- merge rev 2765,2769 from branch 2.0
* 2765 mysql potential injection paranoia + code compaction in common.inc.php * 2769 added an image sort order by privacy level (admins only) * 2769 fix an IE6 display issue with quick search on index page git-svn-id: http://piwigo.org/svn/trunk@2770 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
rvelices
parent
faa543851b
commit
90be9fbb84
5 changed files with 25 additions and 65 deletions
|
|
@ -36,64 +36,21 @@ set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
|
||||||
//
|
//
|
||||||
if( !get_magic_quotes_gpc() )
|
if( !get_magic_quotes_gpc() )
|
||||||
{
|
{
|
||||||
|
function sanitize_mysql_kv(&$v, $k)
|
||||||
|
{
|
||||||
|
$v = addslashes($v);
|
||||||
|
}
|
||||||
if( is_array( $_GET ) )
|
if( is_array( $_GET ) )
|
||||||
{
|
{
|
||||||
while( list($k, $v) = each($_GET) )
|
array_walk_recursive( $_GET, 'sanitize_mysql_kv' );
|
||||||
{
|
|
||||||
if( is_array($_GET[$k]) )
|
|
||||||
{
|
|
||||||
while( list($k2, $v2) = each($_GET[$k]) )
|
|
||||||
{
|
|
||||||
$_GET[$k][$k2] = addslashes($v2);
|
|
||||||
}
|
}
|
||||||
@reset($_GET[$k]);
|
if( is_array( $_POST ) )
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
$_GET[$k] = addslashes($v);
|
array_walk_recursive( $_POST, 'sanitize_mysql_kv' );
|
||||||
}
|
}
|
||||||
}
|
if( is_array( $_COOKIE ) )
|
||||||
@reset($_GET);
|
|
||||||
}
|
|
||||||
|
|
||||||
if( is_array($_POST) )
|
|
||||||
{
|
{
|
||||||
while( list($k, $v) = each($_POST) )
|
array_walk_recursive( $_COOKIE, 'sanitize_mysql_kv' );
|
||||||
{
|
|
||||||
if( is_array($_POST[$k]) )
|
|
||||||
{
|
|
||||||
while( list($k2, $v2) = each($_POST[$k]) )
|
|
||||||
{
|
|
||||||
$_POST[$k][$k2] = addslashes($v2);
|
|
||||||
}
|
|
||||||
@reset($_POST[$k]);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$_POST[$k] = addslashes($v);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@reset($_POST);
|
|
||||||
}
|
|
||||||
|
|
||||||
if( is_array($_COOKIE) )
|
|
||||||
{
|
|
||||||
while( list($k, $v) = each($_COOKIE) )
|
|
||||||
{
|
|
||||||
if( is_array($_COOKIE[$k]) )
|
|
||||||
{
|
|
||||||
while( list($k2, $v2) = each($_COOKIE[$k]) )
|
|
||||||
{
|
|
||||||
$_COOKIE[$k][$k2] = addslashes($v2);
|
|
||||||
}
|
|
||||||
@reset($_COOKIE[$k]);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$_COOKIE[$k] = addslashes($v);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@reset($_COOKIE);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ( !empty($_SERVER["PATH_INFO"]) )
|
if ( !empty($_SERVER["PATH_INFO"]) )
|
||||||
|
|
|
||||||
|
|
@ -273,7 +273,8 @@ function get_category_preferred_image_orders()
|
||||||
l10n('Rank'),
|
l10n('Rank'),
|
||||||
'rank ASC',
|
'rank ASC',
|
||||||
('categories' == @$page['section'] and !isset($page['flat']) and !isset($page['chronology_field']) )
|
('categories' == @$page['section'] and !isset($page['flat']) and !isset($page['chronology_field']) )
|
||||||
)
|
),
|
||||||
|
array( l10n('permissions'), 'level DESC', is_admin() )
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -187,6 +187,7 @@ function ws_caddie_add($params, &$service)
|
||||||
{
|
{
|
||||||
return new PwgError(401, 'Access denied');
|
return new PwgError(401, 'Access denied');
|
||||||
}
|
}
|
||||||
|
$params['image_id'] = array_map( 'intval',$params['image_id'] );
|
||||||
if ( empty($params['image_id']) )
|
if ( empty($params['image_id']) )
|
||||||
{
|
{
|
||||||
return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id");
|
return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id");
|
||||||
|
|
@ -291,7 +292,7 @@ SELECT i.*, GROUP_CONCAT(category_id) cat_ids
|
||||||
AND ', $where_clauses).'
|
AND ', $where_clauses).'
|
||||||
GROUP BY i.id
|
GROUP BY i.id
|
||||||
'.$order_by.'
|
'.$order_by.'
|
||||||
LIMIT '.$params['per_page']*$params['page'].','.$params['per_page'];
|
LIMIT '.(int)($params['per_page']*$params['page']).','.(int)$params['per_page'];
|
||||||
|
|
||||||
$result = pwg_query($query);
|
$result = pwg_query($query);
|
||||||
while ($row = mysql_fetch_assoc($result))
|
while ($row = mysql_fetch_assoc($result))
|
||||||
|
|
@ -683,8 +684,8 @@ SELECT id, date, author, content
|
||||||
FROM '.COMMENTS_TABLE.'
|
FROM '.COMMENTS_TABLE.'
|
||||||
WHERE '.$where_comments.'
|
WHERE '.$where_comments.'
|
||||||
ORDER BY date
|
ORDER BY date
|
||||||
LIMIT '.$params['comments_per_page']*(int)$params['comments_page'].
|
LIMIT '.(int)($params['comments_per_page']*$params['comments_page']).
|
||||||
','.$params['comments_per_page'];
|
','.(int)$params['comments_per_page'];
|
||||||
|
|
||||||
$result = pwg_query($query);
|
$result = pwg_query($query);
|
||||||
while ($row = mysql_fetch_assoc($result))
|
while ($row = mysql_fetch_assoc($result))
|
||||||
|
|
@ -857,6 +858,7 @@ function ws_images_setPrivacyLevel($params, &$service)
|
||||||
{
|
{
|
||||||
return new PwgError(401, 'Access denied');
|
return new PwgError(401, 'Access denied');
|
||||||
}
|
}
|
||||||
|
$params['image_id'] = array_map( 'intval',$params['image_id'] );
|
||||||
if ( empty($params['image_id']) )
|
if ( empty($params['image_id']) )
|
||||||
{
|
{
|
||||||
return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id");
|
return new PwgError(WS_ERR_INVALID_PARAM, "Invalid image_id");
|
||||||
|
|
@ -1342,7 +1344,7 @@ SELECT DISTINCT i.* FROM '.IMAGES_TABLE.' i
|
||||||
WHERE '. implode('
|
WHERE '. implode('
|
||||||
AND ', $where_clauses).'
|
AND ', $where_clauses).'
|
||||||
'.$order_by.'
|
'.$order_by.'
|
||||||
LIMIT '.$params['per_page']*$params['page'].','.$params['per_page'];
|
LIMIT '.(int)($params['per_page']*$params['page']).','.(int)$params['per_page'];
|
||||||
|
|
||||||
$result = pwg_query($query);
|
$result = pwg_query($query);
|
||||||
while ($row = mysql_fetch_assoc($result))
|
while ($row = mysql_fetch_assoc($result))
|
||||||
|
|
|
||||||
|
|
@ -197,7 +197,7 @@ if ( $page['section']=='search' and $page['start']==0 and
|
||||||
$hints = array();
|
$hints = array();
|
||||||
foreach ( $cats as $cat )
|
foreach ( $cats as $cat )
|
||||||
{
|
{
|
||||||
$hints[] = get_cat_display_name( array($cat) );
|
$hints[] = get_cat_display_name( array($cat), '', false );
|
||||||
}
|
}
|
||||||
$template->assign( 'category_search_results', $hints);
|
$template->assign( 'category_search_results', $hints);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -32,19 +32,19 @@
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if isset($U_MODE_FLAT) }
|
{if isset($U_MODE_FLAT) }
|
||||||
<li><a href="{$U_MODE_FLAT}" title="{'mode_flat_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/flat.png" class="button" alt="{'mode_flat_hint'|@translate}"></a></li>
|
<li><a href="{$U_MODE_FLAT}" title="{'mode_flat_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/flat.png" class="button" alt="{'mode_flat_hint'|@translate}" /></a></li>
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if isset($U_MODE_NORMAL) }
|
{if isset($U_MODE_NORMAL) }
|
||||||
<li><a href="{$U_MODE_NORMAL}" title="{'mode_normal_hint'|@translate}"><img src="{$ROOT_URL}{$themeconf.icon_dir}/normal_mode.png" class="button" alt="{'mode_normal_hint'|@translate}"></a></li>
|
<li><a href="{$U_MODE_NORMAL}" title="{'mode_normal_hint'|@translate}"><img src="{$ROOT_URL}{$themeconf.icon_dir}/normal_mode.png" class="button" alt="{'mode_normal_hint'|@translate}" /></a></li>
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if isset($U_MODE_POSTED) }
|
{if isset($U_MODE_POSTED) }
|
||||||
<li><a href="{$U_MODE_POSTED}" title="{'mode_posted_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/calendar.png" class="button" alt="{'mode_posted_hint'|@translate}"></a></li>
|
<li><a href="{$U_MODE_POSTED}" title="{'mode_posted_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/calendar.png" class="button" alt="{'mode_posted_hint'|@translate}" /></a></li>
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if isset($U_MODE_CREATED) }
|
{if isset($U_MODE_CREATED) }
|
||||||
<li><a href="{$U_MODE_CREATED}" title="{'mode_created_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/calendar_created.png" class="button" alt="{'mode_created_hint'|@translate}"></a></li>
|
<li><a href="{$U_MODE_CREATED}" title="{'mode_created_hint'|@translate}" rel="nofollow"><img src="{$ROOT_URL}{$themeconf.icon_dir}/calendar_created.png" class="button" alt="{'mode_created_hint'|@translate}" /></a></li>
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if !empty($PLUGIN_INDEX_ACTIONS)}{$PLUGIN_INDEX_ACTIONS}{/if}
|
{if !empty($PLUGIN_INDEX_ACTIONS)}{$PLUGIN_INDEX_ACTIONS}{/if}
|
||||||
|
|
@ -71,7 +71,7 @@
|
||||||
{if !empty($PLUGIN_INDEX_CONTENT_BEGIN)}{$PLUGIN_INDEX_CONTENT_BEGIN}{/if}
|
{if !empty($PLUGIN_INDEX_CONTENT_BEGIN)}{$PLUGIN_INDEX_CONTENT_BEGIN}{/if}
|
||||||
|
|
||||||
{if !empty($category_search_results) }
|
{if !empty($category_search_results) }
|
||||||
<div style="font-size:16px;text-align:left;margin:10px">{'Category results for'|@translate} <strong>{$QUERY_SEARCH}</strong> :
|
<div style="font-size:16px;margin:10px 16px">{'Category results for'|@translate} <strong>{$QUERY_SEARCH}</strong> :
|
||||||
<em><strong>
|
<em><strong>
|
||||||
{foreach from=$category_search_results item=res name=res_loop}
|
{foreach from=$category_search_results item=res name=res_loop}
|
||||||
{if !$smarty.foreach.res_loop.first} — {/if}
|
{if !$smarty.foreach.res_loop.first} — {/if}
|
||||||
|
|
@ -82,7 +82,7 @@
|
||||||
{/if}
|
{/if}
|
||||||
|
|
||||||
{if !empty($tag_search_results) }
|
{if !empty($tag_search_results) }
|
||||||
<div style="font-size:16px;text-align:left;margin:10px">{'Tag results for'|@translate} <strong>{$QUERY_SEARCH}</strong> :
|
<div style="font-size:16px;margin:10px 16px">{'Tag results for'|@translate} <strong>{$QUERY_SEARCH}</strong> :
|
||||||
<em><strong>
|
<em><strong>
|
||||||
{foreach from=$tag_search_results item=res name=res_loop}
|
{foreach from=$tag_search_results item=res name=res_loop}
|
||||||
{if !$smarty.foreach.res_loop.first} — {/if}
|
{if !$smarty.foreach.res_loop.first} — {/if}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue