Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1485)
+++ branches/2.8.x/CHANGELOG	(revision 1486)
@@ -12,6 +12,9 @@
 
 =============================== FEATURES FREEZE ================================
 ----------------------------------- Fixes 2.8.2 --------------------------------
+08 Aug-2011 Build 1486 Werner v.d.Decken(DarkViper)
+# database::field_modify() there was a bug to fix
+# all other files: fix SQL-statements to SQL-strict
 01 Aug-2011 Build 1485 Dietmar Woellbrink (Luisehahne)
 ! rename config.php.bak to config.php.new
 # fixed rss.php SERVER_EMAIL
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1485)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1486)
@@ -52,4 +52,4 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2');
-if(!defined('REVISION')) define('REVISION', '1485');
+if(!defined('REVISION')) define('REVISION', '1486');
Index: branches/2.8.x/wb/framework/class.admin.php
===================================================================
--- branches/2.8.x/wb/framework/class.admin.php	(revision 1485)
+++ branches/2.8.x/wb/framework/class.admin.php	(revision 1486)
@@ -57,8 +57,9 @@
 		}
 
 		// Check if the backend language is also the selected language. If not, send headers again.
-		$get_user_language = @$database->query("SELECT language FROM ".TABLE_PREFIX.
-			"users WHERE user_id = '" .(int) $this->get_user_id() ."'");
+		$sql  = 'SELECT `language` FROM `'.TABLE_PREFIX.'users` ';
+		$sql .= 'WHERE `user_id`='.(int)$this->get_user_id();
+		$get_user_language = @$database->query($sql);
 		$user_language = ($get_user_language) ? $get_user_language->fetchRow() : '';
 		// prevent infinite loop if language file is not XX.php (e.g. DE_du.php)
 		$user_language = substr($user_language[0],0,2);
@@ -94,7 +95,8 @@
 		global $database;
 		// $GLOBALS['FTAN'] = $this->getFTAN();
 		$this->createFTAN();
-		$get_title = $database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name = 'website_title'");
+		$sql = 'SELECT `value` FROM `'.TABLE_PREFIX.'settings` WHERE `name`=\'website_title\'';
+		$get_title = $database->query($sql);
 		$title = $get_title->fetchRow();
 		$header_template = new Template(THEME_PATH.'/templates');
 		$header_template->set_file('page', 'header.htt');
@@ -110,7 +112,9 @@
 		$view_url = WB_URL;
 		if(isset($_GET['page_id'])) {
 			// extract page link from the database
-			$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
+			$sql  = 'SELECT `link` FROM `'.TABLE_PREFIX.'pages` ';
+			$sql .= 'WHERE `page_id`='.intval($_GET['page_id']);
+			$result = @$database->query($sql);
 			$row = @$result->fetchRow();
 			if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION;
 		}
@@ -247,8 +251,7 @@
   $retval = array('username'=>'unknown','display_name'=>'Unknown','email'=>'');
   $sql  = 'SELECT `username`,`display_name`,`email` ';
   $sql .= 'FROM `'.TABLE_PREFIX.'users` ';
-  $sql .= 'WHERE `user_id`='.(int)$user_id.' ';
-  // $sql .= 'AND (`statusflags` & '.USERS_DELETED.') > 0';
+  $sql .= 'WHERE `user_id`='.(int)$user_id;
   if( ($resUsers = $database->query($sql)) ) {
    if( ($recUser = $resUsers->fetchRow()) ) {
     $retval = $recUser;
@@ -261,7 +264,7 @@
 	function get_section_details( $section_id, $backLink = 'index.php' ) {
 	global $database, $TEXT;
 		$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'sections` ';
-		$sql .= 'WHERE `section_id`='.intval($section_id).' LIMIT 1';
+		$sql .= 'WHERE `section_id`='.intval($section_id);
 		if(($resSection = $database->query($sql))){
 			if(!($recSection = $resSection->fetchRow())) {
 				$this->print_header();
@@ -275,53 +278,20 @@
 	}
 
 	function get_page_details( $page_id, $backLink = 'index.php' ) {
-	  global $database, $TEXT;
-	  $sql  = 'SELECT * FROM `'.TABLE_PREFIX.'pages` ';
-	  $sql .= 'WHERE `page_id`='.(int)$page_id.' LIMIT 1';
-	  if(($resPages = $database->query($sql))){
-	   if(!($recPage = $resPages->fetchRow())) {
-	    $this->print_header();
-	    $this->print_error($TEXT['PAGE'].' '.$TEXT['NOT_FOUND'], $backLink, true);
-	   }
-	  } else {
-	   $this->print_header();
-	   $this->print_error($database->get_error(), $backLink, true);
-	  }
-	  return $recPage;
-	 }
-
-	/** Function get_page_permission takes either a numerical page_id,
-	 * upon which it looks up the permissions in the database,
-	 * or an array with keys admin_groups and admin_users
-	 */
-/*
-	function get_page_permission($page,$action='admin') {
-		if ($action!='viewing') $action='admin';
-		$action_groups=$action.'_groups';
-		$action_users=$action.'_users';
-		if (is_array($page)) {
-				$groups=$page[$action_groups];
-				$users=$page[$action_users];
+		global $database, $TEXT;
+		$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'pages` ';
+		$sql .= 'WHERE `page_id`='.intval($page_id);
+		if(($resPages = $database->query($sql))){
+			if(!($recPage = $resPages->fetchRow())) {
+			$this->print_header();
+			$this->print_error($TEXT['PAGE'].' '.$TEXT['NOT_FOUND'], $backLink, true);
+			}
 		} else {
-			global $database;
-			$results = $database->query("SELECT $action_groups,$action_users FROM ".TABLE_PREFIX."pages WHERE page_id = '$page'");
-			$result = $results->fetchRow();
-			$groups = explode(',', str_replace('_', '', $result[$action_groups]));
-			$users = explode(',', str_replace('_', '', $result[$action_users]));
+			$this->print_header();
+			$this->print_error($database->get_error(), $backLink, true);
 		}
-
-		$in_group = FALSE;
-		foreach($this->get_groups_id() as $cur_gid){
-		    if (in_array($cur_gid, $groups)) {
-		        $in_group = TRUE;
-		    }
-		}
-		if((!$in_group) AND !is_numeric(array_search($this->get_user_id(), $users))) {
-			return false;
-		}
-		return true;
+		return $recPage;
 	}
-*/
 
 	function get_page_permission($page,$action='admin') {
 		if($action != 'viewing') { $action = 'admin'; }
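Review bot: The rewritten get_page_details() returns `$recPage` on every path, but the variable is only assigned inside the `if(($resPages = ...))` branch, so on a failed query or an empty result the return depends entirely on `print_error(..., true)` never returning; initialise it up front with `$recPage = false;` before the query so a caller that survives the error path gets a defined value. A short docblock would also help here, e.g. `/** Fetch one row of the pages table by id; prints an error page and (presumably) exits via print_error() when the page is missing or the query fails. */`. Removing the commented-out legacy get_page_permission() is a welcome cleanup. The live get_page_permission() that follows continues outside this hunk.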
@@ -386,8 +356,9 @@
 		if(isset($_GET['tool']))
 			{
 			// check if displayed page contains a installed admin tool
-			$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons
-				WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
+			$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'addons` ';
+			$sql .= 'WHERE `type`=\'module\' AND `function`=\'tool\' AND `directory`=\''.addslashes($_GET['tool']).'\'';
+			$result = $database->query($sql);
 			if($result->numRows())
 				{
 				// check if admin tool directory contains a backend_body.js file to include
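Review bot: The rebuilt `directory=` clause still relies on addslashes() for `$_GET['tool']`, which is not charset-aware and is not what the MySQL driver expects; with a multibyte connection charset a crafted value can still close the quoted string. The wrapper is built on the mysql extension (class.database.php calls mysql_error()), so escape with the driver or, better, whitelist the value since it names an add-on directory: `if(!preg_match('/^[A-Za-z0-9_\-]+$/', $_GET['tool'])) { return; }` before building `$sql`, or `'... AND `directory`=\''.mysql_real_escape_string($_GET['tool']).'\''`. The `$result->numRows()` call on the next line also assumes query() returned an object; if it returns false on error this is a fatal. The enclosing method starts outside this hunk.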
@@ -408,8 +379,8 @@
 				$page_id = (int) addslashes($_POST['page_id']);
 			}
 			// gather information for all models embedded on actual page
-			$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
-				WHERE page_id=$page_id");
+			$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` WHERE `page_id`='.(int)$page_id;
+			$query_modules = $database->query($sql);
 			while($row = $query_modules->fetchRow()) {
 				// check if page module directory contains a backend_body.js file
 				if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file")) {
@@ -450,9 +421,9 @@
 		// check if backend.js or backend.css files needs to be included to the <head></head> section of the backend
 		if(isset($_GET['tool'])) {
 			// check if displayed page contains a installed admin tool
-			$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons
-				WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
-
+			$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'addons` ';
+			$sql .= 'WHERE `type`=\'module\' AND `function`=\'tool\' AND `directory`=\''.addslashes($_GET['tool']).'\'';
+			$result = $database->query($sql);
 			if($result->numRows()) {
 				// check if admin tool directory contains a backend.js or backend.css file to include
 				$tool = $result->fetchRow();
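Review bot: Same point as the backend_body lookup above: `addslashes($_GET['tool'])` is the only protection on this `directory=` clause, and the two hunks build byte-identical SQL. Factor the lookup into one private helper that validates the name once, e.g. `private function get_tool_addon($dir) { if(!preg_match('/^[A-Za-z0-9_\-]+$/', $dir)) return false; ... }`, so the whitelist cannot drift between the two call sites. The fetched `$tool` row is presumably used to build a filesystem path on the following lines, which is another reason to keep the value restricted to a plain directory name. The enclosing method starts outside this hunk.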
@@ -470,8 +441,8 @@
 			}
 
     		// gather information for all models embedded on actual page
-			$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
-				WHERE page_id=$page_id");
+			$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` WHERE `page_id`='.(int)$page_id;
+			$query_modules = $database->query($sql);
 
     		while($row = $query_modules->fetchRow()) {
 				// check if page module directory contains a backend.js or backend.css file
Index: branches/2.8.x/wb/framework/class.database.php
===================================================================
--- branches/2.8.x/wb/framework/class.database.php	(revision 1485)
+++ branches/2.8.x/wb/framework/class.database.php	(revision 1486)
@@ -214,10 +214,13 @@
 	public function field_modify($table_name, $field_name, $description)
 	{
 		$retval = false;
-		if( $this->field_exists($field_name, $table_name) )
+		if( $this->field_exists($table_name, $field_name) )
 		{ // modify a existing field in a table
-			$sql  = 'ALTER TABLE `'.$table_name.'` DROP `'.$field_name.'`';
+			$sql  = 'ALTER TABLE `'.$table_name.'` MODIFY `'.$field_name.'` '.$description;
+			$retval = ( $this->query($sql) ? true : false);
+			$this->set_error(mysql_error());
 		}
+		return $retval;
 	}
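Review bot: The identifiers in the new MODIFY statement are wrapped in backticks but `$table_name` and `$field_name` are not escaped, so a name containing a backtick breaks out of the quoting; `$description` is raw DDL by design and has to stay caller-trusted. If the API can be reached with non-constant names, escape them: `$sql = 'ALTER TABLE `'.str_replace('`','``',$table_name).'` MODIFY `'.str_replace('`','``',$field_name).'` '.$description;`. A docblock stating that `$description` is an unescaped column definition (type, NULL/NOT NULL, DEFAULT) and that false is returned both on failure and when the field does not exist would make that contract explicit. `set_error(mysql_error())` is called unconditionally, which presumably clears the stored error after a successful query; a one-line comment would confirm that is intended.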
 
 /*

Property changes on: branches/2.8.x/wb/framework/class.database.php
___________________________________________________________________
Modified: svn:keywords
## -1 +1,4 ##
-Date Revision Id HeadURL
\ No newline at end of property
+Id
+Revision
+HeadURL
+Date
\ No newline at end of property
Index: branches/2.8.x/wb/framework/class.login.php
===================================================================
--- branches/2.8.x/wb/framework/class.login.php	(revision 1485)
+++ branches/2.8.x/wb/framework/class.login.php	(revision 1486)
@@ -74,7 +74,9 @@
 			// User has been "remembered"
 			// Get the users password
 			// $database = new database();
-			$query_details = $database->query("SELECT * FROM ".$this->users_table." WHERE user_id = '".$this->get_safe_remember_key()."' LIMIT 1");
+			$sql  = 'SELECT * FROM `'.$this->users_table.'` ';
+			$sql .= 'WHERE `user_id`=\''.$this->get_safe_remember_key().'\'';
+			$query_details = $database->query($sql);
 			$fetch_details = $query_details->fetchRow();
 			$this->username = $fetch_details['username'];
 			$this->password = $fetch_details['password'];
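Review bot: The remember-me lookup still quotes `get_safe_remember_key()` as a string although it is compared with `user_id`, which the rest of this commit emits as a bare integer (`(int)$this->get_user_id()` in class.admin.php); `$sql .= 'WHERE `user_id`='.(int)$this->get_safe_remember_key();` follows the new convention and stops depending on whatever sanitising that helper performs. The dropped `LIMIT 1` is harmless if user_id is unique. `fetchRow()` returning false for an unknown id still flows unchecked into `$fetch_details['username']`; that is pre-existing but cheap to guard with `if(!$fetch_details) { return; }` here. The enclosing method begins outside the hunk.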
@@ -130,8 +132,9 @@
 		// $database = new database();
 		// $query = 'SELECT * FROM `'.$this->users_table.'` WHERE MD5(`username`) = "'.md5($this->username).'" AND `password` = "'.$this->password.'" AND `active` = 1';
  		$loginname = ( preg_match('/[\;\=\&\|\<\> ]/',$this->username) ? '' : $this->username );
-		$query = 'SELECT * FROM `'.$this->users_table.'` WHERE `username` = "'.$loginname.'" AND `password` = "'.$this->password.'" AND `active` = 1';
-		$results = $database->query($query);
+		$sql  = 'SELECT * FROM `'.$this->users_table.'` ';
+		$sql .= 'WHERE `username`=\''.$loginname.'\' AND `password`=\''.$this->password.'\' AND `active`=1';
+		$results = $database->query($sql);
 		$results_array = $results->fetchRow();
 		$num_rows = $results->numRows();
 		if($num_rows == 1) {
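Review bot: The rewritten login query interpolates `$loginname` unescaped; the preg_match on the line above only blanks names containing `; = & | < >` or a space, so a single quote or backslash in a submitted username reaches the SQL string as typed. Escape with the driver rather than a blacklist (the wrapper is built on the mysql extension, see class.database.php): `$sql .= 'WHERE `username`=\''.mysql_real_escape_string($loginname).'\' AND `password`=\''.mysql_real_escape_string($this->password).'\' AND `active`=1';`. How `$this->password` is derived is not visible in this hunk; if it is already a hex digest the escape is a no-op, but it costs nothing. The method starts before the hunk.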
@@ -183,8 +186,8 @@
 			$first_group = true;
 			foreach (explode(",", $this->get_session('GROUPS_ID')) as $cur_group_id)
             {
-				$query = "SELECT * FROM ".$this->groups_table." WHERE group_id = '".$cur_group_id."'";
-				$results = $database->query($query);
+				$sql = 'SELECT * FROM `'.$this->groups_table.'` WHERE `group_id`=\''.$cur_group_id.'\'';
+				$results = $database->query($sql);
 				$results_array = $results->fetchRow();
 				$_SESSION['GROUP_NAME'][$cur_group_id] = $results_array['name'];
 				// Set system permissions
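Review bot: `$cur_group_id` comes from exploding the session's GROUPS_ID string and is quoted as a string in the new `group_id=` clause, while every other id in this commit is emitted as a bare integer; `$sql = 'SELECT * FROM `'.$this->groups_table.'` WHERE `group_id`='.(int)$cur_group_id;` keeps the convention and removes the last unescaped interpolation in this loop. The session value is server-side, so this is consistency rather than an open injection. The loop body continues past the hunk.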
@@ -213,8 +216,10 @@
 			// Update the users table with current ip and timestamp
 			$get_ts = time();
 			$get_ip = $_SERVER['REMOTE_ADDR'];
-			$query = "UPDATE ".$this->users_table." SET login_when = '$get_ts', login_ip = '$get_ip' WHERE user_id = '$user_id'";
-			$database->query($query);
+			$sql  = 'UPDATE `'.$this->users_table.'` ';
+			$sql .= 'SET `login_when`=\''.$get_ts.'\', `login_ip`=\''.$get_ip.'\' ';
+			$sql .= 'WHERE `user_id`=\''.$user_id.'\'';
+			$database->query($sql);
 		}else {
 		  $num_rows = 0;
 		}
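Review bot: In the new UPDATE, `login_ip` is filled from `$_SERVER['REMOTE_ADDR']` without escaping, and `login_when` and `user_id` are quoted as strings although both are integers. REMOTE_ADDR is set by the web server rather than the client, so this is defence in depth, but a driver escape keeps the statement safe if a proxy-derived address is ever substituted: `$sql .= 'SET `login_when`='.(int)$get_ts.', `login_ip`=\''.mysql_real_escape_string($get_ip).'\' ';` and `$sql .= 'WHERE `user_id`='.(int)$user_id;`. Where `$user_id` is assigned is outside the hunk.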
Index: branches/2.8.x/wb/framework/class.frontend.php
===================================================================
--- branches/2.8.x/wb/framework/class.frontend.php	(revision 1485)
+++ branches/2.8.x/wb/framework/class.frontend.php	(revision 1486)
@@ -69,7 +69,7 @@
 		}
 		// Check if we should add page language sql code
 		if(PAGE_LANGUAGES) {
-			$this->sql_where_language = " AND language = '".LANGUAGE."'";
+			$this->sql_where_language = ' AND `language`=\''.LANGUAGE.'\'';
 		}
 		// Get default page
 		// Check for a page id
@@ -76,14 +76,16 @@
 		$table_p = TABLE_PREFIX.'pages';
 		$table_s = TABLE_PREFIX.'sections';
 		$now = time();
-		$query_default = "
-			SELECT `p`.`page_id`, `link`
-			FROM `$table_p` AS `p` INNER JOIN `$table_s` USING(`page_id`)
-			WHERE `parent` = '0' AND `visibility` = 'public'
-			AND (($now>=`publ_start` OR `publ_start`=0) AND ($now<=`publ_end` OR `publ_end`=0))
-			$this->sql_where_language
-			ORDER BY `p`.`position` ASC LIMIT 1";
-		$get_default = $database->query($query_default);
+		$sql  = 'SELECT `p`.`page_id`, `link` ';
+		$sql .= 'FROM `'.$table_p.'` AS `p` INNER JOIN `'.$table_s.'` USING(`page_id`) ';
+		$sql .= 'WHERE `parent`=0 AND `visibility`=\'public\' ';
+		$sql .=     'AND (('.$now.'>=`publ_start` OR `publ_start`=0) ';
+		$sql .=     'AND ('.$now.'<=`publ_end` OR `publ_end`=0)) ';
+		if(trim($this->sql_where_language) != '') {
+			$sql .= trim($this->sql_where_language).' ';
+		}
+		$sql .= 'ORDER BY `p`.`position` ASC';
+		$get_default = $database->query($sql);
 		$default_num_rows = $get_default->numRows();
 		if(!isset($page_id) OR !is_numeric($page_id)){
 			// Go to or show default page
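Review bot: Dropping `LIMIT 1` from the default-page query changes what `$default_num_rows` reports: it now counts every currently published public top-level page instead of 0 or 1, and all of those rows are fetched although the ORDER BY suggests only the first is wanted. `LIMIT` is valid under strict sql_mode, so nothing in the commit's goal requires removing it; if the consuming code only takes the first row, restore it with `$sql .= 'ORDER BY `p`.`position` ASC LIMIT 1';`. Note also that `INNER JOIN ... USING(page_id)` yields one row per section of a page, so the count can be inflated further. The code that uses `$default_num_rows` is outside this hunk.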
@@ -121,8 +123,8 @@
 		global $database;
 	    if($this->page_id != 0) {
 			// Query page details
-			$query_page = "SELECT * FROM ".TABLE_PREFIX."pages WHERE page_id = '{$this->page_id}'";
-			$get_page = $database->query($query_page);
+			$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` WHERE `page_id`='.(int)$this->page_id;
+			$get_page = $database->query($sql);
 			// Make sure page was found in database
 			if($get_page->numRows() == 0) {
 				// Print page not found message
@@ -231,14 +233,14 @@
 
 		// set visibility SQL code
 		// never show no-vis, hidden or deleted pages
-		$this->extra_where_sql = "visibility != 'none' AND visibility != 'hidden' AND visibility != 'deleted'";
+		$this->extra_where_sql = '`visibility`!=\'none\' AND `visibility`!=\'hidden\' AND `visibility`!=\'deleted\'';
 		// Set extra private sql code
 		if($this->is_authenticated()==false) {
 			// if user is not authenticated, don't show private pages either
-			$this->extra_where_sql .= " AND visibility != 'private'";
+			$this->extra_where_sql .= ' AND `visibility`!=\'private\'';
 			// and 'registered' without frontend login doesn't make much sense!
 			if (FRONTEND_LOGIN==false) {
-				$this->extra_where_sql .= " AND visibility != 'registered'";
+				$this->extra_where_sql .= ' AND `visibility`!=\'registered\'';
 			}
 		}
 		$this->extra_where_sql .= $this->sql_where_language;
@@ -370,12 +372,17 @@
 	       return;
 		// Check if we should add menu number check to query
 		if($this->menu_parent == 0) {
-			$menu_number = "menu = '$this->menu_number'";
+			$menu_number = '`menu`='.intval($this->menu_number);
 		} else {
 			$menu_number = '1';
 		}
 		// Query pages
-		$query_menu = $database->query("SELECT page_id,menu_title,page_title,link,target,level,visibility,viewing_groups,viewing_users FROM ".TABLE_PREFIX."pages WHERE parent = '$this->menu_parent' AND $menu_number AND $this->extra_where_sql ORDER BY position ASC");
+		$sql  = 'SELECT `page_id`,`menu_title`,`page_title`,`link`,`target`,`level`,';
+		$sql .=        '`visibility`,viewing_groups,viewing_users ';
+		$sql .= 'FROM `'.TABLE_PREFIX.'pages` ';
+		$sql .= 'WHERE `parent`='.(int)$this->menu_parent.' AND '.$menu_number.' AND '.$this->extra_where_sql.' ';
+		$sql .= 'ORDER BY `position` ASC';
+		$query_menu = $database->query($sql);
 		// Check if there are any pages to show
 		if($query_menu->numRows() > 0) {
 			// Print menu header
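Review bot: The column list on the second SELECT line mixes quoted and bare identifiers (`\`visibility\`,viewing_groups,viewing_users`), which reads as an oversight in a commit whose purpose is consistent strict-SQL quoting; `$sql .= '`visibility`,`viewing_groups`,`viewing_users` ';` makes it uniform. `$menu_number` collapses to the literal `1` when `menu_parent` is non-zero, producing `AND 1 AND ...`; a comment such as `// no menu filter below the top level: '1' is a no-op condition` would save the next reader a double take. `$this->extra_where_sql` is assembled elsewhere from constants, so no injection concern is visible here. The method starts before the hunk.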
