Commit f516626a authored by Dries's avatar Dries

A rather large and important update:

revised most of the SQL queries and tried to make drupal as secure as possible (while trying to avoid redundant/duplicate checks).  For drupal's sake, try to screw something up.  See the mail about PHPNuke being hacked appr. 6 days ago.  The one who finds a problem is rewarded a beer (and I'm willing to ship it to Norway if required).  I beg you to be evil.  Try dumping a table a la "http://localhost/index.php?date=77778;DROP TABLE users" or something. ;)
parent 2b2e81f6
......@@ -214,9 +214,9 @@ function account_content_edit() {
function account_content_save($edit) {
global $user;
if ($user->id) {
db_query("DELETE FROM layout WHERE user = $user->id");
db_query("DELETE FROM layout WHERE user = '$user->id'");
foreach (($edit ? $edit : array()) as $block=>$weight) {
db_query("INSERT INTO layout (user, block) VALUES ('". check_input($user->id) ."', '". check_input($block) ."')");
db_query("INSERT INTO layout (user, block) VALUES ('$user->id', '". check_input($block) ."')");
}
}
}
......@@ -294,7 +294,7 @@ function account_validate($user) {
// Verify whether username and e-mail address are unique:
if (db_num_rows(db_query("SELECT userid FROM users WHERE LOWER(userid) = LOWER('$user[userid]')")) > 0) $error = t("the specified username is already taken");
if (db_num_rows(db_query("SELECT real_email FROM users WHERE LOWER(real_email)=LOWER('$user[real_email]')")) > 0) $error = t("the specified e-mail address is already in use by another account");
if (db_num_rows(db_query("SELECT real_email FROM users WHERE LOWER(real_email) = LOWER('$user[real_email]')")) > 0) $error = t("the specified e-mail address is already in use by another account");
return $error;
}
......@@ -302,7 +302,7 @@ function account_validate($user) {
function account_email_submit($userid, $email) {
global $theme, $site_name, $site_url;
$result = db_query("SELECT id FROM users WHERE userid = '". check_input($userid) ."' AND real_email = '". check_input($email) ."'");
$result = db_query("SELECT id FROM users WHERE userid = '$userid' AND real_email = '$email'");
if ($account = db_fetch_object($result)) {
$passwd = account_password();
......@@ -370,7 +370,7 @@ function account_create_confirm($name, $hash) {
if ($account = db_fetch_object($result)) {
if ($account->status == 1) {
if ($account->hash == $hash) {
db_query("UPDATE users SET status = 2, hash = '' WHERE userid = '$name'");
db_query("UPDATE users SET status = '2', hash = '' WHERE userid = '$name'");
$output = t("Your account has been successfully confirmed.");
watchdog("message", "$name: account confirmation successful");
}
......@@ -404,13 +404,13 @@ function account_password($min_length=6) {
function account_track_comments() {
global $theme, $user;
$sresult = db_query("SELECT s.id, s.subject, COUNT(s.id) as count FROM comments c LEFT JOIN stories s ON c.lid = s.id WHERE c.author = $user->id GROUP BY s.id DESC LIMIT 5");
$sresult = db_query("SELECT s.id, s.subject, COUNT(s.id) AS count FROM comments c LEFT JOIN stories s ON c.lid = s.id WHERE c.author = '$user->id' GROUP BY s.id DESC LIMIT 5");
while ($story = db_fetch_object($sresult)) {
$output .= "<LI>". format_plural($story->count, "comment", "comments") ." ". t("attached to story") ." `<A HREF=\"story.php?id=$story->id\">". check_output($story->subject) ."</A>`:</LI>\n";
$output .= " <UL>\n";
$cresult = db_query("SELECT * FROM comments WHERE author = $user->id AND lid = $story->id");
$cresult = db_query("SELECT * FROM comments WHERE author = '$user->id' AND lid = '$story->id'");
while ($comment = db_fetch_object($cresult)) {
$output .= " <LI><A HREF=\"story.php?id=$story->id&cid=$comment->cid&pid=$comment->pid#$comment->cid\">". check_output($comment->subject) ."</A> - ". t("replies") .": ". comment_num_replies($comment->cid) ." - ". t("score") .": ". comment_score($comment) ."</LI>\n";
}
......@@ -425,7 +425,7 @@ function account_track_comments() {
function account_track_stories() {
global $theme, $user;
$result = db_query("SELECT s.id, s.subject, s.timestamp, s.section, COUNT(c.cid) as count FROM stories s LEFT JOIN comments c ON c.lid = s.id WHERE s.status = 2 AND s.author = $user->id GROUP BY s.id DESC");
$result = db_query("SELECT s.id, s.subject, s.timestamp, s.section, COUNT(c.cid) AS count FROM stories s LEFT JOIN comments c ON c.lid = s.id WHERE s.status = '2' AND s.author = '$user->id' GROUP BY s.id DESC");
while ($story = db_fetch_object($result)) {
$output .= "<TABLE BORDER=\"0\" CELLPADDING=\"1\" CELLSPACING=\"1\">\n";
......@@ -446,11 +446,11 @@ function account_track_site() {
$period = 259200; // 3 days
$sresult = db_query("SELECT s.subject, s.id, COUNT(c.lid) AS count FROM comments c LEFT JOIN stories s ON c.lid = s.id WHERE s.status = 2 AND c.link = 'story' AND ". time() ." - c.timestamp < $period GROUP BY c.lid ORDER BY s.timestamp DESC LIMIT 10");
$sresult = db_query("SELECT s.subject, s.id, COUNT(c.lid) AS count FROM comments c LEFT JOIN stories s ON c.lid = s.id WHERE s.status = '2' AND c.link = 'story' AND ". time() ." - c.timestamp < $period GROUP BY c.lid ORDER BY s.timestamp DESC LIMIT 10");
while ($story = db_fetch_object($sresult)) {
$output .= "<LI>". format_plural($story->count, "comment", "comments") ." ". t("attached to story") ." '<A HREF=\"story.php?id=$story->id\">". check_output($story->subject) ."</A>':</LI>";
$cresult = db_query("SELECT c.subject, c.cid, c.pid, u.userid FROM comments c LEFT JOIN users u ON u.id = c.author WHERE c.lid = $story->id AND c.link = 'story' ORDER BY timestamp DESC LIMIT $story->count");
$cresult = db_query("SELECT c.subject, c.cid, c.pid, u.userid FROM comments c LEFT JOIN users u ON u.id = c.author WHERE c.lid = '$story->id' AND c.link = 'story' ORDER BY timestamp DESC LIMIT $story->count");
$output .= "<UL>\n";
while ($comment = db_fetch_object($cresult)) {
$output .= " <LI>'<A HREF=\"story.php?id=$story->id&cid=$comment->cid&pid=$comment->pid#$comment->cid\">". check_output($comment->subject) ."</A>' ". t("by") ." ". format_username($comment->userid) ."</LI>\n";
......@@ -471,10 +471,10 @@ function account_track_site() {
switch ($op) {
case t("E-mail new password"):
account_email_submit($userid, $email);
account_email_submit(check_input($userid), check_input($email));
break;
case t("Create account"):
account_create_submit($userid, $email);
account_create_submit(check_input($userid), check_input($email));
break;
case t("Save user information"):
account_user_save($edit);
......@@ -489,10 +489,10 @@ function account_track_site() {
account_user($user->userid);
break;
case "confirm":
account_create_confirm($name, $hash);
account_create_confirm(check_input($name), check_input($hash));
break;
case "login":
account_session_start($userid, $passwd);
account_session_start(check_input($userid), check_input($passwd));
header("Location: account.php?op=info");
break;
case "logout":
......@@ -505,7 +505,7 @@ function account_track_site() {
account_user($user->userid);
break;
default:
account_user($name);
account_user(check_input($name));
}
break;
case "track":
......
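Review bot: The rewritten account_validate query still interpolates `$user[real_email]` (and `$user[userid]` on the unchanged line above it) into SQL without check_input, and nothing in this section shows the caller escaping the `$user` array the way the `switch ($op)` dispatcher now does for scalar arguments; the unchanged `account_user_save($edit)` call in that dispatcher has the same gap, since `$edit` is an array whose elements are never passed through check_input here. Because the commit moves escaping to the call site, the functions that now receive pre-escaped values (account_email_submit, account_create_confirm, account_session_start) should state that precondition, e.g. above account_email_submit: `// $userid and $email must already have been passed through check_input() by the caller.` The bodies of account_validate and account_email_submit continue outside their hunks.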
......@@ -10,10 +10,9 @@
0x03 => "hostnames",
0x04 => "usernames");
function ban_match($mask, $category) {
// Perform query:
$result = db_query("SELECT * FROM bans WHERE type = $category AND LOWER('$mask') LIKE LOWER(mask)");
$result = db_query("SELECT * FROM bans WHERE type = '$category' AND LOWER('$mask') LIKE LOWER(mask)");
// Return result:
return db_fetch_object($result);
......@@ -25,29 +24,29 @@ function ban_add($mask, $category, $reason, $message = "") {
if (empty($mask)) {
$message = "failed: empty banmasks are not allowed.<P>\n";
}
else if ($ban = db_fetch_object(db_query("SELECT * FROM bans WHERE type = $category AND '$mask' LIKE mask"))) {
else if ($ban = db_fetch_object(db_query("SELECT * FROM bans WHERE type = '$category' AND '$mask' LIKE mask"))) {
$message = "failed: ban is already matched by '$ban->mask'.<P>\n";
}
else {
$result = db_query("INSERT INTO bans (mask, type, reason, timestamp) VALUES ('$mask', '$category', '$reason', '". time() ."')");
$message = "added new ban with mask `$mask'.<P>\n";
$message = "added new ban with mask '$mask'.<P>\n";
// Add log entry:
watchdog("message", "added new ban `$mask' to category `". $index2type[$category] ."' with reason `$reason'.");
watchdog("message", "added new ban '$mask' to category '". $index2type[$category] ."' with reason '$reason'.");
}
}
function ban_delete($id) {
global $index2type;
$result = db_query("SELECT * FROM bans WHERE id = $id");
$result = db_query("SELECT * FROM bans WHERE id = '$id'");
if ($ban = db_fetch_object($result)) {
// Perform query:
$result = db_query("DELETE FROM bans WHERE id = $id");
$result = db_query("DELETE FROM bans WHERE id = '$id'");
// Deleted log entry:
watchdog("message", "removed ban `$ban->mask' from category `". $index2type[$ban->type] ."'.");
watchdog("message", "removed ban '$ban->mask' from category '". $index2type[$ban->type] ."'.");
}
}
......
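Review bot: ban_add's INSERT still places `$mask`, `$category` and `$reason` into the statement unescaped, and the only escaping visible on this page is in ban_admin() around ban_admin_new(), whose path to ban_add is not shown; the precondition should be written down so a later caller does not skip it, e.g. above ban_add: `// $mask, $category and $reason must already be escaped with check_input() by the caller.` The same holds for `$mask` in ban_match's `LOWER('$mask')` and for `$id` in ban_delete, where quoting the value without escaping it changes nothing. ban_add's signature is outside the hunk.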
......@@ -34,7 +34,7 @@ function comment_moderate($moderate) {
foreach ($moderate as $id=>$vote) {
if ($vote != $comment_votes[$none] && !user_get($user, "history", "c$id")) {
// Update the comment's score:
$result = db_query("UPDATE comments SET score = score $vote, votes = votes + 1 WHERE cid = $id");
$result = db_query("UPDATE comments SET score = score ". check_input($vote) .", votes = votes + 1 WHERE cid = '". check_input($id) ."'");
// Update the user's history:
$user = user_set($user, "history", "c$id", $vote);
......@@ -52,13 +52,13 @@ function comment_reply($pid, $id) {
global $allowed_html, $link, $REQUEST_URI, $theme, $user;
if ($pid) {
$item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = $pid"));
$item = db_fetch_object(db_query("SELECT comments.*, users.userid FROM comments LEFT JOIN users ON comments.author = users.id WHERE comments.cid = '$pid'"));
comment_view(new Comment($item->userid, $item->subject, $item->comment, $item->timestamp, $item->url, $item->fake_email, comment_score($comment), $comment->votes, $item->cid, $item->lid), t("reply to this comment"));
}
else {
$pid = 0;
if ($link == "story") {
$item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = $id"));
$item = db_fetch_object(db_query("SELECT stories.*, users.userid FROM stories LEFT JOIN users ON stories.author = users.id WHERE stories.status != 0 AND stories.id = '$id'"));
$theme->article($item, "");
}
}
......@@ -132,7 +132,7 @@ function comment_post($pid, $id, $subject, $comment) {
global $theme, $link, $user;
// Check for duplicate comments:
$duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE link = '$link' AND pid = '$pid' AND lid = '$id' AND subject = '". check_input($subject) ."' AND comment = '". check_input($comment) ."'"), 0);
$duplicate = db_result(db_query("SELECT COUNT(cid) FROM comments WHERE link = '$link' AND pid = '$pid' AND lid = '$id' AND subject = '$subject' AND comment = '$comment'"), 0);
if ($duplicate != 0) {
watchdog("error", "comment: attempt to insert duplicate comment");
......@@ -145,7 +145,7 @@ function comment_post($pid, $id, $subject, $comment) {
watchdog("comment", "comment: added comment with subject '$subject'");
// Add comment to database:
db_query("INSERT INTO comments (link, lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('". check_input($link) ."', $id, $pid, '$user->id', '". check_input($subject) ."', '". check_input($comment) ."', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')");
db_query("INSERT INTO comments (link, lid, pid, author, subject, comment, hostname, timestamp, score) VALUES ('$link', '$id', '$pid', '$user->id', '$subject', '$comment', '". getenv("REMOTE_ADDR") ."', '". time() ."', '". ($user->userid ? 1 : 0) ."')");
}
}
......@@ -155,7 +155,7 @@ function comment_score($comment) {
}
function comment_num_replies($id, $count = 0) {
$result = db_query("SELECT COUNT(cid) FROM comments WHERE pid = $id");
$result = db_query("SELECT COUNT(cid) FROM comments WHERE pid = '$id'");
return ($result) ? db_result($result, 0) : 0;
}
......@@ -165,7 +165,7 @@ function comment_num_filtered($lid, $pid) {
$threshold = ($user->id) ? $user->threshold : "0";
$pid = ($pid) ? $pid : 0;
$result = db_query("SELECT COUNT(cid) FROM comments WHERE lid = $lid AND pid = $pid AND ((votes = 0 AND score < $threshold) OR (score / votes < $threshold))");
$result = db_query("SELECT COUNT(cid) FROM comments WHERE lid = '$lid' AND pid = '$pid' AND ((votes = 0 AND score < $threshold) OR (score / votes < $threshold))");
return ($result) ? db_result($result, 0) : 0;
}
......@@ -183,7 +183,7 @@ function comment_moderation($comment) {
}
else {
// comment has already been moderated:
$output .= "<TABLE BORDER=\"0\" CELLSPACING=\"1\" CELLPADDING=\"1\"><TR><TD>". t("score") .":</TD><TD>". check_output($comment->score) ."</TD></TR><TR><TD>". t("votes") .":</TD><TD>". check_output($comment->votes) ."</TR></TABLE>\n";
$output .= "<TABLE BORDER=\"0\" CELLSPACING=\"1\" CELLPADDING=\"1\"><TR><TD ALIGN=\"right\">". t("score") .":</TD><TD>". check_output($comment->score) ."</TD></TR><TR><TD ALIGN=\"right\">". t("votes") .":</TD><TD>". check_output($comment->votes) ."</TR></TABLE>\n";
}
return $output;
......@@ -221,8 +221,8 @@ function comment_order($order) {
}
function comment_query($link, $lid, $order, $pid = -1) {
$query .= "SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.lid = $lid";
if ($pid >= 0) $query .= " AND pid = $pid";
$query .= "SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.lid = '$lid'";
if ($pid >= 0) $query .= " AND pid = '$pid'";
if ($order == 1) $query .= " ORDER BY c.timestamp DESC";
else if ($order == 2) $query .= " ORDER BY c.timestamp";
else if ($order == 3) $query .= " ORDER BY c.score DESC";
......@@ -262,7 +262,7 @@ function comment_view($comment, $folded = 0) {
function comment_thread_min($cid, $threshold) {
global $user;
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = $cid ORDER BY c.timestamp, c.cid");
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.pid = '$cid' ORDER BY c.timestamp, c.cid");
print "<UL>";
while ($comment = db_fetch_object($result)) {
......@@ -275,7 +275,7 @@ function comment_thread_min($cid, $threshold) {
function comment_thread_max($cid, $mode, $threshold, $level = 0, $dummy = 0) {
global $link, $user;
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.pid = $cid ORDER BY c.timestamp, c.cid");
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE link = '$link' AND c.pid = '$cid' ORDER BY c.timestamp, c.cid");
print "<UL>";
while ($comment = db_fetch_object($result)) {
......@@ -304,7 +304,7 @@ function comment_render($lid, $cid) {
}
if ($cid > 0) {
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = $cid");
$result = db_query("SELECT c.*, u.* FROM comments c LEFT JOIN users u ON c.author = u.id WHERE cid = '$cid'");
if ($comment = db_fetch_object($result)) {
comment_view($comment, comment_link($comment));
}
......
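Review bot: In comment_moderate, wrapping `$vote` in check_input does not protect the unquoted arithmetic position `score = score $vote`: check_input escapes quote characters, and a value containing none passes through unchanged and alters the statement. The guard on the preceding line only rejects the 'none' vote; it should also require `$vote` to be one of the configured values, roughly `if (in_array($vote, $comment_votes) && $vote != $comment_votes[$none] && !user_get($user, "history", "c$id"))` — assuming `$comment_votes` maps labels to the `+1`/`-1` style strings, which should be verified. comment_post's duplicate check and INSERT now also take `$subject` and `$comment` unescaped, so its caller must escape them; a comment above comment_post stating that would record the contract. The functions in these hunks start outside the hunks.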
......@@ -15,7 +15,7 @@ function module_execute($module, $hook, $argument = "") {
function module_rehash_crons($name, $module) {
if ($module["cron"]) {
if (!db_fetch_object(db_query("SELECT * FROM crons WHERE module = '$name'"))) {
db_query("INSERT INTO crons (module, scheduled, timestamp) VALUES ('". check_input($name) ."', '172800', '0')");
db_query("INSERT INTO crons (module, scheduled, timestamp) VALUES ('$name', '172800', '0')");
}
}
else {
......@@ -27,11 +27,11 @@ function module_rehash_blocks($name, $module) {
db_query("UPDATE blocks SET remove = '1' WHERE module = '$name'");
if ($module["block"] && $blocks = $module["block"]()) {
foreach ($blocks as $offset=>$block) {
if (!db_fetch_object(db_query("SELECT * FROM blocks WHERE module = '$name' AND name = '". check_input($block["info"]) ."'"))) {
db_query("INSERT INTO blocks (name, module, offset) VALUES ('". check_input($block["info"]) ."', '". check_input($name) ."', '". check_input($offset) ."')");
if (!db_fetch_object(db_query("SELECT * FROM blocks WHERE module = '$name' AND name = '$block[info]'"))) {
db_query("INSERT INTO blocks (name, module, offset) VALUES ('$block[info]', '$name', '$offset')");
}
else {
db_query("UPDATE blocks SET offset = '". check_input($offset) ."', remove = '0' WHERE module = '$name' AND name = '". check_input($block["info"]) ."'");
db_query("UPDATE blocks SET offset = '$offset', remove = '0' WHERE module = '$name' AND name = '$block[info]'");
}
}
}
......@@ -45,7 +45,7 @@ function module_rehash($name) {
$result = db_query("SELECT * FROM modules WHERE name = '$name'");
if (!$object = db_fetch_object($result)) {
db_query("INSERT INTO modules (name) VALUES ('". check_input($name) ."')");
db_query("INSERT INTO modules (name) VALUES ('$name')");
}
// rehash crons (if necessary):
......
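Review bot: Dropping check_input() in module_rehash_blocks assumes the value was escaped upstream, but `$block[info]` comes from the return value of a module's block() hook, not from a request parameter that a dispatcher could have sanitized, so a module whose info string contains a single quote now breaks the INSERT and UPDATE (this reading assumes the unescaped form is the new side, as the commit message suggests). The earlier form `'". check_input($block["info"]) ."'` should stay for that one value; `$name` and `$offset` appear to derive from the module name and array index and are less of a concern. module_rehash_blocks begins outside the hunk.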
......@@ -4,7 +4,7 @@
// Initialize/pre-process variables:
$number = ($user->stories) ? $user->stories : 10;
$date = ($date) ? $date : time();
$date = ($date > 0) ? $date : time();
// Perform query:
$result = db_query("SELECT stories.*, users.userid, COUNT(comments.lid) AS comments FROM stories LEFT JOIN comments ON stories.id = comments.lid LEFT JOIN users ON stories.author = users.id WHERE stories.status = 2 ". ($section ? "AND section = '$section' " : "") ."AND stories.timestamp <= $date GROUP BY stories.id ORDER BY stories.timestamp DESC LIMIT $number");
......
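Review bot: `$date = ($date > 0) ? $date : time();` does not guarantee `$date` is numeric: a string with a leading number compares greater than zero and is then interpolated unquoted into `stories.timestamp <= $date` on the following line, which is exactly the request shape the commit message invites people to try. Coerce it before use, `$date = ($date > 0) ? (int) $date : time();`, and treat `$number` (taken from `$user->stories`) the same way since it lands in the unquoted LIMIT clause. This statement run starts outside the hunk.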
......@@ -15,7 +15,7 @@ function account_help() {
function account_find($keys) {
global $user;
$find = array();
$result = db_query("SELECT * FROM users WHERE userid LIKE '%". check_input($keys) ."%' LIMIT 20");
$result = db_query("SELECT * FROM users WHERE userid LIKE '%$keys%' LIMIT 20");
while ($account = db_fetch_object($result)) {
array_push($find, array("subject" => $account->userid, "link" => (user_access($user, "account") ? "admin.php?mod=account&op=view&name=$account->userid" : "account.php?op=view&name=$account->userid"), "user" => $account->userid));
}
......@@ -51,7 +51,7 @@ function account_access($account) {
}
function account_blocks($id) {
$result = db_query("SELECT * FROM layout WHERE user = $id");
$result = db_query("SELECT * FROM layout WHERE user = '$id'");
while ($layout = db_fetch_object($result)) {
$output .= "<LI>$layout->block</LI>\n";
}
......@@ -67,7 +67,7 @@ function account_stories($id) {
}
function account_comments($id) {
$result = db_query("SELECT * FROM comments WHERE link = 'story' AND author = $id ORDER BY timestamp DESC");
$result = db_query("SELECT * FROM comments WHERE link = 'story' AND author = '$id' ORDER BY timestamp DESC");
while ($comment = db_fetch_object($result)) {
$output .= "<LI><A HREF=\"story.php?id=$comment->lid&cid=$comment->cid&pid=$comment->pid#$comment->cid\">$comment->subject</A></LI>\n";
}
......@@ -77,7 +77,7 @@ function account_comments($id) {
function account_delete($name) {
$result = db_query("SELECT * FROM users WHERE userid = '$name' AND status = 0 AND id > 1");
if ($account = db_fetch_object($result)) {
db_query("DELETE FROM users WHERE id = $account->id");
db_query("DELETE FROM users WHERE id = '$account->id'");
}
else {
print "<P>Failed to delete account '". format_username($name) ."': the account must be blocked first.</P>";
......@@ -170,12 +170,12 @@ function account_admin() {
switch ($op) {
case "Delete account":
case "delete":
account_delete($name);
account_delete(check_input($name));
account_display();
break;
case "Edit account":
case "edit":
account_edit($name);
account_edit(check_input($name));
break;
case "help":
account_help();
......@@ -188,8 +188,8 @@ function account_admin() {
account_view($name);
break;
case "Save account":
account_edit_save($name, $edit);
account_view($name);
account_edit_save(check_input($name), $edit);
account_view(check_input($name));
break;
default:
account_display();
......
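Review bot: In account_admin() the "Save account" case now wraps `$name` in check_input for both calls, but the `account_view($name)` call on the unchanged line just above it still passes the raw value, and `account_edit_save(check_input($name), $edit)` hands over `$edit` as an array whose elements are never escaped here. For the view call, `account_view(check_input($name));` matches the rest of the switch; for `$edit`, either escape its values before the call or document in account_edit_save that it escapes them itself. account_find likewise loses its in-function check_input around `$keys` and its caller is not on this page.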
......@@ -32,7 +32,7 @@ class backend {
if (time() - $this->timestamp > $timout) $this->url2sql();
// Read headlines:
$result = db_query("SELECT * FROM headlines WHERE id = $this->id ORDER BY number");
$result = db_query("SELECT * FROM headlines WHERE id = '$this->id' ORDER BY number");
while ($headline = db_fetch_object($result)) {
array_push($this->headlines, "<A HREF=\"$headline->link\">$headline->title</A>");
}
......@@ -91,7 +91,7 @@ class backend {
}
// Mark channels as being updated:
$result = db_query("UPDATE channel SET timestamp = '". time() ."' WHERE id = $this->id");
$result = db_query("UPDATE channel SET timestamp = '". time() ."' WHERE id = '$this->id'");
$this->timestamp = time();
}
else {
......@@ -113,7 +113,7 @@ class backend {
if (time() - $this->timestamp > $timout) $this->url2sql();
// Grab headlines from database:
$result = db_query("SELECT * FROM headlines WHERE id = $this->id ORDER BY number");
$result = db_query("SELECT * FROM headlines WHERE id = '$this->id' ORDER BY number");
while ($headline = db_fetch_object($result)) {
$content .= "<LI><A HREF=\"$headline->link\">$headline->title</A></LI>";
}
......@@ -133,27 +133,18 @@ class backend {
function delete() {
// Delete channel:
$result = db_query("DELETE FROM channel WHERE id = $this->id");
$result = db_query("DELETE FROM channel WHERE id = '$this->id'");
// Delete headlines:
$result = db_query("DELETE FROM headlines WHERE id = $this->id");
$result = db_query("DELETE FROM headlines WHERE id = '$this->id'");
}
function refresh() {
// Delete headlines:
$result = db_query("DELETE FROM headlines WHERE id = $this->id");
$result = db_query("DELETE FROM headlines WHERE id = '$this->id'");
// Mark channel as invalid to enforce an update:
$result = db_query("UPDATE channel SET timestamp = 1 WHERE id = $this->id");
}
function dump() {
print "<B>Dump backend:</B><BR>";
print "Id: $this->id<BR>";
print "Site: $this->site<BR>";
print "URL: $this->url<BR>";
print "File: $this->file<BR>";
print "Contact: $this->contact<BR>";
$result = db_query("UPDATE channel SET timestamp = 1 WHERE id = '$this->id'");
}
}
......
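Review bot: Quoting `$this->id` throughout the backend class only helps if the value is also escaped, and the code that sets the property is not in this section; a comment on the property stating where `id` comes from (a database row or a request parameter) would make the new quoting reviewable. As a point of style, refresh() still writes `timestamp = 1` unquoted while the surrounding hunks quote every other literal (`timestamp = '". time() ."'`), so `timestamp = '1'` would be consistent. The class definition starts before these hunks.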
......@@ -118,11 +118,11 @@ function ban_admin() {
switch ($op) {
case "Add ban":
ban_admin_new($mask, $category, $reason);
ban_display($category);
ban_admin_new(check_input($mask), check_input($category), check_input($reason));
ban_display(check_input($category));
break;
case "Check ban":
ban_check($mask, $category);
ban_check(check_input($mask), check_input($category));
break;
case "add":
ban_admin_add();
......@@ -134,9 +134,9 @@ function ban_admin() {
ban_admin_check();
break;
case "delete":
ban_delete($id);
ban_delete(check_input($id));
default:
ban_display($category);
ban_display(check_input($category));
}
}
......
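Review bot: The `case "delete":` branch in ban_admin() has no `break` after `ban_delete(check_input($id));`, so it falls into `default:` and calls ban_display(); if that is intended (delete, then redisplay), mark it the way the box dispatcher does with `// fall through` between the two lines, otherwise add `break;`. ban_admin() starts outside the hunk.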
......@@ -35,7 +35,7 @@ function block_page() {
function block_admin_save($edit) {
foreach ($edit as $key=>$value) {
db_query("UPDATE blocks SET region = '$value[region]', status = '$value[status]', weight = '$value[weight]' WHERE name = '$key'");
db_query("UPDATE blocks SET region = '". check_input($value[region]) ."', status = '". check_input($value[status]) ."', weight = '". check_input($value[weight]) ."' WHERE name = '". check_input($key) ."'");
}
}
......
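Review bot: The new block_admin_save query indexes with bare-word keys, `check_input($value[region])`, `$value[status]`, `$value[weight]`; outside a double-quoted string these are undefined-constant lookups that PHP resolves to strings only with a notice, and they stop working as soon as a constant of that name exists. Use quoted keys: `check_input($value["region"])`, `check_input($value["status"])`, `check_input($value["weight"])`. The identical hunk appears again in the next file section below and needs the same change.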
......@@ -35,7 +35,7 @@ function block_page() {
function block_admin_save($edit) {
foreach ($edit as $key=>$value) {
db_query("UPDATE blocks SET region = '$value[region]', status = '$value[status]', weight = '$value[weight]' WHERE name = '$key'");
db_query("UPDATE blocks SET region = '". check_input($value[region]) ."', status = '". check_input($value[status]) ."', weight = '". check_input($value[weight]) ."' WHERE name = '". check_input($key) ."'");
}
}
......
......@@ -89,7 +89,7 @@ function box_admin_new() {
}
function box_admin_add($subject, $content, $info, $link, $type) {
db_query("INSERT INTO boxes (subject, content, info, link, type) VALUES ('". check_input($subject) ."', '". check_code($content) ."', '". check_input($info) ."', '". check_input($link) ."', '". check_input($type) ."')");
db_query("INSERT INTO boxes (subject, content, info, link, type) VALUES ('$subject', '$content', '$info', '$link', '$type')");
}
function box_admin_delete($id) {
......@@ -144,7 +144,7 @@ function box_admin_edit($id) {
}
function box_admin_save($id, $subject, $content, $info, $link, $type) {
db_query("UPDATE boxes SET subject = '". check_input($subject) ."', content = '". check_code($content) ."', info = '". check_input($info) ."', link = '". check_input($link) ."', type = '". check_input($type) ."' WHERE id = '$id'");
db_query("UPDATE boxes SET subject = '$subject', content = '$content', info = '$info', link = '$link', type = '$type' WHERE id = '$id'");
watchdog("message", "modified box `$subject'");
}
......@@ -155,12 +155,12 @@ function box_admin() {
switch ($op) {
case "Add box":
box_admin_add($subject, $content, $info, $link, $type);
box_admin_add(check_input($subject), check_code($content), check_input($info), check_input($link), check_input($type));
box_admin_display();
box_admin_rehash();
break;
case "Save box":
box_admin_save($id, $subject, $content, $info, $link, $type);
box_admin_save(check_input($id), check_input($subject), check_code($content), check_input($info), check_input($link), check_input($type));
box_admin_display();
box_admin_rehash();
break;
......@@ -171,10 +171,10 @@ function box_admin() {
box_admin_new();
break;
case "edit":
box_admin_edit($id);
box_admin_edit(check_input($id));
break;
case "delete":
box_admin_delete($id);
box_admin_delete(check_input($id));
box_admin_rehash();
// fall through
default:
......
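Review bot: box_admin_add and box_admin_save now insert `$subject`, `$content`, `$info`, `$link` and `$type` verbatim and rely on box_admin() to have escaped them, a precondition the function bodies do not state, so a later caller reading the signature alone will skip it. Add above each: `// All arguments must already be escaped by the caller (check_input(), check_code() for $content).` Note also that box_admin_save's watchdog line now logs the escaped `$subject` rather than the original text.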
......@@ -6,7 +6,7 @@
function comment_find($keys) {
global $user;
$find = array();
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%". check_input($keys) ."%' OR c.comment LIKE '%". check_input($keys) ."%' ORDER BY c.timestamp DESC LIMIT 20");
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%$keys%' OR c.comment LIKE '%$keys%' ORDER BY c.timestamp DESC LIMIT 20");
while ($comment = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_access($user, "comment") ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
}
......@@ -20,7 +20,7 @@ function comment_search() {
}
function comment_edit($id) {
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.cid = $id");
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.cid = '$id'");
$comment = db_fetch_object($result);
......@@ -42,7 +42,7 @@ function comment_edit($id) {
}
function comment_save($id, $subject, $comment) {
db_query("UPDATE comments SET subject = '". check_input($subject) ."', comment = '". check_input($comment) ."' WHERE cid = $id");
db_query("UPDATE comments SET subject = '$subject', comment = '$comment' WHERE cid = '$id'");
watchdog("message", "comment: modified '$subject'");
}
......@@ -96,11 +96,11 @@ function comment_admin() {
comment_search();
break;
case "Save comment":
comment_save($id, $subject, $comment);
comment_save(check_input($id), check_input($subject), check_input($comment));
comment_display();
break;
case "Update":
comment_display($order);
comment_display(check_input($order));
break;
default:
comment_display();
......
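Review bot: comment_find drops check_input() around `$keys` in both LIKE patterns, yet no caller of comment_find appears in this section — unlike comment_save and comment_display, whose arguments comment_admin() now escapes. If comment_find is reached from the site search with a request parameter, that entry point must escape it; either way, a comment above comment_find such as `// $keys must already be escaped by the caller.` records the contract. The same hunk appears again in the next file section and the note applies there too.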
......@@ -6,7 +6,7 @@
function comment_find($keys) {
global $user;
$find = array();
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%". check_input($keys) ."%' OR c.comment LIKE '%". check_input($keys) ."%' ORDER BY c.timestamp DESC LIMIT 20");
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.subject LIKE '%$keys%' OR c.comment LIKE '%$keys%' ORDER BY c.timestamp DESC LIMIT 20");
while ($comment = db_fetch_object($result)) {
array_push($find, array("subject" => check_output($comment->subject), "link" => (user_access($user, "comment") ? "admin.php?mod=comment&op=edit&id=$comment->cid" : "story.php?id=$comment->lid&cid=$comment->cid"), "user" => $story->userid, "date" => $comment->timestamp));
}
......@@ -20,7 +20,7 @@ function comment_search() {
}
function comment_edit($id) {
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.cid = $id");
$result = db_query("SELECT c.*, u.userid FROM comments c LEFT JOIN users u ON c.author = u.id WHERE c.cid = '$id'");
$comment = db_fetch_object($result);
......@@ -42,7 +42,7 @@ function comment_edit($id) {
}
function comment_save($id, $subject, $comment) {
db_query("UPDATE comments SET subject = '". check_input($subject) ."', comment = '". check_input($comment) ."' WHERE cid = $id");
db_query("UPDATE comments SET subject = '$subject', comment = '$comment' WHERE cid = '$id'");
watchdog("message", "comment: modified '$subject'");
}
......@@ -96,11 +96,11 @@ function comment_admin() {
comment_search();
break;
case "Save comment":
comment_save($id, $subject, $comment);
comment_save(check_input($id), check_input($subject), check_input($comment));
comment_display();
break;
case "Update":
comment_display($order);
comment_display(check_input($order));
break;
default:
comment_display();
......
......@@ -14,7 +14,7 @@
function diary_find($keys) {
global $user;