internal control flags for class variable check
-	 * 0 -> turn of all, works like default php class
-	 * CLASS_STRICT_MODE: 1 -> if set throws error on unset class variable
-	 * CLASS_OFF_COMPATIBLE_MODE: 2 -> if set turns of auto set for unset variables
-	 * 3 -> sets error on unset and does not set variable (strict)
-	 * @param  int    $set_control_flag control flag as 0/1/2/3
-	 * @return void
-	 */
-	private function __setControlFlag(int $set_control_flag): void
-	{
-		// is there either a constant or global set to override the control flag
-		if (defined('CLASS_VARIABLE_ERROR_MODE')) {
-			$set_control_flag = CLASS_VARIABLE_ERROR_MODE;
-		}
-		if (isset($GLOBALS['CLASS_VARIABLE_ERROR_MODE'])) {
-			$set_control_flag = $GLOBALS['CLASS_VARIABLE_ERROR_MODE'];
-		}
-		// bit wise check of int and set
-		if ($set_control_flag & self::CLASS_OFF_COMPATIBLE_MODE) {
-			$this->set_compatible = false;
-		} else {
-			$this->set_compatible = true;
-		}
-		if ($set_control_flag & self::CLASS_STRICT_MODE) {
-			$this->set_strict_mode = true;
-		} else {
-			$this->set_strict_mode = false;
-		}
-	}
-
-	/**
-	 * if strict mode is set, throws an error if the class variable is not set
-	 * if compatible mode is set, also auto sets variable even if not declared
-	 * default is strict mode false and compatible mode on
-	 * @param  mixed $name  class variable name
-	 * @return void
-	 */
-	public function __set($name, $value): void
-	{
-		if ($this->set_strict_mode === true && !property_exists($this, $name)) {
-			trigger_error('Undefined property via __set(): '.$name, E_USER_NOTICE);
-		}
-		// use this for fallback as to work like before to set unset
-		if ($this->set_compatible === true) {
-			$this->{$name} = $value;
-		}
-	}
-
-	/**
-	 * if strict mode is set, throws an error if the class variable is not set
-	 * default is strict mode false
-	 * @param  mixed $name class variable name
-	 * @return mixed       return set variable content
-	 */
-	public function &__get($name)
-	{
-		if ($this->set_strict_mode === true && !property_exists($this, $name)) {
-			trigger_error('Undefined property via __get(): '.$name, E_USER_NOTICE);
-		}
-		// on set return
-		if (property_exists($this, $name)) {
-			return $this->$name;
-		} elseif ($this->set_compatible === true && !property_exists($this, $name)) {
-			// if it is not set, and we are in compatible mode we need to init.
-			// This is so that $class->array['key'] = 'bar'; works
-			$this->{$name} = null;
-			return $this->$name;
-		}
-	}
-
 	// *************************************************************
 	// GENERAL METHODS
 	// *************************************************************
@@ -866,64 +783,64 @@ class Basic
 	 */
 	private function writeErrorMsg(string $level, string $error_string): void
 	{
-		if ($this->doDebugTrigger('debug', $level)) {
-			// only write if write is requested
-			if ($this->doDebugTrigger('print', $level)) {
-				// replace all html tags
-				// $error_string = preg_replace("/(<\/?)(\w+)([^>]*>)/", "##\\2##", $error_string);
-				// $error_string = preg_replace("/(<\/?)(\w+)([^>]*>)/", "", $error_string);
-				// replace special line break tag
-				// $error_string = str_replace('<!--#BR#-->', "\n", $error_string);
+		// only write if write is requested
+		if ($this->doDebugTrigger('debug', $level) &&
+			$this->doDebugTrigger('print', $level)
+		) {
+			// replace all html tags
+			// $error_string = preg_replace("/(<\/?)(\w+)([^>]*>)/", "##\\2##", $error_string);
+			// $error_string = preg_replace("/(<\/?)(\w+)([^>]*>)/", "", $error_string);
+			// replace special line break tag
+			// $error_string = str_replace('<!--#BR#-->', "\n", $error_string);
 
-				// init output variable
-				$output = $error_string; // output formated error string to output file
-				// init base file path
-				$fn = BASE.LOG.$this->log_print_file.'.'.$this->log_file_name_ext;
-				// log ID prefix settings, if not valid, replace with empty
-				if (preg_match("/^[A-Za-z0-9]+$/", $this->log_file_id)) {
-					$rpl_string = '_'.$this->log_file_id;
-				} else {
-					$rpl_string = '';
+			// init output variable
+			$output = $error_string; // output formated error string to output file
+			// init base file path
+			$fn = BASE.LOG.$this->log_print_file.'.'.$this->log_file_name_ext;
+			// log ID prefix settings, if not valid, replace with empty
+			if (preg_match("/^[A-Za-z0-9]+$/", $this->log_file_id)) {
+				$rpl_string = '_'.$this->log_file_id;
+			} else {
+				$rpl_string = '';
+			}
+			$fn = str_replace('##LOGID##', $rpl_string, $fn); // log id (like a log file prefix)
+
+			if ($this->log_per_run) {
+				if (isset($GLOBALS['LOG_FILE_UNIQUE_ID'])) {
+					$this->log_file_unique_id = $GLOBALS['LOG_FILE_UNIQUE_ID'];
 				}
-				$fn = str_replace('##LOGID##', $rpl_string, $fn); // log id (like a log file prefix)
-
-				if ($this->log_per_run) {
-					if (isset($GLOBALS['LOG_FILE_UNIQUE_ID'])) {
-						$this->log_file_unique_id = $GLOBALS['LOG_FILE_UNIQUE_ID'];
-					}
-					if (!$this->log_file_unique_id) {
-						$GLOBALS['LOG_FILE_UNIQUE_ID'] = $this->log_file_unique_id = date('Y-m-d_His').'_U_'.substr(hash('sha1', uniqid((string)mt_rand(), true)), 0, 8);
-					}
-					$rpl_string = '_'.$this->log_file_unique_id; // add 8 char unique string
-				} else {
-					$rpl_string = !$this->log_print_file_date ? '' : '_'.date('Y-m-d'); // add date to file
+				if (!$this->log_file_unique_id) {
+					$GLOBALS['LOG_FILE_UNIQUE_ID'] = $this->log_file_unique_id = date('Y-m-d_His').'_U_'.substr(hash('sha1', uniqid((string)mt_rand(), true)), 0, 8);
 				}
-				$fn = str_replace('##DATE##', $rpl_string, $fn); // create output filename
+				$rpl_string = '_'.$this->log_file_unique_id; // add 8 char unique string
+			} else {
+				$rpl_string = !$this->log_print_file_date ? '' : '_'.date('Y-m-d'); // add date to file
+			}
+			$fn = str_replace('##DATE##', $rpl_string, $fn); // create output filename
 
-				$rpl_string = !$this->log_per_level ? '' : '_'.$level; // if request to write to one file
-				$fn = str_replace('##LEVEL##', $rpl_string, $fn); // create output filename
+			$rpl_string = !$this->log_per_level ? '' : '_'.$level; // if request to write to one file
+			$fn = str_replace('##LEVEL##', $rpl_string, $fn); // create output filename
 
-				$rpl_string = !$this->log_per_class ? '' : '_'.str_replace('\\', '-', get_class($this)); // set sub class settings
-				$fn = str_replace('##CLASS##', $rpl_string, $fn); // create output filename
+			$rpl_string = !$this->log_per_class ? '' : '_'.str_replace('\\', '-', get_class($this)); // set sub class settings
+			$fn = str_replace('##CLASS##', $rpl_string, $fn); // create output filename
 
-				$rpl_string = !$this->log_per_page ? '' : '_'.$this->getPageName(1); // if request to write to one file
-				$fn = str_replace('##PAGENAME##', $rpl_string, $fn); // create output filename
+			$rpl_string = !$this->log_per_page ? '' : '_'.$this->getPageName(1); // if request to write to one file
+			$fn = str_replace('##PAGENAME##', $rpl_string, $fn); // create output filename
 
-				// write to file
-				// first check if max file size is is set and file is bigger
-				if ($this->log_max_filesize > 0 && ((filesize($fn) / 1024) > $this->log_max_filesize)) {
-					// for easy purpose, rename file only to attach timestamp, nur sequence numbering
-					rename($fn, $fn.'.'.date("YmdHis"));
-				}
-				$fp = fopen($fn, 'a');
-				if ($fp !== false) {
-					fwrite($fp, $output);
-					fclose($fp);
-				} else {
-					echo "<!-- could not open file: $fn //-->";
-				}
-			} // do write to file
-		}
+			// write to file
+			// first check if max file size is is set and file is bigger
+			if ($this->log_max_filesize > 0 && ((filesize($fn) / 1024) > $this->log_max_filesize)) {
+				// for easy purpose, rename file only to attach timestamp, nur sequence numbering
+				rename($fn, $fn.'.'.date("YmdHis"));
+			}
+			$fp = fopen($fn, 'a');
+			if ($fp !== false) {
+				fwrite($fp, $output);
+				fclose($fp);
+			} else {
+				echo "<!-- could not open file: $fn //-->";
+			}
+		} // do write to file
 	}
 
 	/**
@@ -1808,6 +1725,7 @@ class Basic
 	 */
 	public static function stringByteFormat($number, bool $dot_thousand = false)
 	{
+		$matches = [];
 		// detects up to exo bytes
 		preg_match("/([\d.,]*)\s?(eb|pb|tb|gb|mb|kb|e|p|t|g|m|k|b)$/", strtolower($number), $matches);
 		if (isset($matches[1]) && isset($matches[2])) {
@@ -2181,6 +2099,8 @@ class Basic
 			}
 			// if type is not in the list, but returns as PDF, we need to convert to JPEG before
 			if (!$type)	{
+				$output = [];
+				$return = null;
 				// is this a PDF, if no, return from here with nothing
 				$convert_prefix = 'png:';
 				# TEMP convert to PNG, we then override the file name
@@ -2562,17 +2482,33 @@ class Basic
 	}
 
 	/**
-	 * detects the source encoding of the string and if doesn't match to the given target encoding it convert is
+	 * detects the source encoding of the string and if doesn't match
+	 * to the given target encoding it convert is
+	 * if source encoding is set and auto check is true (default) a second
+	 * check is done so that the source string encoding actually matches
+	 * will be skipped if source encoding detection is ascii
 	 * @param  string $string          string to convert
 	 * @param  string $to_encoding     target encoding
 	 * @param  string $source_encoding optional source encoding, will try to auto detect
+	 * @param  bool   $auto_check      default true, if source encoding is set
+	 *                                 check that the source is actually matching
+	 *                                 to what we sav the source is
 	 * @return string                  encoding converted string
 	 */
-	public static function convertEncoding(string $string, string $to_encoding, string $source_encoding = ''): string
+	public static function convertEncoding(string $string, string $to_encoding, string $source_encoding = '', bool $auto_check = true): string
 	{
 		// set if not given
 		if (!$source_encoding) {
 			$source_encoding = mb_detect_encoding($string);
+		} else {
+			$_source_encoding = mb_detect_encoding($string);
+		}
+		if ($auto_check === true &&
+			isset($_source_encoding) &&
+			$_source_encoding == $source_encoding
+		) {
+			// trigger check if we have override source encoding.
+			// if different (_source is all but not ascii) then trigger skip if matching
 		}
 		if ($source_encoding != $to_encoding) {
 			if ($source_encoding) {

www/lib/CoreLibs/DB/Extended/ArrayIO.php

@@ -51,15 +51,14 @@ class ArrayIO extends \CoreLibs\DB\IO
 	/**
 	 * constructor for the array io class, set the
 	 * primary key name automatically (from array)
-	 * @param array       $db_config        db connection config
-	 * @param array       $table_array      table array config
-	 * @param string      $table_name       table name string
-	 * @param int|integer $set_control_flag set basic class set/get variable error flags
+	 * @param array  $db_config   db connection config
+	 * @param array  $table_array table array config
+	 * @param string $table_name  table name string
 	 */
-	public function __construct(array $db_config, array $table_array, string $table_name, int $set_control_flag = 0)
+	public function __construct(array $db_config, array $table_array, string $table_name)
 	{
 		// instance db_io class
-		parent::__construct($db_config, $set_control_flag);
+		parent::__construct($db_config);
 		// more error vars for this class
 		$this->error_string['91'] = 'No Primary Key given';
 		$this->error_string['92'] = 'Could not run Array Query';

www/lib/CoreLibs/DB/IO.php

@@ -128,13 +128,13 @@
 *	  - returns an hashed array of table column data
 *	function db_prepare($stm_name, $query)
 *     - prepares a query with the given stm name, returns false on error
-*   function db_execute($stm_name, $data = array())
+*   function db_execute($stm_name, $data = [])
 *     - execute a query that was previously prepared
 *   $string db_escape_string($string)
 *     - correctly escapes string for db insert
 *   $string db_boolean(string)
 *     - if the string value is 't' or 'f' it returns correct TRUE/FALSE for php
-*   $primary_key db_write_data($write_array, $not_write_array, $primary_key, $table, $data = array())
+*   $primary_key db_write_data($write_array, $not_write_array, $primary_key, $table, $data = [])
 *     - writes into one table based on arrays of columns to write and not write, reads data from global vars or optional array
 *   $boolean db_set_schema(schema)
 *     - sets search path to a schema
@@ -270,7 +270,7 @@ class IO extends \CoreLibs\Basic
 	public $cursor; // actual cursor (DBH)
 	public $num_rows; // how many rows have been found
 	public $num_fields; // how many fields has the query
-	public $field_names = array(); // array with the field names of the current query
+	public $field_names = []; // array with the field names of the current query
 	public $insert_id; // last inserted ID
 	public $insert_id_ext; // extended insert ID (for data outside only primary key)
 	private $temp_sql;
@@ -288,14 +288,15 @@ class IO extends \CoreLibs\Basic
 
 	// endless loop protection
 	private $MAX_QUERY_CALL;
-	private $query_called = array();
+	private $DEFAULT_MAX_QUERY_CALL = 20; // default
+	private $query_called = [];
 	// error string
-	protected $error_string = array();
+	protected $error_string = [];
 	// prepared list
-	public $prepare_cursor = array();
+	public $prepare_cursor = [];
 	// primary key per table list
 	// format is 'table' => 'pk_name'
-	public $pk_name_table = array();
+	public $pk_name_table = [];
 	// internal primary key name, for cross calls in async
 	public $pk_name;
 	// if we use RETURNING in the INSERT call
@@ -306,15 +307,14 @@ class IO extends \CoreLibs\Basic
 	/**
 	 * main DB concstructor with auto connection to DB and failure set on failed connection
 	 * @param array $db_config        DB configuration array
-	 * @param int   $set_control_flag 0/1/2/3 to set internal class parameter check
 	 */
-	public function __construct(array $db_config, int $set_control_flag = 0)
+	public function __construct(array $db_config)
 	{
 		// start basic class
-		parent::__construct($set_control_flag);
+		parent::__construct();
 		// dummy init array for db config if not array
 		if (!is_array($db_config)) {
-			$db_config = array();
+			$db_config = [];
 		}
 		// sets the names (for connect/reconnect)
 		$this->db_name = $db_config['db_name'] ?? '';
@@ -357,6 +357,8 @@ class IO extends \CoreLibs\Basic
 		$this->error_string['40'] = 'Query async call failed.';
 		$this->error_string['41'] = 'Connection is busy with a different query. Cannot execute.';
 		$this->error_string['42'] = 'Cannot check for async query, none has been started yet.';
+		$this->error_string['50'] = 'Setting max query call to -1 will disable loop protection for all subsequent runs';
+		$this->error_string['51'] = 'Max query call needs to be set to at least 1';
 
 		// set debug, either via global var, or debug var during call
 		$this->db_debug = false;
@@ -508,7 +510,7 @@ class IO extends \CoreLibs\Basic
 	{
 		$string = '';
 		if (!is_array($array)) {
-			$array = array();
+			$array = [];
 		}
 		foreach ($array as $key => $value) {
 			$string .= $this->nbsp.'<b>'.$key.'</b> => ';
@@ -614,7 +616,7 @@ class IO extends \CoreLibs\Basic
 	 * @param  array  $data     the data array
 	 * @return string           string of query with data inside
 	 */
-	private function __dbDebugPrepare(string $stm_name, array $data = array()): string
+	private function __dbDebugPrepare(string $stm_name, array $data = []): string
 	{
 		// get the keys from data array
 		$keys = array_keys($data);
@@ -633,6 +635,7 @@ class IO extends \CoreLibs\Basic
 	 */
 	private function __dbReturnTable(string $query): array
 	{
+		$matches = [];
 		if (preg_match("/^SELECT /i", $query)) {
 			preg_match("/ (FROM) (([\w_]+)\.)?([\w_]+) /i", $query, $matches);
 		} else {
@@ -655,6 +658,7 @@ class IO extends \CoreLibs\Basic
 	 */
 	private function __dbPrepareExec(string $query, string $pk_name)
 	{
+		$matches= [];
 		// to either use the returning method or the guess method for getting primary keys
 		$this->returning_id = false;
 		// set the query
@@ -729,7 +733,10 @@ class IO extends \CoreLibs\Basic
 			$this->query_called[$md5] = 0;
 		}
 		// count up the run, if this is run more than the max_run then exit with error
-		if ($this->query_called[$md5] > $this->MAX_QUERY_CALL) {
+		// if set to -1, then ignore it
+		if ($this->MAX_QUERY_CALL != -1 &&
+			$this->query_called[$md5] > $this->MAX_QUERY_CALL
+		) {
 				$this->error_id = 30;
 				$this->__dbError();
 				$this->__dbDebug('db', $this->query, 'dbExec', 'Q[nc]');
@@ -765,7 +772,7 @@ class IO extends \CoreLibs\Basic
 				// count the fields
 				$this->num_fields = $this->db_functions->__dbNumFields($this->cursor);
 				// set field names
-				$this->field_names = array();
+				$this->field_names = [];
 				for ($i = 0; $i < $this->num_fields; $i ++) {
 					$this->field_names[] = $this->db_functions->__dbFieldName($this->cursor, $i);
 				}
@@ -781,8 +788,8 @@ class IO extends \CoreLibs\Basic
 					if (!$this->returning_id) {
 						$this->insert_id = $this->db_functions->__dbInsertId($this->query, $this->pk_name);
 					} else {
-						$this->insert_id = array();
-						$this->insert_id_ext = array();
+						$this->insert_id = [];
+						$this->insert_id_ext = [];
 						// echo "** PREPARE RETURNING FOR CURSOR: ".$this->cursor."<br>";
 						// we have returning, now we need to check if we get one or many returned
 						// we'll need to loop this, if we have multiple insert_id returns
@@ -855,6 +862,52 @@ class IO extends \CoreLibs\Basic
 		return $this->db_debug;
 	}
 
+	/**
+	 * set max query calls, set to --1 to disable loop
+	 * protection. this will generate a warning
+	 * empty call (null) will reset to default
+	 * @param  int|null $max_calls Set the max loops allowed
+	 * @return bool                True for succesfull set
+	 */
+	public function dbSetMaxQueryCall(?int $max_calls = null): bool
+	{
+		$success = false;
+		// if null then reset to default
+		if ($max_calls === null) {
+			$max_calls = $this->DEFAULT_MAX_QUERY_CALL;
+		}
+		// if -1 then disable loop check
+		// DANGEROUS, WARN USER
+		if ($max_calls == -1) {
+			$this->warning_id = 50;
+			$this->__dbError();
+		}
+		// negative or 0
+		if ($max_calls < -1 || $max_calls == 0) {
+			$this->error_id = 51;
+			$this->__dbError();
+			// early abort
+			return false;
+		}
+		// ok entry, set
+		if ($max_calls == -1 ||
+			$max_calls > 0
+		) {
+			$this->MAX_QUERY_CALL = $max_calls;
+			$succes = true;
+		}
+		return $success;
+	}
+
+	/**
+	 * returns current set max query calls for loop avoidance
+	 * @return int Integer number, if -1 the loop check is disabled
+	 */
+	public function dbGetMaxQueryCall(): int
+	{
+		return $this->MAX_QUERY_CALL;
+	}
+
 	/**
 	 * resets the call times for the max query called to 0
 	 * USE CAREFULLY: rather make the query prepare -> execute
@@ -1157,7 +1210,7 @@ class IO extends \CoreLibs\Basic
 					$return = false;
 				} else {
 					// unset return value ...
-					$return = array();
+					$return = [];
 					for ($i = 0; $i < $this->cursor_ext[$md5]['num_fields']; $i ++) {
 						// create mixed return array
 						if ($assoc_only === false && isset($this->cursor_ext[$md5]['data'][$this->cursor_ext[$md5]['pos']][$i])) {
@@ -1193,7 +1246,7 @@ class IO extends \CoreLibs\Basic
 					$this->cursor_ext[$md5]['read_rows'] ++;
 					// if reset is <3 caching is done, else no
 					if ($reset < 3) {
-						$temp = array();
+						$temp = [];
 						foreach ($return as $field_name => $data) {
 							$temp[$field_name] = $data;
 						}
@@ -1383,9 +1436,9 @@ class IO extends \CoreLibs\Basic
 			return false;
 		}
 		$cursor = $this->dbExec($query);
-		$rows = array();
+		$rows = [];
 		while ($res = $this->dbFetchArray($cursor, $assoc_only)) {
-			$data = array();
+			$data = [];
 			for ($i = 0; $i < $this->num_fields; $i ++) {
 				$data[$this->field_names[$i]] = $res[$this->field_names[$i]];
 			}
@@ -1454,6 +1507,7 @@ class IO extends \CoreLibs\Basic
 	 */
 	public function dbPrepare(string $stm_name, string $query, string $pk_name = '')
 	{
+		$matches = [];
 		if (!$query) {
 			$this->error_id = 11;
 			$this->__dbError();
@@ -1507,6 +1561,7 @@ class IO extends \CoreLibs\Basic
 					$this->prepare_cursor[$stm_name]['pk_name'] = $pk_name;
 				}
 			}
+			$match = [];
 			// search for $1, $2, in the query and push it into the control array
 			preg_match_all('/(\$[0-9]{1,})/', $query, $match);
 			$this->prepare_cursor[$stm_name]['count'] = count($match[1]);
@@ -1534,7 +1589,7 @@ class IO extends \CoreLibs\Basic
 	 * @param  array         $data     data to run for this query, empty array for none
 	 * @return ?mixed                  false on error, or result on OK
 	 */
-	public function dbExecute(string $stm_name, array $data = array())
+	public function dbExecute(string $stm_name, array $data = [])
 	{
 		// if we do not have no prepare cursor array entry for this statement name, abort
 		if (!is_array($this->prepare_cursor[$stm_name])) {
@@ -1569,8 +1624,8 @@ class IO extends \CoreLibs\Basic
 				if (!$this->prepare_cursor[$stm_name]['returning_id']) {
 					$this->insert_id = $this->db_functions->__dbInsertId($this->prepare_cursor[$stm_name]['query'], $this->prepare_cursor[$stm_name]['pk_name']);
 				} elseif ($result) {
-					$this->insert_id = array();
-					$this->insert_id_ext = array();
+					$this->insert_id = [];
+					$this->insert_id_ext = [];
 					// we have returning, now we need to check if we get one or many returned
 					// we'll need to loop this, if we have multiple insert_id returns
 					while ($_insert_id = $this->db_functions->__dbFetchArray(
@@ -1665,6 +1720,7 @@ class IO extends \CoreLibs\Basic
 	 */
 	public function dbCompareVersion(string $compare): bool
 	{
+		$matches = [];
 		// compare has =, >, < prefix, and gets stripped, if the rest is not X.Y format then error
 		preg_match("/^([<>=]{1,})(\d{1,})\.(\d{1,})/", $compare, $matches);
 		$compare = $matches[1];
@@ -1760,18 +1816,18 @@ class IO extends \CoreLibs\Basic
 	 * @param  array    $data            data array to override _POST data
 	 * @return int|bool                  primary key
 	 */
-	public function dbWriteData(array $write_array, array $not_write_array, $primary_key, string $table, $data = array())
+	public function dbWriteData(array $write_array, array $not_write_array, $primary_key, string $table, $data = [])
 	{
 		if (!is_array($write_array)) {
-			$write_array = array();
+			$write_array = [];
 		}
 		if (!is_array($not_write_array)) {
-			$not_write_array = array();
+			$not_write_array = [];
 		}
 		if (is_array($table)) {
 			return false;
 		}
-		$not_write_update_array = array();
+		$not_write_update_array = [];
 		return $this->dbWriteDataExt($write_array, $primary_key, $table, $not_write_array, $not_write_update_array, $data);
 	}
 
@@ -1792,9 +1848,9 @@ class IO extends \CoreLibs\Basic
 		array $write_array,
 		$primary_key,
 		string $table,
-		array $not_write_array = array(),
-		array $not_write_update_array = array(),
-		array $data = array()
+		array $not_write_array = [],
+		array $not_write_update_array = [],
+		array $data = []
 	) {
 		if (!is_array($primary_key)) {
 			$primary_key = array(
@@ -1909,10 +1965,10 @@ class IO extends \CoreLibs\Basic
 	 */
 	public function dbTimeFormat(string $age, bool $show_micro = false): string
 	{
+		$matches = [];
 		// in string (datetime diff): 1786 days 22:11:52.87418
 		// or (age): 4 years 10 mons 21 days 12:31:11.87418
 		// also -09:43:54.781021 or without - prefix
-
 		preg_match("/(.*)?(\d{2}):(\d{2}):(\d{2})(\.(\d+))/", $age, $matches);
 
 		$prefix = $matches[1] != '-' ? $matches[1] : '';
@@ -1931,16 +1987,10 @@ class IO extends \CoreLibs\Basic
 	 */
 	public function dbArrayParse(string $text): array
 	{
-		$output = array();
+		$output = [];
 		return $this->db_functions->__dbArrayParse($text, $output);
 	}
 
-	// METHOD: dbSqlEscape
-	// WAS   : db_sql_escape
-	// PARAMS: value -> to escape data
-	//          kbn -> escape trigger type
-	// RETURN: escaped value
-	// DESC  : clear up any data for valid DB insert
 	/**
 	 * clear up any data for valid DB insert
 	 * @param  int|float|string $value to escape data
@@ -1968,6 +2018,60 @@ class IO extends \CoreLibs\Basic
 		}
 		return $value;
 	}
+
+	/**
+	 * return current set insert_id as is
+	 * @return string|int|null Primary key value, most likely int
+	 *                         Empty string for unset
+	 *                         Null for error
+	 */
+	public function getInsertPK()
+	{
+		return $this->insert_id;
+	}
+
+	/**
+	 * return the extended insert return string set
+	 * Most likely Array
+	 * @param  string|null       $key Optional key for insert_id_ext array
+	 *                                if found will return only this element,
+	 *                                else will return null
+	 * @return array|string|null      RETURNING values as array
+	 *                                Empty string for unset
+	 *                                Null for error
+	 */
+	public function getInsertReturn($key = null)
+	{
+		if ($key !== null) {
+			if (isset($this->insert_id_ext[$key])) {
+				return $this->insert_id_ext[$key];
+			} else {
+				return null;
+			}
+		}
+		return $this->insert_id_ext;
+	}
+
+	/**
+	 * returns the full array for cursor ext
+	 * @param  string|null $q Query string, if not null convert to md5
+	 *                        and return set cursor ext for only this
+	 *                        if not found or null return null
+	 * @return array|nul      Cursor Extended array
+	 *                        Key is md5 string from query run
+	 */
+	public function getCursorExt($q = null)
+	{
+		if ($q !== null) {
+			$q_md5 = md5($q);
+			if (isset($this->cursor_ext[$q_md5])) {
+				return $this->cursor_ext[$q_md5];
+			} else {
+				return null;
+			}
+		}
+		return $this->cursor_ext;
+	}
 } // end if db class
 
 // __END__

www/lib/CoreLibs/DB/SQL/PgSQL.php

@@ -311,7 +311,7 @@ class PgSQL
 			$q .= "AND indisprimary";
 			$cursor = $this->__dbQuery($q);
 			if ($cursor) {
-				return $this->__dbFetchArray($cursor)['column_name'];
+				return $this->__dbFetchArray($cursor)['column_name'] ?? false;
 			} else {
 				return false;
 			}

www/lib/CoreLibs/Language/L10n.php

@@ -37,13 +37,13 @@ class L10n extends \CoreLibs\Basic
 
 	/**
 	 * class constructor call for language getstring
-	 * @param string      $lang             language name (optional), fallback is en
-	 * @param string      $path             path, if empty fallback on default internal path
-	 * @param int|integer $set_control_flag control flags for Basic class set/get checks
+	 * @param string $lang language name (optional), fallback is en
+	 * @param string $path path, if empty fallback on default internal path
 	 */
-	public function __construct(string $lang = '', string $path = '', int $set_control_flag = 0)
+	public function __construct(string $lang = '', string $path = ''
+)
 	{
-		parent::__construct($set_control_flag);
+		parent::__construct();
 		if (!$lang) {
 			$this->lang = 'en';
 		} else {

www/lib/CoreLibs/Output/Form/Generate.php

@@ -255,11 +255,10 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 
 	/**
 	 * construct form generator
-	 * @param array       $db_config        db config array
-	 * @param int|integer $table_width      table/div width (default 750)
-	 * @param int|integer $set_control_flag basic class set/get variable error flags
+	 * @param array       $db_config   db config array
+	 * @param int|integer $table_width table/div width (default 750)
 	 */
-	public function __construct(array $db_config, int $table_width = 750, int $set_control_flag = 0)
+	public function __construct(array $db_config, int $table_width = 750)
 	{
 		$this->my_page_name = $this->getPageName(1);
 		$this->setLangEncoding();
@@ -289,7 +288,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 		}
 
 		// start the array_io class which will start db_io ...
-		parent::__construct($db_config, $config_array['table_array'], $config_array['table_name'], $set_control_flag);
+		parent::__construct($db_config, $config_array['table_array'], $config_array['table_name']);
 		// here should be a check if the config_array is correct ...
 		if (isset($config_array['show_fields']) && is_array($config_array['show_fields'])) {
 			$this->field_array = $config_array['show_fields'];
@@ -829,7 +828,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 			$data['checked'] = 0;
 			for ($i = (count($this->table_array[$element_name]['element_list']) - 1); $i >= 0; $i --) {
 				$data['value'][] = $i;
-				$data['output'][] = $this->table_array[$element_name]['element_list'][$i];
+				$data['output'][] = $this->table_array[$element_name]['element_list'][$i] ?? null;
 				$data['name'] = $element_name;
 				if (isset($this->table_array[$element_name]['value']) &&
 					(($i && $this->table_array[$element_name]['value']) ||
@@ -1234,9 +1233,9 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 						} elseif ($data_array['type'] == 'radio_group' && !isset($_POST[$prfx.$el_name])) {
 							// radio group and set where one not active
 							// $this->debug('edit_error_chk', 'RADIO GROUP');
-							$row_okay[$_POST[$prfx.$el_name][$i]] = 0;
-							$default_wrong[$_POST[$prfx.$el_name][$i]] = 1;
-							$error[$_POST[$prfx.$el_name][$i]] = 1;
+							$row_okay[$_POST[$prfx.$el_name][$i] ?? 0] = 0;
+							$default_wrong[$_POST[$prfx.$el_name][$i] ?? 0] = 1;
+							$error[$_POST[$prfx.$el_name][$i] ?? 0] = 1;
 						} elseif (isset($_POST[$prfx.$el_name][$i]) && !isset($error[$i])) {
 							// $this->debug('edit_error_chk', '[$i]');
 							$element_set[$i] = 1;
@@ -1646,7 +1645,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 							// data part, read from where [POST]
 							// radio group selections (only one can be active)
 							if ($data_array['type'] == 'radio_group') {
-								if ($i == $_POST[$prfx.$el_name]) {
+								if (isset($_POST[$prfx.$el_name]) && $i == $_POST[$prfx.$el_name]) {
 									$_value = $i + 1;
 								} else {
 									$_value = 'NULL';

www/lib/CoreLibs/Template/SmartyExtend.php

@@ -34,10 +34,10 @@ class SmartyExtend extends SmartyBC
 	public $page_name;
 
 	// array for data parsing
-	public $HEADER = array();
-	public $DATA = array();
-	public $DEBUG_DATA = array();
-	private $CONTENT_DATA = array();
+	public $HEADER = [];
+	public $DATA = [];
+	public $DEBUG_DATA = [];
+	private $CONTENT_DATA = [];
 	// control vars
 	public $USE_PROTOTYPE = USE_PROTOTYPE;
 	public $USE_JQUERY = USE_JQUERY;
@@ -354,7 +354,7 @@ class SmartyExtend extends SmartyBC
 			$this->DATA['nav_menu'] = $cms->adbTopMenu();
 			$this->DATA['nav_menu_count'] = is_array($this->DATA['nav_menu']) ? count($this->DATA['nav_menu']) : 0;
 			// messages = array('msg' =>, 'class' => 'error/warning/...')
-			$this->DATA['messages'] = $cms->messages ?? array();
+			$this->DATA['messages'] = $cms->messages ?? [];
 			// the page name
 			$this->DATA['page_name'] = $this->page_name;
 			$this->DATA['table_width'] = $this->PAGE_WIDTH ?? PAGE_WIDTH;
@@ -405,7 +405,9 @@ class SmartyExtend extends SmartyBC
 	{
 		// array merge HEADER, DATA, DEBUG DATA
 		foreach (array('HEADER', 'DATA', 'DEBUG_DATA') as $ext_smarty) {
-			if (is_array($cms->{$ext_smarty})) {
+			if (isset($cms->{$ext_smarty}) &&
+				is_array($cms->{$ext_smarty})
+			) {
 				$this->{$ext_smarty} = array_merge($this->{$ext_smarty}, $cms->{$ext_smarty});
 			}
 		}

www/lib/autoloader.php

@@ -44,7 +44,7 @@ if (class_exists('Autoload', false) === false) {
 			// print "(2) Class clean: $path<br>";
 			// if path is set and a valid file
 			if ($path !== false && is_file($path)) {
-				// echo "<b>(3)</b> Load Path: $path<br>";
+				// print "<b>(3)</b> Load Path: $path<br>";
 				// we should sub that
 				// self::loadFile($path);
 				include $path;

www/psalm.xml

@@ -6,6 +6,7 @@
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
     autoloader="lib/autoloader.php"
+    errorLevel="8"
 >
     <projectFiles>
 		<file name="admin/class_test.php" />
@@ -28,7 +29,8 @@
             <directory name="tmp" />
             <directory name="log" />
             <directory name="media" />
-			<directory name="lib/pChart" />
+			<directory name="lib/FileUpload" />
+            <directory name="lib/pChart" />
 			<directory name="lib/pChart2.1.4" />
 			<directory name="lib/Smarty" />
 			<directory name="lib/smarty-3.1.30" />