authorEric <eric@piwigo.org>2009-11-18 20:07:20 +0000
committerEric <eric@piwigo.org>2009-11-18 20:07:20 +0000
commit1235bab5276f8c56ed6ba9cff46563c143c3e240 (patch)
tree653723f35e14bcee66eeb6bad049c3b106444040 /admin
parent8a299654501db00316a56efda76448a6bb3975e1 (diff)
Escape all login and username characters in database
Display usernames correctly (I hope I have not made mistakes) git-svn-id: http://piwigo.org/svn/trunk@4304 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--admin/comments.php2
-rw-r--r--admin/history.php2
-rw-r--r--admin/include/c13y_internal.class.php2
-rw-r--r--admin/include/functions.php2
-rw-r--r--admin/include/functions_notification_by_mail.inc.php12
-rw-r--r--admin/notification_by_mail.php10
-rw-r--r--admin/rating.php2
-rw-r--r--admin/upload.php2
-rw-r--r--admin/user_list.php2
9 files changed, 18 insertions, 18 deletions
diff --git a/admin/comments.php b/admin/comments.php
index cadc3dc67..d4fc89a66 100644
--- a/admin/comments.php
+++ b/admin/comments.php
@@ -160,7 +160,7 @@ while ($row = mysql_fetch_assoc($result))
}
else
{
- $author_name = $row['username'];
+ $author_name = stripslashes($row['username']);
}
$template->append(
'comments',
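Review bot: `stripslashes()` on `$row['username']` only removes backslashes; it does not encode the name for HTML, and `$author_name` appears to feed the `$template->append('comments', …)` call that follows. Usernames are user-chosen, so unless the template layer escapes this variable (not visible here), markup in a name is rendered in the admin page. If it does not, encode at this point: `$author_name = htmlspecialchars(stripslashes($row['username']), ENT_QUOTES);`. The same applies wherever the stripped name is later rendered in the hunks for admin/history.php, admin/rating.php, admin/upload.php and admin/notification_by_mail.php. The `while` loop body continues outside the hunk.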
diff --git a/admin/history.php b/admin/history.php
index 1560d428b..afc1712e1 100644
--- a/admin/history.php
+++ b/admin/history.php
@@ -259,7 +259,7 @@ SELECT '.$conf['user_fields']['id'].' AS id
$username_of = array();
while ($row = mysql_fetch_assoc($result))
{
- $username_of[$row['id']] = $row['username'];
+ $username_of[$row['id']] = stripslashes($row['username']);
}
}
diff --git a/admin/include/c13y_internal.class.php b/admin/include/c13y_internal.class.php
index c807ac24c..6402c6516 100644
--- a/admin/include/c13y_internal.class.php
+++ b/admin/include/c13y_internal.class.php
@@ -195,7 +195,7 @@ class c13y_internal
$inserts = array(
array(
'id' => $id,
- 'username' => $name,
+ 'username' => addslashes($name),
'password' => $password
),
);
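Review bot: `addslashes($name)` on the `username` entry is not a connection-aware SQL escape, and nothing in this hunk shows whether the helper that consumes `$inserts` escapes values again. With the mysql_* API visible elsewhere in this commit, the escape that follows the connection charset would be `'username' => mysql_real_escape_string($name),`. If the insert helper already escapes, either call stores literal backslashes, which may be why `stripslashes()` is added on the read paths. `password` on the next line is passed through unchanged, so the two fields are handled inconsistently. The enclosing method begins and ends outside the hunk.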
diff --git a/admin/include/functions.php b/admin/include/functions.php
index f023a7a5d..d1e82f15f 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -2112,7 +2112,7 @@ SELECT '.$conf['user_fields']['username'].'
return false;
}
- return $username;
+ return stripslashes($username);
}
function get_newsletter_subscribe_base_url($language) {
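Review bot: The function ending at `return stripslashes($username);` now returns the name with slashes stripped, but nothing documents that, nor the `return false;` path just above it. A caller that puts the result back into a query has to escape it again, and a caller that strips it a second time drops any legitimate backslash. Add a comment above the return such as `// Returns the display form of the username (slashes stripped), or false; escape again before use in SQL.` The function starts outside the hunk.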
diff --git a/admin/include/functions_notification_by_mail.inc.php b/admin/include/functions_notification_by_mail.inc.php
index 11b9454f4..6a674c5e0 100644
--- a/admin/include/functions_notification_by_mail.inc.php
+++ b/admin/include/functions_notification_by_mail.inc.php
@@ -288,7 +288,7 @@ function inc_mail_sent_success($nbm_user)
global $page, $env_nbm;
$env_nbm['sent_mail_count'] += 1;
- array_push($page['infos'], sprintf($env_nbm['msg_info'], $nbm_user['username'], $nbm_user['mail_address']));
+ array_push($page['infos'], sprintf($env_nbm['msg_info'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
}
/*
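Review bot: `stripslashes($nbm_user['username'])` is applied at each use of the row rather than once where `$nbm_user` is loaded; the same call is repeated in the other hunks of this file (inc_mail_sent_failed, assign_vars_nbm_mail_content, do_subscribe_unsubscribe_notification_by_mail) and in those of admin/notification_by_mail.php. A call site that is missed shows the escaped form, and one that receives an already stripped value drops a legitimate backslash. Normalising once after the fetch, `$nbm_user['username'] = stripslashes($nbm_user['username']);`, keeps the rule in one place. The code that builds `$nbm_user` is outside the hunks shown.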
@@ -301,7 +301,7 @@ function inc_mail_sent_failed($nbm_user)
global $page, $env_nbm;
$env_nbm['error_on_mail_count'] += 1;
- array_push($page['errors'], sprintf($env_nbm['msg_error'], $nbm_user['username'], $nbm_user['mail_address']));
+ array_push($page['errors'], sprintf($env_nbm['msg_error'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
}
/*
@@ -338,7 +338,7 @@ function assign_vars_nbm_mail_content($nbm_user)
(
array
(
- 'USERNAME' => $nbm_user['username'],
+ 'USERNAME' => stripslashes($nbm_user['username']),
'SEND_AS_NAME' => $env_nbm['send_as_name'],
@@ -427,7 +427,7 @@ function do_subscribe_unsubscribe_notification_by_mail($is_admin_request, $is_su
if (pwg_mail
(
- format_email($nbm_user['username'], $nbm_user['mail_address']),
+ format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
array
(
'from' => $env_nbm['send_as_mail_formated'],
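Review bot: The stripped username is passed to `format_email()` and the result is the first argument of `pwg_mail()`, so it presumably ends up in a mail header. `format_email()` is not shown. If it does not already remove line breaks, the name should be cleaned first, e.g. `format_email(str_replace(array("\r", "\n"), '', stripslashes($nbm_user['username'])), $nbm_user['mail_address'])`. The same call appears in do_action_send_mail_notification in admin/notification_by_mail.php. The `if (pwg_mail(…))` statement continues outside the hunk.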
@@ -465,12 +465,12 @@ function do_subscribe_unsubscribe_notification_by_mail($is_admin_request, $is_su
)
);
$updated_data_count += 1;
- array_push($page['infos'], sprintf($msg_info, $nbm_user['username'], $nbm_user['mail_address']));
+ array_push($page['infos'], sprintf($msg_info, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
}
else
{
$error_on_updated_data_count += 1;
- array_push($page['errors'], sprintf($msg_error, $nbm_user['username'], $nbm_user['mail_address']));
+ array_push($page['errors'], sprintf($msg_error, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
}
}
diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php
index 11863b7f5..95aea99ae 100644
--- a/admin/notification_by_mail.php
+++ b/admin/notification_by_mail.php
@@ -175,7 +175,7 @@ order by
$page['infos'],
sprintf(
l10n('nbm_user_x_added'),
- $nbm_user['username'],
+ stripslashes($nbm_user['username']),
get_email_address_as_display_text($nbm_user['mail_address'])
)
);
@@ -388,7 +388,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l
if (pwg_mail
(
- format_email($nbm_user['username'], $nbm_user['mail_address']),
+ format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
array
(
'from' => $env_nbm['send_as_mail_formated'],
@@ -665,7 +665,7 @@ switch ($page['mode'])
{
if (get_boolean($nbm_user['enabled']))
{
- $opt_true[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
+ $opt_true[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
if ((isset($_POST['falsify']) and isset($_POST['cat_true']) and in_array($nbm_user['check_key'], $_POST['cat_true'])))
{
$opt_true_selected[] = $nbm_user['check_key'];
@@ -673,7 +673,7 @@ switch ($page['mode'])
}
else
{
- $opt_false[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
+ $opt_false[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
if (isset($_POST['trueify']) and isset($_POST['cat_false']) and in_array($nbm_user['check_key'], $_POST['cat_false']))
{
$opt_false_selected[] = $nbm_user['check_key'];
@@ -718,7 +718,7 @@ switch ($page['mode'])
isset($_POST['send_selection']) and // not init
!in_array($nbm_user['check_key'], $_POST['send_selection']) // not selected
) ? '' : 'checked="checked"',
- 'USERNAME'=> $nbm_user['username'],
+ 'USERNAME'=> stripslashes($nbm_user['username']),
'EMAIL' => get_email_address_as_display_text($nbm_user['mail_address']),
'LAST_SEND'=> $nbm_user['last_send']
);
diff --git a/admin/rating.php b/admin/rating.php
index da19b6b7a..99d703c72 100644
--- a/admin/rating.php
+++ b/admin/rating.php
@@ -96,7 +96,7 @@ SELECT '.$conf['user_fields']['username'].' as username, '.$conf['user_fields'][
$result = pwg_query($query);
while ($row = mysql_fetch_assoc($result))
{
- $users[$row['id']]=$row['username'];
+ $users[$row['id']]=stripslashes($row['username']);
}
diff --git a/admin/upload.php b/admin/upload.php
index b36906778..94e526a35 100644
--- a/admin/upload.php
+++ b/admin/upload.php
@@ -177,7 +177,7 @@ while ( $row = mysql_fetch_assoc( $result ) )
(substr($row['file'], 0, 10)).'...' : $row['file'],
'PREVIEW_URL_IMG'=>$preview_url,
'UPLOAD_EMAIL'=>get_email_address_as_display_text($row['mail_address']),
- 'UPLOAD_USERNAME'=>$row['username']
+ 'UPLOAD_USERNAME'=>stripslashes($row['username'])
);
// is there an existing associated thumnail ?
diff --git a/admin/user_list.php b/admin/user_list.php
index 73c1537bb..f679d95ce 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -702,7 +702,7 @@ foreach ($visible_user_list as $local_user)
'CHECKED' => $checked,
'U_PROFILE' => $profile_url.$local_user['id'],
'U_PERM' => $perm_url.$local_user['id'],
- 'USERNAME' => $local_user['username']
+ 'USERNAME' => stripslashes($local_user['username'])
.($local_user['id'] == $conf['guest_id']
? '<br>['.l10n('is_the_guest').']' : '')
.($local_user['id'] == $conf['default_user_id']
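Review bot: The `USERNAME` entry concatenates the stored name with literal markup (`'<br>['.l10n('is_the_guest').']'`), so the template presumably prints this value unescaped and the name itself has to be HTML-encoded before the concatenation. `stripslashes()` does not do that. Suggested: `'USERNAME' => htmlspecialchars(stripslashes($local_user['username']), ENT_QUOTES)`. The array literal continues past the end of the hunk.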