Revision 656
Added by thorn over 17 years ago
| class.admin.php | ||
|---|---|---|
| 101 | 101 |
$view_url = WB_URL; |
| 102 | 102 |
if(isset($_GET['page_id'])) {
|
| 103 | 103 |
// extract page link from the database |
| 104 |
$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) $_GET['page_id'] ."'");
|
|
| 104 |
$result = @$database->query("SELECT link FROM " .TABLE_PREFIX ."pages WHERE page_id = '" .(int) addslashes($_GET['page_id']) ."'");
|
|
| 105 | 105 |
$row = @$result->fetchRow(); |
| 106 | 106 |
if($row) $view_url .= PAGES_DIRECTORY .$row['link']. PAGE_EXTENSION; |
| 107 | 107 |
} |
| ... | ... | |
| 311 | 311 |
if(isset($_GET['tool'])) {
|
| 312 | 312 |
// check if displayed page contains a installed admin tool |
| 313 | 313 |
$result = $database->query("SELECT * FROM " .TABLE_PREFIX ."addons
|
| 314 |
WHERE type = 'module' AND function = 'tool' AND directory = '".$_GET['tool']."'");
|
|
| 314 |
WHERE type = 'module' AND function = 'tool' AND directory = '".addslashes($_GET['tool'])."'");
|
|
| 315 | 315 |
|
| 316 | 316 |
if($result->numRows()) {
|
| 317 | 317 |
// check if admin tool directory contains a backend.js or backend.css file to include |
| ... | ... | |
| 323 | 323 |
} |
| 324 | 324 |
} elseif(isset($_GET['page_id'])) {
|
| 325 | 325 |
// check if displayed page in the backend contains a page module |
| 326 |
$page_id = (int) $_GET['page_id'];
|
|
| 326 |
$page_id = (int) addslashes($_GET['page_id']);
|
|
| 327 | 327 |
|
| 328 | 328 |
// gather information for all models embedded on actual page |
| 329 | 329 |
$query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
|
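Review bot: The addslashes() added on line 314 is not a database-aware escape: it knows nothing about the connection charset and is not the escaping routine of the driver behind `$database`, so the `directory = '...'` comparison is still hand-built SQL around untrusted `$_GET['tool']`; the robust fix is the database layer's own escaping function or, since the value is compared against an addon directory name, a strict whitelist check such as `if (!preg_match('/^[a-zA-Z0-9_-]+$/', $_GET['tool'])) { /* reject */ }` before the query. On lines 104 and 326 the new `(int) addslashes($_GET['page_id'])` adds nothing over the previous `(int) $_GET['page_id']`, because the cast is the sanitiser and runs after addslashes anyway; I would keep the plain cast so the intent stays readable. The comment on line 317 suggests `$_GET['tool']` is also used to locate files on disk; if so, SQL escaping does not constrain that path and the whitelist above is the check that matters. The query statement beginning on line 329 continues past the end of this page.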
Added some missing addslashes(), get_post_escaped(), and strip_tags() for $_POST, $_GET and $_REQUEST-data. Also for $_SERVER['PHP_SELF'].