
Revision 1868

Added by Dietmar almost 12 years ago

! change mysql_esc_string to WbDatabase::getInstance()->escapeString()


branches/2.8.x/CHANGELOG
12 12
===============================================================================
13 13

  
14 14

  
15
19 Feb-2013 Build 1868 Dietmar Woellbrink (Luisehahne)
16
! change mysql_esc_string to WbDatabase::getInstance()->escapeStrinng() 
15 17
19 Feb-2013 Build 1867 Dietmar Woellbrink (Luisehahne)
16 18
! fixed pagetree header
17 19
19 Feb-2013 Build 1866 Dietmar Woellbrink (Luisehahne)
branches/2.8.x/wb/admin/groups/save.inc.php
56 56
			$template_permissions = implode (',', $template_permissions);
57 57

  
58 58
			// prepare empty record to add new group
59
			$group_name = mysql_real_escape_string(strip_tags(trim($admin->get_post('name'))));
59
			$group_name = $database->escapeString(strip_tags(trim($admin->get_post('name'))));
60 60
//	print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';
61 61
//	print_r( $_POST ); print '</pre>';
62 62

  
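Review bot: The new `$database->escapeString()` call runs at the point the POST value is read, not where the SQL is assembled, so `$group_name` carries MySQL escaping for the rest of the script; if it is also echoed, logged or written to a file further down (not visible in this hunk), those outputs get stray backslashes. Keeping `$group_name = strip_tags(trim($admin->get_post('name')));` here and calling `escapeString()` inside the INSERT/UPDATE string is the safer split. The same read-time escaping pattern appears in account/email.php and account/save_confirm.php in this commit. The two commented-out debug `print` lines below the change are dead code and can be removed.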
branches/2.8.x/wb/admin/pages/settings_save.php
260 260
     . 'SET `parent`='.$parent.', '
261 261
     .     '`page_title`=\''.$page_title.'\', '
262 262
     .     '`tooltip`=\''.$page_title.'\', '
263
     .     '`page_icon` =\''.mysql_real_escape_string($sPageIcon).'\', '
263
     .     '`page_icon` =\''.$database->escapeString($sPageIcon).'\', '
264 264
     .     '`menu_title`=\''.$menu_title.'\', '
265
     .     '`menu_icon_0` =\''.mysql_real_escape_string($sMenuIcon0).'\', '
266
     .     '`menu_icon_1` =\''.mysql_real_escape_string($sMenuIcon1).'\', '
265
     .     '`menu_icon_0` =\''.$database->escapeString($sMenuIcon0).'\', '
266
     .     '`menu_icon_1` =\''.$database->escapeString($sMenuIcon1).'\', '
267 267
     .     '`menu`='.$menu.', '
268 268
     .     '`level`='.$level.', '
269 269
     .     '`page_trail`=\''.$page_trail.'\', '
......
299 299
	$order->clean($old_parent);
300 300
}
301 301

  
302
/* BEGIN page "access file" code */
302
// using standard function by core,
303
function fix_page_trail($page_id) {
304
    global $database,$admin,$target_url,$pagetree_url,$MESSAGE;
303 305

  
304
// Create a new file in the /pages dir if title changed
305
if(!is_writable(WB_PATH.PAGES_DIRECTORY.'/'))
306
    $target_url = (isset($_POST['back_submit'])) ? $pagetree_url : $target_url;
307

  
308
    // Work out level
309
    $level = level_count($page_id);
310
    // Work out root parent
311
    $root_parent = root_parent($page_id);
312
    // Work out page trail
313
    $page_trail = get_page_trail($page_id);
314
    // Update page with new level and link
315
    $sql  = 'UPDATE `'.TABLE_PREFIX.'pages` SET ';
316
    $sql .= '`root_parent` = '.$root_parent.', ';
317
    $sql .= '`level` = '.$level.', ';
318
    $sql .= '`page_trail` = "'.$page_trail.'" ';
319
    $sql .= 'WHERE `page_id` = '.$page_id;
320

  
321
    if($database->query($sql)) {
322
    	$admin->print_success($MESSAGE['PAGES_SAVED_SETTINGS'], $target_url );
323
    } else {
324
    	$admin->print_error($database->get_error(), $target_url );
325
    }
326
}
327

  
328
// Fix sub-pages page trail
329
fix_page_trail($page_id);
330

  
331
/**
332
 * 
333
 * BEGIN page "access file" code
334
 * first check for existing pages directory
335
 * if not exists try to create
336
 * otherwise acess denied
337
 * 
338
 */
339
$bCanCreateAcessFiles = is_writeable(WB_PATH);
340
$bCanCreateAcessFiles = ( ( $bCanCreateAcessFiles==true ) ? make_dir(WB_PATH.PAGES_DIRECTORY) : false );
341
if( !$bCanCreateAcessFiles )
306 342
{
307 343
	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'], $target_url);
308 344
} else {
345
// Create a new file in the /pages dir if title changed
346

  
309 347
    $old_filename = WB_PATH.PAGES_DIRECTORY.$old_link.PAGE_EXTENSION;
310 348

  
311 349
	// First check if we need to create a new file
......
366 404
	}
367 405
}
368 406

  
369
// using standard function by core,
370
function fix_page_trail($page_id) {
371
    global $database,$admin,$target_url,$pagetree_url,$MESSAGE;
372

  
373
    $target_url = (isset($_POST['back_submit'])) ? $pagetree_url : $target_url;
374

  
375
    // Work out level
376
    $level = level_count($page_id);
377
    // Work out root parent
378
    $root_parent = root_parent($page_id);
379
    // Work out page trail
380
    $page_trail = get_page_trail($page_id);
381
    // Update page with new level and link
382
    $sql  = 'UPDATE `'.TABLE_PREFIX.'pages` SET ';
383
    $sql .= '`root_parent` = '.$root_parent.', ';
384
    $sql .= '`level` = '.$level.', ';
385
    $sql .= '`page_trail` = "'.$page_trail.'" ';
386
    $sql .= 'WHERE `page_id` = '.$page_id;
387

  
388
    if($database->query($sql)) {
389
    	$admin->print_success($MESSAGE['PAGES_SAVED_SETTINGS'], $target_url );
390
    } else {
391
    	$admin->print_error($database->get_error(), $target_url );
392
    }
393
}
394

  
395
// Fix sub-pages page trail
396
fix_page_trail($page_id);
397

  
398 407
$admin->print_footer();
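Review bot: The new pre-check tests `is_writeable(WB_PATH)` and then `make_dir(WB_PATH.PAGES_DIRECTORY)`, but the removed `is_writable(WB_PATH.PAGES_DIRECTORY.'/')` test is what caught an existing, read-only pages directory; whether that case is still caught now depends on what `make_dir()` returns for a directory that already exists, which this hunk does not show. Adding the direct check back after the mkdir, `$bCanCreateAcessFiles = $bCanCreateAcessFiles && is_writable(WB_PATH.PAGES_DIRECTORY.'/');`, keeps the old guarantee. `( $bCanCreateAcessFiles==true )` can simply be `$bCanCreateAcessFiles`, and the variable name is misspelled (`Acess`). The relocated `fix_page_trail()` still interpolates `$page_id` into its WHERE clause without a cast, while admin/pages/add.php in the same commit writes `(int)$page_id`; `$sql .= 'WHERE `page_id` = '.(int)$page_id;` would make the two consistent. The `else` branch that follows the writability check continues past the hunk.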
branches/2.8.x/wb/admin/pages/add.php
16 16
 */
17 17

  
18 18
// Create new admin object and print admin header
19
require('../../config.php');
20
require_once(WB_PATH.'/framework/class.admin.php');
19
//require('../../config.php');
20
//require_once(WB_PATH.'/framework/class.admin.php');
21
// Create new admin object and print admin header
22
if(!defined('WB_URL'))
23
{
24
    $config_file = realpath('../../config.php');
25
    if(file_exists($config_file) && !defined('WB_URL'))
26
    {
27
    	require($config_file);
28
    }
29
}
30
if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
21 31
// suppress to print the header, so no new FTAN will be set
22 32
$admin = new admin('Pages', 'pages_add', false);
23 33
if (!$admin->checkFTAN())
......
178 188
$sql .= '`viewing_groups` = "'.$viewing_groups.'"';
179 189

  
180 190
$database->query($sql);
181
/*
182
$query = "INSERT INTO ".TABLE_PREFIX."pages
183
(page_title,menu_title,parent,template,target,position,visibility,searching,menu,language,admin_groups,viewing_groups,modified_when,modified_by) VALUES
184
('$title','$title','$parent','$template','_top','$position','$visibility','1','1','$language','$admin_groups','$viewing_groups','".time()."','".$admin->get_user_id()."')";
185
$database->query($query);
186
*/
191

  
187 192
if($database->is_error())
188 193
{
189 194
	$admin->print_error($database->get_error());
......
205 210
$sql .= '`level` = '.$level.', ';
206 211
$sql .= '`link` = "'.$link.'", ';
207 212
$sql .= '`page_trail` = "'.$page_trail.'"';
208
$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES)
213
$sql .= ((defined('PAGE_LANGUAGES') && PAGE_LANGUAGES)
209 214
         && $field_set
210 215
         && ($language == DEFAULT_LANGUAGE)
211
         && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')
212
         )
213
         ? ', `page_code` = '.(int)$page_id.' ' : ' ';
216
         && class_exists('m_MultiLingual_Lib')
217
         ? ', `page_code` = '.(int)$page_id.' ' : ' ');
214 218
$sql .= 'WHERE `page_id` = '.$page_id;
215 219
$database->query($sql);
216 220
/*
......
220 224
{
221 225
	$admin->print_error($database->get_error());
222 226
}
223
// Create a new file in the /pages dir
224
create_access_file($filename, $page_id, $level);
225 227

  
226
if(!file_exists($filename)) {
227
	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
228
}
229

  
230
// add position 1 to new page
228
// add position 1 to new page section
231 229
$position = 1;
232 230

  
233 231
// Add new record into the sections table
234
//$database->query("INSERT INTO ".TABLE_PREFIX."sections (page_id,position,module,block) VALUES ('$page_id','$position', '$module','1')");
235

  
236 232
// Insert module into DB
237 233
$sql  = 'INSERT INTO `'.TABLE_PREFIX.'sections` SET ';
238 234
$sql .= '`page_id` = '.(int)$page_id.', ';
......
251 247
	}
252 248
}
253 249

  
250
// Create a new file in the /pages dir
251
create_access_file($filename, $page_id, $level);
252

  
253
if(!file_exists($filename)) {
254
	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
255
}
256

  
254 257
// Check if there is a db error, otherwise say successful
255 258
if($database->is_error()) {
256 259
	$admin->print_error($database->get_error().' (sections)');
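Review bot: Replacing the unconditional `require('../../config.php')` with the `defined('WB_URL')` guard means a missing config file no longer aborts: `realpath()` returns false, the `file_exists` branch is skipped, and execution reaches `include(WB_PATH.'/framework/class.admin.php')` with `WB_PATH` undefined, so the failure surfaces later and less clearly (`include` only warns). Keeping a hard requirement inside the class guard, `if(!class_exists('admin', false)){ require_once(WB_PATH.'/framework/class.admin.php'); }`, restores the abort for the framework class, and the inner `&& !defined('WB_URL')` repeats the outer condition and can go. The two commented-out `require` lines above the guard are dead code rather than documentation. The reason for testing `class_exists('m_MultiLingual_Lib')` instead of the update_keys.php file in the `page_code` expression deserves a one-line comment, e.g. `// page_code is only synced when the multilingual library class has been loaded`.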
branches/2.8.x/wb/admin/interface/version.php
51 51

  
52 52
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
53 53
if(!defined('VERSION')) define('VERSION', '2.8.3');
54
if(!defined('REVISION')) define('REVISION', '1867');
54
if(!defined('REVISION')) define('REVISION', '1868');
55 55
if(!defined('SP')) define('SP', '');
branches/2.8.x/wb/admin/settings/save.php
272 272

  
273 273
	    if ( !in_array($value, $disallow_in_fields) && (isset($_POST[$setting_name]) || $passed == true) )
274 274
	    {
275
	        $value = trim($admin->add_slashes($value));
275
	        $value = trim($database->escapeString($value));
276 276
	        $sql = 'UPDATE `'.TABLE_PREFIX.'settings` ';
277
	        $sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string
277
	        $sql .= 'SET `value` = \''.($value).'\' ';
278 278
	        $sql .= 'WHERE `name` != \'wb_version\' ';
279 279
	        $sql .= 'AND `name` = \''.$setting_name.'\' ';
280 280
	        if (!$database->query($sql))
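Review bot: Escaping now happens before `trim()`, so whitespace that the escape turns into a backslash sequence (a trailing newline becomes the two characters `\n`) is no longer trimmed and ends up in the stored value; swapping the order, `$value = $database->escapeString(trim($value));`, keeps the old trimming behaviour. On the `AND name = ...` line two lines below, `$setting_name` is still concatenated without `escapeString()`; if it can come from the request rather than a fixed list (its origin is outside the hunk), it should get the same treatment. The enclosing loop starts before the hunk.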
branches/2.8.x/wb/admin/users/save.php
182 182
            // Update the database
183 183
            if($password == "") {
184 184
                $sql .= '`group_id`     = '.intval($group_id).', '.
185
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
186
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
185
                        '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
186
                        '`username` = \''.$database->escapeString($username).'\', '.
187 187
                        '`active` = '.intval($active).', '.
188
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
189
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
190
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
188
                        '`display_name` = \''.$database->escapeString($display_name).'\', '.
189
                        '`home_folder` = \''.$database->escapeString($home_folder).'\', '.
190
                        '`email` = \''.$database->escapeString($email).'\' '.
191 191
                        'WHERE `user_id` = '.intval($user_id).'';
192 192

  
193 193
            } else {
194 194

  
195 195
                $sql .= '`group_id`     = '.intval($group_id).', '.
196
                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
197
                        '`username` = \''.mysql_real_escape_string($username).'\', '.
196
                        '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
197
                        '`username` = \''.$database->escapeString($username).'\', '.
198 198
                        '`password` = \''.md5($password).'\', '.
199 199
                        '`active` = '.intval($active).', '.
200
                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
201
                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
202
                        '`email` = \''.mysql_real_escape_string($email).'\' '.
200
                        '`display_name` = \''.$database->escapeString($display_name).'\', '.
201
                        '`home_folder` = \''.$database->escapeString($home_folder).'\', '.
202
                        '`email` = \''.$database->escapeString($email).'\' '.
203 203
                        'WHERE `user_id` = '.intval($user_id).'';
204 204

  
205 205
            }
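Review bot: The two branches now repeat the same six escaped assignments and differ only in the `password` column, so the escaping had to be edited twice in lockstep; building the shared part once and appending `'`password` = \''.md5($password).'\', '` only when `$password != ""` would leave a single place to maintain. `md5($password)` on the context line is an unsalted fast hash; it is outside this change, but `password_hash()`/`password_verify()` is the standard replacement when this file is next touched, and the same call is in admin/users/add.php. The enclosing `if` that opens this block starts before the hunk.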
branches/2.8.x/wb/admin/users/add.php
156 156
            // Inser the user into the database
157 157
			$sql  = 'INSERT INTO `'.TABLE_PREFIX.'users` SET '.
158 158
                    '`group_id`     = '.intval($group_id).', '.
159
                    '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
159
                    '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
160 160
                    '`active`       = '.intval($active).', '.
161
                    '`username`     = \''.mysql_real_escape_string($username).'\', '.
161
                    '`username`     = \''.$database->escapeString($username).'\', '.
162 162
                    '`password`     = \''.md5($password).'\', '.
163
                    '`confirm_code` = \''.mysql_real_escape_string($confirm_code).'\', '.
163
                    '`confirm_code` = \''.$database->escapeString($confirm_code).'\', '.
164 164
                    '`confirm_timeout` = '.intval($confirm_timeout).', '.
165
                    '`remember_key` = \''.mysql_real_escape_string($remember_key).'\', '.
165
                    '`remember_key` = \''.$database->escapeString($remember_key).'\', '.
166 166
                    '`last_reset`   = '.intval($last_reset).', '.
167
                    '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
168
                    '`email`        = \''.mysql_real_escape_string($email).'\', '.
167
                    '`display_name` = \''.$database->escapeString($display_name).'\', '.
168
                    '`email`        = \''.$database->escapeString($email).'\', '.
169 169
                    '`timezone`     = '.intval($timezone).', '.
170
                    '`date_format`  = \''.mysql_real_escape_string($date_format).'\', '.
171
                    '`time_format`  = \''.mysql_real_escape_string($time_format).'\', '.
172
                    '`language`     = \''.mysql_real_escape_string($language).'\', '.
173
                    '`home_folder`  = \''.mysql_real_escape_string($home_folder).'\', '.
170
                    '`date_format`  = \''.$database->escapeString($date_format).'\', '.
171
                    '`time_format`  = \''.$database->escapeString($time_format).'\', '.
172
                    '`language`     = \''.$database->escapeString($language).'\', '.
173
                    '`home_folder`  = \''.$database->escapeString($home_folder).'\', '.
174 174
                    '`login_when`   = '.intval($login_when).', '.
175
                    '`login_ip`     = \''.mysql_real_escape_string($login_ip).'\' '.
175
                    '`login_ip`     = \''.$database->escapeString($login_ip).'\' '.
176 176
                    '';
177 177
            if($database->query($sql)) {
178 178
            	msgQueue::add($MESSAGE['USERS_ADDED'], true);
branches/2.8.x/wb/admin/languages/uninstall.php
65 65
	$admin->print_error($MESSAGE['GENERIC_CANNOT_UNINSTALL_IN_USE']);
66 66
} else {
67 67
	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
68
	$sql .= 'WHERE`language`=\''.mysql_real_escape_string($code).'\'';
68
	$sql .= 'WHERE`language`=\''.$database->escapeString($code).'\'';
69 69
	if( $database->get_one($sql) ) {
70 70
		$admin->print_error($MESSAGE['GENERIC_CANNOT_UNINSTALL_IN_USE']);
71 71
	}
......
77 77
} else {
78 78
	// Remove entry from DB
79 79
	$sql  = 'DELETE FROM `'.TABLE_PREFIX.'addons` ';
80
	$sql .= 'WHERE `directory`=\''.mysql_real_escape_string($code).'\' ';
80
	$sql .= 'WHERE `directory`=\''.$database->escapeString($code).'\' ';
81 81
	$sql .=   'AND `type`=`type`=\'language\' ';
82 82
	if( $database->query($sql) ) {
83 83
        // Print success message
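Review bot: The DELETE that the new escaped `directory` comparison feeds is still followed by `'AND `type`=`type`=\'language\' '`, which MySQL evaluates as `(type = type) = 'language'`, i.e. `1 = 'language'`, so the condition is never true and the addon row is not removed; the line should read `'AND `type`=\'language\' '`. The earlier `WHERE`language`` on the SELECT lacks the space after `WHERE`; MySQL tolerates it, but `'WHERE `language`=\''` reads better. Both statements depend on `$code`, whose origin is outside the hunk.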
branches/2.8.x/wb/admin/addons/CopyTheme.php
97 97
	private function _SanitizeNewName($sName)
98 98
	{
99 99
		$sName = (trim($sName) == '' ? 'MyNewTheme' : $sName);
100
		$sName = mysql_real_escape_string($sName);
100
		$sName = $this->_oDb->escapeString($sName);
101 101
		$iCount = '';
102 102
		do {
103 103
			$sSearch = $sName.($iCount ? ' '.$iCount : '');
......
260 260
		     .     '`function`=\'theme\', '
261 261
		     .     '`directory`=\''.$aVariables['directory'].'\', '
262 262
		     .     '`name`=\''.$aVariables['name'].'\', '
263
		     .     '`description`=\''.mysql_real_escape_string($aVariables['description']).'\', '
263
		     .     '`description`=\''.$this->_oDb->escapeString($aVariables['description']).'\', '
264 264
		     .     '`version`=\''.$aVariables['version'].'\', '
265 265
		     .     '`platform`=\''.$aVariables['platform'].'\', '
266
		     .     '`author`=\''.mysql_real_escape_string($aVariables['author']).'\', '
267
		     .     '`license`=\''.mysql_real_escape_string($aVariables['license']).'\'';
266
		     .     '`author`=\''.$this->_oDb->escapeString($aVariables['author']).'\', '
267
		     .     '`license`=\''.$this->_oDb->escapeString($aVariables['license']).'\'';
268 268
		if(!$this->_oDb->query($sql)) {
269 269

  
270 270
			$sMsg = $this->_aLang['GENERIC_NOT_UPGRADED'].' ['.$this->_sNewThemeDir.'/info.php]';
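Review bot: `_SanitizeNewName()` now applies SQL escaping to a value that, going by `$sSearch` in the loop below and `$this->_sNewThemeDir` further down, is also used as a theme name and directory; a backslash inserted for a quote then becomes part of that name. Restricting the character set here instead (for example `$sName = preg_replace('/[^A-Za-z0-9 _-]/', '', $sName);`) and calling `$this->_oDb->escapeString()` only where the SQL is built keeps the two concerns apart. In the second hunk, `description`, `author` and `license` are escaped but `directory`, `name`, `version` and `platform` from the same `$aVariables` array are concatenated raw; unless they are validated before this point, they should be escaped the same way.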
branches/2.8.x/wb/account/save_confirm.php
26 26
require_once(dirname(__FILE__).'/AccountSignup.php');
27 27
AccountSignup::deleteOutdatedConfirmations();
28 28

  
29
$sPassword = mysql_escape_string($wb->StripCodeFromText($wb->get_post('new_password_1')));
30
$sLoginName = mysql_escape_string($wb->StripCodeFromText($wb->get_post('new_loginname')));
31
$sConfirmationId = mysql_escape_string($wb->StripCodeFromText($wb->get_post('confirm_code')));
29
$sPassword = $database->escapeString($wb->StripCodeFromText($wb->get_post('new_password_1')));
30
$sLoginName = $database->escapeString($wb->StripCodeFromText($wb->get_post('new_loginname')));
31
$sConfirmationId = $database->escapeString($wb->StripCodeFromText($wb->get_post('confirm_code')));
32 32

  
33 33
$bSendRegistrationMailtoUser = false;
34 34
$bSendRegistrationMailtoAdmin = false;
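Review bot: `$sPassword` is now MySQL-escaped as soon as it is read; if it is later hashed or compared rather than concatenated into SQL (not visible here), a password containing `'`, `"` or `\` is altered before hashing and will not match what the login path computes. Escape it where the query is built and keep `$sPassword = $wb->StripCodeFromText($wb->get_post('new_password_1'));` here. The script also relies on `$database` already existing in the including context; using `WbDatabase::getInstance()->escapeString()` as modules/wysiwyg/save.php does in the same commit removes that dependency.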
branches/2.8.x/wb/account/email.php
46 46
    			if(!$wb->validate_email($email)){
47 47
    				$error[] = ($MESSAGE['USERS_INVALID_EMAIL']);
48 48
    			} else {
49
        			$email = mysql_escape_string($email);
49
        			$email = $database->escapeString($email);
50 50
                    // Update the database
51 51
        			$sql = "UPDATE `".TABLE_PREFIX."users` SET `email` = '".$email."' WHERE `user_id` = ".$wb->get_user_id();
52 52
        			$database->query($sql);
branches/2.8.x/wb/modules/wysiwyg/save.php
45 45
	$searchfor = '@(<[^>]*=\s*")('.preg_quote($sMediaUrl).')([^">]*".*>)@siU';
46 46
    $content = preg_replace($searchfor, '$1{SYSVAR:MEDIA_REL}$3', $content);
47 47
	// searching in $text will be much easier this way
48
    $content = mysql_real_escape_string ($content);
48
    $content = WbDatabase::getInstance()->escapeString ($content);
49 49
	$text = umlauts_to_entities(strip_tags($content), strtoupper(DEFAULT_CHARSET), 0);
50 50
	$sql  = 'UPDATE `'.TABLE_PREFIX.'mod_wysiwyg` ';
51 51
	$sql .= 'SET `content`=\''.$content.'\', `text`=\''.$text.'\' ';
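Review bot: `escapeString ($content)` on the new line has a space before the argument list, unlike the other calls in this hunk, and it is the only place in the commit that reaches the database through `WbDatabase::getInstance()` while the other files use `$database`; `$content = WbDatabase::getInstance()->escapeString($content);` matches the surrounding style. Since `$text` on the next line is derived from the already-escaped `$content`, the comment above the call would be more accurate as `// escape once here; $text below is derived from the escaped content and goes into the same query`.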
branches/2.8.x/wb/modules/form/view.php
82 82

  
83 83
		$label_id = 'wb_'.preg_replace('/[^a-z0-9]/i', '_', $key).$field_id;
84 84
		if(in_array($key, $params[1])) {
85
			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</lable>'.$seperator;
85
			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</lable>'.$seperator;
86 86
		} else {
87
			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</label>'.$seperator;
87
			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</label>'.$seperator;
88 88
		}
89 89
	}
90 90
}
......
96 96
		$seperator = $params[2];
97 97
		$label_id = 'wb_'.preg_replace('/[^a-z0-9]/i', '_', $n).$field_id;
98 98
		if($n == $params[3]) {
99
			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" checked="checked" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
99
			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" checked="checked" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
100 100
		} else {
101
			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
101
			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
102 102
		}
103 103
	}
104 104
}
......
201 201
				$vars = array('{TITLE}', '{REQUIRED}');
202 202
				if (($field['type'] == "radio") || ($field['type'] == "checkbox")) {
203 203
					$field_title = $field['title'];
204
				} else {
205
					$field_title = '<label for="field'.$field_id.'">'.$field['title'].'</label>';
204
				} elseif($field['type'] == 'heading') {
205
					$field_title = PHP_EOL.'<label>'.$field['title'].'</label>'.PHP_EOL;
206
				}else {
207
					$field_title = PHP_EOL.'<label for="field'.$field_id.'">'.$field['title'].'</label>'.PHP_EOL;
206 208
				}
207 209
				$values = array($field_title);
208 210
				if ($field['required'] == 1) {
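Review bot: The rewritten checkbox line in the `in_array` branch closes the label with `</lable>`, while its `else` twin closes with `</label>`; the new line should end `...'</label>'.$seperator;`. The `$key` written into `value="..."` and into the label text is not HTML-escaped on either branch, and its origin is not visible here; if the option text can contain `"` or `<`, apply `htmlspecialchars($key, ENT_QUOTES, 'UTF-8')` once at the top of the loop, and the same question applies to `$n` in the radio hunk below. `}else {` in the third hunk differs from the `} else {` spacing used elsewhere in the file.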
branches/2.8.x/wb/modules/form/frontend.css
1 1
.frm-required { color :#ff0000; }
2 2
.frm-field_title { font-size :12px; width :25%; vertical-align :top; white-space :nowrap; text-align :right; }
3
.field_heading,
4
.frm-field_heading { border-bottom: 1px ridge; font-weight: bold; }
3 5
.frm-textfield { font-size :12px; width :90%; }
4 6
.frm-textarea { font-size :12px; width :100%; height :100px; }
5 7
.frm-field_heading { font-size :12px; font-weight :bold; border-bottom-width :2px; border-bottom-style :solid; border-bottom-color :#666666; padding-top :10px; color :#666666; }
......
20 22
.previewPrintTop img { padding-left :16px; }
21 23
fieldset { border :none; }
22 24
.frm-thankyou { font-size :1em; }
23
.frm-tbody {  }
25
.frm-tbody {  }		
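Review bot: The new `.frm-field_heading { border-bottom: 1px ridge; font-weight: bold; }` is overridden for the border by the existing `.frm-field_heading` rule three lines below (`border-bottom-width :2px; border-bottom-style :solid; border-bottom-color :#666666`), which has the same specificity and comes later, so only the `.field_heading` selector actually gets the ridge border. Either merge the two into the existing rule or keep `.field_heading` on its own and drop the duplicate selector. The other change only appends trailing whitespace to `.frm-tbody {  }` and can be reverted.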
branches/2.8.x/wb/modules/form/modify.php
203 203
$page = 1;
204 204
if(isset($_GET['page']) && is_numeric(trim($_GET['page'])))
205 205
{
206
	$page = intval(mysql_real_escape_string($_GET['page']));
206
	$page = intval($database->escapeString($_GET['page']));
207 207
}
208 208

  
209 209
// How many adjacent pages should be shown on each side?
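Review bot: `intval($database->escapeString($_GET['page']))` escapes a value that is immediately converted to an integer, so the escaping has no effect on the result and only obscures that `is_numeric()` plus a cast is the whole check; `$page = (int)$_GET['page'];` is equivalent and clearer. The `is_numeric()` guard above also accepts forms like `1e3`; if only positive page numbers are meaningful, `$page = max(1, (int)$_GET['page']);` captures that.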
branches/2.8.x/wb/modules/output_filter/tool.php
48 48
					  '`email_filter`='.$data['email_filter'].', '.
49 49
					  '`sys_rel`='.$data['sys_rel'].', '.
50 50
					  '`mailto_filter`='.$data['mailto_filter'].', '.
51
					  '`at_replacement`=\''.mysql_real_escape_string($data['at_replacement']).'\', '.
52
					  '`dot_replacement`=\''.mysql_real_escape_string($data['dot_replacement']).'\'';
51
					  '`at_replacement`=\''.$database->escapeString($data['at_replacement']).'\', '.
52
					  '`dot_replacement`=\''.$database->escapeString($data['dot_replacement']).'\'';
53 53
			if($database->query($sql)) {
54 54
			//anything ok
55 55
				$msgOk = $MESSAGE['RECORD_MODIFIED_SAVED'];
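Review bot: The string columns `at_replacement` and `dot_replacement` are now escaped, but `email_filter`, `sys_rel` and `mailto_filter` from the same `$data` array are concatenated into the SQL unquoted and uncast on the context lines above; if they are flags, `'`email_filter`='.(int)$data['email_filter'].', '.` (and likewise for the other two) makes the statement safe regardless of where `$data` was filled, which is outside the hunk.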
branches/2.8.x/wb/modules/news/add.php
24 24
}
25 25
/* -------------------------------------------------------- */
26 26

  
27
$header = '<table cellpadding=\"0\" cellspacing=\"0\" class=\"loop-header\">'."\n";
27
$header = '<table class=\"loop-header\">'."\n";
28 28
$post_loop = '<tr class=\"post-top\">
29 29
<td class=\"post-title\"><a href=\"[LINK]\">[TITLE]</a></td>
30 30
<td class=\"post-date\">[PUBLISHED_DATE], [PUBLISHED_TIME]</td>
......
36 36
</td>
37 37
</tr>';
38 38
$footer = '</table>
39
<table cellpadding="0" cellspacing="0" class="page-header" style="display: [DISPLAY_PREVIOUS_NEXT_LINKS]">
39
<table class="page-header" style="display: [DISPLAY_PREVIOUS_NEXT_LINKS]">
40 40
<tr>
41 41
<td class="page-left">[PREVIOUS_PAGE_LINK]</td>
42 42
<td class="page-center">[OF]</td>
......
59 59
<a href=\"[BACK]\">[TEXT_BACK]</a>';
60 60
$comments_header = addslashes('<br /><br />
61 61
<h2>[TEXT_COMMENTS]</h2>
62
<table cellpadding="2" cellspacing="0" class="comment-header">');
62
<table class="comment-header">');
63 63
$comments_loop = addslashes('<tr>
64 64
<td class="comment_title">[TITLE]</td>
65 65
<td class="comment_info">[TEXT_BY] [DISPLAY_NAME] [TEXT_ON] [DATE] [TEXT_AT] [TIME]</td>
branches/2.8.x/wb/modules/news/comment_page.php
61 61
	$values = array(POST_TITLE, $MOD_NEWS['TEXT_COMMENT']);
62 62
	echo str_replace($vars, $values, ($settings['comments_page']));
63 63
	?>
64
	<form name="comment" action="<?php echo WB_URL.'/modules/news/submit_comment.php?page_id='.PAGE_ID.'&amp;section_id='.SECTION_ID.'&amp;post_id='.POST_ID; ?>" method="post">
64
	<form action="<?php echo WB_URL.'/modules/news/submit_comment.php?page_id='.PAGE_ID.'&amp;section_id='.SECTION_ID.'&amp;post_id='.POST_ID; ?>" method="post">
65 65
	<?php if(ENABLED_ASP) { // add some honeypot-fields
66 66
	?>
67 67
	<input type="hidden" name="submitted_when" value="<?php $t=time(); echo $t; $_SESSION['submitted_when']=$t; ?>" />
branches/2.8.x/wb/modules/news/save_post.php
18 18
	function createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id)
19 19
	{
20 20
		global $admin, $MESSAGE;
21
		$sError = '';
21 22
		$sPagesPath = WB_PATH.PAGES_DIRECTORY;
22 23
		$sPostsPath = $sPagesPath.'/posts';
23
	// create /posts/ - directory if not exists
24
		if(!file_exists($sPostsPath)) {
25
			if(is_writable($sPagesPath)) {
26
				make_dir(WB_PATH.PAGES_DIRECTORY.'/posts/');
27
			}else {
28
				$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
29
			}
30
		}
31
	// check if /posts/ - dir is writable
32
		if(!is_writable($sPostsPath.'/')) {
33
			$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
34
		}
24
		$sBackUrl = ADMIN_URL.'/pages/modify.php?page_id='.$page_id;
35 25
	// delete old accessfile if link has changed
36 26
		if(($newLink != $oldLink) && (is_writable($sPostsPath.$oldLink.PAGE_EXTENSION))) {
37 27
			if(!unlink($sPostsPath.$oldLink.PAGE_EXTENSION)) {
38
				$admin->print_error($MESSAGE['PAGES_CANNOT_DELETE_ACCESS_FILE'].' - '.$oldLink);
28
				$admin->print_error($MESSAGE['PAGES_CANNOT_DELETE_ACCESS_FILE'].' - '.$oldLink,$sBackUrl);
39 29
			}
40 30
		}
41 31
	// all ok, now create new accessfile
42 32
		$newFile = $sPagesPath.$newLink.PAGE_EXTENSION;
43 33
		// $backSteps = preg_replace('/^'.preg_quote(WB_PATH).'/', '', $sPostsPath);
44
		$backSteps = preg_replace('@^'.preg_quote(WB_PATH).'@', '', $sPostsPath);
45
		$backSteps = str_repeat( '../', substr_count($backSteps, '/'));
46
		$content =
47
			'<?php'."\n".
48
			'// *** This file is generated by WebsiteBaker Ver.'.WB_VERSION."\n".
49
			'// *** Creation date: '.date('c')."\n".
50
			'// *** Do not modify this file manually'."\n".
51
			'// *** WB will rebuild this file from time to time!!'."\n".
52
			'// *************************************************'."\n".
53
			"\t".'$page_id      = '.$page_id.';'."\n".
54
			"\t".'$section_id   = '.$section_id.';'."\n".
55
			"\t".'$post_id      = '.$post_id.';'."\n".
56
			"\t".'$post_section = '.$section_id.';'."\n".
57
//			"\t".'define(\'POST_SECTION\', '.$section_id.');'."\n".
58
//			"\t".'define(\'POST_ID\',      '.$post_id.');'."\n".
59
			"\t".'require(\''.$backSteps.'index.php\');'."\n".
60
			'// *************************************************'."\n";
61
		if( file_put_contents($newFile, $content) !== false ) {
62
		// Chmod the file
63
			change_mode($newFile);
64
		}else {
65
			$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'],ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
66
			// $admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'].': '.$newFile);
67

  
34
				$aOptionalCommands = array(
35
				         '$section_id   = '.$section_id,
36
				         '$post_id      = '.$post_id ,
37
				         '$post_section = '.$section_id
38
				);
39
		if(	($sError = create_access_file($newFile, $page_id, 0, $aOptionalCommands))!==true ) 
40
		{
41
			$admin->print_error($sError,$sBackUrl );
68 42
		}
69 43
	} // end of function createNewsAccessFile
70 44
/* ************************************************************************** */
......
95 69
	if($admin->get_post('title') == '' AND $admin->get_post('url') == '') {
96 70
        $recallUrl = WB_URL.'/modules/news/modify_post.php?page_id='.$page_id.
97 71
		             '&section_id='.$section_id.'&post_id='.$admin->getIDKEY($post_id);
98
		$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], $recallUrl);
72
		$admin->print_error($MESSAGE['GENERIC_FILL_IN_ALL'], $recallUrl);
99 73
	}else {
100 74
		$title      = $admin->get_post_escaped('title');
101 75
		$short      = $admin->get_post_escaped('short');
......
112 86
	require(WB_PATH.'/framework/functions.php');
113 87
// Work-out what the link should be
114 88
	$newLink = '/posts/'.page_filename($title).PAGE_SPACER.$post_id;
115
// create new accessfile
116
	createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id);
117 89
// get publisedwhen and publisheduntil
118 90
	$publishedwhen = jscalendar_to_timestamp($admin->get_post_escaped('publishdate'));
119 91
	if($publishedwhen == '' || $publishedwhen < 1) { $publishedwhen=0; }
......
133 105
	$sql .=     '`posted_when`='.time().', ';
134 106
	$sql .=     '`posted_by`='.(int)$admin->get_user_id().' ';
135 107
	$sql .= 'WHERE `post_id`='.(int)$post_id;
136
	$database->query($sql);
108
	if( $database->query($sql) ) { 
109
		// create new accessfile
110
		createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id);
111
	}
137 112
// Check if there is a db error, otherwise say successful
138 113
	if($database->is_error()) {
139 114
		$recallUrl = WB_URL.'/modules/news/modify_post.php?page_id='.$page_id.
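Review bot: `$aOptionalCommands` writes `$section_id` and `$post_id` verbatim into PHP source that `create_access_file()` emits, so each of the three entries should cast, e.g. `'$post_id      = '.(int)$post_id,`, as `page_id` in admin/pages/add.php does. The removed block that created and checked `/pages/posts` has no replacement in this function; unless `create_access_file()` creates missing parent directories (not visible here), a fresh install without that directory will fail inside it. `$sError = ''` is assigned but only ever overwritten by the `create_access_file()` result, so the initialisation can go. The `$aOptionalCommands` array is indented two levels deeper than the `if` that uses it.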
branches/2.8.x/wb/modules/news/submit_comment.php
26 26
*/
27 27

  
28 28
require_once(WB_PATH.'/framework/class.wb.php');
29
$wb = new wb;
29
if( !(isset($wb) && is_object($wb)) ) { $wb = new wb(); }
30 30
include_once (WB_PATH.'/framework/functions.php');
31 31
/*
32 32
$post_id = (int)$_GET['post_id'];
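Review bot: `isset($wb) && is_object($wb)` accepts any object already bound to `$wb`, not only an instance of `wb`, so a differently-typed `$wb` from the including context would be used in place of a fresh one; `if( !(isset($wb) && ($wb instanceof wb)) ) { $wb = new wb(); }` expresses the intent exactly. The hunk ends inside the commented-out block that follows.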
