Revision 1486
Added by DarkViper over 13 years ago
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 12 | 12 |
|
| 13 | 13 |
=============================== FEATURES FREEZE ================================ |
| 14 | 14 |
----------------------------------- Fixes 2.8.2 -------------------------------- |
| 15 |
08 Aug-2011 Build 1486 Werner v.d.Decken(DarkViper) |
|
| 16 |
# database::field_modify() there was a bug to fix |
|
| 17 |
# all other files: fix SQL-statements to SQL-strict |
|
| 15 | 18 |
01 Aug-2011 Build 1485 Dietmar Woellbrink (Luisehahne) |
| 16 | 19 |
! rename config.php.bak to config.php.new |
| 17 | 20 |
# fixed rss.php SERVER_EMAIL |
| branches/2.8.x/wb/admin/interface/version.php | ||
|---|---|---|
| 52 | 52 |
|
| 53 | 53 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
| 54 | 54 |
if(!defined('VERSION')) define('VERSION', '2.8.2');
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1485');
|
|
| 55 |
if(!defined('REVISION')) define('REVISION', '1486');
|
|
| branches/2.8.x/wb/framework/class.admin.php | ||
|---|---|---|
| 57 | 57 |
} |
| 58 | 58 |
|
| 59 | 59 |
// Check if the backend language is also the selected language. If not, send headers again. |
| 60 |
$get_user_language = @$database->query("SELECT language FROM ".TABLE_PREFIX.
|
|
| 61 |
"users WHERE user_id = '" .(int) $this->get_user_id() ."'"); |
|
| 60 |
$sql = 'SELECT `language` FROM `'.TABLE_PREFIX.'users` '; |
|
| 61 |
$sql .= 'WHERE `user_id`='.(int)$this->get_user_id(); |
|
| 62 |
$get_user_language = @$database->query($sql); |
|
| 62 | 63 |
$user_language = ($get_user_language) ? $get_user_language->fetchRow() : ''; |
| 63 | 64 |
// prevent infinite loop if language file is not XX.php (e.g. DE_du.php) |
| 64 | 65 |
$user_language = substr($user_language[0],0,2); |
| ... | ... | |
| 94 | 95 |
global $database; |
| 95 | 96 |
// $GLOBALS['FTAN'] = $this->getFTAN(); |
| 96 | 97 |
$this->createFTAN(); |
| 97 |
$get_title = $database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name = 'website_title'");
|
|
| 98 |
$sql = 'SELECT `value` FROM `'.TABLE_PREFIX.'settings` WHERE `name`=\'website_title\''; |
|
| 99 |
$get_title = $database->query($sql); |
|
| 98 | 100 |
$title = $get_title->fetchRow(); |
| 99 | 101 |
$header_template = new Template(THEME_PATH.'/templates'); |
| 100 | 102 |
$header_template->set_file('page', 'header.htt');
|
| ... | ... | |
| 110 | 112 |
$view_url = WB_URL; |
| 111 | 113 |
if(isset($_GET['page_id'])) {
|
| 112 | 114 |
// extract page link from the database |
| 113 |
$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
|
|
| 115 |
$sql = 'SELECT `link` FROM `'.TABLE_PREFIX.'pages` '; |
|
| 116 |
$sql .= 'WHERE `page_id`='.intval($_GET['page_id']); |
|
| 117 |
$result = @$database->query($sql); |
|
| 114 | 118 |
$row = @$result->fetchRow(); |
| 115 | 119 |
if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION; |
| 116 | 120 |
} |
| ... | ... | |
| 247 | 251 |
$retval = array('username'=>'unknown','display_name'=>'Unknown','email'=>'');
|
| 248 | 252 |
$sql = 'SELECT `username`,`display_name`,`email` '; |
| 249 | 253 |
$sql .= 'FROM `'.TABLE_PREFIX.'users` '; |
| 250 |
$sql .= 'WHERE `user_id`='.(int)$user_id.' '; |
|
| 251 |
// $sql .= 'AND (`statusflags` & '.USERS_DELETED.') > 0'; |
|
| 254 |
$sql .= 'WHERE `user_id`='.(int)$user_id; |
|
| 252 | 255 |
if( ($resUsers = $database->query($sql)) ) {
|
| 253 | 256 |
if( ($recUser = $resUsers->fetchRow()) ) {
|
| 254 | 257 |
$retval = $recUser; |
| ... | ... | |
| 261 | 264 |
function get_section_details( $section_id, $backLink = 'index.php' ) {
|
| 262 | 265 |
global $database, $TEXT; |
| 263 | 266 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'sections` '; |
| 264 |
$sql .= 'WHERE `section_id`='.intval($section_id).' LIMIT 1';
|
|
| 267 |
$sql .= 'WHERE `section_id`='.intval($section_id); |
|
| 265 | 268 |
if(($resSection = $database->query($sql))){
|
| 266 | 269 |
if(!($recSection = $resSection->fetchRow())) {
|
| 267 | 270 |
$this->print_header(); |
| ... | ... | |
| 275 | 278 |
} |
| 276 | 279 |
|
| 277 | 280 |
function get_page_details( $page_id, $backLink = 'index.php' ) {
|
| 278 |
global $database, $TEXT; |
|
| 279 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` '; |
|
| 280 |
$sql .= 'WHERE `page_id`='.(int)$page_id.' LIMIT 1'; |
|
| 281 |
if(($resPages = $database->query($sql))){
|
|
| 282 |
if(!($recPage = $resPages->fetchRow())) {
|
|
| 283 |
$this->print_header(); |
|
| 284 |
$this->print_error($TEXT['PAGE'].' '.$TEXT['NOT_FOUND'], $backLink, true); |
|
| 285 |
} |
|
| 286 |
} else {
|
|
| 287 |
$this->print_header(); |
|
| 288 |
$this->print_error($database->get_error(), $backLink, true); |
|
| 289 |
} |
|
| 290 |
return $recPage; |
|
| 291 |
} |
|
| 292 |
|
|
| 293 |
/** Function get_page_permission takes either a numerical page_id, |
|
| 294 |
* upon which it looks up the permissions in the database, |
|
| 295 |
* or an array with keys admin_groups and admin_users |
|
| 296 |
*/ |
|
| 297 |
/* |
|
| 298 |
function get_page_permission($page,$action='admin') {
|
|
| 299 |
if ($action!='viewing') $action='admin'; |
|
| 300 |
$action_groups=$action.'_groups'; |
|
| 301 |
$action_users=$action.'_users'; |
|
| 302 |
if (is_array($page)) {
|
|
| 303 |
$groups=$page[$action_groups]; |
|
| 304 |
$users=$page[$action_users]; |
|
| 281 |
global $database, $TEXT; |
|
| 282 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` '; |
|
| 283 |
$sql .= 'WHERE `page_id`='.intval($page_id); |
|
| 284 |
if(($resPages = $database->query($sql))){
|
|
| 285 |
if(!($recPage = $resPages->fetchRow())) {
|
|
| 286 |
$this->print_header(); |
|
| 287 |
$this->print_error($TEXT['PAGE'].' '.$TEXT['NOT_FOUND'], $backLink, true); |
|
| 288 |
} |
|
| 305 | 289 |
} else {
|
| 306 |
global $database; |
|
| 307 |
$results = $database->query("SELECT $action_groups,$action_users FROM ".TABLE_PREFIX."pages WHERE page_id = '$page'");
|
|
| 308 |
$result = $results->fetchRow(); |
|
| 309 |
$groups = explode(',', str_replace('_', '', $result[$action_groups]));
|
|
| 310 |
$users = explode(',', str_replace('_', '', $result[$action_users]));
|
|
| 290 |
$this->print_header(); |
|
| 291 |
$this->print_error($database->get_error(), $backLink, true); |
|
| 311 | 292 |
} |
| 312 |
|
|
| 313 |
$in_group = FALSE; |
|
| 314 |
foreach($this->get_groups_id() as $cur_gid){
|
|
| 315 |
if (in_array($cur_gid, $groups)) {
|
|
| 316 |
$in_group = TRUE; |
|
| 317 |
} |
|
| 318 |
} |
|
| 319 |
if((!$in_group) AND !is_numeric(array_search($this->get_user_id(), $users))) {
|
|
| 320 |
return false; |
|
| 321 |
} |
|
| 322 |
return true; |
|
| 293 |
return $recPage; |
|
| 323 | 294 |
} |
| 324 |
*/ |
|
| 325 | 295 |
|
| 326 | 296 |
function get_page_permission($page,$action='admin') {
|
| 327 | 297 |
if($action != 'viewing') { $action = 'admin'; }
|
| ... | ... | |
| 386 | 356 |
if(isset($_GET['tool'])) |
| 387 | 357 |
{
|
| 388 | 358 |
// check if displayed page contains a installed admin tool |
| 389 |
$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons
|
|
| 390 |
WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'"); |
|
| 359 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'addons` '; |
|
| 360 |
$sql .= 'WHERE `type`=\'module\' AND `function`=\'tool\' AND `directory`=\''.addslashes($_GET['tool']).'\''; |
|
| 361 |
$result = $database->query($sql); |
|
| 391 | 362 |
if($result->numRows()) |
| 392 | 363 |
{
|
| 393 | 364 |
// check if admin tool directory contains a backend_body.js file to include |
| ... | ... | |
| 408 | 379 |
$page_id = (int) addslashes($_POST['page_id']); |
| 409 | 380 |
} |
| 410 | 381 |
// gather information for all models embedded on actual page |
| 411 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
|
|
| 412 |
WHERE page_id=$page_id");
|
|
| 382 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` WHERE `page_id`='.(int)$page_id;
|
|
| 383 |
$query_modules = $database->query($sql);
|
|
| 413 | 384 |
while($row = $query_modules->fetchRow()) {
|
| 414 | 385 |
// check if page module directory contains a backend_body.js file |
| 415 | 386 |
if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) {
|
| ... | ... | |
| 450 | 421 |
// check if backend.js or backend.css files needs to be included to the <head></head> section of the backend |
| 451 | 422 |
if(isset($_GET['tool'])) {
|
| 452 | 423 |
// check if displayed page contains a installed admin tool |
| 453 |
$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons
|
|
| 454 |
WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
|
|
| 455 |
|
|
| 424 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'addons` ';
|
|
| 425 |
$sql .= 'WHERE `type`=\'module\' AND `function`=\'tool\' AND `directory`=\''.addslashes($_GET['tool']).'\'';
|
|
| 426 |
$result = $database->query($sql); |
|
| 456 | 427 |
if($result->numRows()) {
|
| 457 | 428 |
// check if admin tool directory contains a backend.js or backend.css file to include |
| 458 | 429 |
$tool = $result->fetchRow(); |
| ... | ... | |
| 470 | 441 |
} |
| 471 | 442 |
|
| 472 | 443 |
// gather information for all models embedded on actual page |
| 473 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
|
|
| 474 |
WHERE page_id=$page_id");
|
|
| 444 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` WHERE `page_id`='.(int)$page_id;
|
|
| 445 |
$query_modules = $database->query($sql);
|
|
| 475 | 446 |
|
| 476 | 447 |
while($row = $query_modules->fetchRow()) {
|
| 477 | 448 |
// check if page module directory contains a backend.js or backend.css file |
| branches/2.8.x/wb/framework/class.database.php | ||
|---|---|---|
| 214 | 214 |
public function field_modify($table_name, $field_name, $description) |
| 215 | 215 |
{
|
| 216 | 216 |
$retval = false; |
| 217 |
if( $this->field_exists($field_name, $table_name) )
|
|
| 217 |
if( $this->field_exists($table_name, $field_name) )
|
|
| 218 | 218 |
{ // modify a existing field in a table
|
| 219 |
$sql = 'ALTER TABLE `'.$table_name.'` DROP `'.$field_name.'`'; |
|
| 219 |
$sql = 'ALTER TABLE `'.$table_name.'` MODIFY `'.$field_name.'` '.$description; |
|
| 220 |
$retval = ( $this->query($sql) ? true : false); |
|
| 221 |
$this->set_error(mysql_error()); |
|
| 220 | 222 |
} |
| 223 |
return $retval; |
|
| 221 | 224 |
} |
| 222 | 225 |
|
| 223 | 226 |
/* |
| 224 | 227 | |
| branches/2.8.x/wb/framework/class.login.php | ||
|---|---|---|
| 74 | 74 |
// User has been "remembered" |
| 75 | 75 |
// Get the users password |
| 76 | 76 |
// $database = new database(); |
| 77 |
$query_details = $database->query("SELECT * FROM ".$this->users_table." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
|
|
| 77 |
$sql = 'SELECT * FROM `'.$this->users_table.'` '; |
|
| 78 |
$sql .= 'WHERE `user_id`=\''.$this->get_safe_remember_key().'\''; |
|
| 79 |
$query_details = $database->query($sql); |
|
| 78 | 80 |
$fetch_details = $query_details->fetchRow(); |
| 79 | 81 |
$this->username = $fetch_details['username']; |
| 80 | 82 |
$this->password = $fetch_details['password']; |
| ... | ... | |
| 130 | 132 |
// $database = new database(); |
| 131 | 133 |
// $query = 'SELECT * FROM `'.$this->users_table.'` WHERE MD5(`username`) = "'.md5($this->username).'" AND `password` = "'.$this->password.'" AND `active` = 1'; |
| 132 | 134 |
$loginname = ( preg_match('/[\;\=\&\|\<\> ]/',$this->username) ? '' : $this->username );
|
| 133 |
$query = 'SELECT * FROM `'.$this->users_table.'` WHERE `username` = "'.$loginname.'" AND `password` = "'.$this->password.'" AND `active` = 1'; |
|
| 134 |
$results = $database->query($query); |
|
| 135 |
$sql = 'SELECT * FROM `'.$this->users_table.'` '; |
|
| 136 |
$sql .= 'WHERE `username`=\''.$loginname.'\' AND `password`=\''.$this->password.'\' AND `active`=1'; |
|
| 137 |
$results = $database->query($sql); |
|
| 135 | 138 |
$results_array = $results->fetchRow(); |
| 136 | 139 |
$num_rows = $results->numRows(); |
| 137 | 140 |
if($num_rows == 1) {
|
| ... | ... | |
| 183 | 186 |
$first_group = true; |
| 184 | 187 |
foreach (explode(",", $this->get_session('GROUPS_ID')) as $cur_group_id)
|
| 185 | 188 |
{
|
| 186 |
$query = "SELECT * FROM ".$this->groups_table." WHERE group_id = '".$cur_group_id."'";
|
|
| 187 |
$results = $database->query($query);
|
|
| 189 |
$sql = 'SELECT * FROM `'.$this->groups_table.'` WHERE `group_id`=\''.$cur_group_id.'\'';
|
|
| 190 |
$results = $database->query($sql);
|
|
| 188 | 191 |
$results_array = $results->fetchRow(); |
| 189 | 192 |
$_SESSION['GROUP_NAME'][$cur_group_id] = $results_array['name']; |
| 190 | 193 |
// Set system permissions |
| ... | ... | |
| 213 | 216 |
// Update the users table with current ip and timestamp |
| 214 | 217 |
$get_ts = time(); |
| 215 | 218 |
$get_ip = $_SERVER['REMOTE_ADDR']; |
| 216 |
$query = "UPDATE ".$this->users_table." SET login_when = '$get_ts', login_ip = '$get_ip' WHERE user_id = '$user_id'"; |
|
| 217 |
$database->query($query); |
|
| 219 |
$sql = 'UPDATE `'.$this->users_table.'` '; |
|
| 220 |
$sql .= 'SET `login_when`=\''.$get_ts.'\', `login_ip`=\''.$get_ip.'\' '; |
|
| 221 |
$sql .= 'WHERE `user_id`=\''.$user_id.'\''; |
|
| 222 |
$database->query($sql); |
|
| 218 | 223 |
}else {
|
| 219 | 224 |
$num_rows = 0; |
| 220 | 225 |
} |
| branches/2.8.x/wb/framework/class.frontend.php | ||
|---|---|---|
| 69 | 69 |
} |
| 70 | 70 |
// Check if we should add page language sql code |
| 71 | 71 |
if(PAGE_LANGUAGES) {
|
| 72 |
$this->sql_where_language = " AND language = '".LANGUAGE."'";
|
|
| 72 |
$this->sql_where_language = ' AND `language`=\''.LANGUAGE.'\'';
|
|
| 73 | 73 |
} |
| 74 | 74 |
// Get default page |
| 75 | 75 |
// Check for a page id |
| 76 | 76 |
$table_p = TABLE_PREFIX.'pages'; |
| 77 | 77 |
$table_s = TABLE_PREFIX.'sections'; |
| 78 | 78 |
$now = time(); |
| 79 |
$query_default = " |
|
| 80 |
SELECT `p`.`page_id`, `link` |
|
| 81 |
FROM `$table_p` AS `p` INNER JOIN `$table_s` USING(`page_id`) |
|
| 82 |
WHERE `parent` = '0' AND `visibility` = 'public' |
|
| 83 |
AND (($now>=`publ_start` OR `publ_start`=0) AND ($now<=`publ_end` OR `publ_end`=0)) |
|
| 84 |
$this->sql_where_language |
|
| 85 |
ORDER BY `p`.`position` ASC LIMIT 1"; |
|
| 86 |
$get_default = $database->query($query_default); |
|
| 79 |
$sql = 'SELECT `p`.`page_id`, `link` '; |
|
| 80 |
$sql .= 'FROM `'.$table_p.'` AS `p` INNER JOIN `'.$table_s.'` USING(`page_id`) '; |
|
| 81 |
$sql .= 'WHERE `parent`=0 AND `visibility`=\'public\' '; |
|
| 82 |
$sql .= 'AND (('.$now.'>=`publ_start` OR `publ_start`=0) ';
|
|
| 83 |
$sql .= 'AND ('.$now.'<=`publ_end` OR `publ_end`=0)) ';
|
|
| 84 |
if(trim($this->sql_where_language) != '') {
|
|
| 85 |
$sql .= trim($this->sql_where_language).' '; |
|
| 86 |
} |
|
| 87 |
$sql .= 'ORDER BY `p`.`position` ASC'; |
|
| 88 |
$get_default = $database->query($sql); |
|
| 87 | 89 |
$default_num_rows = $get_default->numRows(); |
| 88 | 90 |
if(!isset($page_id) OR !is_numeric($page_id)){
|
| 89 | 91 |
// Go to or show default page |
| ... | ... | |
| 121 | 123 |
global $database; |
| 122 | 124 |
if($this->page_id != 0) {
|
| 123 | 125 |
// Query page details |
| 124 |
$query_page = "SELECT * FROM ".TABLE_PREFIX."pages WHERE page_id = '{$this->page_id}'";
|
|
| 125 |
$get_page = $database->query($query_page);
|
|
| 126 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` WHERE `page_id`='.(int)$this->page_id;
|
|
| 127 |
$get_page = $database->query($sql);
|
|
| 126 | 128 |
// Make sure page was found in database |
| 127 | 129 |
if($get_page->numRows() == 0) {
|
| 128 | 130 |
// Print page not found message |
| ... | ... | |
| 231 | 233 |
|
| 232 | 234 |
// set visibility SQL code |
| 233 | 235 |
// never show no-vis, hidden or deleted pages |
| 234 |
$this->extra_where_sql = "visibility != 'none' AND visibility != 'hidden' AND visibility != 'deleted'";
|
|
| 236 |
$this->extra_where_sql = '`visibility`!=\'none\' AND `visibility`!=\'hidden\' AND `visibility`!=\'deleted\'';
|
|
| 235 | 237 |
// Set extra private sql code |
| 236 | 238 |
if($this->is_authenticated()==false) {
|
| 237 | 239 |
// if user is not authenticated, don't show private pages either |
| 238 |
$this->extra_where_sql .= " AND visibility != 'private'";
|
|
| 240 |
$this->extra_where_sql .= ' AND `visibility`!=\'private\'';
|
|
| 239 | 241 |
// and 'registered' without frontend login doesn't make much sense! |
| 240 | 242 |
if (FRONTEND_LOGIN==false) {
|
| 241 |
$this->extra_where_sql .= " AND visibility != 'registered'";
|
|
| 243 |
$this->extra_where_sql .= ' AND `visibility`!=\'registered\'';
|
|
| 242 | 244 |
} |
| 243 | 245 |
} |
| 244 | 246 |
$this->extra_where_sql .= $this->sql_where_language; |
| ... | ... | |
| 370 | 372 |
return; |
| 371 | 373 |
// Check if we should add menu number check to query |
| 372 | 374 |
if($this->menu_parent == 0) {
|
| 373 |
$menu_number = "menu = '$this->menu_number'";
|
|
| 375 |
$menu_number = '`menu`='.intval($this->menu_number);
|
|
| 374 | 376 |
} else {
|
| 375 | 377 |
$menu_number = '1'; |
| 376 | 378 |
} |
| 377 | 379 |
// Query pages |
| 378 |
$query_menu = $database->query("SELECT page_id,menu_title,page_title,link,target,level,visibility,viewing_groups,viewing_users FROM ".TABLE_PREFIX."pages WHERE parent = '$this->menu_parent' AND $menu_number AND $this->extra_where_sql ORDER BY position ASC");
|
|
| 380 |
$sql = 'SELECT `page_id`,`menu_title`,`page_title`,`link`,`target`,`level`,'; |
|
| 381 |
$sql .= '`visibility`,viewing_groups,viewing_users '; |
|
| 382 |
$sql .= 'FROM `'.TABLE_PREFIX.'pages` '; |
|
| 383 |
$sql .= 'WHERE `parent`='.(int)$this->menu_parent.' AND '.$menu_number.' AND '.$this->extra_where_sql.' '; |
|
| 384 |
$sql .= 'ORDER BY `position` ASC'; |
|
| 385 |
$query_menu = $database->query($sql); |
|
| 379 | 386 |
// Check if there are any pages to show |
| 380 | 387 |
if($query_menu->numRows() > 0) {
|
| 381 | 388 |
// Print menu header |
Also available in: Unified diff
database::field_modify() there was a bug to fix
all other files: fixed SQL-statements to SQL-strict