Revision 656
Added by thorn almost 17 years ago
class.admin.php | ||
---|---|---|
101 | 101 |
$view_url = WB_URL; |
102 | 102 |
if(isset($_GET['page_id'])) { |
103 | 103 |
// extract page link from the database |
104 |
$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) $_GET['page_id'] ."'");
|
|
104 |
$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
|
|
105 | 105 |
$row = @$result->fetchRow(); |
106 | 106 |
if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION; |
107 | 107 |
} |
... | ... | |
311 | 311 |
if(isset($_GET['tool'])) { |
312 | 312 |
// check if displayed page contains a installed admin tool |
313 | 313 |
$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons |
314 |
WHERE type = 'module' AND function = 'tool' AND directory = '".$_GET['tool']."'");
|
|
314 |
WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
|
|
315 | 315 |
|
316 | 316 |
if($result->numRows()) { |
317 | 317 |
// check if admin tool directory contains a backend.js or backend.css file to include |
... | ... | |
323 | 323 |
} |
324 | 324 |
} elseif(isset($_GET['page_id'])) { |
325 | 325 |
// check if displayed page in the backend contains a page module |
326 |
$page_id = (int) $_GET['page_id'];
|
|
326 |
$page_id = (int) addslashes($_GET['page_id']);
|
|
327 | 327 |
|
328 | 328 |
// gather information for all models embedded on actual page |
329 | 329 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections |
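Review bot: At the new line 314, `addslashes()` is the only thing standing between `$_GET['tool']` and a single-quoted SQL literal, and it is the wrong tool for that job: it is not aware of the connection character set and is not an SQL escaping function, so the query should instead use whatever charset-aware escaping the `$database` wrapper exposes (or the driver's `mysql_real_escape_string()`, the current API at the time), or better a parameterised query. At lines 104 and 326 the added `addslashes()` is a no-op, because the result is immediately cast with `(int)`; `(int) $_GET['page_id']` already neutralised the value and the simpler form should be kept so the cast is recognisable as the real defence. The `@` on the line-104 query suppresses driver errors, which would hide exactly the failures a bad escape produces; consider dropping it. The enclosing method starts before the first hunk and ends after the last, so this review covers only the visible lines.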
Added some missing addslashes(), get_post_escaped(), and strip_tags() calls for $_POST, $_GET and $_REQUEST data. Also for $_SERVER['PHP_SELF'].