<?php\r
/*\r
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
- * Copyright (C) 2002-2009 The Nucleus Group\r
+ * Copyright (C) 2002-2011 The Nucleus Group\r
*\r
* This program is free software; you can redistribute it and/or\r
* modify it under the terms of the GNU General Public License\r
* The code for the Nucleus admin area\r
*\r
* @license http://nucleuscms.org/license.txt GNU General Public License\r
- * @copyright Copyright (C) 2002-2009 The Nucleus Group\r
+ * @copyright Copyright (C) 2002-2011 The Nucleus Group\r
* @version $Id$\r
* @version $NucleusJP: ADMIN.php,v 1.21.2.4 2007/10/30 19:04:24 kmorimatsu Exp $\r
*/\r
. ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
\r
if ($search)\r
- $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+ $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
\r
// non-blog-admins can only edit/delete their own items\r
if (!$member->blogAdminRights($blogid))\r
. ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
\r
if ($search)\r
- $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+ $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
\r
$query .= ' ORDER BY itime DESC'\r
. " LIMIT $start,$amount";\r
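Review bot: The `LIMIT $start,$amount` clauses in this hunk and in the two comment-list hunks that follow interpolate values that are not visibly cast, and `$blogid` in the first WHERE clause and `$itemid` in the next hunk are concatenated raw, while the blog-comments query further down uses `intval($blogid)`; unless these are cast before the hunk, wrap them as `intval($start)`, `intval($amount)` (and `intval($blogid)`, `intval($itemid)`) so the escaping this commit introduces is complete. `sql_real_escape_string()` also leaves the LIKE wildcards `%` and `_` alone, so a search term still acts as a pattern; `sql_real_escape_string(addcslashes($search, '%_'))` would make them literal if that is not intended. The statements these lines belong to begin outside the hunk.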
$query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
\r
if ($search)\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
$query .= ' ORDER BY ctime ASC'\r
. " LIMIT $start,$amount";\r
$query = 'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
\r
if ($search)\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
$query .= ' ORDER BY ctime DESC'\r
. " LIMIT $start,$amount";\r
$query = 'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
\r
if ($search != '')\r
- $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+ $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
\r
\r
$query .= ' ORDER BY ctime DESC'\r
\r
// change <br /> to \n\r
$comment['body'] = str_replace('<br />','',$comment['body']);\r
-\r
- $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>","\\1",$comment['body']);\r
-\r
+ \r
+ // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+ /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+ $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#i", "\\1", $comment['body']);\r
+ \r
$this->pagehead();\r
\r
?>\r
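Review bot: `preg_replace()` returns `null` when PCRE fails (for instance when the backtrack limit is hit on a long comment body), so the new call can turn `$comment['body']` into `null` where `eregi_replace()` left it unchanged. Assign the result to a temporary and keep the original body when it is `null`, or check `preg_last_error()` after the call. The pattern itself, including the `i` modifier, is equivalent to the old expression. The enclosing method begins outside the hunk.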
$url = postVar('url');\r
$email = postVar('email');\r
$body = postVar('body');\r
-\r
+ \r
+ # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+ # important note that '\' must be matched with '\\\\' in preg* expressions\r
// intercept words that are too long\r
- if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false)\r
+ if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+ {\r
$this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+ }\r
+ \r
// check length\r
- if (strlen($body)<3)\r
+ if (strlen($body) < 3)\r
+ {\r
$this->error(_ERROR_COMMENT_NOCOMMENT);\r
+ }\r
if (strlen($body)>5000)\r
+ {\r
$this->error(_ERROR_COMMENT_TOOLONG);\r
-\r
-\r
+ }\r
+ \r
// prepare body\r
$body = COMMENT::prepareBody($body);\r
\r
$manager->notify('PreUpdateComment',array('body' => &$body));\r
\r
$query = 'UPDATE '.sql_table('comment')\r
- . " SET cmail = '" . addslashes($url) . "', cemail = '" . addslashes($email) . "', cbody = '" . addslashes($body) . "'"\r
+ . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
. " WHERE cnumber=" . $commentid;\r
sql_query($query);\r
\r
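Review bot: `preg_match(...) != FALSE` in the long-word check treats a PCRE error (`false`, e.g. the backtrack limit on a body near the 5000-byte limit) the same as "no match", so a body that trips the engine bypasses the check; `if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) !== 0)` rejects on error as well. In the UPDATE at the end of the hunk `$commentid` is still concatenated raw while the three values next to it are escaped; if it is not cast before this point, use `intval($commentid)`. `strlen()` counts bytes, so the 3/5000 bounds are byte lengths — presumably intended, but worth a comment. The enclosing method begins outside the hunk.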
<?php // show a dropdown list of all available languages\r
global $DIR_LANG;\r
$dirhandle = opendir($DIR_LANG);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle))\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+ if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
- echo "<option value='$name'";\r
- if ($name == $mem->getLanguage())\r
- echo " selected='selected'";\r
+ echo "<option value=\"$name\"";\r
+ if ($name == $mem->getLanguage() )\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
echo ">$name</option>";\r
}\r
}\r
closedir($dirhandle);\r
-\r
+ \r
?>\r
</select>\r
\r
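Review bot: `$name` is taken from a directory listing and echoed into the `value` attribute and the option text without escaping, here and in the same pattern in the settings-page language list, the new AdminCSS list and the plugin-candidate list further down (where only the visible text is escaped); wrap it as `htmlspecialchars($name, ENT_QUOTES)` in each echo. The file names come from directories the installation controls, so the exposure is low, but it is an attribute context and the rest of the page escapes consistently. `opendir()` can also return `false`, which `readdir()` then warns on every request; an `if ($dirhandle)` guard around the loop avoids that.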
$email = strip_tags(postVar('email'));\r
$url = strip_tags(postVar('url'));\r
\r
- // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
- if (!eregi("^https?://", $url))\r
- $url = "http://".$url;\r
-\r
+ # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original eregi: !eregi("^https?://", $url)\r
+ // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+ if (!preg_match('#^https?://#', $url) )\r
+ {\r
+ $url = 'http://' . $url;\r
+ }\r
$admin = postVar('admin');\r
$canlogin = postVar('canlogin');\r
$notes = strip_tags(postVar('notes'));\r
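Review bot: The replacement drops the case-insensitivity of the original `eregi("^https?://", $url)`: `preg_match('#^https?://#', $url)` no longer matches `HTTP://example.com`, so such input gets a second scheme prepended. Add the modifier, `if (!preg_match('#^https?://#i', $url) )`, to keep the old behaviour. An empty `$url` still becomes `http://`, as before; if that is not wanted, skip the prefix when `$url === ''`.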
$password = postVar('password');\r
$repeatpassword = postVar('repeatpassword');\r
\r
- if ($password != $repeatpassword)\r
+ if (!$password) {
+ return $this->_showActivationPage($key, _ERROR_PASSWORDMISSING);\r
+ }\r
+ \r
+ if ($password != $repeatpassword) {\r
return $this->_showActivationPage($key, _ERROR_PASSWORDMISMATCH);\r
-\r
- if ($password && (strlen($password) < 6))\r
+ }\r
+ \r
+ if (strlen($password) < 6) {\r
return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
-\r
+ }\r
+ \r
$pwdvalid = true;\r
$pwderror = '';\r
+ \r
global $manager;\r
$manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+ \r
if (!$pwdvalid) {\r
return $this->_showActivationPage($key,$pwderror);\r
}\r
-\r
+ \r
$error = '';\r
$manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
if ($error != '')\r
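Review bot: `$password != $repeatpassword` uses loose inequality, which compares two numeric strings numerically — `'1e3'` and `'1000'`, or `'0'` and `'00'`, pass the mismatch check; use `if ($password !== $repeatpassword) {`. `!$password` also rejects the password `'0'` as missing (it would fail the length check anyway, but with the wrong message); `$password === ''` states the intent. The enclosing method begins and ends outside the hunk.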
<td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
</tr><tr>\r
<td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
- <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+ <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
</tr><tr>\r
<td><?php echo _EBLOG_NOTIFY_ON?></td>\r
<td>\r
if (!isValidCategoryName($cname))\r
$this->error(_ERROR_BADCATEGORYNAME);\r
\r
- $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+ $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
$res = sql_query($query);\r
if (sql_num_rows($res) > 0)\r
$this->error(_ERROR_DUPCATEGORYNAME);\r
if (!isValidCategoryName($cname))\r
$this->error(_ERROR_BADCATEGORYNAME);\r
\r
- $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+ $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
$res = sql_query($query);\r
if (sql_num_rows($res) > 0)\r
$this->error(_ERROR_DUPCATEGORYNAME);\r
\r
$query = 'UPDATE '.sql_table('category').' SET'\r
- . " cname='" . addslashes($cname) . "',"\r
- . " cdesc='" . addslashes($cdesc) . "'"\r
+ . " cname='" . sql_real_escape_string($cname) . "',"\r
+ . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
. " WHERE catid=" . $catid;\r
\r
sql_query($query);\r
\r
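Review bot: In both category queries `$catid` is still interpolated raw (`not(catid=$catid)` in the duplicate check and `WHERE catid=` in the UPDATE) while `$blogid` on the same line is wrapped in `intval()`; unless it is cast before the hunk, use `intval($catid)` in both places so the hunk's escaping is complete. The enclosing method begins outside the hunk.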
/* unlink comments from memberid */\r
if ($memberid) {\r
- $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. addslashes($mem->getDisplayName())\r
+ $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
.'" WHERE cmember='.$memberid;\r
sql_query($query);\r
}\r
\r
\r
// add slashes for sql queries\r
- $bname = addslashes($bname);\r
- $bshortname = addslashes($bshortname);\r
- $btimeoffset = addslashes($btimeoffset);\r
- $bdesc = addslashes($bdesc);\r
- $bdefskin = addslashes($bdefskin);\r
+ $bname = sql_real_escape_string($bname);\r
+ $bshortname = sql_real_escape_string($bshortname);\r
+ $btimeoffset = sql_real_escape_string($btimeoffset);\r
+ $bdesc = sql_real_escape_string($bdesc);\r
+ $bdefskin = sql_real_escape_string($bdefskin);\r
\r
// create blog\r
$query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
$blog =& $manager->getBlog($blogid);\r
\r
// create new category\r
-\r
-\r
+ $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+ $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
$sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
- sql_query(sprintf($sql, sql_table('category'), $blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC));\r
-\r
+ sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
// sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
$catid = sql_insert_id();\r
\r
$memberid = $member->getID();\r
$query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
sql_query($query);\r
-\r
-\r
-\r
-\r
-\r
-\r
- $blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
-\r
-\r
+ \r
+ $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+ $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+ \r
+ $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+ //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+ \r
+ \r
+ \r
$manager->notify(\r
'PostAddBlog',\r
array(\r
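Review bot: The default-category INSERT passes `$catdefname` and `$catdefdesc` through `sprintf('... VALUES (%d, "%s", "%s")')` without escaping, so a translation constant containing `"` or `\` breaks the statement, while the rest of this commit escapes every string value; pass `sql_real_escape_string($catdefname)` and `sql_real_escape_string($catdefdesc)` to `sprintf()`. The commented-out `sql_query(...)` and `$blog->additem(...)` lines kept next to the live calls should be removed rather than left as history. The enclosing method begins and ends outside the hunk.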
$member->isAdmin() or $this->disallow();\r
\r
$extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
- $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+ $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
\r
$this->pagehead($extrahead);\r
\r
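Review bot: `sql_real_escape_string(_EDITTEMPLATE_EMPTY)` applies SQL escaping to a value emitted into a JavaScript string literal inside `<script>`, which is the wrong context for it (and it now needs a live database connection just to build the page header). `addslashes()` was at least context-neutral; the correct encoding is `json_encode()`, e.g. `$extrahead .= '<script type="text/javascript">setTemplateEditText(' . json_encode(_EDITTEMPLATE_EMPTY) . ');</script>';`, which also escapes `/` so a `</script>` inside the text cannot terminate the block. The enclosing method begins outside the hunk.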
$this->error(_ERROR_DUPTEMPLATENAME);\r
\r
\r
- $name = addslashes($name);\r
- $desc = addslashes($desc);\r
+ $name = sql_real_escape_string($name);\r
+ $desc = sql_real_escape_string($desc);\r
\r
// 1. Remove all template parts\r
$query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
* @todo document this\r
*/\r
function addToTemplate($id, $partname, $content) {\r
- $partname = addslashes($partname);\r
- $content = addslashes($content);\r
+ $partname = sql_real_escape_string($partname);\r
+ $content = sql_real_escape_string($content);\r
\r
$id = intval($id);\r
\r
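Review bot: `addToTemplate()` still carries `@todo document this` although the hunk touches the one contract detail callers need: `$partname` and `$content` are SQL-escaped inside the function, so callers must pass raw values or they are double-escaped. Replace the todo with a docblock stating that it inserts a single template part, that `$id` is the template id and is cast to `int`, and that `$partname` and `$content` are escaped here and must not be pre-escaped. The function body continues past the hunk.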
<?php if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
?>\r
\r
-\r
+ <div style="width:100%;">\r
<form method="post" action="index.php">\r
<div>\r
\r
echo '<br />' . _SKINEDIT_ALLOWEDTEMPLATESS;\r
$query = 'SELECT tdname as name, tddesc as description FROM '.sql_table('template_desc');\r
showlist($query,'table',array('content'=>'shortnames'));\r
- echo '</div></form>';\r
+ echo '</div></form></div>';\r
$this->pagefoot();\r
}\r
\r
$newid = intval($newid);\r
$content = $skin->getContent($type);\r
if ($content) {\r
- $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". addslashes($content)."', '". addslashes($type)."')";\r
+ $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". sql_real_escape_string($content)."', '". sql_real_escape_string($type)."')";\r
sql_query($query);\r
}\r
}\r
<?php // show a dropdown list of all available languages\r
global $DIR_LANG;\r
$dirhandle = opendir($DIR_LANG);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+ if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
- echo "<option value='$name'";\r
+ echo "<option value=\"$name\"";\r
if ($name == $CONF['Language'])\r
- echo " selected='selected'";\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
echo ">$name</option>";\r
}\r
}\r
<input name="DefaultListSize" tabindex="10079" size="40" value="<?php echo htmlspecialchars((intval($CONF['DefaultListSize']) < 1 ? '10' : $CONF['DefaultListSize'])) ?>" />\r
</td>\r
</tr><tr>\r
+ <td><?php echo _SETTINGS_ADMINCSS?> \r
+ </td>\r
+ <td>\r
+ <select name="AdminCSS" tabindex="10080">\r
+ <?php // show a dropdown list of all available admin css files\r
+ global $DIR_NUCLEUS;\r
+ $dirhandle = opendir($DIR_NUCLEUS."styles/");\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+ if (preg_match('#^admin_(.*)\.css$#', $filename, $matches) )\r
+ {\r
+ $name = $matches[1];\r
+ echo "<option value=\"$name\"";\r
+ if ($name == $CONF['AdminCSS'])\r
+ {\r
+ echo " selected=\"selected\"";\r
+ }\r
+ echo ">$name</option>";\r
+ }\r
+ }\r
+ closedir($dirhandle);\r
+ ?>\r
+ </select>\r
+ </td>\r
+ </tr><tr>\r
<th colspan="2"><?php echo _SETTINGS_MEDIA?> <?php help('media'); ?></th>\r
</tr><tr>\r
<td><?php echo _SETTINGS_MEDIADIR?></td>\r
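Review bot: The two `#` comments above `preg_match('#^admin_(.*)\.css$#', $filename, $matches)` are copied from the language dropdown and describe an `ereg("^(.*)\.php$", ...)` that never existed in this block — the AdminCSS list is new code, not a conversion — so they should be dropped. `$CONF['AdminCSS']` is read for the `selected` comparison but, as far as the page shows, is only seeded when `pagehead()` runs without the key, so the comparison depends on that ordering; `isset($CONF['AdminCSS']) && $name == $CONF['AdminCSS']` makes the block self-contained. `opendir($DIR_NUCLEUS."styles/")` is also used without a `false` check.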
</tr><tr>\r
<td><?php echo _SETTINGS_MEDIAURL?></td>\r
<td>\r
- <input name="MediaURL" tabindex="10080" size="40" value="<?php echo htmlspecialchars($CONF['MediaURL']) ?>" />\r
+ <input name="MediaURL" tabindex="10090" size="40" value="<?php echo htmlspecialchars($CONF['MediaURL']) ?>" />\r
</td>\r
</tr><tr>\r
<td><?php echo _SETTINGS_ALLOWUPLOAD?></td>\r
$this->updateConfig('CookiePrefix', postVar('CookiePrefix'));\r
$this->updateConfig('DebugVars', postVar('DebugVars'));\r
$this->updateConfig('DefaultListSize', postVar('DefaultListSize'));\r
+ $this->updateConfig('AdminCSS', postVar('AdminCSS'));\r
\r
// load new config and redirect (this way, the new language will be used is necessary)\r
// note that when changing cookie settings, this redirect might cause the user\r
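Review bot: `postVar('AdminCSS')` is stored without being checked against the names the dropdown offers, and the stored value is later written into the stylesheet `href` in `pagehead()`; `sql_real_escape_string()` inside `updateConfig()` only protects the SQL statement, not that use. Validate before saving — `preg_match('#^[a-zA-Z0-9_-]+$#', postVar('AdminCSS'))` or a check that `admin_<name>.css` exists under `$DIR_NUCLEUS . 'styles/'` — and refuse the update with the appropriate `_ERROR_` constant otherwise. The enclosing method begins and ends outside the hunk.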
* @todo document this\r
*/\r
function updateConfig($name, $val) {\r
- $name = addslashes($name);\r
- $val = trim(addslashes($val));\r
+ $name = sql_real_escape_string($name);\r
+ $val = trim(sql_real_escape_string($val));\r
\r
$query = 'UPDATE '.sql_table('config')\r
. " SET value='$val'"\r
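Review bot: `trim(sql_real_escape_string($val))` trims after escaping, and unlike `addslashes()`, `sql_real_escape_string()` rewrites leading and trailing `\n`, `\r` and NUL bytes into the two-character sequences `\n`, `\r`, `\0`, which `trim()` then leaves in place — so whitespace the old code stripped is now stored. Swap the order: `$val = sql_real_escape_string(trim($val));`. `updateConfig()` also still has `@todo document this`; a docblock noting that `$name` and `$val` are escaped inside (callers pass raw values) and that `$val` is trimmed would replace it. The function continues past the hunk.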
<h2>Error!</h2>\r
<?php echo $msg;\r
echo "<br />";\r
- echo "<a href='index.php' onclick='history.back()'>"._BACK."</a>";\r
+ echo "<a href='index.php' onclick='history.back(); return false;'>"._BACK."</a>";\r
$this->pagefoot();\r
exit;\r
}\r
);\r
\r
$baseUrl = htmlspecialchars($CONF['AdminURL']);\r
-\r
- ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
+ if (!array_key_exists('AdminCSS',$CONF)) \r
+ {\r
+ sql_query("INSERT INTO ".sql_table('config')." VALUES ('AdminCSS', 'contemporary_jp')");\r
+ $CONF['AdminCSS'] = 'contemporary_jp';\r
+ }\r
+ \r
+ ?>\r
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
<html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
<title><?php echo htmlspecialchars($CONF['SiteName'])?> - Admin</title>\r
- <link rel="stylesheet" title="Nucleus Admin Default" type="text/css" href="<?php echo $baseUrl?>styles/admin.css" />\r
+ <link rel="stylesheet" title="Nucleus Admin Default" type="text/css" href="<?php echo $baseUrl?>styles/admin_<?php echo $CONF["AdminCSS"]?>.css" />\r
<link rel="stylesheet" title="Nucleus Admin Default" type="text/css"\r
href="<?php echo $baseUrl?>styles/addedit.css" />\r
\r
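Review bot: `$CONF["AdminCSS"]` is echoed straight into the stylesheet `href` attribute while `$baseUrl` next to it goes through `htmlspecialchars()`; use `<?php echo htmlspecialchars($CONF['AdminCSS'])?>` so a stored value containing quotes cannot break out of the attribute. Seeding the config row from `pagehead()` also puts a database write into page rendering, and `INSERT INTO ... VALUES ('AdminCSS', 'contemporary_jp')` without a column list relies on the table's column order; an explicit column list, or doing the seed in the settings/upgrade path, would be more robust. The enclosing method begins outside the hunk.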
echo '<a href="' . $checkURL . '" title="' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TITLE . '">Nucleus CMS ' . $nucleus['version'] . $codenamestring . '</a>';\r
$newestVersion = getLatestVersion();\r
$newestCompare = str_replace('/','.',$newestVersion);\r
- $newestCompare = intval($newestCompare);\r
$currentVersion = str_replace(array('/','v'),array('.',''),$nucleus['version']);\r
+ $currentVersion = floatval($currentVersion);\r
if ($newestVersion && version_compare($newestCompare,$currentVersion) > 0) {\r
- echo '<br /><a style="color:red" href="http://nucleuscms.org/upgrade.php" title="'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TITLE.'">'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TEXT.$newestVersion.'</a>';\r
+ echo '<br /><a style="color:red" href="'._ADMINPAGEFOOT_OFFICIALURL.'upgrade.php" title="'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TITLE.'">'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TEXT.$newestVersion.'</a>';\r
}\r
} else {\r
echo 'Nucleus CMS ' . $nucleus['version'] . $codenamestring;\r
\r
}\r
\r
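Review bot: `$currentVersion = floatval($currentVersion)` discards everything after the second version component, so a three-part current version such as `3.6.1` becomes `3.6` and `version_compare('3.6.1', '3.6')` reports an upgrade even when the installation is already current; `version_compare()` accepts dotted strings directly, so drop the `floatval()` line (the removed `intval()` was wrong for the same reason). `$newestVersion`, returned by `getLatestVersion()`, is also echoed into the link text unescaped; `htmlspecialchars($newestVersion)` would keep whatever that function returns from reaching the page as markup. The enclosing block begins outside the hunk.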
- /**\r
- * @todo document this\r
- */\r
+/*\r
+ * @todo document this\r
+ */\r
function action_pluginlist() {\r
global $member, $manager;\r
\r
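Review bot: The header comment was changed from `/**` to `/*`, which turns the docblock into an ordinary comment and hides the `@todo` from doc tools and IDEs, unlike the other `@todo document this` headers in this file; keep `/**`. Better still, replace the todo with a one-line description of `action_pluginlist()` — as far as the following hunk shows, it lists installed plugins and offers plugin files not yet installed.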
</div></form>\r
\r
<h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
-\r
- <?php // find a list of possibly non-installed plugins\r
+ \r
+ <?php\r
+ // find a list of possibly non-installed plugins\r
$candidates = array();\r
global $DIR_PLUGINS;\r
$dirhandle = opendir($DIR_PLUGINS);\r
- while ($filename = readdir($dirhandle)) {\r
- if (ereg('^NP_(.*)\.php$',$filename,$matches)) {\r
+ while ($filename = readdir($dirhandle) )\r
+ {\r
+ # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+ # original ereg: ereg('^NP_(.*)\.php$',$filename,$matches)\r
+ if (preg_match('#^NP_(.*)\.php$#', $filename, $matches) )\r
+ {\r
$name = $matches[1];\r
// only show in list when not yet installed\r
- $res = sql_query('SELECT * FROM '.sql_table('plugin').' WHERE pfile="NP_'.addslashes($name).'"');\r
+ $res = sql_query('SELECT * FROM ' . sql_table('plugin') . ' WHERE `pfile` = "NP_' . sql_real_escape_string($name) . '"');\r
if (sql_num_rows($res) == 0)\r
- array_push($candidates,$name);\r
+ {\r
+ array_push($candidates, $name);\r
+ }\r
}\r
}\r
closedir($dirhandle);\r
-\r
- if (sizeof($candidates) > 0) {\r
+ \r
+ if (sizeof($candidates) > 0)\r
+ {\r
?>\r
\r
<p><?php echo _PLUGS_ADD_TEXT?></p>\r
<input type='hidden' name='action' value='pluginadd' />\r
<?php $manager->addTicketHidden() ?>\r
<select name="filename" tabindex="30">\r
- <?php foreach($candidates as $name)\r
- echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+ <?php \r
+ foreach($candidates as $name)\r
+ {\r
+ echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+ }\r
?>\r
</select>\r
<input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
</div></form>\r
\r
- <?php } else { // sizeof(candidates) == 0\r
+ <?php\r
+ }\r
+ else\r
+ {\r
echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
}\r
\r
);\r
\r
// do this before calling getPlugin (in case the plugin id is used there)\r
- $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.addslashes($name).'")';\r
+ $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.sql_real_escape_string($name).'")';\r
sql_query($query);\r
$iPid = sql_insert_id();\r
\r
{\r
$eventList = $plug->getEventList();\r
foreach ($eventList as $eventName)\r
- sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.addslashes($eventName).'\')');\r
+ sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.sql_real_escape_string($eventName).'\')');\r
}\r
}\r
\r
\r
// get list of oids per pid\r
$query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
- . ' WHERE opid=pid and ocontext=\''.addslashes($context).'\' ORDER BY porder, oid ASC';\r
+ . ' WHERE opid=pid and ocontext=\''.sql_real_escape_string($context).'\' ORDER BY porder, oid ASC';\r
$res = sql_query($query);\r
$aOptions = array();\r
while ($o = sql_fetch_object($res)) {\r
// new plugin?\r
if ($iPrevPid != $aOption['pid']) {\r
$iPrevPid = $aOption['pid'];\r
-\r
-\r
-\r
+ if (!defined('_PLUGIN_OPTIONS_TITLE')) {\r
+ define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');\r
+ }\r
echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
}\r
-\r
+ \r
$meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
if (@$meta['access'] != 'hidden') {\r
echo '<tr>';\r
listplug_plugOptionRow($aOption);\r
echo '</tr>';\r
}\r
-\r
}\r
-\r
-\r
}\r
\r
/**\r