Add some codes from 3.61. Currently files under /nucleus/libs and /nucleus/libs/sql...

[nucleus-jp/nucleus-jp-ancient.git] / utf8 / nucleus / libs / TEMPLATE.php

diff --git a/utf8/nucleus/libs/TEMPLATE.php b/utf8/nucleus/libs/TEMPLATE.php
index 084102f..624b4af 100755 (executable)
--- a/utf8/nucleus/libs/TEMPLATE.php
+++ b/utf8/nucleus/libs/TEMPLATE.php
@@ -2,7 +2,7 @@
 
 /*
  * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
- * Copyright (C) 2002-2006 The Nucleus Group
+ * Copyright (C) 2002-2010 The Nucleus Group
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
@@ -14,9 +14,9 @@
  * A class representing a template
  *
  * @license http://nucleuscms.org/license.txt GNU General Public License
- * @copyright Copyright (C) 2002-2006 The Nucleus Group
- * @version $Id: TEMPLATE.php,v 1.6 2006-07-20 08:01:52 kimitake Exp $
- * @version $NucleusJP: TEMPLATE.php,v 1.5 2006/07/12 07:11:47 kimitake Exp $
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group
+ * @version $Id$
+ * @version $NucleusJP: TEMPLATE.php,v 1.6 2006/07/20 08:01:52 kimitake Exp $
  */
 class TEMPLATE {
 
@@ -39,9 +39,9 @@ class TEMPLATE {
        function getIdFromName($name) {
                $query =  'SELECT tdnumber'
                           . ' FROM '.sql_table('template_desc')
-                          . ' WHERE tdname="'.addslashes($name).'"';
+                          . ' WHERE tdname="'.sql_real_escape_string($name).'"';
                $res = sql_query($query);
-               $obj = mysql_fetch_object($res);
+               $obj = sql_fetch_object($res);
                return $obj->tdnumber;
        }
 
@@ -50,8 +50,8 @@ class TEMPLATE {
         */
        function updateGeneralInfo($name, $desc) {
                $query =  'UPDATE '.sql_table('template_desc').' SET'
-                          . " tdname='" . addslashes($name) . "',"
-                          . " tddesc='" . addslashes($desc) . "'"
+                          . " tdname='" . sql_real_escape_string($name) . "',"
+                          . " tddesc='" . sql_real_escape_string($desc) . "'"
                           . " WHERE tdnumber=" . $this->getID();
                sql_query($query);
        }
@@ -63,11 +63,11 @@ class TEMPLATE {
                $id = $this->getID();
 
                // delete old thingie
-               sql_query('DELETE FROM '.sql_table('template')." WHERE tpartname='". addslashes($type) ."' and tdesc=" . intval($id));
+               sql_query('DELETE FROM '.sql_table('template')." WHERE tpartname='". sql_real_escape_string($type) ."' and tdesc=" . intval($id));
 
                // write new thingie
                if ($content) {
-                       sql_query('INSERT INTO '.sql_table('template')." SET tcontent='" . addslashes($content) . "', tpartname='" . addslashes($type) . "', tdesc=" . intval($id));
+                       sql_query('INSERT INTO '.sql_table('template')." SET tcontent='" . sql_real_escape_string($content) . "', tpartname='" . sql_real_escape_string($type) . "', tdesc=" . intval($id));
                }
        }
 
@@ -95,8 +95,8 @@ class TEMPLATE {
                        )
                );
 
-               sql_query('INSERT INTO '.sql_table('template_desc')." (tdname, tddesc) VALUES ('" . addslashes($name) . "','" . addslashes($desc) . "')");
-               $newId = mysql_insert_id();
+               sql_query('INSERT INTO '.sql_table('template_desc')." (tdname, tddesc) VALUES ('" . sql_real_escape_string($name) . "','" . sql_real_escape_string($desc) . "')");
+               $newId = sql_insert_id();
 
                $manager->notify(
                        'PostAddTemplate',
@@ -119,15 +119,23 @@ class TEMPLATE {
         * @param $name name of the template file
         */
        function read($name) {
+               global $manager;
+               $manager->notify(
+                       'PreTemplateRead',
+                       array(
+                               'template' => &$name
+                       )
+               );
+
                $query = 'SELECT tpartname, tcontent'
                           . ' FROM '.sql_table('template_desc').', '.sql_table('template')
-                          . ' WHERE tdesc=tdnumber and tdname="' . addslashes($name) . '"';
+                          . ' WHERE tdesc=tdnumber and tdname="' . sql_real_escape_string($name) . '"';
                $res = sql_query($query);
-               while ($obj = mysql_fetch_object($res))
+               while ($obj = sql_fetch_object($res))
                        $template[$obj->tpartname] = $obj->tcontent;
 
                // set locale according to template:
-               if ($template['LOCALE'])
+               if (isset($template['LOCALE']))
                        setlocale(LC_TIME,$template['LOCALE']);
                else
                        setlocale(LC_TIME,'');
@@ -160,15 +168,15 @@ class TEMPLATE {
        // returns true if there is a template with the given shortname
        // (static)
        function exists($name) {
-               $r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdname="'.addslashes($name).'"');
-               return (mysql_num_rows($r) != 0);
+               $r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdname="'.sql_real_escape_string($name).'"');
+               return (sql_num_rows($r) != 0);
        }
 
        // returns true if there is a template with the given ID
        // (static)
        function existsID($id) {
                $r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdnumber='.intval($id));
-               return (mysql_num_rows($r) != 0);
+               return (sql_num_rows($r) != 0);
        }
 
        // (static)
@@ -180,7 +188,7 @@ class TEMPLATE {
        function getDesc($id) {
                $query = 'SELECT tddesc FROM '.sql_table('template_desc').' WHERE tdnumber='. intval($id);
                $res = sql_query($query);
-               $obj = mysql_fetch_object($res);
+               $obj = sql_fetch_object($res);
                return $obj->tddesc;
        }
 
@@ -188,4 +196,4 @@ class TEMPLATE {
 
 }
 
-?>
+?>
\ No newline at end of file