
Add some code from 3.61. Currently files under /nucleus/libs and /nucleus/libs/sql...
[nucleus-jp/nucleus-jp-ancient.git] / utf8 / nucleus / libs / ADMIN.php
index 657362f..6b6e536 100755 (executable)
@@ -1,35 +1,48 @@
 <?php\r
+/*\r
+ * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
+ * Copyright (C) 2002-2010 The Nucleus Group\r
+ *\r
+ * This program is free software; you can redistribute it and/or\r
+ * modify it under the terms of the GNU General Public License\r
+ * as published by the Free Software Foundation; either version 2\r
+ * of the License, or (at your option) any later version.\r
+ * (see nucleus/documentation/index.html#license for more info)\r
+ */\r
 /**\r
-  * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
-  * Copyright (C) 2002-2005 The Nucleus Group\r
-  *\r
-  * This program is free software; you can redistribute it and/or\r
-  * modify it under the terms of the GNU General Public License\r
-  * as published by the Free Software Foundation; either version 2\r
-  * of the License, or (at your option) any later version.\r
-  * (see nucleus/documentation/index.html#license for more info)\r
-  *\r
-  * The code for the Nucleus admin area\r
-  *\r
-  * $Id: ADMIN.php,v 1.4 2005-03-12 06:19:04 kimitake Exp $\r
-  * $NucleusJP$\r
-  */\r
+ * The code for the Nucleus admin area\r
+ *\r
+ * @license http://nucleuscms.org/license.txt GNU General Public License\r
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group\r
+ * @version $Id$\r
+ * @version $NucleusJP: ADMIN.php,v 1.21.2.4 2007/10/30 19:04:24 kmorimatsu Exp $\r
+ */\r
+\r
+if ( !function_exists('requestVar') ) exit;\r
+require_once dirname(__FILE__) . '/showlist.php';\r
 \r
+/**\r
+ * Builds the admin area and executes admin actions\r
+ */\r
 class ADMIN {\r
 \r
-       // action currently being executed ($action=xxxx -> action_xxxx method)\r
+       /**\r
+        * @var string $action action currently being executed ($action=xxxx -> action_xxxx method)\r
+        */\r
        var $action;\r
 \r
+       /**\r
+        * Class constructor\r
+        */\r
        function ADMIN() {\r
 \r
        }\r
 \r
        /**\r
-         * Executes an action\r
-         *\r
-         * @param $action\r
-         *             action to be performed\r
-         */\r
+        * Executes an action\r
+        *\r
+        * @param string $action action to be performed\r
+        */\r
        function action($action) {\r
                global $CONF, $manager;\r
 \r
@@ -39,7 +52,7 @@ class ADMIN {
                        '' => 'overview'\r
                );\r
 \r
-               if ($alias[$action])\r
+               if (isset($alias[$action]))\r
                        $action = $alias[$action];\r
 \r
                $methodName = 'action_' . $action;\r
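Review bot: `isset($alias[$action])` assumes `$action` is a scalar; if the caller passes the raw request value and that value is an array (a repeated `action[]` parameter), the offset lookup here raises an illegal-offset warning (an error on PHP 8) and the concatenation on the next line produces `action_Array` instead of falling cleanly through to the _BADACTION path. Coercing once at the top of action(), `$action = (string) $action;`, settles the type before both uses. action()'s body starts and ends outside this hunk, so where `$action` originates is not visible here.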
@@ -49,10 +62,60 @@ class ADMIN {
                // check ticket. All actions need a ticket, unless they are considered to be safe (a safe action\r
                // is an action that requires user interaction before something is actually done)\r
                // all safe actions are in this array:\r
-               $aActionsNotToCheck = array('showlogin', 'login', 'overview', 'itemlist', 'blogcommentlist', 'bookmarklet', 'blogsettings', 'banlist', 'deleteblog', 'editmembersettings', 'browseownitems', 'browseowncomments', 'createitem', 'itemedit', 'itemmove', 'categoryedit', 'categorydelete', 'manage', 'actionlog', 'settingsedit', 'backupoverview', 'pluginlist', 'createnewlog', 'usermanagement', 'skinoverview', 'templateoverview', 'skinieoverview', 'itemcommentlist', 'commentedit', 'commentdelete', 'banlistnewfromitem', 'banlistdelete', 'itemdelete', 'manageteam', 'teamdelete', 'banlistnew', 'memberedit', 'memberdelete', 'pluginhelp', 'pluginoptions', 'plugindelete', 'skinedittype', 'skindelete', 'skinedit', 'templateedit', 'templatedelete', 'activate');\r
+               $aActionsNotToCheck = array(\r
+                       'showlogin',\r
+                       'login',\r
+                       'overview',\r
+                       'itemlist',\r
+                       'blogcommentlist',\r
+                       'bookmarklet',\r
+                       'blogsettings',\r
+                       'banlist',\r
+                       'deleteblog',\r
+                       'editmembersettings',\r
+                       'browseownitems',\r
+                       'browseowncomments',\r
+                       'createitem',\r
+                       'itemedit',\r
+                       'itemmove',\r
+                       'categoryedit',\r
+                       'categorydelete',\r
+                       'manage',\r
+                       'actionlog',\r
+                       'settingsedit',\r
+                       'backupoverview',\r
+                       'pluginlist',\r
+                       'createnewlog',\r
+                       'usermanagement',\r
+                       'skinoverview',\r
+                       'templateoverview',\r
+                       'skinieoverview',\r
+                       'itemcommentlist',\r
+                       'commentedit',\r
+                       'commentdelete',\r
+                       'banlistnewfromitem',\r
+                       'banlistdelete',\r
+                       'itemdelete',\r
+                       'manageteam',\r
+                       'teamdelete',\r
+                       'banlistnew',\r
+                       'memberedit',\r
+                       'memberdelete',\r
+                       'pluginhelp',\r
+                       'pluginoptions',\r
+                       'plugindelete',\r
+                       'skinedittype',\r
+                       'skinremovetype',\r
+                       'skindelete',\r
+                       'skinedit',\r
+                       'templateedit',\r
+                       'templatedelete',\r
+                       'activate',\r
+                       'systemoverview'\r
+               );\r
 /*\r
                // the rest of the actions needs to be checked\r
-               $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'sendping', 'rawping', 'activatesetpwd');\r
+               $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'activatesetpwd');\r
 */\r
                if (!in_array($this->action, $aActionsNotToCheck))\r
                {\r
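Review bot: the two new entries `'skinremovetype'` and `'systemoverview'` widen the set of actions that run without a ticket check, yet nothing beside the list records the invariant an entry must satisfy. A comment above the array such as `// every action listed here must only render a form or confirmation screen and change no state; the *confirm/*update actions it leads to must stay out of this list` makes future additions reviewable against that rule. The `in_array($this->action, $aActionsNotToCheck)` test below should pass `true` as its third argument so the membership test is a strict string comparison. The commented-out `$aActionsToCheck` block stays dead code; if it is kept as documentation it should say so, otherwise delete it.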
@@ -63,16 +126,21 @@ class ADMIN {
                if (method_exists($this, $methodName))\r
                        call_user_func(array(&$this, $methodName));\r
                else\r
-                       $this->error(_BADACTION . " ($action)");\r
+                       $this->error(_BADACTION . htmlspecialchars(" ($action)"));\r
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_showlogin() {\r
                global $error;\r
                $this->action_login($error);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_login($msg = '', $passvars = 1) {\r
                global $member;\r
 \r
@@ -89,9 +157,9 @@ class ADMIN {
                ?>\r
 \r
                <form action="index.php" method="post"><p>\r
-               <?php echo _LOGIN_NAME?>: <br /><input name="login"  tabindex="10" />\r
+               <?php echo _LOGIN_NAME; ?> <br /><input name="login"  tabindex="10" />\r
                <br />\r
-               <?php echo _LOGIN_PASSWORD?>: <br /><input name="password"  tabindex="20" type="password" />\r
+               <?php echo _LOGIN_PASSWORD; ?> <br /><input name="password"  tabindex="20" type="password" />\r
                <br />\r
                <input name="action" value="login" type="hidden" />\r
                <br />\r
@@ -101,7 +169,7 @@ class ADMIN {
                        <input type="checkbox" value="1" name="shared" tabindex="40" id="shared" /><label for="shared"><?php echo _LOGIN_SHARED?></label>\r
                        <br /><a href="forgotpassword.html"><?php echo _LOGIN_FORGOT?></a>\r
                </small>\r
-               <?php                   // pass through vars\r
+               <?php              // pass through vars\r
 \r
                        $oldaction = postVar('oldaction');\r
                        if (  ($oldaction != 'logout')  && ($oldaction != 'login')  && $passvars ) {\r
@@ -111,13 +179,14 @@ class ADMIN {
 \r
                ?>\r
                </p></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
 \r
        /**\r
-         * provides a screen with the overview of the actions available\r
-         */\r
+        * provides a screen with the overview of the actions available\r
+        * @todo document parameter\r
+        */\r
        function action_overview($msg = '') {\r
                global $member;\r
 \r
@@ -149,7 +218,7 @@ class ADMIN {
                if (($showAll != 'yes') && ($member->isAdmin())) {\r
                        $total = quickQuery('SELECT COUNT(*) as result FROM ' . sql_table('blog'));\r
                        if ($total > $amount)\r
-                               echo '<p><a href="index.php?action=overview&amp;showall=yes">Show all blogs</a></p>';\r
+                               echo '<p><a href="index.php?action=overview&amp;showall=yes">' . _OVERVIEW_SHOWALL . '</a></p>';\r
                }\r
 \r
                if ($amount == 0)\r
@@ -186,11 +255,17 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
-       // returns a link to a weblog (takes BLOG object as parameter)\r
+       /**\r
+        * Returns a link to a weblog\r
+        * @param object BLOG\r
+        */\r
        function bloglink(&$blog) {\r
-               return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'.$blog->getName() .'</a>';\r
+               return '<a href="'.htmlspecialchars($blog->getURL()).'" title="'._BLOGLIST_TT_VISIT.'">'. htmlspecialchars( $blog->getName() ) .'</a>';\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_manage($msg = '') {\r
                global $member;\r
 \r
@@ -229,8 +304,11 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemlist($blogid = '') {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                if ($blogid == '')\r
                        $blogid = intRequestVar('blogid');\r
@@ -255,17 +333,20 @@ class ADMIN {
                // amount of items to show\r
                if (postVar('amount'))\r
                        $amount = intPostVar('amount');\r
-               else\r
-                       $amount = 10;\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
 \r
                $search = postVar('search');    // search through items\r
 \r
-               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime'\r
+               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime, bnumber, catid'\r
                           . ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')\r
                           . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                // non-blog-admins can only edit/delete their own items\r
                if (!$member->blogAdminRights($blogid))\r
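Review bot: the new `< 1` floor only guards the configured default; when the client posts an amount, `intPostVar('amount')` is taken as-is, so a non-numeric or negative value becomes 0 or a negative number and reaches the `LIMIT $start,$amount` clause (outside this hunk), giving an empty list or a SQL error. Applying the floor to both branches fixes it: `$amount = postVar('amount') ? intPostVar('amount') : 0;` `if ($amount < 1) $amount = intval($CONF['DefaultListSize']);` `if ($amount < 1) $amount = 10;`. The same shape is introduced in action_browseownitems, action_itemcommentlist and action_browseowncomments. action_itemlist starts and ends outside this hunk.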
@@ -278,7 +359,7 @@ class ADMIN {
                $template['content'] = 'itemlist';\r
                $template['now'] = $blog->getCorrectTime(time());\r
 \r
-\r
+               $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('itemlist', $start, $amount, 0, 1000, $blogid, $search, 0);\r
                $navList->showBatchList('item',$query,'table',$template);\r
 \r
@@ -286,7 +367,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchitem() {\r
                global $member, $manager;\r
 \r
@@ -334,7 +417,7 @@ class ADMIN {
                                        $error = $this->moveOneItem($itemid, $destCatid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
@@ -349,6 +432,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchcomment() {\r
                global $member;\r
 \r
@@ -387,7 +473,7 @@ class ADMIN {
                                        $error = $this->deleteOneComment($commentid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
@@ -402,6 +488,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchmember() {\r
                global $member;\r
 \r
@@ -445,13 +534,13 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one super-admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('member'). ' WHERE madmin=1 and mcanlogin=1');\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEADMIN;\r
                                        else\r
                                                sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
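Review bot: the at-least-one-admin guard fetches every admin row with `SELECT *` only to count them with sql_num_rows; the file already counts via quickQuery in action_overview (`SELECT COUNT(*) as result`), so `$nAdmins = quickQuery('SELECT COUNT(*) as result FROM ' . sql_table('member') . ' WHERE madmin=1 and mcanlogin=1');` followed by `if ($nAdmins < 2)` does the same without materialising rows. The count-then-update is also not atomic, so two concurrent unsetadmin requests can both pass the check; that is worth a comment on the `case 'unsetadmin':` line even if it is accepted. The unsetadmin case of action_batchteam has the same shape.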
@@ -466,7 +555,9 @@ class ADMIN {
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchteam() {\r
                global $member;\r
 \r
@@ -513,13 +604,13 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('team').' WHERE tadmin=1 and tblog='.$blogid);\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEBLOGADMIN;\r
                                        else\r
                                                sql_query('UPDATE '.sql_table('team').' SET tadmin=0 WHERE tblog='.$blogid.' and tmember='.$memberid);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
                        echo '<b>',($error ? $error : _BATCH_SUCCESS),'</b>';\r
@@ -534,8 +625,9 @@ class ADMIN {
 \r
        }\r
 \r
-\r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_batchcategory() {\r
                global $member, $manager;\r
 \r
@@ -582,10 +674,10 @@ class ADMIN {
                                        $error = $this->moveOneCategory($catid, $destBlogId);\r
                                        break;\r
                                default:\r
-                                       $error = _BATCH_UNKNOWN . $action;\r
+                                       $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
-                       echo '<b>',($error ? 'Error: '.$error : _BATCH_SUCCESS),'</b>';\r
+                       echo '<b>',($error ? _ERROR . ': '.$error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
 \r
@@ -596,6 +688,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchMoveSelectDestination($type, $ids) {\r
                global $manager;\r
                $this->pagehead();\r
@@ -622,10 +717,13 @@ class ADMIN {
                        <input type="submit" value="<?php echo _MOVE_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchMoveCategorySelectDestination($type, $ids) {\r
                global $manager;\r
                $this->pagehead();\r
@@ -652,10 +750,13 @@ class ADMIN {
                        <input type="submit" value="<?php echo _MOVECAT_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function batchAskDeleteConfirmation($type, $ids) {\r
                global $manager;\r
 \r
@@ -668,7 +769,7 @@ class ADMIN {
                        <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="batchaction" value="delete" />\r
                        <input type="hidden" name="confirmation" value="yes" />\r
-                       <?php                           // insert selected item numbers\r
+                       <?php                      // insert selected item numbers\r
                                $idx = 0;\r
                                foreach ($ids as $id)\r
                                        echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
@@ -688,27 +789,30 @@ class ADMIN {
                        <input type="submit" value="<?php echo _BATCH_DELETE_CONFIRM_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
 \r
        /**\r
-         * Inserts a HTML select element with choices for all categories to which the current\r
-         * member has access\r
-         */\r
+        * Inserts a HTML select element with choices for all categories to which the current\r
+        * member has access\r
+        * @see function selectBlog\r
+        */\r
        function selectBlogCategory($name, $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
                ADMIN::selectBlog($name, 'category', $selected, $tabindex, $showNewCat, $iForcedBlogInclude);\r
        }\r
 \r
        /**\r
-         * Inserts a HTML select element with choices for all blogs to which the user has access\r
-         *             mode = 'blog' => shows blognames and values are blogids\r
-         *             mode = 'category' => show category names and values are catids\r
-         *\r
-         * @param $iForcedBlogInclude\r
-         *             ID of a blog that always needs to be included, without checking if the member is on the blog team (-1 = none)\r
-         */\r
+        * Inserts a HTML select element with choices for all blogs to which the user has access\r
+        *        mode = 'blog' => shows blognames and values are blogids\r
+        *        mode = 'category' => show category names and values are catids\r
+        *\r
+        * @param $iForcedBlogInclude\r
+        *        ID of a blog that always needs to be included, without checking if the\r
+        *        member is on the blog team (-1 = none)\r
+        * @todo document parameters\r
+        */\r
        function selectBlog($name, $mode='blog', $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
                global $member, $CONF;\r
 \r
@@ -722,7 +826,7 @@ class ADMIN {
                else\r
                        $queryBlogs =  'SELECT bnumber FROM '.sql_table('blog').', '.sql_table('team').' WHERE tblog=bnumber and tmember=' . $member->getID();\r
                $rblogids = sql_query($queryBlogs);\r
-               while ($o = mysql_fetch_object($rblogids))\r
+               while ($o = sql_fetch_object($rblogids))\r
                        if ($o->bnumber != $iForcedBlogInclude)\r
                                $aBlogIds[] = intval($o->bnumber);\r
 \r
@@ -736,10 +840,10 @@ class ADMIN {
                $queryBlogs =  'SELECT bnumber, bname FROM '.sql_table('blog').' WHERE bnumber in ('.implode(',',$aBlogIds).') ORDER BY bname';\r
                $blogs = sql_query($queryBlogs);\r
                if ($mode == 'category') {\r
-                       if (mysql_num_rows($blogs) > 1)\r
+                       if (sql_num_rows($blogs) > 1)\r
                                $multipleBlogs = 1;\r
 \r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                if ($multipleBlogs)\r
                                        echo '<optgroup label="',htmlspecialchars($oBlog->bname),'">';\r
 \r
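Review bot: `$multipleBlogs` is only assigned inside the `> 1` branch, so unless it is initialised before this hunk the `if ($multipleBlogs)` test below reads an undefined variable whenever the member has a single blog. `$multipleBlogs = (sql_num_rows($blogs) > 1);` covers both cases in one line. The enclosing selectBlog() body continues on both sides of this hunk.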
@@ -752,7 +856,7 @@ class ADMIN {
 \r
                                // 2. for each category in that blog\r
                                $categories = sql_query('SELECT cname, catid FROM '.sql_table('category').' WHERE cblog=' . $oBlog->bnumber . ' ORDER BY cname ASC');\r
-                               while ($oCat = mysql_fetch_object($categories)) {\r
+                               while ($oCat = sql_fetch_object($categories)) {\r
                                        if ($oCat->catid == $selected)\r
                                                $selectText = ' selected="selected" ';\r
                                        else\r
@@ -765,7 +869,7 @@ class ADMIN {
                        }\r
                } else {\r
                        // blog mode\r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                echo '<option value="',$oBlog->bnumber,'"';\r
                                if ($oBlog->bnumber == $selected)\r
                                        echo ' selected="selected"';\r
@@ -776,8 +880,11 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_browseownitems() {\r
-               global $member;\r
+               global $member, $manager, $CONF;\r
 \r
                $this->pagehead();\r
 \r
@@ -786,15 +893,18 @@ class ADMIN {
 \r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
                        $start = 0;\r
 \r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;\r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
 \r
                $search = postVar('search');    // search through items\r
 \r
@@ -803,7 +913,7 @@ class ADMIN {
                           . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                $query .= ' ORDER BY itime DESC'\r
                                . " LIMIT $start,$amount";\r
@@ -811,7 +921,8 @@ class ADMIN {
                $template['content'] = 'itemlist';\r
                $template['now'] = time();\r
 \r
-               $navList =& new NAVLIST('browseownitems', $start, $amount, 0, 1000, $blogid, $search, 0);\r
+               $manager->loadClass("ENCAPSULATE");\r
+               $navList =& new NAVLIST('browseownitems', $start, $amount, 0, 1000, /*$blogid*/ 0, $search, 0);\r
                $navList->showBatchList('item',$query,'table',$template);\r
 \r
                $this->pagefoot();\r
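Review bot: the rewritten NAVLIST line keeps `$navList =& new NAVLIST(...)`; assigning the result of `new` by reference has been deprecated since PHP 5.3 and is a parse error from PHP 7, and it gains nothing because objects are already handles. `$navList = new NAVLIST('browseownitems', $start, $amount, 0, 1000, 0, $search, 0);` is the equivalent, and the `/*$blogid*/` remnant can go with it. The same form sits, as context, right after the loadClass calls added in action_itemlist, action_itemcommentlist and action_browseowncomments.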
@@ -819,10 +930,11 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Show all the comments for a given item\r
-         */\r
+        * Show all the comments for a given item\r
+        * @param int $itemid\r
+        */\r
        function action_itemcommentlist($itemid = '') {\r
-               global $member;\r
+               global $member, $manager, $CONF;\r
 \r
                if ($itemid == '')\r
                        $itemid = intRequestVar('itemid');\r
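Review bot: the new `@param int $itemid` does not match the signature, whose default is `''` and whose first statement treats that empty string as "read it from the request"; `@param int|string $itemid item id, or '' to take it from intRequestVar('itemid')` describes the actual contract. When a caller does pass a value it is interpolated into the `citem = ` clause in the following hunk without a cast, so `$itemid = intval($itemid);` after the if would make the int promise hold in both paths. The new `@param int $blogid` on action_blogcommentlist has the same mismatch with its `''` default.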
@@ -836,25 +948,28 @@ class ADMIN {
 \r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
                        $start = 0;\r
 \r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;\r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
 \r
                $search = postVar('search');\r
 \r
                echo '<p>(<a href="index.php?action=itemlist&amp;blogid=',$blogid,'">',_BACKTOOVERVIEW,'</a>)</p>';\r
                echo '<h2>',_COMMENTS,'</h2>';\r
 \r
-               $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE citem=' . $itemid;\r
+               $query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime ASC'\r
                                . " LIMIT $start,$amount";\r
@@ -862,6 +977,7 @@ class ADMIN {
                $template['content'] = 'commentlist';\r
                $template['canAddBan'] = $member->blogAdminRights(getBlogIDFromItemID($itemid));\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('itemcommentlist', $start, $amount, 0, 1000, 0, $search, $itemid);\r
                $navList->showBatchList('comment',$query,'table',$template,_NOCOMMENTS);\r
 \r
@@ -869,22 +985,25 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Browse own comments\r
-         */\r
+        * Browse own comments\r
+        */\r
        function action_browseowncomments() {\r
-               global $member;\r
+               global $member, $manager, $CONF;\r
 \r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
                        $start = 0;\r
 \r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;\r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
 \r
                $search = postVar('search');\r
 \r
@@ -892,7 +1011,7 @@ class ADMIN {
                $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime DESC'\r
                                . " LIMIT $start,$amount";\r
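Review bot: sql_real_escape_string() closes the quoting hole but does not neutralise LIKE metacharacters, so a search of `%` or `_` still acts as a wildcard and matches every comment rather than the literal character. Escape those before the SQL escaping so the backslash survives the literal: `$query .= ' and cbody LIKE "%' . sql_real_escape_string(addcslashes($search, '%_')) . '%"';`. The same clause is built for the 'itemcommentlist' and 'blogcommentlist' views in this class.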
@@ -903,8 +1022,9 @@ class ADMIN {
                echo '<h2>', _COMMENTS_YOUR ,'</h2>';\r
 \r
                $template['content'] = 'commentlist';\r
-               $template['canAddBan'] = 0;     // doesn't make sense to allow banning yourself\r
+               $template['canAddBan'] = 0; // doesn't make sense to allow banning yourself\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('browseowncomments', $start, $amount, 0, 1000, 0, $search, 0);\r
                $navList->showBatchList('comment',$query,'table',$template,_NOCOMMENTS_YOUR);\r
 \r
@@ -912,11 +1032,12 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Browse all comments for a weblog\r
-         */\r
+        * Browse all comments for a weblog\r
+        * @param int $blogid\r
+        */\r
        function action_blogcommentlist($blogid = '')\r
        {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                if ($blogid == '')\r
                        $blogid = intRequestVar('blogid');\r
@@ -927,23 +1048,26 @@ class ADMIN {
 \r
                // start index\r
                if (postVar('start'))\r
-                       $start = postVar('start');\r
+                       $start = intPostVar('start');\r
                else\r
                        $start = 0;\r
 \r
                // amount of items to show\r
                if (postVar('amount'))\r
-                       $amount = postVar('amount');\r
-               else\r
-                       $amount = 10;\r
+                       $amount = intPostVar('amount');\r
+               else {\r
+                       $amount = intval($CONF['DefaultListSize']);\r
+                       if ($amount < 1)\r
+                               $amount = 10;\r
+               }\r
 \r
                $search = postVar('search');            // search through comments\r
 \r
 \r
-               $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
+               $query =  'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
 \r
                if ($search != '')\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
 \r
                $query .= ' ORDER BY ctime DESC'\r
@@ -960,6 +1084,7 @@ class ADMIN {
                $template['content'] = 'commentlist';\r
                $template['canAddBan'] = $member->blogAdminRights($blogid);\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('blogcommentlist', $start, $amount, 0, 1000, $blogid, $search, 0);\r
                $navList->showBatchList('comment',$query,'table',$template, _NOCOMMENTS_BLOG);\r
 \r
@@ -967,8 +1092,8 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Provide a page to item a new item to the given blog\r
-         */\r
+        * Provide a page to item a new item to the given blog\r
+        */\r
        function action_createitem() {\r
                global $member, $manager;\r
 \r
@@ -990,6 +1115,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemedit() {\r
                global $member, $manager;\r
 \r
@@ -1015,6 +1143,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemupdate() {\r
                global $member, $manager, $CONF;\r
 \r
@@ -1032,10 +1163,11 @@ class ADMIN {
                        return;\r
                }\r
 \r
-               $body   = postVar('body');\r
-               $title  = postVar('title');\r
-               $more   = postVar('more');\r
+               $body   = postVar('body');\r
+               $title  = postVar('title');\r
+               $more   = postVar('more');\r
                $closed = intPostVar('closed');\r
+               $draftid = intPostVar('draftid');\r
 \r
                // default action = add now\r
                if (!$actiontype)\r
@@ -1067,42 +1199,26 @@ class ADMIN {
                                $wasdraft: set to 1 when the item used to be a draft item\r
                                $publish: set to 1 when the edited item is not a draft\r
                */\r
-               switch ($actiontype) {\r
-                       case 'adddraft':\r
-                               $publish = 0;\r
-                               $wasdraft = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'addfuture':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = mktime(postVar('hour'), postVar('minutes'), 0, postVar('month'), postVar('day'), postVar('year'));\r
-                               break;\r
-                       case 'addnow':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'changedate':\r
-                               $timestamp = mktime(postVar('hour'), postVar('minutes'), 0, postVar('month'), postVar('day'), postVar('year'));\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               break;\r
-                       case 'edit':\r
-                       default:\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               $timestamp = 0;\r
+               $blogid =  getBlogIDFromItemID($itemid);\r
+               $blog   =& $manager->getBlog($blogid);\r
+\r
+               $wasdrafts = array('adddraft', 'addfuture', 'addnow');\r
+               $wasdraft  = in_array($actiontype, $wasdrafts) ? 1 : 0;\r
+               $publish   = ($actiontype != 'adddraft' && $actiontype != 'backtodrafts') ? 1 : 0;\r
+               if ($actiontype == 'addfuture' || $actiontype == 'changedate') {\r
+                       $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
+               } else {\r
+                       $timestamp =0;\r
                }\r
 \r
                // edit the item for real\r
                ITEM::update($itemid, $catid, $title, $body, $more, $closed, $wasdraft, $publish, $timestamp);\r
 \r
-               $blogid = getBlogIDFromItemID($itemid);\r
-               $blog =& $manager->getBlog($blogid);\r
-               if (!$closed && $publish && $wasdraft && $blog->pingUserland()) {\r
-                       $this->action_sendping($blogid);\r
-                       return;\r
+               $this->updateFuturePosted($blogid);\r
+\r
+               if ($draftid > 0) {\r
+                       // delete permission is checked inside ITEM::delete()\r
+                       ITEM::delete($draftid);\r
                }\r
 \r
                // show category edit window when we created a new category\r
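Review bot: `ITEM::delete($draftid)` acts on an id taken straight from the POST body, and the comment saying the permission check lives inside ITEM::delete() cannot be confirmed from this file; deleteOneItem() in this same class guards its own ITEM::delete() call with `$member->canAlterItem()` first, which suggests the callee does not. Guard the deletion the same way: `if ($draftid > 0 && $member->canAlterItem($draftid)) { ITEM::delete($draftid); }`, and treat a failed check as an error if that matches how the rest of the class handles it. `$blog`, assigned at the top of the new block, is not referenced anywhere in the hunk; if the ping removal left it unused, drop the `$manager->getBlog()` call. The function continues outside the hunk.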
@@ -1119,6 +1235,9 @@ class ADMIN {
                }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemdelete() {\r
                global $member, $manager;\r
 \r
@@ -1157,6 +1276,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemdeleteconfirm() {\r
                global $member;\r
 \r
@@ -1174,7 +1296,10 @@ class ADMIN {
                $this->action_itemlist($blogid);\r
        }\r
 \r
-       // deletes one item and returns error if something goes wrong\r
+       /**\r
+        * Deletes one item and returns error if something goes wrong\r
+        * @param int $itemid\r
+        */\r
        function deleteOneItem($itemid) {\r
                global $member, $manager;\r
 \r
@@ -1182,10 +1307,38 @@ class ADMIN {
                if (!$member->canAlterItem($itemid))\r
                        return _ERROR_DISALLOWED;\r
 \r
+               // need to get blogid before the item is deleted\r
+               $blogid = getBlogIDFromItemId($itemid);\r
+\r
                $manager->loadClass('ITEM');\r
                ITEM::delete($itemid);\r
+\r
+               // update blog's futureposted\r
+               $this->updateFuturePosted($blogid);\r
+       }\r
+\r
+       /**\r
+        * Update a blog's future posted flag\r
+        * @param int $blogid\r
+        */\r
+       function updateFuturePosted($blogid) {\r
+               global $manager;\r
+\r
+               $blog =& $manager->getBlog($blogid);\r
+               $currenttime = $blog->getCorrectTime(time());\r
+               $result = sql_query("SELECT * FROM ".sql_table('item').\r
+                       " WHERE iblog='".$blogid."' AND iposted=0 AND itime>".mysqldate($currenttime));\r
+               if (sql_num_rows($result) > 0) {\r
+                               $blog->setFuturePost();\r
+               }\r
+               else {\r
+                               $blog->clearFuturePost();\r
+               }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemmove() {\r
                global $member, $manager;\r
 \r
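Review bot: updateFuturePosted() interpolates `$blogid` into the query unchanged; its two callers here pass a value from getBlogIDFromItemId(), but the method is untyped and callable from anywhere in the class, so cast at the boundary: `" WHERE iblog='" . intval($blogid) . "' AND iposted=0 AND itime>" . mysqldate($currenttime)`. The query also fetches every column of every matching row only to test whether one exists; appending ` LIMIT 1` keeps the sql_num_rows() test working while bounding the work. The new code spells the helper `getBlogIDFromItemId` while action_itemupdate uses `getBlogIDFromItemID`; PHP resolves function names case-insensitively, but the two spellings read as two different helpers.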
@@ -1215,6 +1368,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_itemmoveto() {\r
                global $member, $manager;\r
 \r
@@ -1238,8 +1394,16 @@ class ADMIN {
                // only allow if user is allowed to alter item\r
                $member->canUpdateItem($itemid, $catid) or $this->disallow();\r
 \r
+               $old_blogid = getBlogIDFromItemId($itemid);\r
+\r
                ITEM::move($itemid, $catid);\r
 \r
+               // set the futurePosted flag on the blog\r
+               $this->updateFuturePosted(getBlogIDFromItemId($itemid));\r
+\r
+               // reset the futurePosted in case the item is moved from one blog to another\r
+               $this->updateFuturePosted($old_blogid);\r
+\r
                if ($catid != intRequestVar('catid'))\r
                        $this->action_categoryedit($catid, $blog->getID());\r
                else\r
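Review bot: when the item stays in the same blog (a category-only move), `$old_blogid` and the post-move id are equal and updateFuturePosted() runs the same query twice. Compute the new id once and skip the second call when nothing changed: `$new_blogid = getBlogIDFromItemId($itemid); $this->updateFuturePosted($new_blogid); if ($new_blogid != $old_blogid) $this->updateFuturePosted($old_blogid);`. The function continues outside the hunk.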
@@ -1247,9 +1411,11 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Moves one item to a given category (category existance should be checked by caller)\r
-         * errors are returned\r
-         */\r
+        * Moves one item to a given category (category existance should be checked by caller)\r
+        * errors are returned\r
+        * @param int $itemid\r
+        * @param int $destCatid category ID to which the item will be moved\r
+        */\r
        function moveOneItem($itemid, $destCatid) {\r
                global $member;\r
 \r
@@ -1261,10 +1427,10 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Adds a item to the chosen blog\r
-         */\r
+        * Adds a item to the chosen blog\r
+        */\r
        function action_additem() {\r
-               global $member, $manager, $CONF;\r
+               global $manager, $CONF;\r
 \r
                $manager->loadClass('ITEM');\r
 \r
@@ -1275,86 +1441,21 @@ class ADMIN {
 \r
                $blogid = getBlogIDFromItemID($result['itemid']);\r
                $blog =& $manager->getBlog($blogid);\r
+               $btimestamp = $blog->getCorrectTime();\r
+               $item      = $manager->getItem(intval($result['itemid']), 1, 1);\r
 \r
-               $pingUrl = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=sendping&blogid=' . intval($blogid));\r
-\r
-               if ($result['status'] == 'newcategory')\r
-                       $this->action_categoryedit(\r
-                               $result['catid'],\r
-                               $blogid,\r
-                               $blog->pingUserland() ? $pingUrl : ''\r
-                       );\r
-               elseif ((postVar('actiontype') == 'addnow') && $blog->pingUserland())\r
-                       $this->action_sendping($blogid);\r
-               else\r
-                       $this->action_itemlist($blogid);\r
-       }\r
-\r
-       /**\r
-         * Shows a window that says we're about to ping weblogs.com.\r
-         * immediately refresh to the real pinging page, which will\r
-         * show an error, or redirect to the blog.\r
-         *\r
-         * @param $blogid ID of blog for which ping needs to be sent out\r
-         */\r
-       function action_sendping($blogid = -1) {\r
-               global $member, $manager;\r
-\r
-               if ($blogid == -1)\r
-                       $blogid = intRequestVar('blogid');\r
-\r
-               $member->isLoggedIn() or $this->disallow();\r
-\r
-               $rawPingUrl = $manager->addTicketToUrl('index.php?action=rawping&blogid=' . intval($blogid));\r
-\r
-               $this->pagehead('<meta http-equiv="refresh" content="1; url='.htmlspecialchars($rawPingUrl).'" />');\r
-               ?>\r
-               <h2>Site Updated, Now pinging weblogs.com</h2>\r
-\r
-               <p>\r
-                       Pinging weblogs.com! This can a while...\r
-                       <br />\r
-                       When the ping is complete (and successfull), your weblog will show up in the weblogs.com updates list.\r
-               </p>\r
-\r
-               <p>\r
-                       If you aren't automatically passed through, <a href="index.php?action=rawping&amp;blogid=<?php echo $blogid?>">try again</a>\r
-               </p>\r
-               <?php           $this->pagefoot();\r
-       }\r
-\r
-       // ping to Weblogs.com\r
-       // sends the real ping (can take up to 10 seconds!)\r
-       function action_rawping() {\r
-               global $manager;\r
-               // TODO: checks?\r
-\r
-               $blogid = intRequestVar('blogid');\r
-               $blog =& $manager->getBlog($blogid);\r
-\r
-               $result = $blog->sendUserlandPing();\r
-\r
-               $this->pagehead();\r
-\r
-               ?>\r
-\r
-               <h2>Ping Results</h2>\r
-\r
-               <p>The following message was returned by weblogs.com:</p>\r
-\r
-               <div class='note'><?php echo  $result ?></div>\r
-\r
-               <ul>\r
-                       <li><a href="index.php?action=itemlist&amp;blogid=<?php echo $blog->getID()?>">View list of recent items for <?php echo htmlspecialchars($blog->getName())?></a></li>\r
-                       <li><a href="<?php echo $blog->getURL()?>">Visit your own site</a></li>\r
-               </ul>\r
-\r
-               <?php           $this->pagefoot();\r
+               if ($result['status'] == 'newcategory') {\r
+                       $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=itemList&blogid=' . intval($blogid));\r
+                       $this->action_categoryedit($result['catid'], $blogid, $distURI);\r
+               } else {\r
+                       $methodName = 'action_itemList';\r
+                       call_user_func(array(&$this, $methodName), $blogid);\r
+               }\r
        }\r
 \r
        /**\r
-         * Allows to edit previously made comments\r
-         */\r
+        * Allows to edit previously made comments\r
+        */\r
        function action_commentedit() {\r
                global $member, $manager;\r
 \r
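Review bot: `$btimestamp` and `$item`, assigned at the top of the rewritten block, are not used anywhere in the rest of action_additem(), and the `$methodName`/call_user_func() indirection in the else branch is a plain method call in disguise; drop the two assignments (assuming getItem() has no side effects the caller relies on) and write `$this->action_itemlist($blogid);` as the other callers in this class do. The redirect URL uses `action=itemList` while the class defines action_itemlist; PHP resolves method names case-insensitively, but whether the request dispatcher does too is not visible here, so keep the casing consistent rather than rely on it.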
@@ -1368,9 +1469,11 @@ class ADMIN {
 \r
                // change <br /> to \n\r
                $comment['body'] = str_replace('<br />','',$comment['body']);\r
-\r
-               $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>","\\1",$comment['body']);\r
-\r
+               \r
+               // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+               /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+               $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#I", "\\1", $comment['body']);\r
+               \r
                $this->pagehead();\r
 \r
                ?>\r
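Review bot: the pattern modifier `I` on the new preg_replace() call is not a valid PCRE modifier in PHP (the case-insensitive flag is lowercase `i`), so the call emits an "Unknown modifier" warning and returns null, which wipes `$comment['body']` before the edit form is rendered. The eregi_replace() it replaces was case-insensitive, so the line should read `$comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#i", "\\1", $comment['body']);`. The function continues outside the hunk.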
@@ -1386,7 +1489,7 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _EDITC_WHO?></td>\r
                        <td>\r
-                       <?php                           if ($comment['member'])\r
+                       <?php                      if ($comment['member'])\r
                                        echo $comment['member'] . " (" . _EDITC_MEMBER . ")";\r
                                else\r
                                        echo $comment['user'] . " (" . _EDITC_NONMEMBER . ")";\r
@@ -1398,10 +1501,19 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _EDITC_HOST?></td>\r
                        <td><?php echo  $comment['host']; ?></td>\r
-               </tr><tr>\r
+               </tr>\r
+               <tr>\r
+                       <td><?php echo _EDITC_URL; ?></td>\r
+                       <td><input type="text" name="url" size="30" tabindex="6" value="<?php echo $comment['userid']; ?>" /></td>\r
+               </tr>\r
+               <tr>\r
+                       <td><?php echo _EDITC_EMAIL; ?></td>\r
+                       <td><input type="text" name="email" size="30" tabindex="8" value="<?php echo $comment['email']; ?>" /></td>\r
+               </tr>\r
+               <tr>\r
                        <td><?php echo _EDITC_TEXT?></td>\r
                        <td>\r
-                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                                   // htmlspecialchars not needed (things should be escaped already)\r
+                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                              // htmlspecialchars not needed (things should be escaped already)\r
                                        echo $comment['body'];\r
                                ?></textarea>\r
                        </td>\r
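Review bot: the two new input rows echo `$comment['userid']` and `$comment['email']` into `value="…"` attributes without escaping; the nearby remark that things are already escaped refers to the body, and nothing in this hunk shows the url/email fields being stored escaped, so a stored `"` in either field breaks the attribute. Escape at output as the rest of this file does: `value="<?php echo htmlspecialchars($comment['userid']); ?>"` and `value="<?php echo htmlspecialchars($comment['email']); ?>"`.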
@@ -1415,6 +1527,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentupdate() {\r
                global $member, $manager;\r
 \r
@@ -1422,19 +1537,28 @@ class ADMIN {
 \r
                $member->canAlterComment($commentid) or $this->disallow();\r
 \r
+               $url = postVar('url');\r
+               $email = postVar('email');\r
                $body = postVar('body');\r
-\r
+               \r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+               # important note that '\' must be matched with '\\\\' in preg* expressions\r
                // intercept words that are too long\r
-               if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false)\r
+               if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+               {\r
                        $this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+               }\r
+               \r
                // check length\r
-               if (strlen($body)<3)\r
+               if (strlen($body) < 3) {\r
                        $this->error(_ERROR_COMMENT_NOCOMMENT);\r
+               }\r
                if (strlen($body)>5000)\r
+               {\r
                        $this->error(_ERROR_COMMENT_TOOLONG);\r
-\r
-\r
+               }\r
+               \r
                // prepare body\r
                $body = COMMENT::prepareBody($body);\r
 \r
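Review bot: `$url` and `$email` read at the top of the hunk get no validation before being written by the UPDATE further down, while the body gets length and long-word checks and the member-settings code in this file validates addresses with isValidMailAddress() and normalises a missing scheme on the URL. Apply the same checks here before the update, e.g. `if ($email != '' && !isValidMailAddress($email)) $this->error(/* the bad-address message this file uses elsewhere */);` and the same `http://` prefixing for a non-empty `$url`. The function continues outside the hunk.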
@@ -1442,13 +1566,13 @@ class ADMIN {
                $manager->notify('PreUpdateComment',array('body' => &$body));\r
 \r
                $query =  'UPDATE '.sql_table('comment')\r
-                          . " SET cbody='" .addslashes($body). "'"\r
+                          . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
                           . " WHERE cnumber=" . $commentid;\r
                sql_query($query);\r
 \r
                // get itemid\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment').' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
 \r
                if ($member->canAlterItem($itemid))\r
@@ -1458,6 +1582,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentdelete() {\r
                global $member, $manager;\r
 \r
@@ -1498,6 +1625,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_commentdeleteconfirm() {\r
                global $member;\r
 \r
@@ -1505,7 +1635,7 @@ class ADMIN {
 \r
                // get item id first\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment') .' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
 \r
                $error = $this->deleteOneComment($commentid);\r
@@ -1518,6 +1648,9 @@ class ADMIN {
                        $this->action_browseowncomments();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneComment($commentid) {\r
                global $member, $manager;\r
 \r
@@ -1538,8 +1671,8 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Usermanagement main\r
-         */\r
+        * Usermanagement main\r
+        */\r
        function action_usermanagement() {\r
                global $member, $manager;\r
 \r
@@ -1560,12 +1693,13 @@ class ADMIN {
                $template['content'] = 'memberlist';\r
                $template['tabindex'] = 10;\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $batch =& new BATCH('member');\r
                $batch->showlist($query,'table',$template);\r
 \r
                echo '<h3>' . _MEMBERS_NEW .'</h3>';\r
                ?>\r
-                       <form method="post" action="index.php"><div>\r
+                       <form method="post" action="index.php" name="memberedit"><div>\r
 \r
                        <input type="hidden" name="action" value="memberadd" />\r
                        <?php $manager->addTicketHidden() ?>\r
@@ -1575,9 +1709,9 @@ class ADMIN {
                                <th colspan="2"><?php echo _MEMBERS_NEW?></th>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>\r
-                                       <br /><small>(This is the name used to logon)</small>\r
+                               <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
                                </td>\r
-                               <td><input tabindex="10010" name="name" size="16" maxlength="16" /></td>\r
+                               <td><input tabindex="10010" name="name" size="32" maxlength="32" /></td>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_REALNAME?></td>\r
                                <td><input name="realname" tabindex="10020" size="40" maxlength="60" /></td>\r
@@ -1613,11 +1747,15 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Edit member settings\r
-         */\r
+        * Edit member settings\r
+        */\r
        function action_memberedit() {\r
                $this->action_editmembersettings(intRequestVar('memberid'));\r
        }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_editmembersettings($memberid = '') {\r
                global $member, $manager, $CONF;\r
 \r
@@ -1641,7 +1779,7 @@ class ADMIN {
                $mem = MEMBER::createFromID($memberid);\r
 \r
                ?>\r
-               <form method="post" action="index.php"><div>\r
+               <form method="post" action="index.php" name="memberedit"><div>\r
 \r
                <input type="hidden" name="action" value="changemembersettings" />\r
                <input type="hidden" name="memberid" value="<?php echo  $memberid; ?>" />\r
@@ -1655,7 +1793,7 @@ class ADMIN {
                        </td>\r
                        <td>\r
                        <?php if ($CONF['AllowLoginEdit'] || $member->isAdmin()) { ?>\r
-                               <input name="name" tabindex="10" maxlength="16" size="16" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
+                               <input name="name" tabindex="10" maxlength="32" size="32" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
                        <?php } else {\r
                                echo htmlspecialchars($member->getDisplayName());\r
                           }\r
@@ -1689,7 +1827,7 @@ class ADMIN {
                                <td><?php $this->input_yesno('admin',$mem->isAdmin(),60); ?></td>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_CANLOGIN?> <?php help('canlogin'); ?></td>\r
-                               <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70); ?></td>\r
+                               <td><?php $this->input_yesno('canlogin',$mem->canLogin(),70,1,0,_YES,_NO,$mem->isAdmin()); ?></td>\r
                <?php } ?>\r
                </tr><tr>\r
                        <td><?php echo _MEMBERS_NOTES?></td>\r
@@ -1701,25 +1839,35 @@ class ADMIN {
 \r
                                <select name="deflang" tabindex="85">\r
                                        <option value=""><?php echo _MEMBERS_USESITELANG?></option>\r
-                               <?php                           // show a dropdown list of all available languages\r
+                               <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle))\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
-                                               if ($name == $mem->getLanguage())\r
-                                                       echo " selected='selected'";\r
+                                               echo "<option value=\"$name\"";\r
+                                               if ($name == $mem->getLanguage() )\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
+                               \r
                                ?>\r
                                </select>\r
 \r
                        </td>\r
                </tr>\r
+               <tr>\r
+                       <td><?php echo _MEMBERS_USEAUTOSAVE?> <?php help('autosave'); ?></td>\r
+                       <td><?php $this->input_yesno('autosave', $mem->getAutosave(), 87); ?></td>\r
+               </tr>\r
                <?php\r
                        // plugin options\r
                        $this->_insertPluginOptions('member',$memberid);\r
@@ -1746,7 +1894,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_changemembersettings() {\r
                global $member, $CONF, $manager;\r
 \r
@@ -1755,20 +1905,23 @@ class ADMIN {
                // check if allowed\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
 \r
-               $name                   = trim(postVar('name'));\r
-               $realname               = trim(postVar('realname'));\r
-               $password               = postVar('password');\r
-               $repeatpassword = postVar('repeatpassword');\r
-               $email                  = postVar('email');\r
-               $url                    = postVar('url');\r
-\r
-               // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
-               if (!eregi("^https?://", $url))\r
-                       $url = "http://".$url;\r
-\r
-               $admin                  = postVar('admin');\r
-               $canlogin               = postVar('canlogin');\r
-               $notes                  = postVar('notes');\r
+               $name              = trim(strip_tags(postVar('name')));\r
+               $realname          = trim(strip_tags(postVar('realname')));\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
+               $email            = strip_tags(postVar('email'));\r
+               $url                    = strip_tags(postVar('url'));\r
+\r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: !eregi("^https?://", $url)\r
+               // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+               if (!preg_match('#^https?://#', $url) )\r
+               {\r
+                       $url = "http://" . $url;\r
+               }\r
+               $admin            = postVar('admin');\r
+               $canlogin          = postVar('canlogin');\r
+               $notes            = strip_tags(postVar('notes'));\r
                $deflang                = postVar('deflang');\r
 \r
                $mem = MEMBER::createFromID($memberid);\r
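Review bot: the new scheme check dropped the case-insensitivity of the eregi() it replaces: `preg_match('#^https?://#', $url)` does not match `HTTP://…`, so such a URL is rewritten to `http://HTTP://…`. Add the flag: `if (!preg_match('#^https?://#i', $url) )`. strip_tags() on the name/realname/email/url/notes fields is input normalisation only; those values still need htmlspecialchars() wherever they are echoed. The function continues outside the hunk.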
@@ -1786,6 +1939,15 @@ class ADMIN {
 \r
                        if ($password && (strlen($password) < 6))\r
                                $this->error(_ERROR_PASSWORDTOOSHORT);\r
+\r
+                       if ($password) {\r
+                               $pwdvalid = true;\r
+                               $pwderror = '';\r
+                               $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                               if (!$pwdvalid) {\r
+                                       $this->error($pwderror);\r
+                               }\r
+                       }\r
                }\r
 \r
                if (!isValidMailAddress($email))\r
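Review bot: The new `$manager->notify('PrePasswordSet', …)` call relies on `$manager` having been imported with `global` in the enclosing method, whose header lies outside this hunk; if that method only declares `global $member`, it needs `global $member, $manager;` as the commit adds for `action_memberadd`. The same validation block reappears verbatim in `action_activatesetpwd` later in this commit, so a small private helper such as `_validatePassword($password)` that returns the plugin's error string (empty when valid) would keep the two paths from drifting.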
@@ -1800,12 +1962,12 @@ class ADMIN {
 \r
                // check if there will remain at least one site member with both the logon and admin rights\r
                // (check occurs when taking away one of these rights from such a member)\r
-               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
+               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
                         || (!$canlogin && $mem->isAdmin() && $mem->canLogin())\r
                   )\r
                {\r
                        $r = sql_query('SELECT * FROM '.sql_table('member').' WHERE madmin=1 and mcanlogin=1');\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                $this->error(_ERROR_ATLEASTONEADMIN);\r
                }\r
 \r
@@ -1815,9 +1977,6 @@ class ADMIN {
                                $mem->setPassword($password);\r
                }\r
 \r
-               if ($newpass)\r
-                       $mem->setPassword($password);\r
-\r
                $oldEmail = $mem->getEmail();\r
 \r
                $mem->setRealName($realname);\r
@@ -1833,28 +1992,33 @@ class ADMIN {
                        $mem->setCanLogin($canlogin);\r
                }\r
 \r
+               $autosave = postVar ('autosave');\r
+               $mem->setAutosave($autosave);\r
 \r
                $mem->write();\r
 \r
+               // store plugin options\r
+               $aOptions = requestArray('plugoption');\r
+               NucleusPlugin::_applyPluginOptions($aOptions);\r
+               $manager->notify('PostPluginOptionsUpdate',array('context' => 'member', 'memberid' => $memberid, 'member' => &$mem));\r
+\r
                // if email changed, generate new password\r
                if ($oldEmail != $mem->getEmail())\r
                {\r
                        $mem->sendActivationLink('addresschange', $oldEmail);\r
                        // logout member\r
                        $mem->newCookieKey();\r
-                       $member->logout();\r
+\r
+                       // only log out if the member being edited is the current member.\r
+                       if ($member->getID() == $memberid)\r
+                               $member->logout();\r
                        $this->action_login(_MSG_ACTIVATION_SENT, 0);\r
                        return;\r
                }\r
 \r
 \r
-               // store plugin options\r
-               $aOptions = requestArray('plugoption');\r
-               NucleusPlugin::_applyPluginOptions($aOptions);\r
-               $manager->notify('PostPluginOptionsUpdate',array('context' => 'member', 'memberid' => $memberid, 'member' => &$mem));\r
-\r
                if (  ( $mem->getID() == $member->getID() )\r
-                  && ( $newpass || ( $mem->getDisplayName() != $member->getDisplayName() ) )\r
+                  && ( $mem->getDisplayName() != $member->getDisplayName() )\r
                   ) {\r
                        $mem->newCookieKey();\r
                        $member->logout();\r
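Review bot: `$autosave = postVar('autosave')` is stored through `$mem->setAutosave()` as the raw POST string, while the other numeric flags in this file are read with `intPostVar()` (for example `notifyComment` in `action_blogsettingsupdate`); unless `setAutosave()` normalises its argument itself, use `$mem->setAutosave(intPostVar('autosave'));` so a non-numeric value cannot reach the member record. The new logout guard compares `$member->getID() == $memberid` loosely; `intval($memberid)` makes the intent explicit. The enclosing method begins outside this hunk.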
@@ -1864,8 +2028,11 @@ class ADMIN {
                }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberadd() {\r
-               global $member;\r
+               global $member, $manager;\r
 \r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
@@ -1879,6 +2046,11 @@ class ADMIN {
                if ($res != 1)\r
                        $this->error($res);\r
 \r
+               // fire PostRegister event\r
+               $newmem = new MEMBER();\r
+               $newmem->readFromName(postVar('name'));\r
+               $manager->notify('PostRegister',array('member' => &$newmem));\r
+\r
                $this->action_usermanagement();\r
        }\r
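Review bot: `$newmem->readFromName(postVar('name'))` looks the new member up by the raw POST value, whereas the member-edit path earlier in this commit stores `trim(strip_tags(postVar('name')))`; if the creation call (outside this hunk) normalises the name the same way, the lookup can miss and `PostRegister` fires with an unpopulated `MEMBER`. Reuse the variable the method already passed to the creation call, and guard the notification on a populated record, e.g. `if ($newmem->getID()) { $manager->notify('PostRegister', array('member' => &$newmem)); }` — hedged, since what `readFromName()` leaves behind on a miss is not visible here.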
 \r
@@ -1893,6 +2065,9 @@ class ADMIN {
                $this->_showActivationPage($key);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function _showActivationPage($key, $message = '')\r
        {\r
                global $manager;\r
@@ -1992,7 +2167,7 @@ class ADMIN {
         * @author dekarma\r
         */\r
        function action_activatesetpwd() {\r
-\r
+               \r
                $key = postVar('key');\r
 \r
                // clean up old activation keys\r
@@ -2009,17 +2184,25 @@ class ADMIN {
                if (!$mem)\r
                        return $this->_showActivationPage($key, _ERROR_ACTIVATE);\r
 \r
-               $password               = postVar('password');\r
-               $repeatpassword = postVar('repeatpassword');\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
 \r
                if ($password != $repeatpassword)\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDMISMATCH);\r
 \r
                if ($password && (strlen($password) < 6))\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
-\r
+               \r
+               if ($password) {\r
+                       $pwdvalid = true;\r
+                       $pwderror = '';\r
+                       global $manager;\r
+                       $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                       if (!$pwdvalid) {\r
+                               return $this->_showActivationPage($key,$pwderror);\r
+                       }\r
+               }\r
                $error = '';\r
-               global $manager;\r
                $manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
                if ($error != '')\r
                        return $this->_showActivationPage($key, $error);\r
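Review bot: `global $manager;` is now executed only inside `if ($password) { … }`, but the `ValidateForm` notification after that block still dereferences `$manager`; when the submitted password is empty (blank `$password` and `$repeatpassword` pass the mismatch check, and `'0'` is falsy too), `$manager` is an undefined local and the call fails. Restore the unconditional import the hunk removed by placing `global $manager;` before the `if ($password) {` line, or at the top of the method, whose header is outside this hunk. Whether an empty password should be accepted at all on activation is a separate question the code after the hunk would have to answer.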
@@ -2039,8 +2222,8 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Manage team\r
-         */\r
+        * Manage team\r
+        */\r
        function action_manageteam() {\r
                global $member, $manager;\r
 \r
@@ -2066,6 +2249,7 @@ class ADMIN {
                $template['content'] = 'teamlist';\r
                $template['tabindex'] = 10;\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $batch =& new BATCH('team');\r
                $batch->showlist($query, 'table', $template);\r
 \r
@@ -2080,7 +2264,7 @@ class ADMIN {
 \r
                        <table><tr>\r
                                <td><?php echo _TEAM_CHOOSEMEMBER?></td>\r
-                               <td><?php                                       // TODO: try to make it so only non-team-members are listed\r
+                               <td><?php                                  // TODO: try to make it so only non-team-members are listed\r
                                        $query =  'SELECT mname as text, mnumber as value'\r
                                                   . ' FROM '.sql_table('member');\r
 \r
@@ -2102,8 +2286,8 @@ class ADMIN {
        }\r
 \r
        /**\r
-         * Add member tot tram\r
-         */\r
+        * Add member to team\r
+        */\r
        function action_teamaddmember() {\r
                global $member, $manager;\r
 \r
@@ -2122,6 +2306,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamdelete() {\r
                global $member, $manager;\r
 \r
@@ -2138,7 +2325,7 @@ class ADMIN {
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
 \r
-                       <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo  $teammem->getDisplayName() ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo  htmlspecialchars(strip_tags($blog->getName())) ?></b>\r
+                       <p><?php echo _CONFIRMTXT_TEAM1?><b><?php echo  htmlspecialchars($teammem->getDisplayName()) ?></b><?php echo _CONFIRMTXT_TEAM2?><b><?php echo  htmlspecialchars(strip_tags($blog->getName())) ?></b>\r
                        </p>\r
 \r
 \r
@@ -2153,6 +2340,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamdeleteconfirm() {\r
                global $member;\r
 \r
@@ -2167,6 +2357,9 @@ class ADMIN {
                $this->action_manageteam();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneTeamMember($blogid, $memberid) {\r
                global $member, $manager;\r
 \r
@@ -2178,28 +2371,31 @@ class ADMIN {
                        return _ERROR_DISALLOWED;\r
 \r
                // check if: - there remains at least one blog admin\r
-               //           - (there remains at least one team member)\r
+               //                 - (there remains at least one team member)\r
                $tmem = MEMBER::createFromID($memberid);\r
 \r
-               $manager->notify('PreDeleteTeamMember', array('member' => &$mem, 'blogid' => $blogid));\r
+               $manager->notify('PreDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
 \r
                if ($tmem->isBlogAdmin($blogid)) {\r
                        // check if there are more blog members left and at least one admin\r
                        // (check for at least two admins before deletion)\r
                        $query = 'SELECT * FROM '.sql_table('team') . ' WHERE tblog='.$blogid.' and tadmin=1';\r
                        $r = sql_query($query);\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                return _ERROR_ATLEASTONEBLOGADMIN;\r
                }\r
 \r
                $query = 'DELETE FROM '.sql_table('team')." WHERE tblog=$blogid and tmember=$memberid";\r
                sql_query($query);\r
 \r
-               $manager->notify('PostDeleteTeamMember', array('member' => &$mem, 'blogid' => $blogid));\r
+               $manager->notify('PostDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
 \r
                return '';\r
        }\r
 \r
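Review bot: `$blogid` and `$memberid` are concatenated straight into both SQL statements in `deleteOneTeamMember()` (the `tadmin=1` count and the `DELETE`), and the hunk adds no cast; the function's signature sits outside the hunk, so callers may already pass integers, but a helper that is called from more than one action should enforce that itself with `$blogid = intval($blogid); $memberid = intval($memberid);` at the top. The `$mem` → `$tmem` correction in both notify calls is right; plugins previously received an undefined variable.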
+       /**\r
+        * @todo document this\r
+        */\r
        function action_teamchangeadmin() {\r
                global $member;\r
 \r
@@ -2214,7 +2410,7 @@ class ADMIN {
                // don't allow when there is only one admin at this moment\r
                if ($mem->isBlogAdmin($blogid)) {\r
                        $r = sql_query('SELECT * FROM '.sql_table('team') . " WHERE tblog=$blogid and tadmin=1");\r
-                       if (mysql_num_rows($r) == 1)\r
+                       if (sql_num_rows($r) == 1)\r
                                $this->error(_ERROR_ATLEASTONEBLOGADMIN);\r
                }\r
 \r
@@ -2233,6 +2429,9 @@ class ADMIN {
                        $this->action_overview(_MSG_ADMINCHANGED);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_blogsettings() {\r
                global $member, $manager;\r
 \r
@@ -2252,11 +2451,11 @@ class ADMIN {
 \r
                <h3><?php echo _EBLOG_TEAM_TITLE?></h3>\r
 \r
-               <p>Members currently on your team:\r
+               <p><?php echo _EBLOG_CURRENT_TEAM_MEMBER; ?>\r
                <?php\r
                        $res = sql_query('SELECT mname, mrealname FROM ' . sql_table('member') . ',' . sql_table('team') . ' WHERE mnumber=tmember AND tblog=' . intval($blogid));\r
                        $aMemberNames = array();\r
-                       while ($o = mysql_fetch_object($res))\r
+                       while ($o = sql_fetch_object($res))\r
                                array_push($aMemberNames, htmlspecialchars($o->mname) . ' (' . htmlspecialchars($o->mrealname). ')');\r
                        echo implode(',', $aMemberNames);\r
                ?>\r
@@ -2321,8 +2520,12 @@ class ADMIN {
                        </td>\r
                        <td><?php $this->input_yesno('public',$blog->isPublic(),70); ?></td>\r
                </tr><tr>\r
+       <td><?php echo _EBLOG_REQUIREDEMAIL?>\r
+                </td>\r
+                <td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
+         </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
-                       <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+                       <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY_ON?></td>\r
                        <td>\r
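Review bot: The new `_EBLOG_REQUIREDEMAIL` row is indented with spaces at a different depth from the surrounding tab-indented `<tr>`/`<td>` lines, which makes it stand out in the template; re-indent the four added lines to match the `<td>` lines directly above and below. The chosen `tabindex` of 72 sits between `public` (70) and `notify` (80), so the tab order itself is consistent.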
@@ -2339,9 +2542,6 @@ class ADMIN {
                                /><label for="notifyNewItem"><?php echo _EBLOG_NOTIFY_ITEM?></label>\r
                        </td>\r
                </tr><tr>\r
-                       <td><?php echo _EBLOG_PING?> <?php help('pinguserland'); ?></td>\r
-                       <td><?php $this->input_yesno('pinguserland',$blog->pingUserland(),85); ?></td>\r
-               </tr><tr>\r
                        <td><?php echo _EBLOG_MAXCOMMENTS?> <?php help('blogmaxcomments'); ?></td>\r
                        <td><input name="maxcomments" tabindex="90" size="3" value="<?php echo  htmlspecialchars($blog->getMaxComments()); ?>" /></td>\r
                </tr><tr>\r
@@ -2391,6 +2591,7 @@ class ADMIN {
                $template['content'] = 'categorylist';\r
                $template['tabindex'] = 200;\r
 \r
+               $manager->loadClass("ENCAPSULATE");\r
                $batch =& new BATCH('category');\r
                $batch->showlist($query,'table',$template);\r
 \r
@@ -2431,6 +2632,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorynew() {\r
                global $member, $manager;\r
 \r
@@ -2444,18 +2648,20 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
-               $blog           =& $manager->getBlog($blogid);\r
-               $newCatID       =  $blog->createNewCategory($cname, $cdesc);\r
+               $blog      =& $manager->getBlog($blogid);\r
+               $newCatID   =  $blog->createNewCategory($cname, $cdesc);\r
 \r
                $this->action_blogsettings();\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categoryedit($catid = '', $blogid = '', $desturl = '') {\r
                global $member, $manager;\r
 \r
@@ -2471,7 +2677,7 @@ class ADMIN {
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cblog=$blogid AND catid=$catid");\r
-               $obj = mysql_fetch_object($res);\r
+               $obj = sql_fetch_object($res);\r
 \r
                $cname = $obj->cname;\r
                $cdesc = $obj->cdesc;\r
@@ -2479,6 +2685,8 @@ class ADMIN {
                $extrahead = '<script type="text/javascript" src="javascript/numbercheck.js"></script>';\r
                $this->pagehead($extrahead);\r
 \r
+               echo "<p><a href='index.php?action=blogsettings&amp;blogid=$blogid'>(",_BACK_TO_BLOGSETTINGS,")</a></p>";\r
+\r
                ?>\r
                <h2><?php echo _EBLOG_CAT_UPDATE?> '<?php echo htmlspecialchars($cname)?>'</h2>\r
                <form method='post' action='index.php'><div>\r
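Review bot: The added back link interpolates `$blogid` into an HTML attribute; the query a few lines above concatenates the same variable into SQL, so it is presumably already an integer from an `int*Var()` helper, but that cast is outside this hunk. Writing it as `echo "<p><a href='index.php?action=blogsettings&amp;blogid=" . intval($blogid) . "'>(", _BACK_TO_BLOGSETTINGS, ")</a></p>";` keeps the link safe regardless of how the method is entered.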
@@ -2513,7 +2721,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categoryupdate() {\r
                global $member, $manager;\r
 \r
@@ -2528,14 +2738,14 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
                $query =  'UPDATE '.sql_table('category').' SET'\r
-                          . " cname='" . addslashes($cname) . "',"\r
-                          . " cdesc='" . addslashes($cdesc) . "'"\r
+                          . " cname='" . sql_real_escape_string($cname) . "',"\r
+                          . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
                           . " WHERE catid=" . $catid;\r
 \r
                sql_query($query);\r
@@ -2554,6 +2764,9 @@ class ADMIN {
                }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorydelete() {\r
                global $member, $manager;\r
 \r
@@ -2575,7 +2788,7 @@ class ADMIN {
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        $this->error(_ERROR_DELETELASTCATEGORY);\r
 \r
 \r
@@ -2584,7 +2797,7 @@ class ADMIN {
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
 \r
                        <div>\r
-                       <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo  $blog->getCategoryName($catid)?></b>\r
+                       <?php echo _CONFIRMTXT_CATEGORY?><b><?php echo  htmlspecialchars($blog->getCategoryName($catid))?></b>\r
                        </div>\r
 \r
                        <form method="post" action="index.php"><div>\r
@@ -2598,6 +2811,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_categorydeleteconfirm() {\r
                global $member, $manager;\r
 \r
@@ -2613,13 +2829,14 @@ class ADMIN {
                $this->action_blogsettings();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOneCategory($catid) {\r
                global $manager, $member;\r
 \r
                $catid = intval($catid);\r
 \r
-               $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
-\r
                $blogid = getBlogIDFromCatID($catid);\r
 \r
                if (!$member->blogAdminRights($blogid))\r
@@ -2641,9 +2858,11 @@ class ADMIN {
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        return _ERROR_DELETELASTCATEGORY;\r
 \r
+               $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
+\r
                // change category for all items to the default category\r
                $query = 'UPDATE '.sql_table('item')." SET icat=$destcatid WHERE icat=$catid";\r
                sql_query($query);\r
@@ -2659,6 +2878,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function moveOneCategory($catid, $destblogid) {\r
                global $manager, $member;\r
 \r
@@ -2701,7 +2923,7 @@ class ADMIN {
                // update comments table (cblog)\r
                $query = 'SELECT inumber FROM '.sql_table('item').' WHERE icat='.$catid;\r
                $items = sql_query($query);\r
-               while ($oItem = mysql_fetch_object($items)) {\r
+               while ($oItem = sql_fetch_object($items)) {\r
                        sql_query('UPDATE '.sql_table('comment').' SET cblog='.$destblogid.' WHERE citem='.$oItem->inumber);\r
                }\r
 \r
@@ -2724,6 +2946,9 @@ class ADMIN {
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_blogsettingsupdate() {\r
                global $member, $manager;\r
 \r
@@ -2733,16 +2958,16 @@ class ADMIN {
 \r
                $blog =& $manager->getBlog($blogid);\r
 \r
-               $notify                 = trim(postVar('notify'));\r
-               $shortname              = trim(postVar('shortname'));\r
-               $updatefile             = trim(postVar('update'));\r
+               $notify          = trim(postVar('notify'));\r
+               $shortname        = trim(postVar('shortname'));\r
+               $updatefile      = trim(postVar('update'));\r
 \r
-               $notifyComment  = intPostVar('notifyComment');\r
-               $notifyVote             = intPostVar('notifyVote');\r
-               $notifyNewItem  = intPostVar('notifyNewItem');\r
+               $notifyComment  = intPostVar('notifyComment');\r
+               $notifyVote      = intPostVar('notifyVote');\r
+               $notifyNewItem  = intPostVar('notifyNewItem');\r
 \r
                if ($notifyComment == 0)        $notifyComment = 1;\r
-               if ($notifyVote == 0)           $notifyVote = 1;\r
+               if ($notifyVote == 0)      $notifyVote = 1;\r
                if ($notifyNewItem == 0)        $notifyNewItem = 1;\r
 \r
                $notifyType = $notifyComment * $notifyVote * $notifyNewItem;\r
@@ -2777,11 +3002,11 @@ class ADMIN {
                $blog->setDefaultSkin(intPostVar('defskin'));\r
                $blog->setDescription(trim(postVar('desc')));\r
                $blog->setPublic(postVar('public'));\r
-               $blog->setPingUserland(postVar('pinguserland'));\r
                $blog->setConvertBreaks(intPostVar('convertbreaks'));\r
                $blog->setAllowPastPosting(intPostVar('allowpastposting'));\r
                $blog->setDefaultCategory(intPostVar('defcat'));\r
                $blog->setSearchable(intPostVar('searchable'));\r
+               $blog->setEmailRequired(intPostVar('reqemail'));\r
 \r
                $blog->writeSettings();\r
 \r
@@ -2794,6 +3019,9 @@ class ADMIN {
                $this->action_overview(_MSG_SETTINGSCHANGED);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_deleteblog() {\r
                global $member, $CONF, $manager;\r
 \r
@@ -2828,6 +3056,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_deleteblogconfirm() {\r
                global $member, $CONF, $manager;\r
 \r
@@ -2873,6 +3104,9 @@ class ADMIN {
                $this->action_overview(_DELETED_BLOG);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberdelete() {\r
                global $member, $manager;\r
 \r
@@ -2886,11 +3120,11 @@ class ADMIN {
                ?>\r
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
 \r
-                       <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo  $mem->getDisplayName() ?></b>\r
+                       <p><?php echo _CONFIRMTXT_MEMBER?><b><?php echo htmlspecialchars($mem->getDisplayName()) ?></b>\r
                        </p>\r
 \r
                        <p>\r
-                       Please note that media files will <b>NOT</b> be deleted. (At least not in this Nucleus version)\r
+                       <?php echo _WARNINGTXT_NOTDELMEDIAFILES ?>\r
                        </p>\r
 \r
                        <form method="post" action="index.php"><div>\r
@@ -2903,6 +3137,9 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_memberdeleteconfirm() {\r
                global $member;\r
 \r
@@ -2920,7 +3157,10 @@ class ADMIN {
                        $this->action_overview(_DELETED_MEMBER);\r
        }\r
 \r
-       // (static)\r
+       /**\r
+        * @static\r
+        * @todo document this\r
+        */\r
        function deleteOneMember($memberid) {\r
                global $manager;\r
 \r
@@ -2932,6 +3172,13 @@ class ADMIN {
 \r
                $manager->notify('PreDeleteMember', array('member' => &$mem));\r
 \r
+               /* unlink comments from memberid */\r
+               if ($memberid) {\r
+                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
+                                  .'" WHERE cmember='.$memberid;\r
+                       sql_query($query);\r
+               }\r
+\r
                $query = 'DELETE FROM '.sql_table('member').' WHERE mnumber='.$memberid;\r
                sql_query($query);\r
 \r
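Review bot: `$memberid` is interpolated into the new comment-unlinking `UPDATE` (and the existing `DELETE`) after only a truthiness check, with no `intval()` anywhere in the hunk; `deleteOneMember()`'s parameter is declared outside the hunk and the `@static` docblock suggests it is called from several places, so cast it once before the guard: `$memberid = intval($memberid);`. Setting `cuser` from `$mem->getDisplayName()` is correctly passed through `sql_real_escape_string()`.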
@@ -2949,6 +3196,9 @@ class ADMIN {
                return '';\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_createnewlog() {\r
                global $member, $CONF, $manager;\r
 \r
@@ -2961,18 +3211,18 @@ class ADMIN {
                ?>\r
                <h2><?php echo _EBLOG_CREATE_TITLE?></h2>\r
 \r
-               <h3>注意事項</h3>\r
+               <h3><?php echo _ADMIN_NOTABILIA ?></h3>\r
 \r
-               <p>作成にあたって、下記の<strong>注意事項</strong> をまずお読み下さい</p>\r
+               <p><?php echo _ADMIN_PLEASE_READ ?></p>\r
 \r
-               <p>新しいweblogを作成した後に、このblogにアクセスするための方法を紹介しておきます。方法は2つあります:</p>\r
+               <p><?php echo _ADMIN_HOW_TO_ACCESS ?></p>\r
 \r
                <ol>\r
-                       <li><strong>簡単な方法:</strong> <code>index.php</code>の複製を作り、新しいblogを表示するように変更を加えます。 この変更の詳細は、作成後に表示されます。</li>\r
-                       <li><strong>高度な方法:</strong> 現在のblogで使用しているスキンに<code>otherblog</code>というコードを使った記述を加えます。この方法では、同じページ内で複数のblogを展開することが可能となります。</li>\r
+                       <li><?php echo _ADMIN_SIMPLE_WAY ?></li>\r
+                       <li><?php echo _ADMIN_ADVANCED_WAY ?></li>\r
                </ol>\r
 \r
-               <h3>Weblogの作成</h3>\r
+               <h3><?php echo _ADMIN_HOW_TO_CREATE ?></h3>\r
 \r
                <p>\r
                <?php echo _EBLOG_CREATE_TEXT?>\r
@@ -3005,7 +3255,7 @@ class ADMIN {
                                                   . ' FROM '.sql_table('skin_desc');\r
                                        $template['name'] = 'defskin';\r
                                        $template['tabindex'] = 50;\r
-                                       $template['selected'] = $CONF['BaseSkin'];      // set default selected skin to be globally defined base skin\r
+                                       $template['selected'] = $CONF['BaseSkin'];  // set default selected skin to be globally defined base skin\r
                                        showlist($query,'select',$template);\r
                                ?>\r
                        </td>\r
@@ -3017,7 +3267,7 @@ class ADMIN {
                        <td><input name="timeoffset" tabindex="110" size="3" value="0" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_ADMIN?>\r
-                               <?php help('blogadmin'); ?>\r
+                               <?php help('teamadmin'); ?>\r
                        </td>\r
                        <td><?php echo _EBLOG_ADMIN_MSG?></td>\r
                </tr><tr>\r
@@ -3030,17 +3280,20 @@ class ADMIN {
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_addnewlog() {\r
                global $member, $manager, $CONF;\r
 \r
                // Only Super-Admins can do this\r
                $member->isAdmin() or $this->disallow();\r
 \r
-               $bname                  = trim(postVar('name'));\r
-               $bshortname             = trim(postVar('shortname'));\r
+               $bname            = trim(postVar('name'));\r
+               $bshortname      = trim(postVar('shortname'));\r
                $btimeoffset    = postVar('timeoffset');\r
-               $bdesc                  = trim(postVar('desc'));\r
-               $bdefskin               = postVar('defskin');\r
+               $bdesc            = trim(postVar('desc'));\r
+               $bdefskin          = postVar('defskin');\r
 \r
                if (!isValidShortName($bshortname))\r
                        $this->error(_ERROR_BADSHORTBLOGNAME);\r
@@ -3051,31 +3304,35 @@ class ADMIN {
                $manager->notify(\r
                        'PreAddBlog',\r
                        array(\r
-                               'name' => &$bname,\r
-                               'shortname' => &$bshortname,\r
-                               'timeoffset' => &$btimeoffset,\r
-                               'description' => &$bdescription,\r
+                               'name'          => &$bname,\r
+                               'shortname'   => &$bshortname,\r
+                               'timeoffset'  => &$btimeoffset,\r
+                               'description' => &$bdesc,\r
                                'defaultskin' => &$bdefskin\r
                        )\r
                );\r
 \r
 \r
                // add slashes for sql queries\r
-               $bname =                addslashes($bname);\r
-               $bshortname =   addslashes($bshortname);\r
-               $btimeoffset =  addslashes($btimeoffset);\r
-               $bdesc =                addslashes($bdesc);\r
-               $bdefskin =     addslashes($bdefskin);\r
+               $bname     = sql_real_escape_string($bname);\r
+               $bshortname  = sql_real_escape_string($bshortname);\r
+               $btimeoffset = sql_real_escape_string($btimeoffset);\r
+               $bdesc     = sql_real_escape_string($bdesc);\r
+               $bdefskin       = sql_real_escape_string($bdefskin);\r
 \r
                // create blog\r
                $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
                sql_query($query);\r
-               $blogid = mysql_insert_id();\r
-               $blog   =& $manager->getBlog($blogid);\r
+               $blogid = sql_insert_id();\r
+               $blog   =& $manager->getBlog($blogid);\r
 \r
                // create new category\r
-               sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, 'General','Items that do not fit in other categories')");\r
-               $catid = mysql_insert_id();\r
+               $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+               $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
+               $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
+               sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
+//             sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
+               $catid = sql_insert_id();\r
 \r
                // set as default category\r
                $blog->setDefaultCategory($catid);\r
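Review bot: `$catdefname` and `$catdefdesc` are substituted into the category `INSERT` via `sprintf` without `sql_real_escape_string()`; they come from language-file constants, so a translation containing a quote breaks the statement, and the values are wrapped in double quotes, which MySQL only treats as string delimiters outside `ANSI_QUOTES` mode. Use `$sql = "INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, '%s', '%s')";` and pass `sql_real_escape_string($catdefname), sql_real_escape_string($catdefdesc)` to `sprintf`. The commented-out old statement on the following line should be deleted rather than kept. Note also that the `PostAddCategory` notification further down uses `_EBLOGDEFAULTCATEGORY_NAME` and `_EBLOGDEFAULTCATEGORY_DESC` unconditionally, so the `defined()` fallbacks here only protect the query, not the plugin event.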
@@ -3085,10 +3342,15 @@ class ADMIN {
                $memberid = $member->getID();\r
                $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
                sql_query($query);\r
-\r
-\r
-               $blog->additem($blog->getDefaultCategory(),'First Item','これはあなたのweblogにおける最初のアイテムです。自由に削除していただいてかまいません。','',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
-\r
+               \r
+               $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+               $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+               \r
+               $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               \r
+               \r
+               \r
                $manager->notify(\r
                        'PostAddBlog',\r
                        array(\r
@@ -3099,24 +3361,27 @@ class ADMIN {
                $manager->notify(\r
                        'PostAddCategory',\r
                        array(\r
-                               'catid' => $catid\r
+                               'blog'          => &$blog,\r
+                               'name'          => _EBLOGDEFAULTCATEGORY_NAME,\r
+                               'description' => _EBLOGDEFAULTCATEGORY_DESC,\r
+                               'catid'    => $catid\r
                        )\r
                );\r
 \r
                $this->pagehead();\r
                ?>\r
-               <h2>新しいweblogが作成されました</h2>\r
+               <h2><?php echo _BLOGCREATED_TITLE ?></h2>\r
 \r
-               <p>新しいweblog 「<?php echo htmlspecialchars($bname)?>」が作成されました。続けて、これにアクセスするために以下のどちらかの手順に進んでください。</p>\r
+               <p><?php echo sprintf(_BLOGCREATED_ADDEDTXT, htmlspecialchars($bname)) ?></p>\r
 \r
                <ol>\r
-                       <li><a href="#index_php">簡単な方法: 下のコードを貼付けた <code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成する</a></li>\r
-                       <li><a href="#skins">高度な方法: 現在使用しているスキンに新しいweblogを展開させるための記述を加える</a></li>\r
+                       <li><a href="#index_php"><?php echo sprintf(_BLOGCREATED_SIMPLEWAY, htmlspecialchars($bshortname)) ?></a></li>\r
+                       <li><a href="#skins"><?php echo _BLOGCREATED_ADVANCEDWAY ?></a></li>\r
                </ol>\r
 \r
-               <h3><a id="index_php">方法 1: <code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成</a></h3>\r
+               <h3><a id="index_php"><?php echo sprintf(_BLOGCREATED_SIMPLEDESC1, htmlspecialchars($bshortname)) ?></a></h3>\r
 \r
-               <p><code><?php echo htmlspecialchars($bshortname)?>.php</code> というファイルを作成して、中身に以下のコードを貼り付ける:</p>\r
+               <p><?php echo sprintf(_BLOGCREATED_SIMPLEDESC2, htmlspecialchars($bshortname)) ?></p>\r
 <pre><code>&lt;?php\r
 \r
 $CONF['Self'] = '<b><?php echo htmlspecialchars($bshortname)?>.php</b>';\r
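Review bot: `'name' => _EBLOGDEFAULTCATEGORY_NAME` and `'description' => _EBLOGDEFAULTCATEGORY_DESC` in the PostAddCategory payload use the constants bare, while the category insert earlier in the same function guards them with `defined()` and falls back to `$catdefname`/`$catdefdesc`. If a language file lacks the constants, this notify call raises a notice and passes the literal constant name, so the event data would not match the row that was just written. Reusing the values already computed, `'name' => $catdefname, 'description' => $catdefdesc,`, keeps both places consistent. Separately, the `$bname` shown through `htmlspecialchars($bname)` has already been passed through `sql_real_escape_string`, so a name containing a quote renders with a stray backslash; that predates this change but a copy kept for display would avoid it. The enclosing action_addnewlog begins outside this hunk.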
@@ -3128,10 +3393,9 @@ selector();
 \r
 ?&gt;</code></pre>\r
 \r
-               <p>すでにある<code>index.php</code>と同じディレクトリにアップロードします。</p>\r
-\r
-               <p>新しいweblogの作成を完了するためには、下にこのファイルのURLを入力してください。 (すでに用意した値で合っているとは思いますが保証はしません):</p>\r
+               <p><?php echo _BLOGCREATED_SIMPLEDESC3 ?></p>\r
 \r
+               <p><?php echo _BLOGCREATED_SIMPLEDESC4 ?></p>\r
 \r
                <form action="index.php" method="post"><div>\r
                        <input type="hidden" name="action" value="addnewlog2" />\r
@@ -3146,10 +3410,9 @@ selector();
                        </tr></table>\r
                </div></form>\r
 \r
-               <h3><a id="skins">方法 2: 現在使用しているスキンに新しいweblogを展開する記述を加える</a></h3>\r
-\r
-               <p>新しいweblogの作成を完了するためには、下にURLを入力してください。 (大抵は既存blogと同じURL)</p>\r
+               <h3><a id="skins"><?php echo _BLOGCREATED_ADVANCEDWAY2 ?></a></h3>\r
 \r
+               <p><?php echo _BLOGCREATED_ADVANCEDWAY3 ?></p>\r
 \r
                <form action="index.php" method="post"><div>\r
                        <input type="hidden" name="action" value="addnewlog2" />\r
@@ -3164,17 +3427,20 @@ selector();
                        </tr></table>\r
                </div></form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_addnewlog2() {\r
                global $member, $manager;\r
 \r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
-               $burl   = requestVar('url');\r
-               $blogid = intRequestVar('blogid');\r
+               $burl   = requestVar('url');\r
+               $blogid = intRequestVar('blogid');\r
 \r
                $blog =& $manager->getBlog($blogid);\r
                $blog->setURL(trim($burl));\r
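Review bot: `$member->blogAdminRights($blogid) or $this->disallow();` runs before `$blogid = intRequestVar('blogid');`, so the permission check evaluates an undefined variable rather than the blog the request names; the commit only re-indents these lines. Whatever blogAdminRights() does with a null id, the check as written cannot gate on the requested blog, while `$blog->setURL(trim($burl))` below does act on it. Move the assignment above the check so it reads `$blogid = intRequestVar('blogid'); $member->blogAdminRights($blogid) or $this->disallow();`. action_addnewlog2's body continues past the end of this hunk.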
@@ -3183,6 +3449,9 @@ selector();
                $this->action_overview(_MSG_NEWBLOG);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieoverview() {\r
                global $member, $DIR_LIBS, $manager;\r
 \r
@@ -3199,7 +3468,7 @@ selector();
                <h2><?php echo _SKINIE_TITLE_IMPORT?></h2>\r
 \r
                                <p><label for="skinie_import_local"><?php echo _SKINIE_LOCAL?></label>\r
-                               <?php                                   global $DIR_SKINS;\r
+                               <?php                              global $DIR_SKINS;\r
 \r
                                        $candidates = SKINIMPORT::searchForCandidates($DIR_SKINS);\r
 \r
@@ -3210,7 +3479,7 @@ selector();
                                                                <?php $manager->addTicketHidden() ?>\r
                                                                <input type="hidden" name="mode" value="file" />\r
                                                                <select name="skinfile" id="skinie_import_local">\r
-                                                               <?php                                                                   foreach ($candidates as $skinname => $skinfile) {\r
+                                                               <?php                                                              foreach ($candidates as $skinname => $skinfile) {\r
                                                                                $html = htmlspecialchars($skinfile);\r
                                                                                echo '<option value="',$html,'">',$skinname,'</option>';\r
                                                                        }\r
@@ -3218,7 +3487,7 @@ selector();
                                                                </select>\r
                                                                <input type="submit" value="<?php echo _SKINIE_BTN_IMPORT?>" />\r
                                                        </div></form>\r
-                                               <?php                                   } else {\r
+                                               <?php                              } else {\r
                                                echo _SKINIE_NOCANDIDATES;\r
                                        }\r
                                ?>\r
@@ -3246,9 +3515,9 @@ selector();
                        <table><tr>\r
                                <th colspan="2"><?php echo _SKINIE_EXPORT_SKINS?></th>\r
                        </tr><tr>\r
-       <?php           // show list of skins\r
+       <?php      // show list of skins\r
                $res = sql_query('SELECT * FROM '.sql_table('skin_desc'));\r
-               while ($skinObj = mysql_fetch_object($res)) {\r
+               while ($skinObj = sql_fetch_object($res)) {\r
                        $id = 'skinexp' . $skinObj->sdnumber;\r
                        echo '<td><input type="checkbox" name="skin[',$skinObj->sdnumber,']"  id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($skinObj->sdname),'</label></td>';\r
@@ -3260,7 +3529,7 @@ selector();
 \r
                // show list of templates\r
                $res = sql_query('SELECT * FROM '.sql_table('template_desc'));\r
-               while ($templateObj = mysql_fetch_object($res)) {\r
+               while ($templateObj = sql_fetch_object($res)) {\r
                        $id = 'templateexp' . $templateObj->tdnumber;\r
                        echo '<td><input type="checkbox" name="template[',$templateObj->tdnumber,']" id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($templateObj->tdname),'</label></td>';\r
@@ -3284,6 +3553,9 @@ selector();
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieimport() {\r
                global $member, $DIR_LIBS, $DIR_SKINS, $manager;\r
 \r
@@ -3293,7 +3565,7 @@ selector();
                include_once($DIR_LIBS . 'skinie.php');\r
 \r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
 \r
                $importer =& new SKINIMPORT();\r
 \r
@@ -3312,6 +3584,10 @@ selector();
                // read only metadata\r
                $error = $importer->readFile($skinFile, 1);\r
 \r
+               // clashes\r
+               $skinNameClashes = $importer->checkSkinNameClashes();\r
+               $templateNameClashes = $importer->checkTemplateNameClashes();\r
+               $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
 \r
                if ($error) $this->error($error);\r
 \r
@@ -3325,8 +3601,15 @@ selector();
                        <li><p><strong><?php echo _SKINIE_INFO_GENERAL?></strong> <?php echo htmlspecialchars($importer->getInfo())?></p></li>\r
                        <li><p><strong><?php echo _SKINIE_INFO_SKINS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getSkinNames())?></p></li>\r
                        <li><p><strong><?php echo _SKINIE_INFO_TEMPLATES?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
-                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_SKINCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->checkSkinNameClashes())?></p></li>\r
-                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_TEMPLCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->checkTemplateNameClashes())?></p></li>\r
+                       <?php\r
+                               if ($hasNameClashes)\r
+                               {\r
+                       ?>\r
+                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_SKINCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$skinNameClashes)?></p></li>\r
+                       <li><p><strong style="color: red;"><?php echo _SKINIE_INFO_TEMPLCLASH?></strong> <?php echo implode(' <em>'._AND.'</em> ',$templateNameClashes)?></p></li>\r
+                       <?php\r
+                               } // if (hasNameClashes)\r
+                       ?>\r
                </ul>\r
 \r
                <form method="post" action="index.php"><div>\r
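Review bot: The new lines echo `$skinNameClashes` and `$templateNameClashes` straight into the page via implode(), whereas `getInfo()` two lines above is wrapped in htmlspecialchars(). The names originate from the uploaded or fetched skin file, so escape them the same way: `implode(' <em>'._AND.'</em> ', array_map('htmlspecialchars', $skinNameClashes))`, and likewise for the template list. The `getSkinNames()`/`getTemplateNames()` context lines have the same gap but predate this change.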
@@ -3335,8 +3618,15 @@ selector();
                        <input type="hidden" name="skinfile" value="<?php echo htmlspecialchars(postVar('skinfile'))?>" />\r
                        <input type="hidden" name="mode" value="<?php echo htmlspecialchars($mode)?>" />\r
                        <input type="submit" value="<?php echo _SKINIE_CONFIRM_IMPORT?>" />\r
+                       <?php\r
+                               if ($hasNameClashes)\r
+                               {\r
+                       ?>\r
                        <br />\r
                        <input type="checkbox" name="overwrite" value="1" id="cb_overwrite" /><label for="cb_overwrite"><?php echo _SKINIE_CONFIRM_OVERWRITE?></label>\r
+                       <?php\r
+                               } // if (hasNameClashes)\r
+                       ?>\r
                </div></form>\r
 \r
 \r
@@ -3344,6 +3634,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skiniedoimport() {\r
                global $member, $DIR_LIBS, $DIR_SKINS;\r
 \r
@@ -3353,7 +3646,7 @@ selector();
                include_once($DIR_LIBS . 'skinie.php');\r
 \r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
 \r
                $allowOverwrite = intPostVar('overwrite');\r
 \r
@@ -3394,10 +3687,13 @@ selector();
                        <li><p><strong><?php echo _SKINIE_INFO_IMPORTEDTEMPLS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
                </ul>\r
 \r
-       <?php           $this->pagefoot();\r
+       <?php      $this->pagefoot();\r
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinieexport() {\r
                global $member, $DIR_LIBS;\r
 \r
@@ -3429,6 +3725,9 @@ selector();
                $exporter->export();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateoverview() {\r
                global $member, $manager;\r
 \r
@@ -3470,6 +3769,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateedit($msg = '') {\r
                global $member, $manager;\r
 \r
@@ -3478,7 +3780,7 @@ selector();
                $member->isAdmin() or $this->disallow();\r
 \r
                $extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
-               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
 \r
                $this->pagehead($extrahead);\r
 \r
@@ -3491,9 +3793,9 @@ selector();
                <a href="index.php?action=templateoverview">(<?php echo _TEMPLATE_BACK?>)</a>\r
                </p>\r
 \r
-               <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo  $templatename; ?>'</h2>\r
+               <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo  htmlspecialchars($templatename); ?>'</h2>\r
 \r
-               <?php                                   if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+               <?php                              if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
                ?>\r
 \r
                <p><?php echo _TEMPLATE_EDIT_MSG?></p>\r
@@ -3556,37 +3858,58 @@ selector();
        $this->_templateEditRow($template, _TEMPLATE_AFOOTER, 'ARCHIVELIST_FOOTER', '', 150);\r
 ?>\r
                </tr><tr>\r
+                       <th colspan="2"><?php echo _TEMPLATE_BLOGLIST?> <?php help('templatebloglists'); ?></th>\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_BLOGHEADER, 'BLOGLIST_HEADER', '', 160);\r
+       $this->_templateEditRow($template, _TEMPLATE_BLOGITEM, 'BLOGLIST_LISTITEM', '', 170);\r
+       $this->_templateEditRow($template, _TEMPLATE_BLOGFOOTER, 'BLOGLIST_FOOTER', '', 180);\r
+?>\r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_CATEGORYLIST?> <?php help('templatecategorylists'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_CATHEADER, 'CATLIST_HEADER', '', 160);\r
-       $this->_templateEditRow($template, _TEMPLATE_CATITEM, 'CATLIST_LISTITEM', '', 170);\r
-       $this->_templateEditRow($template, _TEMPLATE_CATFOOTER, 'CATLIST_FOOTER', '', 180);\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_CATHEADER, 'CATLIST_HEADER', '', 190);\r
+       $this->_templateEditRow($template, _TEMPLATE_CATITEM, 'CATLIST_LISTITEM', '', 200);\r
+       $this->_templateEditRow($template, _TEMPLATE_CATFOOTER, 'CATLIST_FOOTER', '', 210);\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_DATETIME?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_DHEADER, 'DATE_HEADER', 'dateheads', 190);\r
-       $this->_templateEditRow($template, _TEMPLATE_DFOOTER, 'DATE_FOOTER', 'dateheads', 200);\r
-       $this->_templateEditRow($template, _TEMPLATE_DFORMAT, 'FORMAT_DATE', 'datetime', 210);\r
-       $this->_templateEditRow($template, _TEMPLATE_TFORMAT, 'FORMAT_TIME', 'datetime', 220);\r
-       $this->_templateEditRow($template, _TEMPLATE_LOCALE, 'LOCALE', 'locale', 230);\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_DHEADER, 'DATE_HEADER', 'dateheads', 220);\r
+       $this->_templateEditRow($template, _TEMPLATE_DFOOTER, 'DATE_FOOTER', 'dateheads', 230);\r
+       $this->_templateEditRow($template, _TEMPLATE_DFORMAT, 'FORMAT_DATE', 'datetime', 240);\r
+       $this->_templateEditRow($template, _TEMPLATE_TFORMAT, 'FORMAT_TIME', 'datetime', 250);\r
+       $this->_templateEditRow($template, _TEMPLATE_LOCALE, 'LOCALE', 'locale', 260);\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_IMAGE?> <?php help('templatepopups'); ?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_PCODE, 'POPUP_CODE', '', 240);\r
-       $this->_templateEditRow($template, _TEMPLATE_ICODE, 'IMAGE_CODE', '', 250);\r
-       $this->_templateEditRow($template, _TEMPLATE_MCODE, 'MEDIA_CODE', '', 260);\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_PCODE, 'POPUP_CODE', '', 270);\r
+       $this->_templateEditRow($template, _TEMPLATE_ICODE, 'IMAGE_CODE', '', 280);\r
+       $this->_templateEditRow($template, _TEMPLATE_MCODE, 'MEDIA_CODE', '', 290);\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_SEARCH?></th>\r
-<?php  $this->_templateEditRow($template, _TEMPLATE_SHIGHLIGHT, 'SEARCH_HIGHLIGHT', 'highlight',270);\r
-       $this->_templateEditRow($template, _TEMPLATE_SNOTFOUND, 'SEARCH_NOTHINGFOUND', 'nothingfound',280);\r
+<?php  $this->_templateEditRow($template, _TEMPLATE_SHIGHLIGHT, 'SEARCH_HIGHLIGHT', 'highlight',300);\r
+       $this->_templateEditRow($template, _TEMPLATE_SNOTFOUND, 'SEARCH_NOTHINGFOUND', 'nothingfound',310);\r
+?>\r
+               </tr><tr>\r
+                       <th colspan="2"><?php echo _TEMPLATE_PLUGIN_FIELDS?></th>\r
+<?php\r
+               $tab = 600;\r
+               $pluginfields = array();\r
+               $manager->notify('TemplateExtraFields',array('fields'=>&$pluginfields));\r
+\r
+               foreach ($pluginfields as $pfkey=>$pfvalue) {\r
+                       echo "</tr><tr>\n";\r
+                       echo '<th colspan="2">'.htmlentities($pfkey)."</th>\n";\r
+                       foreach ($pfvalue as $pffield=>$pfdesc) {\r
+                               $this->_templateEditRow($template, $pfdesc, $pffield, '',++$tab,0);\r
+                       }\r
+               }\r
 ?>\r
                </tr><tr>\r
                        <th colspan="2"><?php echo _TEMPLATE_UPDATE?></th>\r
                </tr><tr>\r
                        <td><?php echo _TEMPLATE_UPDATE?></td>\r
                        <td>\r
-                               <input type="submit" tabindex="290" value="<?php echo _TEMPLATE_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
-                               <input type="reset" tabindex="300" value="<?php echo _TEMPLATE_RESET_BTN?>" />\r
+                               <input type="submit" tabindex="800" value="<?php echo _TEMPLATE_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
+                               <input type="reset" tabindex="810" value="<?php echo _TEMPLATE_RESET_BTN?>" />\r
                        </td>\r
                </tr></table>\r
 \r
@@ -3596,17 +3919,24 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function _templateEditRow(&$template, $description, $name, $help = '', $tabindex = 0, $big = 0) {\r
                static $count = 1;\r
+               if (!isset($template[$name])) $template[$name] = '';\r
        ?>\r
                </tr><tr>\r
                        <td><?php echo $description?> <?php if ($help) help('template'.$help); ?></td>\r
                        <td id="td<?php echo $count?>"><textarea class="templateedit" name="<?php echo $name?>" tabindex="<?php echo $tabindex?>" cols="50" rows="<?php echo $big?10:5?>" id="textarea<?php echo $count?>"><?php echo  htmlspecialchars($template[$name]); ?></textarea></td>\r
-       <?php           $count++;\r
+       <?php      $count++;\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateupdate() {\r
-               global $member;\r
+               global $member, $manager;\r
 \r
                $templateid = intRequestVar('templateid');\r
 \r
@@ -3622,8 +3952,8 @@ selector();
                        $this->error(_ERROR_DUPTEMPLATENAME);\r
 \r
 \r
-               $name = addslashes($name);\r
-               $desc = addslashes($desc);\r
+               $name = sql_real_escape_string($name);\r
+               $desc = sql_real_escape_string($desc);\r
 \r
                // 1. Remove all template parts\r
                $query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
@@ -3655,6 +3985,9 @@ selector();
                $this->addToTemplate($templateid, 'ARCHIVELIST_HEADER', postVar('ARCHIVELIST_HEADER'));\r
                $this->addToTemplate($templateid, 'ARCHIVELIST_LISTITEM', postVar('ARCHIVELIST_LISTITEM'));\r
                $this->addToTemplate($templateid, 'ARCHIVELIST_FOOTER', postVar('ARCHIVELIST_FOOTER'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_HEADER', postVar('BLOGLIST_HEADER'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_LISTITEM', postVar('BLOGLIST_LISTITEM'));\r
+               $this->addToTemplate($templateid, 'BLOGLIST_FOOTER', postVar('BLOGLIST_FOOTER'));\r
                $this->addToTemplate($templateid, 'CATLIST_HEADER', postVar('CATLIST_HEADER'));\r
                $this->addToTemplate($templateid, 'CATLIST_LISTITEM', postVar('CATLIST_LISTITEM'));\r
                $this->addToTemplate($templateid, 'CATLIST_FOOTER', postVar('CATLIST_FOOTER'));\r
@@ -3669,15 +4002,25 @@ selector();
                $this->addToTemplate($templateid, 'MEDIA_CODE', postVar('MEDIA_CODE'));\r
                $this->addToTemplate($templateid, 'IMAGE_CODE', postVar('IMAGE_CODE'));\r
 \r
+               $pluginfields = array();\r
+               $manager->notify('TemplateExtraFields',array('fields'=>&$pluginfields));\r
+               foreach ($pluginfields as $pfkey=>$pfvalue) {\r
+                       foreach ($pfvalue as $pffield=>$pfdesc) {\r
+                               $this->addToTemplate($templateid, $pffield, postVar($pffield));\r
+                       }\r
+               }\r
 \r
                // jump back to template edit\r
                $this->action_templateedit(_TEMPLATE_UPDATED);\r
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function addToTemplate($id, $partname, $content) {\r
-               $partname = addslashes($partname);\r
-               $content = addslashes($content);\r
+               $partname = sql_real_escape_string($partname);\r
+               $content = sql_real_escape_string($content);\r
 \r
                $id = intval($id);\r
 \r
@@ -3686,10 +4029,13 @@ selector();
 \r
                $query = 'INSERT INTO '.sql_table('template')." (tdesc, tpartname, tcontent) "\r
                           . "VALUES ($id, '$partname', '$content')";\r
-               mysql_query($query) or die("Query error: " . mysql_error());\r
-               return mysql_insert_id();\r
+               sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+               return sql_insert_id();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templatedelete() {\r
                global $member, $manager;\r
 \r
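Review bot: `sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . sql_error());` sends the raw database error text to the browser and terminates mid-page, as the old `die(... mysql_error())` did. Even in the admin area that exposes table and column details on failure and bypasses the class's own `$this->error()` path used elsewhere in this file; if error() ends the request as it appears to, `sql_query($query) or $this->error(_ADMIN_SQLDIE_QUERYERROR);` and leaving the `sql_error()` detail to a server-side log would be the more defensive shape. addToTemplate begins in the previous hunk.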
@@ -3707,7 +4053,7 @@ selector();
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
 \r
                        <p>\r
-                       <?php echo _CONFIRMTXT_TEMPLATE?><b><?php echo $name?></b> (<?php echo  htmlspecialchars($desc) ?>)\r
+                       <?php echo _CONFIRMTXT_TEMPLATE?><b><?php echo htmlspecialchars($name)?></b> (<?php echo  htmlspecialchars($desc) ?>)\r
                        </p>\r
 \r
                        <form method="post" action="index.php"><div>\r
@@ -3720,6 +4066,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templatedeleteconfirm() {\r
                global $member, $manager;\r
 \r
@@ -3740,6 +4089,9 @@ selector();
                $this->action_templateoverview();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templatenew() {\r
                global $member;\r
 \r
@@ -3759,6 +4111,9 @@ selector();
                $this->action_templateoverview();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_templateclone() {\r
                global $member;\r
 \r
@@ -3786,13 +4141,16 @@ selector();
                // 3. create clone\r
                // go through parts of old template and add them to the new one\r
                $res = sql_query('SELECT tpartname, tcontent FROM '.sql_table('template').' WHERE tdesc=' . $templateid);\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        $this->addToTemplate($newid, $o->tpartname, $o->tcontent);\r
                }\r
 \r
                $this->action_templateoverview();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinoverview() {\r
                global $member, $manager;\r
 \r
@@ -3837,6 +4195,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinnew() {\r
                global $member;\r
 \r
@@ -3856,6 +4217,9 @@ selector();
                $this->action_skinoverview();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinedit() {\r
                global $member, $manager;\r
 \r
@@ -3885,7 +4249,33 @@ selector();
                        <li><a tabindex="75" href="index.php?action=skinedittype&amp;skinid=<?php echo  $skinid ?>&amp;type=imagepopup"><?php echo _SKIN_PART_POPUP?></a> <?php help('skinpartimagepopup')?></li>\r
                </ul>\r
 \r
-               <h3><?php echo _SKIN_GENSETTINGS_TITLE?></h3>\r
+               <?php\r
+\r
+               $query = "SELECT stype FROM " . sql_table('skin') . " WHERE stype NOT IN ('index', 'item', 'error', 'search', 'archive', 'archivelist', 'imagepopup', 'member') and sdesc = " . $skinid;\r
+               $res = sql_query($query);\r
+\r
+               echo '<h3>' . _SKIN_PARTS_SPECIAL . '</h3>';\r
+               echo '<form method="get" action="index.php">' . "\r\n";\r
+               echo '<input type="hidden" name="action" value="skinedittype" />' . "\r\n";\r
+               echo '<input type="hidden" name="skinid" value="' . $skinid . '" />' . "\r\n";\r
+               echo '<input name="type" tabindex="89" size="20" maxlength="20" />' . "\r\n";\r
+               echo '<input type="submit" tabindex="140" value="' . _SKIN_CREATE . '" onclick="return checkSubmit();" />' . "\r\n";\r
+               echo '</form>' . "\r\n";\r
+\r
+               if ($res && sql_num_rows($res) > 0) {\r
+                       echo '<ul>';\r
+                       $tabstart = 75;\r
+\r
+                       while ($row = sql_fetch_assoc($res)) {\r
+                               echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">'._LISTS_DELETE.'</a>)</li>';\r
+                       }\r
+\r
+                       echo '</ul>';\r
+               }\r
+\r
+               ?>\r
+\r
+               <h3><?php echo _SKIN_GENSETTINGS_TITLE; ?></h3>\r
                <form method="post" action="index.php">\r
                <div>\r
 \r
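Review bot: `$skinid` is concatenated into the new `SELECT stype ...` query and echoed unescaped into the hidden field and both links, and this hunk does not show where it comes from (action_skinedit starts outside it). If it is already an intRequestVar() result this is safe, but an `$skinid = intval($skinid);` at the top of the added block makes that evident to a reader of this code alone. The remove link (`action=skinremovetype`) is a plain GET; if that handler deletes the part without a confirmation step, it needs a ticket like the other destructive actions, which is worth confirming against the handler.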
@@ -3916,9 +4306,12 @@ selector();
                </form>\r
 \r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skineditgeneral() {\r
                global $member;\r
 \r
@@ -3951,6 +4344,9 @@ selector();
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinedittype($msg = '') {\r
                global $member, $manager;\r
 \r
@@ -3959,6 +4355,13 @@ selector();
 \r
                $member->isAdmin() or $this->disallow();\r
 \r
+               $type = trim($type);\r
+               $type = strtolower($type);\r
+\r
+               if (!isValidShortName($type)) {\r
+                       $this->error(_ERROR_SKIN_PARTS_SPECIAL_FORMAT);\r
+               }\r
+\r
                $skin =& new SKIN($skinid);\r
 \r
                $friendlyNames = SKIN::getFriendlyNames();\r
@@ -3967,9 +4370,9 @@ selector();
                ?>\r
                <p>(<a href="index.php?action=skinoverview"><?php echo _SKIN_GOBACK?></a>)</p>\r
 \r
-               <h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo  $skin->getName() ?>': <?php echo  $friendlyNames[$type] ?></h2>\r
+               <h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo htmlspecialchars($skin->getName()) ?>': <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?></h2>\r
 \r
-               <?php                   if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+               <?php              if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
                ?>\r
 \r
 \r
@@ -3983,8 +4386,12 @@ selector();
 \r
                <input type="submit" value="<?php echo _SKIN_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
                <input type="reset" value="<?php echo _SKIN_RESET_BTN?>" />\r
-               (skin type: <?php echo  $friendlyNames[$type] ?>)\r
-               <?php help('skinpart' . $type);?>\r
+               (skin type: <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)\r
+               <?php if (in_array($type, array('index', 'item', 'archivelist', 'archive', 'search', 'error', 'member', 'imagepopup'))) {\r
+                       help('skinpart' . $type);\r
+               } else {\r
+                       help('skinpartspecial');\r
+               }?>\r
                <br />\r
 \r
                <textarea class="skinedit" tabindex="10" rows="20" cols="80" name="content"><?php echo  htmlspecialchars($skin->getContent($type)) ?></textarea>\r
@@ -3992,11 +4399,11 @@ selector();
                <br />\r
                <input type="submit" tabindex="20" value="<?php echo _SKIN_UPDATE_BTN?>" onclick="return checkSubmit();" />\r
                <input type="reset" value="<?php echo _SKIN_RESET_BTN?>" />\r
-               (skin type: <?php echo  $friendlyNames[$type] ?>)\r
+               (skin type: <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?>)\r
 \r
                <br /><br />\r
                <?php echo _SKIN_ALLOWEDVARS?>\r
-               <?php                   $actions = SKIN::getAllowedActionsForType($type);\r
+               <?php              $actions = SKIN::getAllowedActionsForType($type);\r
 \r
                        sort($actions);\r
 \r
@@ -4009,27 +4416,19 @@ selector();
                                echo helplink('skinvar-' . $current) . "$current</a>";\r
                                if (count($actions) != 0) echo ", ";\r
                        }\r
-               ?>\r
-               <br /><br />\r
-               Short blog names:\r
-               <?php                   $query = 'SELECT bshortname, bname FROM '.sql_table('blog');\r
+               echo '<br /><br />' . _SKINEDIT_ALLOWEDBLOGS;\r
+               $query = 'SELECT bshortname, bname FROM '.sql_table('blog');\r
                        showlist($query,'table',array('content'=>'shortblognames'));\r
-               ?>\r
-\r
-               <br />\r
-               Template names:\r
-               <?php                   $query = 'SELECT tdname as name, tddesc as description FROM '.sql_table('template_desc');\r
+               echo '<br />' . _SKINEDIT_ALLOWEDTEMPLATESS;\r
+               $query = 'SELECT tdname as name, tddesc as description FROM '.sql_table('template_desc');\r
                        showlist($query,'table',array('content'=>'shortnames'));\r
-               ?>\r
-\r
-\r
-               </div>\r
-               </form>\r
-\r
-\r
-               <?php           $this->pagefoot();\r
+               echo '</div></form>';\r
+               $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinupdate() {\r
                global $member;\r
 \r
@@ -4045,6 +4444,9 @@ selector();
                $this->action_skinedittype(_SKIN_UPDATED);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skindelete() {\r
                global $member, $manager, $CONF;\r
 \r
@@ -4059,8 +4461,8 @@ selector();
                // don't allow deletion of default skins for blogs\r
                $query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
                $r = sql_query($query);\r
-               if ($o = mysql_fetch_object($r))\r
-                       $this->error(_ERROR_SKINDEFDELETE . $o->bname);\r
+               if ($o = sql_fetch_object($r))\r
+                       $this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));\r
 \r
                $this->pagehead();\r
 \r
@@ -4072,7 +4474,7 @@ selector();
                        <h2><?php echo _DELETE_CONFIRM?></h2>\r
 \r
                        <p>\r
-                               <?php echo _CONFIRMTXT_SKIN?><b><?php echo  $name ?></b> (<?php echo  htmlspecialchars($desc)?>)\r
+                               <?php echo _CONFIRMTXT_SKIN?><b><?php echo htmlspecialchars($name) ?></b> (<?php echo  htmlspecialchars($desc)?>)\r
                        </p>\r
 \r
                        <form method="post" action="index.php"><div>\r
@@ -4085,6 +4487,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skindeleteconfirm() {\r
                global $member, $CONF, $manager;\r
 \r
@@ -4099,7 +4504,7 @@ selector();
                // don't allow deletion of default skins for blogs\r
                $query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
                $r = sql_query($query);\r
-               if ($o = mysql_fetch_object($r))\r
+               if ($o = sql_fetch_object($r))\r
                        $this->error(_ERROR_SKINDEFDELETE .$o->bname);\r
 \r
                $manager->notify('PreDeleteSkin', array('skinid' => $skinid));\r
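Review bot: The blog name in the error message at L2909 is still concatenated unescaped, while the identical message in action_skindelete was changed to `htmlspecialchars($o->bname)` at L2880 in this same commit; error() echoes `$msg` as-is (L3365), so this should be `$this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));` for consistency. The body of action_skindeleteconfirm continues outside the hunk.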
@@ -4115,6 +4520,83 @@ selector();
                $this->action_skinoverview();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
+       function action_skinremovetype() {\r
+               global $member, $manager, $CONF;\r
+\r
+               $skinid = intRequestVar('skinid');\r
+               $skintype = requestVar('type');\r
+\r
+               if (!isValidShortName($skintype)) {\r
+                       $this->error(_ERROR_SKIN_PARTS_SPECIAL_DELETE);\r
+               }\r
+\r
+               $member->isAdmin() or $this->disallow();\r
+\r
+               // don't allow default skinparts to be deleted\r
+               if (in_array($skintype, array('index', 'item', 'archivelist', 'archive', 'search', 'error', 'member', 'imagepopup'))) {\r
+                       $this->error(_ERROR_SKIN_PARTS_SPECIAL_DELETE);\r
+               }\r
+\r
+               $this->pagehead();\r
+\r
+               $skin =& new SKIN($skinid);\r
+               $name = $skin->getName();\r
+               $desc = $skin->getDescription();\r
+\r
+               ?>\r
+                       <h2><?php echo _DELETE_CONFIRM?></h2>\r
+\r
+                       <p>\r
+                               <?php echo _CONFIRMTXT_SKIN_PARTS_SPECIAL; ?> <b><?php echo htmlspecialchars($skintype); ?> (<?php echo htmlspecialchars($name); ?>)</b> (<?php echo  htmlspecialchars($desc)?>)\r
+                       </p>\r
+\r
+                       <form method="post" action="index.php"><div>\r
+                               <input type="hidden" name="action" value="skinremovetypeconfirm" />\r
+                               <?php $manager->addTicketHidden() ?>\r
+                               <input type="hidden" name="skinid" value="<?php echo $skinid; ?>" />\r
+                               <input type="hidden" name="type" value="<?php echo htmlspecialchars($skintype); ?>" />\r
+                               <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
+                       </div></form>\r
+               <?php\r
+               $this->pagefoot();\r
+       }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
+       function action_skinremovetypeconfirm() {\r
+               global $member, $CONF, $manager;\r
+\r
+               $skinid = intRequestVar('skinid');\r
+               $skintype = requestVar('type');\r
+\r
+               if (!isValidShortName($skintype)) {\r
+                       $this->error(_ERROR_SKIN_PARTS_SPECIAL_DELETE);\r
+               }\r
+\r
+               $member->isAdmin() or $this->disallow();\r
+\r
+               // don't allow default skinparts to be deleted\r
+               if (in_array($skintype, array('index', 'item', 'archivelist', 'archive', 'search', 'error', 'member', 'imagepopup'))) {\r
+                       $this->error(_ERROR_SKIN_PARTS_SPECIAL_DELETE);\r
+               }\r
+\r
+               $manager->notify('PreDeleteSkinPart', array('skinid' => $skinid, 'skintype' => $skintype));\r
+\r
+               // delete part\r
+               sql_query('DELETE FROM '.sql_table('skin').' WHERE sdesc=' . $skinid . ' AND stype=\'' . $skintype . '\'');\r
+\r
+               $manager->notify('PostDeleteSkinPart', array('skinid' => $skinid, 'skintype' => $skintype));\r
+\r
+               $this->action_skinedit();\r
+       }\r
+\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_skinclone() {\r
                global $member;\r
 \r
@@ -4146,6 +4628,7 @@ selector();
 \r
 \r
                // 3. clone\r
+               /*\r
                $this->skinclonetype($skin, $newid, 'index');\r
                $this->skinclonetype($skin, $newid, 'item');\r
                $this->skinclonetype($skin, $newid, 'archivelist');\r
@@ -4154,20 +4637,33 @@ selector();
                $this->skinclonetype($skin, $newid, 'error');\r
                $this->skinclonetype($skin, $newid, 'member');\r
                $this->skinclonetype($skin, $newid, 'imagepopup');\r
+               */\r
+\r
+               $query = "SELECT stype FROM " . sql_table('skin') . " WHERE sdesc = " . $skinid;\r
+               $res = sql_query($query);\r
+               while ($row = sql_fetch_assoc($res)) {\r
+                       $this->skinclonetype($skin, $newid, $row['stype']);\r
+               }\r
 \r
                $this->action_skinoverview();\r
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function skinclonetype($skin, $newid, $type) {\r
                $newid = intval($newid);\r
                $content = $skin->getContent($type);\r
                if ($content) {\r
-                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". addslashes($content)."', '". addslashes($type)."')";\r
+                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". sql_real_escape_string($content)."', '". sql_real_escape_string($type)."')";\r
                        sql_query($query);\r
                }\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_settingsedit() {\r
                global $member, $manager, $CONF, $DIR_NUCLEUS, $DIR_MEDIA;\r
 \r
@@ -4239,15 +4735,21 @@ selector();
                        <td>\r
 \r
                                <select name="Language" tabindex="10050">\r
-                               <?php                           // show a dropdown list of all available languages\r
+                               <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
+                                               echo "<option value=\"$name\"";\r
                                                if ($name == $CONF['Language'])\r
-                                                       echo " selected='selected'";\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
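Review bot: The loop condition `while ($filename = readdir($dirhandle) )` at L3049 stops early on a directory entry named `0` (or any other falsy name); the idiomatic form is `while (($filename = readdir($dirhandle)) !== false)`. `$name` at L3057 and L3063 is written into the option markup without escaping even though it is derived from a file name; `htmlspecialchars($name)` would match how the commit treats other values, and `$name == $CONF['Language']` at L3058 should be `===`. I do not see a `closedir($dirhandle)` in this hunk; if none follows the loop, the handle stays open until script end. action_settingsedit begins outside this hunk.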
@@ -4262,7 +4764,7 @@ selector();
                        </td>\r
                        <td><?php $this->input_yesno('DisableSite',$CONF['DisableSite'],10060); ?>\r
                                        <br />\r
-                               URL: <input name="DisableSiteURL" tabindex="10070" size="40" value="<?php echo  htmlspecialchars($CONF['DisableSiteURL'])?>" />\r
+                               <?php echo _SETTINGS_DISABLESITEURL ?> <input name="DisableSiteURL" tabindex="10070" size="40" value="<?php echo  htmlspecialchars($CONF['DisableSiteURL'])?>" />\r
                        </td>\r
                </tr><tr>\r
                        <td><?php echo _SETTINGS_DIRS?></td>\r
@@ -4289,7 +4791,7 @@ selector();
                        </td>\r
                        <td><?php /* $this->input_yesno('DisableJsTools',$CONF['DisableJsTools'],10075); */?>\r
                                <select name="DisableJsTools" tabindex="10075">\r
-                       <?php                                   $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
+                       <?php                              $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
                                        echo "<option $extra value='1'>",_SETTINGS_JSTOOLBAR_NONE,"</option>";\r
                                        $extra = ($CONF['DisableJsTools'] == 2) ? 'selected="selected"' : '';\r
                                        echo "<option $extra value='2'>",_SETTINGS_JSTOOLBAR_SIMPLE,"</option>";\r
@@ -4311,12 +4813,32 @@ selector();
 \r
                                           </td>\r
                </tr><tr>\r
+                       <td><?php echo _SETTINGS_DEBUGVARS?> <?php help('debugvars');?></td>\r
+                                          <td><?php\r
+\r
+                                               $this->input_yesno('DebugVars',$CONF['DebugVars'],10078);\r
+\r
+                                                        ?>\r
+\r
+                                          </td>\r
+               </tr><tr>\r
+                       <td><?php echo _SETTINGS_DEFAULTLISTSIZE?> <?php help('defaultlistsize');?></td>\r
+                       <td>\r
+                       <?php\r
+                               if (!array_key_exists('DefaultListSize',$CONF)) {\r
+                                       sql_query("INSERT INTO ".sql_table('config')." VALUES ('DefaultListSize', '10')");\r
+                                       $CONF['DefaultListSize'] = 10;\r
+                               }\r
+                       ?>\r
+                               <input name="DefaultListSize" tabindex="10079" size="40" value="<?php echo  htmlspecialchars((intval($CONF['DefaultListSize']) < 1 ? '10' : $CONF['DefaultListSize'])) ?>" />\r
+                       </td>\r
+               </tr><tr>\r
                        <th colspan="2"><?php echo _SETTINGS_MEDIA?> <?php help('media'); ?></th>\r
                </tr><tr>\r
                        <td><?php echo _SETTINGS_MEDIADIR?></td>\r
                        <td><?php echo  htmlspecialchars($DIR_MEDIA) ?>\r
                                <i><?php echo _SETTINGS_SEECONFIGPHP?></i>\r
-                               <?php                           if (!is_dir($DIR_MEDIA))\r
+                               <?php                              if (!is_dir($DIR_MEDIA))\r
                                                echo "<br /><b>" . _WARNING_NOTADIR . "</b>";\r
                                        if (!is_readable($DIR_MEDIA))\r
                                                echo "<br /><b>" . _WARNING_NOTREADABLE . "</b>";\r
@@ -4430,6 +4952,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_settingsupdate() {\r
                global $member, $CONF;\r
 \r
@@ -4441,37 +4966,39 @@ selector();
 \r
 \r
                // save settings\r
-               $this->updateConfig('DefaultBlog',              postVar('DefaultBlog'));\r
-               $this->updateConfig('BaseSkin',                 postVar('BaseSkin'));\r
-               $this->updateConfig('IndexURL',                 postVar('IndexURL'));\r
-               $this->updateConfig('AdminURL',                 postVar('AdminURL'));\r
+               $this->updateConfig('DefaultBlog',        postVar('DefaultBlog'));\r
+               $this->updateConfig('BaseSkin',          postVar('BaseSkin'));\r
+               $this->updateConfig('IndexURL',          postVar('IndexURL'));\r
+               $this->updateConfig('AdminURL',          postVar('AdminURL'));\r
                $this->updateConfig('PluginURL',                postVar('PluginURL'));\r
-               $this->updateConfig('SkinsURL',                 postVar('SkinsURL'));\r
+               $this->updateConfig('SkinsURL',          postVar('SkinsURL'));\r
                $this->updateConfig('ActionURL',                postVar('ActionURL'));\r
-               $this->updateConfig('Language',                 postVar('Language'));\r
-               $this->updateConfig('AdminEmail',               postVar('AdminEmail'));\r
+               $this->updateConfig('Language',          postVar('Language'));\r
+               $this->updateConfig('AdminEmail',          postVar('AdminEmail'));\r
                $this->updateConfig('SessionCookie',    postVar('SessionCookie'));\r
                $this->updateConfig('AllowMemberCreate',postVar('AllowMemberCreate'));\r
-               $this->updateConfig('AllowMemberMail',  postVar('AllowMemberMail'));\r
+               $this->updateConfig('AllowMemberMail',  postVar('AllowMemberMail'));\r
                $this->updateConfig('NonmemberMail',    postVar('NonmemberMail'));\r
-               $this->updateConfig('ProtectMemNames',  postVar('ProtectMemNames'));\r
-               $this->updateConfig('SiteName',                 postVar('SiteName'));\r
+               $this->updateConfig('ProtectMemNames',  postVar('ProtectMemNames'));\r
+               $this->updateConfig('SiteName',          postVar('SiteName'));\r
                $this->updateConfig('NewMemberCanLogon',postVar('NewMemberCanLogon'));\r
-               $this->updateConfig('DisableSite',              postVar('DisableSite'));\r
-               $this->updateConfig('DisableSiteURL',   postVar('DisableSiteURL'));\r
+               $this->updateConfig('DisableSite',        postVar('DisableSite'));\r
+               $this->updateConfig('DisableSiteURL',   postVar('DisableSiteURL'));\r
                $this->updateConfig('LastVisit',                postVar('LastVisit'));\r
-               $this->updateConfig('MediaURL',                 postVar('MediaURL'));\r
-               $this->updateConfig('AllowedTypes',             postVar('AllowedTypes'));\r
-               $this->updateConfig('AllowUpload',              postVar('AllowUpload'));\r
+               $this->updateConfig('MediaURL',          postVar('MediaURL'));\r
+               $this->updateConfig('AllowedTypes',      postVar('AllowedTypes'));\r
+               $this->updateConfig('AllowUpload',        postVar('AllowUpload'));\r
                $this->updateConfig('MaxUploadSize',    postVar('MaxUploadSize'));\r
-               $this->updateConfig('MediaPrefix',              postVar('MediaPrefix'));\r
-               $this->updateConfig('AllowLoginEdit',   postVar('AllowLoginEdit'));\r
-               $this->updateConfig('DisableJsTools',   postVar('DisableJsTools'));\r
-               $this->updateConfig('CookieDomain',             postVar('CookieDomain'));\r
-               $this->updateConfig('CookiePath',               postVar('CookiePath'));\r
-               $this->updateConfig('CookieSecure',             postVar('CookieSecure'));\r
-               $this->updateConfig('URLMode',                  postVar('URLMode'));\r
-               $this->updateConfig('CookiePrefix',             postVar('CookiePrefix'));\r
+               $this->updateConfig('MediaPrefix',        postVar('MediaPrefix'));\r
+               $this->updateConfig('AllowLoginEdit',   postVar('AllowLoginEdit'));\r
+               $this->updateConfig('DisableJsTools',   postVar('DisableJsTools'));\r
+               $this->updateConfig('CookieDomain',      postVar('CookieDomain'));\r
+               $this->updateConfig('CookiePath',          postVar('CookiePath'));\r
+               $this->updateConfig('CookieSecure',      postVar('CookieSecure'));\r
+               $this->updateConfig('URLMode',            postVar('URLMode'));\r
+               $this->updateConfig('CookiePrefix',      postVar('CookiePrefix'));\r
+               $this->updateConfig('DebugVars',                postVar('DebugVars'));\r
+               $this->updateConfig('DefaultListSize',  postVar('DefaultListSize'));\r
 \r
                // load new config and redirect (this way, the new language will be used is necessary)\r
                // note that when changing cookie settings, this redirect might cause the user\r
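Review bot: `DefaultListSize` at L3187 is stored verbatim from `postVar()`, so a non-numeric or negative value lands in the config table and every reader has to repeat the `intval(...) < 1 ? 10` guard seen at L3105; validate once here, e.g. `$listSize = intval(postVar('DefaultListSize')); $this->updateConfig('DefaultListSize', $listSize < 1 ? 10 : $listSize);`. `Language` at L3146 is likewise stored as posted; if that value is later used to locate the language file, it should be checked against the names the dropdown at L3049-L3064 offers before being saved — the consumer is not visible from here. Most of the remaining lines in this hunk are whitespace-only churn in the alignment, which makes the two real additions at L3186-L3187 hard to spot. action_settingsupdate begins and ends outside this hunk.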
@@ -4482,40 +5009,188 @@ selector();
 \r
        }\r
 \r
+       /**\r
+        *  Give an overview over the used system\r
+        */\r
+       function action_systemoverview() {\r
+               global $member, $nucleus, $CONF;\r
+\r
+               $this->pagehead();\r
+\r
+               echo '<h2>' . _ADMIN_SYSTEMOVERVIEW_HEADING . "</h2>\n";\r
+\r
+               if ($member->isLoggedIn() && $member->isAdmin()) {\r
+\r
+                       // Information about the used PHP and MySQL installation\r
+                       echo '<h3>' . _ADMIN_SYSTEMOVERVIEW_PHPANDMYSQL . "</h3>\n";\r
+\r
+                       // Version of PHP MySQL\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>\n";\r
+                       echo "\t\t" . '<th colspan="2">' . _ADMIN_SYSTEMOVERVIEW_VERSIONS . "</th>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . _ADMIN_SYSTEMOVERVIEW_PHPVERSION . "</td>\n";\r
+                       echo "\t\t" . '<td>' . phpversion() . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td>' . _ADMIN_SYSTEMOVERVIEW_MYSQLVERSION . "</td>\n";\r
+                       echo "\t\t" . '<td>' . sql_get_server_info() . ' (' . sql_get_client_info() . ')' . "</td>\n";\r
+                       echo "\t</tr>";\r
+                       echo "</table>\n";\r
+\r
+                       // Important PHP settings\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>\n";\r
+                       echo "\t\t" . '<th colspan="2">' . _ADMIN_SYSTEMOVERVIEW_SETTINGS . "</th>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">magic_quotes_gpc' . "</td>\n";\r
+                       $mqg = get_magic_quotes_gpc() ? 'On' : 'Off';\r
+                       echo "\t\t" . '<td>' . $mqg . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td>magic_quotes_runtime' . "</td>\n";\r
+                       $mqr = get_magic_quotes_runtime() ? 'On' : 'Off';\r
+                       echo "\t\t" . '<td>' . $mqr . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td>register_globals' . "</td>\n";\r
+                       $rg = ini_get('register_globals') ? 'On' : 'Off';\r
+                       echo "\t\t" . '<td>' . $rg . "</td>\n";\r
+                       echo "\t</tr>";\r
+                       echo "</table>\n";\r
+\r
+                       // Information about GD library\r
+                       $gdinfo = gd_info();\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>";\r
+                       echo "\t\t" . '<th colspan="2">' . _ADMIN_SYSTEMOVERVIEW_GDLIBRALY . "</th>\n";\r
+                       echo "\t</tr>\n";\r
+                       foreach ($gdinfo as $key=>$value) {\r
+                               if (is_bool($value)) {\r
+                                       $value = $value ? _ADMIN_SYSTEMOVERVIEW_ENABLE : _ADMIN_SYSTEMOVERVIEW_DISABLE;\r
+                               } else {\r
+                                       $value = htmlspecialchars($value, ENT_QUOTES);\r
+                               }\r
+                               echo "\t<tr>";\r
+                               echo "\t\t" . '<td width="50%">' . $key . "</td>\n";\r
+                               echo "\t\t" . '<td>' . $value . "</td>\n";\r
+                               echo "\t</tr>\n";\r
+                       }\r
+                       echo "</table>\n";\r
+\r
+                       // Check if special modules are loaded\r
+                       ob_start();\r
+                       phpinfo(INFO_MODULES);\r
+                       $im = ob_get_contents();\r
+                       ob_clean();\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>";\r
+                       echo "\t\t" . '<th colspan="2">' . _ADMIN_SYSTEMOVERVIEW_MODULES . "</th>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">mod_rewrite' . "</td>\n";\r
+                       $modrewrite = (strstr($im, 'mod_rewrite') != '') ?\r
+                                               _ADMIN_SYSTEMOVERVIEW_ENABLE :\r
+                                               _ADMIN_SYSTEMOVERVIEW_DISABLE;\r
+                       echo "\t\t" . '<td>' . $modrewrite . "</td>\n";\r
+                       echo "\t</tr>\n";\r
+                       echo "</table>\n";\r
+\r
+                       // Information about the used Nucleus CMS\r
+                       echo '<h3>' . _ADMIN_SYSTEMOVERVIEW_NUCLEUSSYSTEM . "</h3>\n";\r
+                       global $nucleus;\r
+                       $nv = getNucleusVersion() / 100 . '(' . $nucleus['version'] . ')';\r
+                       $np = getNucleusPatchLevel();\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>";\r
+                       echo "\t\t" . '<th colspan="2">Nucleus CMS' . "</th>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . _ADMIN_SYSTEMOVERVIEW_NUCLEUSVERSION . "</td>\n";\r
+                       echo "\t\t" . '<td>' . $nv . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . _ADMIN_SYSTEMOVERVIEW_NUCLEUSPATCHLEVEL . "</td>\n";\r
+                       echo "\t\t" . '<td>' . $np . "</td>\n";\r
+                       echo "\t</tr>\n";\r
+                       echo "</table>\n";\r
+\r
+                       // Important settings of the installation\r
+                       echo "<table>\n";\r
+                       echo "\t<tr>";\r
+                       echo "\t\t" . '<th colspan="2">' . _ADMIN_SYSTEMOVERVIEW_NUCLEUSSETTINGS . "</th>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . '$CONF[' . "'Self']</td>\n";\r
+                       echo "\t\t" . '<td>' . $CONF['Self'] . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . '$CONF[' . "'ItemURL']</td>\n";\r
+                       echo "\t\t" . '<td>' . $CONF['ItemURL'] . "</td>\n";\r
+                       echo "\t</tr><tr>\n";\r
+                       echo "\t\t" . '<td width="50%">' . '$CONF[' . "'alertOnHeadersSent']</td>\n";\r
+                       $ohs = $CONF['alertOnHeadersSent'] ?\r
+                                               _ADMIN_SYSTEMOVERVIEW_ENABLE :\r
+                                               _ADMIN_SYSTEMOVERVIEW_DISABLE;\r
+                       echo "\t\t" . '<td>' . $ohs . "</td>\n";\r
+                       echo "\t</tr>\n";\r
+                       echo "</table>\n";\r
+\r
+                       // Link to the online version test at the Nucleus CMS website\r
+                       echo '<h3>' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK . "</h3>\n";\r
+                       if ($nucleus['codename'] != '') {\r
+                               $codenamestring = ' &quot;' . $nucleus['codename'] . '&quot;';\r
+                       } else {\r
+                               $codenamestring = '';\r
+                       }\r
+                       echo _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TXT;\r
+                       $checkURL = sprintf(_ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_URL, getNucleusVersion(), getNucleusPatchLevel());\r
+                       echo '<a href="' . $checkURL . '" title="' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TITLE . '">';\r
+                       echo 'Nucleus CMS ' . $nv . $codenamestring;\r
+                       echo '</a>';\r
+               //echo '<br />';\r
+               }\r
+               else {\r
+                       echo _ADMIN_SYSTEMOVERVIEW_NOT_ADMIN;\r
+               }\r
+\r
+               $this->pagefoot();\r
+       }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function updateConfig($name, $val) {\r
-               $name = addslashes($name);\r
-               $val = trim(addslashes($val));\r
+               $name = sql_real_escape_string($name);\r
+               $val = trim(sql_real_escape_string($val));\r
 \r
                $query = 'UPDATE '.sql_table('config')\r
                           . " SET value='$val'"\r
                           . " WHERE name='$name'";\r
 \r
-               mysql_query($query) or die("Query error: " . mysql_error());\r
-               return mysql_insert_id();\r
+               sql_query($query) or die(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+               return sql_insert_id();\r
        }\r
 \r
        /**\r
-         * Error message\r
-         */\r
+        * Error message\r
+        * @param string $msg message that will be shown\r
+        */\r
        function error($msg) {\r
                $this->pagehead();\r
                ?>\r
                <h2>Error!</h2>\r
-               <?php           echo $msg;\r
+               <?php      echo $msg;\r
                echo "<br />";\r
                echo "<a href='index.php' onclick='history.back()'>"._BACK."</a>";\r
                $this->pagefoot();\r
                exit;\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function disallow() {\r
                ACTIONLOG::add(WARNING, _ACTIONLOG_DISALLOWED . serverVar('REQUEST_URI'));\r
 \r
                $this->error(_ERROR_DISALLOWED);\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function pagehead($extrahead = '') {\r
                global $member, $nucleus, $CONF, $manager;\r
 \r
@@ -4531,8 +5206,9 @@ selector();
 \r
                ?>\r
                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
-               <html xmlns="http://www.w3.org/1999/xhtml">\r
+               <html <?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
                <head>\r
+                       <meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
                        <title><?php echo htmlspecialchars($CONF['SiteName'])?> - Admin</title>\r
                        <link rel="stylesheet" title="Nucleus Admin Default" type="text/css" href="<?php echo $baseUrl?>styles/admin.css" />\r
                        <link rel="stylesheet" title="Nucleus Admin Default" type="text/css"\r
@@ -4549,13 +5225,14 @@ selector();
                        <?php echo $extrahead?>\r
                </head>\r
                <body>\r
+               <div id="adminwrapper">\r
                <div class="header">\r
                <h1><?php echo htmlspecialchars($CONF['SiteName'])?></h1>\r
                </div>\r
                <div id="container">\r
                <div id="content">\r
                <div class="loginname">\r
-               <?php                   if ($member->isLoggedIn())\r
+               <?php              if ($member->isLoggedIn())\r
                                echo _LOGGEDINAS . ' ' . $member->getDisplayName()\r
                                        ." - <a href='index.php?action=logout'>" . _LOGOUT. "</a>"\r
                                        . "<br /><a href='index.php?action=overview'>" . _ADMINHOME . "</a> - ";\r
@@ -4566,14 +5243,28 @@ selector();
 \r
                        echo '<br />(';\r
 \r
-                       if ($member->isLoggedIn() && $member->isAdmin())\r
-                               echo '<a href="http://nucleuscms.org/version.php?v=',getNucleusVersion(),'&amp;pl=',getNucleusPatchLevel(),'" title="Check for upgrade">Nucleus CMS ', $nucleus['version'], '</a>';\r
-                       else\r
-                               echo 'Nucleus CMS ' , $nucleus['version'];\r
+                       $codenamestring = ($nucleus['codename']!='')? ' &quot;'.$nucleus['codename'].'&quot;':'';\r
+\r
+                       if ($member->isLoggedIn() && $member->isAdmin()) {\r
+                               $checkURL = sprintf(_ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_URL, getNucleusVersion(), getNucleusPatchLevel());\r
+                               echo '<a href="' . $checkURL . '" title="' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TITLE . '">Nucleus CMS ' . $nucleus['version'] . $codenamestring . '</a>';\r
+                               $newestVersion = getLatestVersion();\r
+                               $newestCompare = str_replace('/','.',$newestVersion);\r
+                               $newestCompare = intval($newestCompare);\r
+                               $currentVersion = str_replace(array('/','v'),array('.',''),$nucleus['version']);\r
+                               if ($newestVersion && version_compare($newestCompare,$currentVersion) > 0) {\r
+                                       echo '<br /><a style="color:red" href="http://nucleuscms.org/upgrade.php" title="'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TITLE.'">'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TEXT.$newestVersion.'</a>';\r
+                               }\r
+                       } else {\r
+                               echo 'Nucleus CMS ' . $nucleus['version'] . $codenamestring;\r
+                       }\r
                        echo ')';\r
                echo '</div>';\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function pagefoot() {\r
                global $action, $member, $manager;\r
 \r
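Review bot: `$newestCompare = intval($newestCompare);` on the added version-check lines throws away everything after the first dot, so `version_compare()` only reports a newer release when the major number changes (and, if the fetched string carries a leading `v` the way `$nucleus['version']` apparently can, it becomes 0 and the notice never appears). Drop the `intval()` line and compare the dotted strings directly: `$newestCompare = str_replace('/', '.', $newestVersion);` followed by the existing `if ($newestVersion && version_compare($newestCompare, $currentVersion) > 0)`. The value returned by `getLatestVersion()` is also echoed into the upgrade link unescaped; wrap it as `htmlspecialchars($newestVersion, ENT_QUOTES)` as the commit already does for names elsewhere. pagehead() starts and ends outside this hunk.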
@@ -4591,19 +5282,19 @@ selector();
                                <li><a href="index.php?action=overview"><?php echo  _BACKHOME?></a></li>\r
                                <li><a href='index.php?action=logout'><?php echo  _LOGOUT?></a></li>\r
                        </ul>\r
-                       <?php           }\r
+                       <?php      }\r
                ?>\r
                        <div class="foot">\r
-                               <a href="http://nucleuscms.org/">Nucleus CMS</a> &copy; 2002-2005 The Nucleus Group\r
+                               <a href="<?php echo _ADMINPAGEFOOT_OFFICIALURL ?>">Nucleus CMS</a> &copy; 2002-<?php echo date('Y') . ' ' . _ADMINPAGEFOOT_COPYRIGHT; ?>\r
                                -\r
-                               <a href="http://nucleuscms.org/donate.php">Donate!</a>\r
+                               <a href="<?php echo _ADMINPAGEFOOT_DONATEURL ?>"><?php echo _ADMINPAGEFOOT_DONATE ?></a>\r
                        </div>\r
 \r
                        </div><!-- content -->\r
 \r
                        <div id="quickmenu">\r
 \r
-                               <?php                           // ---- user settings ----\r
+                               <?php                      // ---- user settings ----\r
                                if (($action != 'showlogin') && ($member->isLoggedIn())) {\r
                                        echo '<ul>';\r
                                        echo '<li><a href="index.php?action=overview">',_QMENU_HOME,'</a></li>';\r
@@ -4638,9 +5329,9 @@ selector();
 \r
                                        echo '<h2>' . $member->getDisplayName(). '</h2>';\r
                                        echo '<ul>';\r
-                                       echo '<li><a href="index.php?action=editmembersettings">',_QMENU_USER_SETTINGS,'</a></li>';\r
-                                       echo '<li><a href="index.php?action=browseownitems">',_QMENU_USER_ITEMS,'</a></li>';\r
-                                       echo '<li><a href="index.php?action=browseowncomments">',_QMENU_USER_COMMENTS,'</a></li>';\r
+                                       echo '<li><a href="index.php?action=editmembersettings">' . _QMENU_USER_SETTINGS . '</a></li>';\r
+                                       echo '<li><a href="index.php?action=browseownitems">' . _QMENU_USER_ITEMS . '</a></li>';\r
+                                       echo '<li><a href="index.php?action=browseowncomments">' . _QMENU_USER_COMMENTS . '</a></li>';\r
                                        echo '</ul>';\r
 \r
 \r
@@ -4652,19 +5343,20 @@ selector();
                                                echo '<h2>',_QMENU_MANAGE,'</h2>';\r
 \r
                                                echo '<ul>';\r
-                                               echo '<li><a href="index.php?action=actionlog">',_QMENU_MANAGE_LOG,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=settingsedit">',_QMENU_MANAGE_SETTINGS,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=usermanagement">',_QMENU_MANAGE_MEMBERS,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=createnewlog">',_QMENU_MANAGE_NEWBLOG,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=backupoverview">',_QMENU_MANAGE_BACKUPS,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=pluginlist">',_QMENU_MANAGE_PLUGINS,'</a></li>';\r
+                                               echo '<li><a href="index.php?action=actionlog">' . _QMENU_MANAGE_LOG . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=settingsedit">' . _QMENU_MANAGE_SETTINGS . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=systemoverview">' . _QMENU_MANAGE_SYSTEM . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=usermanagement">' . _QMENU_MANAGE_MEMBERS . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=createnewlog">' . _QMENU_MANAGE_NEWBLOG . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=backupoverview">' . _QMENU_MANAGE_BACKUPS . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=pluginlist">' . _QMENU_MANAGE_PLUGINS . '</a></li>';\r
                                                echo '</ul>';\r
 \r
                                                echo '<h2>',_QMENU_LAYOUT,'</h2>';\r
                                                echo '<ul>';\r
-                                               echo '<li><a href="index.php?action=skinoverview">',_QMENU_LAYOUT_SKINS,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=templateoverview">',_QMENU_LAYOUT_TEMPL,'</a></li>';\r
-                                               echo '<li><a href="index.php?action=skinieoverview">',_QMENU_LAYOUT_IEXPORT,'</a></li>';\r
+                                               echo '<li><a href="index.php?action=skinoverview">' . _QMENU_LAYOUT_SKINS . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=templateoverview">' . _QMENU_LAYOUT_TEMPL . '</a></li>';\r
+                                               echo '<li><a href="index.php?action=skinieoverview">' . _QMENU_LAYOUT_IEXPORT . '</a></li>';\r
                                                echo '</ul>';\r
 \r
                                        }\r
@@ -4698,14 +5390,18 @@ selector();
                        </div>\r
 \r
                        <!-- content / quickmenu container -->\r
+                       <div class="clear"></div>       <!-- new -->\r
                        </div>\r
 \r
-\r
+                       <!-- adminwrapper -->   <!-- new -->\r
+                       </div>   <!-- new -->\r
                        </body>\r
                        </html>\r
-               <?php   }\r
-\r
+               <?php   }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_regfile() {\r
                global $member, $CONF;\r
 \r
@@ -4716,7 +5412,7 @@ selector();
                // header-code stolen from phpMyAdmin\r
                // REGEDIT and bookmarklet code stolen from GreyMatter\r
 \r
-               $sjisBlogName = getBlogNameFromID($blogid);\r
+               $sjisBlogName = sprintf(_WINREGFILE_TEXT, getBlogNameFromID($blogid));\r
                $sjisBlogName = mb_convert_encoding($sjisBlogName, "SJIS", "auto");\r
 \r
                header('Content-Type: application/octetstream');\r
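Review bot: `mb_convert_encoding($sjisBlogName, "SJIS", "auto")` on the context line after the changed sprintf() leaves the source encoding to mbstring's detection order, which can misidentify UTF-8 text and garble the blog name written into the .reg file. This tree is the UTF-8 build and `_CHARSET` is already emitted in the admin page header, so pass it explicitly: `$sjisBlogName = mb_convert_encoding($sjisBlogName, "SJIS", _CHARSET);`. action_regfile() starts and ends outside this hunk.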
@@ -4725,11 +5421,14 @@ selector();
                header('Expires: 0');\r
 \r
                echo "REGEDIT4\n";\r
-               echo "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\MenuExt\\Post To &Nucleus (".$sjisBlogName.")]\n";\r
+               echo "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\MenuExt\\" . $sjisBlogName . "]\n";\r
                echo '@="' . $CONF['AdminURL'] . "bookmarklet.php?action=contextmenucode&blogid=".intval($blogid)."\"\n";\r
                echo '"contexts"=hex:31';\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_bookmarklet() {\r
                global $member, $manager;\r
 \r
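Review bot: the changed echo builds the registry key name from `$sjisBlogName` without any sanitising, so a blog name containing `]`, `\` or a line break breaks the REGEDIT4 key syntax, and a `"` in `$CONF['AdminURL']` on the following line would do the same to the default value string. The blog name is presumably set by blog admins rather than anonymous users, so this is mainly a robustness problem, but it should still be cleaned before the encoding conversion, e.g. `$sjisBlogName = str_replace(array("\\", "]", "\r", "\n"), '', $sjisBlogName);`. action_regfile() starts outside this hunk.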
@@ -4746,48 +5445,48 @@ selector();
 \r
                ?>\r
 \r
-               <h2>Bookmarklet<!-- and Right Click Menu --></h2>\r
+               <h2><?php echo _BOOKMARKLET_TITLE ?></h2>\r
 \r
                <p>\r
-               Bookmarklet とは、クリック1回で記事の投稿ができるシステムです。 この Bookmarklet をインストールすると、ブラウザのツールバーの'add to weblog'ボタンが利用可能となり、Nucleusの新規アイテムの追加ウィンドウがポップアップします。任意のWebページを開いた状態でこのボタンを押せば、そのWebページのタイトルと、そのページへのリンクタグがすでに埋め込まれた状態でアイテム追加ウィンドウが開き、さらに、そのページ内に引用したい文を選択した状態であればその引用文も自動的に引用します。\r
+               <?php echo _BOOKMARKLET_DESC1 . _BOOKMARKLET_DESC2 . _BOOKMARKLET_DESC3 . _BOOKMARKLET_DESC4 . _BOOKMARKLET_DESC5 ?>\r
                </p>\r
 \r
-               <h3>Bookmarklet</h3>\r
+               <h3><?php echo _BOOKMARKLET_BOOKARKLET ?></h3>\r
                <p>\r
-                       下のリンク部分を「お気に入り」もしくはツールバーにドラッグできます。<small>(その前にテストしてみたい場合は単純に下のリンクをクリックしてみてください)</small>\r
+                       <?php echo _BOOKMARKLET_BMARKTEXT ?><small><?php echo _BOOKMARKLET_BMARKTEST ?></small>\r
                        <br />\r
                        <br />\r
-                       <a href="<?php echo htmlspecialchars($bm)?>">Add to <?php echo $blog->getShortName()?></a> (ほとんどのブラウザで動作します)\r
+                       <?php echo '<a href="' . htmlspecialchars($bm, ENT_QUOTES) . '">' . sprintf(_BOOKMARKLET_ANCHOR, htmlspecialchars($blog->getName(), ENT_QUOTES)) . '</a>' . _BOOKMARKLET_BMARKFOLLOW; ?>\r
                </p>\r
 \r
-               <h3>右クリックメニューにインストール (WindowsでIE使用時)</h3>\r
+               <h3><?php echo _BOOKMARKLET_RIGHTCLICK ?></h3>\r
                <p>\r
                        <?php\r
                                $url = 'index.php?action=regfile&blogid=' . intval($blogid);\r
                                $url = $manager->addTicketToUrl($url);\r
                        ?>\r
-                       あるいは<a href="<?php echo htmlspecialchars($url) ?>">右クリックメニュー</a>にインストールすることもできます (「開く」を選択すれば直接レジストリに登録します)\r
+                       <?php echo _BOOKMARKLET_RIGHTTEXT1 . '<a href="' . htmlspecialchars($url, ENT_QUOTES, "SJIS") . '">' . _BOOKMARKLET_RIGHTLABEL . '</a>' . _BOOKMARKLET_RIGHTTEXT2; ?>\r
                </p>\r
 \r
                <p>\r
-                       このインストールした右クリックメニューを表示するためにはIEの再起動が必要です。\r
+                       <?php echo _BOOKMARKLET_RIGHTTEXT3 ?>\r
                </p>\r
 \r
-               <h3>アンインストール</h3>\r
+               <h3><?php echo _BOOKMARKLET_UNINSTALLTT ?></h3>\r
                <p>\r
-                       「お気に入り」もしくはツールバーから消すには、単に削除するだけです。\r
+                       <?php echo _BOOKMARKLET_DELETEBAR ?>\r
                </p>\r
-               \r
+\r
                <p>\r
-                       右クリックメニューから消したい時は、以下の手順を踏んでください:\r
+                       <?php echo _BOOKMARKLET_DELETERIGHTT ?>\r
                </p>\r
 \r
                <ol>\r
-                       <li>スタートメニューから「ファイルを指定して実行...」を選択</li>\r
-                       <li>"regedit" と入力</li>\r
-                       <li>"OK" ボタンを押す</li>\r
-                       <li>"\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt" をツリーの中から検索</li>\r
-                       <li>"add to weblog" エントリを削除</li>                          \r
+                       <li><?php echo _BOOKMARKLET_DELETERIGHT1 ?></li>\r
+                       <li><?php echo _BOOKMARKLET_DELETERIGHT2 ?></li>\r
+                       <li><?php echo _BOOKMARKLET_DELETERIGHT3 ?></li>\r
+                       <li><?php echo _BOOKMARKLET_DELETERIGHT4 ?></li>\r
+                       <li><?php echo _BOOKMARKLET_DELETERIGHT5 ?></li>\r
                </ol>\r
 \r
                <?php\r
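Review bot: `htmlspecialchars($url, ENT_QUOTES, "SJIS")` in the right-click paragraph hard-codes a Shift_JIS charset while the bookmarklet link a few lines above escapes with the default, and this file now emits `_CHARSET` in the page header. `$url` appears to be ASCII here (an index.php query string plus the ticket), so output is not affected today, but the argument is misleading in the UTF-8 tree; use `htmlspecialchars($url, ENT_QUOTES, _CHARSET)` or drop the third argument so both links are escaped the same way. action_bookmarklet() starts and ends outside this hunk.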
@@ -4795,7 +5494,9 @@ selector();
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_actionlog() {\r
                global $member, $manager;\r
 \r
@@ -4821,7 +5522,9 @@ selector();
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlist() {\r
                global $member, $manager;\r
 \r
@@ -4852,7 +5555,9 @@ selector();
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlistdelete() {\r
                global $member, $manager;\r
 \r
@@ -4862,6 +5567,7 @@ selector();
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $blog =& $manager->getBlog($blogid);\r
+               $banBlogName =  htmlspecialchars($blog->getName(), ENT_QUOTES);\r
 \r
                $this->pagehead();\r
                ?>\r
@@ -4880,7 +5586,8 @@ selector();
 \r
                        <div>\r
                                <input type="hidden" name="blogid" value="<?php echo $blogid?>" />\r
-                               <input name="allblogs" type="radio" value="0" id="allblogs_one" /><label for="allblogs_one">Only blog '<?php echo htmlspecialchars($blog->getName())?>'</label>\r
+                               <input name="allblogs" type="radio" value="0" id="allblogs_one" />\r
+                               <label for="allblogs_one"><?php echo sprintf(_BAN_BANBLOGNAME, $banBlogName) ?></label>\r
                                <br />\r
                                <input name="allblogs" type="radio" value="1" checked="checked" id="allblogs_all" /><label for="allblogs_all"><?php echo _BAN_ALLBLOGS?></label>\r
                        </div>\r
@@ -4898,6 +5605,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlistdeleteconfirm() {\r
                global $member, $manager;\r
 \r
@@ -4941,10 +5651,16 @@ selector();
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlistnewfromitem() {\r
                $this->action_banlistnew(getBlogIDFromItemID(intRequestVar('itemid')));\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlistnew($blogid = '') {\r
                global $member, $manager;\r
 \r
@@ -4969,16 +5685,23 @@ selector();
                <p><?php echo _BAN_IPRANGE_TEXT?></p>\r
 \r
                <div class="note">\r
-               <b>An example</b>: "134.58.253.193" will only block one computer, while "134.58.253" will block 256 IP addresses, including the one from the first example.\r
+                       <strong><?php echo _BAN_EXAMPLE_TITLE ?></strong>\r
+                       <?php echo _BAN_EXAMPLE_TEXT ?>\r
                </div>\r
 \r
                <div>\r
-               <?php                   if ($ip) {\r
+               <?php\r
+               if ($ip) {\r
+                       $iprangeVal = htmlspecialchars($ip, ENT_QUOTES);\r
                ?>\r
-                       <input name="iprange" type="radio" value="<?php echo htmlspecialchars($ip)?>" checked="checked" id="ip_fixed" /><label for="ip_fixed"><?php echo htmlspecialchars($ip)?></label>\r
+                       <input name="iprange" type="radio" value="<?php echo $iprangeVal ?>" checked="checked" id="ip_fixed" />\r
+                       <label for="ip_fixed"><?php echo $iprangeVal ?></label>\r
                        <br />\r
-                       <input name="iprange" type="radio" value="custom" id="ip_custom" /><label for="ip_custom">Custom: </label><input name='customiprange' value='<?php echo htmlspecialchars($ip)?>' maxlength='15' size='15' />\r
-               <?php   } else {\r
+                       <input name="iprange" type="radio" value="custom" id="ip_custom" />\r
+                       <label for="ip_custom"><?php echo _BAN_IP_CUSTOM ?></label>\r
+                       <input name='customiprange' value='<?php echo $iprangeVal ?>' maxlength='15' size='15' />\r
+               <?php\r
+               } else {\r
                                echo "<input name='iprange' value='custom' type='hidden' />";\r
                                echo "<input name='customiprange' value='' maxlength='15' size='15' />";\r
                        }\r
@@ -5012,18 +5735,21 @@ selector();
 \r
                </form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_banlistadd() {\r
                global $member;\r
 \r
-               $blogid =               intPostVar('blogid');\r
-               $allblogs =     postVar('allblogs');\r
-               $iprange =              postVar('iprange');\r
+               $blogid =          intPostVar('blogid');\r
+               $allblogs =      postVar('allblogs');\r
+               $iprange =        postVar('iprange');\r
                if ($iprange == "custom")\r
                        $iprange = postVar('customiprange');\r
-               $reason =               postVar('reason');\r
+               $reason =          postVar('reason');\r
 \r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
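Review bot: `$iprange` is taken from `postVar('customiprange')` in the reformatted assignments and, as far as this hunk shows, is never checked for a plausible address or prefix format before the function continues past the rights check; the `maxlength='15'` on the form field is client-side only. Unless validation happens further down (outside the hunk), reject malformed input early, e.g. `if (!preg_match('/^[0-9a-fA-F.:]{1,45}$/', $iprange)) { $this->error(/* TODO: suitable bad-input message constant */); }`. action_banlistadd() ends outside this hunk.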
@@ -5048,6 +5774,9 @@ selector();
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_clearactionlog() {\r
                global $member;\r
 \r
@@ -5058,6 +5787,9 @@ selector();
                $this->action_manage(_MSG_ACTIONLOGCLEARED);\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_backupoverview() {\r
                global $member, $manager;\r
 \r
@@ -5104,9 +5836,12 @@ selector();
                        <br /><?php echo _RESTORE_WARNING?>\r
                </p></form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_backupcreate() {\r
                global $member, $DIR_LIBS;\r
 \r
@@ -5121,11 +5856,14 @@ selector();
                // (creating/restoring dumps might take a while)\r
                @set_time_limit(1200);\r
 \r
-               do_backup($useGzip);\r
+               $bu = new Backup();\r
+               $bu->do_backup($useGzip);\r
                exit;\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_backuprestore() {\r
                global $member, $DIR_LIBS;\r
 \r
@@ -5140,18 +5878,21 @@ selector();
                // (creating/restoring dumps might take a while)\r
                @set_time_limit(1200);\r
 \r
-               $message = do_restore();\r
+               $bu = new Backup();\r
+               $message = $bu->do_restore();\r
                if ($message != '')\r
                        $this->error($message);\r
 \r
                $this->pagehead();\r
                ?>\r
                <h2><?php echo _RESTORE_COMPLETE?></h2>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginlist() {\r
                global $member, $manager;\r
 \r
@@ -5164,7 +5905,7 @@ selector();
 \r
                echo '<h2>' , _PLUGS_TITLE_MANAGE , ' ', help('plugins'), '</h2>';\r
 \r
-               echo '<h3>' , _PLUGS_TITLE_INSTALLED , '</h3>';\r
+               echo '<h3>' , _PLUGS_TITLE_INSTALLED , ' &nbsp;&nbsp;<span style="font-size:smaller">', helplink('getplugins'), _PLUGS_TITLE_GETPLUGINS, '</a></span></h3>';\r
 \r
 \r
                $query =  'SELECT * FROM '.sql_table('plugin').' ORDER BY porder ASC';\r
@@ -5185,22 +5926,31 @@ selector();
                        </div></form>\r
 \r
                        <h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
-\r
-                       <?php                           // find a list of possibly non-installed plugins\r
+                       \r
+                       <?php\r
+                       // find a list of possibly non-installed plugins\r
                                $candidates = array();\r
                                global $DIR_PLUGINS;\r
                                $dirhandle = opendir($DIR_PLUGINS);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg('^NP_(.*)\.php$',$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg('^NP_(.*)\.php$',$filename,$matches)\r
+                                       if (preg_match('#^NP_(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
                                                // only show in list when not yet installed\r
-                                               if (mysql_num_rows(sql_query('SELECT * FROM '.sql_table('plugin').' WHERE pfile="NP_'.addslashes($name).'"')) == 0)\r
-                                                       array_push($candidates,$name);\r
+                                               $res = sql_query('SELECT * FROM ' . sql_table('plugin') . ' WHERE `pfile` = "NP_' . sql_real_escape_string($name) . '"');\r
+                                               if (sql_num_rows($res) == 0)\r
+                                               {\r
+                                                       array_push($candidates, $name);\r
+                                               }\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
-                               if (sizeof($candidates) > 0) {\r
+                               \r
+                               if (sizeof($candidates) > 0)\r
+                               {\r
                        ?>\r
 \r
                        <p><?php echo _PLUGS_ADD_TEXT?></p>\r
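Review bot: `while ($filename = readdir($dirhandle) )` in the rewritten scan loop stops at the first directory entry whose name is falsy (a file named `0`), and the `opendir()` result is still not checked; use `while (($filename = readdir($dirhandle)) !== false)` and guard the handle. The new pattern `#^NP_(.*)\.php$#` also accepts any character in the plugin name, including quotes, which the option list in the next hunk echoes raw into an attribute; restricting the capture to `#^NP_([A-Za-z0-9_]+)\.php$#` would fit how plugin files are named, but confirm no shipped plugin uses other characters first. The existence check fetches whole rows with `SELECT *` only to count them; `quickQuery()` with `COUNT(*)`, as used later in this file, would be lighter. action_pluginlist() starts outside this hunk.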
@@ -5210,20 +5960,29 @@ selector();
                                <input type='hidden' name='action' value='pluginadd' />\r
                                <?php $manager->addTicketHidden() ?>\r
                                <select name="filename" tabindex="30">\r
-                               <?php                                   foreach($candidates as $name)\r
-                                               echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               <?php   \r
+                               foreach($candidates as $name)\r
+                               {\r
+                                       echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               }\r
                                ?>\r
                                </select>\r
                                <input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
                        </div></form>\r
 \r
-               <?php                   } else {        // sizeof(candidates) == 0\r
+               <?php\r
+                               }\r
+                               else\r
+                               {\r
                                echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
                        }\r
 \r
                $this->pagefoot();\r
        }\r
 \r
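Review bot: `echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';` in the reindented loop escapes the visible text but not the `value` attribute, even though both come from the same directory listing. Escape both halves: `echo '<option value="', htmlspecialchars('NP_' . $name, ENT_QUOTES), '">', htmlspecialchars($name), '</option>';`. action_pluginlist() starts outside this hunk.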
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginhelp() {\r
                global $member, $manager, $DIR_PLUGINS, $CONF;\r
 \r
@@ -5257,7 +6016,9 @@ selector();
                $this->pagefoot();\r
        }\r
 \r
-\r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginadd() {\r
                global $member, $manager, $DIR_PLUGINS;\r
 \r
@@ -5269,26 +6030,11 @@ selector();
                if ($manager->pluginInstalled($name))\r
                        $this->error(_ERROR_DUPPLUGIN);\r
                if (!checkPlugin($name))\r
-                       $this->error(_ERROR_PLUGFILEERROR . ' (' . $name . ')');\r
-\r
-               // check if the plugin dependency is met\r
-               $plugin =& $manager->getPlugin($name);\r
-               $pluginList = $plugin->getPluginDep();\r
-               foreach ($pluginList as $pluginName)\r
-               {\r
-\r
-                       $res = sql_query('SELECT * FROM '.sql_table('plugin') . ' WHERE pfile="' . $pluginName . '"');\r
-                       if (mysql_num_rows($res) == 0)\r
-                       {\r
-                               // uninstall plugin again...\r
-                               $this->deleteOnePlugin($plugin->getID());\r
-\r
-                               $this->error(_ERROR_INSREQPLUGIN . $pluginName);\r
-                       }\r
-               }\r
+                       $this->error(_ERROR_PLUGFILEERROR . ' (' . htmlspecialchars($name) . ')');\r
 \r
                // get number of currently installed plugins\r
-               $numCurrent = mysql_num_rows(sql_query('SELECT * FROM '.sql_table('plugin')));\r
+               $res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
+               $numCurrent = sql_num_rows($res);\r
 \r
                // plugin will be added as last one in the list\r
                $newOrder = $numCurrent + 1;\r
@@ -5301,21 +6047,21 @@ selector();
                );\r
 \r
                // do this before calling getPlugin (in case the plugin id is used there)\r
-               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.addslashes($name).'")';\r
+               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.sql_real_escape_string($name).'")';\r
                sql_query($query);\r
-               $iPid = mysql_insert_id();\r
-\r
-               // need to update the plugin object's pid since we didn't have it above when it's first create....\r
-               $plugin->plugid = $iPid;\r
+               $iPid = sql_insert_id();\r
 \r
                $manager->clearCachedInfo('installedPlugins');\r
 \r
-               // call the install method of the plugin\r
+               // Load the plugin for condition checking and instalation\r
+               $plugin =& $manager->getPlugin($name);\r
+\r
+               // check if it got loaded (could have failed)\r
                if (!$plugin)\r
                {\r
                        sql_query('DELETE FROM ' . sql_table('plugin') . ' WHERE pid='. intval($iPid));\r
                        $manager->clearCachedInfo('installedPlugins');\r
-                       $this->error('Plugin could not be loaded, or does not support certain features that are required for it to run on your Nucleus installation (you might want to check the <a href="?action=actionlog">actionlog</a> for more info)');\r
+                       $this->error(_ERROR_PLUGIN_LOAD);\r
                }\r
 \r
                // check if plugin needs a newer Nucleus version\r
@@ -5325,7 +6071,7 @@ selector();
                        $this->deleteOnePlugin($plugin->getID());\r
 \r
                        // ...and show error\r
-                       $this->error(_ERROR_NUCLEUSVERSIONREQ . $plugin->getMinNucleusVersion());\r
+                       $this->error(_ERROR_NUCLEUSVERSIONREQ . htmlspecialchars($plugin->getMinNucleusVersion()));\r
                }\r
 \r
                // check if plugin needs a newer Nucleus version\r
@@ -5335,9 +6081,24 @@ selector();
                        $this->deleteOnePlugin($plugin->getID());\r
 \r
                        // ...and show error\r
-                       $this->error(_ERROR_NUCLEUSVERSIONREQ . $plugin->getMinNucleusVersion() . ' patch ' . $plugin->getMinNucleusPatchLevel());\r
+                       $this->error(_ERROR_NUCLEUSVERSIONREQ . htmlspecialchars( $plugin->getMinNucleusVersion() . ' patch ' . $plugin->getMinNucleusPatchLevel() ) );\r
                }\r
 \r
+               $pluginList = $plugin->getPluginDep();\r
+               foreach ($pluginList as $pluginName)\r
+               {\r
+\r
+                       $res = sql_query('SELECT * FROM '.sql_table('plugin') . ' WHERE pfile="' . $pluginName . '"');\r
+                       if (sql_num_rows($res) == 0)\r
+                       {\r
+                               // uninstall plugin again...\r
+                               $this->deleteOnePlugin($plugin->getID());\r
+\r
+                               $this->error(sprintf(_ERROR_INSREQPLUGIN, htmlspecialchars($pluginName, ENT_QUOTES)));\r
+                       }\r
+               }\r
+\r
+               // call the install method of the plugin\r
                $plugin->install();\r
 \r
                $manager->notify(\r
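Review bot: the relocated dependency check builds `'WHERE pfile="' . $pluginName . '"'` with the plugin-declared name interpolated directly, while every other query this commit touches in the file is switched to `sql_real_escape_string()`. Use `' WHERE pfile="' . sql_real_escape_string($pluginName) . '"'` here as well; the value comes from a plugin file rather than a request, so the exposure is small, but the inconsistency invites copy-paste into riskier places. action_pluginadd() starts and ends outside this hunk.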
@@ -5351,8 +6112,11 @@ selector();
                $this->action_pluginupdate();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginupdate() {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
@@ -5362,20 +6126,24 @@ selector();
 \r
                // loop over all installed plugins\r
                $res = sql_query('SELECT pid, pfile FROM '.sql_table('plugin'));\r
-               while($o = mysql_fetch_object($res)) {\r
+               while($o = sql_fetch_object($res)) {\r
                        $pid = $o->pid;\r
                        $plug =& $manager->getPlugin($o->pfile);\r
                        if ($plug)\r
                        {\r
                                $eventList = $plug->getEventList();\r
                                foreach ($eventList as $eventName)\r
-                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.addslashes($eventName).'\')');\r
+                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.sql_real_escape_string($eventName).'\')');\r
                        }\r
                }\r
 \r
-               $this->action_pluginlist();\r
+               redirect($CONF['AdminURL'] . '?action=pluginlist');\r
+//             $this->action_pluginlist();\r
        }\r
 \r
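Review bot: `//             $this->action_pluginlist();` is left behind as commented-out code after the new `redirect()` call, here and again in action_plugindeleteconfirm() two hunks further down; delete the dead line rather than keeping it as a comment. If `redirect()` does not itself terminate the script (not visible here), add `exit;` after it so nothing further is emitted on top of the Location header. action_pluginupdate() starts outside this hunk.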
+       /**\r
+        * @todo document this\r
+        */\r
        function action_plugindelete() {\r
                global $member, $manager;\r
 \r
@@ -5399,11 +6167,15 @@ selector();
                        <input type="hidden" name="plugid" value="<?php echo $pid; ?>" />\r
                        <input type="submit" tabindex="10" value="<?php echo _DELETE_CONFIRM_BTN?>" />\r
                        </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php\r
+               $this->pagefoot();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_plugindeleteconfirm() {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
@@ -5415,9 +6187,13 @@ selector();
                        $this->error($error);\r
                }\r
 \r
-               $this->action_pluginlist();\r
+               redirect($CONF['AdminURL'] . '?action=pluginlist');\r
+//             $this->action_pluginlist();\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function deleteOnePlugin($pid, $callUninstall = 0) {\r
                global $manager;\r
 \r
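Review bot: deleteOnePlugin concatenates `$pid` straight into string-built SQL (`WHERE pid='.$pid` in the quickQuery that follows and in the DELETE/UPDATE statements later in the function) without casting it, so safety depends entirely on every caller passing an integer. A defensive `$pid = intval($pid);` as the first statement would match what _insertPluginOptions already does with `intval($contextid)` and costs nothing. The function continues past this hunk.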
@@ -5428,15 +6204,15 @@ selector();
 \r
                $name = quickQuery('SELECT pfile as result FROM '.sql_table('plugin').' WHERE pid='.$pid);\r
 \r
-               // call the unInstall method of the plugin\r
+/*             // call the unInstall method of the plugin\r
                if ($callUninstall) {\r
                        $plugin =& $manager->getPlugin($name);\r
                        if ($plugin) $plugin->unInstall();\r
-               }\r
+               }*/\r
 \r
                // check dependency before delete\r
                $res = sql_query('SELECT pfile FROM '.sql_table('plugin'));\r
-               while($o = mysql_fetch_object($res)) {\r
+               while($o = sql_fetch_object($res)) {\r
                        $plug =& $manager->getPlugin($o->pfile);\r
                        if ($plug)\r
                        {\r
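Review bot: The `/* ... */` block wrapping the old `$callUninstall` branch should be removed instead of commented out, since this commit moves the unInstall() call to after the dependency check and the PreDeletePlugin notification (the live copy is in the next hunk of this function). Keeping two copies of the same branch, one dead, invites a later edit to re-enable the wrong one. The enclosing deleteOnePlugin begins and ends outside this hunk.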
@@ -5445,7 +6221,7 @@ selector();
                                {\r
                                        if ($name == $depName)\r
                                        {\r
-                                               return _ERROR_DELREQPLUGIN . $o->pfile;\r
+                                               return sprintf(_ERROR_DELREQPLUGIN, $o->pfile);\r
                                        }\r
                                }\r
                        }\r
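Review bot: The plugin name interpolated into the returned error is not HTML-escaped, while the matching install-time message at the top of this chunk wraps the name in htmlspecialchars(..., ENT_QUOTES); the return value is presumably displayed via $this->error(), so the two should agree: `return sprintf(_ERROR_DELREQPLUGIN, htmlspecialchars($o->pfile, ENT_QUOTES));`. The value comes from the plugin table rather than the request, so exposure is low, but escaping at the point of formatting is cheaper than auditing every display path. deleteOnePlugin continues on both sides of this hunk.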
@@ -5453,6 +6229,12 @@ selector();
 \r
                $manager->notify('PreDeletePlugin', array('plugid' => $pid));\r
 \r
+               // call the unInstall method of the plugin\r
+               if ($callUninstall) {\r
+                       $plugin =& $manager->getPlugin($name);\r
+                       if ($plugin) $plugin->unInstall();\r
+               }\r
+\r
                // delete all subscriptions\r
                sql_query('DELETE FROM '.sql_table('plugin_event').' WHERE pid=' . $pid);\r
 \r
@@ -5460,7 +6242,7 @@ selector();
                // get OIDs from plugin_option_desc\r
                $res = sql_query('SELECT oid FROM ' . sql_table('plugin_option_desc') . ' WHERE opid=' . $pid);\r
                $aOIDs = array();\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        array_push($aOIDs, $o->oid);\r
                }\r
 \r
@@ -5470,7 +6252,8 @@ selector();
                        sql_query('DELETE FROM '.sql_table('plugin_option').' WHERE oid in ('.implode(',',$aOIDs).')');\r
 \r
                // update order numbers\r
-               $o = mysql_fetch_object(sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid=' . $pid));\r
+               $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid=' . $pid);\r
+               $o = sql_fetch_object($res);\r
                sql_query('UPDATE '.sql_table('plugin').' SET porder=(porder - 1) WHERE porder>'.$o->porder);\r
 \r
                // delete row\r
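Review bot: After the split into `$res`/`$o`, `$o->porder` is still read without checking that a row came back; if no plugin matches `$pid`, sql_fetch_object presumably returns false, and the UPDATE is built with an empty `porder>` comparison, which fails as an SQL syntax error after a notice. Unless the lines at the top of deleteOnePlugin (outside this hunk) already verify the pid, a guard such as `if (!$o) return _ERROR_NOSUCHPLUGIN;` before the UPDATE would keep the function's string-return convention.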
@@ -5482,8 +6265,11 @@ selector();
                return '';\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginup() {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
@@ -5494,7 +6280,8 @@ selector();
                        $this->error(_ERROR_NOSUCHPLUGIN);\r
 \r
                // 1. get old order number\r
-               $o = mysql_fetch_object(sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid));\r
+               $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
+               $o = sql_fetch_object($res);\r
                $oldOrder = $o->porder;\r
 \r
                // 2. calculate new order number\r
@@ -5504,11 +6291,16 @@ selector();
                sql_query('UPDATE '.sql_table('plugin').' SET porder='.$oldOrder.' WHERE porder='.$newOrder);\r
                sql_query('UPDATE '.sql_table('plugin').' SET porder='.$newOrder.' WHERE pid='.$plugid);\r
 \r
-               $this->action_pluginlist();\r
+               //$this->action_pluginlist();\r
+               // To avoid showing ticket in the URL, redirect to pluginlist, instead.\r
+               redirect($CONF['AdminURL'] . '?action=pluginlist');\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_plugindown() {\r
-               global $member, $manager;\r
+               global $member, $manager, $CONF;\r
 \r
                // check if allowed\r
                $member->isAdmin() or $this->disallow();\r
@@ -5518,10 +6310,12 @@ selector();
                        $this->error(_ERROR_NOSUCHPLUGIN);\r
 \r
                // 1. get old order number\r
-               $o = mysql_fetch_object(sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid));\r
+               $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
+               $o = sql_fetch_object($res);\r
                $oldOrder = $o->porder;\r
 \r
-               $maxOrder = mysql_num_rows(sql_query('SELECT * FROM '.sql_table('plugin')));\r
+               $res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
+               $maxOrder = sql_num_rows($res);\r
 \r
                // 2. calculate new order number\r
                $newOrder = ($oldOrder < $maxOrder) ? ($oldOrder + 1) : $maxOrder;\r
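Review bot: `$maxOrder = sql_num_rows($res)` on the result of `SELECT * FROM plugin` fetches every column of every plugin row just to count them; since this file already uses quickQuery with a `result` alias, `$maxOrder = quickQuery('SELECT COUNT(*) as result FROM '.sql_table('plugin'));` gives the same number without the transfer. The plugin table is small, so this is a style point rather than a performance bug. action_plugindown continues past this hunk.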
@@ -5530,9 +6324,14 @@ selector();
                sql_query('UPDATE '.sql_table('plugin').' SET porder='.$oldOrder.' WHERE porder='.$newOrder);\r
                sql_query('UPDATE '.sql_table('plugin').' SET porder='.$newOrder.' WHERE pid='.$plugid);\r
 \r
-               $this->action_pluginlist();\r
+               //$this->action_pluginlist();\r
+               // To avoid showing ticket in the URL, redirect to pluginlist, instead.\r
+               redirect($CONF['AdminURL'] . '?action=pluginlist');\r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginoptions($message = '') {\r
                global $member, $manager;\r
 \r
@@ -5544,12 +6343,13 @@ selector();
                        $this->error(_ERROR_NOSUCHPLUGIN);\r
 \r
                $extrahead = '<script type="text/javascript" src="javascript/numbercheck.js"></script>';\r
+               $pluginName = htmlspecialchars(getPluginNameFromPid($pid), ENT_QUOTES);\r
                $this->pagehead($extrahead);\r
 \r
                ?>\r
                        <p><a href="index.php?action=pluginlist">(<?php echo _PLUGS_BACK?>)</a></p>\r
 \r
-                       <h2>Options for <?php echo htmlspecialchars(getPluginNameFromPid($pid))?></h2>\r
+                       <h2><?php echo sprintf(_PLUGIN_OPTIONS_TITLE, $pluginName) ?></h2>\r
 \r
                        <?php if  ($message) echo $message?>\r
 \r
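Review bot: `sprintf(_PLUGIN_OPTIONS_TITLE, $pluginName)` on the new heading line has no fallback if the language file does not define the constant, whereas the later hunk in _insertPluginOptions guards the same constant with `if (!defined('_PLUGIN_OPTIONS_TITLE')) define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');`; an undefined constant here yields its literal name on old PHP and a fatal error on PHP 8. Either apply the same guard here or, better, define the fallback once at file level and drop both in-function checks. Escaping `$pluginName` with ENT_QUOTES before formatting is correct. action_pluginoptions continues past this hunk.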
@@ -5566,7 +6366,7 @@ selector();
                $aOIDs = array();\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ' WHERE ocontext=\'global\' and opid=' . $pid . ' ORDER BY oid ASC';\r
                $r = sql_query($query);\r
-               while ($o = mysql_fetch_object($r)) {\r
+               while ($o = sql_fetch_object($r)) {\r
                        array_push($aOIDs, $o->oid);\r
                        $aOptions[$o->oid] = array(\r
                                                'oid' => $o->oid,\r
@@ -5581,7 +6381,7 @@ selector();
                // fill out actual values\r
                if (count($aOIDs) > 0) {\r
                        $r = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE oid in ('.implode(',',$aOIDs).')');\r
-                       while ($o = mysql_fetch_object($r))\r
+                       while ($o = sql_fetch_object($r))\r
                                $aOptions[$o->oid]['value'] = $o->ovalue;\r
                }\r
 \r
@@ -5596,12 +6396,15 @@ selector();
                ?>\r
                        </div>\r
                        </form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
 \r
 \r
        }\r
 \r
+       /**\r
+        * @todo document this\r
+        */\r
        function action_pluginoptionsupdate() {\r
                global $member, $manager;\r
 \r
@@ -5621,23 +6424,24 @@ selector();
        }\r
 \r
        /**\r
-         * @static\r
-         */\r
+        * @static\r
+        * @todo document this\r
+        */\r
        function _insertPluginOptions($context, $contextid = 0) {\r
                // get all current values for this contextid\r
                // (note: this might contain doubles for overlapping contextids)\r
                $aIdToValue = array();\r
                $res = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE ocontextid=' . intval($contextid));\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        $aIdToValue[$o->oid] = $o->ovalue;\r
                }\r
 \r
                // get list of oids per pid\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
-                          . ' WHERE opid=pid and ocontext=\''.addslashes($context).'\' ORDER BY porder, oid ASC';\r
+                          . ' WHERE opid=pid and ocontext=\''.sql_real_escape_string($context).'\' ORDER BY porder, oid ASC';\r
                $res = sql_query($query);\r
                $aOptions = array();\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        if (in_array($o->oid, array_keys($aIdToValue)))\r
                                $value = $aIdToValue[$o->oid];\r
                        else\r
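Review bot: The lookup `in_array($o->oid, array_keys($aIdToValue))` at the end of this hunk rebuilds the key list and scans it linearly for every option row; `array_key_exists($o->oid, $aIdToValue)` is the direct form and avoids the loose comparison in_array performs without `strict: true`. This is existing code the commit only touched around, so it is a style note. _insertPluginOptions continues past this hunk, and the else branch is not visible here.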
@@ -5667,906 +6471,54 @@ selector();
                        // new plugin?\r
                        if ($iPrevPid != $aOption['pid']) {\r
                                $iPrevPid = $aOption['pid'];\r
-\r
-                               echo '<tr><th colspan="2">Options for ', htmlspecialchars($aOption['pfile']),'</th></tr>';\r
+                               if (!defined('_PLUGIN_OPTIONS_TITLE')) {\r
+                                       define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');\r
+                               }\r
+                               echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
+                       }\r
+                       \r
+                       $meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
+                       if (@$meta['access'] != 'hidden') {\r
+                               echo '<tr>';\r
+                               listplug_plugOptionRow($aOption);\r
+                               echo '</tr>';\r
                        }\r
-\r
-                       echo '<tr>';\r
-                       listplug_plugOptionRow($aOption);\r
-                       echo '</tr>';\r
-\r
                }\r
-\r
-\r
        }\r
 \r
-       /* helper functions to create option forms etc. */\r
-       function input_yesno($name, $checkedval,$tabindex = 0, $value1 = 1, $value2 = 0, $yesval = _YES, $noval = _NO) {\r
+       /**\r
+        * Helper functions to create option forms etc.\r
+        * @todo document parameters\r
+        */\r
+       function input_yesno($name, $checkedval,$tabindex = 0, $value1 = 1, $value2 = 0, $yesval = _YES, $noval = _NO, $isAdmin = 0) {\r
                $id = htmlspecialchars($name);\r
                $id = str_replace('[','-',$id);\r
                $id = str_replace(']','-',$id);\r
                $id1 = $id . htmlspecialchars($value1);\r
                $id2 = $id . htmlspecialchars($value2);\r
 \r
-               echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
+               if ($name=="admin") {\r
+                       echo '<input onclick="selectCanLogin(true);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
+               } else {\r
+                       echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
+               }\r
+\r
                        if ($checkedval == $value1)\r
                                echo "tabindex='$tabindex' checked='checked'";\r
                        echo ' id="'.$id1.'" /><label for="'.$id1.'">' . $yesval . '</label>';\r
                echo ' ';\r
-               echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';\r
+               if ($name=="admin") {\r
+                       echo '<input onclick="selectCanLogin(false);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';\r
+               } else {\r
+                       echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value2),'" ';\r
+               }\r
                        if ($checkedval != $value1)\r
                                echo "tabindex='$tabindex' checked='checked'";\r
+                       if ($isAdmin && $name=="canlogin")\r
+                               echo ' disabled="disabled"';\r
                        echo ' id="'.$id2.'" /><label for="'.$id2.'">' . $noval . '</label>';\r
        }\r
 \r
-\r
-\r
 } // class ADMIN\r
 \r
-class ENCAPSULATE {\r
-       /**\r
-         * Uses $call to call a function using parameters $params\r
-         * This function should return the amount of entries shown.\r
-         * When entries are show, batch operation handlers are shown too.\r
-         * When no entries were shown, $errormsg is used to display an error\r
-         *\r
-         * Passes on the amount of results found (for further encapsulation)\r
-         */\r
-       function doEncapsulate($call, $params, $errorMessage = 'No entries') {\r
-               // start output buffering\r
-               ob_start();\r
-\r
-               $nbOfRows = call_user_func_array($call, $params);\r
-\r
-               // get list contents and stop buffering\r
-               $list = ob_get_contents();\r
-               ob_end_clean();\r
-\r
-               if ($nbOfRows > 0) {\r
-                       $this->showHead();\r
-                       echo $list;\r
-                       $this->showFoot();\r
-               } else {\r
-                       echo $errorMessage;\r
-               }\r
-\r
-               return $nbOfRows;\r
-       }\r
-}\r
-\r
-\r
-/**\r
-  * A class used to encapsulate a list of some sort inside next/prev buttons\r
-  */\r
-class NAVLIST extends ENCAPSULATE {\r
-\r
-       function NAVLIST($action, $start, $amount, $minamount, $maxamount, $blogid, $search, $itemid) {\r
-               $this->action = $action;\r
-               $this->start = $start;\r
-               $this->amount = $amount;\r
-               $this->minamount = $minamount;\r
-               $this->maxamount = $maxamount;\r
-               $this->blogid = $blogid;\r
-               $this->search = $search;\r
-               $this->itemid = $itemid;\r
-       }\r
-\r
-       function showBatchList($batchtype, $query, $type, $template, $errorMessage = _LISTS_NOMORE) {\r
-               $batch =& new BATCH($batchtype);\r
-\r
-               $this->doEncapsulate(\r
-                               array(&$batch, 'showlist'),\r
-                               array(&$query, $type, $template),\r
-                               $errorMessage\r
-               );\r
-\r
-       }\r
-\r
-\r
-       function showHead() {\r
-               $this->showNavigation();\r
-       }\r
-       function showFoot() {\r
-               $this->showNavigation();\r
-       }\r
-\r
-       /**\r
-         * Displays a next/prev bar for long tables\r
-         */\r
-       function showNavigation() {\r
-               $action = $this->action;\r
-               $start = $this->start;\r
-               $amount = $this->amount;\r
-               $minamount = $this->minamount;\r
-               $maxamount = $this->maxamount;\r
-               $blogid = $this->blogid;\r
-               $search = $this->search;\r
-               $itemid = $this->itemid;\r
-\r
-               $prev = $start - $amount;\r
-               if ($prev < $minamount) $prev=$minamount;\r
-\r
-               // maxamount not used yet\r
-       //      if ($start + $amount <= $maxamount)\r
-                       $next = $start + $amount;\r
-       //      else\r
-       //              $next = $start;\r
-\r
-       ?>\r
-       <table class="navigation">\r
-       <tr><td>\r
-               <form method="post" action="index.php"><div>\r
-               <input type="submit" value="&lt;&lt; <?php echo  _LISTS_PREV?>" />\r
-               <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
-               <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
-               <input type="hidden" name="action" value="<?php echo  $action; ?>" />\r
-               <input type="hidden" name="amount" value="<?php echo  $amount; ?>" />\r
-               <input type="hidden" name="search" value="<?php echo  $search; ?>" />\r
-               <input type="hidden" name="start" value="<?php echo  $prev; ?>" />\r
-               </div></form>\r
-       </td><td>\r
-               <form method="post" action="index.php"><div>\r
-               <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
-               <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
-               <input type="hidden" name="action" value="<?php echo  $action; ?>" />\r
-               <input name="amount" size="3" value="<?php echo  $amount; ?>" /> <?php echo _LISTS_PERPAGE?>\r
-               <input type="hidden" name="start" value="<?php echo  $start; ?>" />\r
-               <input type="hidden" name="search" value="<?php echo  $search; ?>" />\r
-               <input type="submit" value="&gt; <?php echo _LISTS_CHANGE?>" />\r
-               </div></form>\r
-       </td><td>\r
-               <form method="post" action="index.php"><div>\r
-               <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
-               <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
-               <input type="hidden" name="action" value="<?php echo  $action; ?>" />\r
-               <input type="hidden" name="amount" value="<?php echo  $amount; ?>" />\r
-               <input type="hidden" name="start" value="0" />\r
-               <input type="text" name="search" value="<?php echo  $search; ?>" size="7" />\r
-               <input type="submit" value="&gt; <?php echo  _LISTS_SEARCH?>" />\r
-               </div></form>\r
-       </td><td>\r
-               <form method="post" action="index.php"><div>\r
-               <input type="submit" value="<?php echo _LISTS_NEXT?> &gt; &gt;" />\r
-               <input type="hidden" name="search" value="<?php echo  $search; ?>" />\r
-               <input type="hidden" name="blogid" value="<?php echo  $blogid; ?>" />\r
-               <input type="hidden" name="itemid" value="<?php echo  $itemid; ?>" />\r
-               <input type="hidden" name="action" value="<?php echo  $action; ?>" />\r
-               <input type="hidden" name="amount" value="<?php echo  $amount; ?>" />\r
-               <input type="hidden" name="start" value="<?php echo  $next; ?>" />\r
-               </div></form>\r
-       </td></tr>\r
-       </table>\r
-       <?php   }\r
-\r
-\r
-}\r
-\r
-/**\r
- * A class used to encapsulate a list of some sort in a batch selection\r
- */\r
-class BATCH extends ENCAPSULATE {\r
-       function BATCH($type) {\r
-               $this->type = $type;\r
-       }\r
-\r
-       function showHead() {\r
-               ?>\r
-                       <form method="post" action="index.php">\r
-               <?php\r
-// TODO: get a list op operations above the list too\r
-// (be careful not to use the same names for the select...)\r
-//             $this->showOperationList();\r
-       }\r
-\r
-       function showFoot() {\r
-               $this->showOperationList();\r
-               ?>\r
-                       </form>\r
-               <?php   }\r
-\r
-       function showOperationList() {\r
-               global $manager;\r
-               ?>\r
-               <div class="batchoperations">\r
-                       <?php echo _BATCH_WITH_SEL ?>\r
-                       <select name="batchaction">\r
-                       <?php                           $options = array();\r
-                               switch($this->type) {\r
-                                       case 'item':\r
-                                               $options = array(\r
-                                                       'delete'        => _BATCH_ITEM_DELETE,\r
-                                                       'move'          => _BATCH_ITEM_MOVE\r
-                                               );\r
-                                               break;\r
-                                       case 'member':\r
-                                               $options = array(\r
-                                                       'delete'        => _BATCH_MEMBER_DELETE,\r
-                                                       'setadmin'      => _BATCH_MEMBER_SET_ADM,\r
-                                                       'unsetadmin' => _BATCH_MEMBER_UNSET_ADM\r
-                                               );\r
-                                               break;\r
-                                       case 'team':\r
-                                               $options = array(\r
-                                                       'delete'        => _BATCH_TEAM_DELETE,\r
-                                                       'setadmin'      => _BATCH_TEAM_SET_ADM,\r
-                                                       'unsetadmin' => _BATCH_TEAM_UNSET_ADM,\r
-                                               );\r
-                                               break;\r
-                                       case 'category':\r
-                                               $options = array(\r
-                                                       'delete'        => _BATCH_CAT_DELETE,\r
-                                                       'move'          => _BATCH_CAT_MOVE,\r
-                                               );\r
-                                               break;\r
-                                       case 'comment':\r
-                                               $options = array(\r
-                                                       'delete'        => _BATCH_COMMENT_DELETE,\r
-                                               );\r
-                                       break;\r
-                               }\r
-                               foreach ($options as $option => $label) {\r
-                                       echo '<option value="',$option,'">',$label,'</option>';\r
-                               }\r
-                       ?>\r
-                       </select>\r
-                       <input type="hidden" name="action" value="batch<?php echo $this->type?>" />\r
-                       <?php\r
-                               $manager->addTicketHidden();\r
-\r
-                               // add hidden fields for 'team' and 'comment' batchlists\r
-                               if ($this->type == 'team')\r
-                               {\r
-                                       echo '<input type="hidden" name="blogid" value="',intRequestVar('blogid'),'" />';\r
-                               }\r
-                               if ($this->type == 'comment')\r
-                               {\r
-                                       echo '<input type="hidden" name="itemid" value="',intRequestVar('itemid'),'" />';\r
-                               }\r
-\r
-                               echo '<input type="submit" value="',_BATCH_EXEC,'" />';\r
-                       ?>(\r
-                        <a href="" onclick="if (event &amp;&amp; event.preventDefault) event.preventDefault(); return batchSelectAll(1); "><?php echo _BATCH_SELECTALL?></a> -\r
-                        <a href="" onclick="if (event &amp;&amp; event.preventDefault) event.preventDefault(); return batchSelectAll(0); "><?php echo _BATCH_DESELECTALL?></a>\r
-                       )\r
-               </div>\r
-               <?php   }\r
-\r
-       // shortcut :)\r
-       function showList($query, $type, $template, $errorMessage = _LISTS_NOMORE) {\r
-               return $this->doEncapsulate(    'showlist',\r
-                                                                       array($query, $type, $template),\r
-                                                                       $errorMessage\r
-                                                               );\r
-       }\r
-\r
-}\r
-\r
-\r
-\r
-// can take either an array of objects, or an SQL query\r
-function showlist($query, $type, $template) {\r
-\r
-       if (is_array($query)) {\r
-               if (sizeof($query) == 0)\r
-                       return 0;\r
-\r
-               call_user_func('listplug_' . $type, $template, 'HEAD');\r
-\r
-               foreach ($query as $currentObj) {\r
-                       $template['current'] = $currentObj;\r
-                       call_user_func('listplug_' . $type, $template, 'BODY');\r
-               }\r
-\r
-               call_user_func('listplug_' . $type, $template, 'FOOT');\r
-\r
-               return sizeof($query);\r
-\r
-       } else {\r
-               $res = sql_query($query);\r
-\r
-               // don't do anything if there are no results\r
-               $numrows = mysql_num_rows($res);\r
-               if ($numrows == 0)\r
-                       return 0;\r
-\r
-               call_user_func('listplug_' . $type, $template, 'HEAD');\r
-\r
-               while($template['current'] = mysql_fetch_object($res))\r
-                       call_user_func('listplug_' . $type, $template, 'BODY');\r
-\r
-               call_user_func('listplug_' . $type, $template, 'FOOT');\r
-\r
-               mysql_free_result($res);\r
-\r
-               // return amount of results\r
-               return $numrows;\r
-       }\r
-}\r
-\r
-function listplug_select($template, $type) {\r
-       switch($type) {\r
-               case 'HEAD':\r
-                       echo '<select name="'.$template['name'].'" tabindex="'.$template['tabindex'].'" '.$template['javascript'].'>';\r
-\r
-                       // add extra row if needed\r
-                       if ($template['extra']) {\r
-                               echo '<option value="',$template['extraval'],'">',$template['extra'],'</option>';\r
-                       }\r
-\r
-                       break;\r
-               case 'BODY':\r
-                       $current = $template['current'];\r
-\r
-                       echo '<option value="' . htmlspecialchars($current->value) . '"';\r
-                       if ($template['selected'] == $current->value)\r
-                               echo ' selected="selected" ';\r
-                       if ($template['shorten'] > 0) {\r
-                               echo ' title="'. htmlspecialchars($current->text).'"';\r
-                               $current->text = shorten($current->text, $template['shorten'], $template['shortenel']);\r
-                       }\r
-                       echo '>' . htmlspecialchars($current->text) . '</option>';\r
-                       break;\r
-               case 'FOOT':\r
-                       echo '</select>';\r
-                       break;\r
-       }\r
-}\r
-\r
-function listplug_table($template, $type) {\r
-       switch($type) {\r
-               case 'HEAD':\r
-                       echo "<table>";\r
-                       echo "<thead><tr>";\r
-                       // print head\r
-                       call_user_func("listplug_table_" . $template['content'] , $template, 'HEAD');\r
-                       echo "</tr></thead><tbody>";\r
-                       break;\r
-               case 'BODY':\r
-                       // print tabletype specific thingies\r
-                       echo "<tr onmouseover='focusRow(this);' onmouseout='blurRow(this);'>";\r
-                       call_user_func("listplug_table_" . $template['content'] , $template,  'BODY');\r
-                       echo "</tr>";\r
-                       break;\r
-               case 'FOOT':\r
-                       call_user_func("listplug_table_" . $template['content'] , $template,  'FOOT');\r
-                       echo "</tbody></table>";\r
-                       break;\r
-       }\r
-}\r
-\r
-function listplug_table_memberlist($template, $type) {\r
-       switch($type) {