From 7c85ab3276cdc5bf8b2d2181dbd3044cf0541089 Mon Sep 17 00:00:00 2001 From: geekwright Date: Fri, 22 Apr 2016 16:39:06 -0500 Subject: [PATCH] Cleanup - process input with XoopsRequest - add escape() calls in sql builds --- add_breeder.php | 17 ++++--- add_dog.php | 52 ++++++++++---------- add_litter.php | 73 ++++++++++++---------------- admin/savecolors.php | 5 +- admin/tools.php | 8 ++-- blocks/menu_block.php | 24 ++++++---- coi.php | 4 +- deletebreederpage.php | 4 +- deletepage.php | 4 +- dog.php | 2 +- edit.php | 15 ++++-- include/checkoutwizard.php | 22 ++++++--- include/functions.php | 9 ++-- tools.php | 22 ++++++--- updatepage.php | 98 ++++++++++++++++++++++---------------- 15 files changed, 201 insertions(+), 158 deletions(-) diff --git a/add_breeder.php b/add_breeder.php index 02bf8a4..fc202ea 100644 --- a/add_breeder.php +++ b/add_breeder.php @@ -42,13 +42,18 @@ function check() redirect_header("javascript:history.go(-1)", 3, _NOPERM . "
" . _MA_PEDIGREE_REGIST); exit(); } - $achternaam = $_POST['achternaam']; - $voornaam = $_POST['voornaam']; - $email = $_POST['email']; - $website = $_POST['website']; - $user = $_POST['user']; + $achternaam = XoopsRequest::getString('achternaam', '', 'post'); + $voornaam = XoopsRequest::getString('voornaam', '', 'post'); + $email = XoopsRequest::getEmail('email', '', 'post'); + $website = XoopsRequest::getUrl('website', '', 'post'); + $user = XoopsRequest::getString('user', '', 'post'); //insert into owner - $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_owner") . " VALUES ('','" . $voornaam . "','" . $achternaam . "','','','','','','" . $email . "','" . $website . "','" . $user . "')"; + $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_owner") . " VALUES ('','" + . $xoopsDB->escape($voornaam) . "','" + . $xoopsDB->escape($achternaam) . "','','','','','','" + . $xoopsDB->escape($email) . "','" + . $xoopsDB->escape($website) . "','" + . $xoopsDB->escape($user) . "')"; $xoopsDB->query($query); redirect_header("index.php", 1, "The data has been stored."); } diff --git a/add_dog.php b/add_dog.php index 7ec6d0a..66a65c0 100644 --- a/add_dog.php +++ b/add_dog.php @@ -102,9 +102,10 @@ function checkname() $config_handler = xoops_getHandler('config'); $moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid')); - $name = $_POST['NAAM']; + $name = XoopsRequest::getString('NAAM', '', 'post'); //query - $queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE NAAM LIKE'%" . $name . "%' ORDER BY NAAM"; + $queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE NAAM LIKE'%" + . $xoopsDB->escape($name) . "%' ORDER BY NAAM"; $result = $xoopsDB->query($queryString); $numresults = $xoopsDB->getRowsNum($result); if ($numresults >= 1 && !(isset($_GET['r']))) { 
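Review bot: The INSERT runs even when the posted values are empty or were rejected by the getters, because `XoopsRequest::getEmail()` and `XoopsRequest::getUrl()` return the `''` default for a malformed value and nothing checks `$achternaam` or `$email` before the query. A typo in the e-mail address therefore silently stores an owner with an empty address rather than telling the user. Consider rejecting the submission when `$achternaam === ''`, and when `email`/`website` were posted non-empty but came back as `''`, with a `redirect_header("javascript:history.go(-1)", 3, ...)` like the permission branch above. The body of check() starts before this hunk.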
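Review bot: `$xoopsDB->escape($name)` makes the value safe inside the string literal but does not neutralise the LIKE metacharacters `%` and `_`, so a name containing either still matches far more rows than intended in the `NAAM LIKE '%...%'` check and can turn the duplicate-name test into a match against every record. Escape the wildcards first, e.g. `. $xoopsDB->escape(addcslashes($name, '%_')) . "%' ORDER BY NAAM";`. The same applies to `$l` in the `NAAM LIKE '" . $xoopsDB->escape($l) . "%'` count query in add_litter.php dam(). The `!(isset($_GET['r']))` test on the last line still reads the superglobal directly, unlike the rest of the converted input in this commit.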
@@ -281,8 +282,15 @@ function sire() //insert into pedigree_temp $query - = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" . $random . "','" . unhtmlentities($name) . "','" . $id_owner . "','" . $id_breeder . "','" . $user . "','" . $roft - . "','','','" . $foto . "', ''" . $usersql . ")"; + = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" + . $xoopsDB->escape($random) . "','" + . $xoopsDB->escape(unhtmlentities($name)) . "','" + . $xoopsDB->escape($id_owner) . "','" + . $xoopsDB->escape($id_breeder) . "','" + . $xoopsDB->escape($user) . "','" + . $xoopsDB->escape($roft) . "','','','" + . $xoopsDB->escape($foto) . "', ''" + . $usersql . ")"; //echo $query; die(); $xoopsDB->query($query); redirect_header("add_dog.php?f=sire&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREPLZ, array('[father]' => $moduleConfig['father']))); @@ -457,29 +465,16 @@ function dam() redirect_header("javascript:history.go(-1)", 3, _NOPERM . "
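Review bot: `$usersql` is still appended to the VALUES list unescaped on the last concatenation line, while every other value in the statement now goes through `$xoopsDB->escape()`; it is built before this hunk, so please confirm each user-field value inside it is escaped at the point it is assembled, otherwise the new escaping leaves one unprotected path into the same INSERT. The `//echo $query; die();` debug leftover on the line below should be removed rather than carried forward. sire()'s body starts before and ends after this hunk.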
" . _MA_PEDIGREE_REGIST); exit(); } - if (empty($random)) { - $random = isset($_POST['random']) ? $_POST['random'] : null; - } - if (isset($_GET['random'])) { - $random = $_GET['random']; - } - if (empty($st)) { - $st = 0; - } - if (isset($_GET['st'])) { - $st = $_GET['st']; - } + $random = XoopsRequest::getInt('random', 0); + $st = XoopsRequest::getInt('st', 0, 'get'); //find letter on which to start else set to 'a' - if (isset($_GET['l'])) { - $l = $_GET['l']; - } else { - $l = "a"; - } + $l = XoopsRequest::getString('l', 'a', 'get'); //make the redirect if (!isset($_GET['r'])) { //insert into pedigree_temp - $query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" . $_GET['selsire'] . " WHERE ID=" . $random; - $xoopsDB->queryf($query); + $query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" + . XoopsRequest::getInt('selsire', 0, 'get') . " WHERE ID=" . $random; + $xoopsDB->queryF($query); redirect_header("add_dog.php?f=dam&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREOK, array('[mother]' => $moduleConfig['mother']))); } @@ -669,8 +664,15 @@ function check() } //insert into pedigree $query - = "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" . addslashes($row['NAAM']) . "','" . $row['id_owner'] . "','" . $row['id_breeder'] . "','" . $row['user'] . "','" - . $row['roft'] . "','" . $_GET['seldam'] . "','" . $row['father'] . "','" . addslashes($row['foto']) . "',''" . $usersql . ")"; + = "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" + . $xoopsDB->escape($row['NAAM']) . "','" + . $xoopsDB->escape($row['id_owner']) . "','" + . $xoopsDB->escape($row['id_breeder']) . "','" + . $xoopsDB->escape($row['user']) . "','" + . $xoopsDB->escape($row['roft']) . "','" + . $xoopsDB->escape($_GET['seldam']) . "','" + . $xoopsDB->escape($row['father']) . "','" + . $xoopsDB->escape($row['foto']) . "',''" . $usersql . ")"; $xoopsDB->queryF($query); //echo $query; die(); } 
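Review bot: `XoopsRequest::getInt('selsire', 0, 'get')` turns a missing or non-numeric sire selection into `father = 0`, so the UPDATE now succeeds and records "no father" where the old code produced malformed SQL that simply failed; if 0 is not a valid parent id that is a silent data change. Read it into a variable and guard the write, e.g. `$selsire = XoopsRequest::getInt('selsire', 0, 'get'); if ($selsire > 0) { ... }`, or redirect back when it is 0. The dam() hunk in add_litter.php has the identical `SET father =` construction and needs the same guard. The `if (!isset($_GET['r']))` test on the same lines still reads the superglobal directly.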
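Review bot: `$_GET['seldam']` is still read straight from the superglobal in the new INSERT, whereas add_litter.php check() in this same commit reads it as `$seldam = XoopsRequest::getInt('seldam', 0, 'get');` before the loop; do the same here and concatenate `$seldam` instead of `$xoopsDB->escape($_GET['seldam'])`, which also removes the undefined-index notice when the parameter is absent. `$usersql` is still appended raw at the end of the statement; it is assembled outside this hunk, so confirm its contents are escaped there. check() starts before and ends after this hunk.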
diff --git a/add_litter.php b/add_litter.php index b45f85a..791de75 100644 --- a/add_litter.php +++ b/add_litter.php @@ -149,20 +149,12 @@ function sire() redirect_header("javascript:history.go(-1)", 3, _NOPERM . "
" . _MA_PEDIGREE_REGIST); exit(); } - $userid = $_POST['userid']; - if (empty($random)) { - $random = $_POST['random']; - } - if (isset($_GET['random'])) { - $random = $_GET['random']; - } - if (empty($st)) { - $st = 0; - } - if (isset($_GET['st'])) { - $st = $_GET['st']; - } + $userid = XoopsRequest::getInt('userid', 0, 'post'); + $random = XoopsRequest::getInt('random', 0); + $st = XoopsRequest::getInt('st', 0); $userfields = ""; + $name = ''; + $roft = ''; for ($count = 1; $count < 11; ++$count) { $namelitter = "name" . $count; $roftlitter = "roft" . $count; @@ -219,7 +211,12 @@ function sire() $user{$fields[$i]} = $withinfield; } //insert into pedigree_temp - $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" . $random . "','" . unhtmlentities($name) . "','0','" . $id_breeder . "','" . $userid . "','" . $roft . "','','','', ''"; + $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('" + . XoopsRequest::getInt($random) . "','" + . XoopsRequest::getInt(unhtmlentities($name)) . "','0','" + . XoopsRequest::getInt($id_breeder) . "','" + . XoopsRequest::getInt($userid) . "','" + . XoopsRequest::getInt($roft) . "','','','', ''"; for ($i = 0; $i < count($fields); ++$i) { $userfield = new Field($fields[$i], $animal->getconfig()); $fieldType = $userfield->getSetting("FieldType"); @@ -234,11 +231,7 @@ function sire() redirect_header("add_litter.php?f=sire&random=" . $random . "&st=" . $st . "&r=1&l=a", 1, strtr(_MA_PEDIGREE_ADD_SIREPLZ, array('[father]' => $moduleConfig['father']))); } //find letter on which to start else set to 'a' - if (isset($_GET['l'])) { - $l = $_GET['l']; - } else { - $l = "a"; - } + $l = XoopsRequest::getString('l', 'a', 'get'); //assign 'sire' to the template $xoopsTpl->assign("sire", "1"); //create list of males dog to select from 
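Review bot: The new INSERT in sire() passes the values to `XoopsRequest::getInt()` as if they were the request keys to look up, so `XoopsRequest::getInt($random)`, `XoopsRequest::getInt(unhtmlentities($name))`, `XoopsRequest::getInt($id_breeder)`, `XoopsRequest::getInt($userid)` and `XoopsRequest::getInt($roft)` each look for a request parameter named after the value and return the default 0; every litter row therefore gets written as `'0','0','0','0','0'` and the litter name is lost. The intent, going by the other hunks in this commit, is `$xoopsDB->escape()` for the strings and a plain int for the ids, as below. sire() starts before and ends after this hunk.
```php
//insert into pedigree_temp
$query = "INSERT INTO " . $xoopsDB->prefix("pedigree_temp") . " VALUES ('"
    . (int) $random . "','"
    . $xoopsDB->escape(unhtmlentities($name)) . "','0','"
    . $xoopsDB->escape($id_breeder) . "','"
    . (int) $userid . "','"
    . $xoopsDB->escape($roft) . "','','','', ''";
// … unchanged: user-field loop appending to $query …
```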
@@ -393,37 +386,25 @@ function dam() $config_handler = xoops_getHandler('config'); $moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid')); - if (empty($random)) { - $random = $_POST['random']; - } - if (isset($_GET['random'])) { - $random = $_GET['random']; - } - if (empty($st)) { - $st = 0; - } - if (isset($_GET['st'])) { - $st = $_GET['st']; - } + $random = XoopsRequest::getInt('random', 0); + $st = XoopsRequest::getInt('st', 0, 'get'); //make the redirect if (!isset($_GET['r'])) { //insert into pedigree_temp - $query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" . $_GET['selsire'] . " WHERE ID=" . $random; - $xoopsDB->queryf($query); + $query = "UPDATE " . $xoopsDB->prefix("pedigree_temp") . " SET father =" + . XoopsRequest::getInt('selsire', 0, 'get') . " WHERE ID=" . $random; + $xoopsDB->queryF($query); redirect_header("add_litter.php?f=dam&random=" . $random . "&st=" . $st . "&r=1", 1, strtr(_MA_PEDIGREE_ADD_SIREOK, array('[mother]' => $moduleConfig['mother']))); } //find letter on which to start else set to 'a' - if (isset($_GET['l'])) { - $l = $_GET['l']; - } else { - $l = "a"; - } + $l = XoopsRequest::getString('l', 'a', 'get'); //assign sire to the template $xoopsTpl->assign("sire", "1"); //create list of males dog to select from - $perp = $moduleConfig['perpage']; + $perp = (int) $moduleConfig['perpage']; //count total number of dogs - $numdog = "SELECT ID from " . $xoopsDB->prefix("pedigree_tree") . " WHERE roft='1' and NAAM LIKE '" . $l . "%'"; + $numdog = "SELECT ID from " . $xoopsDB->prefix("pedigree_tree") . " WHERE roft='1' and NAAM LIKE '" + . $xoopsDB->escape($l) . "%'"; $numres = $xoopsDB->query($numdog); //total number of dogs the query will find $numresults = $xoopsDB->getRowsNum($numres); 
@@ -581,6 +562,7 @@ function check() //query $queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_temp") . " WHERE ID = " . $random; $result = $xoopsDB->query($queryString); + $seldam = XoopsRequest::getInt('seldam', 0, 'get'); while ($row = $xoopsDB->fetchArray($result)) { //pull data apart. if ($row['NAAM'] !== "") { @@ -589,8 +571,13 @@ function check() for ($c = 1; $c < count($names); ++$c) { $query = - "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" . addslashes($names[$c]) . "','0','" . $row['id_breeder'] . "','" . $row['user'] . "','" . $genders[$c] . "','" - . $_GET['seldam'] . "','" . $row['father'] . "','',''"; + "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES ('','" + . $xoopsDB->escape($names[$c]) . "','0','" + . $xoopsDB->escape($row['id_breeder']) . "','" + . $xoopsDB->escape($row['user']) . "','" + . $xoopsDB->escape($genders[$c]) . "','" + . $xoopsDB->escape($seldam) . "','" + . $xoopsDB->escape($row['father']) . "','',''"; //create animal object $animal = new Animal(); //test to find out how many user fields there are.. @@ -603,7 +590,7 @@ function check() } //insert into pedigree $query .= ");"; - $xoopsDB->queryf($query); + $xoopsDB->queryF($query); } } diff --git a/admin/savecolors.php b/admin/savecolors.php index 6bc1694..6ae47b4 100644 --- a/admin/savecolors.php +++ b/admin/savecolors.php @@ -25,8 +25,9 @@ 1 ); -$sql = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value='" . $colourString . "' WHERE conf_name = 'pedigreeColours'"; -$xoopsDB->queryf($sql); +$sql = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value='" . + $xoopsDB->escape($colourString) . "' WHERE conf_name = 'pedigreeColours'"; +$xoopsDB->queryF($sql); redirect_header("colors.php", 3, 'Your settings have been saved...'); xoops_cp_footer(); diff --git a/admin/tools.php b/admin/tools.php index af55c4a..30025b8 100644 --- a/admin/tools.php +++ b/admin/tools.php 
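Review bot: `WHERE ID = " . $random` in the SELECT concatenates `$random` without a cast or escape while the newly added `$seldam` line right under it goes through `getInt()`; `$random` is assigned before this hunk, so please confirm it is the int from `XoopsRequest::getInt('random', 0)` as in sire() and dam(), or cast it here with `" WHERE ID = " . (int) $random`. In the following hunk `$xoopsDB->escape($seldam)` escapes a value that is already an int, so plain concatenation of `$seldam` is enough and reads more honestly. check() starts before and ends after this hunk.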
@@ -273,7 +273,7 @@ function restore($id) while ($row = $xoopsDB->fetchArray($result)) { foreach ($row as $key => $values) { - $queryvalues .= "'" . $values . "',"; + $queryvalues .= "'" . $xoopsDB->escape($values) . "',"; } $outgoing = substr_replace($queryvalues, "", -1); $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES (" . $outgoing . ")"; @@ -355,7 +355,8 @@ function settingssave() $settings = array('perpage', 'ownerbreeder', 'brothers', 'uselitter', 'pups'); foreach ($_POST as $key => $values) { if (in_array($key, $settings)) { - $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $values . "' WHERE conf_name = '" . $key . "'"; + $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . + $xoopsDB->escape($values) . "' WHERE conf_name = '" . $xoopsDB->escape($key) . "'"; $xoopsDB->query($query); } } @@ -427,7 +428,8 @@ function langsave() $settings = array('animalType', 'animalTypes', 'male', 'female', 'children', 'mother', 'father', 'litter', 'welcome'); foreach ($_POST as $key => $values) { if (in_array($key, $settings)) { - $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $values . "' WHERE conf_name = '" . $key . "'"; + $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" + . $xoopsDB->escape($values) . "' WHERE conf_name = '" . $xoopsDB->escape($key) . "'"; $xoopsDB->query($query); } } diff --git a/blocks/menu_block.php b/blocks/menu_block.php index f8d6d50..054b75b 100644 --- a/blocks/menu_block.php +++ b/blocks/menu_block.php 
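Review bot: `in_array($key, $settings)` in settingssave() is a loose comparison on keys taken from `$_POST`; PHP stores numeric-string keys as ints, and on PHP 7 `in_array(0, [...strings])` is true, so a posted field named `0` slips past the allow-list and reaches the UPDATE as `conf_name = '0'`. Pass `true` as the third argument, `if (in_array($key, $settings, true)) {`, after which escaping `$key` is redundant because it can only be one of the listed constants. The same loose `in_array()` sits in langsave() in this file and in settingssave() in tools.php.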
@@ -4,15 +4,16 @@ // Copyright 2004, James Cotton // http://www.dobermannvereniging.nl +$dirname = basename(dirname(__DIR__)); // Include any constants used for internationalizing templates. -if (file_exists(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/" . $xoopsConfig['language'] . "/main.php")) { - require_once XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/" . $xoopsConfig['language'] . "/main.php"; +if (file_exists(XOOPS_ROOT_PATH . "/modules/{$dirname}/language/{$xoopsConfig['language']}/main.php")) { + require_once XOOPS_ROOT_PATH . "/modules/{$dirname}/language/{$xoopsConfig['language']}/main.php"; } else { - include_once XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/language/english/main.php"; + include_once XOOPS_ROOT_PATH . "/modules/{$dirname}/language/english/main.php"; } // Include any common code for this module. -require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/class_field.php"); -require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/functions.php"); +require_once(XOOPS_ROOT_PATH . "/modules/{$dirname}/include/class_field.php"); +require_once(XOOPS_ROOT_PATH . "/modules/{$dirname}/include/functions.php"); /** * @return XoopsTpl @@ -21,9 +22,11 @@ function menu_block() { global $xoopsTpl, $xoopsUser, $apppath; + $dirname = basename(dirname(__DIR__)); + //get module configuration $module_handler = xoops_getHandler('module'); - $module = $module_handler->getByDirname("pedigree"); + $module = $module_handler->getByDirname($dirname); $config_handler = xoops_getHandler('config'); $moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid')); 
@@ -37,11 +40,12 @@ function menu_block() $head = $colors[5]; $body = $colors[6]; $title = $colors[7]; +/* WTF - WHY is this in a block??????? //inline-css echo ""; - +*/ //iscurrent user a module admin ? $modadmin = false; - $xoopsModule = XoopsModule::getByDirname("pedigree"); if (!empty($xoopsUser)) { - if ($xoopsUser->isAdmin($xoopsModule->mid())) { + if ($xoopsUser->isAdmin($module->mid())) { $modadmin = true; } } @@ -204,6 +207,7 @@ function menu_block() //create path taken //showpath(); + $xoopsTpl->assign("modulename", $dirname); $xoopsTpl->assign("menuarray", $menuarray); //return the template contents return $xoopsTpl; diff --git a/coi.php b/coi.php index bb88e77..7773652 100644 --- a/coi.php +++ b/coi.php @@ -1061,9 +1061,9 @@ function one_animal($ID) strtr(_MA_PEDIGREE_COI_COIEX, array('[animalType]' => $moduleConfig['animalType'], '[animalTypes]' => $moduleConfig['animalTypes'], '[children]' => $moduleConfig['children'])) ); $xoopsTpl->assign("COIcoi", _MA_PEDIGREE_COI_COI); -$dogid = isset($_GET['dogid']) ? $_GET['dogid'] : 0; +$dogid = XoopsRequest::getInt('dogid', 0, 'get'); $query = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET coi=" . $f1 . " WHERE ID = '$dogid'"; -$xoopsDB->queryf($query); +$xoopsDB->queryF($query); arsort($deltaf); $j = 1; foreach ($deltaf as $i => $v) { diff --git a/deletebreederpage.php b/deletebreederpage.php index 3510479..0a3f077 100644 --- a/deletebreederpage.php +++ b/deletebreederpage.php @@ -29,8 +29,8 @@ global $xoopsTpl, $xoopsDB, $xoopsUser; -$ownid = $_POST['dogid']; -$ownername = $_POST['curname']; +$ownid = XoopsRequest::getInt('dogid', 0, 'post'); +$ownername = XoopsRequest::getString('curname', '', 'post'); if (!empty($ownername)) { $queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_owner") . " WHERE ID=" . $ownid; diff --git a/deletepage.php b/deletepage.php index caf67e8..91f6a2b 100644 --- a/deletepage.php +++ b/deletepage.php 
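Review bot: The inline-css `echo` is now wrapped in a `/* WTF ... */` comment rather than removed; commented-out code with that kind of note should be deleted outright, and if the block output is intentionally no longer emitted a one-line comment saying why (e.g. `// inline CSS is emitted by the template, not the block`) is all that should remain. `$xoopsUser->isAdmin($module->mid())` now relies on `$module` from `getByDirname($dirname)` a few lines above; if the lookup fails that call is a fatal error on a false value, which appears to be pre-existing but is worth a guard now that the dirname is derived at runtime. menu_block() continues outside this hunk.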
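Review bot: The `if (!empty($ownername))` gate only checks the display name; `$ownid` is now 0 whenever `dogid` is missing or non-numeric, so the query on the last line, and whatever follows it, runs with `WHERE ID=0` instead of being rejected. Guard on the id as well, `if (!empty($ownername) && $ownid > 0) {`. deletepage.php in this commit has the identical shape with `$dogid`/`$dogname` and needs the same guard.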
@@ -30,8 +30,8 @@ global $xoopsTpl, $xoopsDB, $xoopsUser; -$dogid = $_POST['dogid']; -$dogname = $_POST['curname']; +$dogid = XoopsRequest::getInt('dogid', 0, 'post'); +$dogname = XoopsRequest::getString('curname', '', 'post'); if (!empty($dogname)) { $queryString = "SELECT * from " . $xoopsDB->prefix("pedigree_tree") . " WHERE ID=" . $dogid; diff --git a/dog.php b/dog.php index 3239352..0bac8bb 100644 --- a/dog.php +++ b/dog.php @@ -55,7 +55,7 @@ $myts = MyTextSanitizer::getInstance(); if (isset($_GET['id'])) { - $id = $_GET['id']; + $id = XoopsRequest::getInt('id', 0, 'get'); } else { echo "No dog has been selected"; die(); diff --git a/edit.php b/edit.php index cc342eb..ffe70be 100644 --- a/edit.php +++ b/edit.php 
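Review bot: `isset($_GET['id'])` no longer guarantees a usable id: a non-numeric `id` passes the isset test and `XoopsRequest::getInt('id', 0, 'get')` then yields 0, so the "No dog has been selected" branch is bypassed and the page continues with id 0. Assuming 0 is not a valid record id, read the value first and test it instead of the superglobal, `$id = XoopsRequest::getInt('id', 0, 'get'); if ($id <= 0) { echo "No dog has been selected"; die(); }`.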
@@ -57,22 +57,29 @@ function save() } else { $newvalue = uploadedpict(0); } - $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET user" . $fields[$i] . "='" . $newvalue . "' WHERE ID='" . $a . "'"; + $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET user" . $fields[$i] . "='" . $xoopsDB->escape($newvalue) . "' WHERE ID='" . $a . "'"; $xoopsDB->queryF($sql); } } - $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET NAAM = '" . $_POST['NAAM'] . "', roft = '" . $_POST['roft'] . "' WHERE ID='" . $a . "'"; + $NAAM = XoopsRequest::getString('NAAM', '', 'post'); + $roft = XoopsRequest::getString('roft', '', 'post'); + $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET NAAM = '" + . $xoopsDB->escape($NAAM) . "', roft = '" + . $xoopsDB->escape($roft) . "' WHERE ID='" . $a . "'"; $xoopsDB->queryF($sql); $picturefield = $_FILES['photo']['name']; if (empty($picturefield) || $picturefield == "") { //llalalala } else { $foto = uploadedpict(0); - $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET foto='" . $foto . "' WHERE ID='" . $a . "'"; + $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET foto='" + . $xoopsDB->escape($foto) . "' WHERE ID='" . $a . "'"; } $xoopsDB->queryF($sql); if ($moduleConfig['ownerbreeder'] == '1') { - $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET id_owner = '" . $_POST['id_owner'] . "', id_breeder = '" . $_POST['id_breeder'] . "' WHERE ID='" . $a . "'"; + $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET id_owner = '" + . XoopsRequest::getInt('id_owner', 0, 'post') . "', id_breeder = '" + . XoopsRequest::getInt('id_breeder', 0, 'post') . "' WHERE ID='" . $a . "'"; $xoopsDB->queryF($sql); } redirect_header("dog.php?id=" . $a, 2, "Your changes have been saved"); diff --git a/include/checkoutwizard.php b/include/checkoutwizard.php index f0dd978..f188b9c 100644 --- a/include/checkoutwizard.php +++ b/include/checkoutwizard.php 
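Review bot: The `$xoopsDB->queryF($sql);` after the photo `if/else` runs unconditionally, so when no photo was uploaded it re-executes the NAAM/roft UPDATE that was already run two lines earlier; the empty `//llalalala` branch exists only to make that structure work. Invert the condition and move the query inside it, as below, which also avoids the notice from `$_FILES['photo']['name']` when no file field was posted. `$a` in every `WHERE ID='" . $a . "'` is assigned before this hunk, so confirm it is an int there. save() starts outside this hunk.
```php
if (!empty($_FILES['photo']['name'])) {
    $foto = uploadedpict(0);
    $sql = "UPDATE " . $xoopsDB->prefix("pedigree_tree") . " SET foto='"
        . $xoopsDB->escape($foto) . "' WHERE ID='" . $a . "'";
    $xoopsDB->queryF($sql);
}
// … unchanged: ownerbreeder update and redirect …
```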
@@ -415,12 +415,22 @@ function completeCallback() } //Insert new record into pedigree_config - $sql = "INSERT INTO " . $xoopsDB->prefix("pedigree_fields") . " VALUES ('" . $nextfieldnum . "', '1', '" . htmlSpecialChars( - $this->getValue('name') - ) . "', '" . $this->getValue('fieldtype') . "', '" . $lookup . "', '" . $this->getValue('defaultvalue') . "', '" . $this->getValue( - 'explain' - ) . "', '" . $search . "', '" . $Litter . "', '" . $Generallitter . "', '" . $searchname . "', '" . $searchexplain . "', '" . $viewinpedigree . "', '" . $viewinadvanced . "', '" - . $viewinpie . "', '" . $viewinlist . "','','" . $nextfieldnum . "')"; + $sql = "INSERT INTO " . $xoopsDB->prefix("pedigree_fields") . " VALUES ('" . $nextfieldnum . "', '1', '" + . $xoopsDB->escape(htmlSpecialChars($this->getValue('name'))) . "', '" + . $xoopsDB->escape($this->getValue('fieldtype')) . "', '" + . $xoopsDB->escape($lookup) . "', '" + . $xoopsDB->escape($this->getValue('defaultvalue')) . "', '" + . $xoopsDB->escape($this->getValue('explain')) . "', '" + . $xoopsDB->escape($search) . "', '" + . $xoopsDB->escape($Litter) . "', '" + . $xoopsDB->escape($Generallitter) . "', '" + . $xoopsDB->escape($searchname) . "', '" + . $xoopsDB->escape($searchexplain) . "', '" + . $xoopsDB->escape($viewinpedigree) . "', '" + . $xoopsDB->escape($viewinadvanced) . "', '" + . $xoopsDB->escape($viewinpie) . "', '" + . $xoopsDB->escape($viewinlist) . "','','" + . $xoopsDB->escape($nextfieldnum) . "')"; $xoopsDB->queryF($sql); } } diff --git a/include/functions.php b/include/functions.php index 0467de8..368f8c7 100644 --- a/include/functions.php +++ b/include/functions.php 
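Review bot: `$nextfieldnum` is concatenated raw in the first VALUES position (`'" . $nextfieldnum . "', '1', '"`) but escaped in the last one (`$xoopsDB->escape($nextfieldnum)`), which reads as an oversight either way; it is computed before this hunk, and if it is a number the consistent form is `(int) $nextfieldnum` in both places. Storing `htmlSpecialChars($this->getValue('name'))` keeps HTML-encoded text in the database, so any output path that encodes again will double-encode — that is pre-existing, but worth a comment such as `// name is stored HTML-encoded; do not re-encode on output`. completeCallback() starts before this hunk.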
@@ -27,12 +27,15 @@ // Site: http://www.chapi.de // // Project: The XOOPS Project // // ------------------------------------------------------------------------- // -require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/class_field.php"); -require_once(XOOPS_ROOT_PATH . "/modules/" . $xoopsModule->dirname() . "/include/config.php"); + +XoopsLoad::load('xoopsrequest'); +$dirname = basename(dirname(__DIR__)); +require_once(XOOPS_ROOT_PATH . "/modules/" . $dirname . "/include/class_field.php"); +require_once(XOOPS_ROOT_PATH . "/modules/" . $dirname . "/include/config.php"); //get module configuration $module_handler = xoops_getHandler('module'); -$module = $module_handler->getByDirname("pedigree"); +$module = $module_handler->getByDirname($dirname); $config_handler = xoops_getHandler('config'); $moduleConfig = $config_handler->getConfigsByCat(0, $module->getVar('mid')); diff --git a/tools.php b/tools.php index 2983b04..515493d 100644 --- a/tools.php +++ b/tools.php @@ -357,7 +357,8 @@ function savecolours() $col = $_POST['actlink'] . ";" . $_POST['even'] . ";#" . $female . ";" . $_POST['text'] . ";#" . $dark . ";#" . $head . ";" . $_POST['body'] . ";" . $_POST['actlink']; - $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $col . "' WHERE conf_name = 'colourscheme'"; + $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" + . $xoopsDB->escape($col) . "' WHERE conf_name = 'colourscheme'"; $xoopsDB->query($query); redirect_header("tools.php?op=colours", 1, "Your settings have been saved."); } @@ -456,6 +457,7 @@ function togglelocked($field) function lock($field) { global $xoopsDB; + $field = (int) $field; $sql = "UPDATE " . $xoopsDB->prefix("pedigree_fields") . " SET locked = '1' WHERE ID = '" . $field . "'"; $xoopsDB->queryF($sql); 
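Review bot: `XoopsLoad::load('xoopsrequest');` is placed in include/functions.php, yet several files converted in this commit (admin/tools.php, admin/savecolors.php, deletepage.php, deletebreederpage.php, updatepage.php) call `XoopsRequest` and the diff does not show whether each of them includes this file first; please confirm, or load it in each entry script. `$dirname = basename(dirname(__DIR__));` also becomes a global in every page that includes this file, and blocks/menu_block.php defines the same name at file scope, so a short comment here (`// $dirname is shared with every script that includes this file`) would prevent someone later shadowing it. `$module->getVar('mid')` will fail on a false return from `getByDirname()`; that is pre-existing.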
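Review bot: `$col` is still assembled from raw `$_POST['actlink']`, `$_POST['even']`, `$_POST['text']` and `$_POST['body']`, and the new `$xoopsDB->escape($col)` only makes the joined string safe for the UPDATE; the stored value is later split back into colours (blocks/menu_block.php reads `$colors[5]`..`$colors[7]` from it), so anything that is not a colour token ends up in the page markup unchecked. Read each component with `XoopsRequest::getString(..., 'post')` and validate it against a colour pattern before joining, e.g. `if (!preg_match('/^#?[0-9a-fA-F]{3,6}$/', $value)) { redirect_header("tools.php?op=colours", 3, 'Invalid colour'); }` — the exact pattern depends on whether the value already carries the `#`, which differs per field here. savecolours() starts before this hunk.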
@@ -468,6 +470,7 @@ function lock($field) function unlock($field) { global $xoopsDB; + $field = (int) $field; $sql = "UPDATE " . $xoopsDB->prefix("pedigree_fields") . " SET locked = '0' WHERE ID = '" . $field . "'"; $xoopsDB->queryF($sql); @@ -520,6 +523,7 @@ function fieldmove($field, $move) function deluserfield($field) { global $xoopsDB; + $field = (int) $field; $sql = "UPDATE " . $xoopsDB->prefix("pedigree_fields") . " SET isActive = '0' WHERE ID = " . $field; $xoopsDB->queryF($sql); listuserfields(); @@ -531,6 +535,7 @@ function deluserfield($field) function restoreuserfield($field) { global $xoopsDB; + $field = (int) $field; $sql = "UPDATE " . $xoopsDB->prefix("pedigree_fields") . " SET isActive = '1' WHERE ID = " . $field; $xoopsDB->queryF($sql); listuserfields(); @@ -610,9 +615,9 @@ function lookupmove($field, $id, $move) $nextid = $values[$arraylocation - 1]['id']; $nextorder = $values[$arraylocation - 1]['orderof']; } - $sql = "UPDATE `draaf_pedigree_lookup" . $field . "` SET `order` = '" . $nextorder . "' WHERE `ID` = '" . $id . "'"; + $sql = "UPDATE `draaf_pedigree_lookup" . $field . "` SET `order` = '" . $nextorder . "' WHERE `ID` = '" . (int) $id . "'"; $xoopsDB->queryF($sql); - $sql = "UPDATE `draaf_pedigree_lookup" . $field . "` SET `order` = '" . $currentorder . "' WHERE `ID` = '" . $nextid . "'"; + $sql = "UPDATE `draaf_pedigree_lookup" . $field . "` SET `order` = '" . $currentorder . "' WHERE `ID` = '" . (int) $nextid . "'"; $xoopsDB->queryF($sql); editlookup($field); } 
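Review bot: In lookupmove() the two UPDATEs now cast `$id` and `$nextid` but still splice `$field` into the table name (`"UPDATE \`draaf_pedigree_lookup" . $field . "\`"`) without a cast, so the identifier is the one part of the statement that remains unconstrained; the same pair of omissions (`prefix("pedigree_lookup" . $field)` and `WHERE ID = " . $id`) is in savelookupvalue() in the next hunk. Add `$field = (int) $field; $id = (int) $id;` at the top of both functions, matching what this commit already does in lock()/unlock()/deluserfield(). The hard-coded `draaf_` prefix should also become `$xoopsDB->prefix("pedigree_lookup" . $field)` as savelookupvalue() does, since it breaks on any installation with a different table prefix.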
@@ -641,7 +646,8 @@ function editlookupvalue($field, $id) function savelookupvalue($field, $id) { global $xoopsDB; - $SQL = "UPDATE " . $xoopsDB->prefix("pedigree_lookup" . $field) . " SET value = '" . $_POST['value'] . "' WHERE ID = " . $id; + $value = $xoopsDB->escape(XoopsRequest::getString('value', '', 'post')); + $SQL = "UPDATE " . $xoopsDB->prefix("pedigree_lookup" . $field) . " SET value = '" . $value . "' WHERE ID = " . $id; $xoopsDB->queryF($SQL); redirect_header("tools.php?op=editlookup&id=" . $field, 2, "The value has been saved."); } @@ -658,7 +664,7 @@ function dellookupvalue($field, $id) $userfield = new Field($field, $animal->getconfig()); $fieldType = $userfield->getSetting("FieldType"); $fieldobject = new $fieldType($userfield, $animal); - $default = $fieldobject->defaultvalue; + $default = $xoopsDB->escape($fieldobject->defaultvalue); if ($default == $id) { redirect_header("tools.php?op=editlookup&id=" . $field, 3, _MA_PEDIGREE_NO_DELETE . $fieldobject->fieldname); } @@ -1132,7 +1138,7 @@ function restore($id) while ($row = $xoopsDB->fetchArray($result)) { foreach ($row as $key => $values) { - $queryvalues .= "'" . $values . "',"; + $queryvalues .= "'" . $xoopsDB->escape($values) . "',"; } $outgoing = substr_replace($queryvalues, "", -1); $query = "INSERT INTO " . $xoopsDB->prefix("pedigree_tree") . " VALUES (" . $outgoing . ")"; @@ -1201,7 +1207,9 @@ function settingssave() $settings = array('perpage', 'ownerbreeder', 'brothers', 'uselitter', 'pups', 'showwelcome'); foreach ($_POST as $key => $values) { if (in_array($key, $settings)) { - $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" . $values . "' WHERE conf_name = '" . $key . "'"; + $query = "UPDATE " . $xoopsDB->prefix("config") . " SET conf_value = '" + . $xoopsDB->escape($values) . "' WHERE conf_name = '" + . $xoopsDB->escape($key) . "'"; $xoopsDB->query($query); } } diff --git a/updatepage.php b/updatepage.php index 14951e9..94f61d1 100644 --- a/updatepage.php 
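Review bot: `$default = $xoopsDB->escape($fieldobject->defaultvalue);` escapes a value that is only used in the `if ($default == $id)` comparison; escape() adds backslashes, so a default containing a quote or backslash would no longer compare equal, and the comparison is loose to begin with. Keep the raw value for the check (`$default = $fieldobject->defaultvalue;`) and apply escape() only where it is embedded in SQL, which is past the end of this hunk; if both ids are numeric, `if ((int) $default === (int) $id)` is the safer test. dellookupvalue() starts before and ends after this hunk.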
+++ b/updatepage.php @@ -32,22 +32,22 @@ global $xoopsModuleConfig; //possible variables (specific variables are found in the specified IF statement -$dogid = $_POST['dogid']; +$dogid = XoopsRequest::getInt('dogid', 0, 'post'); if (isset($_POST['ownerid'])) { - $dogid = $_POST['ownerid']; + $dogid = XoopsRequest::getInt('ownerid', 0, 'post'); } -$table = $_POST['dbtable']; -$field = $_POST['dbfield']; -$dogname = $_POST['curname']; -$name = $_POST['NAAM']; -$gender = $_POST['roft']; +$table = XoopsRequest::getString('dbtable', '', 'post'); +$field = XoopsRequest::getString('dbfield', '', 'post'); +$field = $xoopsDB->escape('`' . $field . '`'); +$dogname = XoopsRequest::getString('curname', '', 'post'); +$name = XoopsRequest::getString('NAAM', '', 'post'); +$gender = XoopsRequest::getString('roft', '', 'post'); if ('pedigree_' !== substr($table, 0, 9)) { redirect_header(XOOPS_URL, 3, _NOPERM); } -$a = (!isset($_POST['dogid']) ? $a = '' : $a = $_POST['dogid']); -$animal = new Animal($a); +$animal = new Animal($dogid); $fields = $animal->numoffields(); @@ -58,11 +58,11 @@ $currentfield = 'user' . $fields[$i]; $picturefield = $_FILES[$currentfield]['name']; if (empty($picturefield) || $picturefield == "") { - $newvalue = $_POST['user' . $fields[$i]]; + $newvalue = XoopsRequest::getString('user' . $fields[$i], '', 'post'); } else { $newvalue = uploadedpict(0); } - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $newvalue . "' WHERE ID='" . $dogid . "'"; + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $xoopsDB->escape($newvalue) . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $ch = 1; 
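Review bot: `$field = $xoopsDB->escape('`' . $field . '`');` does not make a column name safe: escape() is the string-literal escaper and does not touch backticks, so a `dbfield` value containing a backtick still closes the identifier and the rest of the value becomes part of the SET clause. Inside backticks the only escaping is doubling the backtick, `$field = '`' . str_replace('`', '``', $field) . '`';`, and better still compare `$field` against the fixed set of columns this page updates. The table check `'pedigree_' !== substr($table, 0, 9)` is a prefix test rather than an allow-list; `if (!in_array($table, ['pedigree_tree', 'pedigree_owner'], true))` is what the rest of the file appears to assume. `new Animal($dogid)` now receives 0 where the old code passed `''` when dogid was absent; confirm Animal handles 0 the same way.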
@@ -72,15 +72,15 @@ //name if (!empty($name)) { - $curval = $_POST['curvalname']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $name . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalname', '', 'post'); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $xoopsDB->escape($name) . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $ch = 1; } //owner if (isset($_POST['id_owner'])) { - $curval = $_POST['curvaleig']; + $curval = XoopsRequest::getInt('curvaleig', 0, 'post'); $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['id_owner'] . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); 
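Review bot: The owner branch still builds its UPDATE from the raw `$_POST['id_owner']` while the breeder branch in the next hunk was converted to `XoopsRequest::getInt('id_breeder', 0, 'post')`; this looks like a missed line rather than a choice, since the two branches are otherwise identical. Change it to `$sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . XoopsRequest::getInt('id_owner', 0, 'post') . "' WHERE ID='" . $dogid . "'";`. `$curval` is assigned in both branches but not used inside this hunk; if nothing after it reads the value, the assignment can go.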
@@ -88,30 +88,33 @@ } //breeder if (isset($_POST['id_breeder'])) { - $curval = $_POST['curvalfok']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['id_breeder'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getInt('curvalfok', 0, 'post'); + $id_breeder = XoopsRequest::getInt('id_breeder', 0, 'post'); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $id_breeder . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $ch = 1; } //gender if (!empty($_POST['roft']) || $_POST['roft'] == '0') { - $curval = $_POST['curvalroft']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['roft'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getInt('curvalroft', 0, 'post'); + $roft = XoopsRequest::getInt('roft', 0, 'post'); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $roft . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $ch = 1; } //sire - dam if (isset($_GET['gend'])) { - $curval = $_GET['curval']; + $curval = XoopsRequest::getInt('curval', 0, 'get'); + $thisid = XoopsRequest::getInt('thisid', 0, 'get'); //$curname = getname($curval); $table = "pedigree_tree"; if ($_GET['gend'] == '0') { - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET father='" . $_GET['thisid'] . "' WHERE ID='" . $curval . "'"; + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET father='" . $thisid . "' WHERE ID='" . $curval . "'"; $xoopsDB->queryF($sql); } else { - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET mother='" . $_GET['thisid'] . "' WHERE ID='" . $curval . "'"; + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET mother='" . $thisid . "' WHERE ID='" . $curval . "'"; $xoopsDB->queryF($sql); } 
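Review bot: The gender branch still keys on `!empty($_POST['roft']) || $_POST['roft'] == '0'`, a raw superglobal read plus a loose comparison, even though `$gender = XoopsRequest::getString('roft', '', 'post')` was already computed at the top of the file; assuming getString returns the posted value unchanged, `if ($gender !== '') {` expresses the same condition without the notice when `roft` is absent. `$_GET['gend'] == '0'` in the sire/dam branch is the same pattern and can be read once with `XoopsRequest::getInt('gend', 0, 'get')` alongside the new `$curval`/`$thisid` lines. Note that `$table = "pedigree_tree";` here overrides the `$table` validated earlier, which is fine but worth a one-line comment.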
@@ -120,9 +123,9 @@ } //picture if ($_POST['dbfield'] == 'foto') { - $curval = $_POST['curvalpic']; + $curval = XoopsRequest::getString('curvalpic', '', 'post'); $foto = uploadedpict(0); - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET foto='" . $foto . "' WHERE ID='" . $dogid . "'"; + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET foto='" . $xoopsDB->escape($foto) . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $ch = 1; 
@@ -131,64 +134,75 @@ //owner //lastname if (isset($_POST['naaml'])) { - $curval = $_POST['curvalnamel']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['naaml'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalnamel', '', 'post'); + $naaml = XoopsRequest::getString('naaml', '', 'post'); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" + . $xoopsDB->escape($naaml) . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //firstname if (isset($_POST['naamf'])) { - $curval = $_POST['curvalnamef']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['naamf'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalnamef', '', 'post'); + $naaml = XoopsRequest::getString('naamf', '', 'post'); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" + . $xoopsDB->escape($naamf) . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //streetname if (isset($_POST['street'])) { - $curval = $_POST['curvalstreet']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['street'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalstreet', '', 'post'); + $street = $xoopsDB->escape(XoopsRequest::getString('street', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $street . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //housenumber if (isset($_POST['housenumber'])) { - $curval = $_POST['curvalhousenumber']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['housenumber'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalhousenumber', '', 'post'); + $housenumber = $xoopsDB->escape(XoopsRequest::getString('housenumber', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $housenumber . "' WHERE ID='" . 
$dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //postcode if (isset($_POST['postcode'])) { - $curval = $_POST['curvalpostcode']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['postcode'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalpostcode', '', 'post'); + $postcode = $xoopsDB->escape(XoopsRequest::getString('postcode', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $postcode . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //city if (isset($_POST['city'])) { - $curval = $_POST['curvalcity']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['city'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalcity', '', 'post'); + $city = $xoopsDB->escape(XoopsRequest::getString('city', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $city . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //phonenumber if (isset($_POST['phonenumber'])) { - $curval = $_POST['curvalphonenumber']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['phonenumber'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalphonenumber', '', 'post'); + $phonenumber = $xoopsDB->escape(XoopsRequest::getString('phonenumber', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $phonenumber . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //email if (isset($_POST['email'])) { - $curval = $_POST['curvalemail']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['email'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalemail', '', 'post'); + $email = $xoopsDB->escape(XoopsRequest::getEmail('email', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $email . 
"' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } //website if (isset($_POST['web'])) { - $curval = $_POST['curvalweb']; - $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $_POST['web'] . "' WHERE ID='" . $dogid . "'"; + $curval = XoopsRequest::getString('curvalweb', '', 'post'); + $web = $xoopsDB->escape(XoopsRequest::getUrl('web', '', 'post')); + $sql = "UPDATE " . $xoopsDB->prefix($table) . " SET " . $field . "='" . $web . "' WHERE ID='" . $dogid . "'"; $xoopsDB->queryF($sql); $chow = 1; } @@ -200,7 +214,7 @@ redirect_header("owner.php?ownid=" . $dogid, 1, _MD_DATACHANGED); } else { foreach ($_POST as $key => $values) { - $filesval .= $key . " : " . $values . "
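Review bot: The firstname branch assigns the posted value to the wrong variable: `$naaml = XoopsRequest::getString('naamf', '', 'post');` followed by `$xoopsDB->escape($naamf)` in the UPDATE, so `$naamf` is undefined, the first name is written as `''` and a notice is raised. It should read `$naamf = XoopsRequest::getString('naamf', '', 'post');`. Also note that `XoopsRequest::getEmail()` and `XoopsRequest::getUrl()` return `''` for a malformed value, so in the email and website branches an invalid entry silently blanks the stored field rather than being reported; a check that the posted value was non-empty before overwriting would avoid data loss.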
"; + $filesval .= $key . " : " . XoopsRequest::getString($values) . "
"; } redirect_header("dog.php?id=" . $dogid, 15, 'ERROR!!
' . $filesval);