Changeset 115 for trunk/admin
- Timestamp:
- 04/10/06 22:17:16 (3 years ago)
- Files:
-
- 1 modified
-
trunk/admin/index.php (modified) (21 diffs)
trunk/admin/index.php
r103 r115 114 114 <div class="log_head"> 115 115 <span class="log_subject"> 116 <a href="?action=edit_post&id=<?=$row["id"]?>"><?= $row["title"]?></a> 116 <a href="?action=edit_post&id=<?=$row["id"]?>"><?=stripslashes($row["title"])?></a> 117 117 <? 118 $r =& $db->query( "SELECT COUNT(*) FROM articles WHERE categories_id=".$row["id"]);118 $r =& $db->query(sprintf("SELECT COUNT(*) FROM articles WHERE categories_id = %d", $row["id"])); 119 119 if (PEAR::isError($r)) { 120 120 die($r->getMessage()); … … 127 127 <div class="log_body"> 128 128 <span class="log_contents"> 129 <?= $row["body"]?>129 <?=stripslashes($row["body"])?> 130 130 </span> 131 131 </div> … … 168 168 $post["date"] = mktime(); 169 169 $post["categories_id"] = 0; 170 $post["active"] = "on";171 $post["public"] = "on";172 $post["mail_comments"] = "on";173 } else { 174 $res =& $db->query( "SELECT * FROM articles WHERE id=$id");170 $post["active"] = 1; 171 $post["public"] = 1; 172 $post["mail_comments"] = 1; 173 } else { 174 $res =& $db->query(sprintf("SELECT * FROM articles WHERE id = %d", $id)); 175 175 if (PEAR::isError($res)) { 176 176 die($res->getMessage()); … … 202 202 <div class="log_head"> 203 203 <span class="log_subject"> 204 <input type="text" id="title" name="post[title]" value="<?= $post["title"]?>" /> 204 <input type="text" id="title" name="post[title]" value="<?=stripslashes($post["title"])?>" /> 205 205 category: 206 206 <select name="post[categories_id]"> … … 223 223 /* xinha stuff */ 224 224 ?> 225 <textarea id="editor_area" name="post[body]" rows="10" cols="50" style="width: 100%"><?= $post["body"]?></textarea>225 <textarea id="editor_area" name="post[body]" rows="10" cols="50" style="width: 100%"><?=stripslashes($post["body"])?></textarea> 226 226 <? 227 227 … … 253 253 </select> 254 254 <br /> 255 send trackback info to: 256 <input type="text" name="post[tb_uri]" value="<?=$post["tb_uri"]?>" size="50" /><br /> 257 <input type="checkbox" name="post[mail_comments]"<? 
if ($post["mail_comments"]) { echo " CHECKED"; } ?> /> send comments as email to me.</span> 255 send trackback info to: 256 <input type="text" name="post[tb_uri]" value="<?=$post["tb_uri"]?>" size="50" /><br /> 257 <input type="checkbox" value="1" name="post[mail_comments]"<? if ($post["mail_comments"]) { echo " checked=\"checked\""; } ?> /> send comments as email to me. 258 </span> 258 259 <input type="submit" value="save" /> 259 260 <? if ($post["id"]) { ?> … … 264 265 </div> 265 266 <div class="log_foot"> 266 <span class="log_date">active: <input type="checkbox" name="post[active]" <? if ($post["active"]) { echo "checked=\"checked\""; } ?> /></span>267 <span class="log_author">public: <input type="checkbox" name="post[public]" <? if ($post["public"]) { echo "checked=\"checked\""; } ?> /></span>268 <span class="log_author">aside: <input type="checkbox" name="post[aside]" <? if ($post["aside"]) { echo "checked=\"checked\""; } ?> /></span>267 <span class="log_date">active: <input type="checkbox" value="1" name="post[active]" <? if ($post["active"]) { echo "checked=\"checked\""; } ?> /></span> 268 <span class="log_author">public: <input type="checkbox" value="1" name="post[public]" <? if ($post["public"]) { echo "checked=\"checked\""; } ?> /></span> 269 <span class="log_author">aside: <input type="checkbox" value="1" name="post[aside]" <? 
if ($post["aside"]) { echo "checked=\"checked\""; } ?> /></span> 269 270 </div> 270 271 </div> … … 280 281 //--------------------------------------- 281 282 function save_post($post) { 282 global $db;283 $db = $GLOBALS["db"]; 283 284 if ($post["id"]) { 284 $sql = "SELECT date,active FROM articles WHERE id=".(int)$post["id"];285 $sql = sprintf("SELECT date,active FROM articles WHERE id = %d", $post["id"]); 285 286 $r =& $db->query($sql); 286 287 $r->fetchInto($orig_post, DB_FETCHMODE_ASSOC); 287 $query = "UPDATE articles SET "; 288 $query .= "\"title\"='".$post["title"]."'"; 289 $query .= ", \"body\"='".$post["body"]."'"; 290 $query .= ", categories_id=".$post["categories_id"]; 291 $query .= ($post["active"]=="on")?", active=1":", active=0"; 292 $query .= ($post["public"]=="on")?", public=1":", public=0"; 293 $query .= ($post["aside"]=="on")?", aside=1":", aside=0"; 294 $query .= ($post["mail_comments"]=="on")?", mail_comments=1":", mail_comments=0"; 288 $query = sprintf("UPDATE articles SET title = '%s', body = '%s', categories_id = %d, active = %d, public = %d, aside = %d, mail_comments = %d", 289 preg_quote(strip_tags($post["title"]), "'"), 290 preg_quote(_strip_tags($post["body"]), "'"), 291 $post["categories_id"], 292 $post["active"], 293 $post["public"], 294 $post["aside"], 295 $post["mail_comments"] 296 ); 295 297 //if post was inactive, and now it's active, we don't update the "modified" fields in the database. 
296 if ($post["active"] == "on") {297 if ($orig_post["active"] !=0) {298 $query .= ", last_modified=".mktime();299 $query .= ", modified_by=".$_SESSION["author_id"];298 if ($post["active"]) { 299 if ($orig_post["active"]) { 300 $query .= sprintf(", last_modified = %d", mktime()); 301 $query .= sprintf(", modified_by = %d", $_SESSION["author_id"]); 300 302 } 301 303 } 302 304 //only update the date if it is not the same day as the posts original date 303 305 if (date("d", $orig_post["date"]) != $post["day"] || date("m", $orig_post["date"]) != $post["month"] || date("Y", $orig_post["date"]) != $post["year"]) { 304 $query .= ", date=".mktime(date("H"), date("i"), date("s"), $post["month"], $post["day"], $post["year"]); 305 } 306 $query .= ", ping_sent=1, tb_uri='".$tb_uri."'"; 307 $query .= " WHERE id=".$post["id"]; 308 } else { 309 $query = "INSERT INTO articles (title, body, authors_id, categories_id, date, active, public, aside, mail_comments, ping_sent, tb_uri) VALUES ("; 310 $query .= "'".$post["title"]."'"; 311 $query .= ", '".$post["body"]."'"; 312 $query .= ", ".$_SESSION["author_id"]; 313 $query .= ", ".$post["categories_id"]; 314 $query .= ", ".mktime(date("H"), date("i"), date("s"), $post["month"], $post["day"], $post["year"]); 315 $query .= ($post["active"]=="on")?", 1":", 0"; 316 $query .= ($post["public"]=="on")?", 1":", 0"; 317 $query .= ($post["aside"]=="on")?", 1":", 0"; 318 $query .= ($post["mail_comments"]=="on")?", 1":", 0"; 319 $query .= ", 0"; 320 $query .= ", '".$post["tb_uri"]."'"; 321 $query .= ")"; 306 $query .= sprintf(", date = %d", mktime(date("H"), date("i"), date("s"), $post["month"], $post["day"], $post["year"])); 307 } 308 $query .= sprintf(", ping_sent = 1, tb_uri = '%s'", preg_quote($tb_uri, "'")); 309 $query .= sprintf(" WHERE id = %d", $post["id"]); 310 } else { 311 $query = "INSERT INTO articles (title, body, authors_id, categories_id, date, active, public, aside, mail_comments, ping_sent, tb_uri)"; 312 $query .= sprintf("VALUES 
('%s', '%s', %d, %d, %d, %d, %d, %d, %d, %d, '%s')", 313 preg_quote(strip_tags($post["title"]), "'"), 314 preg_quote(_strip_tags($post["body"]), "'"), 315 $_SESSION["author_id"], 316 $post["categories_id"], 317 mktime(date("H"), date("i"), date("s"), $post["month"], $post["day"], $post["year"]), 318 $post["active"], $post["public"], $post["aside"], $post["mail_comments"], 0, 319 preg_quote($post["tb_uri"], "'") 320 ); 322 321 } 323 322 $res =& $db->query($query); … … 326 325 } 327 326 if (!$post["id"]) { 328 $sql = "SELECT id FROM articles WHERE title='".$post["title"]."' AND body='".$post["body"]."' AND authors_id=".$_SESSION["author_id"]." AND categories_id=".$post["categories_id"]; 327 /* this is a new post. fetch old data */ 328 $sql = sprintf("SELECT id FROM articles WHERE title = '%s' AND body = '%s' AND authors_id = %d AND categories_id = %d", 329 preg_quote(strip_tags($post["title"]), "'"), 330 preg_quote(_strip_tags($post["body"]), "'"), 331 $_SESSION["author_id"], $post["categories_id"] 332 ); 329 333 $res =& $db->query($sql); 330 334 $res->fetchInto($temp, DB_FETCHMODE_ASSOC); … … 340 344 $http->addPostData("url", $post_uri); 341 345 $http->addPostData("blog_name", "http://".$_SERVER["SERVER_NAME"].substr($_SERVER["REQUEST_URI"],0,strpos($_SERVER["REQUEST_URI"], "/admin/index.php"))."/"); 342 $http->AddPostData("excerpt", substr( strip_tags($post["body"]), 100));346 $http->AddPostData("excerpt", substr(_strip_tags($post["body"]), 100)); 343 347 $http->addPostData("charset", "UTF-8"); 344 348 if (!PEAR::isError($http->sendRequest())) { … … 347 351 die("error"); 348 352 } 349 $sql = "UPDATE articles SET ping_sent=1 WHERE id=".$post["id"];353 $sql = sprintf("UPDATE articles SET ping_sent = 1 WHERE id = %d", $post["id"]); 350 354 $res =& $db->query($sql); 351 355 } … … 358 362 function delete_post($id) { 359 363 global $db; 360 $query = "DELETE FROM articles WHERE id=$id";364 $query = sprintf("DELETE FROM articles WHERE id = %d", $id); 361 365 $res =& 
$db->query($query); 362 366 if (PEAR::isError($res)) { … … 364 368 } 365 369 //delete comments for this post 366 $query = "DELETE FROM comments WHERE articles_id=$id";370 $query = sprintf("DELETE FROM comments WHERE articles_id = %d", $id); 367 371 $res =& $db->query($query); 368 372 if (PEAR::isError($res)) { … … 388 392 <div class="log_head"> 389 393 <span class="log_subject"> 390 <a href="?action=edit_cat&id=<?=$row["id"]?>"><?= $row["name"]?></a> 394 <a href="?action=edit_cat&id=<?=$row["id"]?>"><?=stripslashes($row["name"])?></a> 391 395 <? 392 $r =& $db->query( "SELECT COUNT(*) FROM articles WHERE categories_id=".$row["id"]);396 $r =& $db->query(sprintf("SELECT COUNT(*) FROM articles WHERE categories_id = %d", $row["id"])); 393 397 if (PEAR::isError($r)) { 394 398 die($r->getMessage()); … … 401 405 <div class="log_body"> 402 406 <span class="log_contents"> 403 <?=nl2br( $row["desc"])?>407 <?=nl2br(stripslashes($row["desc"]))?> 404 408 </span> 405 409 </div> … … 422 426 $cat["name"] = "category name"; 423 427 $cat["desc"] = "Category description"; 424 $cat["active"] = " on";425 $cat["public"] = " on";426 } else { 427 $res =& $db->query( "SELECT * FROM categories WHERE id=$id");428 $cat["active"] = "1"; 429 $cat["public"] = "1"; 430 } else { 431 $res =& $db->query(sprintf("SELECT * FROM categories WHERE id = %d", $id)); 428 432 if (PEAR::isError($res)) { 429 433 die($res->getMessage()); … … 438 442 <div class="log_head"> 439 443 <span class="log_subject"> 440 <input type="text" name="cat[name]" value="<?= $cat["name"]?>" /> 444 <input type="text" name="cat[name]" value="<?=stripslashes($cat["name"])?>" /> 441 445 <? 
442 $r =& $db->query( "SELECT COUNT(*) FROM articles WHERE categories_id=".$cat["id"]);446 $r =& $db->query(sprintf("SELECT COUNT(*) FROM articles WHERE categories_id = %d", $cat["id"])); 443 447 if (PEAR::isError($r)) { 444 448 die($r->getMessage()); … … 451 455 <div class="log_body"> 452 456 <span class="log_contents"> 453 <textarea name="cat[description]" style="width: 200px; height: 100px;"><?= $cat["desc"]?></textarea>457 <textarea name="cat[description]" style="width: 200px; height: 100px;"><?=stripslashes($cat["desc"])?></textarea> 454 458 </span> 455 459 <input type="submit" value="save" /> … … 460 464 </div> 461 465 <div class="log_foot"> 462 <span class="log_date">active: <input type="checkbox" name="cat[active]" <? if ($cat["active"]) { echo "checked=\"checked\""; } ?> /></span>463 <span class="log_author">public: <input type="checkbox" name="cat[public]" <? if ($cat["public"]) { echo "checked=\"checked\""; } ?> /></span>466 <span class="log_date">active: <input type="checkbox" value="1" name="cat[active]" <? if ($cat["active"]) { echo "checked=\"checked\""; } ?> /></span> 467 <span class="log_author">public: <input type="checkbox" value="1" name="cat[public]" <? 
if ($cat["public"]) { echo "checked=\"checked\""; } ?> /></span> 464 468 </div> 465 469 </div> … … 474 478 global $db; 475 479 if ($cat["id"]) { 476 $query = "UPDATE categories SET "; 477 $query .= "\"name\"='".$cat["name"]."'"; 478 $query .= ", \"desc\"='".$cat["description"]."'"; 479 $query .= ($cat["active"]=="on")?", active=1":", active=0"; 480 $query .= ($cat["public"]=="on")?", public=1":", public=0"; 481 $query .= " WHERE id=".$cat["id"]; 482 } else { 483 $query = "INSERT INTO categories (\"name\", \"desc\", active, public) VALUES ("; 484 $query .= "'".$cat["name"]."'"; 485 $query .= ", '".$cat["description"]."'"; 486 $query .= ($cat["active"]=="on")?", 1":", 0"; 487 $query .= ($cat["public"]=="on")?", 1":", 0"; 488 $query .= ")"; 480 $query = sprintf("UPDATE categories SET \"name\" = '%s', \"desc\" = '%s', active = %d, public = %d WHERE id = %d", 481 preg_quote(strip_tags($cat["name"]), "'"), 482 preg_quote(strip_tags($cat["description"]), "'"), 483 $cat["active"], 484 $cat["public"], 485 $cat["id"] 486 ); 487 } else { 488 $query = sprintf("INSERT INTO categories (\"name\", \"desc\", active, public) VALUES ('%s', '%s', %d, %d)", 489 preg_quote(strip_tags($cat["name"]), "'"), 490 preg_quote(strip_tags($cat["description"]), "'"), 491 $cat["active"], 492 $cat["public"] 493 ); 489 494 } 490 495 $res =& $db->query($query); … … 1093 1098 } 1094 1099 1100 //}}}-------------------------------------- 1101 //{{{ _strip_tags: strip tags we don't like 1102 //----------------------------------------- 1103 function _strip_tags($text) { 1104 $allowed_tags = "<h1><h2><p><font><ul><li><ol><blockquote><u><strike><sub><br>"; 1105 $allowed_tags .= "<sup><img><a><table><tbody><tr><td><tt><pre><div><span>"; 1106 $text = strip_tags($text, $allowed_tags); 1107 return preg_replace('/<(.*?)>/ie', "'<'._strip_attributes('\\1').'>'", $text); 1108 } 1109 1110 //}}}--------------------------------------------------- 1111 //{{{ _strip_attributes: strip evil attributes from tags 1112 
//------------------------------------------------------ 1113 function _strip_attributes($text) { 1114 $attr_to_strip = array( 1115 "javascript:", 1116 "onclick", 1117 "ondblclick", 1118 "onmousedown", 1119 "onmouseup", 1120 "onmouseover" 1121 ); 1122 foreach ($attr_to_strip as $attribute) { 1123 $text = stripslashes(preg_replace("/$attribute/i", "forbidden", $text)); 1124 } 1125 return $text; 1126 } 1127 1095 1128 //}}}------------- 1096 1129 //{{{ plugin stuff
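Review bot: preg_quote() is doing duty as the SQL string escaper throughout save_post (new lines 288–296, 308, 312–320, 328–332) and save_cat (480–493), but it escapes regex metacharacters, not SQL: it backslashes `.`, `?`, `+`, `(` and similar into the stored text (which is why stripslashes() now wraps every display site), and backslash-before-quote is only honoured by some database backends, so with the quoted `"name"`/`"desc"` identifiers — which do not look MySQL-specific — a value containing `'` may still terminate the literal. The PEAR DB layer already in use takes placeholders, so the safe form is `$db->query("UPDATE articles SET title = ?, body = ?, categories_id = ? ... WHERE id = ?", array($title, $body, $post["categories_id"], ..., $post["id"]))` (or `$db->quoteSmart($value)` where the statement must be assembled), which also removes the need for stripslashes() on output. Line 308 still interpolates `$tb_uri`, which is never assigned in save_post, where `$post["tb_uri"]` is presumably meant. In the new _strip_attributes() (1113–1126) the six-entry blocklist of handler names is easy to slip past, and the `e` modifier on line 1107 evaluates the replacement string as PHP; an allowlist of permitted attributes per tag, applied from `preg_replace_callback('/<(.*?)>/', ...)`, gives the same filtering without eval or the stripslashes() workaround. save_post begins at line 281 and its body runs past this hunk.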
