Merge remote branch 'origin/develop' into develop

framework/core/expFramework.php

@@ -174,11 +174,11 @@ function redirect_to($params=array(), $secure=false) {
     exit();
 }   
 
-function flash($name, $msg="") {
+function flash($name, $msg) {
     expQueue::flash($name, $msg);
 }
 
-function flashAndFlow($name, $msg="") {
+function flashAndFlow($name, $msg) {
     expQueue::flashAndFlow($name, $msg);
 }
 

framework/core/subsystems/expQueue.php

@@ -40,19 +40,19 @@ public function isEmpty() {
 		expQueue::isQueueEmpty();
 	}
 
-	static function flash($name, $msg="") {
+	static function flash($name, $msg) {
         	$flash = exponent_sessions_get('flash');
 	        if(empty($flash[$name])) $flash[$name]  = $msg;           
 	        else $flash[$name] .= "<br/><br/>" . $msg;
 	        exponent_sessions_set('flash', $flash);
     	}
 
-	static function flashAndFlow($name, $msg="") {
+	static function flashAndFlow($name, $msg) {
     		flash($name, $msg);
 	    	expHistory::back();
 	}
 
-	static function flashIfNotLoggedIn($name, $msg="") {
+	static function flashIfNotLoggedIn($name, $msg) {
 		global $user;
 		if (!$user->isLoggedIn()) self::flashAndFlow($name, $msg);
 	}

framework/modules/ecommerce/controllers/billingController.php

@@ -88,7 +88,7 @@ public function activate(){
 	        $calc = new billingcalculator($this->params['id']);
 	        $calc->update($this->params);
 	        if ($calc->calculator->hasConfig() && empty($calc->config)) {
-	            flash('messages', $calc->calculator->name().' requires configuration. Please do so now.');
+	            flash('message', $calc->calculator->name().' requires configuration. Please do so now.');
 	            redirect_to(array('controller'=>'billing', 'action'=>'configure', 'id'=>$calc->id));
 	        }
 	    }

framework/modules/ecommerce/controllers/storeController.php

@@ -1206,13 +1206,14 @@ private function parseAndTrim($str, $unescape=false)
         $str = str_replace("�","¾",$str);
         if ($unescape) $str = stripcslashes(trim(str_replace("�", "™", $str)));  
         else {
-	        if (DB_ENGINE=='mysqli') {
-		        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "™", $str)));
-	        } elseif(DB_ENGINE=='mysql') {
-	            $str = @mysql_real_escape_string(trim(str_replace("�", "™", $str)),$db->connection);
-	        } else {
-		        $str = trim(str_replace("�", "™", $str));
-	        }
+//	        if (DB_ENGINE=='mysqli') {
+//		        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "™", $str)));
+//	        } elseif(DB_ENGINE=='mysql') {
+//	            $str = @mysql_real_escape_string(trim(str_replace("�", "™", $str)),$db->connection);
+//	        } else {
+//		        $str = trim(str_replace("�", "™", $str));
+//	        }
+	        $str = @$db->escapeString(trim(str_replace("�", "™", $str)));
         }
         //echo "2<br>"; eDebug($str,die);
         return $str;

framework/modules/report/controllers/reportController.php

@@ -1132,13 +1132,14 @@ public static function parseAndTrimImport($str,$isHTML = false)
         $str = str_replace("�","¾",$str);
         //$str = htmlspecialchars($str);
         //$str = utf8_encode($str);
-        if (DB_ENGINE=='mysqli') {
-	        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "™", $str)));
-        } elseif(DB_ENGINE=='mysql') {
-            $str = @mysql_real_escape_string(trim(str_replace("�", "™", $str)),$db->connection);
-        } else {
-	        $str = trim(str_replace("�", "™", $str));
-        }
+//        if (DB_ENGINE=='mysqli') {
+//	        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "™", $str)));
+//        } elseif(DB_ENGINE=='mysql') {
+//            $str = @mysql_real_escape_string(trim(str_replace("�", "™", $str)),$db->connection);
+//        } else {
+//	        $str = trim(str_replace("�", "™", $str));
+//        }
+        $str = @$db->escapeString($db->connection,trim(str_replace("�", "™", $str)));
         //echo "2<br>"; eDebug($str,die);
         return $str;
     }
@@ -1165,13 +1166,14 @@ public static function parseAndTrim($str,$isHTML = false)
         $str = str_replace("�","&#190;",$str);
         //$str = htmlspecialchars($str);
         //$str = utf8_encode($str);
-        if (DB_ENGINE=='mysqli') {
-	        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "&trade;", $str)));
-        } elseif(DB_ENGINE=='mysql') {
-            $str = @mysql_real_escape_string(trim(str_replace("�", "&trade;", $str)),$db->connection);
-        } else {
-	        $str = trim(str_replace("�", "&trade;", $str));
-        }
+//        if (DB_ENGINE=='mysqli') {
+//	        $str = @mysqli_real_escape_string($db->connection,trim(str_replace("�", "&trade;", $str)));
+//        } elseif(DB_ENGINE=='mysql') {
+//            $str = @mysql_real_escape_string(trim(str_replace("�", "&trade;", $str)),$db->connection);
+//        } else {
+//	        $str = trim(str_replace("�", "&trade;", $str));
+//        }
+        $str = @$db->escapeString($db->connection,trim(str_replace("�", "&trade;", $str)));
         //echo "2<br>"; eDebug($str,die);
         return $str;
     }

install/index.php

@@ -27,7 +27,8 @@
 include_once('../exponent.php');
 
 if (!file_exists('not_configured') && file_exists(BASE.'conf/config.php')) {
-	header('Location: ../index.php');
+//	header('Location: ../index.php');
+	header('Location: ./pages/final.php');  // take us to the final install/upgrade page
 	exit('This Exponent Site has already been configured.');
 }
 

install/pages/install-7.php

@@ -28,7 +28,7 @@
 	echo $i18n['bad_username'];
 } else {
     if (expValidator::validate_email_address($_POST['email']) == false) {
-        flash('You must supply a valid email address.');
+        flash('error','You must supply a valid email address.');
         header('Location: index.php?page=install-6&erremail=true');
         exit();
     }

install/pages/save_admin.php

@@ -28,7 +28,7 @@
 	echo $i18n['bad_username'];
 } else {
     if (expValidator::validate_email_address($_POST['email']) == false) {
-        flash('You must supply a valid email address.');
+        flash('error','You must supply a valid email address.');
         header('Location: index.php?page=admin_user&erremail=true');
         exit();
     }

install/pages/upgrade-1.php

@@ -28,13 +28,13 @@
 "); ?>
 </p>
 <p>
-<?php //echo gt("
-//Next, we'll <a href=\"http://docs.exponentcms.org/docs/current/install-tables\" target=\"_blank\">Install Tables</a>, and run through any upgrade scripts needed to bring your code and database up to date.
-//"); ?>
-<!--</p>-->
-<!--<a class="awesome large green" href="?page=upgrade-2">--><?php //echo gt("Continue to Install Tables"); ?><!--</a>-->
 <?php echo gt("
-Next, we'll run through any upgrade scripts needed to bring your code and database up to date.
+Next, we'll <a href=\"http://docs.exponentcms.org/docs/current/install-tables\" target=\"_blank\">Install Tables</a>, and then run through any upgrade scripts needed to bring your code and database up to date.
 "); ?>
 </p>
-<a class="awesome large green" href="?page=upgrade-3"><?php echo gt('Continue Upgrade') ?></a>
+<a class="awesome large green" href="?page=upgrade-2"><?php echo gt("Continue to Install Tables"); ?></a>
+<?php //echo gt("
+//Next, we'll run through any upgrade scripts needed to bring your code and database up to date.
+//"); ?>
+<!--</p>-->
+<!--<a class="awesome large green" href="?page=upgrade-3">--><?php //echo gt('Continue Upgrade') ?><!--</a>-->

install/pages/upgrade-2.php

@@ -76,7 +76,7 @@
             if (file_exists($dirpath)) {
                 $def_dir = opendir($dirpath);
                 while (($def = readdir($def_dir)) !== false) {
-                    eDebug("$dirpath/$def");
+//                    eDebug("$dirpath/$def");
     				if (is_readable("$dirpath/$def") && is_file("$dirpath/$def") && substr($def,-4,4) == ".php" && substr($def,-9,9) != ".info.php") {
     					$tablename = substr($def,0,-4);
     					$dd = include("$dirpath/$def");
@@ -138,7 +138,7 @@
 		</div>
 		 <?php } elseif ($statusnum == TMP_TABLE_INSTALLED) {  ?>
 		<div style="color: green; font-weight: bold">
-			<?php echo gt('Succeeded') ?>
+			<?php echo gt('Added') ?>
 		</div>
         <?php } elseif ($statusnum == TMP_TABLE_FAILED) {  ?>
 		<div style="color: red; font-weight: bold">
@@ -160,7 +160,7 @@
 	$line++;
 	}
 ?>
- <tbody>
+ </tbody>
 </table>
 <?php
 }

install/upgrades/install_tables.php

@@ -23,7 +23,7 @@
  * @package Installation
  */
 class install_tables extends upgradescript {
-	protected $from_version = '0.96.3';
+//	protected $from_version = '0.96.3';
 //	protected $to_version = '1110.97.0'; //set this to something ridiculously high so it always runs
 
 	/**

modules/calendarmodule/actions/search.php

@@ -39,7 +39,8 @@
 if (!defined("SYS_DATETIME")) include_once(BASE."subsystems/datetime.php");
 if (isset($_GET['categoryid'])) $xsearch = " AND category_id='" . $_GET['categoryid'] ."'";
 //$o = $db->selectObjects("calendar","title='".mysql_escape_string(trim($_GET['title']))."'" . $xsearch);
-$o = $db->selectObjects("calendar","title='".mysqli_real_escape_string(trim($_GET['title']))."'" . $xsearch);
+//$o = $db->selectObjects("calendar","title='".mysqli_real_escape_string(trim($_GET['title']))."'" . $xsearch);
+$o = $db->selectObjects("calendar","title='".$db->escapeString(trim($_GET['title']))."'" . $xsearch);
 for ($j = 0; $j < count($o); $j++) {
 	$o[$j]->dates = $db->selectObjects("eventdate","event_id=".$o[$j]->id);
 	foreach ($o[$j]->dates as $key=>$date){

modules/formbuilder/actions/submit_form.php

@@ -50,13 +50,14 @@
         $emailValue = htmlspecialchars_decode(call_user_func(array($control_type,'parseData'),$c->name,$_POST,true));
         //$value = mysql_escape_string($emailValue);
 
-        if (DB_ENGINE=='mysqli') {
-            $value = stripslashes(mysqli_real_escape_string($db->connection,$emailValue));
-        } elseif(DB_ENGINE=='mysql') {
-            $value = stripslashes(mysql_real_escape_string($emailValue,$db->connection));
-        } else {
-            $value = $emailValue;
-        }
+//        if (DB_ENGINE=='mysqli') {
+//            $value = stripslashes(mysqli_real_escape_string($db->connection,$emailValue));
+//        } elseif(DB_ENGINE=='mysql') {
+//            $value = stripslashes(mysql_real_escape_string($emailValue,$db->connection));
+//        } else {
+//            $value = $emailValue;
+//        }
+        $value = stripslashes($db->escapeString($emailValue));
 
         //eDebug($value);
         $varname = $c->name;

phpdoc.ini

@@ -89,11 +89,11 @@ directory = .
 ;; legal values: any wildcard strings separated by commas
 ;; remember, this pathing is RELATIVE to the top-most directory in your "directory" value
 ;ignore = path/to/ignore*,*list.php,myfile.php,subdirectory/
-ignore = external/,tmp/
+ignore = external/,tmp/,framework/modules/pixidou/
 
 ;; comma-separated list of Converters to use in outputformat:Convertername:templatedirectory format
 ;; legal values: HTML:frames:default,HTML:frames:l0l33t,HTML:frames:phpdoc.de,HTML:frames:phphtmllib,
-;;               HTML:frames:earthli,
+;;               HTML:frames:earthli, HTML:frames:phpedit,
 ;;               HTML:frames:DOM/default,HTML:frames:DOM/l0l33t,HTML:frames:DOM/phpdoc.de,
 ;;               HTML:frames:DOM/phphtmllib,HTML:frames:DOM/earthli
 ;;               HTML:Smarty:default,HTML:Smarty:PHP,HTML:Smarty:HandS

subsystems/database/mysqli.php

@@ -65,7 +65,7 @@ function connect ($username, $password, $hostname, $database, $new=false) {
 
 		//As we do not have any setting for ISAM or InnoDB tables yet, i set the minimum specs
 		// for using this feature to 4.1.2, although isam tables got the support for utf8 already in 4.1
-		//anything else would result in an inconsitent user experience
+		//anything else would result in an inconsistent user experience
 		//TODO: determine how to handle encoding on postgres
 
 		list($major, $minor, $micro) = sscanf(mysqli_get_server_info($this->connection), "%d.%d.%d-%s");
@@ -499,15 +499,16 @@ function toggle($table, $col, $where=null) {
         $obj->$col = ($obj->$col == 0) ? 1 : 0;
         $this->updateObject($obj, $table);
     }
-
-    /**
-     * Update a column in all records in a table
-     *
-     * @param  $table
-     * @param  $col
-     * @param null $where
-     * @return void
-     */
+
+	/**
+	 * Update a column in all records in a table
+	 *
+	 * @param  $table
+	 * @param  $col
+	 * @param $val
+	 * @param int|null $where
+	 * @return void
+	 */
     function columnUpdate($table, $col, $val, $where=1) {         
         $res = @mysqli_query($this->connection, "UPDATE `" . $this->prefix . "$table` SET `$col`='" . $val . "' WHERE $where");
         /*if ($res == null)
@@ -517,12 +518,12 @@ function columnUpdate($table, $col, $val, $where=1) {
             $objects[] = mysqli_fetch_object($res);*/
         //return $objects;
     }
-    
+
 	/**
 	 * @param  $object
 	 * @param  $table
 	 * @param  $col
-	 * @param null $where
+	 * @param int|null $where
 	 * @return bool
 	 */
     function setUniqueFlag($object, $table, $col, $where=1) {
@@ -898,15 +899,23 @@ function selectObject($table, $where) {
             return null;
         return mysqli_fetch_object($res);
     }
-
-    function lockTable($table,$lockType="WRITE") {
+
+	/**
+	 * @param $table
+	 * @param string $lockType
+	 * @return mixed
+	 */
+	function lockTable($table,$lockType="WRITE") {
         $sql = "LOCK TABLES `" . $this->prefix . "$table` $lockType";
 
         $res = mysqli_query($this->connection, $sql); 
         return $res;
     }
-
-    function unlockTables() {
+
+	/**
+	 * @return mixed
+	 */
+	function unlockTables() {
         $sql = "UNLOCK TABLES";
 
         $res = mysqli_query($this->connection, $sql);
@@ -1345,6 +1354,15 @@ function inError() {
         return ($this->connection != null && mysqli_errno($this->connection) != 0);
     }
 
+	/**
+	 * Unescape a string based on the database connection
+	 * @param $string
+	 * @return string
+	 */
+	function escapeString($string) {
+	    return (mysqli_real_escape_string($this->connection, $string));
+	}
+
 	/**
 	 * Create a SQL "limit" phrase
 	 *
@@ -1438,18 +1456,20 @@ function selectArray($table, $where = null, $orderby = null, $is_revisioned=fals
         return mysqli_fetch_assoc($res);
     }
 
-    /**
-     * Select a records from the database
+	/**
+	 * Select a records from the database
+	 * @param string $table The name of the table/object to look at
+	 * @param string $where Criteria used to narrow the result set.  If this
+	 *   is specified as null, then no criteria is applied, and all objects are
+	 *   returned
+	 * @param  $classname
+	 * @param bool $get_assoc
+	 * @param bool $get_attached
+	 * @param array $except
+	 * @param bool $cascade_except
 
-     * @param string $table The name of the table/object to look at
-     * @param string $where Criteria used to narrow the result set.  If this
-     *   is specified as null, then no criteria is applied, and all objects are
-     *   returned
-     * @param  $classname
-     * @param bool $get_assoc
-     * @param bool $get_attached
-     * @return array
-     */
+	 * @return array
+	 */
     function selectExpObjects($table, $where=null, $classname, $get_assoc=true, $get_attached=true, $except=array(), $cascade_except=false) {
         if ($where == null) $where = "1";        
         $sql = "SELECT * FROM `" . $this->prefix . "$table` WHERE $where";
@@ -1651,7 +1671,11 @@ function selectNestedNodeChildren($table, $node=null) {
         return $children;
 	}
 
-	/* This function returns all the text columns in the given table */
+	/**
+	 * This function returns all the text columns in the given table
+	 * @param $table
+	 * @return array
+	 */
 	function getTextColumns($table) {
 		$sql = "SHOW COLUMNS FROM " . $this->prefix.$table . " WHERE type = 'text' OR type like 'varchar%'";
 		$res = @mysqli_query($this->connection, $sql);