Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1867)
+++ branches/2.8.x/CHANGELOG	(revision 1868)
@@ -12,6 +12,8 @@
 ===============================================================================
 
 
+19 Feb-2013 Build 1868 Dietmar Woellbrink (Luisehahne)
+! change mysql_esc_string to WbDatabase::getInstance()->escapeStrinng() 
 19 Feb-2013 Build 1867 Dietmar Woellbrink (Luisehahne)
 ! fixed pagetree header
 19 Feb-2013 Build 1866 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/groups/save.inc.php
===================================================================
--- branches/2.8.x/wb/admin/groups/save.inc.php	(revision 1867)
+++ branches/2.8.x/wb/admin/groups/save.inc.php	(revision 1868)
@@ -56,7 +56,7 @@
 			$template_permissions = implode (',', $template_permissions);
 
 			// prepare empty record to add new group
-			$group_name = mysql_real_escape_string(strip_tags(trim($admin->get_post('name'))));
+			$group_name = $database->escapeString(strip_tags(trim($admin->get_post('name'))));
 //	print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';
 //	print_r( $_POST ); print '</pre>';
 
Index: branches/2.8.x/wb/admin/pages/settings_save.php
===================================================================
--- branches/2.8.x/wb/admin/pages/settings_save.php	(revision 1867)
+++ branches/2.8.x/wb/admin/pages/settings_save.php	(revision 1868)
@@ -260,10 +260,10 @@
      . 'SET `parent`='.$parent.', '
      .     '`page_title`=\''.$page_title.'\', '
      .     '`tooltip`=\''.$page_title.'\', '
-     .     '`page_icon` =\''.mysql_real_escape_string($sPageIcon).'\', '
+     .     '`page_icon` =\''.$database->escapeString($sPageIcon).'\', '
      .     '`menu_title`=\''.$menu_title.'\', '
-     .     '`menu_icon_0` =\''.mysql_real_escape_string($sMenuIcon0).'\', '
-     .     '`menu_icon_1` =\''.mysql_real_escape_string($sMenuIcon1).'\', '
+     .     '`menu_icon_0` =\''.$database->escapeString($sMenuIcon0).'\', '
+     .     '`menu_icon_1` =\''.$database->escapeString($sMenuIcon1).'\', '
      .     '`menu`='.$menu.', '
      .     '`level`='.$level.', '
      .     '`page_trail`=\''.$page_trail.'\', '
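Review bot: `$parent`, `$menu` and `$level` are concatenated into this UPDATE as bare numbers, so escapeString() would not protect them even if it were applied; cast each one where it is used, as in `(int)$parent`, `(int)$menu`, `(int)$level`. `$page_title`, `$menu_title` and `$page_trail` are quoted, but their escaping is not visible in this hunk, so confirm they pass through escapeString() earlier in the file. The same bare-number pattern appears in modules/output_filter/tool.php (`email_filter`, `sys_rel`, `mailto_filter`) and in the `$page_id` of the WHERE clause in fix_page_trail(). The statement starts and ends outside the hunk.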
@@ -299,13 +299,51 @@
 	$order->clean($old_parent);
 }
 
-/* BEGIN page "access file" code */
+// using standard function by core,
+function fix_page_trail($page_id) {
+    global $database,$admin,$target_url,$pagetree_url,$MESSAGE;
 
-// Create a new file in the /pages dir if title changed
-if(!is_writable(WB_PATH.PAGES_DIRECTORY.'/'))
+    $target_url = (isset($_POST['back_submit'])) ? $pagetree_url : $target_url;
+
+    // Work out level
+    $level = level_count($page_id);
+    // Work out root parent
+    $root_parent = root_parent($page_id);
+    // Work out page trail
+    $page_trail = get_page_trail($page_id);
+    // Update page with new level and link
+    $sql  = 'UPDATE `'.TABLE_PREFIX.'pages` SET ';
+    $sql .= '`root_parent` = '.$root_parent.', ';
+    $sql .= '`level` = '.$level.', ';
+    $sql .= '`page_trail` = "'.$page_trail.'" ';
+    $sql .= 'WHERE `page_id` = '.$page_id;
+
+    if($database->query($sql)) {
+    	$admin->print_success($MESSAGE['PAGES_SAVED_SETTINGS'], $target_url );
+    } else {
+    	$admin->print_error($database->get_error(), $target_url );
+    }
+}
+
+// Fix sub-pages page trail
+fix_page_trail($page_id);
+
+/**
+ * 
+ * BEGIN page "access file" code
+ * first check for existing pages directory
+ * if not exists try to create
+ * otherwise acess denied
+ * 
+ */
+$bCanCreateAcessFiles = is_writeable(WB_PATH);
+$bCanCreateAcessFiles = ( ( $bCanCreateAcessFiles==true ) ? make_dir(WB_PATH.PAGES_DIRECTORY) : false );
+if( !$bCanCreateAcessFiles )
 {
 	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'], $target_url);
 } else {
+// Create a new file in the /pages dir if title changed
+
     $old_filename = WB_PATH.PAGES_DIRECTORY.$old_link.PAGE_EXTENSION;
 
 	// First check if we need to create a new file
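Review bot: The new guard calls `is_writeable(WB_PATH)` before anything else, so saving page settings now fails unless the whole installation root is writable by the web server, where the removed check only required the pages directory to be writable. That pushes administrators toward looser permissions on the installation root than the feature needs. Test the pages directory first and fall back to the root only when the directory has to be created: `$sPagesDir = WB_PATH.PAGES_DIRECTORY;` then `$bCanCreateAcessFiles = is_dir($sPagesDir) ? is_writable($sPagesDir) : (is_writable(WB_PATH) && make_dir($sPagesDir));`. This assumes make_dir() returns a boolean, as its use in the hunk suggests; the else branch continues outside the hunk.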
@@ -366,33 +404,4 @@
 	}
 }
 
-// using standard function by core,
-function fix_page_trail($page_id) {
-    global $database,$admin,$target_url,$pagetree_url,$MESSAGE;
-
-    $target_url = (isset($_POST['back_submit'])) ? $pagetree_url : $target_url;
-
-    // Work out level
-    $level = level_count($page_id);
-    // Work out root parent
-    $root_parent = root_parent($page_id);
-    // Work out page trail
-    $page_trail = get_page_trail($page_id);
-    // Update page with new level and link
-    $sql  = 'UPDATE `'.TABLE_PREFIX.'pages` SET ';
-    $sql .= '`root_parent` = '.$root_parent.', ';
-    $sql .= '`level` = '.$level.', ';
-    $sql .= '`page_trail` = "'.$page_trail.'" ';
-    $sql .= 'WHERE `page_id` = '.$page_id;
-
-    if($database->query($sql)) {
-    	$admin->print_success($MESSAGE['PAGES_SAVED_SETTINGS'], $target_url );
-    } else {
-    	$admin->print_error($database->get_error(), $target_url );
-    }
-}
-
-// Fix sub-pages page trail
-fix_page_trail($page_id);
-
 $admin->print_footer();
Index: branches/2.8.x/wb/admin/pages/add.php
===================================================================
--- branches/2.8.x/wb/admin/pages/add.php	(revision 1867)
+++ branches/2.8.x/wb/admin/pages/add.php	(revision 1868)
@@ -16,8 +16,18 @@
  */
 
 // Create new admin object and print admin header
-require('../../config.php');
-require_once(WB_PATH.'/framework/class.admin.php');
+//require('../../config.php');
+//require_once(WB_PATH.'/framework/class.admin.php');
+// Create new admin object and print admin header
+if(!defined('WB_URL'))
+{
+    $config_file = realpath('../../config.php');
+    if(file_exists($config_file) && !defined('WB_URL'))
+    {
+    	require($config_file);
+    }
+}
+if(!class_exists('admin', false)){ include(WB_PATH.'/framework/class.admin.php'); }
 // suppress to print the header, so no new FTAN will be set
 $admin = new admin('Pages', 'pages_add', false);
 if (!$admin->checkFTAN())
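Review bot: `realpath('../../config.php')` is resolved against the current working directory rather than this file's location, and when it fails nothing stops the script, so `WB_PATH` is undefined when the next line builds the include path. Resolve the path from the file itself and keep the hard failure the removed `require` calls gave: `$config_file = realpath(dirname(__FILE__).'/../../config.php');` and `require_once(WB_PATH.'/framework/class.admin.php');` in place of the `include`. The inner `!defined('WB_URL')` repeats the outer test, and the two commented-out `require` lines can be deleted rather than kept.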
@@ -178,12 +188,7 @@
 $sql .= '`viewing_groups` = "'.$viewing_groups.'"';
 
 $database->query($sql);
-/*
-$query = "INSERT INTO ".TABLE_PREFIX."pages
-(page_title,menu_title,parent,template,target,position,visibility,searching,menu,language,admin_groups,viewing_groups,modified_when,modified_by) VALUES
-('$title','$title','$parent','$template','_top','$position','$visibility','1','1','$language','$admin_groups','$viewing_groups','".time()."','".$admin->get_user_id()."')";
-$database->query($query);
-*/
+
 if($database->is_error())
 {
 	$admin->print_error($database->get_error());
@@ -205,12 +210,11 @@
 $sql .= '`level` = '.$level.', ';
 $sql .= '`link` = "'.$link.'", ';
 $sql .= '`page_trail` = "'.$page_trail.'"';
-$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES)
+$sql .= ((defined('PAGE_LANGUAGES') && PAGE_LANGUAGES)
          && $field_set
          && ($language == DEFAULT_LANGUAGE)
-         && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')
-         )
-         ? ', `page_code` = '.(int)$page_id.' ' : ' ';
+         && class_exists('m_MultiLingual_Lib')
+         ? ', `page_code` = '.(int)$page_id.' ' : ' ');
 $sql .= 'WHERE `page_id` = '.$page_id;
 $database->query($sql);
 /*
@@ -220,19 +224,11 @@
 {
 	$admin->print_error($database->get_error());
 }
-// Create a new file in the /pages dir
-create_access_file($filename, $page_id, $level);
 
-if(!file_exists($filename)) {
-	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
-}
-
-// add position 1 to new page
+// add position 1 to new page section
 $position = 1;
 
 // Add new record into the sections table
-//$database->query("INSERT INTO ".TABLE_PREFIX."sections (page_id,position,module,block) VALUES ('$page_id','$position', '$module','1')");
-
 // Insert module into DB
 $sql  = 'INSERT INTO `'.TABLE_PREFIX.'sections` SET ';
 $sql .= '`page_id` = '.(int)$page_id.', ';
@@ -251,6 +247,13 @@
 	}
 }
 
+// Create a new file in the /pages dir
+create_access_file($filename, $page_id, $level);
+
+if(!file_exists($filename)) {
+	$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
+}
+
 // Check if there is a db error, otherwise say successful
 if($database->is_error()) {
 	$admin->print_error($database->get_error().' (sections)');
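Review bot: The return value of `create_access_file()` is discarded and failure is inferred from `file_exists($filename)`, which also passes when a stale file is already present at that path. modules/news/save_post.php in this same revision treats the function as returning `true` or an error message, so the same form fits here: `if (($sError = create_access_file($filename, $page_id, $level)) !== true) { $admin->print_error($sError); }`. Because the call now runs after both INSERTs, a failure leaves the page and section rows in the database without an access file; if print_error() ends the request, consider removing those rows before reporting the error.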
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1867)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1868)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '1867');
+if(!defined('REVISION')) define('REVISION', '1868');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/admin/settings/save.php
===================================================================
--- branches/2.8.x/wb/admin/settings/save.php	(revision 1867)
+++ branches/2.8.x/wb/admin/settings/save.php	(revision 1868)
@@ -272,9 +272,9 @@
 
 	    if ( !in_array($value, $disallow_in_fields) && (isset($_POST[$setting_name]) || $passed == true) )
 	    {
-	        $value = trim($admin->add_slashes($value));
+	        $value = trim($database->escapeString($value));
 	        $sql = 'UPDATE `'.TABLE_PREFIX.'settings` ';
-	        $sql .= 'SET `value` = \''.($value).'\' '; // mysql_escape_string
+	        $sql .= 'SET `value` = \''.($value).'\' ';
 	        $sql .= 'WHERE `name` != \'wb_version\' ';
 	        $sql .= 'AND `name` = \''.$setting_name.'\' ';
 	        if (!$database->query($sql))
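Review bot: `trim()` is applied after `escapeString()`, so (assuming escapeString() wraps mysql_real_escape_string()) a trailing newline or carriage return has already become a backslash sequence and is no longer trimmed; swap the calls to `$value = $database->escapeString(trim($value));`. `$setting_name` goes into the WHERE clause between quotes with no escaping visible in this hunk; if it can come from the request rather than from the settings table, it needs `$database->escapeString($setting_name)` as well. If add_slashes() compensated for magic_quotes_gpc, confirm that the new call does not store doubled backslashes on hosts where that setting is enabled. The loop around this block lies outside the hunk.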
Index: branches/2.8.x/wb/admin/users/save.php
===================================================================
--- branches/2.8.x/wb/admin/users/save.php	(revision 1867)
+++ branches/2.8.x/wb/admin/users/save.php	(revision 1868)
@@ -182,24 +182,24 @@
             // Update the database
             if($password == "") {
                 $sql .= '`group_id`     = '.intval($group_id).', '.
-                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
-                        '`username` = \''.mysql_real_escape_string($username).'\', '.
+                        '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
+                        '`username` = \''.$database->escapeString($username).'\', '.
                         '`active` = '.intval($active).', '.
-                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
-                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
-                        '`email` = \''.mysql_real_escape_string($email).'\' '.
+                        '`display_name` = \''.$database->escapeString($display_name).'\', '.
+                        '`home_folder` = \''.$database->escapeString($home_folder).'\', '.
+                        '`email` = \''.$database->escapeString($email).'\' '.
                         'WHERE `user_id` = '.intval($user_id).'';
 
             } else {
 
                 $sql .= '`group_id`     = '.intval($group_id).', '.
-                        '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
-                        '`username` = \''.mysql_real_escape_string($username).'\', '.
+                        '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
+                        '`username` = \''.$database->escapeString($username).'\', '.
                         '`password` = \''.md5($password).'\', '.
                         '`active` = '.intval($active).', '.
-                        '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
-                        '`home_folder` = \''.mysql_real_escape_string($home_folder).'\', '.
-                        '`email` = \''.mysql_real_escape_string($email).'\' '.
+                        '`display_name` = \''.$database->escapeString($display_name).'\', '.
+                        '`home_folder` = \''.$database->escapeString($home_folder).'\', '.
+                        '`email` = \''.$database->escapeString($email).'\' '.
                         'WHERE `user_id` = '.intval($user_id).'';
 
             }
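Review bot: The password branch still stores `md5($password)`, an unsalted fast hash, and the INSERT in admin/users/add.php does the same; this commit rewrites every neighbouring line but leaves it. Hashes of this kind are cheap to reverse with precomputed tables if the users table ever leaks. Move password storage to a salted, adaptive scheme (`password_hash()` / `password_verify()` where the supported PHP version has them, `crypt()` with a bcrypt salt otherwise) and rehash on the next successful login so existing accounts migrate. The two branches differ only in the `password` column, so building the column list once and appending that column conditionally would keep them from drifting apart.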
Index: branches/2.8.x/wb/admin/users/add.php
===================================================================
--- branches/2.8.x/wb/admin/users/add.php	(revision 1867)
+++ branches/2.8.x/wb/admin/users/add.php	(revision 1868)
@@ -156,23 +156,23 @@
             // Inser the user into the database
 			$sql  = 'INSERT INTO `'.TABLE_PREFIX.'users` SET '.
                     '`group_id`     = '.intval($group_id).', '.
-                    '`groups_id`    = \''.mysql_real_escape_string($groups_id).'\', '.
+                    '`groups_id`    = \''.$database->escapeString($groups_id).'\', '.
                     '`active`       = '.intval($active).', '.
-                    '`username`     = \''.mysql_real_escape_string($username).'\', '.
+                    '`username`     = \''.$database->escapeString($username).'\', '.
                     '`password`     = \''.md5($password).'\', '.
-                    '`confirm_code` = \''.mysql_real_escape_string($confirm_code).'\', '.
+                    '`confirm_code` = \''.$database->escapeString($confirm_code).'\', '.
                     '`confirm_timeout` = '.intval($confirm_timeout).', '.
-                    '`remember_key` = \''.mysql_real_escape_string($remember_key).'\', '.
+                    '`remember_key` = \''.$database->escapeString($remember_key).'\', '.
                     '`last_reset`   = '.intval($last_reset).', '.
-                    '`display_name` = \''.mysql_real_escape_string($display_name).'\', '.
-                    '`email`        = \''.mysql_real_escape_string($email).'\', '.
+                    '`display_name` = \''.$database->escapeString($display_name).'\', '.
+                    '`email`        = \''.$database->escapeString($email).'\', '.
                     '`timezone`     = '.intval($timezone).', '.
-                    '`date_format`  = \''.mysql_real_escape_string($date_format).'\', '.
-                    '`time_format`  = \''.mysql_real_escape_string($time_format).'\', '.
-                    '`language`     = \''.mysql_real_escape_string($language).'\', '.
-                    '`home_folder`  = \''.mysql_real_escape_string($home_folder).'\', '.
+                    '`date_format`  = \''.$database->escapeString($date_format).'\', '.
+                    '`time_format`  = \''.$database->escapeString($time_format).'\', '.
+                    '`language`     = \''.$database->escapeString($language).'\', '.
+                    '`home_folder`  = \''.$database->escapeString($home_folder).'\', '.
                     '`login_when`   = '.intval($login_when).', '.
-                    '`login_ip`     = \''.mysql_real_escape_string($login_ip).'\' '.
+                    '`login_ip`     = \''.$database->escapeString($login_ip).'\' '.
                     '';
             if($database->query($sql)) {
             	msgQueue::add($MESSAGE['USERS_ADDED'], true);
Index: branches/2.8.x/wb/admin/languages/uninstall.php
===================================================================
--- branches/2.8.x/wb/admin/languages/uninstall.php	(revision 1867)
+++ branches/2.8.x/wb/admin/languages/uninstall.php	(revision 1868)
@@ -65,7 +65,7 @@
 	$admin->print_error($MESSAGE['GENERIC_CANNOT_UNINSTALL_IN_USE']);
 } else {
 	$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
-	$sql .= 'WHERE`language`=\''.mysql_real_escape_string($code).'\'';
+	$sql .= 'WHERE`language`=\''.$database->escapeString($code).'\'';
 	if( $database->get_one($sql) ) {
 		$admin->print_error($MESSAGE['GENERIC_CANNOT_UNINSTALL_IN_USE']);
 	}
@@ -77,7 +77,7 @@
 } else {
 	// Remove entry from DB
 	$sql  = 'DELETE FROM `'.TABLE_PREFIX.'addons` ';
-	$sql .= 'WHERE `directory`=\''.mysql_real_escape_string($code).'\' ';
+	$sql .= 'WHERE `directory`=\''.$database->escapeString($code).'\' ';
 	$sql .=   'AND `type`=`type`=\'language\' ';
 	if( $database->query($sql) ) {
         // Print success message
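Review bot: The context line that appends ``AND `type`=`type`='language'`` compares the result of ``(`type`=`type`)`` with the string 'language', which MySQL evaluates as false for every row, so the DELETE appears to remove nothing while `$database->query()` still succeeds and the success message is printed. It should read ``$sql .= 'AND `type`=\'language\' ';``. The previous hunk's ``'WHERE`language`=`` also lacks a space after WHERE, which is harmless but worth fixing in the same pass.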
Index: branches/2.8.x/wb/admin/addons/CopyTheme.php
===================================================================
--- branches/2.8.x/wb/admin/addons/CopyTheme.php	(revision 1867)
+++ branches/2.8.x/wb/admin/addons/CopyTheme.php	(revision 1868)
@@ -97,7 +97,7 @@
 	private function _SanitizeNewName($sName)
 	{
 		$sName = (trim($sName) == '' ? 'MyNewTheme' : $sName);
-		$sName = mysql_real_escape_string($sName);
+		$sName = $this->_oDb->escapeString($sName);
 		$iCount = '';
 		do {
 			$sSearch = $sName.($iCount ? ' '.$iCount : '');
@@ -260,11 +260,11 @@
 		     .     '`function`=\'theme\', '
 		     .     '`directory`=\''.$aVariables['directory'].'\', '
 		     .     '`name`=\''.$aVariables['name'].'\', '
-		     .     '`description`=\''.mysql_real_escape_string($aVariables['description']).'\', '
+		     .     '`description`=\''.$this->_oDb->escapeString($aVariables['description']).'\', '
 		     .     '`version`=\''.$aVariables['version'].'\', '
 		     .     '`platform`=\''.$aVariables['platform'].'\', '
-		     .     '`author`=\''.mysql_real_escape_string($aVariables['author']).'\', '
-		     .     '`license`=\''.mysql_real_escape_string($aVariables['license']).'\'';
+		     .     '`author`=\''.$this->_oDb->escapeString($aVariables['author']).'\', '
+		     .     '`license`=\''.$this->_oDb->escapeString($aVariables['license']).'\'';
 		if(!$this->_oDb->query($sql)) {
 
 			$sMsg = $this->_aLang['GENERIC_NOT_UPGRADED'].' ['.$this->_sNewThemeDir.'/info.php]';
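Review bot: `description`, `author` and `license` are escaped here, but `directory`, `name`, `version` and `platform` from the same `$aVariables` array go into the statement raw. Where `$aVariables` is filled is outside the hunk; if it is read from the copied theme's info.php, all seven values have the same origin and need the same treatment, e.g. `$this->_oDb->escapeString($aVariables['name'])`. In `_SanitizeNewName()` the name is escaped before the search loop, so check that the escaped form is not also what ends up as the directory or display name.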
Index: branches/2.8.x/wb/account/save_confirm.php
===================================================================
--- branches/2.8.x/wb/account/save_confirm.php	(revision 1867)
+++ branches/2.8.x/wb/account/save_confirm.php	(revision 1868)
@@ -26,9 +26,9 @@
 require_once(dirname(__FILE__).'/AccountSignup.php');
 AccountSignup::deleteOutdatedConfirmations();
 
-$sPassword = mysql_escape_string($wb->StripCodeFromText($wb->get_post('new_password_1')));
-$sLoginName = mysql_escape_string($wb->StripCodeFromText($wb->get_post('new_loginname')));
-$sConfirmationId = mysql_escape_string($wb->StripCodeFromText($wb->get_post('confirm_code')));
+$sPassword = $database->escapeString($wb->StripCodeFromText($wb->get_post('new_password_1')));
+$sLoginName = $database->escapeString($wb->StripCodeFromText($wb->get_post('new_loginname')));
+$sConfirmationId = $database->escapeString($wb->StripCodeFromText($wb->get_post('confirm_code')));
 
 $bSendRegistrationMailtoUser = false;
 $bSendRegistrationMailtoAdmin = false;
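Review bot: `$sPassword` is passed through StripCodeFromText() and escapeString() before anything else happens to it, so a password containing quotes, backslashes or markup is altered before it is hashed or compared (the code that uses it is outside the hunk). A password should be taken verbatim from the request and only ever hashed; it needs no SQL escaping because the hash, not the password, is what reaches the query. Suggested: `$sPassword = $wb->get_post('new_password_1');`, with the escaping of `$sLoginName` and `$sConfirmationId` moved to the point where the SQL is built.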
Index: branches/2.8.x/wb/account/email.php
===================================================================
--- branches/2.8.x/wb/account/email.php	(revision 1867)
+++ branches/2.8.x/wb/account/email.php	(revision 1868)
@@ -46,7 +46,7 @@
     			if(!$wb->validate_email($email)){
     				$error[] = ($MESSAGE['USERS_INVALID_EMAIL']);
     			} else {
-        			$email = mysql_escape_string($email);
+        			$email = $database->escapeString($email);
                     // Update the database
         			$sql = "UPDATE `".TABLE_PREFIX."users` SET `email` = '".$email."' WHERE `user_id` = ".$wb->get_user_id();
         			$database->query($sql);
Index: branches/2.8.x/wb/modules/wysiwyg/save.php
===================================================================
--- branches/2.8.x/wb/modules/wysiwyg/save.php	(revision 1867)
+++ branches/2.8.x/wb/modules/wysiwyg/save.php	(revision 1868)
@@ -45,7 +45,7 @@
 	$searchfor = '@(<[^>]*=\s*")('.preg_quote($sMediaUrl).')([^">]*".*>)@siU';
     $content = preg_replace($searchfor, '$1{SYSVAR:MEDIA_REL}$3', $content);
 	// searching in $text will be much easier this way
-    $content = mysql_real_escape_string ($content);
+    $content = WbDatabase::getInstance()->escapeString ($content);
 	$text = umlauts_to_entities(strip_tags($content), strtoupper(DEFAULT_CHARSET), 0);
 	$sql  = 'UPDATE `'.TABLE_PREFIX.'mod_wysiwyg` ';
 	$sql .= 'SET `content`=\''.$content.'\', `text`=\''.$text.'\' ';
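Review bot: `$text` is derived from `$content` after it has been escaped and is then run through strip_tags() and umlauts_to_entities() before being placed in the query, so its safety depends on neither function adding or removing a quote or backslash. Derive the plain text from the raw content first, `$text = umlauts_to_entities(strip_tags($content), strtoupper(DEFAULT_CHARSET), 0);`, and only then apply the same `escapeString()` call to `$content` and to `$text` separately. The enclosing block starts outside the hunk, so whether a `$database` handle is in scope here, as it is in the other files of this commit, could not be checked.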
Index: branches/2.8.x/wb/modules/form/view.php
===================================================================
--- branches/2.8.x/wb/modules/form/view.php	(revision 1867)
+++ branches/2.8.x/wb/modules/form/view.php	(revision 1868)
@@ -82,9 +82,9 @@
 
 		$label_id = 'wb_'.preg_replace('/[^a-z0-9]/i', '_', $key).$field_id;
 		if(in_array($key, $params[1])) {
-			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</lable>'.$seperator;
+			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</lable>'.$seperator;
 		} else {
-			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</label>'.$seperator;
+			$key = '<input class="frm-field_checkbox" type="checkbox" id="'.$label_id.'" name="field'.$field_id.'['.$idx.']" value="'.$key.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$key.'</label>'.$seperator;
 		}
 	}
 }
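Review bot: The first branch still closes the label with `</lable>`, so the variant taken when `in_array($key, $params[1])` matches emits invalid markup; it should end `.$key.'</label>'.$seperator;` like the else branch. `$key` is also written into the `value` attribute and the label text without encoding, as are `$n` in the radio hunk and `$field['title']` in the label hunk further down, so an option or title containing a double quote or `<` is rendered as markup. After the comparison, encode once and use the encoded value in both places, e.g. `$sKey = htmlspecialchars($key, ENT_QUOTES);`. The callback function starts outside the hunk.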
@@ -96,9 +96,9 @@
 		$seperator = $params[2];
 		$label_id = 'wb_'.preg_replace('/[^a-z0-9]/i', '_', $n).$field_id;
 		if($n == $params[3]) {
-			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" checked="checked" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
+			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" checked="checked" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
 		} else {
-			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" />'.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
+			$n = '<input class="frm-field_checkbox" type="radio" id="'.$label_id.'" name="field'.$field_id.'" value="'.$n.'" />'.PHP_EOL.'<label for="'.$label_id.'" class="frm-checkbox_label">'.$n.'</label>'.$seperator;
 		}
 	}
 }
@@ -201,8 +201,10 @@
 				$vars = array('{TITLE}', '{REQUIRED}');
 				if (($field['type'] == "radio") || ($field['type'] == "checkbox")) {
 					$field_title = $field['title'];
-				} else {
-					$field_title = '<label for="field'.$field_id.'">'.$field['title'].'</label>';
+				} elseif($field['type'] == 'heading') {
+					$field_title = PHP_EOL.'<label>'.$field['title'].'</label>'.PHP_EOL;
+				}else {
+					$field_title = PHP_EOL.'<label for="field'.$field_id.'">'.$field['title'].'</label>'.PHP_EOL;
 				}
 				$values = array($field_title);
 				if ($field['required'] == 1) {
Index: branches/2.8.x/wb/modules/form/frontend.css
===================================================================
--- branches/2.8.x/wb/modules/form/frontend.css	(revision 1867)
+++ branches/2.8.x/wb/modules/form/frontend.css	(revision 1868)
@@ -1,5 +1,7 @@
 .frm-required { color :#ff0000; }
 .frm-field_title { font-size :12px; width :25%; vertical-align :top; white-space :nowrap; text-align :right; }
+.field_heading,
+.frm-field_heading { border-bottom: 1px ridge; font-weight: bold; }
 .frm-textfield { font-size :12px; width :90%; }
 .frm-textarea { font-size :12px; width :100%; height :100px; }
 .frm-field_heading { font-size :12px; font-weight :bold; border-bottom-width :2px; border-bottom-style :solid; border-bottom-color :#666666; padding-top :10px; color :#666666; }
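Review bot: The added `.frm-field_heading` rule is overridden by the existing `.frm-field_heading` declaration three lines further down, which sets the bottom border's width, style and colour again, so only `.field_heading` gains anything from the new lines. Either merge the intended values into the existing rule and reduce the new one to `.field_heading { border-bottom: 1px ridge; font-weight: bold; }`, or move the new rule below the old one if it is meant to win. The second hunk only appends trailing tabs to the last line and can be dropped.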
@@ -20,4 +22,4 @@
 .previewPrintTop img { padding-left :16px; }
 fieldset { border :none; }
 .frm-thankyou { font-size :1em; }
-.frm-tbody {  }
\ No newline at end of file
+.frm-tbody {  }		
\ No newline at end of file
Index: branches/2.8.x/wb/modules/form/modify.php
===================================================================
--- branches/2.8.x/wb/modules/form/modify.php	(revision 1867)
+++ branches/2.8.x/wb/modules/form/modify.php	(revision 1868)
@@ -203,7 +203,7 @@
 $page = 1;
 if(isset($_GET['page']) && is_numeric(trim($_GET['page'])))
 {
-	$page = intval(mysql_real_escape_string($_GET['page']));
+	$page = intval($database->escapeString($_GET['page']));
 }
 
 // How many adjacent pages should be shown on each side?
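Review bot: `escapeString()` adds nothing here because `intval()` already reduces the value to an integer, and it ties a plain number parse to the database connection; `$page = intval($_GET['page']);` is enough. `is_numeric()` also accepts negative numbers, decimals and exponent notation, so `$page` can still end up zero or negative. Using `ctype_digit(trim($_GET['page']))` in the condition and `$page = max(1, (int)$_GET['page']);` in the body keeps it in range.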
Index: branches/2.8.x/wb/modules/output_filter/tool.php
===================================================================
--- branches/2.8.x/wb/modules/output_filter/tool.php	(revision 1867)
+++ branches/2.8.x/wb/modules/output_filter/tool.php	(revision 1868)
@@ -48,8 +48,8 @@
 					  '`email_filter`='.$data['email_filter'].', '.
 					  '`sys_rel`='.$data['sys_rel'].', '.
 					  '`mailto_filter`='.$data['mailto_filter'].', '.
-					  '`at_replacement`=\''.mysql_real_escape_string($data['at_replacement']).'\', '.
-					  '`dot_replacement`=\''.mysql_real_escape_string($data['dot_replacement']).'\'';
+					  '`at_replacement`=\''.$database->escapeString($data['at_replacement']).'\', '.
+					  '`dot_replacement`=\''.$database->escapeString($data['dot_replacement']).'\'';
 			if($database->query($sql)) {
 			//anything ok
 				$msgOk = $MESSAGE['RECORD_MODIFIED_SAVED'];
Index: branches/2.8.x/wb/modules/news/add.php
===================================================================
--- branches/2.8.x/wb/modules/news/add.php	(revision 1867)
+++ branches/2.8.x/wb/modules/news/add.php	(revision 1868)
@@ -24,7 +24,7 @@
 }
 /* -------------------------------------------------------- */
 
-$header = '<table cellpadding=\"0\" cellspacing=\"0\" class=\"loop-header\">'."\n";
+$header = '<table class=\"loop-header\">'."\n";
 $post_loop = '<tr class=\"post-top\">
 <td class=\"post-title\"><a href=\"[LINK]\">[TITLE]</a></td>
 <td class=\"post-date\">[PUBLISHED_DATE], [PUBLISHED_TIME]</td>
@@ -36,7 +36,7 @@
 </td>
 </tr>';
 $footer = '</table>
-<table cellpadding="0" cellspacing="0" class="page-header" style="display: [DISPLAY_PREVIOUS_NEXT_LINKS]">
+<table class="page-header" style="display: [DISPLAY_PREVIOUS_NEXT_LINKS]">
 <tr>
 <td class="page-left">[PREVIOUS_PAGE_LINK]</td>
 <td class="page-center">[OF]</td>
@@ -59,7 +59,7 @@
 <a href=\"[BACK]\">[TEXT_BACK]</a>';
 $comments_header = addslashes('<br /><br />
 <h2>[TEXT_COMMENTS]</h2>
-<table cellpadding="2" cellspacing="0" class="comment-header">');
+<table class="comment-header">');
 $comments_loop = addslashes('<tr>
 <td class="comment_title">[TITLE]</td>
 <td class="comment_info">[TEXT_BY] [DISPLAY_NAME] [TEXT_ON] [DATE] [TEXT_AT] [TIME]</td>
Index: branches/2.8.x/wb/modules/news/comment_page.php
===================================================================
--- branches/2.8.x/wb/modules/news/comment_page.php	(revision 1867)
+++ branches/2.8.x/wb/modules/news/comment_page.php	(revision 1868)
@@ -61,7 +61,7 @@
 	$values = array(POST_TITLE, $MOD_NEWS['TEXT_COMMENT']);
 	echo str_replace($vars, $values, ($settings['comments_page']));
 	?>
-	<form name="comment" action="<?php echo WB_URL.'/modules/news/submit_comment.php?page_id='.PAGE_ID.'&amp;section_id='.SECTION_ID.'&amp;post_id='.POST_ID; ?>" method="post">
+	<form action="<?php echo WB_URL.'/modules/news/submit_comment.php?page_id='.PAGE_ID.'&amp;section_id='.SECTION_ID.'&amp;post_id='.POST_ID; ?>" method="post">
 	<?php if(ENABLED_ASP) { // add some honeypot-fields
 	?>
 	<input type="hidden" name="submitted_when" value="<?php $t=time(); echo $t; $_SESSION['submitted_when']=$t; ?>" />
Index: branches/2.8.x/wb/modules/news/save_post.php
===================================================================
--- branches/2.8.x/wb/modules/news/save_post.php	(revision 1867)
+++ branches/2.8.x/wb/modules/news/save_post.php	(revision 1868)
@@ -18,53 +18,27 @@
 	function createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id)
 	{
 		global $admin, $MESSAGE;
+		$sError = '';
 		$sPagesPath = WB_PATH.PAGES_DIRECTORY;
 		$sPostsPath = $sPagesPath.'/posts';
-	// create /posts/ - directory if not exists
-		if(!file_exists($sPostsPath)) {
-			if(is_writable($sPagesPath)) {
-				make_dir(WB_PATH.PAGES_DIRECTORY.'/posts/');
-			}else {
-				$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
-			}
-		}
-	// check if /posts/ - dir is writable
-		if(!is_writable($sPostsPath.'/')) {
-			$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE']);
-		}
+		$sBackUrl = ADMIN_URL.'/pages/modify.php?page_id='.$page_id;
 	// delete old accessfile if link has changed
 		if(($newLink != $oldLink) && (is_writable($sPostsPath.$oldLink.PAGE_EXTENSION))) {
 			if(!unlink($sPostsPath.$oldLink.PAGE_EXTENSION)) {
-				$admin->print_error($MESSAGE['PAGES_CANNOT_DELETE_ACCESS_FILE'].' - '.$oldLink);
+				$admin->print_error($MESSAGE['PAGES_CANNOT_DELETE_ACCESS_FILE'].' - '.$oldLink,$sBackUrl);
 			}
 		}
 	// all ok, now create new accessfile
 		$newFile = $sPagesPath.$newLink.PAGE_EXTENSION;
 		// $backSteps = preg_replace('/^'.preg_quote(WB_PATH).'/', '', $sPostsPath);
-		$backSteps = preg_replace('@^'.preg_quote(WB_PATH).'@', '', $sPostsPath);
-		$backSteps = str_repeat( '../', substr_count($backSteps, '/'));
-		$content =
-			'<?php'."\n".
-			'// *** This file is generated by WebsiteBaker Ver.'.WB_VERSION."\n".
-			'// *** Creation date: '.date('c')."\n".
-			'// *** Do not modify this file manually'."\n".
-			'// *** WB will rebuild this file from time to time!!'."\n".
-			'// *************************************************'."\n".
-			"\t".'$page_id      = '.$page_id.';'."\n".
-			"\t".'$section_id   = '.$section_id.';'."\n".
-			"\t".'$post_id      = '.$post_id.';'."\n".
-			"\t".'$post_section = '.$section_id.';'."\n".
-//			"\t".'define(\'POST_SECTION\', '.$section_id.');'."\n".
-//			"\t".'define(\'POST_ID\',      '.$post_id.');'."\n".
-			"\t".'require(\''.$backSteps.'index.php\');'."\n".
-			'// *************************************************'."\n";
-		if( file_put_contents($newFile, $content) !== false ) {
-		// Chmod the file
-			change_mode($newFile);
-		}else {
-			$admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'],ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
-			// $admin->print_error($MESSAGE['PAGES_CANNOT_CREATE_ACCESS_FILE'].': '.$newFile);
-
+				$aOptionalCommands = array(
+				         '$section_id   = '.$section_id,
+				         '$post_id      = '.$post_id ,
+				         '$post_section = '.$section_id
+				);
+		if(	($sError = create_access_file($newFile, $page_id, 0, $aOptionalCommands))!==true ) 
+		{
+			$admin->print_error($sError,$sBackUrl );
 		}
 	} // end of function createNewsAccessFile
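Review bot: `$section_id` and `$post_id` are concatenated into `$aOptionalCommands`, which create_access_file() presumably writes as PHP statements into the generated access file, so whatever these variables hold becomes executable code. The query further down casts `(int)$post_id`, which suggests the values are not guaranteed to be integers at this point; cast them where the strings are built: `'$section_id   = '.(int)$section_id,` `'$post_id      = '.(int)$post_id,` `'$post_section = '.(int)$section_id`. The removed code created and checked the /posts/ directory itself, so confirm that create_access_file() now does both. The old file is unlinked under `$sPostsPath.$oldLink` while the new one is written under `$sPagesPath.$newLink`; if `$oldLink` also begins with `/posts/`, the old path is wrong and the stale file is never removed.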
 /* ************************************************************************** */
@@ -95,7 +69,7 @@
 	if($admin->get_post('title') == '' AND $admin->get_post('url') == '') {
         $recallUrl = WB_URL.'/modules/news/modify_post.php?page_id='.$page_id.
 		             '&section_id='.$section_id.'&post_id='.$admin->getIDKEY($post_id);
-		$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], $recallUrl);
+		$admin->print_error($MESSAGE['GENERIC_FILL_IN_ALL'], $recallUrl);
 	}else {
 		$title      = $admin->get_post_escaped('title');
 		$short      = $admin->get_post_escaped('short');
@@ -112,8 +86,6 @@
 	require(WB_PATH.'/framework/functions.php');
 // Work-out what the link should be
 	$newLink = '/posts/'.page_filename($title).PAGE_SPACER.$post_id;
-// create new accessfile
-	createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id);
 // get publisedwhen and publisheduntil
 	$publishedwhen = jscalendar_to_timestamp($admin->get_post_escaped('publishdate'));
 	if($publishedwhen == '' || $publishedwhen < 1) { $publishedwhen=0; }
@@ -133,7 +105,10 @@
 	$sql .=     '`posted_when`='.time().', ';
 	$sql .=     '`posted_by`='.(int)$admin->get_user_id().' ';
 	$sql .= 'WHERE `post_id`='.(int)$post_id;
-	$database->query($sql);
+	if( $database->query($sql) ) { 
+		// create new accessfile
+		createNewsAccessFile($newLink, $oldLink, $page_id, $section_id, $post_id);
+	}
 // Check if there is a db error, otherwise say successful
 	if($database->is_error()) {
 		$recallUrl = WB_URL.'/modules/news/modify_post.php?page_id='.$page_id.
Index: branches/2.8.x/wb/modules/news/submit_comment.php
===================================================================
--- branches/2.8.x/wb/modules/news/submit_comment.php	(revision 1867)
+++ branches/2.8.x/wb/modules/news/submit_comment.php	(revision 1868)
@@ -26,7 +26,7 @@
 */
 
 require_once(WB_PATH.'/framework/class.wb.php');
-$wb = new wb;
+if( !(isset($wb) && is_object($wb)) ) { $wb = new wb(); }
 include_once (WB_PATH.'/framework/functions.php');
 /*
 $post_id = (int)$_GET['post_id'];
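Review bot: `is_object($wb)` accepts an instance of any class, so a `$wb` of a different type left behind by an including script would be used as is; `if (!(isset($wb) && $wb instanceof wb)) { $wb = new wb(); }` states the real requirement. If this file is only ever requested directly, the guard is unnecessary and `$wb = new wb();` alone is clearer.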
