<?php\r
/*\r
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
- * Copyright (C) 2002-2009 The Nucleus Group\r
+ * Copyright (C) 2002-2011 The Nucleus Group\r
*\r
* This program is free software; you can redistribute it and/or\r
* modify it under the terms of the GNU General Public License\r
* The code for the Nucleus admin area\r
*\r
* @license http://nucleuscms.org/license.txt GNU General Public License\r
- * @copyright Copyright (C) 2002-2009 The Nucleus Group\r
+ * @copyright Copyright (C) 2002-2011 The Nucleus Group\r
* @version $Id$\r
* @version $NucleusJP: ADMIN.php,v 1.21.2.4 2007/10/30 19:04:24 kmorimatsu Exp $\r
*/\r
);\r
/*\r
// the rest of the actions needs to be checked\r
- $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'sendping', 'rawping', 'activatesetpwd');\r
+ $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'activatesetpwd');\r
*/\r
if (!in_array($this->action, $aActionsNotToCheck))\r
{\r
<input type="checkbox" value="1" name="shared" tabindex="40" id="shared" /><label for="shared"><?php echo _LOGIN_SHARED?></label>\r
<br /><a href="forgotpassword.html"><?php echo _LOGIN_FORGOT?></a>\r
</small>\r
- <?php // pass through vars\r
+ <?php // pass through vars\r
\r
$oldaction = postVar('oldaction');\r
if ( ($oldaction != 'logout') && ($oldaction != 'login') && $passvars ) {\r
\r
?>\r
</p></form>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
}\r
\r
\r
\r
$search = postVar('search'); // search through items\r
\r
- $query = 'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime'\r
+ $query = 'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime, bnumber, catid'\r
. ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')\r
. ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
\r
if ($search)\r
- $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+ $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
\r
// non-blog-admins can only edit/delete their own items\r
if (!$member->blogAdminRights($blogid))\r
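Review bot: sql_real_escape_string on L51 stops quote breakout but does not neutralise the LIKE metacharacters, so a `%` or `_` typed into the search box still acts as a wildcard; L167, L175, L183 and L199 have the same shape. Escaping once and reusing the result, `$s = sql_real_escape_string(addcslashes($search, '%_'));`, makes the term literal and keeps the three clauses in sync. `$blogid` is also concatenated unescaped on L47 while the comparable query on L195 wraps it in `intval()`; unless it is cast before this point (outside the hunk) it deserves the same cast.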
case 'unsetadmin':\r
// there should always remain at least one super-admin\r
$r = sql_query('SELECT * FROM '.sql_table('member'). ' WHERE madmin=1 and mcanlogin=1');\r
- if (mysql_num_rows($r) < 2)\r
+ if (sql_num_rows($r) < 2)\r
$error = _ERROR_ATLEASTONEADMIN;\r
else\r
sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);\r
case 'unsetadmin':\r
// there should always remain at least one admin\r
$r = sql_query('SELECT * FROM '.sql_table('team').' WHERE tadmin=1 and tblog='.$blogid);\r
- if (mysql_num_rows($r) < 2)\r
+ if (sql_num_rows($r) < 2)\r
$error = _ERROR_ATLEASTONEBLOGADMIN;\r
else\r
sql_query('UPDATE '.sql_table('team').' SET tadmin=0 WHERE tblog='.$blogid.' and tmember='.$memberid);\r
$error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
}\r
\r
- echo '<b>',($error ? 'Error: '.$error : _BATCH_SUCCESS),'</b>';\r
+ echo '<b>',($error ? _ERROR . ': '.$error : _BATCH_SUCCESS),'</b>';\r
echo '</li>';\r
}\r
\r
<input type="submit" value="<?php echo _MOVE_BTN?>" onclick="return checkSubmit();" />\r
\r
</div></form>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
exit;\r
}\r
\r
<input type="submit" value="<?php echo _MOVECAT_BTN?>" onclick="return checkSubmit();" />\r
\r
</div></form>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
exit;\r
}\r
\r
<?php $manager->addTicketHidden() ?>\r
<input type="hidden" name="batchaction" value="delete" />\r
<input type="hidden" name="confirmation" value="yes" />\r
- <?php // insert selected item numbers\r
+ <?php // insert selected item numbers\r
$idx = 0;\r
foreach ($ids as $id)\r
echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
<input type="submit" value="<?php echo _BATCH_DELETE_CONFIRM_BTN?>" onclick="return checkSubmit();" />\r
\r
</div></form>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
exit;\r
}\r
\r
\r
/**\r
* Inserts a HTML select element with choices for all blogs to which the user has access\r
- * mode = 'blog' => shows blognames and values are blogids\r
- * mode = 'category' => show category names and values are catids\r
+ * mode = 'blog' => shows blognames and values are blogids\r
+ * mode = 'category' => show category names and values are catids\r
*\r
* @param $iForcedBlogInclude\r
- * ID of a blog that always needs to be included, without checking if the\r
- * member is on the blog team (-1 = none)\r
+ * ID of a blog that always needs to be included, without checking if the\r
+ * member is on the blog team (-1 = none)\r
* @todo document parameters\r
*/\r
function selectBlog($name, $mode='blog', $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
else\r
$queryBlogs = 'SELECT bnumber FROM '.sql_table('blog').', '.sql_table('team').' WHERE tblog=bnumber and tmember=' . $member->getID();\r
$rblogids = sql_query($queryBlogs);\r
- while ($o = mysql_fetch_object($rblogids))\r
+ while ($o = sql_fetch_object($rblogids))\r
if ($o->bnumber != $iForcedBlogInclude)\r
$aBlogIds[] = intval($o->bnumber);\r
\r
$queryBlogs = 'SELECT bnumber, bname FROM '.sql_table('blog').' WHERE bnumber in ('.implode(',',$aBlogIds).') ORDER BY bname';\r
$blogs = sql_query($queryBlogs);\r
if ($mode == 'category') {\r
- if (mysql_num_rows($blogs) > 1)\r
+ if (sql_num_rows($blogs) > 1)\r
$multipleBlogs = 1;\r
\r
- while ($oBlog = mysql_fetch_object($blogs)) {\r
+ while ($oBlog = sql_fetch_object($blogs)) {\r
if ($multipleBlogs)\r
echo '<optgroup label="',htmlspecialchars($oBlog->bname),'">';\r
\r
\r
// 2. for each category in that blog\r
$categories = sql_query('SELECT cname, catid FROM '.sql_table('category').' WHERE cblog=' . $oBlog->bnumber . ' ORDER BY cname ASC');\r
- while ($oCat = mysql_fetch_object($categories)) {\r
+ while ($oCat = sql_fetch_object($categories)) {\r
if ($oCat->catid == $selected)\r
$selectText = ' selected="selected" ';\r
else\r
}\r
} else {\r
// blog mode\r
- while ($oBlog = mysql_fetch_object($blogs)) {\r
+ while ($oBlog = sql_fetch_object($blogs)) {\r
echo '<option value="',$oBlog->bnumber,'"';\r
if ($oBlog->bnumber == $selected)\r
echo ' selected="selected"';\r
. ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
\r
if ($search)\r
- $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+ $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
\r
$query .= ' ORDER BY itime DESC'\r
. " LIMIT $start,$amount";\r
$query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
\r
if ($search)\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
$query .= ' ORDER BY ctime ASC'\r
. " LIMIT $start,$amount";\r
$query = 'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
\r
if ($search)\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
$query .= ' ORDER BY ctime DESC'\r
. " LIMIT $start,$amount";\r
echo '<h2>', _COMMENTS_YOUR ,'</h2>';\r
\r
$template['content'] = 'commentlist';\r
- $template['canAddBan'] = 0; // doesn't make sense to allow banning yourself\r
+ $template['canAddBan'] = 0; // doesn't make sense to allow banning yourself\r
\r
$manager->loadClass("ENCAPSULATE");\r
$navList =& new NAVLIST('browseowncomments', $start, $amount, 0, 1000, 0, $search, 0);\r
$query = 'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
\r
if ($search != '')\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
\r
$query .= ' ORDER BY ctime DESC'\r
return;\r
}\r
\r
- $body = postVar('body');\r
- $title = postVar('title');\r
- $more = postVar('more');\r
+ $body = postVar('body');\r
+ $title = postVar('title');\r
+ $more = postVar('more');\r
$closed = intPostVar('closed');\r
$draftid = intPostVar('draftid');\r
\r
$wasdraft: set to 1 when the item used to be a draft item\r
$publish: set to 1 when the edited item is not a draft\r
*/\r
-/*<del by shizuki>\r
- switch ($actiontype) {\r
- case 'adddraft':\r
- $publish = 0;\r
- $wasdraft = 1;\r
- $timestamp = 0;\r
- break;\r
- case 'addfuture':\r
- $wasdraft = 1;\r
- $publish = 1;\r
- $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
- break;\r
- case 'addnow':\r
- $wasdraft = 1;\r
- $publish = 1;\r
- $timestamp = 0;\r
- break;\r
- case 'changedate':\r
- $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
- $publish = 1;\r
- $wasdraft = 0;\r
- break;\r
- case 'backtodrafts':\r
- $wasdraft = 0;\r
- $publish = 0;\r
- $timestamp = 0;\r
- break;\r
- case 'edit':\r
- default:\r
- $publish = 1;\r
- $wasdraft = 0;\r
- $timestamp = 0;\r
- }\r
-</del by shizuki>*/\r
-// <add by shizuki>\r
$blogid = getBlogIDFromItemID($itemid);\r
$blog =& $manager->getBlog($blogid);\r
\r
} else {\r
$timestamp =0;\r
}\r
- $doping = ($publish && $timestamp < $blog->getCorrectTime() && postVar('dosendping')) ? 1 : 0;\r
-// </add by shizuki>\r
\r
// edit the item for real\r
ITEM::update($itemid, $catid, $title, $body, $more, $closed, $wasdraft, $publish, $timestamp);\r
\r
-/* <del by shizuki>\r
- $blogid = getBlogIDFromItemID($itemid);\r
- $blog =& $manager->getBlog($blogid);\r
-\r
- $isFuture = 0;\r
- if ($timestamp > $blog->getCorrectTime(time())) {\r
- $isFuture = 1;\r
- }\r
-\r
-</del by shizuki>*/\r
$this->updateFuturePosted($blogid);\r
\r
if ($draftid > 0) {\r
ITEM::delete($draftid);\r
}\r
\r
-// if (!$closed && $publish && $wasdraft && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0 && !$isFuture) {\r
- if (!$closed && $doping && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0) { //<mod by shizuki />\r
- $this->action_sendping($blogid);\r
- return;\r
- }\r
-\r
// show category edit window when we created a new category\r
// ($catid will then be a new category ID, while postVar('catid') will be 'newcat-x')\r
if ($catid != intPostVar('catid')) {\r
$currenttime = $blog->getCorrectTime(time());\r
$result = sql_query("SELECT * FROM ".sql_table('item').\r
" WHERE iblog='".$blogid."' AND iposted=0 AND itime>".mysqldate($currenttime));\r
- if (mysql_num_rows($result) > 0) {\r
+ if (sql_num_rows($result) > 0) {\r
$blog->setFuturePost();\r
}\r
else {\r
* Adds a item to the chosen blog\r
*/\r
function action_additem() {\r
- global $member, $manager, $CONF;\r
+ global $manager, $CONF;\r
\r
$manager->loadClass('ITEM');\r
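Review bot: `$member` is dropped from the `global` declaration on L302, but the body of action_additem continues past the hunk; any later `$member->…` call in that method would now operate on an undefined local. Worth checking the remainder of the method before relying on the narrowed declaration.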
\r
\r
$blogid = getBlogIDFromItemID($result['itemid']);\r
$blog =& $manager->getBlog($blogid);\r
-/* <del by shizuki>\r
- $pingUrl = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=sendping&blogid=' . intval($blogid));\r
-\r
- if ($result['status'] == 'newcategory')\r
- $this->action_categoryedit(\r
- $result['catid'],\r
- $blogid,\r
- $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0 ? $pingUrl : ''\r
- );\r
- elseif ((postVar('actiontype') == 'addnow') && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0)\r
- $this->action_sendping($blogid);\r
- else\r
- $this->action_itemlist($blogid);\r
-</del by shizuki>*/\r
-// <add by shizuki>\r
$btimestamp = $blog->getCorrectTime();\r
- $bPingInfo = ($blog->sendPing() && numberOfEventSubscriber('SendPing') > 0);\r
- $item = $manager->getItem(intval($result['itemid']), 1, 1);\r
- $iPingInfo = (!$item['draft'] && postVar('dosendping') && $item['timestamp'] <= $btimestamp);\r
- if ($iPingInfo && $bPingInfo) {\r
- $nextAction = 'sendping';\r
- } else {\r
- $nextAction = 'itemlist';\r
- }\r
+ $item = $manager->getItem(intval($result['itemid']), 1, 1);\r
+\r
if ($result['status'] == 'newcategory') {\r
-// $distURI = ($nextAction == 'sendping') ? $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action='\r
-// . $nextAction . '&blogid=' . intval($blogid)) :\r
-// '';\r
- $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=' . $nextAction . '&blogid=' . intval($blogid));\r
+ $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=itemList&blogid=' . intval($blogid));\r
$this->action_categoryedit($result['catid'], $blogid, $distURI);\r
} else {\r
- $methodName = 'action_' . $nextAction;\r
+ $methodName = 'action_itemList';\r
call_user_func(array(&$this, $methodName), $blogid);\r
}\r
-//</add by shizuki>\r
- }\r
-\r
- /**\r
- * Shows a window that says we're about to ping.\r
- * immediately refresh to the real pinging page, which will\r
- * show an error, or redirect to the blog.\r
- *\r
- * @param int $blogid ID of blog for which ping needs to be sent out\r
- */\r
- function action_sendping($blogid = -1) {\r
- global $member, $manager;\r
-\r
- if ($blogid == -1)\r
- $blogid = intRequestVar('blogid');\r
-\r
- $member->isLoggedIn() or $this->disallow();\r
-\r
- $rawPingUrl = $manager->addTicketToUrl('index.php?action=rawping&blogid=' . intval($blogid));\r
-\r
- $this->pagehead('<meta http-equiv="refresh" content="1; url='.htmlspecialchars($rawPingUrl).'" />');\r
- echo _UPDATEDPING_MESSAGE;\r
- ?>\r
- <a href="index.php?action=rawping&blogid=<?php echo $blogid?>"><?php echo _UPDATEDPING_GOPINGPAGE ?></a>\r
- </p>\r
- <?php\r
- $this->pagefoot();\r
- }\r
-\r
- /**\r
- * Sends the real ping (can take up to 10 seconds!)\r
- */\r
- function action_rawping() {\r
- global $manager;\r
- // TODO: checks?\r
-\r
- $blogid = intRequestVar('blogid');\r
- $blog =& $manager->getBlog($blogid);\r
-\r
- $this->pagehead();\r
-\r
- ?>\r
-\r
- <h2><?php echo _UPDATEDPING_PINGING ?></h2>\r
- <div class='note'>\r
- <?php\r
-\r
- // send sendPing event\r
- $manager->notify('SendPing', array('blogid' => $blogid));\r
-\r
- ?>\r
- </div>\r
-\r
- <ul>\r
- <li><a href="index.php?action=itemlist&blogid=<?php echo $blog->getID()?>"><?php echo _UPDATEDPING_VIEWITEM . htmlspecialchars($blog->getName())?></a></li>\r
- <li><a href="<?php echo $blog->getURL()?>"><?php echo _UPDATEDPING_VISITOWNSITE ?></a></li>\r
- </ul>\r
-\r
- <?php $this->pagefoot();\r
}\r
\r
/**\r
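Review bot: the new action name is spelled `itemList` on L340 and L344 whereas the rest of the file uses all-lowercase action names (the removed L401 links to `action=itemlist`). PHP resolves `action_itemList` regardless of case, but the `in_array($this->action, $aActionsNotToCheck)` guard on L23 is case-sensitive, so the URL built on L340 is presumably routed through the ticket-check branch where `itemlist` would not be; it works only because `addTicketToUrl` supplies a ticket. Using the established spelling removes that dependency: `$distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=itemlist&blogid=' . intval($blogid));` and `$methodName = 'action_itemlist';`. The enclosing method starts before this hunk.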
\r
// change <br /> to \n\r
$comment['body'] = str_replace('<br />','',$comment['body']);\r
-\r
- $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>","\\1",$comment['body']);\r
-\r
+ \r
+ // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+ /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+ $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#i", "\\1", $comment['body']);\r
+ \r
$this->pagehead();\r
\r
?>\r
</tr><tr>\r
<td><?php echo _EDITC_WHO?></td>\r
<td>\r
- <?php if ($comment['member'])\r
+ <?php if ($comment['member'])\r
echo $comment['member'] . " (" . _EDITC_MEMBER . ")";\r
else\r
echo $comment['user'] . " (" . _EDITC_NONMEMBER . ")";\r
<tr>\r
<td><?php echo _EDITC_TEXT?></td>\r
<td>\r
- <textarea name="body" tabindex="10" rows="10" cols="50"><?php // htmlspecialchars not needed (things should be escaped already)\r
+ <textarea name="body" tabindex="10" rows="10" cols="50"><?php // htmlspecialchars not needed (things should be escaped already)\r
echo $comment['body'];\r
?></textarea>\r
</td>\r
$url = postVar('url');\r
$email = postVar('email');\r
$body = postVar('body');\r
-\r
+ \r
+ # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+ # important note that '\' must be matched with '\\\\' in preg* expressions\r
// intercept words that are too long\r
- if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false)\r
+ if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+ {\r
$this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+ }\r
+ \r
// check length\r
- if (strlen($body)<3)\r
+ if (strlen($body) < 3)\r
+ {\r
$this->error(_ERROR_COMMENT_NOCOMMENT);\r
+ }\r
if (strlen($body)>5000)\r
+ {\r
$this->error(_ERROR_COMMENT_TOOLONG);\r
-\r
-\r
+ }\r
+ \r
// prepare body\r
$body = COMMENT::prepareBody($body);\r
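Review bot: `preg_match(...) != FALSE` on L449 reads a PCRE failure (`false`, e.g. the backtrack limit on a large body) as "no long word", so a body that makes the engine give up passes a check the ereg version applied unconditionally; the 5000-byte length check on L461 only runs afterwards. Comparing against the no-match result instead fails closed, `if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90}#', $body) !== 0)`, and `{90,90}` can simply be `{90}`. The enclosing method starts before this hunk.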
\r
$manager->notify('PreUpdateComment',array('body' => &$body));\r
\r
$query = 'UPDATE '.sql_table('comment')\r
- . " SET cmail = '" . addslashes($url) . "', cemail = '" . addslashes($email) . "', cbody = '" . addslashes($body) . "'"\r
+ . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
. " WHERE cnumber=" . $commentid;\r
sql_query($query);\r
\r
// get itemid\r
$res = sql_query('SELECT citem FROM '.sql_table('comment').' WHERE cnumber=' . $commentid);\r
- $o = mysql_fetch_object($res);\r
+ $o = sql_fetch_object($res);\r
$itemid = $o->citem;\r
\r
if ($member->canAlterItem($itemid))\r
\r
// get item id first\r
$res = sql_query('SELECT citem FROM '.sql_table('comment') .' WHERE cnumber=' . $commentid);\r
- $o = mysql_fetch_object($res);\r
+ $o = sql_fetch_object($res);\r
$itemid = $o->citem;\r
\r
$error = $this->deleteOneComment($commentid);\r
<td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>\r
<br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
</td>\r
- <td><input tabindex="10010" name="name" size="16" maxlength="16" /></td>\r
+ <td><input tabindex="10010" name="name" size="32" maxlength="32" /></td>\r
</tr><tr>\r
<td><?php echo _MEMBERS_REALNAME?></td>\r
<td><input name="realname" tabindex="10020" size="40" maxlength="60" /></td>\r
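Review bot: raising `maxlength` to 32 on L498 (and L506) only widens the form field; whether the `mname` column and the server-side display-name validation accept 32 characters is not visible here, and without that a longer name would be truncated by the database or rejected on submit. Confirm the schema change accompanies this commit; the same question applies to the 128 on L698.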
</td>\r
<td>\r
<?php if ($CONF['AllowLoginEdit'] || $member->isAdmin()) { ?>\r
- <input name="name" tabindex="10" maxlength="16" size="16" value="<?php echo htmlspecialchars($mem->getDisplayName()); ?>" />\r
+ <input name="name" tabindex="10" maxlength="32" size="32" value="<?php echo htmlspecialchars($mem->getDisplayName()); ?>" />\r
<?php } else {\r
echo htmlspecialchars($member->getDisplayName());\r
}\r
\r
<select name="deflang" tabindex="85">\r
<option value=""><?php echo _MEMBERS_USESITELANG?></option>\r
- <?php // show a dropdown list of all available languages\r
+ <?php // show a dropdown list of all available languages\r
global $DIR_LANG;\r
$dirhandle = opendir($DIR_LANG);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle))\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+ if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
- echo "<option value='$name'";\r
- if ($name == $mem->getLanguage())\r
- echo " selected='selected'";\r
+ echo "<option value=\"$name\"";\r
+ if ($name == $mem->getLanguage() )\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
echo ">$name</option>";\r
}\r
}\r
closedir($dirhandle);\r
-\r
+ \r
?>\r
</select>\r
\r
// check if allowed\r
($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
\r
- $name = trim(strip_tags(postVar('name')));\r
- $realname = trim(strip_tags(postVar('realname')));\r
- $password = postVar('password');\r
- $repeatpassword = postVar('repeatpassword');\r
- $email = strip_tags(postVar('email'));\r
+ $name = trim(strip_tags(postVar('name')));\r
+ $realname = trim(strip_tags(postVar('realname')));\r
+ $password = postVar('password');\r
+ $repeatpassword = postVar('repeatpassword');\r
+ $email = strip_tags(postVar('email'));\r
$url = strip_tags(postVar('url'));\r
\r
- // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
- if (!eregi("^https?://", $url))\r
- $url = "http://".$url;\r
-\r
- $admin = postVar('admin');\r
- $canlogin = postVar('canlogin');\r
- $notes = strip_tags(postVar('notes'));\r
+ # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original eregi: !eregi("^https?://", $url)\r
+ // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+ if (!preg_match('#^https?://#', $url) )\r
+ {\r
+ $url = 'http://' . $url;\r
+ }\r
+ $admin = postVar('admin');\r
+ $canlogin = postVar('canlogin');\r
+ $notes = strip_tags(postVar('notes'));\r
$deflang = postVar('deflang');\r
\r
$mem = MEMBER::createFromID($memberid);\r
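Review bot: the rewrite on L568 loses the case-insensitivity of the `eregi` it replaces, so a URL typed as `HTTP://example.com` or `Https://…` no longer matches and comes out as `http://HTTP://example.com`. Restoring the flag keeps the old behaviour: `if (!preg_match('#^https?://#i', $url) )`. The enclosing method starts before this hunk.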
\r
if ($password && (strlen($password) < 6))\r
$this->error(_ERROR_PASSWORDTOOSHORT);\r
+\r
+ if ($password) {\r
+ $pwdvalid = true;\r
+ $pwderror = '';\r
+ $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+ if (!$pwdvalid) {\r
+ $this->error($pwderror);\r
+ }\r
+ }\r
}\r
\r
if (!isValidMailAddress($email))\r
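Review bot: when a `PrePasswordSet` subscriber sets `valid` to false but leaves `errormessage` untouched, L587 calls `$this->error('')` and the member sees a blank error; L647 in action_activatesetpwd has the same gap. Falling back to a generic message covers it, e.g. `$this->error($pwderror !== '' ? $pwderror : _ERROR);`. The hook hands subscribers the plaintext password by design, so plugins must treat that array as sensitive and never log it. The enclosing method starts before this hunk.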
\r
// check if there will remain at least one site member with both the logon and admin rights\r
// (check occurs when taking away one of these rights from such a member)\r
- if ( (!$admin && $mem->isAdmin() && $mem->canLogin())\r
+ if ( (!$admin && $mem->isAdmin() && $mem->canLogin())\r
|| (!$canlogin && $mem->isAdmin() && $mem->canLogin())\r
)\r
{\r
$r = sql_query('SELECT * FROM '.sql_table('member').' WHERE madmin=1 and mcanlogin=1');\r
- if (mysql_num_rows($r) < 2)\r
+ if (sql_num_rows($r) < 2)\r
$this->error(_ERROR_ATLEASTONEADMIN);\r
}\r
\r
* @author dekarma\r
*/\r
function action_activatesetpwd() {\r
-\r
+ \r
$key = postVar('key');\r
\r
// clean up old activation keys\r
if (!$mem)\r
return $this->_showActivationPage($key, _ERROR_ACTIVATE);\r
\r
- $password = postVar('password');\r
- $repeatpassword = postVar('repeatpassword');\r
+ $password = postVar('password');\r
+ $repeatpassword = postVar('repeatpassword');\r
\r
- if ($password != $repeatpassword)\r
+ if (!$password) {
+ return $this->_showActivationPage($key, _ERROR_PASSWORDMISSING);\r
+ }\r
+ \r
+ if ($password != $repeatpassword) {\r
return $this->_showActivationPage($key, _ERROR_PASSWORDMISMATCH);\r
-\r
- if ($password && (strlen($password) < 6))\r
+ }\r
+ \r
+ if (strlen($password) < 6) {\r
return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
-\r
- $error = '';\r
+ }\r
+ \r
+ $pwdvalid = true;\r
+ $pwderror = '';\r
+ \r
global $manager;\r
+ $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+ \r
+ if (!$pwdvalid) {\r
+ return $this->_showActivationPage($key,$pwderror);\r
+ }\r
+ \r
+ $error = '';\r
$manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
if ($error != '')\r
return $this->_showActivationPage($key, $error);\r
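Review bot: L624 (`if (!$password) {`) is the only line in this hunk written without the trailing CR that the rest of the file carries, leaving action_activatesetpwd with mixed line endings that will surface as a spurious whole-block change on the next edit. Re-saving that line with CRLF fixes it. The method itself begins before the hunk.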
\r
<table><tr>\r
<td><?php echo _TEAM_CHOOSEMEMBER?></td>\r
- <td><?php // TODO: try to make it so only non-team-members are listed\r
+ <td><?php // TODO: try to make it so only non-team-members are listed\r
$query = 'SELECT mname as text, mnumber as value'\r
. ' FROM '.sql_table('member');\r
\r
return _ERROR_DISALLOWED;\r
\r
// check if: - there remains at least one blog admin\r
- // - (there remains at least one team member)\r
+ // - (there remains at least one team member)\r
$tmem = MEMBER::createFromID($memberid);\r
\r
$manager->notify('PreDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
// (check for at least two admins before deletion)\r
$query = 'SELECT * FROM '.sql_table('team') . ' WHERE tblog='.$blogid.' and tadmin=1';\r
$r = sql_query($query);\r
- if (mysql_num_rows($r) < 2)\r
+ if (sql_num_rows($r) < 2)\r
return _ERROR_ATLEASTONEBLOGADMIN;\r
}\r
\r
// don't allow when there is only one admin at this moment\r
if ($mem->isBlogAdmin($blogid)) {\r
$r = sql_query('SELECT * FROM '.sql_table('team') . " WHERE tblog=$blogid and tadmin=1");\r
- if (mysql_num_rows($r) == 1)\r
+ if (sql_num_rows($r) == 1)\r
$this->error(_ERROR_ATLEASTONEBLOGADMIN);\r
}\r
\r
<?php\r
$res = sql_query('SELECT mname, mrealname FROM ' . sql_table('member') . ',' . sql_table('team') . ' WHERE mnumber=tmember AND tblog=' . intval($blogid));\r
$aMemberNames = array();\r
- while ($o = mysql_fetch_object($res))\r
+ while ($o = sql_fetch_object($res))\r
array_push($aMemberNames, htmlspecialchars($o->mname) . ' (' . htmlspecialchars($o->mrealname). ')');\r
echo implode(',', $aMemberNames);\r
?>\r
<td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
</tr><tr>\r
<td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
- <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+ <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
</tr><tr>\r
<td><?php echo _EBLOG_NOTIFY_ON?></td>\r
<td>\r
/><label for="notifyNewItem"><?php echo _EBLOG_NOTIFY_ITEM?></label>\r
</td>\r
</tr><tr>\r
- <?php\r
- if (numberOfEventSubscriber('SendPing') > 0) {\r
- ?>\r
- <td><?php echo _EBLOG_PING?> <?php help('sendping'); ?></td>\r
- <td><?php $this->input_yesno('sendping',$blog->sendPing(),85); ?></td>\r
- </tr><tr>\r
- <?php\r
- }\r
- ?>\r
<td><?php echo _EBLOG_MAXCOMMENTS?> <?php help('blogmaxcomments'); ?></td>\r
<td><input name="maxcomments" tabindex="90" size="3" value="<?php echo htmlspecialchars($blog->getMaxComments()); ?>" /></td>\r
</tr><tr>\r
if (!isValidCategoryName($cname))\r
$this->error(_ERROR_BADCATEGORYNAME);\r
\r
- $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+ $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
$res = sql_query($query);\r
- if (mysql_num_rows($res) > 0)\r
+ if (sql_num_rows($res) > 0)\r
$this->error(_ERROR_DUPCATEGORYNAME);\r
\r
- $blog =& $manager->getBlog($blogid);\r
- $newCatID = $blog->createNewCategory($cname, $cdesc);\r
+ $blog =& $manager->getBlog($blogid);\r
+ $newCatID = $blog->createNewCategory($cname, $cdesc);\r
\r
$this->action_blogsettings();\r
}\r
$member->blogAdminRights($blogid) or $this->disallow();\r
\r
$res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cblog=$blogid AND catid=$catid");\r
- $obj = mysql_fetch_object($res);\r
+ $obj = sql_fetch_object($res);\r
\r
$cname = $obj->cname;\r
$cdesc = $obj->cdesc;\r
if (!isValidCategoryName($cname))\r
$this->error(_ERROR_BADCATEGORYNAME);\r
\r
- $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+ $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
$res = sql_query($query);\r
- if (mysql_num_rows($res) > 0)\r
+ if (sql_num_rows($res) > 0)\r
$this->error(_ERROR_DUPCATEGORYNAME);\r
\r
$query = 'UPDATE '.sql_table('category').' SET'\r
- . " cname='" . addslashes($cname) . "',"\r
- . " cdesc='" . addslashes($cdesc) . "'"\r
+ . " cname='" . sql_real_escape_string($cname) . "',"\r
+ . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
. " WHERE catid=" . $catid;\r
\r
sql_query($query);\r
// check if catid is the only category left for blogid\r
$query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
$res = sql_query($query);\r
- if (mysql_num_rows($res) == 1)\r
+ if (sql_num_rows($res) == 1)\r
$this->error(_ERROR_DELETELASTCATEGORY);\r
\r
\r
\r
$catid = intval($catid);\r
\r
- $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
-\r
$blogid = getBlogIDFromCatID($catid);\r
\r
if (!$member->blogAdminRights($blogid))\r
// check if catid is the only category left for blogid\r
$query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
$res = sql_query($query);\r
- if (mysql_num_rows($res) == 1)\r
+ if (sql_num_rows($res) == 1)\r
return _ERROR_DELETELASTCATEGORY;\r
\r
+ $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
+\r
// change category for all items to the default category\r
$query = 'UPDATE '.sql_table('item')." SET icat=$destcatid WHERE icat=$catid";\r
sql_query($query);\r
// update comments table (cblog)\r
$query = 'SELECT inumber FROM '.sql_table('item').' WHERE icat='.$catid;\r
$items = sql_query($query);\r
- while ($oItem = mysql_fetch_object($items)) {\r
+ while ($oItem = sql_fetch_object($items)) {\r
sql_query('UPDATE '.sql_table('comment').' SET cblog='.$destblogid.' WHERE citem='.$oItem->inumber);\r
}\r
\r
\r
$blog =& $manager->getBlog($blogid);\r
\r
- $notify = trim(postVar('notify'));\r
- $shortname = trim(postVar('shortname'));\r
- $updatefile = trim(postVar('update'));\r
+ $notify = trim(postVar('notify'));\r
+ $shortname = trim(postVar('shortname'));\r
+ $updatefile = trim(postVar('update'));\r
\r
- $notifyComment = intPostVar('notifyComment');\r
- $notifyVote = intPostVar('notifyVote');\r
- $notifyNewItem = intPostVar('notifyNewItem');\r
+ $notifyComment = intPostVar('notifyComment');\r
+ $notifyVote = intPostVar('notifyVote');\r
+ $notifyNewItem = intPostVar('notifyNewItem');\r
\r
if ($notifyComment == 0) $notifyComment = 1;\r
- if ($notifyVote == 0) $notifyVote = 1;\r
+ if ($notifyVote == 0) $notifyVote = 1;\r
if ($notifyNewItem == 0) $notifyNewItem = 1;\r
\r
$notifyType = $notifyComment * $notifyVote * $notifyNewItem;\r
$blog->setDefaultSkin(intPostVar('defskin'));\r
$blog->setDescription(trim(postVar('desc')));\r
$blog->setPublic(postVar('public'));\r
- $blog->setPingUserland(postVar('sendping'));\r
$blog->setConvertBreaks(intPostVar('convertbreaks'));\r
$blog->setAllowPastPosting(intPostVar('allowpastposting'));\r
$blog->setDefaultCategory(intPostVar('defcat'));\r
\r
/* unlink comments from memberid */\r
if ($memberid) {\r
- $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. addslashes($mem->getDisplayName())\r
+ $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
.'" WHERE cmember='.$memberid;\r
sql_query($query);\r
}\r
. ' FROM '.sql_table('skin_desc');\r
$template['name'] = 'defskin';\r
$template['tabindex'] = 50;\r
- $template['selected'] = $CONF['BaseSkin']; // set default selected skin to be globally defined base skin\r
+ $template['selected'] = $CONF['BaseSkin']; // set default selected skin to be globally defined base skin\r
showlist($query,'select',$template);\r
?>\r
</td>\r
// Only Super-Admins can do this\r
$member->isAdmin() or $this->disallow();\r
\r
- $bname = trim(postVar('name'));\r
- $bshortname = trim(postVar('shortname'));\r
+ $bname = trim(postVar('name'));\r
+ $bshortname = trim(postVar('shortname'));\r
$btimeoffset = postVar('timeoffset');\r
- $bdesc = trim(postVar('desc'));\r
- $bdefskin = postVar('defskin');\r
+ $bdesc = trim(postVar('desc'));\r
+ $bdefskin = postVar('defskin');\r
\r
if (!isValidShortName($bshortname))\r
$this->error(_ERROR_BADSHORTBLOGNAME);\r
$manager->notify(\r
'PreAddBlog',\r
array(\r
- 'name' => &$bname,\r
+ 'name' => &$bname,\r
'shortname' => &$bshortname,\r
'timeoffset' => &$btimeoffset,\r
'description' => &$bdesc,\r
\r
\r
// add slashes for sql queries\r
- $bname = addslashes($bname);\r
- $bshortname = addslashes($bshortname);\r
- $btimeoffset = addslashes($btimeoffset);\r
- $bdesc = addslashes($bdesc);\r
- $bdefskin = addslashes($bdefskin);\r
+ $bname = sql_real_escape_string($bname);\r
+ $bshortname = sql_real_escape_string($bshortname);\r
+ $btimeoffset = sql_real_escape_string($btimeoffset);\r
+ $bdesc = sql_real_escape_string($bdesc);\r
+ $bdefskin = sql_real_escape_string($bdefskin);\r
\r
// create blog\r
$query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
sql_query($query);\r
- $blogid = mysql_insert_id();\r
- $blog =& $manager->getBlog($blogid);\r
+ $blogid = sql_insert_id();\r
+ $blog =& $manager->getBlog($blogid);\r
\r
// create new category\r
+ $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+ $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
$sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
- sql_query(sprintf($sql, sql_table('category'), $blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC));\r
+ sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
// sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
- $catid = mysql_insert_id();\r
+ $catid = sql_insert_id();\r
\r
// set as default category\r
$blog->setDefaultCategory($catid);\r
$memberid = $member->getID();\r
$query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
sql_query($query);\r
-\r
-\r
- $blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
-\r
+ \r
+ $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+ $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+ \r
+ $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+ //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+ \r
+ \r
+ \r
$manager->notify(\r
'PostAddBlog',\r
array(\r
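Review bot: The fallbacks introduced at L888-889 are only applied to the category INSERT; the PostAddCategory notification in the next hunk (L924-925) still passes `_EBLOGDEFAULTCATEGORY_NAME` and `_EBLOGDEFAULTCATEGORY_DESC` directly, so when the language file does not define them plugins receive the bare constant name (PHP substitutes the name of an undefined constant, with a notice) instead of the 'General' default used for the row. Change those two entries to `'name' => $catdefname,` and `'description' => $catdefdesc,`. Note also that `$catdefname`/`$catdefdesc` go into the query through sprintf's `"%s"` at L890-892 without escaping, unlike the blog fields at L873-877; the literal defaults are harmless, but a translated constant containing a double quote would break the statement, so pass both through sql_real_escape_string() first. The enclosing method starts before this hunk.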
$manager->notify(\r
'PostAddCategory',\r
array(\r
- 'blog' => &$blog,\r
- 'name' => _EBLOGDEFAULTCATEGORY_NAME,\r
+ 'blog' => &$blog,\r
+ 'name' => _EBLOGDEFAULTCATEGORY_NAME,\r
'description' => _EBLOGDEFAULTCATEGORY_DESC,\r
- 'catid' => $catid\r
+ 'catid' => $catid\r
)\r
);\r
\r
</tr></table>\r
</div></form>\r
\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
\r
}\r
\r
\r
$member->blogAdminRights($blogid) or $this->disallow();\r
\r
- $burl = requestVar('url');\r
- $blogid = intRequestVar('blogid');\r
+ $burl = requestVar('url');\r
+ $blogid = intRequestVar('blogid');\r
\r
$blog =& $manager->getBlog($blogid);\r
$blog->setURL(trim($burl));\r
<h2><?php echo _SKINIE_TITLE_IMPORT?></h2>\r
\r
<p><label for="skinie_import_local"><?php echo _SKINIE_LOCAL?></label>\r
- <?php global $DIR_SKINS;\r
+ <?php global $DIR_SKINS;\r
\r
$candidates = SKINIMPORT::searchForCandidates($DIR_SKINS);\r
\r
<?php $manager->addTicketHidden() ?>\r
<input type="hidden" name="mode" value="file" />\r
<select name="skinfile" id="skinie_import_local">\r
- <?php foreach ($candidates as $skinname => $skinfile) {\r
+ <?php foreach ($candidates as $skinname => $skinfile) {\r
$html = htmlspecialchars($skinfile);\r
echo '<option value="',$html,'">',$skinname,'</option>';\r
}\r
</select>\r
<input type="submit" value="<?php echo _SKINIE_BTN_IMPORT?>" />\r
</div></form>\r
- <?php } else {\r
+ <?php } else {\r
echo _SKINIE_NOCANDIDATES;\r
}\r
?>\r
<table><tr>\r
<th colspan="2"><?php echo _SKINIE_EXPORT_SKINS?></th>\r
</tr><tr>\r
- <?php // show list of skins\r
+ <?php // show list of skins\r
$res = sql_query('SELECT * FROM '.sql_table('skin_desc'));\r
- while ($skinObj = mysql_fetch_object($res)) {\r
+ while ($skinObj = sql_fetch_object($res)) {\r
$id = 'skinexp' . $skinObj->sdnumber;\r
echo '<td><input type="checkbox" name="skin[',$skinObj->sdnumber,']" id="',$id,'" />';\r
echo '<label for="',$id,'">',htmlspecialchars($skinObj->sdname),'</label></td>';\r
\r
// show list of templates\r
$res = sql_query('SELECT * FROM '.sql_table('template_desc'));\r
- while ($templateObj = mysql_fetch_object($res)) {\r
+ while ($templateObj = sql_fetch_object($res)) {\r
$id = 'templateexp' . $templateObj->tdnumber;\r
echo '<td><input type="checkbox" name="template[',$templateObj->tdnumber,']" id="',$id,'" />';\r
echo '<label for="',$id,'">',htmlspecialchars($templateObj->tdname),'</label></td>';\r
include_once($DIR_LIBS . 'skinie.php');\r
\r
$skinFileRaw= postVar('skinfile');\r
- $mode = postVar('mode');\r
+ $mode = postVar('mode');\r
\r
$importer =& new SKINIMPORT();\r
\r
// clashes\r
$skinNameClashes = $importer->checkSkinNameClashes();\r
$templateNameClashes = $importer->checkTemplateNameClashes();\r
- $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
+ $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
\r
if ($error) $this->error($error);\r
\r
include_once($DIR_LIBS . 'skinie.php');\r
\r
$skinFileRaw= postVar('skinfile');\r
- $mode = postVar('mode');\r
+ $mode = postVar('mode');\r
\r
$allowOverwrite = intPostVar('overwrite');\r
\r
<li><p><strong><?php echo _SKINIE_INFO_IMPORTEDTEMPLS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
</ul>\r
\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
\r
}\r
\r
$member->isAdmin() or $this->disallow();\r
\r
$extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
- $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+ $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
\r
$this->pagehead($extrahead);\r
\r
\r
<h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo htmlspecialchars($templatename); ?>'</h2>\r
\r
- <?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+ <?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
?>\r
\r
<p><?php echo _TEMPLATE_EDIT_MSG?></p>\r
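Review bot: sql_real_escape_string() at L1028 escapes for a SQL string literal, but the value is being placed inside a JavaScript string literal in a `<script>` block, so it is the wrong escaping context (and, if it wraps mysql_real_escape_string(), it also needs an open database connection, which the addslashes() it replaced did not). Build the argument with json_encode() instead, which yields a correctly quoted JS string: `$extrahead .= '<script type="text/javascript">setTemplateEditText(' . json_encode(_EDITTEMPLATE_EMPTY) . ');</script>';`. The enclosing method starts before this hunk.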
</tr><tr>\r
<td><?php echo $description?> <?php if ($help) help('template'.$help); ?></td>\r
<td id="td<?php echo $count?>"><textarea class="templateedit" name="<?php echo $name?>" tabindex="<?php echo $tabindex?>" cols="50" rows="<?php echo $big?10:5?>" id="textarea<?php echo $count?>"><?php echo htmlspecialchars($template[$name]); ?></textarea></td>\r
- <?php $count++;\r
+ <?php $count++;\r
}\r
\r
/**\r
$this->error(_ERROR_DUPTEMPLATENAME);\r
\r
\r
- $name = addslashes($name);\r
- $desc = addslashes($desc);\r
+ $name = sql_real_escape_string($name);\r
+ $desc = sql_real_escape_string($desc);\r
\r
// 1. Remove all template parts\r
$query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
* @todo document this\r
*/\r
function addToTemplate($id, $partname, $content) {\r
- $partname = addslashes($partname);\r
- $content = addslashes($content);\r
+ $partname = sql_real_escape_string($partname);\r
+ $content = sql_real_escape_string($content);\r
\r
$id = intval($id);\r
\r
\r
$query = 'INSERT INTO '.sql_table('template')." (tdesc, tpartname, tcontent) "\r
. "VALUES ($id, '$partname', '$content')";\r
- sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . mysql_error());\r
- return mysql_insert_id();\r
+ sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+ return sql_insert_id();\r
}\r
\r
/**\r
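Review bot: addToTemplate() is rewritten here but its docblock still reads `@todo document this`; this commit is the place to fill it in. Describe it as inserting one part for template `$id` (cast to int) into the template table, escaping `$partname` and `$content` for SQL itself so callers must pass raw values, returning sql_insert_id() of the new row, and terminating the request via exit() with the driver error text when the INSERT fails. That last point matters for callers such as the clone loop at L1081-1084, which cannot recover from a partial clone; reporting the failure through $this->error() instead of exit() would at least keep the page footer intact.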
// 3. create clone\r
// go through parts of old template and add them to the new one\r
$res = sql_query('SELECT tpartname, tcontent FROM '.sql_table('template').' WHERE tdesc=' . $templateid);\r
- while ($o = mysql_fetch_object($res)) {\r
+ while ($o = sql_fetch_object($res)) {\r
$this->addToTemplate($newid, $o->tpartname, $o->tcontent);\r
}\r
\r
echo '<input type="submit" tabindex="140" value="' . _SKIN_CREATE . '" onclick="return checkSubmit();" />' . "\r\n";\r
echo '</form>' . "\r\n";\r
\r
- if ($res && mysql_num_rows($res) > 0) {\r
+ if ($res && sql_num_rows($res) > 0) {\r
echo '<ul>';\r
$tabstart = 75;\r
\r
- while ($row = mysql_fetch_assoc($res)) {\r
- echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">remove</a>)</li>';\r
+ while ($row = sql_fetch_assoc($res)) {\r
+ echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&skinid=' . $skinid . '&type=' . htmlspecialchars(strtolower($row['stype'])) . '">'._LISTS_DELETE.'</a>)</li>';\r
}\r
\r
echo '</ul>';\r
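Review bot: The rewritten link at L1097 builds `href="index.php?action=skinedittype&skinid=...&type=..."` with bare `&` inside an attribute, which is not well-formed in the XHTML 1.0 Strict document that pagehead() emits (doctype at L1364); write `&amp;` in both URLs. `$skinid` is concatenated into the same attribute raw while `$row['stype']` goes through htmlspecialchars(); if it is not guaranteed to be an integer at this point, wrap it in intval() as well. The enclosing method starts before this hunk.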
</form>\r
\r
\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
}\r
\r
/**\r
\r
<h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo htmlspecialchars($skin->getName()) ?>': <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?></h2>\r
\r
- <?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+ <?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
?>\r
\r
-\r
+ <div style="width:100%;">\r
<form method="post" action="index.php">\r
<div>\r
\r
\r
<br /><br />\r
<?php echo _SKIN_ALLOWEDVARS?>\r
- <?php $actions = SKIN::getAllowedActionsForType($type);\r
+ <?php $actions = SKIN::getAllowedActionsForType($type);\r
\r
sort($actions);\r
\r
echo '<br />' . _SKINEDIT_ALLOWEDTEMPLATESS;\r
$query = 'SELECT tdname as name, tddesc as description FROM '.sql_table('template_desc');\r
showlist($query,'table',array('content'=>'shortnames'));\r
- echo '</div></form>';\r
+ echo '</div></form></div>';\r
$this->pagefoot();\r
}\r
\r
// don't allow deletion of default skins for blogs\r
$query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
$r = sql_query($query);\r
- if ($o = mysql_fetch_object($r))\r
+ if ($o = sql_fetch_object($r))\r
$this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));\r
\r
$this->pagehead();\r
// don't allow deletion of default skins for blogs\r
$query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
$r = sql_query($query);\r
- if ($o = mysql_fetch_object($r))\r
+ if ($o = sql_fetch_object($r))\r
$this->error(_ERROR_SKINDEFDELETE .$o->bname);\r
\r
$manager->notify('PreDeleteSkin', array('skinid' => $skinid));\r
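Review bot: The error message at L1150 concatenates `$o->bname` raw, whereas the otherwise identical check at L1142 in the previous hunk wraps it in htmlspecialchars(); the blog name is set through the blog forms (L847) and error() writes the message straight into the page, so this one should be escaped the same way: `$this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));`. The enclosing method starts before this hunk.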
\r
$query = "SELECT stype FROM " . sql_table('skin') . " WHERE sdesc = " . $skinid;\r
$res = sql_query($query);\r
- while ($row = mysql_fetch_assoc($res)) {\r
+ while ($row = sql_fetch_assoc($res)) {\r
$this->skinclonetype($skin, $newid, $row['stype']);\r
}\r
\r
$newid = intval($newid);\r
$content = $skin->getContent($type);\r
if ($content) {\r
- $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". addslashes($content)."', '". addslashes($type)."')";\r
+ $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". sql_real_escape_string($content)."', '". sql_real_escape_string($type)."')";\r
sql_query($query);\r
}\r
}\r
<td>\r
\r
<select name="Language" tabindex="10050">\r
- <?php // show a dropdown list of all available languages\r
+ <?php // show a dropdown list of all available languages\r
global $DIR_LANG;\r
$dirhandle = opendir($DIR_LANG);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+ if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
- echo "<option value='$name'";\r
+ echo "<option value=\"$name\"";\r
if ($name == $CONF['Language'])\r
- echo " selected='selected'";\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
echo ">$name</option>";\r
}\r
}\r
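Review bot: The directory handle opened at L1175 is never closed in this loop, while the new AdminCSS loop further down does call closedir(); add `closedir($dirhandle);` after the while block, and check that opendir() did not return false before reading from it. The file name captured into `$name` is echoed into the option value and text (L1186, L1192) without htmlspecialchars(); language file names are presumably installer-controlled, but escaping them costs nothing and keeps this dropdown consistent with the others on the page. The enclosing method starts before this hunk.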
</td>\r
<td><?php /* $this->input_yesno('DisableJsTools',$CONF['DisableJsTools'],10075); */?>\r
<select name="DisableJsTools" tabindex="10075">\r
- <?php $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
+ <?php $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
echo "<option $extra value='1'>",_SETTINGS_JSTOOLBAR_NONE,"</option>";\r
$extra = ($CONF['DisableJsTools'] == 2) ? 'selected="selected"' : '';\r
echo "<option $extra value='2'>",_SETTINGS_JSTOOLBAR_SIMPLE,"</option>";\r
<input name="DefaultListSize" tabindex="10079" size="40" value="<?php echo htmlspecialchars((intval($CONF['DefaultListSize']) < 1 ? '10' : $CONF['DefaultListSize'])) ?>" />\r
</td>\r
</tr><tr>\r
+ <td><?php echo _SETTINGS_ADMINCSS?> \r
+ </td>\r
+ <td>\r
+ <select name="AdminCSS" tabindex="10080">\r
+ <?php // show a dropdown list of all available admin css files\r
+ global $DIR_NUCLEUS;\r
+ $dirhandle = opendir($DIR_NUCLEUS."styles/");\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+ if (preg_match('#^admin_(.*)\.css$#', $filename, $matches) )\r
+ {\r
+ $name = $matches[1];\r
+ echo "<option value=\"$name\"";\r
+ if ($name == $CONF['AdminCSS'])\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
+ echo ">$name</option>";\r
+ }\r
+ }\r
+ closedir($dirhandle);\r
+ ?>\r
+ </select>\r
+ </td>\r
+ </tr><tr>\r
<th colspan="2"><?php echo _SETTINGS_MEDIA?> <?php help('media'); ?></th>\r
</tr><tr>\r
<td><?php echo _SETTINGS_MEDIADIR?></td>\r
<td><?php echo htmlspecialchars($DIR_MEDIA) ?>\r
<i><?php echo _SETTINGS_SEECONFIGPHP?></i>\r
- <?php if (!is_dir($DIR_MEDIA))\r
+ <?php if (!is_dir($DIR_MEDIA))\r
echo "<br /><b>" . _WARNING_NOTADIR . "</b>";\r
if (!is_readable($DIR_MEDIA))\r
echo "<br /><b>" . _WARNING_NOTREADABLE . "</b>";\r
</tr><tr>\r
<td><?php echo _SETTINGS_MEDIAURL?></td>\r
<td>\r
- <input name="MediaURL" tabindex="10080" size="40" value="<?php echo htmlspecialchars($CONF['MediaURL']) ?>" />\r
+ <input name="MediaURL" tabindex="10090" size="40" value="<?php echo htmlspecialchars($CONF['MediaURL']) ?>" />\r
</td>\r
</tr><tr>\r
<td><?php echo _SETTINGS_ALLOWUPLOAD?></td>\r
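Review bot: The comment at L1215-1216 is a copy-paste leftover: it claims to replace an ereg() matching `^(.*)\.php$`, but this block is new and matches admin_*.css, so it documents code that never existed here. Replace it with one line stating the intent, e.g. `// list styles/admin_*.css; the captured name is what gets stored in $CONF['AdminCSS']`. As in the language dropdown above, `$name` is echoed into the option value and text (L1220, L1225) without htmlspecialchars(), and the opendir() result at L1212 is used without checking for false. The enclosing method starts before this hunk.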
\r
\r
// save settings\r
- $this->updateConfig('DefaultBlog', postVar('DefaultBlog'));\r
- $this->updateConfig('BaseSkin', postVar('BaseSkin'));\r
- $this->updateConfig('IndexURL', postVar('IndexURL'));\r
- $this->updateConfig('AdminURL', postVar('AdminURL'));\r
+ $this->updateConfig('DefaultBlog', postVar('DefaultBlog'));\r
+ $this->updateConfig('BaseSkin', postVar('BaseSkin'));\r
+ $this->updateConfig('IndexURL', postVar('IndexURL'));\r
+ $this->updateConfig('AdminURL', postVar('AdminURL'));\r
$this->updateConfig('PluginURL', postVar('PluginURL'));\r
- $this->updateConfig('SkinsURL', postVar('SkinsURL'));\r
+ $this->updateConfig('SkinsURL', postVar('SkinsURL'));\r
$this->updateConfig('ActionURL', postVar('ActionURL'));\r
- $this->updateConfig('Language', postVar('Language'));\r
- $this->updateConfig('AdminEmail', postVar('AdminEmail'));\r
+ $this->updateConfig('Language', postVar('Language'));\r
+ $this->updateConfig('AdminEmail', postVar('AdminEmail'));\r
$this->updateConfig('SessionCookie', postVar('SessionCookie'));\r
$this->updateConfig('AllowMemberCreate',postVar('AllowMemberCreate'));\r
- $this->updateConfig('AllowMemberMail', postVar('AllowMemberMail'));\r
+ $this->updateConfig('AllowMemberMail', postVar('AllowMemberMail'));\r
$this->updateConfig('NonmemberMail', postVar('NonmemberMail'));\r
- $this->updateConfig('ProtectMemNames', postVar('ProtectMemNames'));\r
- $this->updateConfig('SiteName', postVar('SiteName'));\r
+ $this->updateConfig('ProtectMemNames', postVar('ProtectMemNames'));\r
+ $this->updateConfig('SiteName', postVar('SiteName'));\r
$this->updateConfig('NewMemberCanLogon',postVar('NewMemberCanLogon'));\r
- $this->updateConfig('DisableSite', postVar('DisableSite'));\r
- $this->updateConfig('DisableSiteURL', postVar('DisableSiteURL'));\r
+ $this->updateConfig('DisableSite', postVar('DisableSite'));\r
+ $this->updateConfig('DisableSiteURL', postVar('DisableSiteURL'));\r
$this->updateConfig('LastVisit', postVar('LastVisit'));\r
- $this->updateConfig('MediaURL', postVar('MediaURL'));\r
- $this->updateConfig('AllowedTypes', postVar('AllowedTypes'));\r
- $this->updateConfig('AllowUpload', postVar('AllowUpload'));\r
+ $this->updateConfig('MediaURL', postVar('MediaURL'));\r
+ $this->updateConfig('AllowedTypes', postVar('AllowedTypes'));\r
+ $this->updateConfig('AllowUpload', postVar('AllowUpload'));\r
$this->updateConfig('MaxUploadSize', postVar('MaxUploadSize'));\r
- $this->updateConfig('MediaPrefix', postVar('MediaPrefix'));\r
- $this->updateConfig('AllowLoginEdit', postVar('AllowLoginEdit'));\r
- $this->updateConfig('DisableJsTools', postVar('DisableJsTools'));\r
- $this->updateConfig('CookieDomain', postVar('CookieDomain'));\r
- $this->updateConfig('CookiePath', postVar('CookiePath'));\r
- $this->updateConfig('CookieSecure', postVar('CookieSecure'));\r
- $this->updateConfig('URLMode', postVar('URLMode'));\r
- $this->updateConfig('CookiePrefix', postVar('CookiePrefix'));\r
+ $this->updateConfig('MediaPrefix', postVar('MediaPrefix'));\r
+ $this->updateConfig('AllowLoginEdit', postVar('AllowLoginEdit'));\r
+ $this->updateConfig('DisableJsTools', postVar('DisableJsTools'));\r
+ $this->updateConfig('CookieDomain', postVar('CookieDomain'));\r
+ $this->updateConfig('CookiePath', postVar('CookiePath'));\r
+ $this->updateConfig('CookieSecure', postVar('CookieSecure'));\r
+ $this->updateConfig('URLMode', postVar('URLMode'));\r
+ $this->updateConfig('CookiePrefix', postVar('CookiePrefix'));\r
$this->updateConfig('DebugVars', postVar('DebugVars'));\r
- $this->updateConfig('DefaultListSize', postVar('DefaultListSize'));\r
+ $this->updateConfig('DefaultListSize', postVar('DefaultListSize'));\r
+ $this->updateConfig('AdminCSS', postVar('AdminCSS'));\r
\r
// load new config and redirect (this way, the new language will be used is necessary)\r
// note that when changing cookie settings, this redirect might cause the user\r
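Review bot: The new `AdminCSS` setting at L1311 is stored exactly as posted; pagehead() later uses it to build the stylesheet path `styles/admin_<value>.css` and echoes it into that href unescaped, so nothing constrains it to one of the admin_*.css names the form offered. Whitelist it before saving, for example `$adminCSS = postVar('AdminCSS');` followed by `$this->updateConfig('AdminCSS', preg_match('#^[A-Za-z0-9_-]+$#', $adminCSS) ? $adminCSS : 'contemporary_jp');` ('contemporary_jp' being the default pagehead() seeds), or verify that the corresponding file exists. Only admins reach this action, so the impact is bounded by what an admin can already do, but the store-then-render path should not depend on that. The enclosing method starts before this hunk.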
echo "\t\t" . '<td>' . phpversion() . "</td>\n";\r
echo "\t</tr><tr>\n";\r
echo "\t\t" . '<td>' . _ADMIN_SYSTEMOVERVIEW_MYSQLVERSION . "</td>\n";\r
- echo "\t\t" . '<td>' . mysql_get_server_info() . ' (' . mysql_get_client_info() . ')' . "</td>\n";\r
+ echo "\t\t" . '<td>' . sql_get_server_info() . ' (' . sql_get_client_info() . ')' . "</td>\n";\r
echo "\t</tr>";\r
echo "</table>\n";\r
\r
* @todo document this\r
*/\r
function updateConfig($name, $val) {\r
- $name = addslashes($name);\r
- $val = trim(addslashes($val));\r
+ $name = sql_real_escape_string($name);\r
+ $val = trim(sql_real_escape_string($val));\r
\r
$query = 'UPDATE '.sql_table('config')\r
. " SET value='$val'"\r
. " WHERE name='$name'";\r
\r
- sql_query($query) or die("Query error: " . mysql_error());\r
- return mysql_insert_id();\r
+ sql_query($query) or die(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+ return sql_insert_id();\r
}\r
\r
/**\r
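Review bot: At L1329 the value is escaped first and trimmed afterwards, `$val = trim(sql_real_escape_string($val));` — if sql_real_escape_string() behaves like mysql_real_escape_string(), a trailing newline, carriage return or NUL has already become a backslash sequence by the time trim() runs and is therefore kept, so the stored value differs from what trim-then-escape would give; reverse the order: `$val = sql_real_escape_string(trim($val));`. The function also returns `sql_insert_id()` after an UPDATE, which carries no meaning for that statement; returning nothing, or the result of sql_query(), would be clearer. The `die()` on failure prints the raw driver error into the response; routing it through $this->error() would keep the page footer intact.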
$this->pagehead();\r
?>\r
<h2>Error!</h2>\r
- <?php echo $msg;\r
+ <?php echo $msg;\r
echo "<br />";\r
- echo "<a href='index.php' onclick='history.back()'>"._BACK."</a>";\r
+ echo "<a href='index.php' onclick='history.back(); return false;'>"._BACK."</a>";\r
$this->pagefoot();\r
exit;\r
}\r
);\r
\r
$baseUrl = htmlspecialchars($CONF['AdminURL']);\r
-\r
+ if (!array_key_exists('AdminCSS',$CONF)) \r
+ {\r
+ sql_query("INSERT INTO ".sql_table('config')." VALUES ('AdminCSS', 'contemporary_jp')");\r
+ $CONF['AdminCSS'] = 'contemporary_jp';\r
+ }\r
+ \r
?>\r
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
<html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
<title><?php echo htmlspecialchars($CONF['SiteName'])?> - Admin</title>\r
- <link rel="stylesheet" title="Nucleus Admin Default" type="text/css" href="<?php echo $baseUrl?>styles/admin.css" />\r
+ <link rel="stylesheet" title="Nucleus Admin Default" type="text/css" href="<?php echo $baseUrl?>styles/admin_<?php echo $CONF["AdminCSS"]?>.css" />\r
<link rel="stylesheet" title="Nucleus Admin Default" type="text/css"\r
href="<?php echo $baseUrl?>styles/addedit.css" />\r
\r
<?php echo $extrahead?>\r
</head>\r
<body>\r
+ <div id="adminwrapper">\r
<div class="header">\r
<h1><?php echo htmlspecialchars($CONF['SiteName'])?></h1>\r
</div>\r
<div id="container">\r
<div id="content">\r
<div class="loginname">\r
- <?php if ($member->isLoggedIn())\r
+ <?php if ($member->isLoggedIn())\r
echo _LOGGEDINAS . ' ' . $member->getDisplayName()\r
." - <a href='index.php?action=logout'>" . _LOGOUT. "</a>"\r
. "<br /><a href='index.php?action=overview'>" . _ADMINHOME . "</a> - ";\r
if ($member->isLoggedIn() && $member->isAdmin()) {\r
$checkURL = sprintf(_ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_URL, getNucleusVersion(), getNucleusPatchLevel());\r
echo '<a href="' . $checkURL . '" title="' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TITLE . '">Nucleus CMS ' . $nucleus['version'] . $codenamestring . '</a>';\r
+ $newestVersion = getLatestVersion();\r
+ $newestCompare = str_replace('/','.',$newestVersion);\r
+ $currentVersion = str_replace(array('/','v'),array('.',''),$nucleus['version']);\r
+ $currentVersion = floatval($currentVersion);\r
+ if ($newestVersion && version_compare($newestCompare,$currentVersion) > 0) {\r
+ echo '<br /><a style="color:red" href="'._ADMINPAGEFOOT_OFFICIALURL.'upgrade.php" title="'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TITLE.'">'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TEXT.$newestVersion.'</a>';\r
+ }\r
} else {\r
echo 'Nucleus CMS ' . $nucleus['version'] . $codenamestring;\r
}\r
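Review bot: `$CONF["AdminCSS"]` is echoed into the stylesheet href at L1370 without htmlspecialchars(), while `$baseUrl` on the same line is escaped; the value comes from the settings form (updateConfig('AdminCSS', postVar('AdminCSS'))) and should be escaped the same way: `href="<?php echo $baseUrl?>styles/admin_<?php echo htmlspecialchars($CONF['AdminCSS'])?>.css"`. The same applies to `$newestVersion` at L1397, which presumably comes from outside this file via getLatestVersion() and is printed raw; wrap it in htmlspecialchars() too. Separately, `$currentVersion = floatval($currentVersion);` at L1395 hands a float to version_compare(), which compares dotted strings segment by segment, so a version like 3.60 would be read as 3.6 (segment "6" instead of "60"); drop the floatval() and pass the string. pagehead()'s opening is outside this hunk.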
<li><a href="index.php?action=overview"><?php echo _BACKHOME?></a></li>\r
<li><a href='index.php?action=logout'><?php echo _LOGOUT?></a></li>\r
</ul>\r
- <?php }\r
+ <?php }\r
?>\r
<div class="foot">\r
<a href="<?php echo _ADMINPAGEFOOT_OFFICIALURL ?>">Nucleus CMS</a> © 2002-<?php echo date('Y') . ' ' . _ADMINPAGEFOOT_COPYRIGHT; ?>\r
\r
<div id="quickmenu">\r
\r
- <?php // ---- user settings ----\r
+ <?php // ---- user settings ----\r
if (($action != 'showlogin') && ($member->isLoggedIn())) {\r
echo '<ul>';\r
echo '<li><a href="index.php?action=overview">',_QMENU_HOME,'</a></li>';\r
</div>\r
\r
<!-- content / quickmenu container -->\r
+ <div class="clear"></div> <!-- new -->\r
</div>\r
\r
-\r
+ <!-- adminwrapper --> <!-- new -->\r
+ </div> <!-- new -->\r
</body>\r
</html>\r
- <?php }\r
+ <?php }\r
\r
/**\r
* @todo document this\r
\r
</form>\r
\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
}\r
\r
/**\r
function action_banlistadd() {\r
global $member;\r
\r
- $blogid = intPostVar('blogid');\r
- $allblogs = postVar('allblogs');\r
- $iprange = postVar('iprange');\r
+ $blogid = intPostVar('blogid');\r
+ $allblogs = postVar('allblogs');\r
+ $iprange = postVar('iprange');\r
if ($iprange == "custom")\r
$iprange = postVar('customiprange');\r
- $reason = postVar('reason');\r
+ $reason = postVar('reason');\r
\r
$member->blogAdminRights($blogid) or $this->disallow();\r
\r
<br /><?php echo _RESTORE_WARNING?>\r
</p></form>\r
\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
}\r
\r
/**\r
$this->pagehead();\r
?>\r
<h2><?php echo _RESTORE_COMPLETE?></h2>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
\r
}\r
\r
- /**\r
- * @todo document this\r
- */\r
+/*\r
+ * @todo document this\r
+ */\r
function action_pluginlist() {\r
global $member, $manager;\r
\r
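Review bot: L1477 turns the docblock opener `/**` into a plain comment `/*`, so action_pluginlist() loses its PHPDoc block (documentation tools only read `/**`); the other methods in this file keep `/**` (e.g. L1626, L1690), and it should be restored here. The `@todo document this` also survives the rewrite; a one-line summary such as `Shows the installed plugins and offers NP_*.php files found in $DIR_PLUGINS that are not yet installed` is grounded in the query at L1490 and the candidate scan later in the method.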
\r
echo '<h2>' , _PLUGS_TITLE_MANAGE , ' ', help('plugins'), '</h2>';\r
\r
- echo '<h3>' , _PLUGS_TITLE_INSTALLED , '</h3>';\r
+ echo '<h3>' , _PLUGS_TITLE_INSTALLED , ' <span style="font-size:smaller">', helplink('getplugins'), _PLUGS_TITLE_GETPLUGINS, '</a></span></h3>';\r
\r
\r
$query = 'SELECT * FROM '.sql_table('plugin').' ORDER BY porder ASC';\r
</div></form>\r
\r
<h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
-\r
- <?php // find a list of possibly non-installed plugins\r
+ \r
+ <?php\r
+ // find a list of possibly non-installed plugins\r
$candidates = array();\r
global $DIR_PLUGINS;\r
$dirhandle = opendir($DIR_PLUGINS);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg('^NP_(.*)\.php$',$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg('^NP_(.*)\.php$',$filename,$matches)\r
+ if (preg_match('#^NP_(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
// only show in list when not yet installed\r
- $res = sql_query('SELECT * FROM '.sql_table('plugin').' WHERE pfile="NP_'.addslashes($name).'"');\r
- if (mysql_num_rows($res) == 0)\r
- array_push($candidates,$name);\r
+ $res = sql_query('SELECT * FROM ' . sql_table('plugin') . ' WHERE `pfile` = "NP_' . sql_real_escape_string($name) . '"');\r
+ if (sql_num_rows($res) == 0)\r
+ {\r
+ array_push($candidates, $name);\r
+ }\r
}\r
}\r
closedir($dirhandle);\r
-\r
- if (sizeof($candidates) > 0) {\r
+ \r
+ if (sizeof($candidates) > 0)\r
+ {\r
?>\r
\r
<p><?php echo _PLUGS_ADD_TEXT?></p>\r
<input type='hidden' name='action' value='pluginadd' />\r
<?php $manager->addTicketHidden() ?>\r
<select name="filename" tabindex="30">\r
- <?php foreach($candidates as $name)\r
- echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+ <?php \r
+ foreach($candidates as $name)\r
+ {\r
+ echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+ }\r
?>\r
</select>\r
<input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
</div></form>\r
\r
- <?php } else { // sizeof(candidates) == 0\r
+ <?php\r
+ }\r
+ else\r
+ {\r
echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
}\r
\r
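Review bot: At L1539 the candidate name goes into the option value attribute raw while the visible text is escaped; since `$name` is whatever `^NP_(.*)\.php$` captured from a directory entry, escape both: `echo '<option value="NP_',htmlspecialchars($name),'">',htmlspecialchars($name),'</option>';`. The opendir() result at L1501 is also used without checking for false, and sql_num_rows() at L1516 is called on `$res` without checking that the query succeeded. The enclosing method starts before this hunk.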
if (($plug->supportsFeature('HelpPage') > 0) && (@file_exists($helpFile))) {\r
@readfile($helpFile);\r
} else {\r
- echo '<p>Error: ', _ERROR_PLUGNOHELPFILE,'</p>';\r
+ echo '<p>' . _ERROR .': ', _ERROR_PLUGNOHELPFILE,'</p>';\r
echo '<p><a href="index.php?action=pluginlist">(',_BACK,')</a></p>';\r
}\r
\r
\r
// get number of currently installed plugins\r
$res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
- $numCurrent = mysql_num_rows($res);\r
+ $numCurrent = sql_num_rows($res);\r
\r
// plugin will be added as last one in the list\r
$newOrder = $numCurrent + 1;\r
);\r
\r
// do this before calling getPlugin (in case the plugin id is used there)\r
- $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.addslashes($name).'")';\r
+ $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.sql_real_escape_string($name).'")';\r
sql_query($query);\r
- $iPid = mysql_insert_id();\r
+ $iPid = sql_insert_id();\r
\r
$manager->clearCachedInfo('installedPlugins');\r
\r
{\r
\r
$res = sql_query('SELECT * FROM '.sql_table('plugin') . ' WHERE pfile="' . $pluginName . '"');\r
- if (mysql_num_rows($res) == 0)\r
+ if (sql_num_rows($res) == 0)\r
{\r
// uninstall plugin again...\r
$this->deleteOnePlugin($plugin->getID());\r
* @todo document this\r
*/\r
function action_pluginupdate() {\r
- global $member, $manager;\r
+ global $member, $manager, $CONF;\r
\r
// check if allowed\r
$member->isAdmin() or $this->disallow();\r
\r
// loop over all installed plugins\r
$res = sql_query('SELECT pid, pfile FROM '.sql_table('plugin'));\r
- while($o = mysql_fetch_object($res)) {\r
+ while($o = sql_fetch_object($res)) {\r
$pid = $o->pid;\r
$plug =& $manager->getPlugin($o->pfile);\r
if ($plug)\r
{\r
$eventList = $plug->getEventList();\r
foreach ($eventList as $eventName)\r
- sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.addslashes($eventName).'\')');\r
+ sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.sql_real_escape_string($eventName).'\')');\r
}\r
}\r
\r
- redirect('?action=pluginlist');\r
+ redirect($CONF['AdminURL'] . '?action=pluginlist');\r
// $this->action_pluginlist();\r
}\r
\r
<input type="hidden" name="plugid" value="<?php echo $pid; ?>" />\r
<input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
</div></form>\r
- <?php $this->pagefoot();\r
+ <?php\r
+ $this->pagefoot();\r
}\r
\r
/**\r
* @todo document this\r
*/\r
function action_plugindeleteconfirm() {\r
- global $member, $manager;\r
+ global $member, $manager, $CONF;\r
\r
// check if allowed\r
$member->isAdmin() or $this->disallow();\r
$this->error($error);\r
}\r
\r
- redirect('?action=pluginlist');\r
+ redirect($CONF['AdminURL'] . '?action=pluginlist');\r
// $this->action_pluginlist();\r
}\r
\r
\r
// check dependency before delete\r
$res = sql_query('SELECT pfile FROM '.sql_table('plugin'));\r
- while($o = mysql_fetch_object($res)) {\r
+ while($o = sql_fetch_object($res)) {\r
$plug =& $manager->getPlugin($o->pfile);\r
if ($plug)\r
{\r
// get OIDs from plugin_option_desc\r
$res = sql_query('SELECT oid FROM ' . sql_table('plugin_option_desc') . ' WHERE opid=' . $pid);\r
$aOIDs = array();\r
- while ($o = mysql_fetch_object($res)) {\r
+ while ($o = sql_fetch_object($res)) {\r
array_push($aOIDs, $o->oid);\r
}\r
\r
\r
// update order numbers\r
$res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid=' . $pid);\r
- $o = mysql_fetch_object($res);\r
+ $o = sql_fetch_object($res);\r
sql_query('UPDATE '.sql_table('plugin').' SET porder=(porder - 1) WHERE porder>'.$o->porder);\r
\r
// delete row\r
* @todo document this\r
*/\r
function action_pluginup() {\r
- global $member, $manager;\r
+ global $member, $manager, $CONF;\r
\r
// check if allowed\r
$member->isAdmin() or $this->disallow();\r
\r
// 1. get old order number\r
$res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
- $o = mysql_fetch_object($res);\r
+ $o = sql_fetch_object($res);\r
$oldOrder = $o->porder;\r
\r
// 2. calculate new order number\r
\r
//$this->action_pluginlist();\r
// To avoid showing ticket in the URL, redirect to pluginlist, instead.\r
- redirect('?action=pluginlist');\r
+ redirect($CONF['AdminURL'] . '?action=pluginlist');\r
}\r
\r
/**\r
* @todo document this\r
*/\r
function action_plugindown() {\r
- global $member, $manager;\r
+ global $member, $manager, $CONF;\r
\r
// check if allowed\r
$member->isAdmin() or $this->disallow();\r
\r
// 1. get old order number\r
$res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
- $o = mysql_fetch_object($res);\r
+ $o = sql_fetch_object($res);\r
$oldOrder = $o->porder;\r
\r
$res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
- $maxOrder = mysql_num_rows($res);\r
+ $maxOrder = sql_num_rows($res);\r
\r
// 2. calculate new order number\r
$newOrder = ($oldOrder < $maxOrder) ? ($oldOrder + 1) : $maxOrder;\r
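Review bot: `$maxOrder = sql_num_rows($res);` after `SELECT * FROM plugin` pulls every column of every plugin row just to count them, and the count only equals the highest order number if porder values are contiguous from 1, which nothing in the hunk guarantees. Asking the database for the bound directly avoids both concerns: `$res = sql_query('SELECT MAX(porder) AS maxorder FROM '.sql_table('plugin'));` followed by `$maxOrder = (int) sql_fetch_object($res)->maxorder;`. That also removes the dependency on the row-count/porder invariant, which is easy to break once a plugin row is deleted. The rest of action_plugindown lies outside this hunk.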
\r
//$this->action_pluginlist();\r
// To avoid showing ticket in the URL, redirect to pluginlist, instead.\r
- redirect('?action=pluginlist');\r
+ redirect($CONF['AdminURL'] . '?action=pluginlist');\r
}\r
\r
/**\r
$aOIDs = array();\r
$query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ' WHERE ocontext=\'global\' and opid=' . $pid . ' ORDER BY oid ASC';\r
$r = sql_query($query);\r
- while ($o = mysql_fetch_object($r)) {\r
+ while ($o = sql_fetch_object($r)) {\r
array_push($aOIDs, $o->oid);\r
$aOptions[$o->oid] = array(\r
'oid' => $o->oid,\r
// fill out actual values\r
if (count($aOIDs) > 0) {\r
$r = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE oid in ('.implode(',',$aOIDs).')');\r
- while ($o = mysql_fetch_object($r))\r
+ while ($o = sql_fetch_object($r))\r
$aOptions[$o->oid]['value'] = $o->ovalue;\r
}\r
\r
?>\r
</div>\r
</form>\r
- <?php $this->pagefoot();\r
+ <?php $this->pagefoot();\r
\r
\r
\r
// (note: this might contain doubles for overlapping contextids)\r
$aIdToValue = array();\r
$res = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE ocontextid=' . intval($contextid));\r
- while ($o = mysql_fetch_object($res)) {\r
+ while ($o = sql_fetch_object($res)) {\r
$aIdToValue[$o->oid] = $o->ovalue;\r
}\r
\r
// get list of oids per pid\r
$query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
- . ' WHERE opid=pid and ocontext=\''.addslashes($context).'\' ORDER BY porder, oid ASC';\r
+ . ' WHERE opid=pid and ocontext=\''.sql_real_escape_string($context).'\' ORDER BY porder, oid ASC';\r
$res = sql_query($query);\r
$aOptions = array();\r
- while ($o = mysql_fetch_object($res)) {\r
+ while ($o = sql_fetch_object($res)) {\r
if (in_array($o->oid, array_keys($aIdToValue)))\r
$value = $aIdToValue[$o->oid];\r
else\r
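Review bot: `if (in_array($o->oid, array_keys($aIdToValue)))` is a loose, linear membership test that rebuilds the whole key list on every iteration of the second fetch loop, even though `$aIdToValue` is already keyed by oid on the line `$aIdToValue[$o->oid] = $o->ovalue;`. `if (array_key_exists($o->oid, $aIdToValue))` asks the same question in constant time and without the implicit `==` comparison of `in_array`. The enclosing function starts and ends outside this hunk, so the origin of `$context` and `$contextid` cannot be checked here; the switch to `sql_real_escape_string($context)` is the right escaping for the quoted literal, and `intval($contextid)` already covers the numeric one.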
// new plugin?\r
if ($iPrevPid != $aOption['pid']) {\r
$iPrevPid = $aOption['pid'];\r
-\r
- echo '<tr><th colspan="2">Options for ', htmlspecialchars($aOption['pfile']),'</th></tr>';\r
+ if (!defined('_PLUGIN_OPTIONS_TITLE')) {\r
+ define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');\r
+ }\r
+ echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
}\r
-\r
+ \r
$meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
if (@$meta['access'] != 'hidden') {\r
echo '<tr>';\r
listplug_plugOptionRow($aOption);\r
echo '</tr>';\r
}\r
-\r
}\r
-\r
-\r
}\r
\r
/**\r
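Review bot: The `if (!defined('_PLUGIN_OPTIONS_TITLE')) { define(...); }` fallback sits inside the per-option loop, so it is evaluated on every row although it can only take effect once, and it papers over a missing language constant at render time rather than where the language file is loaded; hoisting it above the loop (or into the language bootstrap) keeps the rendering code free of definition side effects. The `sprintf(_PLUGIN_OPTIONS_TITLE, ...)` call also silently drops the plugin file name if a translation of that constant lacks the `%s` placeholder, which is worth recording next to the define: `// _PLUGIN_OPTIONS_TITLE must contain exactly one %s for the (HTML-escaped) plugin file name`. The loop and its enclosing function begin outside this hunk.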
\r
if ($name=="admin") {\r
echo '<input onclick="selectCanLogin(true);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
- } else {\r
+ } else {\r
echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
}\r
\r