OSDN Git Service

Add some codes from 3.61. Currently files under /nucleus/libs and /nucleus/libs/sql...
[nucleus-jp/nucleus-jp-ancient.git] / utf8 / nucleus / libs / ADMIN.php
index 6666ecc..6b6e536 100755 (executable)
@@ -1,7 +1,7 @@
 <?php\r
 /*\r
  * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)\r
- * Copyright (C) 2002-2009 The Nucleus Group\r
+ * Copyright (C) 2002-2010 The Nucleus Group\r
  *\r
  * This program is free software; you can redistribute it and/or\r
  * modify it under the terms of the GNU General Public License\r
@@ -13,7 +13,7 @@
  * The code for the Nucleus admin area\r
  *\r
  * @license http://nucleuscms.org/license.txt GNU General Public License\r
- * @copyright Copyright (C) 2002-2009 The Nucleus Group\r
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group\r
  * @version $Id$\r
  * @version $NucleusJP: ADMIN.php,v 1.21.2.4 2007/10/30 19:04:24 kmorimatsu Exp $\r
  */\r
@@ -115,7 +115,7 @@ class ADMIN {
                );\r
 /*\r
                // the rest of the actions needs to be checked\r
-               $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'sendping', 'rawping', 'activatesetpwd');\r
+               $aActionsToCheck = array('additem', 'itemupdate', 'itemmoveto', 'categoryupdate', 'categorydeleteconfirm', 'itemdeleteconfirm', 'commentdeleteconfirm', 'teamdeleteconfirm', 'memberdeleteconfirm', 'templatedeleteconfirm', 'skindeleteconfirm', 'banlistdeleteconfirm', 'plugindeleteconfirm', 'batchitem', 'batchcomment', 'batchmember', 'batchcategory', 'batchteam', 'regfile', 'commentupdate', 'banlistadd', 'changemembersettings', 'clearactionlog', 'settingsupdate', 'blogsettingsupdate', 'categorynew', 'teamchangeadmin', 'teamaddmember', 'memberadd', 'addnewlog', 'addnewlog2', 'backupcreate', 'backuprestore', 'pluginup', 'plugindown', 'pluginupdate', 'pluginadd', 'pluginoptionsupdate', 'skinupdate', 'skinclone', 'skineditgeneral', 'templateclone', 'templatenew', 'templateupdate', 'skinieimport', 'skinieexport', 'skiniedoimport', 'skinnew', 'deleteblogconfirm', 'activatesetpwd');\r
 */\r
                if (!in_array($this->action, $aActionsNotToCheck))\r
                {\r
@@ -169,7 +169,7 @@ class ADMIN {
                        <input type="checkbox" value="1" name="shared" tabindex="40" id="shared" /><label for="shared"><?php echo _LOGIN_SHARED?></label>\r
                        <br /><a href="forgotpassword.html"><?php echo _LOGIN_FORGOT?></a>\r
                </small>\r
-               <?php                   // pass through vars\r
+               <?php              // pass through vars\r
 \r
                        $oldaction = postVar('oldaction');\r
                        if (  ($oldaction != 'logout')  && ($oldaction != 'login')  && $passvars ) {\r
@@ -179,7 +179,7 @@ class ADMIN {
 \r
                ?>\r
                </p></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
 \r
@@ -341,12 +341,12 @@ class ADMIN {
 \r
                $search = postVar('search');    // search through items\r
 \r
-               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime'\r
+               $query =  'SELECT bshortname, cname, mname, ititle, ibody, inumber, idraft, itime, bnumber, catid'\r
                           . ' FROM ' . sql_table('item') . ', ' . sql_table('blog') . ', ' . sql_table('member') . ', ' . sql_table('category')\r
                           . ' WHERE iblog=bnumber and iauthor=mnumber and icat=catid and iblog=' . $blogid;\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                // non-blog-admins can only edit/delete their own items\r
                if (!$member->blogAdminRights($blogid))\r
@@ -534,7 +534,7 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one super-admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('member'). ' WHERE madmin=1 and mcanlogin=1');\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEADMIN;\r
                                        else\r
                                                sql_query('UPDATE ' . sql_table('member') .' SET madmin=0 WHERE mnumber='.$memberid);\r
@@ -604,7 +604,7 @@ class ADMIN {
                                case 'unsetadmin':\r
                                        // there should always remain at least one admin\r
                                        $r = sql_query('SELECT * FROM '.sql_table('team').' WHERE tadmin=1 and tblog='.$blogid);\r
-                                       if (mysql_num_rows($r) < 2)\r
+                                       if (sql_num_rows($r) < 2)\r
                                                $error = _ERROR_ATLEASTONEBLOGADMIN;\r
                                        else\r
                                                sql_query('UPDATE '.sql_table('team').' SET tadmin=0 WHERE tblog='.$blogid.' and tmember='.$memberid);\r
@@ -677,7 +677,7 @@ class ADMIN {
                                        $error = _BATCH_UNKNOWN . htmlspecialchars($action);\r
                        }\r
 \r
-                       echo '<b>',($error ? 'Error: '.$error : _BATCH_SUCCESS),'</b>';\r
+                       echo '<b>',($error ? _ERROR . ': '.$error : _BATCH_SUCCESS),'</b>';\r
                        echo '</li>';\r
                }\r
 \r
@@ -717,7 +717,7 @@ class ADMIN {
                        <input type="submit" value="<?php echo _MOVE_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
@@ -750,7 +750,7 @@ class ADMIN {
                        <input type="submit" value="<?php echo _MOVECAT_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
@@ -769,7 +769,7 @@ class ADMIN {
                        <?php $manager->addTicketHidden() ?>\r
                        <input type="hidden" name="batchaction" value="delete" />\r
                        <input type="hidden" name="confirmation" value="yes" />\r
-                       <?php                           // insert selected item numbers\r
+                       <?php                      // insert selected item numbers\r
                                $idx = 0;\r
                                foreach ($ids as $id)\r
                                        echo '<input type="hidden" name="batch[',($idx++),']" value="',intval($id),'" />';\r
@@ -789,7 +789,7 @@ class ADMIN {
                        <input type="submit" value="<?php echo _BATCH_DELETE_CONFIRM_BTN?>" onclick="return checkSubmit();" />\r
 \r
                </div></form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
                exit;\r
        }\r
 \r
@@ -805,12 +805,12 @@ class ADMIN {
 \r
        /**\r
         * Inserts a HTML select element with choices for all blogs to which the user has access\r
-        *              mode = 'blog' => shows blognames and values are blogids\r
-        *              mode = 'category' => show category names and values are catids\r
+        *        mode = 'blog' => shows blognames and values are blogids\r
+        *        mode = 'category' => show category names and values are catids\r
         *\r
         * @param $iForcedBlogInclude\r
-        *              ID of a blog that always needs to be included, without checking if the\r
-        *              member is on the blog team (-1 = none)\r
+        *        ID of a blog that always needs to be included, without checking if the\r
+        *        member is on the blog team (-1 = none)\r
         * @todo document parameters\r
         */\r
        function selectBlog($name, $mode='blog', $selected = 0, $tabindex = 0, $showNewCat = 0, $iForcedBlogInclude = -1) {\r
@@ -826,7 +826,7 @@ class ADMIN {
                else\r
                        $queryBlogs =  'SELECT bnumber FROM '.sql_table('blog').', '.sql_table('team').' WHERE tblog=bnumber and tmember=' . $member->getID();\r
                $rblogids = sql_query($queryBlogs);\r
-               while ($o = mysql_fetch_object($rblogids))\r
+               while ($o = sql_fetch_object($rblogids))\r
                        if ($o->bnumber != $iForcedBlogInclude)\r
                                $aBlogIds[] = intval($o->bnumber);\r
 \r
@@ -840,10 +840,10 @@ class ADMIN {
                $queryBlogs =  'SELECT bnumber, bname FROM '.sql_table('blog').' WHERE bnumber in ('.implode(',',$aBlogIds).') ORDER BY bname';\r
                $blogs = sql_query($queryBlogs);\r
                if ($mode == 'category') {\r
-                       if (mysql_num_rows($blogs) > 1)\r
+                       if (sql_num_rows($blogs) > 1)\r
                                $multipleBlogs = 1;\r
 \r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                if ($multipleBlogs)\r
                                        echo '<optgroup label="',htmlspecialchars($oBlog->bname),'">';\r
 \r
@@ -856,7 +856,7 @@ class ADMIN {
 \r
                                // 2. for each category in that blog\r
                                $categories = sql_query('SELECT cname, catid FROM '.sql_table('category').' WHERE cblog=' . $oBlog->bnumber . ' ORDER BY cname ASC');\r
-                               while ($oCat = mysql_fetch_object($categories)) {\r
+                               while ($oCat = sql_fetch_object($categories)) {\r
                                        if ($oCat->catid == $selected)\r
                                                $selectText = ' selected="selected" ';\r
                                        else\r
@@ -869,7 +869,7 @@ class ADMIN {
                        }\r
                } else {\r
                        // blog mode\r
-                       while ($oBlog = mysql_fetch_object($blogs)) {\r
+                       while ($oBlog = sql_fetch_object($blogs)) {\r
                                echo '<option value="',$oBlog->bnumber,'"';\r
                                if ($oBlog->bnumber == $selected)\r
                                        echo ' selected="selected"';\r
@@ -913,7 +913,7 @@ class ADMIN {
                           . ' WHERE iauthor='. $member->getID() .' and iauthor=mnumber and iblog=bnumber and icat=catid';\r
 \r
                if ($search)\r
-                       $query .= ' and ((ititle LIKE "%' . addslashes($search) . '%") or (ibody LIKE "%' . addslashes($search) . '%") or (imore LIKE "%' . addslashes($search) . '%"))';\r
+                       $query .= ' and ((ititle LIKE "%' . sql_real_escape_string($search) . '%") or (ibody LIKE "%' . sql_real_escape_string($search) . '%") or (imore LIKE "%' . sql_real_escape_string($search) . '%"))';\r
 \r
                $query .= ' ORDER BY itime DESC'\r
                                . " LIMIT $start,$amount";\r
@@ -969,7 +969,7 @@ class ADMIN {
                $query = 'SELECT cbody, cuser, cmail, cemail, mname, ctime, chost, cnumber, cip, citem FROM ' . sql_table('comment') . ' LEFT OUTER JOIN ' . sql_table('member') . ' ON mnumber = cmember WHERE citem = ' . $itemid;\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime ASC'\r
                                . " LIMIT $start,$amount";\r
@@ -1011,7 +1011,7 @@ class ADMIN {
                $query =  'SELECT cbody, cuser, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cmember=' . $member->getID();\r
 \r
                if ($search)\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
                $query .= ' ORDER BY ctime DESC'\r
                                . " LIMIT $start,$amount";\r
@@ -1022,7 +1022,7 @@ class ADMIN {
                echo '<h2>', _COMMENTS_YOUR ,'</h2>';\r
 \r
                $template['content'] = 'commentlist';\r
-               $template['canAddBan'] = 0;     // doesn't make sense to allow banning yourself\r
+               $template['canAddBan'] = 0; // doesn't make sense to allow banning yourself\r
 \r
                $manager->loadClass("ENCAPSULATE");\r
                $navList =& new NAVLIST('browseowncomments', $start, $amount, 0, 1000, 0, $search, 0);\r
@@ -1067,7 +1067,7 @@ class ADMIN {
                $query =  'SELECT cbody, cuser, cemail, cmail, mname, ctime, chost, cnumber, cip, citem FROM '.sql_table('comment').' LEFT OUTER JOIN '.sql_table('member').' ON mnumber=cmember WHERE cblog=' . intval($blogid);\r
 \r
                if ($search != '')\r
-                       $query .= ' and cbody LIKE "%' . addslashes($search) . '%"';\r
+                       $query .= ' and cbody LIKE "%' . sql_real_escape_string($search) . '%"';\r
 \r
 \r
                $query .= ' ORDER BY ctime DESC'\r
@@ -1163,9 +1163,9 @@ class ADMIN {
                        return;\r
                }\r
 \r
-               $body   = postVar('body');\r
-               $title  = postVar('title');\r
-               $more   = postVar('more');\r
+               $body   = postVar('body');\r
+               $title  = postVar('title');\r
+               $more   = postVar('more');\r
                $closed = intPostVar('closed');\r
                $draftid = intPostVar('draftid');\r
 \r
@@ -1199,41 +1199,6 @@ class ADMIN {
                                $wasdraft: set to 1 when the item used to be a draft item\r
                                $publish: set to 1 when the edited item is not a draft\r
                */\r
-/*<del by shizuki>\r
-               switch ($actiontype) {\r
-                       case 'adddraft':\r
-                               $publish = 0;\r
-                               $wasdraft = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'addfuture':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
-                               break;\r
-                       case 'addnow':\r
-                               $wasdraft = 1;\r
-                               $publish = 1;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'changedate':\r
-                               $timestamp = mktime(intPostVar('hour'), intPostVar('minutes'), 0, intPostVar('month'), intPostVar('day'), intPostVar('year'));\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               break;\r
-                       case 'backtodrafts':\r
-                               $wasdraft = 0;\r
-                               $publish = 0;\r
-                               $timestamp = 0;\r
-                               break;\r
-                       case 'edit':\r
-                       default:\r
-                               $publish = 1;\r
-                               $wasdraft = 0;\r
-                               $timestamp = 0;\r
-               }\r
-</del by shizuki>*/\r
-// <add by shizuki>\r
                $blogid =  getBlogIDFromItemID($itemid);\r
                $blog   =& $manager->getBlog($blogid);\r
 \r
@@ -1245,22 +1210,10 @@ class ADMIN {
                } else {\r
                        $timestamp =0;\r
                }\r
-               $doping = ($publish && $timestamp < $blog->getCorrectTime() && postVar('dosendping')) ? 1 : 0;\r
-// </add by shizuki>\r
 \r
                // edit the item for real\r
                ITEM::update($itemid, $catid, $title, $body, $more, $closed, $wasdraft, $publish, $timestamp);\r
 \r
-/* <del by shizuki>\r
-               $blogid = getBlogIDFromItemID($itemid);\r
-               $blog =& $manager->getBlog($blogid);\r
-\r
-               $isFuture = 0;\r
-               if ($timestamp > $blog->getCorrectTime(time())) {\r
-                       $isFuture = 1;\r
-               }\r
-\r
-</del by shizuki>*/\r
                $this->updateFuturePosted($blogid);\r
 \r
                if ($draftid > 0) {\r
@@ -1268,12 +1221,6 @@ class ADMIN {
                        ITEM::delete($draftid);\r
                }\r
 \r
-//             if (!$closed && $publish && $wasdraft && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0 && !$isFuture) {\r
-               if (!$closed && $doping && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0) {              //<mod by shizuki />\r
-                       $this->action_sendping($blogid);\r
-                       return;\r
-               }\r
-\r
                // show category edit window when we created a new category\r
                // ($catid will then be a new category ID, while postVar('catid') will be 'newcat-x')\r
                if ($catid != intPostVar('catid')) {\r
@@ -1381,7 +1328,7 @@ class ADMIN {
                $currenttime = $blog->getCorrectTime(time());\r
                $result = sql_query("SELECT * FROM ".sql_table('item').\r
                        " WHERE iblog='".$blogid."' AND iposted=0 AND itime>".mysqldate($currenttime));\r
-               if (mysql_num_rows($result) > 0) {\r
+               if (sql_num_rows($result) > 0) {\r
                                $blog->setFuturePost();\r
                }\r
                else {\r
@@ -1483,7 +1430,7 @@ class ADMIN {
         * Adds a item to the chosen blog\r
         */\r
        function action_additem() {\r
-               global $member, $manager, $CONF;\r
+               global $manager, $CONF;\r
 \r
                $manager->loadClass('ITEM');\r
 \r
@@ -1494,99 +1441,16 @@ class ADMIN {
 \r
                $blogid = getBlogIDFromItemID($result['itemid']);\r
                $blog =& $manager->getBlog($blogid);\r
-/* <del by shizuki>\r
-               $pingUrl = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=sendping&blogid=' . intval($blogid));\r
-\r
-               if ($result['status'] == 'newcategory')\r
-                       $this->action_categoryedit(\r
-                               $result['catid'],\r
-                               $blogid,\r
-                               $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0 ? $pingUrl : ''\r
-                       );\r
-               elseif ((postVar('actiontype') == 'addnow') && $blog->sendPing() && numberOfEventSubscriber('SendPing') > 0)\r
-                       $this->action_sendping($blogid);\r
-               else\r
-                       $this->action_itemlist($blogid);\r
-</del by shizuki>*/\r
-// <add by shizuki>\r
                $btimestamp = $blog->getCorrectTime();\r
-               $bPingInfo  = ($blog->sendPing() && numberOfEventSubscriber('SendPing') > 0);\r
-               $item       = $manager->getItem(intval($result['itemid']), 1, 1);\r
-               $iPingInfo  = (!$item['draft'] && postVar('dosendping') && $item['timestamp'] <= $btimestamp);\r
-               if ($iPingInfo && $bPingInfo) {\r
-                       $nextAction = 'sendping';\r
-               } else {\r
-                       $nextAction = 'itemlist';\r
-               }\r
+               $item      = $manager->getItem(intval($result['itemid']), 1, 1);\r
+\r
                if ($result['status'] == 'newcategory') {\r
-//                     $distURI = ($nextAction == 'sendping') ? $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action='\r
-//                                      . $nextAction . '&blogid=' . intval($blogid)) :\r
-//                                        '';\r
-                       $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=' . $nextAction . '&blogid=' . intval($blogid));\r
+                       $distURI = $manager->addTicketToUrl($CONF['AdminURL'] . 'index.php?action=itemList&blogid=' . intval($blogid));\r
                        $this->action_categoryedit($result['catid'], $blogid, $distURI);\r
                } else {\r
-                       $methodName = 'action_' . $nextAction;\r
+                       $methodName = 'action_itemList';\r
                        call_user_func(array(&$this, $methodName), $blogid);\r
                }\r
-//</add by shizuki>\r
-       }\r
-\r
-       /**\r
-        * Shows a window that says we're about to ping.\r
-        * immediately refresh to the real pinging page, which will\r
-        * show an error, or redirect to the blog.\r
-        *\r
-        * @param int $blogid ID of blog for which ping needs to be sent out\r
-        */\r
-       function action_sendping($blogid = -1) {\r
-               global $member, $manager;\r
-\r
-               if ($blogid == -1)\r
-                       $blogid = intRequestVar('blogid');\r
-\r
-               $member->isLoggedIn() or $this->disallow();\r
-\r
-               $rawPingUrl = $manager->addTicketToUrl('index.php?action=rawping&blogid=' . intval($blogid));\r
-\r
-               $this->pagehead('<meta http-equiv="refresh" content="1; url='.htmlspecialchars($rawPingUrl).'" />');\r
-               echo _UPDATEDPING_MESSAGE;\r
-               ?>\r
-               <a href="index.php?action=rawping&amp;blogid=<?php echo $blogid?>"><?php echo _UPDATEDPING_GOPINGPAGE ?></a>\r
-               </p>\r
-               <?php\r
-               $this->pagefoot();\r
-       }\r
-\r
-       /**\r
-        * Sends the real ping (can take up to 10 seconds!)\r
-        */\r
-       function action_rawping() {\r
-               global $manager;\r
-               // TODO: checks?\r
-\r
-               $blogid = intRequestVar('blogid');\r
-               $blog =& $manager->getBlog($blogid);\r
-\r
-               $this->pagehead();\r
-\r
-               ?>\r
-\r
-               <h2><?php echo _UPDATEDPING_PINGING ?></h2>\r
-               <div class='note'>\r
-                <?php\r
-\r
-               // send sendPing event\r
-               $manager->notify('SendPing', array('blogid' => $blogid));\r
-\r
-                ?>\r
-                </div>\r
-\r
-               <ul>\r
-                       <li><a href="index.php?action=itemlist&amp;blogid=<?php echo $blog->getID()?>"><?php echo _UPDATEDPING_VIEWITEM . htmlspecialchars($blog->getName())?></a></li>\r
-                       <li><a href="<?php echo $blog->getURL()?>"><?php echo _UPDATEDPING_VISITOWNSITE ?></a></li>\r
-               </ul>\r
-\r
-               <?php           $this->pagefoot();\r
        }\r
 \r
        /**\r
@@ -1605,9 +1469,11 @@ class ADMIN {
 \r
                // change <br /> to \n\r
                $comment['body'] = str_replace('<br />','',$comment['body']);\r
-\r
-               $comment['body'] = eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>","\\1",$comment['body']);\r
-\r
+               \r
+               // replaced eregi_replace() below with preg_replace(). ereg* functions are deprecated in PHP 5.3.0\r
+               /* original eregi_replace: eregi_replace("<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>", "\\1", $comment['body']) */\r
+               $comment['body'] = preg_replace("#<a href=['\"]([^'\"]+)['\"]( rel=\"nofollow\")?>[^<]*</a>#I", "\\1", $comment['body']);\r
+               \r
                $this->pagehead();\r
 \r
                ?>\r
@@ -1623,7 +1489,7 @@ class ADMIN {
                </tr><tr>\r
                        <td><?php echo _EDITC_WHO?></td>\r
                        <td>\r
-                       <?php                           if ($comment['member'])\r
+                       <?php                      if ($comment['member'])\r
                                        echo $comment['member'] . " (" . _EDITC_MEMBER . ")";\r
                                else\r
                                        echo $comment['user'] . " (" . _EDITC_NONMEMBER . ")";\r
@@ -1647,7 +1513,7 @@ class ADMIN {
                <tr>\r
                        <td><?php echo _EDITC_TEXT?></td>\r
                        <td>\r
-                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                                   // htmlspecialchars not needed (things should be escaped already)\r
+                               <textarea name="body" tabindex="10" rows="10" cols="50"><?php                              // htmlspecialchars not needed (things should be escaped already)\r
                                        echo $comment['body'];\r
                                ?></textarea>\r
                        </td>\r
@@ -1674,18 +1540,25 @@ class ADMIN {
                $url = postVar('url');\r
                $email = postVar('email');\r
                $body = postVar('body');\r
-\r
+               \r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}", $body) != FALSE\r
+               # important note that '\' must be matched with '\\\\' in preg* expressions\r
                // intercept words that are too long\r
-               if (eregi("[a-zA-Z0-9|\.,;:!\?=\/\\]{90,90}",$body) != false)\r
+               if (preg_match('#[a-zA-Z0-9|\.,;:!\?=\/\\\\]{90,90}#', $body) != FALSE)\r
+               {\r
                        $this->error(_ERROR_COMMENT_LONGWORD);\r
-\r
+               }\r
+               \r
                // check length\r
-               if (strlen($body)<3)\r
+               if (strlen($body) < 3) {\r
                        $this->error(_ERROR_COMMENT_NOCOMMENT);\r
+               }\r
                if (strlen($body)>5000)\r
+               {\r
                        $this->error(_ERROR_COMMENT_TOOLONG);\r
-\r
-\r
+               }\r
+               \r
                // prepare body\r
                $body = COMMENT::prepareBody($body);\r
 \r
@@ -1693,13 +1566,13 @@ class ADMIN {
                $manager->notify('PreUpdateComment',array('body' => &$body));\r
 \r
                $query =  'UPDATE '.sql_table('comment')\r
-                          . " SET cmail = '" . addslashes($url) . "', cemail = '" . addslashes($email) . "', cbody = '" . addslashes($body) . "'"\r
+                          . " SET cmail = '" . sql_real_escape_string($url) . "', cemail = '" . sql_real_escape_string($email) . "', cbody = '" . sql_real_escape_string($body) . "'"\r
                           . " WHERE cnumber=" . $commentid;\r
                sql_query($query);\r
 \r
                // get itemid\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment').' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
 \r
                if ($member->canAlterItem($itemid))\r
@@ -1762,7 +1635,7 @@ class ADMIN {
 \r
                // get item id first\r
                $res = sql_query('SELECT citem FROM '.sql_table('comment') .' WHERE cnumber=' . $commentid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $itemid = $o->citem;\r
 \r
                $error = $this->deleteOneComment($commentid);\r
@@ -1838,7 +1711,7 @@ class ADMIN {
                                <td><?php echo _MEMBERS_DISPLAY?> <?php help('shortnames');?>\r
                                <br /><small><?php echo _MEMBERS_DISPLAY_INFO?></small>\r
                                </td>\r
-                               <td><input tabindex="10010" name="name" size="16" maxlength="16" /></td>\r
+                               <td><input tabindex="10010" name="name" size="32" maxlength="32" /></td>\r
                        </tr><tr>\r
                                <td><?php echo _MEMBERS_REALNAME?></td>\r
                                <td><input name="realname" tabindex="10020" size="40" maxlength="60" /></td>\r
@@ -1920,7 +1793,7 @@ class ADMIN {
                        </td>\r
                        <td>\r
                        <?php if ($CONF['AllowLoginEdit'] || $member->isAdmin()) { ?>\r
-                               <input name="name" tabindex="10" maxlength="16" size="16" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
+                               <input name="name" tabindex="10" maxlength="32" size="32" value="<?php echo  htmlspecialchars($mem->getDisplayName()); ?>" />\r
                        <?php } else {\r
                                echo htmlspecialchars($member->getDisplayName());\r
                           }\r
@@ -1966,20 +1839,26 @@ class ADMIN {
 \r
                                <select name="deflang" tabindex="85">\r
                                        <option value=""><?php echo _MEMBERS_USESITELANG?></option>\r
-                               <?php                           // show a dropdown list of all available languages\r
+                               <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle))\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$", $filename, $matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
-                                               if ($name == $mem->getLanguage())\r
-                                                       echo " selected='selected'";\r
+                                               echo "<option value=\"$name\"";\r
+                                               if ($name == $mem->getLanguage() )\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
+                               \r
                                ?>\r
                                </select>\r
 \r
@@ -2026,20 +1905,23 @@ class ADMIN {
                // check if allowed\r
                ($member->getID() == $memberid) or $member->isAdmin() or $this->disallow();\r
 \r
-               $name                   = trim(strip_tags(postVar('name')));\r
-               $realname               = trim(strip_tags(postVar('realname')));\r
-               $password               = postVar('password');\r
-               $repeatpassword = postVar('repeatpassword');\r
-               $email                  = strip_tags(postVar('email'));\r
+               $name              = trim(strip_tags(postVar('name')));\r
+               $realname          = trim(strip_tags(postVar('realname')));\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
+               $email            = strip_tags(postVar('email'));\r
                $url                    = strip_tags(postVar('url'));\r
 \r
-               // Sometimes user didn't prefix the URL with http://, this cause a malformed URL. Let's fix it.\r
-               if (!eregi("^https?://", $url))\r
-                       $url = "http://".$url;\r
-\r
-               $admin                  = postVar('admin');\r
-               $canlogin               = postVar('canlogin');\r
-               $notes                  = strip_tags(postVar('notes'));\r
+               # replaced eregi() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+               # original eregi: !eregi("^https?://", $url)\r
+               // begin if: sometimes user didn't prefix the URL with http:// or https://, this cause a malformed URL. Let's fix it.\r
+               if (!preg_match('#^https?://#', $url) )\r
+               {\r
+                       $url = "http://" . $url;\r
+               }\r
+               $admin            = postVar('admin');\r
+               $canlogin          = postVar('canlogin');\r
+               $notes            = strip_tags(postVar('notes'));\r
                $deflang                = postVar('deflang');\r
 \r
                $mem = MEMBER::createFromID($memberid);\r
@@ -2057,6 +1939,15 @@ class ADMIN {
 \r
                        if ($password && (strlen($password) < 6))\r
                                $this->error(_ERROR_PASSWORDTOOSHORT);\r
+\r
+                       if ($password) {\r
+                               $pwdvalid = true;\r
+                               $pwderror = '';\r
+                               $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                               if (!$pwdvalid) {\r
+                                       $this->error($pwderror);\r
+                               }\r
+                       }\r
                }\r
 \r
                if (!isValidMailAddress($email))\r
@@ -2071,12 +1962,12 @@ class ADMIN {
 \r
                // check if there will remain at least one site member with both the logon and admin rights\r
                // (check occurs when taking away one of these rights from such a member)\r
-               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
+               if (    (!$admin && $mem->isAdmin() && $mem->canLogin())\r
                         || (!$canlogin && $mem->isAdmin() && $mem->canLogin())\r
                   )\r
                {\r
                        $r = sql_query('SELECT * FROM '.sql_table('member').' WHERE madmin=1 and mcanlogin=1');\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                $this->error(_ERROR_ATLEASTONEADMIN);\r
                }\r
 \r
@@ -2276,7 +2167,7 @@ class ADMIN {
         * @author dekarma\r
         */\r
        function action_activatesetpwd() {\r
-\r
+               \r
                $key = postVar('key');\r
 \r
                // clean up old activation keys\r
@@ -2293,17 +2184,25 @@ class ADMIN {
                if (!$mem)\r
                        return $this->_showActivationPage($key, _ERROR_ACTIVATE);\r
 \r
-               $password               = postVar('password');\r
-               $repeatpassword = postVar('repeatpassword');\r
+               $password          = postVar('password');\r
+               $repeatpassword = postVar('repeatpassword');\r
 \r
                if ($password != $repeatpassword)\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDMISMATCH);\r
 \r
                if ($password && (strlen($password) < 6))\r
                        return $this->_showActivationPage($key, _ERROR_PASSWORDTOOSHORT);\r
-\r
+               \r
+               if ($password) {\r
+                       $pwdvalid = true;\r
+                       $pwderror = '';\r
+                       global $manager;\r
+                       $manager->notify('PrePasswordSet',array('password' => $password, 'errormessage' => &$pwderror, 'valid' => &$pwdvalid));\r
+                       if (!$pwdvalid) {\r
+                               return $this->_showActivationPage($key,$pwderror);\r
+                       }\r
+               }\r
                $error = '';\r
-               global $manager;\r
                $manager->notify('ValidateForm', array('type' => 'activation', 'member' => $mem, 'error' => &$error));\r
                if ($error != '')\r
                        return $this->_showActivationPage($key, $error);\r
@@ -2365,7 +2264,7 @@ class ADMIN {
 \r
                        <table><tr>\r
                                <td><?php echo _TEAM_CHOOSEMEMBER?></td>\r
-                               <td><?php                                       // TODO: try to make it so only non-team-members are listed\r
+                               <td><?php                                  // TODO: try to make it so only non-team-members are listed\r
                                        $query =  'SELECT mname as text, mnumber as value'\r
                                                   . ' FROM '.sql_table('member');\r
 \r
@@ -2472,7 +2371,7 @@ class ADMIN {
                        return _ERROR_DISALLOWED;\r
 \r
                // check if: - there remains at least one blog admin\r
-               //           - (there remains at least one team member)\r
+               //                 - (there remains at least one team member)\r
                $tmem = MEMBER::createFromID($memberid);\r
 \r
                $manager->notify('PreDeleteTeamMember', array('member' => &$tmem, 'blogid' => $blogid));\r
@@ -2482,7 +2381,7 @@ class ADMIN {
                        // (check for at least two admins before deletion)\r
                        $query = 'SELECT * FROM '.sql_table('team') . ' WHERE tblog='.$blogid.' and tadmin=1';\r
                        $r = sql_query($query);\r
-                       if (mysql_num_rows($r) < 2)\r
+                       if (sql_num_rows($r) < 2)\r
                                return _ERROR_ATLEASTONEBLOGADMIN;\r
                }\r
 \r
@@ -2511,7 +2410,7 @@ class ADMIN {
                // don't allow when there is only one admin at this moment\r
                if ($mem->isBlogAdmin($blogid)) {\r
                        $r = sql_query('SELECT * FROM '.sql_table('team') . " WHERE tblog=$blogid and tadmin=1");\r
-                       if (mysql_num_rows($r) == 1)\r
+                       if (sql_num_rows($r) == 1)\r
                                $this->error(_ERROR_ATLEASTONEBLOGADMIN);\r
                }\r
 \r
@@ -2556,7 +2455,7 @@ class ADMIN {
                <?php\r
                        $res = sql_query('SELECT mname, mrealname FROM ' . sql_table('member') . ',' . sql_table('team') . ' WHERE mnumber=tmember AND tblog=' . intval($blogid));\r
                        $aMemberNames = array();\r
-                       while ($o = mysql_fetch_object($res))\r
+                       while ($o = sql_fetch_object($res))\r
                                array_push($aMemberNames, htmlspecialchars($o->mname) . ' (' . htmlspecialchars($o->mrealname). ')');\r
                        echo implode(',', $aMemberNames);\r
                ?>\r
@@ -2626,7 +2525,7 @@ class ADMIN {
                 <td><?php $this->input_yesno('reqemail',$blog->emailRequired(),72); ?></td>\r
          </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY?> <?php help('blognotify'); ?></td>\r
-                       <td><input name="notify" tabindex="80" maxlength="60" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
+                       <td><input name="notify" tabindex="80" maxlength="128" size="40" value="<?php echo  htmlspecialchars($blog->getNotifyAddress()); ?>" /></td>\r
                </tr><tr>\r
                        <td><?php echo _EBLOG_NOTIFY_ON?></td>\r
                        <td>\r
@@ -2643,15 +2542,6 @@ class ADMIN {
                                /><label for="notifyNewItem"><?php echo _EBLOG_NOTIFY_ITEM?></label>\r
                        </td>\r
                </tr><tr>\r
-               <?php\r
-               if (numberOfEventSubscriber('SendPing') > 0) {\r
-               ?>\r
-                       <td><?php echo _EBLOG_PING?> <?php help('sendping'); ?></td>\r
-                       <td><?php $this->input_yesno('sendping',$blog->sendPing(),85); ?></td>\r
-               </tr><tr>\r
-               <?php\r
-               }\r
-               ?>\r
                        <td><?php echo _EBLOG_MAXCOMMENTS?> <?php help('blogmaxcomments'); ?></td>\r
                        <td><input name="maxcomments" tabindex="90" size="3" value="<?php echo  htmlspecialchars($blog->getMaxComments()); ?>" /></td>\r
                </tr><tr>\r
@@ -2758,13 +2648,13 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid);\r
+               $query = 'SELECT * FROM '.sql_table('category') . ' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid);\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
-               $blog           =& $manager->getBlog($blogid);\r
-               $newCatID       =  $blog->createNewCategory($cname, $cdesc);\r
+               $blog      =& $manager->getBlog($blogid);\r
+               $newCatID   =  $blog->createNewCategory($cname, $cdesc);\r
 \r
                $this->action_blogsettings();\r
        }\r
@@ -2787,7 +2677,7 @@ class ADMIN {
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
                $res = sql_query('SELECT * FROM '.sql_table('category')." WHERE cblog=$blogid AND catid=$catid");\r
-               $obj = mysql_fetch_object($res);\r
+               $obj = sql_fetch_object($res);\r
 \r
                $cname = $obj->cname;\r
                $cdesc = $obj->cdesc;\r
@@ -2848,14 +2738,14 @@ class ADMIN {
                if (!isValidCategoryName($cname))\r
                        $this->error(_ERROR_BADCATEGORYNAME);\r
 \r
-               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . addslashes($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
+               $query = 'SELECT * FROM '.sql_table('category').' WHERE cname=\'' . sql_real_escape_string($cname).'\' and cblog=' . intval($blogid) . " and not(catid=$catid)";\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) > 0)\r
+               if (sql_num_rows($res) > 0)\r
                        $this->error(_ERROR_DUPCATEGORYNAME);\r
 \r
                $query =  'UPDATE '.sql_table('category').' SET'\r
-                          . " cname='" . addslashes($cname) . "',"\r
-                          . " cdesc='" . addslashes($cdesc) . "'"\r
+                          . " cname='" . sql_real_escape_string($cname) . "',"\r
+                          . " cdesc='" . sql_real_escape_string($cdesc) . "'"\r
                           . " WHERE catid=" . $catid;\r
 \r
                sql_query($query);\r
@@ -2898,7 +2788,7 @@ class ADMIN {
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        $this->error(_ERROR_DELETELASTCATEGORY);\r
 \r
 \r
@@ -2947,8 +2837,6 @@ class ADMIN {
 \r
                $catid = intval($catid);\r
 \r
-               $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
-\r
                $blogid = getBlogIDFromCatID($catid);\r
 \r
                if (!$member->blogAdminRights($blogid))\r
@@ -2970,9 +2858,11 @@ class ADMIN {
                // check if catid is the only category left for blogid\r
                $query = 'SELECT catid FROM '.sql_table('category').' WHERE cblog=' . $blogid;\r
                $res = sql_query($query);\r
-               if (mysql_num_rows($res) == 1)\r
+               if (sql_num_rows($res) == 1)\r
                        return _ERROR_DELETELASTCATEGORY;\r
 \r
+               $manager->notify('PreDeleteCategory', array('catid' => $catid));\r
+\r
                // change category for all items to the default category\r
                $query = 'UPDATE '.sql_table('item')." SET icat=$destcatid WHERE icat=$catid";\r
                sql_query($query);\r
@@ -3033,7 +2923,7 @@ class ADMIN {
                // update comments table (cblog)\r
                $query = 'SELECT inumber FROM '.sql_table('item').' WHERE icat='.$catid;\r
                $items = sql_query($query);\r
-               while ($oItem = mysql_fetch_object($items)) {\r
+               while ($oItem = sql_fetch_object($items)) {\r
                        sql_query('UPDATE '.sql_table('comment').' SET cblog='.$destblogid.' WHERE citem='.$oItem->inumber);\r
                }\r
 \r
@@ -3068,16 +2958,16 @@ class ADMIN {
 \r
                $blog =& $manager->getBlog($blogid);\r
 \r
-               $notify                 = trim(postVar('notify'));\r
-               $shortname              = trim(postVar('shortname'));\r
-               $updatefile             = trim(postVar('update'));\r
+               $notify          = trim(postVar('notify'));\r
+               $shortname        = trim(postVar('shortname'));\r
+               $updatefile      = trim(postVar('update'));\r
 \r
-               $notifyComment  = intPostVar('notifyComment');\r
-               $notifyVote             = intPostVar('notifyVote');\r
-               $notifyNewItem  = intPostVar('notifyNewItem');\r
+               $notifyComment  = intPostVar('notifyComment');\r
+               $notifyVote      = intPostVar('notifyVote');\r
+               $notifyNewItem  = intPostVar('notifyNewItem');\r
 \r
                if ($notifyComment == 0)        $notifyComment = 1;\r
-               if ($notifyVote == 0)           $notifyVote = 1;\r
+               if ($notifyVote == 0)      $notifyVote = 1;\r
                if ($notifyNewItem == 0)        $notifyNewItem = 1;\r
 \r
                $notifyType = $notifyComment * $notifyVote * $notifyNewItem;\r
@@ -3112,7 +3002,6 @@ class ADMIN {
                $blog->setDefaultSkin(intPostVar('defskin'));\r
                $blog->setDescription(trim(postVar('desc')));\r
                $blog->setPublic(postVar('public'));\r
-               $blog->setPingUserland(postVar('sendping'));\r
                $blog->setConvertBreaks(intPostVar('convertbreaks'));\r
                $blog->setAllowPastPosting(intPostVar('allowpastposting'));\r
                $blog->setDefaultCategory(intPostVar('defcat'));\r
@@ -3285,7 +3174,7 @@ class ADMIN {
 \r
                /* unlink comments from memberid */\r
                if ($memberid) {\r
-                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. addslashes($mem->getDisplayName())\r
+                       $query = 'UPDATE ' . sql_table('comment') . ' SET cmember="0", cuser="'. sql_real_escape_string($mem->getDisplayName())\r
                                   .'" WHERE cmember='.$memberid;\r
                        sql_query($query);\r
                }\r
@@ -3366,7 +3255,7 @@ class ADMIN {
                                                   . ' FROM '.sql_table('skin_desc');\r
                                        $template['name'] = 'defskin';\r
                                        $template['tabindex'] = 50;\r
-                                       $template['selected'] = $CONF['BaseSkin'];      // set default selected skin to be globally defined base skin\r
+                                       $template['selected'] = $CONF['BaseSkin'];  // set default selected skin to be globally defined base skin\r
                                        showlist($query,'select',$template);\r
                                ?>\r
                        </td>\r
@@ -3400,11 +3289,11 @@ class ADMIN {
                // Only Super-Admins can do this\r
                $member->isAdmin() or $this->disallow();\r
 \r
-               $bname                  = trim(postVar('name'));\r
-               $bshortname             = trim(postVar('shortname'));\r
+               $bname            = trim(postVar('name'));\r
+               $bshortname      = trim(postVar('shortname'));\r
                $btimeoffset    = postVar('timeoffset');\r
-               $bdesc                  = trim(postVar('desc'));\r
-               $bdefskin               = postVar('defskin');\r
+               $bdesc            = trim(postVar('desc'));\r
+               $bdefskin          = postVar('defskin');\r
 \r
                if (!isValidShortName($bshortname))\r
                        $this->error(_ERROR_BADSHORTBLOGNAME);\r
@@ -3415,7 +3304,7 @@ class ADMIN {
                $manager->notify(\r
                        'PreAddBlog',\r
                        array(\r
-                               'name'        => &$bname,\r
+                               'name'          => &$bname,\r
                                'shortname'   => &$bshortname,\r
                                'timeoffset'  => &$btimeoffset,\r
                                'description' => &$bdesc,\r
@@ -3425,23 +3314,25 @@ class ADMIN {
 \r
 \r
                // add slashes for sql queries\r
-               $bname       = addslashes($bname);\r
-               $bshortname  = addslashes($bshortname);\r
-               $btimeoffset = addslashes($btimeoffset);\r
-               $bdesc       = addslashes($bdesc);\r
-               $bdefskin    = addslashes($bdefskin);\r
+               $bname     = sql_real_escape_string($bname);\r
+               $bshortname  = sql_real_escape_string($bshortname);\r
+               $btimeoffset = sql_real_escape_string($btimeoffset);\r
+               $bdesc     = sql_real_escape_string($bdesc);\r
+               $bdefskin       = sql_real_escape_string($bdefskin);\r
 \r
                // create blog\r
                $query = 'INSERT INTO '.sql_table('blog')." (bname, bshortname, bdesc, btimeoffset, bdefskin) VALUES ('$bname', '$bshortname', '$bdesc', '$btimeoffset', '$bdefskin')";\r
                sql_query($query);\r
-               $blogid = mysql_insert_id();\r
-               $blog   =& $manager->getBlog($blogid);\r
+               $blogid = sql_insert_id();\r
+               $blog   =& $manager->getBlog($blogid);\r
 \r
                // create new category\r
+               $catdefname = (defined('_EBLOGDEFAULTCATEGORY_NAME') ? _EBLOGDEFAULTCATEGORY_NAME : 'General');\r
+               $catdefdesc = (defined('_EBLOGDEFAULTCATEGORY_DESC') ? _EBLOGDEFAULTCATEGORY_DESC : 'Items that do not fit in other categories');\r
                $sql = 'INSERT INTO %s (cblog, cname, cdesc) VALUES (%d, "%s", "%s")';\r
-               sql_query(sprintf($sql, sql_table('category'), $blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC));\r
+               sql_query(sprintf($sql, sql_table('category'), $blogid, $catdefname, $catdefdesc));\r
 //             sql_query('INSERT INTO '.sql_table('category')." (cblog, cname, cdesc) VALUES ($blogid, _EBLOGDEFAULTCATEGORY_NAME, _EBLOGDEFAULTCATEGORY_DESC)");\r
-               $catid = mysql_insert_id();\r
+               $catid = sql_insert_id();\r
 \r
                // set as default category\r
                $blog->setDefaultCategory($catid);\r
@@ -3451,10 +3342,15 @@ class ADMIN {
                $memberid = $member->getID();\r
                $query = 'INSERT INTO '.sql_table('team')." (tmember, tblog, tadmin) VALUES ($memberid, $blogid, 1)";\r
                sql_query($query);\r
-\r
-\r
-               $blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
-\r
+               \r
+               $itemdeftitle = (defined('_EBLOG_FIRSTITEM_TITLE') ? _EBLOG_FIRSTITEM_TITLE : 'First Item');\r
+               $itemdefbody = (defined('_EBLOG_FIRSTITEM_BODY') ? _EBLOG_FIRSTITEM_BODY : 'This is the first item in your weblog. Feel free to delete it.');\r
+               \r
+               $blog->additem($blog->getDefaultCategory(),$itemdeftitle,$itemdefbody,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               //$blog->additem($blog->getDefaultCategory(),_EBLOG_FIRSTITEM_TITLE,_EBLOG_FIRSTITEM_BODY,'',$blogid, $memberid,$blog->getCorrectTime(),0,0,0);\r
+               \r
+               \r
+               \r
                $manager->notify(\r
                        'PostAddBlog',\r
                        array(\r
@@ -3465,10 +3361,10 @@ class ADMIN {
                $manager->notify(\r
                        'PostAddCategory',\r
                        array(\r
-                               'blog'        => &$blog,\r
-                               'name'        => _EBLOGDEFAULTCATEGORY_NAME,\r
+                               'blog'          => &$blog,\r
+                               'name'          => _EBLOGDEFAULTCATEGORY_NAME,\r
                                'description' => _EBLOGDEFAULTCATEGORY_DESC,\r
-                               'catid'       => $catid\r
+                               'catid'    => $catid\r
                        )\r
                );\r
 \r
@@ -3531,7 +3427,7 @@ selector();
                        </tr></table>\r
                </div></form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
        }\r
 \r
@@ -3543,8 +3439,8 @@ selector();
 \r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
-               $burl   = requestVar('url');\r
-               $blogid = intRequestVar('blogid');\r
+               $burl   = requestVar('url');\r
+               $blogid = intRequestVar('blogid');\r
 \r
                $blog =& $manager->getBlog($blogid);\r
                $blog->setURL(trim($burl));\r
@@ -3572,7 +3468,7 @@ selector();
                <h2><?php echo _SKINIE_TITLE_IMPORT?></h2>\r
 \r
                                <p><label for="skinie_import_local"><?php echo _SKINIE_LOCAL?></label>\r
-                               <?php                                   global $DIR_SKINS;\r
+                               <?php                              global $DIR_SKINS;\r
 \r
                                        $candidates = SKINIMPORT::searchForCandidates($DIR_SKINS);\r
 \r
@@ -3583,7 +3479,7 @@ selector();
                                                                <?php $manager->addTicketHidden() ?>\r
                                                                <input type="hidden" name="mode" value="file" />\r
                                                                <select name="skinfile" id="skinie_import_local">\r
-                                                               <?php                                                                   foreach ($candidates as $skinname => $skinfile) {\r
+                                                               <?php                                                              foreach ($candidates as $skinname => $skinfile) {\r
                                                                                $html = htmlspecialchars($skinfile);\r
                                                                                echo '<option value="',$html,'">',$skinname,'</option>';\r
                                                                        }\r
@@ -3591,7 +3487,7 @@ selector();
                                                                </select>\r
                                                                <input type="submit" value="<?php echo _SKINIE_BTN_IMPORT?>" />\r
                                                        </div></form>\r
-                                               <?php                                   } else {\r
+                                               <?php                              } else {\r
                                                echo _SKINIE_NOCANDIDATES;\r
                                        }\r
                                ?>\r
@@ -3619,9 +3515,9 @@ selector();
                        <table><tr>\r
                                <th colspan="2"><?php echo _SKINIE_EXPORT_SKINS?></th>\r
                        </tr><tr>\r
-       <?php           // show list of skins\r
+       <?php      // show list of skins\r
                $res = sql_query('SELECT * FROM '.sql_table('skin_desc'));\r
-               while ($skinObj = mysql_fetch_object($res)) {\r
+               while ($skinObj = sql_fetch_object($res)) {\r
                        $id = 'skinexp' . $skinObj->sdnumber;\r
                        echo '<td><input type="checkbox" name="skin[',$skinObj->sdnumber,']"  id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($skinObj->sdname),'</label></td>';\r
@@ -3633,7 +3529,7 @@ selector();
 \r
                // show list of templates\r
                $res = sql_query('SELECT * FROM '.sql_table('template_desc'));\r
-               while ($templateObj = mysql_fetch_object($res)) {\r
+               while ($templateObj = sql_fetch_object($res)) {\r
                        $id = 'templateexp' . $templateObj->tdnumber;\r
                        echo '<td><input type="checkbox" name="template[',$templateObj->tdnumber,']" id="',$id,'" />';\r
                        echo '<label for="',$id,'">',htmlspecialchars($templateObj->tdname),'</label></td>';\r
@@ -3669,7 +3565,7 @@ selector();
                include_once($DIR_LIBS . 'skinie.php');\r
 \r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
 \r
                $importer =& new SKINIMPORT();\r
 \r
@@ -3691,7 +3587,7 @@ selector();
                // clashes\r
                $skinNameClashes = $importer->checkSkinNameClashes();\r
                $templateNameClashes = $importer->checkTemplateNameClashes();\r
-               $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
+               $hasNameClashes = (count($skinNameClashes) > 0) || (count($templateNameClashes) > 0);\r
 \r
                if ($error) $this->error($error);\r
 \r
@@ -3750,7 +3646,7 @@ selector();
                include_once($DIR_LIBS . 'skinie.php');\r
 \r
                $skinFileRaw= postVar('skinfile');\r
-               $mode           = postVar('mode');\r
+               $mode      = postVar('mode');\r
 \r
                $allowOverwrite = intPostVar('overwrite');\r
 \r
@@ -3791,7 +3687,7 @@ selector();
                        <li><p><strong><?php echo _SKINIE_INFO_IMPORTEDTEMPLS?></strong> <?php echo implode(' <em>'._AND.'</em> ',$importer->getTemplateNames())?></p></li>\r
                </ul>\r
 \r
-       <?php           $this->pagefoot();\r
+       <?php      $this->pagefoot();\r
 \r
        }\r
 \r
@@ -3884,7 +3780,7 @@ selector();
                $member->isAdmin() or $this->disallow();\r
 \r
                $extrahead = '<script type="text/javascript" src="javascript/templateEdit.js"></script>';\r
-               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.addslashes(_EDITTEMPLATE_EMPTY).'");</script>';\r
+               $extrahead .= '<script type="text/javascript">setTemplateEditText("'.sql_real_escape_string(_EDITTEMPLATE_EMPTY).'");</script>';\r
 \r
                $this->pagehead($extrahead);\r
 \r
@@ -3899,7 +3795,7 @@ selector();
 \r
                <h2><?php echo _TEMPLATE_EDIT_TITLE?> '<?php echo  htmlspecialchars($templatename); ?>'</h2>\r
 \r
-               <?php                                   if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+               <?php                              if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
                ?>\r
 \r
                <p><?php echo _TEMPLATE_EDIT_MSG?></p>\r
@@ -4033,7 +3929,7 @@ selector();
                </tr><tr>\r
                        <td><?php echo $description?> <?php if ($help) help('template'.$help); ?></td>\r
                        <td id="td<?php echo $count?>"><textarea class="templateedit" name="<?php echo $name?>" tabindex="<?php echo $tabindex?>" cols="50" rows="<?php echo $big?10:5?>" id="textarea<?php echo $count?>"><?php echo  htmlspecialchars($template[$name]); ?></textarea></td>\r
-       <?php           $count++;\r
+       <?php      $count++;\r
        }\r
 \r
        /**\r
@@ -4056,8 +3952,8 @@ selector();
                        $this->error(_ERROR_DUPTEMPLATENAME);\r
 \r
 \r
-               $name = addslashes($name);\r
-               $desc = addslashes($desc);\r
+               $name = sql_real_escape_string($name);\r
+               $desc = sql_real_escape_string($desc);\r
 \r
                // 1. Remove all template parts\r
                $query = 'DELETE FROM '.sql_table('template').' WHERE tdesc=' . $templateid;\r
@@ -4123,8 +4019,8 @@ selector();
         * @todo document this\r
         */\r
        function addToTemplate($id, $partname, $content) {\r
-               $partname = addslashes($partname);\r
-               $content = addslashes($content);\r
+               $partname = sql_real_escape_string($partname);\r
+               $content = sql_real_escape_string($content);\r
 \r
                $id = intval($id);\r
 \r
@@ -4133,8 +4029,8 @@ selector();
 \r
                $query = 'INSERT INTO '.sql_table('template')." (tdesc, tpartname, tcontent) "\r
                           . "VALUES ($id, '$partname', '$content')";\r
-               sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . mysql_error());\r
-               return mysql_insert_id();\r
+               sql_query($query) or exit(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+               return sql_insert_id();\r
        }\r
 \r
        /**\r
@@ -4245,7 +4141,7 @@ selector();
                // 3. create clone\r
                // go through parts of old template and add them to the new one\r
                $res = sql_query('SELECT tpartname, tcontent FROM '.sql_table('template').' WHERE tdesc=' . $templateid);\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        $this->addToTemplate($newid, $o->tpartname, $o->tcontent);\r
                }\r
 \r
@@ -4366,12 +4262,12 @@ selector();
                echo '<input type="submit" tabindex="140" value="' . _SKIN_CREATE . '" onclick="return checkSubmit();" />' . "\r\n";\r
                echo '</form>' . "\r\n";\r
 \r
-               if ($res && mysql_num_rows($res) > 0) {\r
+               if ($res && sql_num_rows($res) > 0) {\r
                        echo '<ul>';\r
                        $tabstart = 75;\r
 \r
-                       while ($row = mysql_fetch_assoc($res)) {\r
-                               echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">remove</a>)</li>';\r
+                       while ($row = sql_fetch_assoc($res)) {\r
+                               echo '<li><a tabindex="' . ($tabstart++) . '" href="index.php?action=skinedittype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">' . htmlspecialchars(ucfirst($row['stype'])) . '</a> (<a tabindex="' . ($tabstart++) . '" href="index.php?action=skinremovetype&amp;skinid=' . $skinid . '&amp;type=' . htmlspecialchars(strtolower($row['stype'])) . '">'._LISTS_DELETE.'</a>)</li>';\r
                        }\r
 \r
                        echo '</ul>';\r
@@ -4410,7 +4306,7 @@ selector();
                </form>\r
 \r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
        /**\r
@@ -4476,7 +4372,7 @@ selector();
 \r
                <h2><?php echo _SKIN_EDITPART_TITLE?> '<?php echo htmlspecialchars($skin->getName()) ?>': <?php echo htmlspecialchars(isset($friendlyNames[$type]) ? $friendlyNames[$type] : ucfirst($type)); ?></h2>\r
 \r
-               <?php                   if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
+               <?php              if ($msg) echo "<p>"._MESSAGE.": $msg</p>";\r
                ?>\r
 \r
 \r
@@ -4507,7 +4403,7 @@ selector();
 \r
                <br /><br />\r
                <?php echo _SKIN_ALLOWEDVARS?>\r
-               <?php                   $actions = SKIN::getAllowedActionsForType($type);\r
+               <?php              $actions = SKIN::getAllowedActionsForType($type);\r
 \r
                        sort($actions);\r
 \r
@@ -4565,7 +4461,7 @@ selector();
                // don't allow deletion of default skins for blogs\r
                $query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
                $r = sql_query($query);\r
-               if ($o = mysql_fetch_object($r))\r
+               if ($o = sql_fetch_object($r))\r
                        $this->error(_ERROR_SKINDEFDELETE . htmlspecialchars($o->bname));\r
 \r
                $this->pagehead();\r
@@ -4608,7 +4504,7 @@ selector();
                // don't allow deletion of default skins for blogs\r
                $query = 'SELECT bname FROM '.sql_table('blog').' WHERE bdefskin=' . $skinid;\r
                $r = sql_query($query);\r
-               if ($o = mysql_fetch_object($r))\r
+               if ($o = sql_fetch_object($r))\r
                        $this->error(_ERROR_SKINDEFDELETE .$o->bname);\r
 \r
                $manager->notify('PreDeleteSkin', array('skinid' => $skinid));\r
@@ -4745,7 +4641,7 @@ selector();
 \r
                $query = "SELECT stype FROM " . sql_table('skin') . " WHERE sdesc = " . $skinid;\r
                $res = sql_query($query);\r
-               while ($row = mysql_fetch_assoc($res)) {\r
+               while ($row = sql_fetch_assoc($res)) {\r
                        $this->skinclonetype($skin, $newid, $row['stype']);\r
                }\r
 \r
@@ -4760,7 +4656,7 @@ selector();
                $newid = intval($newid);\r
                $content = $skin->getContent($type);\r
                if ($content) {\r
-                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". addslashes($content)."', '". addslashes($type)."')";\r
+                       $query = 'INSERT INTO '.sql_table('skin')." (sdesc, scontent, stype) VALUES ($newid,'". sql_real_escape_string($content)."', '". sql_real_escape_string($type)."')";\r
                        sql_query($query);\r
                }\r
        }\r
@@ -4839,15 +4735,21 @@ selector();
                        <td>\r
 \r
                                <select name="Language" tabindex="10050">\r
-                               <?php                           // show a dropdown list of all available languages\r
+                               <?php                      // show a dropdown list of all available languages\r
                                global $DIR_LANG;\r
                                $dirhandle = opendir($DIR_LANG);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg("^(.*)\.php$",$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg("^(.*)\.php$",$filename,$matches)\r
+                                       if (preg_match('#^(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
-                                               echo "<option value='$name'";\r
+                                               echo "<option value=\"$name\"";\r
                                                if ($name == $CONF['Language'])\r
-                                                       echo " selected='selected'";\r
+                                               {\r
+                                                       echo " selected=\"selected\"";\r
+                                               }\r
                                                echo ">$name</option>";\r
                                        }\r
                                }\r
@@ -4889,7 +4791,7 @@ selector();
                        </td>\r
                        <td><?php /* $this->input_yesno('DisableJsTools',$CONF['DisableJsTools'],10075); */?>\r
                                <select name="DisableJsTools" tabindex="10075">\r
-                       <?php                                   $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
+                       <?php                              $extra = ($CONF['DisableJsTools'] == 1) ? 'selected="selected"' : '';\r
                                        echo "<option $extra value='1'>",_SETTINGS_JSTOOLBAR_NONE,"</option>";\r
                                        $extra = ($CONF['DisableJsTools'] == 2) ? 'selected="selected"' : '';\r
                                        echo "<option $extra value='2'>",_SETTINGS_JSTOOLBAR_SIMPLE,"</option>";\r
@@ -4936,7 +4838,7 @@ selector();
                        <td><?php echo _SETTINGS_MEDIADIR?></td>\r
                        <td><?php echo  htmlspecialchars($DIR_MEDIA) ?>\r
                                <i><?php echo _SETTINGS_SEECONFIGPHP?></i>\r
-                               <?php                           if (!is_dir($DIR_MEDIA))\r
+                               <?php                              if (!is_dir($DIR_MEDIA))\r
                                                echo "<br /><b>" . _WARNING_NOTADIR . "</b>";\r
                                        if (!is_readable($DIR_MEDIA))\r
                                                echo "<br /><b>" . _WARNING_NOTREADABLE . "</b>";\r
@@ -5064,39 +4966,39 @@ selector();
 \r
 \r
                // save settings\r
-               $this->updateConfig('DefaultBlog',              postVar('DefaultBlog'));\r
-               $this->updateConfig('BaseSkin',                 postVar('BaseSkin'));\r
-               $this->updateConfig('IndexURL',                 postVar('IndexURL'));\r
-               $this->updateConfig('AdminURL',                 postVar('AdminURL'));\r
+               $this->updateConfig('DefaultBlog',        postVar('DefaultBlog'));\r
+               $this->updateConfig('BaseSkin',          postVar('BaseSkin'));\r
+               $this->updateConfig('IndexURL',          postVar('IndexURL'));\r
+               $this->updateConfig('AdminURL',          postVar('AdminURL'));\r
                $this->updateConfig('PluginURL',                postVar('PluginURL'));\r
-               $this->updateConfig('SkinsURL',                 postVar('SkinsURL'));\r
+               $this->updateConfig('SkinsURL',          postVar('SkinsURL'));\r
                $this->updateConfig('ActionURL',                postVar('ActionURL'));\r
-               $this->updateConfig('Language',                 postVar('Language'));\r
-               $this->updateConfig('AdminEmail',               postVar('AdminEmail'));\r
+               $this->updateConfig('Language',          postVar('Language'));\r
+               $this->updateConfig('AdminEmail',          postVar('AdminEmail'));\r
                $this->updateConfig('SessionCookie',    postVar('SessionCookie'));\r
                $this->updateConfig('AllowMemberCreate',postVar('AllowMemberCreate'));\r
-               $this->updateConfig('AllowMemberMail',  postVar('AllowMemberMail'));\r
+               $this->updateConfig('AllowMemberMail',  postVar('AllowMemberMail'));\r
                $this->updateConfig('NonmemberMail',    postVar('NonmemberMail'));\r
-               $this->updateConfig('ProtectMemNames',  postVar('ProtectMemNames'));\r
-               $this->updateConfig('SiteName',                 postVar('SiteName'));\r
+               $this->updateConfig('ProtectMemNames',  postVar('ProtectMemNames'));\r
+               $this->updateConfig('SiteName',          postVar('SiteName'));\r
                $this->updateConfig('NewMemberCanLogon',postVar('NewMemberCanLogon'));\r
-               $this->updateConfig('DisableSite',              postVar('DisableSite'));\r
-               $this->updateConfig('DisableSiteURL',   postVar('DisableSiteURL'));\r
+               $this->updateConfig('DisableSite',        postVar('DisableSite'));\r
+               $this->updateConfig('DisableSiteURL',   postVar('DisableSiteURL'));\r
                $this->updateConfig('LastVisit',                postVar('LastVisit'));\r
-               $this->updateConfig('MediaURL',                 postVar('MediaURL'));\r
-               $this->updateConfig('AllowedTypes',             postVar('AllowedTypes'));\r
-               $this->updateConfig('AllowUpload',              postVar('AllowUpload'));\r
+               $this->updateConfig('MediaURL',          postVar('MediaURL'));\r
+               $this->updateConfig('AllowedTypes',      postVar('AllowedTypes'));\r
+               $this->updateConfig('AllowUpload',        postVar('AllowUpload'));\r
                $this->updateConfig('MaxUploadSize',    postVar('MaxUploadSize'));\r
-               $this->updateConfig('MediaPrefix',              postVar('MediaPrefix'));\r
-               $this->updateConfig('AllowLoginEdit',   postVar('AllowLoginEdit'));\r
-               $this->updateConfig('DisableJsTools',   postVar('DisableJsTools'));\r
-               $this->updateConfig('CookieDomain',             postVar('CookieDomain'));\r
-               $this->updateConfig('CookiePath',               postVar('CookiePath'));\r
-               $this->updateConfig('CookieSecure',             postVar('CookieSecure'));\r
-               $this->updateConfig('URLMode',                  postVar('URLMode'));\r
-               $this->updateConfig('CookiePrefix',             postVar('CookiePrefix'));\r
+               $this->updateConfig('MediaPrefix',        postVar('MediaPrefix'));\r
+               $this->updateConfig('AllowLoginEdit',   postVar('AllowLoginEdit'));\r
+               $this->updateConfig('DisableJsTools',   postVar('DisableJsTools'));\r
+               $this->updateConfig('CookieDomain',      postVar('CookieDomain'));\r
+               $this->updateConfig('CookiePath',          postVar('CookiePath'));\r
+               $this->updateConfig('CookieSecure',      postVar('CookieSecure'));\r
+               $this->updateConfig('URLMode',            postVar('URLMode'));\r
+               $this->updateConfig('CookiePrefix',      postVar('CookiePrefix'));\r
                $this->updateConfig('DebugVars',                postVar('DebugVars'));\r
-               $this->updateConfig('DefaultListSize',  postVar('DefaultListSize'));\r
+               $this->updateConfig('DefaultListSize',  postVar('DefaultListSize'));\r
 \r
                // load new config and redirect (this way, the new language will be used is necessary)\r
                // note that when changing cookie settings, this redirect might cause the user\r
@@ -5131,7 +5033,7 @@ selector();
                        echo "\t\t" . '<td>' . phpversion() . "</td>\n";\r
                        echo "\t</tr><tr>\n";\r
                        echo "\t\t" . '<td>' . _ADMIN_SYSTEMOVERVIEW_MYSQLVERSION . "</td>\n";\r
-                       echo "\t\t" . '<td>' . mysql_get_server_info() . ' (' . mysql_get_client_info() . ')' . "</td>\n";\r
+                       echo "\t\t" . '<td>' . sql_get_server_info() . ' (' . sql_get_client_info() . ')' . "</td>\n";\r
                        echo "\t</tr>";\r
                        echo "</table>\n";\r
 \r
@@ -5251,15 +5153,15 @@ selector();
         * @todo document this\r
         */\r
        function updateConfig($name, $val) {\r
-               $name = addslashes($name);\r
-               $val = trim(addslashes($val));\r
+               $name = sql_real_escape_string($name);\r
+               $val = trim(sql_real_escape_string($val));\r
 \r
                $query = 'UPDATE '.sql_table('config')\r
                           . " SET value='$val'"\r
                           . " WHERE name='$name'";\r
 \r
-               sql_query($query) or die("Query error: " . mysql_error());\r
-               return mysql_insert_id();\r
+               sql_query($query) or die(_ADMIN_SQLDIE_QUERYERROR . sql_error());\r
+               return sql_insert_id();\r
        }\r
 \r
        /**\r
@@ -5270,7 +5172,7 @@ selector();
                $this->pagehead();\r
                ?>\r
                <h2>Error!</h2>\r
-               <?php           echo $msg;\r
+               <?php      echo $msg;\r
                echo "<br />";\r
                echo "<a href='index.php' onclick='history.back()'>"._BACK."</a>";\r
                $this->pagefoot();\r
@@ -5323,13 +5225,14 @@ selector();
                        <?php echo $extrahead?>\r
                </head>\r
                <body>\r
+               <div id="adminwrapper">\r
                <div class="header">\r
                <h1><?php echo htmlspecialchars($CONF['SiteName'])?></h1>\r
                </div>\r
                <div id="container">\r
                <div id="content">\r
                <div class="loginname">\r
-               <?php                   if ($member->isLoggedIn())\r
+               <?php              if ($member->isLoggedIn())\r
                                echo _LOGGEDINAS . ' ' . $member->getDisplayName()\r
                                        ." - <a href='index.php?action=logout'>" . _LOGOUT. "</a>"\r
                                        . "<br /><a href='index.php?action=overview'>" . _ADMINHOME . "</a> - ";\r
@@ -5345,6 +5248,13 @@ selector();
                        if ($member->isLoggedIn() && $member->isAdmin()) {\r
                                $checkURL = sprintf(_ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_URL, getNucleusVersion(), getNucleusPatchLevel());\r
                                echo '<a href="' . $checkURL . '" title="' . _ADMIN_SYSTEMOVERVIEW_VERSIONCHECK_TITLE . '">Nucleus CMS ' . $nucleus['version'] . $codenamestring . '</a>';\r
+                               $newestVersion = getLatestVersion();\r
+                               $newestCompare = str_replace('/','.',$newestVersion);\r
+                               $newestCompare = intval($newestCompare);\r
+                               $currentVersion = str_replace(array('/','v'),array('.',''),$nucleus['version']);\r
+                               if ($newestVersion && version_compare($newestCompare,$currentVersion) > 0) {\r
+                                       echo '<br /><a style="color:red" href="http://nucleuscms.org/upgrade.php" title="'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TITLE.'">'._ADMIN_SYSTEMOVERVIEW_LATESTVERSION_TEXT.$newestVersion.'</a>';\r
+                               }\r
                        } else {\r
                                echo 'Nucleus CMS ' . $nucleus['version'] . $codenamestring;\r
                        }\r
@@ -5372,7 +5282,7 @@ selector();
                                <li><a href="index.php?action=overview"><?php echo  _BACKHOME?></a></li>\r
                                <li><a href='index.php?action=logout'><?php echo  _LOGOUT?></a></li>\r
                        </ul>\r
-                       <?php           }\r
+                       <?php      }\r
                ?>\r
                        <div class="foot">\r
                                <a href="<?php echo _ADMINPAGEFOOT_OFFICIALURL ?>">Nucleus CMS</a> &copy; 2002-<?php echo date('Y') . ' ' . _ADMINPAGEFOOT_COPYRIGHT; ?>\r
@@ -5384,7 +5294,7 @@ selector();
 \r
                        <div id="quickmenu">\r
 \r
-                               <?php                           // ---- user settings ----\r
+                               <?php                      // ---- user settings ----\r
                                if (($action != 'showlogin') && ($member->isLoggedIn())) {\r
                                        echo '<ul>';\r
                                        echo '<li><a href="index.php?action=overview">',_QMENU_HOME,'</a></li>';\r
@@ -5480,12 +5390,14 @@ selector();
                        </div>\r
 \r
                        <!-- content / quickmenu container -->\r
+                       <div class="clear"></div>       <!-- new -->\r
                        </div>\r
 \r
-\r
+                       <!-- adminwrapper -->   <!-- new -->\r
+                       </div>   <!-- new -->\r
                        </body>\r
                        </html>\r
-               <?php   }\r
+               <?php   }\r
 \r
        /**\r
         * @todo document this\r
@@ -5823,7 +5735,7 @@ selector();
 \r
                </form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
        /**\r
@@ -5832,12 +5744,12 @@ selector();
        function action_banlistadd() {\r
                global $member;\r
 \r
-               $blogid =               intPostVar('blogid');\r
-               $allblogs =     postVar('allblogs');\r
-               $iprange =              postVar('iprange');\r
+               $blogid =          intPostVar('blogid');\r
+               $allblogs =      postVar('allblogs');\r
+               $iprange =        postVar('iprange');\r
                if ($iprange == "custom")\r
                        $iprange = postVar('customiprange');\r
-               $reason =               postVar('reason');\r
+               $reason =          postVar('reason');\r
 \r
                $member->blogAdminRights($blogid) or $this->disallow();\r
 \r
@@ -5924,7 +5836,7 @@ selector();
                        <br /><?php echo _RESTORE_WARNING?>\r
                </p></form>\r
 \r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
        }\r
 \r
        /**\r
@@ -5974,7 +5886,7 @@ selector();
                $this->pagehead();\r
                ?>\r
                <h2><?php echo _RESTORE_COMPLETE?></h2>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
        }\r
 \r
@@ -5993,7 +5905,7 @@ selector();
 \r
                echo '<h2>' , _PLUGS_TITLE_MANAGE , ' ', help('plugins'), '</h2>';\r
 \r
-               echo '<h3>' , _PLUGS_TITLE_INSTALLED , '</h3>';\r
+               echo '<h3>' , _PLUGS_TITLE_INSTALLED , ' &nbsp;&nbsp;<span style="font-size:smaller">', helplink('getplugins'), _PLUGS_TITLE_GETPLUGINS, '</a></span></h3>';\r
 \r
 \r
                $query =  'SELECT * FROM '.sql_table('plugin').' ORDER BY porder ASC';\r
@@ -6014,23 +5926,31 @@ selector();
                        </div></form>\r
 \r
                        <h3><?php echo _PLUGS_TITLE_NEW?></h3>\r
-\r
-                       <?php                           // find a list of possibly non-installed plugins\r
+                       \r
+                       <?php\r
+                       // find a list of possibly non-installed plugins\r
                                $candidates = array();\r
                                global $DIR_PLUGINS;\r
                                $dirhandle = opendir($DIR_PLUGINS);\r
-                               while ($filename = readdir($dirhandle)) {\r
-                                       if (ereg('^NP_(.*)\.php$',$filename,$matches)) {\r
+                               while ($filename = readdir($dirhandle) )\r
+                               {\r
+                                       # replaced ereg() below with preg_match(). ereg* functions are deprecated in PHP 5.3.0\r
+                                       # original ereg: ereg('^NP_(.*)\.php$',$filename,$matches)\r
+                                       if (preg_match('#^NP_(.*)\.php$#', $filename, $matches) )\r
+                                       {\r
                                                $name = $matches[1];\r
                                                // only show in list when not yet installed\r
-                                               $res = sql_query('SELECT * FROM '.sql_table('plugin').' WHERE pfile="NP_'.addslashes($name).'"');\r
-                                               if (mysql_num_rows($res) == 0)\r
-                                                       array_push($candidates,$name);\r
+                                               $res = sql_query('SELECT * FROM ' . sql_table('plugin') . ' WHERE `pfile` = "NP_' . sql_real_escape_string($name) . '"');\r
+                                               if (sql_num_rows($res) == 0)\r
+                                               {\r
+                                                       array_push($candidates, $name);\r
+                                               }\r
                                        }\r
                                }\r
                                closedir($dirhandle);\r
-\r
-                               if (sizeof($candidates) > 0) {\r
+                               \r
+                               if (sizeof($candidates) > 0)\r
+                               {\r
                        ?>\r
 \r
                        <p><?php echo _PLUGS_ADD_TEXT?></p>\r
@@ -6040,14 +5960,20 @@ selector();
                                <input type='hidden' name='action' value='pluginadd' />\r
                                <?php $manager->addTicketHidden() ?>\r
                                <select name="filename" tabindex="30">\r
-                               <?php                                   foreach($candidates as $name)\r
-                                               echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               <?php   \r
+                               foreach($candidates as $name)\r
+                               {\r
+                                       echo '<option value="NP_',$name,'">',htmlspecialchars($name),'</option>';\r
+                               }\r
                                ?>\r
                                </select>\r
                                <input type='submit' tabindex="40" value='<?php echo _PLUGS_BTN_INSTALL?>' />\r
                        </div></form>\r
 \r
-               <?php                   } else {        // sizeof(candidates) == 0\r
+               <?php\r
+                               }\r
+                               else\r
+                               {\r
                                echo '<p>',_PLUGS_NOCANDIDATES,'</p>';\r
                        }\r
 \r
@@ -6108,7 +6034,7 @@ selector();
 \r
                // get number of currently installed plugins\r
                $res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
-               $numCurrent = mysql_num_rows($res);\r
+               $numCurrent = sql_num_rows($res);\r
 \r
                // plugin will be added as last one in the list\r
                $newOrder = $numCurrent + 1;\r
@@ -6121,9 +6047,9 @@ selector();
                );\r
 \r
                // do this before calling getPlugin (in case the plugin id is used there)\r
-               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.addslashes($name).'")';\r
+               $query = 'INSERT INTO '.sql_table('plugin').' (porder, pfile) VALUES ('.$newOrder.',"'.sql_real_escape_string($name).'")';\r
                sql_query($query);\r
-               $iPid = mysql_insert_id();\r
+               $iPid = sql_insert_id();\r
 \r
                $manager->clearCachedInfo('installedPlugins');\r
 \r
@@ -6163,7 +6089,7 @@ selector();
                {\r
 \r
                        $res = sql_query('SELECT * FROM '.sql_table('plugin') . ' WHERE pfile="' . $pluginName . '"');\r
-                       if (mysql_num_rows($res) == 0)\r
+                       if (sql_num_rows($res) == 0)\r
                        {\r
                                // uninstall plugin again...\r
                                $this->deleteOnePlugin($plugin->getID());\r
@@ -6200,14 +6126,14 @@ selector();
 \r
                // loop over all installed plugins\r
                $res = sql_query('SELECT pid, pfile FROM '.sql_table('plugin'));\r
-               while($o = mysql_fetch_object($res)) {\r
+               while($o = sql_fetch_object($res)) {\r
                        $pid = $o->pid;\r
                        $plug =& $manager->getPlugin($o->pfile);\r
                        if ($plug)\r
                        {\r
                                $eventList = $plug->getEventList();\r
                                foreach ($eventList as $eventName)\r
-                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.addslashes($eventName).'\')');\r
+                                       sql_query('INSERT INTO '.sql_table('plugin_event').' (pid, event) VALUES ('.$pid.', \''.sql_real_escape_string($eventName).'\')');\r
                        }\r
                }\r
 \r
@@ -6286,7 +6212,7 @@ selector();
 \r
                // check dependency before delete\r
                $res = sql_query('SELECT pfile FROM '.sql_table('plugin'));\r
-               while($o = mysql_fetch_object($res)) {\r
+               while($o = sql_fetch_object($res)) {\r
                        $plug =& $manager->getPlugin($o->pfile);\r
                        if ($plug)\r
                        {\r
@@ -6316,7 +6242,7 @@ selector();
                // get OIDs from plugin_option_desc\r
                $res = sql_query('SELECT oid FROM ' . sql_table('plugin_option_desc') . ' WHERE opid=' . $pid);\r
                $aOIDs = array();\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        array_push($aOIDs, $o->oid);\r
                }\r
 \r
@@ -6327,7 +6253,7 @@ selector();
 \r
                // update order numbers\r
                $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid=' . $pid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                sql_query('UPDATE '.sql_table('plugin').' SET porder=(porder - 1) WHERE porder>'.$o->porder);\r
 \r
                // delete row\r
@@ -6355,7 +6281,7 @@ selector();
 \r
                // 1. get old order number\r
                $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $oldOrder = $o->porder;\r
 \r
                // 2. calculate new order number\r
@@ -6385,11 +6311,11 @@ selector();
 \r
                // 1. get old order number\r
                $res = sql_query('SELECT porder FROM '.sql_table('plugin').' WHERE pid='.$plugid);\r
-               $o = mysql_fetch_object($res);\r
+               $o = sql_fetch_object($res);\r
                $oldOrder = $o->porder;\r
 \r
                $res = sql_query('SELECT * FROM '.sql_table('plugin'));\r
-               $maxOrder = mysql_num_rows($res);\r
+               $maxOrder = sql_num_rows($res);\r
 \r
                // 2. calculate new order number\r
                $newOrder = ($oldOrder < $maxOrder) ? ($oldOrder + 1) : $maxOrder;\r
@@ -6440,7 +6366,7 @@ selector();
                $aOIDs = array();\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ' WHERE ocontext=\'global\' and opid=' . $pid . ' ORDER BY oid ASC';\r
                $r = sql_query($query);\r
-               while ($o = mysql_fetch_object($r)) {\r
+               while ($o = sql_fetch_object($r)) {\r
                        array_push($aOIDs, $o->oid);\r
                        $aOptions[$o->oid] = array(\r
                                                'oid' => $o->oid,\r
@@ -6455,7 +6381,7 @@ selector();
                // fill out actual values\r
                if (count($aOIDs) > 0) {\r
                        $r = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE oid in ('.implode(',',$aOIDs).')');\r
-                       while ($o = mysql_fetch_object($r))\r
+                       while ($o = sql_fetch_object($r))\r
                                $aOptions[$o->oid]['value'] = $o->ovalue;\r
                }\r
 \r
@@ -6470,7 +6396,7 @@ selector();
                ?>\r
                        </div>\r
                        </form>\r
-               <?php           $this->pagefoot();\r
+               <?php      $this->pagefoot();\r
 \r
 \r
 \r
@@ -6506,16 +6432,16 @@ selector();
                // (note: this might contain doubles for overlapping contextids)\r
                $aIdToValue = array();\r
                $res = sql_query('SELECT oid, ovalue FROM ' . sql_table('plugin_option') . ' WHERE ocontextid=' . intval($contextid));\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        $aIdToValue[$o->oid] = $o->ovalue;\r
                }\r
 \r
                // get list of oids per pid\r
                $query = 'SELECT * FROM ' . sql_table('plugin_option_desc') . ',' . sql_table('plugin')\r
-                          . ' WHERE opid=pid and ocontext=\''.addslashes($context).'\' ORDER BY porder, oid ASC';\r
+                          . ' WHERE opid=pid and ocontext=\''.sql_real_escape_string($context).'\' ORDER BY porder, oid ASC';\r
                $res = sql_query($query);\r
                $aOptions = array();\r
-               while ($o = mysql_fetch_object($res)) {\r
+               while ($o = sql_fetch_object($res)) {\r
                        if (in_array($o->oid, array_keys($aIdToValue)))\r
                                $value = $aIdToValue[$o->oid];\r
                        else\r
@@ -6545,20 +6471,19 @@ selector();
                        // new plugin?\r
                        if ($iPrevPid != $aOption['pid']) {\r
                                $iPrevPid = $aOption['pid'];\r
-\r
-                               echo '<tr><th colspan="2">Options for ', htmlspecialchars($aOption['pfile']),'</th></tr>';\r
+                               if (!defined('_PLUGIN_OPTIONS_TITLE')) {\r
+                                       define('_PLUGIN_OPTIONS_TITLE', 'Options for %s');\r
+                               }\r
+                               echo '<tr><th colspan="2">'.sprintf(_PLUGIN_OPTIONS_TITLE, htmlspecialchars($aOption['pfile'], ENT_QUOTES)).'</th></tr>';\r
                        }\r
-\r
+                       \r
                        $meta = NucleusPlugin::getOptionMeta($aOption['typeinfo']);\r
                        if (@$meta['access'] != 'hidden') {\r
                                echo '<tr>';\r
                                listplug_plugOptionRow($aOption);\r
                                echo '</tr>';\r
                        }\r
-\r
                }\r
-\r
-\r
        }\r
 \r
        /**\r
@@ -6574,7 +6499,7 @@ selector();
 \r
                if ($name=="admin") {\r
                        echo '<input onclick="selectCanLogin(true);" type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
-               } else {\r
+               } else {\r
                        echo '<input type="radio" name="', htmlspecialchars($name),'" value="', htmlspecialchars($value1),'" ';\r
                }\r
 \r