[geeklog-cvs] geeklog: Fixed handling of special characters in the list query
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sun Mar 29 15:53:27 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/7237b4518928
changeset: 6872:7237b4518928
user: Dirk Haun <dirk at haun-online.de>
date: Sun Mar 29 20:13:51 2009 +0200
description:
Fixed handling of special characters in the list query
diffstat:
1 file changed, 31 insertions(+), 21 deletions(-)
system/lib-admin.php | 52 +++++++++++++++++++++++++++++---------------------
diffs (128 lines):
diff -r 123e4e95721b -r 7237b4518928 system/lib-admin.php
--- a/system/lib-admin.php Sun Mar 29 17:38:54 2009 +0200
+++ b/system/lib-admin.php Sun Mar 29 20:13:51 2009 +0200
@@ -33,6 +33,12 @@
// | |
// +---------------------------------------------------------------------------+
+/**
+* This file contains functions used in the admin panels (mostly for the
+* various lists of stories, users, etc.).
+*
+*/
+
if (strpos(strtolower($_SERVER['PHP_SELF']), 'lib-admin.php') !== false) {
die('This file can not be used on its own!');
}
@@ -45,6 +51,7 @@
* @param array $text_arr array with different text strings
* @param array $data_arr array with sql query data - array of list records
* @param array $options array of options - intially just used for the Check-All feature
+* @param array $form_arr optional extra forms at top or bottom
* @return string HTML output of function
*
*/
@@ -198,6 +205,8 @@
* @param array $defsort_arr default sorting values
* @param string $filter additional drop-down filters
* @param string $extra additional values passed to fieldfunction
+* @param array $options array of options - intially just used for the Check-All feature
+* @param array $form_arr optional extra forms at top or bottom
* @return string HTML output of function
*
*/
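Review bot: The added `@param array $options` line in this docblock carries the typo "intially"; the same misspelling already exists on the corresponding context line of the @@ -45 hunk, so both should read `* @param array $options array of options - initially just used for the Check-All feature`. The `@param array $form_arr` line is fine as written.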
@@ -218,14 +227,16 @@
}
$query = '';
- if (isset ($_REQUEST['q'])) { # get query (text-search)
- $query = $_REQUEST['q'];
+ if (isset ($_REQUEST['q'])) { // get query (text-search)
+COM_errorLog($_REQUEST['q']);
+ $query = strip_tags(COM_stripslashes($_REQUEST['q']));
+COM_errorLog($query);
}
- $query_limit = "";
- if (isset($_REQUEST['query_limit'])) { # get query-limit (list-length)
- $query_limit = COM_applyFilter ($_REQUEST['query_limit'], true);
- if($query_limit == 0) {
+ $query_limit = '';
+ if (isset($_REQUEST['query_limit'])) { // get query-limit (list-length)
+ $query_limit = COM_applyFilter($_REQUEST['query_limit'], true);
+ if ($query_limit == 0) {
$query_limit = 50;
}
}
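Review bot: The two `COM_errorLog(...)` calls added at column 0 around the `$query` assignment look like debugging left in: on every list request they write the raw `$_REQUEST['q']` value and then the filtered `$query` to the error log, so unfiltered request input (including embedded newlines) ends up in the log file. Remove both lines, and likewise the `COM_errorLog("order_sql: $order_sql");` line added in the @@ -374 hunk, which logs the assembled ORDER BY fragment. The `strip_tags(COM_stripslashes(...))` line deserves a why-comment since strip_tags is unusual for a search term, e.g. `// strip markup here: the value is echoed back into the search form and the column-sort URLs further down`. Note also that `$query_limit` is only checked with `== 0` and has no upper bound, so a request can set an arbitrarily large page size; `COM_applyFilter(..., true)` appears to make it numeric, but I cannot see its contract from the hunk. The enclosing function starts outside this hunk.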
@@ -242,11 +253,6 @@
if ($curpage <= 0) {
$curpage = 1; #current page has to be larger 0
}
-
- #$unfiltered='';
- #if (!empty($query_arr['unfiltered'])) {
- # $unfiltered = $query_arr['unfiltered'];
- #}
$help_url = ''; # do we have a help url for the block-header?
if (!empty ($text_arr['help_url'])) {
@@ -319,13 +325,14 @@
if ($has_extras) { // show search
$admin_templates->set_var('lang_search', $LANG_ADMIN['search']);
$admin_templates->set_var('lang_submit', $LANG_ADMIN['submit']);
- $admin_templates->set_var('lang_limit_results', $LANG_ADMIN['limit_results']);
- $admin_templates->set_var('last_query', COM_applyFilter($query));
+ $admin_templates->set_var('lang_limit_results',
+ $LANG_ADMIN['limit_results']);
+ $admin_templates->set_var('last_query', htmlspecialchars($query));
$admin_templates->set_var('filter', $filter);
}
- $sql_query = addslashes ($query); # replace quotes etc for security
- $sql = $query_arr['sql']; # get sql from array that builds data
+ $sql_query = addslashes($query); // replace quotes etc for security
+ $sql = $query_arr['sql']; // get sql from array that builds data
$order_var = ''; # number that is displayed in URL
$order = ''; # field that is used in SQL
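Review bot: `htmlspecialchars($query)` on the `last_query` line uses the default flags, which leave single quotes unescaped; if the template places the value in a single-quoted attribute the term can break out of it, so `htmlspecialchars($query, ENT_QUOTES)` is the safer form regardless of how the template is written today. On the following added line `$sql_query = addslashes($query);` is kept with a comment saying it is "for security", but addslashes is not charset-aware SQL escaping and is not what the database layer uses; this should go through the project's database escaping helper (Geeklog's `DB_escapeString()`, if this version provides it) and the comment should say that `$sql_query` is the value intended for interpolation into `$query_arr['sql']`. The function continues outside this hunk.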
@@ -374,6 +381,7 @@
if (!empty ($order_for_query)) { # concat order string
$order_sql = "ORDER BY $order_for_query $direction";
+COM_errorLog("order_sql: $order_sql");
}
$th_subtags = ''; // other tags in the th, such as onclick and mouseover
$header_text = ''; // title as displayed to the user
@@ -395,15 +403,15 @@
} else {
$separator = '?';
}
- $th_subtags .= " onclick=\"window.location.href='$form_url$separator" #onclick action
+ $th_subtags .= " onclick=\"window.location.href='$form_url$separator" // onclick action
."order=$order_var&prevorder=$order&direction=$direction";
- if (!empty ($page)) {
+ if (!empty($page)) {
$th_subtags .= '&' . $component . 'listpage=' . $page;
}
- if (!empty ($query)) {
- $th_subtags .= '&q=' . $query;
+ if (!empty($query)) {
+ $th_subtags .= '&q=' . urlencode($query);
}
- if (!empty ($query_limit)) {
+ if (!empty($query_limit)) {
$th_subtags .= '&query_limit=' . $query_limit;
}
$th_subtags .= "';\"";
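Review bot: Only `$query` is now URL-encoded when the onclick URL is built; `$page` on the `listpage=` line, and `$form_url`, `$order_var`, `$order` and `$direction` on the lines above it, are still interpolated raw into a JavaScript string that sits inside an HTML attribute. `$query_limit` went through `COM_applyFilter(..., true)` in the @@ -218 hunk and so is presumably numeric, but the origin of `$page` and `$direction` is outside this hunk, so unless they are known to be validated they should get the same treatment: `$th_subtags .= '&' . $component . 'listpage=' . urlencode($page);`. The literal `&` separators inside the attribute should also be `&amp;` for valid HTML, although browsers tolerate the bare form.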
@@ -570,8 +578,10 @@
* @return string HTML output of function
*
*/
-function ADMIN_createMenu($menu_arr, $text, $icon = '') {
+function ADMIN_createMenu($menu_arr, $text, $icon = '')
+{
global $_CONF;
+
$admin_templates = new Template($_CONF['path_layout'] . 'admin/lists');
$admin_templates->set_file (
array ('top_menu' => 'topmenu.thtml')