author | nikrou <nikrou@piwigo.org> | 2009-06-24 19:00:40 +0000 |
---|---|---|
committer | nikrou <nikrou@piwigo.org> | 2009-06-24 19:00:40 +0000 |
commit | ed7f7a574eeb9b921d4b85c6e8607faac4971a47 (patch) | |
tree | 2da0b667a74771d3f5859b6c1b4c7b590a7421b2 | |
parent | 64c872a83e726ec4d298be479b57dae13fb2c0c6 (diff) |
Fix two problems with Feature 1026:
use of $conf['user_fields']['username'] and $conf['user_fields']['id'] instead of username and id
escape comment content before editing it.
git-svn-id: http://piwigo.org/svn/trunk@3452 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | admin/comments.php | 5 | ||||
-rw-r--r-- | comments.php | 8 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 5 | ||||
-rw-r--r-- | template/yoga/comment_list.tpl | 2 |
4 files changed, 11 insertions, 9 deletions
diff --git a/admin/comments.php b/admin/comments.php index d62b4aca3..cadc3dc67 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -134,12 +134,13 @@ $template->assign( $list = array(); $query = ' -SELECT c.id, c.image_id, c.date, c.author, u.username, c.content, i.path, i.tn_ext +SELECT c.id, c.image_id, c.date, c.author, '. +$conf['user_fields']['username'].' AS username, c.content, i.path, i.tn_ext FROM '.COMMENTS_TABLE.' AS c INNER JOIN '.IMAGES_TABLE.' AS i ON i.id = c.image_id LEFT JOIN '.USERS_TABLE.' AS u - ON u.id = c.author_id + ON u.'.$conf['user_fields']['id'].' = c.author_id WHERE validated = \'false\' ORDER BY c.date DESC ;'; diff --git a/comments.php b/comments.php index f5147e1b4..4fb15642e 100644 --- a/comments.php +++ b/comments.php @@ -101,7 +101,7 @@ if (isset($_GET['cat']) and 0 != $_GET['cat']) if (isset($_GET['author']) and !empty($_GET['author'])) { $page['where_clauses'][] = - 'u.username = \''.addslashes($_GET['author']).'\' + 'u.'.$conf['user_fields']['username'].' = \''.addslashes($_GET['author']).'\' OR author = \''.addslashes($_GET['author']).'\''; } @@ -268,7 +268,7 @@ SELECT COUNT(DISTINCT(com.id)) INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id LEFT JOIN '.USERS_TABLE.' As u - ON u.id = com.author_id + ON u.'.$conf['user_fields']['id'].' = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' ;'; @@ -300,7 +300,7 @@ SELECT com.id AS comment_id , ic.category_id , com.author , com.author_id - , username + , '.$conf['user_fields']['username'].' AS username , com.date , com.content , com.validated @@ -308,7 +308,7 @@ SELECT com.id AS comment_id INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id LEFT JOIN '.USERS_TABLE.' AS u - ON u.id = com.author_id + ON u.'.$conf['user_fields']['id'].' = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' GROUP BY comment_id 
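Review bot: In admin/comments.php the configured username column is selected without the table alias (`$conf['user_fields']['username'].' AS username'`), although the join condition in the same query qualifies its column as `u.'.$conf['user_fields']['id']`. The name now comes from configuration, so a users table whose username column shares a name with a column of the comments or images table would make the reference ambiguous; `'u.'.$conf['user_fields']['username'].' AS username'` avoids that. The same unqualified form appears in the `@@ -300` hunk of comments.php and in include/picture_comment.inc.php. These values are spliced into the SQL as identifiers and cannot be bound, so a comment such as `// user_fields names are trusted configuration, never request data` would record the assumption the query relies on.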
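Review bot: In the `@@ -101` hunk of comments.php the author filter is pushed onto `$page['where_clauses']` as `u.<username> = '...' OR author = '...'` without surrounding parentheses, and the later hunks show that array being joined with `implode(' AND ', $page['where_clauses'])`. AND binds tighter than OR, so the `OR author = ...` branch is not constrained by the other clauses; if that array also holds category or visibility restrictions, they would not apply to it. Opening the clause with `'(u.'.$conf['user_fields']['username'].' = \''.addslashes($_GET['author']).'\'` and closing it with `OR author = \''.addslashes($_GET['author']).'\')'` keeps the filter a single condition. Separately, `addslashes()` is not aware of the connection character set; the database extension's own escaping function or a bound parameter is the safer way to place `$_GET['author']` in the query.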
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 8845ee47a..e957424f5 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -128,10 +128,11 @@ SELECT COUNT(*) AS nb_comments } $query = ' -SELECT com.id,author,author_id,username,date,image_id,content,validated +SELECT com.id,author,author_id,'.$conf['user_fields']['username'].' AS username, + date,image_id,content,validated FROM '.COMMENTS_TABLE.' AS com LEFT JOIN '.USERS_TABLE.' AS u - ON u.id = author_id + ON u.'.$conf['user_fields']['id'].' = author_id WHERE image_id = '.$page['image_id']. $validated_clause.' ORDER BY date ASC diff --git a/template/yoga/comment_list.tpl b/template/yoga/comment_list.tpl index ece0c652b..3a5c1e16f 100644 --- a/template/yoga/comment_list.tpl +++ b/template/yoga/comment_list.tpl @@ -42,7 +42,7 @@ <form method="post" action="{$comment.U_EDIT}" class="filter" id="editComment"> <fieldset> <legend>{'Edit a comment'|@translate}</legend> - <label>{'comment'|@translate}<textarea name="content" id="contenteditid" rows="5" cols="80">{$comment.CONTENT}</textarea></label> + <label>{'comment'|@translate}<textarea name="content" id="contenteditid" rows="5" cols="80">{$comment.CONTENT|escape}</textarea></label> <input type="hidden" name="key" value="{$comment.KEY}"> <input type="hidden" name="image_id" value="{$comment.IMAGE_ID|default:$current.id}"> <input class="submit" type="submit" value="{'Submit'|@translate}"> |
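Review bot: In template/yoga/comment_list.tpl only the textarea body gains `|escape`; the attribute values in the same form, `action="{$comment.U_EDIT}"`, `value="{$comment.KEY}"` and `value="{$comment.IMAGE_ID|default:$current.id}"`, are still emitted raw. Whether those are safe depends on how the PHP side builds them, which the hunk does not show; if any of them can carry request-derived text, applying the same modifier (for example `{$comment.U_EDIT|escape}`) would close the gap in attribute context as well. It is also worth confirming that `CONTENT` reaches the edit form as the stored text rather than display-rendered HTML, otherwise the user ends up editing markup. The form and fieldset continue past the end of the hunk.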