Bug fixes

admin/fees.php

@@ -62,15 +62,19 @@
 			}
 			else
 			{
-				$query = "UPDATE " . $DBPrefix . "fees SET value = '" . $system->input_money($_POST['value']) . "' WHERE type = '" . $_GET['type'] . "'";
-				$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
+				$query = "UPDATE " . $DBPrefix . "fees SET value = :value WHERE type = :type";
+				$params = array();
+				$params[] = array(':value', $system->input_money($_POST['value']), 'float');
+				$params[] = array(':type', $_GET['type'], 'str');
+				$db->query($query, $params);
 				$errmsg = $feenames[$_GET['type']] . $MSG['359'];
 			}
 		}
-		$query = "SELECT value FROM " . $DBPrefix . "fees WHERE type = '" . $_GET['type'] . "'";
-		$res = mysql_query($query);
-		$system->check_mysql($res, $query, __LINE__, __FILE__);
-		$value = mysql_result($res, 0);
+		$query = "SELECT value FROM " . $DBPrefix . "fees WHERE type = :type";
+		$params = array();
+		$params[] = array(':type', $_GET['type'], 'str');
+		$db->query($query, $params);
+		$value = $db->result('value');
 
 		$template->assign_vars(array(
 				'VALUE' => $system->print_money_nosymbol($value),
@@ -90,20 +94,28 @@
 					$value = $system->input_money($value);
 				}
 				$query = "UPDATE " . $DBPrefix . "fees SET
-						fee_from = '" . $system->input_money($_POST['fee_from'][$i]) . "',
-						fee_to = '" . $system->input_money($_POST['fee_to'][$i]) . "',
-						value = '" . $value . "',
-						fee_type = '" . $_POST['type'][$i] . "'
-						WHERE id = " . $_POST['tier_id'][$i];
-				$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
+						fee_from = :fee_from,
+						fee_to = :fee_to,
+						value = :value,
+						fee_type = :fee_type
+						WHERE id = :fee_id";
+				$params = array();
+				$params[] = array(':fee_from', $system->input_money($_POST['fee_from'][$i]), 'float');
+				$params[] = array(':fee_to', $system->input_money($_POST['fee_to'][$i]), 'float');
+				$params[] = array(':value', $value, 'float');
+				$params[] = array(':fee_type', $_POST['type'][$i], 'str');
+				$params[] = array(':fee_id', $_POST['tier_id'][$i], 'int');
+				$db->query($query, $params);
 				$errmsg = $feenames[$_GET['type']] . $MSG['359'];
 			}
 			if (isset($_POST['fee_delete']))
 			{
 				for($i = 0; $i < count($_POST['fee_delete']); $i++)
 				{
-					$query = "DELETE FROM " . $DBPrefix . "fees WHERE id = " . $_POST['fee_delete'][$i];
-					$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
+					$query = "DELETE FROM " . $DBPrefix . "fees WHERE id = :fee_id";
+					$params = array();
+					$params[] = array(':fee_id', $_POST['fee_delete'][$i], 'int');
+					$db->query($query, $params);
 				}
 			}
 			if(!empty($_POST['new_fee_from']) && !empty($_POST['new_fee_to']) && !empty($_POST['new_value']) && !empty($_POST['new_type']))
@@ -116,8 +128,14 @@
 						$value = $system->input_money($value);
 					}
 					$query = "INSERT INTO " . $DBPrefix . "fees VALUES
-							(NULL, '" . $system->input_money($_POST['new_fee_from']) . "', '" . $system->input_money($_POST['new_fee_to']) . "', '" . $_POST['new_type'] . "', '" . $value . "', '" . $_GET['type'] . "')";
-					$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
+							(NULL, :fee_from, :fee_to, :new_type, :value, :type)";
+					$params = array();
+					$params[] = array(':fee_from', $system->input_money($_POST['new_fee_from']), 'float');
+					$params[] = array(':fee_to', $system->input_money($_POST['new_fee_to']), 'float');
+					$params[] = array(':new_type', $_POST['new_type'], 'str');
+					$params[] = array(':value', $value, 'float');
+					$params[] = array(':type', $_GET['type'], 'str');
+					$db->query($query, $params);
 					$level_added = true;
 				}
 				else
@@ -126,10 +144,11 @@
 				}
 			}
 		}
-		$query = "SELECT * FROM " . $DBPrefix . "fees WHERE type = '" . $_GET['type'] . "' ORDER BY fee_from ASC";
-		$res = mysql_query($query);
-		$system->check_mysql($res, $query, __LINE__, __FILE__);
-		while($row = mysql_fetch_assoc($res))
+		$query = "SELECT * FROM " . $DBPrefix . "fees WHERE type = :type ORDER BY fee_from ASC";
+		$params = array();
+		$params[] = array(':type', $_GET['type'], 'str');
+		$db->query($query, $params);
+		while($row = $db->fetch())
 		{
 			$template->assign_block_vars('fees', array(
 					'ID' => $row['id'],

adsearch.php

@@ -163,19 +163,21 @@
 		if (is_array($_SESSION['advs']['payment']) && count($_SESSION['advs']['payment']) > 1)
 		{
 			$pri = false;
+			$i = 0;
 			foreach ($payment as $key => &$val)
 			{
 				if (!$pri)
 				{
-					$ora = "((au.payment LIKE :payment)";
-					$asparams[] = array(":payment", '%' . $system->cleanvars($val) . '%', 'str');
+					$ora = "((au.payment LIKE :payment" . get_param_number($i) . ")";
+					$asparams[] = array(":payment" . get_param_number($i), '%' . $system->cleanvars($val) . '%', 'str');
 				}
 				else
 				{
-					$ora .= " OR (au.payment LIKE :payment) AND ";
-					$asparams[] = array(":payment", '%' . $system->cleanvars($val) . '%', 'str');
+					$ora .= " OR (au.payment LIKE :payment" . get_param_number($i) . ") AND ";
+					$asparams[] = array(":payment" . get_param_number($i), '%' . $system->cleanvars($val) . '%', 'str');
 				}
 				$pri = true;
+				$i++;
 			}
 			$ora .= ") ";
 		}

buy_now.php

@@ -338,7 +338,7 @@
 		$buy_done = 1;
 	}
 }
-$id = $db->lastInsertId();
+$winner_id = $db->lastInsertId();
 
 $additional_shipping = $Auction['additional_shipping_cost'] * ($qty - 1);
 $shipping_cost = ($Auction['shipping'] == 1) ? ($Auction['shipping_cost'] + $additional_shipping) : 0;
@@ -347,7 +347,7 @@
 $template->assign_vars(array(
 		'ERROR' => (isset($ERR)) ? $ERR : '',
 		'ID' => $_REQUEST['id'],
-		'WINID' => $id,
+		'WINID' => $winner_id,
 		'TITLE' => $Auction['title'],
 		'BN_PRICE' => $system->print_money($Auction['buy_now']),
 		'BN_TOTAL' => $system->print_money($BN_total),

cron.php

@@ -44,9 +44,8 @@
 $query = "SELECT value, fee_type FROM " . $DBPrefix . "fees WHERE type = 'buyer_fee'";
 $db->direct_query($query);
 $row = $db->result();
-$buyer_fee = $row['value'];
-$buyer_fee = (empty($buyer_fee)) ? 0 : $buyer_fee;
-$buyer_fee_type = $row['fee_type'];
+$buyer_fee = (isset($row['value'])) ? $row['value'] : 0;
+$buyer_fee_type = (isset($row['fee_type'])) ? $row['fee_type'] : 'flat';
 
 // get closed auction fee
 $query = "SELECT * FROM " . $DBPrefix . "fees WHERE type = 'endauc_fee' ORDER BY value ASC";

docs/readme.txt

@@ -16,7 +16,7 @@ INSTALLATION
 1. Upload all the files except the docs directory
 2. CHMOD the uploaded directory to 0777
 3. CHMOD the includes/config.inc.php.new to 0777
-4. CHMOD the includes/countries.inc.php to 0777
+4. CHMOD the language/EN/countries.inc.php to 0777
 5. CHMOD the includes/membertypes.inc.php to 0777
 6. CHMOD the language/EN/categories.inc.php to 0777
 7. CHMOD the language/EN/categories_select_box.inc.php to 0777

includes/functions_rebuild.php

@@ -81,17 +81,11 @@ function rebuild_html_file($table)
 	$num_rows = mysql_num_rows($res);
 
 	$output = '<?php' . "\n";
-	$output.= '$' . $array_name . ' = array(\'\', ' . "\n";
+	$output.= '$' . $array_name . ' = array(' . "\n";
 
-	$i = 0;
 	while ($row = mysql_fetch_assoc($res))
 	{
-		$output .= '\'' . $row[$field_name] . '\'';
-		$i++;
-		if ($i < $num_rows)
-			$output .= ',' . "\n";
-		else
-			$output .= "\n";
+		$output .= '\'' . $row[$field_name] . '\' => \'' . $row[$field_name] . '\',' . "\n";
 	}
 
 	$output .= ');' . "\n" . '?>';

install/functions.php

@@ -303,9 +303,9 @@ function show_config_table($fresh = true)
 		$data .= '</tr>';
 
 		$directories = array(
-			'includes/countries.inc.php',
 			'includes/currencies.php',
 			'includes/membertypes.inc.php',
+			'language/EN/countries.inc.php',
 			'language/EN/categories.inc.php',
 			'language/EN/categories_select_box.inc.php'
 			);