}\r
\r
function commentsallowed($pictureid) {\r
- $query = 'select a.commentsallowed from '.sql_table('plug_gallery_album').' as a, '.sql_table('plug_gallery_picture').' as b where a.albumid=b.albumid and pictureid='.$pictureid;\r
+ $query = 'select a.commentsallowed from '.sql_table('plug_gallery_album').' as a, '.sql_table('plug_gallery_picture').' as b where a.albumid=b.albumid and pictureid='.intval($pictureid);\r
$res = sql_query($query);\r
$row = mysql_fetch_object($res);\r
return $row->commentsallowed;\r
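Review bot: mysql_fetch_object() on the line before the return yields false when no picture matches the id, and `$row->commentsallowed` then reads a property off false, returning null with a notice. The rest of the file guards this with mysql_num_rows() (get_data, get_team, get_pictures), so the same guard belongs here: `if (!mysql_num_rows($res)) return 0;` before the fetch, with whatever default the callers treat as "comments disabled". commentsallowed's closing brace lies outside the hunk.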
function add_new($data) {\r
$atitle = addslashes($data['title']);\r
$adescription = addslashes($data['description']);\r
- $aowner = $data['ownerid'];\r
- $apublicalbum = $data['publicalbum'];\r
+ $aowner = intval($data['ownerid']);\r
+ $apublicalbum = addslashes($data['publicalbum']);\r
if(!$aowner) $aowner = 0; //make the owner guest\r
$query = "insert into ".sql_table('plug_gallery_album')." (albumid, title, description, ownerid, modified, numberofimages, commentsallowed, publicalbum) values ".\r
"(NULL, '$atitle','$adescription',$aowner,NULL,0,1,'$apublicalbum')";\r
}\r
\r
function get_data($id) {\r
- $result = sql_query("select a.*,b.mname as name from ".sql_table('plug_gallery_album').' as a left join '.sql_table('member')." as b on a.ownerid=b.mnumber where a.albumid=$id" );\r
+ $result = sql_query("select a.*,b.mname as name from ".sql_table('plug_gallery_album').' as a left join '.sql_table('member')." as b on a.ownerid=b.mnumber where a.albumid=".intval($id) );\r
if(mysql_num_rows($result)) $data = mysql_fetch_object($result); \r
else {\r
$data->albumid = 0;\r
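Review bot: the else branch assigns `$data->albumid = 0` to a variable that has not been initialised on that path, relying on PHP's implicit conversion of an undefined variable into an object, which emits a warning on PHP 7 and is rejected on newer versions. Initialising explicitly with `$data = new stdClass();` as the first statement of the else block keeps the return value uniform with the fetched-row path. get_data continues past the hunk.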
\r
//default album thumbnail if thumbnail is blank\r
if(!$data->thumbnail) {\r
- $query = 'select thumb_filename from '.sql_table('plug_gallery_picture').' where albumid='.$data->albumid.' LIMIT 1';\r
+ $query = 'select thumb_filename from '.sql_table('plug_gallery_picture').' where albumid='.intval($data->albumid).' LIMIT 1';\r
$result = sql_query($query);\r
if(mysql_num_rows($result) ){\r
$row = mysql_fetch_object($result);\r
$data->thumbnail = $row->thumb_filename;\r
- sql_query('update '.sql_table('plug_gallery_album').' set thumbnail=\''.$row->thumb_filename.'\' where albumid='.$data->albumid);\r
+ sql_query('update '.sql_table('plug_gallery_album').' set thumbnail=\''.addslashes($row->thumb_filename).'\' where albumid='.intval($data->albumid));\r
}\r
}\r
return $data;\r
}\r
\r
function get_team($id) {\r
- $result = sql_query("select a.*, b.mname from ".sql_table('member').' as b, '.sql_table('plug_gallery_album_team')." as a where a.talbumid=$id and a.tmemberid=b.mnumber");\r
+ $result = sql_query("select a.*, b.mname from ".sql_table('member').' as b, '.sql_table('plug_gallery_album_team')." as a where a.talbumid=".intval($id)." and a.tmemberid=b.mnumber");\r
if(!mysql_num_rows($result)) return false;\r
$j=0;\r
while ($team[$j] = mysql_fetch_object($result)) {\r
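Review bot: `while ($team[$j] = mysql_fetch_object($result))` stores the terminating false as the last element of `$team`, so callers iterating the array see one bogus entry (presumably the body outside the hunk increments `$j`). Fetching into a temporary and appending only on success avoids it: `while ($row = mysql_fetch_object($result)) { $team[] = $row; ... }`. The loop body and the end of get_team are outside the hunk.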
\r
function get_pictures($id = 0,$so) {\r
if($this->query == '' && $id == 0) return null;\r
- if($this->query == '') $this->query = "select * from ".sql_table('plug_gallery_picture')." where albumid=$id $so";\r
+ if($this->query == '') $this->query = "select * from ".sql_table('plug_gallery_picture')." where albumid=".intval($id)." $so";\r
$result = sql_query($this->query);\r
$i=0;\r
while ($row = mysql_fetch_object($result)) {\r
$data[$i] = $row;\r
- $res = sql_query('select views from '.sql_table('plug_gallery_views').' where vpictureid = '.$row->pictureid);\r
+ $res = sql_query('select views from '.sql_table('plug_gallery_views').' where vpictureid = '.intval($row->pictureid));\r
if(mysql_num_rows($res)) {\r
$row2 = mysql_fetch_object($res);\r
$data[$i]->views = $row2->views;\r
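Review bot: `$so` is concatenated into the query on the `if($this->query == '')` line without escaping or validation, so the intval() on `$id` only closes half of that statement; nothing in the hunk shows where the sort clause comes from, and if it is derived from request input it must be checked against a fixed list of allowed ORDER BY fragments before reaching the query, e.g. `$so = in_array($so, $allowedOrders, true) ? $so : '';` with `$allowedOrders` being a list the class defines. Also `$data` is only assigned inside the fetch loop, so an empty result leaves it undefined on the return path that lies outside the hunk; `$data = array();` before the loop makes the return well-defined. get_pictures continues past the hunk.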
while ($j<$limit){\r
$keyword = $splitdata[$j];\r
//echo $keyword;\r
- $this->query = "select * from ".sql_table('plug_gallery_picture')." WHERE keywords like '%".$keyword."%' ";\r
+ $this->query = "select * from ".sql_table('plug_gallery_picture')." WHERE keywords like '%".addslashes($keyword)."%' ";\r
$result = sql_query($this->query);\r
while ($row = @mysql_fetch_object($result)) {\r
$data[$i] = $row;\r
- $res = sql_query('select views from '.sql_table('plug_gallery_views').' where vpictureid = '.$row->pictureid);\r
+ $res = sql_query('select views from '.sql_table('plug_gallery_views').' where vpictureid = '.intval($row->pictureid));\r
if(mysql_num_rows($res)) {\r
$row2 = mysql_fetch_object($res);\r
$data[$i]->views = $row2->views;\r
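Review bot: addslashes() on `$keyword` does not neutralise the LIKE wildcards `%` and `_`, so a keyword containing them still alters the pattern instead of being matched literally; escaping them as well, `$keyword = addcslashes(mysql_real_escape_string($keyword), '%_');`, keeps the search literal and uses the charset-aware escaper. The `@` on `mysql_fetch_object($result)` two lines later hides the case where sql_query() failed and returned false, which makes the loop silently yield nothing; testing `$result` explicitly is preferable to suppression. The enclosing method starts and ends outside the hunk.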
\r
function increaseNumberByOne($id) {\r
if(!$id) $id = $this->id;\r
- $result = sql_query("update ".sql_table('plug_gallery_album')." set numberofimages = numberofimages + 1 where albumid =$id");\r
+ $result = sql_query("update ".sql_table('plug_gallery_album')." set numberofimages = numberofimages + 1 where albumid =".intval($id));\r
}\r
\r
function decreaseNumberByOne($id) {\r
if(!$id) $id = $this->id;\r
- $result = sql_query("update ".sql_table('plug_gallery_album')." set numberofimages = numberofimages - 1 where albumid =$id");\r
+ $result = sql_query("update ".sql_table('plug_gallery_album')." set numberofimages = numberofimages - 1 where albumid =".intval($id));\r
}\r
\r
function fixnumberofimages($id) {\r
$numberofimages = $this->numberofimages;\r
}\r
else {\r
- $result = sql_query('select numberofimages from '.sql_table('plug_gallery_album'). " where albumid=$id");\r
+ $result = sql_query('select numberofimages from '.sql_table('plug_gallery_album'). " where albumid=".intval($id));\r
$row = mysql_fetch_object($result);\r
$numberofimages = $row->numberofimages;\r
}\r
- $result = sql_query('select count(*) as noi from '.sql_table('plug_gallery_picture')." where albumid=$id");\r
+ $result = sql_query('select count(*) as noi from '.sql_table('plug_gallery_picture')." where albumid=".intval($id));\r
$row = mysql_fetch_object($result);\r
$noi = $row->noi;\r
if($noi <> $numberofimages) {\r
- sql_query("update ".sql_table('plug_gallery_album')." set numberofimages=$noi where albumid=$id");\r
+ sql_query("update ".sql_table('plug_gallery_album')." set numberofimages=$noi where albumid=".intval($id));\r
}\r
}\r
function write() {\r
$query = "update ".sql_table('plug_gallery_album')\r
- ." set title='{$this->title}', "\r
- ." commentsallowed= {$this->option['commentsallowed']}, "\r
- ." thumbnail='{$this->thumbnail}', "\r
- ." description='{$this->description}', "\r
- ." publicalbum= {$this->option['publicalbum']}"\r
- ." where albumid={$this->id}";\r
+ ." set title='".addslashes($this->title)."', "\r
+ ." commentsallowed= ".intval($this->option['commentsallowed']).", "\r
+ ." thumbnail='".addslashes($this->thumbnail)."', "\r
+ ." description='".addslashes($this->description)."', "\r
+ ." publicalbum= ".intval($this->option['publicalbum']).""\r
+ ." where albumid=".intval($this->id)."";\r
sql_query($query);\r
}\r
\r
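Review bot: the two `.""` appended after the publicalbum and albumid fragments in write() are no-op concatenations left over from the rewrite and should be dropped, leaving `." publicalbum= ".intval($this->option['publicalbum'])` and `." where albumid=".intval($this->id);`. In increaseNumberByOne and decreaseNumberByOne the `$result` assigned from the update is never read, and in fixnumberofimages `$noi`, although it comes from a COUNT(*) row, is the one value still interpolated raw into the update; writing it as `intval($noi)` keeps that statement consistent with the rest of the commit. None of this changes behaviour; it is about how the new code reads.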