
Cleanup
- process input with XoopsRequest
- add escape() calls in sql builds
geekwright committed Apr 22, 2016
1 parent 1fb2686 commit 7c85ab3
Showing 15 changed files with 201 additions and 158 deletions.
17 changes: 11 additions & 6 deletions add_breeder.php
Expand Up @@ -42,13 +42,18 @@ function check()
redirect_header("javascript:history.go(-1)", 3, _NOPERM . "<br />" . _MA_PEDIGREE_REGIST);
exit();
}
$achternaam = $_POST['achternaam'];
$voornaam = $_POST['voornaam'];
$email = $_POST['email'];
$website = $_POST['website'];
$user = $_POST['user'];
$achternaam = XoopsRequest::getString('achternaam', '', 'post');
$voornaam = XoopsRequest::getString('voornaam', '', 'post');
$email = XoopsRequest::getEmail('email', '', 'post');
$website = XoopsRequest::getUrl('website', '', 'post');
$user = XoopsRequest::getString('user', '', 'post');
//insert into owner
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_owner") . " VALUES ('','" . $voornaam . "','" . $achternaam . "','','','','','','" . $email . "','" . $website . "','" . $user . "')";
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_owner") . " VALUES ('','"
. $xoopsDB->escape($voornaam) . "','"
. $xoopsDB->escape($achternaam) . "','','','','','','"
. $xoopsDB->escape($email) . "','"
. $xoopsDB->escape($website) . "','"
. $xoopsDB->escape($user) . "')";
$xoopsDB->query($query);
redirect_header("index.php", 1, "The data has been stored.");
}
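Review bot: `$user = XoopsRequest::getString('user', '', 'post');` reads the owner's user field as free text, while the same commit reads the equivalent field in add_litter.php as an id (`$userid = XoopsRequest::getInt('userid', 0, 'post')`); if the `user` column of pedigree_owner holds a uid, `XoopsRequest::getInt('user', 0, 'post')` is the tighter filter and removes one string that has to be escaped at all. Note also that getEmail()/getUrl() fall back to the '' default when the value fails their filter (if I read those helpers right), so a mistyped address is stored as empty and the "The data has been stored." redirect gives the user no hint; a check such as `if ($email === '' && XoopsRequest::getString('email', '', 'post') !== '')` before the INSERT would let you report it. check() starts outside the hunk.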
52 changes: 27 additions & 25 deletions add_dog.php
Expand Up @@ -102,9 +102,10 @@ function checkname()
$config_handler = xoops_getHandler('config');
$moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid'));

$name = $_POST['NAAM'];
$name = XoopsRequest::getString('NAAM', '', 'post');
//query
$queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE NAAM LIKE'%" . $name . "%' ORDER BY NAAM";
$queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE NAAM LIKE'%"
. $xoopsDB->escape($name) . "%' ORDER BY NAAM";
$result = $xoopsDB->query($queryString);
$numresults = $xoopsDB->getRowsNum($result);
if ($numresults >= 1 && !(isset($_GET['r']))) {
Expand Down Expand Up @@ -281,8 +282,15 @@ function sire()

//insert into pedigree_temp
$query
= "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" . $random . "','" . unhtmlentities($name) . "','" . $id_owner . "','" . $id_breeder . "','" . $user . "','" . $roft
. "','','','" . $foto . "', ''" . $usersql . ")";
= "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('"
. $xoopsDB->escape($random) . "','"
. $xoopsDB->escape(unhtmlentities($name)) . "','"
. $xoopsDB->escape($id_owner) . "','"
. $xoopsDB->escape($id_breeder) . "','"
. $xoopsDB->escape($user) . "','"
. $xoopsDB->escape($roft) . "','','','"
. $xoopsDB->escape($foto) . "', ''"
. $usersql . ")";
//echo $query; die();
$xoopsDB->query($query);
redirect_header("add_dog.php?f=sire&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREPLZ, array('[father]' => $moduleConfig['father'])));
Expand Down Expand Up @@ -457,29 +465,16 @@ function dam()
redirect_header("javascript:history.go(-1)", 3, _NOPERM . "<br />" . _MA_PEDIGREE_REGIST);
exit();
}
if (empty($random)) {
$random = isset($_POST['random']) ? $_POST['random'] : null;
}
if (isset($_GET['random'])) {
$random = $_GET['random'];
}
if (empty($st)) {
$st = 0;
}
if (isset($_GET['st'])) {
$st = $_GET['st'];
}
$random = XoopsRequest::getInt('random', 0);
$st = XoopsRequest::getInt('st', 0, 'get');
//find letter on which to start else set to 'a'
if (isset($_GET['l'])) {
$l = $_GET['l'];
} else {
$l = "a";
}
$l = XoopsRequest::getString('l', 'a', 'get');
//make the redirect
if (!isset($_GET['r'])) {
//insert into pedigree_temp
$query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" . $_GET['selsire'] . " WHERE ID=" . $random;
$xoopsDB->queryf($query);
$query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father ="
. XoopsRequest::getInt('selsire', 0, 'get') . " WHERE ID=" . $random;
$xoopsDB->queryF($query);
redirect_header("add_dog.php?f=dam&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREOK, array('[mother]' => $moduleConfig['mother'])));
}

Expand Down Expand Up @@ -669,8 +664,15 @@ function check()
}
//insert into pedigree
$query
= "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" . addslashes($row['NAAM']) . "','" . $row['id_owner'] . "','" . $row['id_breeder'] . "','" . $row['user'] . "','"
. $row['roft'] . "','" . $_GET['seldam'] . "','" . $row['father'] . "','" . addslashes($row['foto']) . "',''" . $usersql . ")";
= "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','"
. $xoopsDB->escape($row['NAAM']) . "','"
. $xoopsDB->escape($row['id_owner']) . "','"
. $xoopsDB->escape($row['id_breeder']) . "','"
. $xoopsDB->escape($row['user']) . "','"
. $xoopsDB->escape($row['roft']) . "','"
. $xoopsDB->escape($_GET['seldam']) . "','"
. $xoopsDB->escape($row['father']) . "','"
. $xoopsDB->escape($row['foto']) . "',''" . $usersql . ")";
$xoopsDB->queryF($query);
//echo $query; die();
}
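Review bot: The check() hunk still reads `$_GET['seldam']` directly inside the INSERT (`$xoopsDB->escape($_GET['seldam'])`) while the rest of the commit routes input through XoopsRequest, and add_litter.php's check() in this same commit already does `$seldam = XoopsRequest::getInt('seldam', 0, 'get');`. escape() closes the quoting hole, but a request without the parameter raises a notice and most likely writes '' where the column otherwise carries an integer id, so read it once before the loop as `$seldam = XoopsRequest::getInt('seldam', 0, 'get');` and use `. $seldam . "','"` in the statement. The first hunk's `LIKE '%" . $xoopsDB->escape($name) . "%'` has a smaller issue: escape() does not neutralize `%` and `_`, so a name containing them widens the match — not an injection, but `addcslashes($name, '%_')` inside the escape would keep the lookup honest. check() and checkname() both start outside their hunks.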
73 changes: 30 additions & 43 deletions add_litter.php
Expand Up @@ -149,20 +149,12 @@ function sire()
redirect_header("javascript:history.go(-1)", 3, _NOPERM . "<br />" . _MA_PEDIGREE_REGIST);
exit();
}
$userid = $_POST['userid'];
if (empty($random)) {
$random = $_POST['random'];
}
if (isset($_GET['random'])) {
$random = $_GET['random'];
}
if (empty($st)) {
$st = 0;
}
if (isset($_GET['st'])) {
$st = $_GET['st'];
}
$userid = XoopsRequest::getInt('userid', 0, 'post');
$random = XoopsRequest::getInt('random', 0);
$st = XoopsRequest::getInt('st', 0);
$userfields = "";
$name = '';
$roft = '';
for ($count = 1; $count < 11; ++$count) {
$namelitter = "name" . $count;
$roftlitter = "roft" . $count;
Expand Down Expand Up @@ -219,7 +211,12 @@ function sire()
$user{$fields[$i]} = $withinfield;
}
//insert into pedigree_temp
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" . $random . "','" . unhtmlentities($name) . "','0','" . $id_breeder . "','" . $userid . "','" . $roft . "','','','', ''";
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('"
. XoopsRequest::getInt($random) . "','"
. XoopsRequest::getInt(unhtmlentities($name)) . "','0','"
. XoopsRequest::getInt($id_breeder) . "','"
. XoopsRequest::getInt($userid) . "','"
. XoopsRequest::getInt($roft) . "','','','', ''";
for ($i = 0; $i < count($fields); ++$i) {
$userfield = new Field($fields[$i], $animal->getconfig());
$fieldType = $userfield->getSetting("FieldType");
Expand All @@ -234,11 +231,7 @@ function sire()
redirect_header("add_litter.php?f=sire&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREPLZ, array('[father]' => $moduleConfig['father'])));
}
//find letter on which to start else set to 'a'
if (isset($_GET['l'])) {
$l = $_GET['l'];
} else {
$l = "a";
}
$l = XoopsRequest::getString('l', 'a', 'get');
//assign 'sire' to the template
$xoopsTpl->assign("sire", "1");
//create list of males dog to select from
Expand Down Expand Up @@ -393,37 +386,25 @@ function dam()
$config_handler = xoops_getHandler('config');
$moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid'));

if (empty($random)) {
$random = $_POST['random'];
}
if (isset($_GET['random'])) {
$random = $_GET['random'];
}
if (empty($st)) {
$st = 0;
}
if (isset($_GET['st'])) {
$st = $_GET['st'];
}
$random = XoopsRequest::getInt('random', 0);
$st = XoopsRequest::getInt('st', 0, 'get');
//make the redirect
if (!isset($_GET['r'])) {
//insert into pedigree_temp
$query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" . $_GET['selsire'] . " WHERE ID=" . $random;
$xoopsDB->queryf($query);
$query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father ="
. XoopsRequest::getInt('selsire', 0, 'get') . " WHERE ID=" . $random;
$xoopsDB->queryF($query);
redirect_header("add_litter.php?f=dam&random=" . $random . "&st=" . $st . "&r=1", 1, strtr(_MA_PEDIGREE_ADD_SIREOK, array('[mother]' => $moduleConfig['mother'])));
}
//find letter on which to start else set to 'a'
if (isset($_GET['l'])) {
$l = $_GET['l'];
} else {
$l = "a";
}
$l = XoopsRequest::getString('l', 'a', 'get');
//assign sire to the template
$xoopsTpl->assign("sire", "1");
//create list of males dog to select from
$perp = $moduleConfig['perpage'];
$perp = (int) $moduleConfig['perpage'];
//count total number of dogs
$numdog = "SELECT ID from " . $xoopsDB->prefix("pedigree_tree") . " WHERE roft='1' and NAAM LIKE '" . $l . "%'";
$numdog = "SELECT ID from " . $xoopsDB->prefix("pedigree_tree") . " WHERE roft='1' and NAAM LIKE '"
. $xoopsDB->escape($l) . "%'";
$numres = $xoopsDB->query($numdog);
//total number of dogs the query will find
$numresults = $xoopsDB->getRowsNum($numres);
Expand Down Expand Up @@ -581,6 +562,7 @@ function check()
//query
$queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_temp") . " WHERE ID = " . $random;
$result = $xoopsDB->query($queryString);
$seldam = XoopsRequest::getInt('seldam', 0, 'get');
while ($row = $xoopsDB->fetchArray($result)) {
//pull data apart.
if ($row['NAAM'] !== "") {
Expand All @@ -589,8 +571,13 @@ function check()
for ($c = 1; $c < count($names); ++$c) {
$query
=
"INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" . addslashes($names[$c]) . "','0','" . $row['id_breeder'] . "','" . $row['user'] . "','" . $genders[$c] . "','"
. $_GET['seldam'] . "','" . $row['father'] . "','',''";
"INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','"
. $xoopsDB->escape($names[$c]) . "','0','"
. $xoopsDB->escape($row['id_breeder']) . "','"
. $xoopsDB->escape($row['user']) . "','"
. $xoopsDB->escape($genders[$c]) . "','"
. $xoopsDB->escape($seldam) . "','"
. $xoopsDB->escape($row['father']) . "','',''";
//create animal object
$animal = new Animal();
//test to find out how many user fields there are..
Expand All @@ -603,7 +590,7 @@ function check()
}
//insert into pedigree
$query .= ");";
$xoopsDB->queryf($query);
$xoopsDB->queryF($query);
}

}
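Review bot: In the sire() hunk the INSERT's `XoopsRequest::getInt($random)` through `XoopsRequest::getInt($roft)` pass values where getInt() expects a request variable name, so each call looks up a request key named after the value and almost certainly returns the default 0; the pedigree_temp row will have NAAM, id_breeder, user and roft all zeroed, and `unhtmlentities($name)` is a string that could never survive an int conversion anyway. These are already local variables, so escape them the way the add_dog.php sire() hunk in this commit does. sire() begins and ends outside the hunk.
```php
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('"
    . $xoopsDB->escape($random) . "','"
    . $xoopsDB->escape(unhtmlentities($name)) . "','0','"
    . $xoopsDB->escape($id_breeder) . "','"
    . $xoopsDB->escape($userid) . "','"
    . $xoopsDB->escape($roft) . "','','','', ''";
// … unchanged: per-field loop appending the user fields …
```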
5 changes: 3 additions & 2 deletions admin/savecolors.php
Expand Up @@ -25,8 +25,9 @@
1
);

$sql = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value='" . $colourString . "' WHERE conf_name = 'pedigreeColours'";
$xoopsDB->queryf($sql);
$sql = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value='" .
$xoopsDB->escape($colourString) . "' WHERE conf_name = 'pedigreeColours'";
$xoopsDB->queryF($sql);
redirect_header("colors.php", 3, 'Your settings have been saved...');

xoops_cp_footer();
8 changes: 5 additions & 3 deletions admin/tools.php
Expand Up @@ -273,7 +273,7 @@ function restore($id)
while ($row = $xoopsDB->fetchArray($result)) {

foreach ($row as $key => $values) {
$queryvalues .= "'" . $values . "',";
$queryvalues .= "'" . $xoopsDB->escape($values) . "',";
}
$outgoing = substr_replace($queryvalues, "", -1);
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES (" . $outgoing . ")";
Expand Down Expand Up @@ -355,7 +355,8 @@ function settingssave()
$settings = array('perpage', 'ownerbreeder', 'brothers', 'uselitter', 'pups');
foreach ($_POST as $key => $values) {
if (in_array($key, $settings)) {
$query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $values . "' WHERE conf_name = '" . $key . "'";
$query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" .
$xoopsDB->escape($values) . "' WHERE conf_name = '" . $xoopsDB->escape($key) . "'";
$xoopsDB->query($query);
}
}
Expand Down Expand Up @@ -427,7 +428,8 @@ function langsave()
$settings = array('animalType', 'animalTypes', 'male', 'female', 'children', 'mother', 'father', 'litter', 'welcome');
foreach ($_POST as $key => $values) {
if (in_array($key, $settings)) {
$query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $values . "' WHERE conf_name = '" . $key . "'";
$query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '"
. $xoopsDB->escape($values) . "' WHERE conf_name = '" . $xoopsDB->escape($key) . "'";
$xoopsDB->query($query);
}
}
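Review bot: In the settingssave() and langsave() hunks the allow-list check `if (in_array($key, $settings))` is a loose comparison; PHP turns a numeric POST key such as `0` into an int, and on PHP before 8.0 `0 == 'perpage'` is true, so an unexpected key can pass the allow-list and reach the UPDATE (the new escape() on `$key` keeps the SQL well-formed, but the WHERE then targets conf_name '0'). Use `in_array($key, $settings, true)` in both places. In restore() the escape() on `$values` is right; what is not visible is whether `$queryvalues` is reset for each row of the while loop — if it is not, every INSERT carries the previous rows' values as well. All three functions start outside their hunks.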
24 changes: 14 additions & 10 deletions blocks/menu_block.php
Expand Up @@ -4,15 +4,16 @@
// Copyright 2004, James Cotton
// http://www.dobermannvereniging.nl

$dirname = basename(dirname(__DIR__));
// Include any constants used for internationalizing templates.
if (file_exists(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/" . $xoopsConfig['language'] . "/main.php")) {
require_once XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/" . $xoopsConfig['language'] . "/main.php";
if (file_exists(XOOPS_ROOT_PATH . "/modules/{$dirname}/language/{$xoopsConfig['language']}/main.php")) {
require_once XOOPS_ROOT_PATH . "/modules/{$dirname}/language/{$xoopsConfig['language']}/main.php";
} else {
include_once XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/english/main.php";
include_once XOOPS_ROOT_PATH . "/modules/{$dirname}/language/english/main.php";
}
// Include any common code for this module.
require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/class_field.php");
require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/functions.php");
require_once(XOOPS_ROOT_PATH . "/modules/{$dirname}/include/class_field.php");
require_once(XOOPS_ROOT_PATH . "/modules/{$dirname}/include/functions.php");

/**
* @return XoopsTpl
Expand All @@ -21,9 +22,11 @@ function menu_block()
{
global $xoopsTpl, $xoopsUser, $apppath;

$dirname = basename(dirname(__DIR__));

//get module configuration
$module_handler = xoops_getHandler('module');
$module = $module_handler->getByDirname("pedigree");
$module = $module_handler->getByDirname($dirname);
$config_handler = xoops_getHandler('config');
$moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid'));

Expand All @@ -37,11 +40,12 @@ function menu_block()
$head = $colors[5];
$body = $colors[6];
$title = $colors[7];
/* WTF - WHY is this in a block???????
//inline-css
echo "<style>";
//text-colour
echo "body {margin: 0;padding: 0;background: " . $body . ";color: " . $text
. ";font-size: 62.5%; /* <-- Resets 1em to 10px */font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; text-align: left;}";
. ";font-size: 62.5%; font-family: 'Lucida Grande', Verdana, Arial, Sans-Serif; text-align: left;}";
//link-colour
echo "a, h2 a:hover, h3 a:hover { color: " . $actlink . "; text-decoration: none; }";
//link hover colour
Expand All @@ -58,12 +62,11 @@ function menu_block()
echo ".odd {background-color: " . $odd . "; padding: 3px;}";
echo "tr.odd td {background-color: " . $odd . "; padding: 3px;}";
echo "</style>";

*/
//iscurrent user a module admin ?
$modadmin = false;
$xoopsModule = XoopsModule::getByDirname("pedigree");
if (!empty($xoopsUser)) {
if ($xoopsUser->isAdmin($xoopsModule->mid())) {
if ($xoopsUser->isAdmin($module->mid())) {
$modadmin = true;
}
}
Expand Down Expand Up @@ -204,6 +207,7 @@ function menu_block()

//create path taken
//showpath();
$xoopsTpl->assign("modulename", $dirname);
$xoopsTpl->assign("menuarray", $menuarray);
//return the template contents
return $xoopsTpl;
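Review bot: The inline-CSS block is now wrapped in a `/* WTF ... */` comment instead of being removed; commented-out code with an opinion attached tends to outlive the commit, and the colour variables assigned just above it (`$head`, `$body`, `$title`, ...) appear to have no remaining reader once the echoes are gone. Delete the block, and any assignment it was the only user of, and record in the commit message that the block no longer emits styles. The switch from `XoopsModule::getByDirname("pedigree")` to `$module->mid()` and the new `$xoopsTpl->assign("modulename", $dirname);` are fine. menu_block() ends outside the hunk.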
4 changes: 2 additions & 2 deletions coi.php
Expand Up @@ -1061,9 +1061,9 @@ function one_animal($ID)
strtr(_MA_PEDIGREE_COI_COIEX, array('[animalType]' => $moduleConfig['animalType'], '[animalTypes]' => $moduleConfig['animalTypes'], '[children]' => $moduleConfig['children']))
);
$xoopsTpl->assign("COIcoi", _MA_PEDIGREE_COI_COI);
$dogid = isset($_GET['dogid']) ? $_GET['dogid'] : 0;
$dogid = XoopsRequest::getInt('dogid', 0, 'get');
$query = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET coi=" . $f1 . " WHERE ID = '$dogid'";
$xoopsDB->queryf($query);
$xoopsDB->queryF($query);
arsort($deltaf);
$j = 1;
foreach ($deltaf as $i => $v) {
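Review bot: `$dogid` now falls back to 0 for an absent or non-numeric parameter and the UPDATE on the next line runs unconditionally with `WHERE ID = '0'`; the old code had the same fallback, but with a guaranteed int the guard is cheap: `if ($dogid > 0) { $xoopsDB->queryF($query); }`. `$f1` is still interpolated into `SET coi=` without a cast; it is computed above the hunk so is presumably numeric, but `sprintf('%F', $f1)` would make that explicit and avoid the locale-dependent float-to-string conversion of PHP before 8.0. one_animal() begins and ends outside the hunk.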
4 changes: 2 additions & 2 deletions deletebreederpage.php
Expand Up @@ -29,8 +29,8 @@

global $xoopsTpl, $xoopsDB, $xoopsUser;

$ownid = $_POST['dogid'];
$ownername = $_POST['curname'];
$ownid = XoopsRequest::getInt('dogid', 0, 'post');
$ownername = XoopsRequest::getString('curname', '', 'post');

if (!empty($ownername)) {
$queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_owner") . " WHERE ID=" . $ownid;
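Review bot: The guard `if (!empty($ownername))` still keys on the name while the SELECT on the next line is driven by `$ownid`, which getInt() now silently turns into 0 for a missing or non-numeric `dogid`; test the id as well (`if ($ownid > 0 && $ownername !== '')`) so a malformed request does not run a lookup against ID=0. The same pattern is in deletepage.php (`$dogid`/`$dogname`) in this commit. Both are delete pages reached by POST; if the file does not already call `$GLOBALS['xoopsSecurity']->check()` above the hunk, the token check belongs before this point — the top of the file is outside the hunk so I cannot tell.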
4 changes: 2 additions & 2 deletions deletepage.php
Expand Up @@ -30,8 +30,8 @@

global $xoopsTpl, $xoopsDB, $xoopsUser;

$dogid = $_POST['dogid'];
$dogname = $_POST['curname'];
$dogid = XoopsRequest::getInt('dogid', 0, 'post');
$dogname = XoopsRequest::getString('curname', '', 'post');

if (!empty($dogname)) {
$queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE ID=" . $dogid;
2 changes: 1 addition & 1 deletion dog.php
Expand Up @@ -55,7 +55,7 @@
$myts = MyTextSanitizer::getInstance();

if (isset($_GET['id'])) {
$id = $_GET['id'];
$id = XoopsRequest::getInt('id', 0, 'get');
} else {
echo "No dog has been selected";
die();
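Review bot: The `isset($_GET['id'])` guard is now redundant with getInt()'s default and no longer protects what it appears to: `?id=abc` passes isset(), getInt() yields 0, and the page continues with `$id = 0` instead of reaching the "No dog has been selected" branch. Read the value first and test it: `$id = XoopsRequest::getInt('id', 0, 'get');` followed by `if ($id <= 0) { echo "No dog has been selected"; die(); }`, assuming 0 is not a real row id in pedigree_tree.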
