/*
* Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
- * Copyright (C) 2002-2006 The Nucleus Group
+ * Copyright (C) 2002-2010 The Nucleus Group
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* A class representing a template
*
* @license http://nucleuscms.org/license.txt GNU General Public License
- * @copyright Copyright (C) 2002-2006 The Nucleus Group
- * @version $Id: TEMPLATE.php,v 1.6 2006-07-20 08:01:52 kimitake Exp $
- * @version $NucleusJP: TEMPLATE.php,v 1.5 2006/07/12 07:11:47 kimitake Exp $
+ * @copyright Copyright (C) 2002-2010 The Nucleus Group
+ * @version $Id$
+ * @version $NucleusJP: TEMPLATE.php,v 1.6 2006/07/20 08:01:52 kimitake Exp $
*/
class TEMPLATE {
function getIdFromName($name) {
$query = 'SELECT tdnumber'
. ' FROM '.sql_table('template_desc')
- . ' WHERE tdname="'.addslashes($name).'"';
+ . ' WHERE tdname="'.sql_real_escape_string($name).'"';
$res = sql_query($query);
- $obj = mysql_fetch_object($res);
+ $obj = sql_fetch_object($res);
return $obj->tdnumber;
}
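Review bot: The result of `sql_fetch_object($res)` on the new line 26 is used without checking for a false return, so when no template_desc row matches `$name` the next line reads `$obj->tdnumber` on false and the function returns null with a notice; a failed `sql_query` (false) is likewise passed straight into the fetch. Making the miss explicit before the return, e.g. `if (!$obj) return 0;` (whether callers expect 0 or false is not visible in this hunk), would keep a lookup failure from surfacing as a notice elsewhere. `getDesc` at the end of the file has the same unchecked `sql_fetch_object` followed by `$obj->tddesc`.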
*/
function updateGeneralInfo($name, $desc) {
$query = 'UPDATE '.sql_table('template_desc').' SET'
- . " tdname='" . addslashes($name) . "',"
- . " tddesc='" . addslashes($desc) . "'"
+ . " tdname='" . sql_real_escape_string($name) . "',"
+ . " tddesc='" . sql_real_escape_string($desc) . "'"
. " WHERE tdnumber=" . $this->getID();
sql_query($query);
}
$id = $this->getID();
// delete old thingie
- sql_query('DELETE FROM '.sql_table('template')." WHERE tpartname='". addslashes($type) ."' and tdesc=" . intval($id));
+ sql_query('DELETE FROM '.sql_table('template')." WHERE tpartname='". sql_real_escape_string($type) ."' and tdesc=" . intval($id));
// write new thingie
if ($content) {
- sql_query('INSERT INTO '.sql_table('template')." SET tcontent='" . addslashes($content) . "', tpartname='" . addslashes($type) . "', tdesc=" . intval($id));
+ sql_query('INSERT INTO '.sql_table('template')." SET tcontent='" . sql_real_escape_string($content) . "', tpartname='" . sql_real_escape_string($type) . "', tdesc=" . intval($id));
}
}
)
);
- sql_query('INSERT INTO '.sql_table('template_desc')." (tdname, tddesc) VALUES ('" . addslashes($name) . "','" . addslashes($desc) . "')");
- $newId = mysql_insert_id();
+ sql_query('INSERT INTO '.sql_table('template_desc')." (tdname, tddesc) VALUES ('" . sql_real_escape_string($name) . "','" . sql_real_escape_string($desc) . "')");
+ $newId = sql_insert_id();
$manager->notify(
'PostAddTemplate',
* @param $name name of the template file
*/
function read($name) {
+ global $manager;
+ $manager->notify(
+ 'PreTemplateRead',
+ array(
+ 'template' => &$name
+ )
+ );
+
$query = 'SELECT tpartname, tcontent'
. ' FROM '.sql_table('template_desc').', '.sql_table('template')
- . ' WHERE tdesc=tdnumber and tdname="' . addslashes($name) . '"';
+ . ' WHERE tdesc=tdnumber and tdname="' . sql_real_escape_string($name) . '"';
$res = sql_query($query);
- while ($obj = mysql_fetch_object($res))
+ while ($obj = sql_fetch_object($res))
$template[$obj->tpartname] = $obj->tcontent;
// set locale according to template:
- if ($template['LOCALE'])
+ if (isset($template['LOCALE']))
setlocale(LC_TIME,$template['LOCALE']);
else
setlocale(LC_TIME,'');
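Review bot: `$template` is never initialised before the while loop on lines 74-75, so when the query returns no rows — including the case where a `PreTemplateRead` subscriber rewrites `$name` (passed by reference on line 64) to a name that does not exist — the variable is undefined for the rest of read(); the `isset` change on line 78 only protects the LOCALE check, not whatever the function does with `$template` after the hunk. Adding `$template = array();` immediately before the while loop gives callers an empty array instead of null on a miss. The ordering of the new notify call before the escaped query build is correct, since any rewritten `$name` still passes through `sql_real_escape_string`. read()'s body continues past the end of this hunk.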
// returns true if there is a template with the given shortname
// (static)
function exists($name) {
- $r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdname="'.addslashes($name).'"');
- return (mysql_num_rows($r) != 0);
+ $r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdname="'.sql_real_escape_string($name).'"');
+ return (sql_num_rows($r) != 0);
}
// returns true if there is a template with the given ID
// (static)
function existsID($id) {
$r = sql_query('select * FROM '.sql_table('template_desc').' WHERE tdnumber='.intval($id));
- return (mysql_num_rows($r) != 0);
+ return (sql_num_rows($r) != 0);
}
// (static)
function getDesc($id) {
$query = 'SELECT tddesc FROM '.sql_table('template_desc').' WHERE tdnumber='. intval($id);
$res = sql_query($query);
- $obj = mysql_fetch_object($res);
+ $obj = sql_fetch_object($res);
return $obj->tddesc;
}
}
-?>
+?>
\ No newline at end of file