author | Eric <eric@piwigo.org> | 2009-11-18 20:07:20 +0000 |
committer | Eric <eric@piwigo.org> | 2009-11-18 20:07:20 +0000 |
commit | 1235bab5276f8c56ed6ba9cff46563c143c3e240 (patch) | |
tree | 653723f35e14bcee66eeb6bad049c3b106444040 /admin | |
parent | 8a299654501db00316a56efda76448a6bb3975e1 (diff) |
Escape all login and username characters in database
Display usernames correctly
(I hope not to have made mistakes)
git-svn-id: http://piwigo.org/svn/trunk@4304 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin')
-rw-r--r-- | admin/comments.php | 2 | ||||
-rw-r--r-- | admin/history.php | 2 | ||||
-rw-r--r-- | admin/include/c13y_internal.class.php | 2 | ||||
-rw-r--r-- | admin/include/functions.php | 2 | ||||
-rw-r--r-- | admin/include/functions_notification_by_mail.inc.php | 12 | ||||
-rw-r--r-- | admin/notification_by_mail.php | 10 | ||||
-rw-r--r-- | admin/rating.php | 2 | ||||
-rw-r--r-- | admin/upload.php | 2 | ||||
-rw-r--r-- | admin/user_list.php | 2 |
9 files changed, 18 insertions, 18 deletions
diff --git a/admin/comments.php b/admin/comments.php index cadc3dc67..d4fc89a66 100644 --- a/admin/comments.php +++ b/admin/comments.php @@ -160,7 +160,7 @@ while ($row = mysql_fetch_assoc($result)) } else { - $author_name = $row['username']; + $author_name = stripslashes($row['username']); } $template->append( 'comments', diff --git a/admin/history.php b/admin/history.php index 1560d428b..afc1712e1 100644 --- a/admin/history.php +++ b/admin/history.php @@ -259,7 +259,7 @@ SELECT '.$conf['user_fields']['id'].' AS id $username_of = array(); while ($row = mysql_fetch_assoc($result)) { - $username_of[$row['id']] = $row['username']; + $username_of[$row['id']] = stripslashes($row['username']); } } diff --git a/admin/include/c13y_internal.class.php b/admin/include/c13y_internal.class.php index c807ac24c..6402c6516 100644 --- a/admin/include/c13y_internal.class.php +++ b/admin/include/c13y_internal.class.php @@ -195,7 +195,7 @@ class c13y_internal $inserts = array( array( 'id' => $id, - 'username' => $name, + 'username' => addslashes($name), 'password' => $password ), ); diff --git a/admin/include/functions.php b/admin/include/functions.php index f023a7a5d..d1e82f15f 100644 --- a/admin/include/functions.php +++ b/admin/include/functions.php @@ -2112,7 +2112,7 @@ SELECT '.$conf['user_fields']['username'].' return false; } - return $username; + return stripslashes($username); } function get_newsletter_subscribe_base_url($language) { diff --git a/admin/include/functions_notification_by_mail.inc.php b/admin/include/functions_notification_by_mail.inc.php index 11b9454f4..6a674c5e0 100644 --- a/admin/include/functions_notification_by_mail.inc.php +++ b/admin/include/functions_notification_by_mail.inc.php 
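Review bot: The added `$author_name = stripslashes($row['username']);` assumes every row was written through the `addslashes()` path this same commit adds in c13y_internal.class.php; rows created by any other insert path, or rows already in the table, will have legitimate backslashes silently removed, so the stored format now depends on which writer produced the row. The robust shape is to store the raw value and escape only at the SQL boundary with the driver's connection-aware function (`mysql_real_escape_string()` in the mysql_* API this file already uses), so readers need no decoding at all. `stripslashes()` is also not an output encoder: `$author_name` still needs HTML escaping in the template or before `$template->append()`, which this hunk does not show, so that is worth confirming. The same read-side pattern recurs in admin/history.php, admin/include/functions.php, admin/rating.php, admin/upload.php and the two notification_by_mail files of this commit.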
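Review bot: `'username' => addslashes($name),` escapes with a generic quoting function rather than the connection-aware `mysql_real_escape_string()`, so it ignores the connection charset and leaves the stored value in an encoded form that every reader must undo. Whether the `$inserts` array is escaped again by the insert helper it is handed to is not visible in this hunk; if it is, the username is double-escaped on disk. `$password` on the next line is passed through untouched, so the two fields are treated inconsistently — if the reason is that the password is already a hash, say so with `// password is a hash: no quote characters to escape`. The enclosing method of c13y_internal starts outside the hunk.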
@@ -288,7 +288,7 @@ function inc_mail_sent_success($nbm_user) global $page, $env_nbm; $env_nbm['sent_mail_count'] += 1; - array_push($page['infos'], sprintf($env_nbm['msg_info'], $nbm_user['username'], $nbm_user['mail_address'])); + array_push($page['infos'], sprintf($env_nbm['msg_info'], stripslashes($nbm_user['username']), $nbm_user['mail_address'])); } /* @@ -301,7 +301,7 @@ function inc_mail_sent_failed($nbm_user) global $page, $env_nbm; $env_nbm['error_on_mail_count'] += 1; - array_push($page['errors'], sprintf($env_nbm['msg_error'], $nbm_user['username'], $nbm_user['mail_address'])); + array_push($page['errors'], sprintf($env_nbm['msg_error'], stripslashes($nbm_user['username']), $nbm_user['mail_address'])); } /* @@ -338,7 +338,7 @@ function assign_vars_nbm_mail_content($nbm_user) ( array ( - 'USERNAME' => $nbm_user['username'], + 'USERNAME' => stripslashes($nbm_user['username']), 'SEND_AS_NAME' => $env_nbm['send_as_name'], @@ -427,7 +427,7 @@ function do_subscribe_unsubscribe_notification_by_mail($is_admin_request, $is_su if (pwg_mail ( - format_email($nbm_user['username'], $nbm_user['mail_address']), + format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']), array ( 'from' => $env_nbm['send_as_mail_formated'], @@ -465,12 +465,12 @@ function do_subscribe_unsubscribe_notification_by_mail($is_admin_request, $is_su ) ); $updated_data_count += 1; - array_push($page['infos'], sprintf($msg_info, $nbm_user['username'], $nbm_user['mail_address'])); + array_push($page['infos'], sprintf($msg_info, stripslashes($nbm_user['username']), $nbm_user['mail_address'])); } else { $error_on_updated_data_count += 1; - array_push($page['errors'], sprintf($msg_error, $nbm_user['username'], $nbm_user['mail_address'])); + array_push($page['errors'], sprintf($msg_error, stripslashes($nbm_user['username']), $nbm_user['mail_address'])); } } diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php index 11863b7f5..95aea99ae 100644 
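Review bot: In the do_subscribe_unsubscribe_notification_by_mail hunk, `format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address'])` makes the decoded username the display-name part of a mail address; `stripslashes()` only reverses the storage encoding and does not make the string header-safe, so quoting of the display name must be done inside `format_email()` or `pwg_mail()`, neither of which is visible here — worth confirming before relying on it. The identical decode is repeated in the four other hunks of this file (inc_mail_sent_success, inc_mail_sent_failed, assign_vars_nbm_mail_content and the info/error messages) and again in admin/notification_by_mail.php; decoding once where `$nbm_user` is loaded, e.g. `$nbm_user['username'] = stripslashes($nbm_user['username']);`, would remove the scattered calls and the risk of one site being missed. Each enclosing function here starts outside its hunk.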
--- a/admin/notification_by_mail.php +++ b/admin/notification_by_mail.php @@ -175,7 +175,7 @@ order by $page['infos'], sprintf( l10n('nbm_user_x_added'), - $nbm_user['username'], + stripslashes($nbm_user['username']), get_email_address_as_display_text($nbm_user['mail_address']) ) ); @@ -388,7 +388,7 @@ function do_action_send_mail_notification($action = 'list_to_send', $check_key_l if (pwg_mail ( - format_email($nbm_user['username'], $nbm_user['mail_address']), + format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']), array ( 'from' => $env_nbm['send_as_mail_formated'], @@ -665,7 +665,7 @@ switch ($page['mode']) { if (get_boolean($nbm_user['enabled'])) { - $opt_true[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; + $opt_true[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; if ((isset($_POST['falsify']) and isset($_POST['cat_true']) and in_array($nbm_user['check_key'], $_POST['cat_true']))) { $opt_true_selected[] = $nbm_user['check_key']; @@ -673,7 +673,7 @@ switch ($page['mode']) } else { - $opt_false[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; + $opt_false[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']'; if (isset($_POST['trueify']) and isset($_POST['cat_false']) and in_array($nbm_user['check_key'], $_POST['cat_false'])) { $opt_false_selected[] = $nbm_user['check_key']; 
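Review bot: The @@ -665 and @@ -673 hunks now carry the same right-hand side twice, `stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']'`, once for `$opt_true` and once for `$opt_false`; computing it once before the `if (get_boolean($nbm_user['enabled']))` branch as `$label = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';` and assigning `$label` in both branches keeps the two option lists from drifting apart. As in the other files of this commit, `stripslashes()` here is a decode step, not escaping for the select-option markup the label ends up in; that escaping belongs to the template and is not visible in this hunk. The `switch ($page['mode'])` block enclosing these hunks starts and ends outside them.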
@@ -718,7 +718,7 @@ switch ($page['mode']) isset($_POST['send_selection']) and // not init !in_array($nbm_user['check_key'], $_POST['send_selection']) // not selected ) ? '' : 'checked="checked"', - 'USERNAME'=> $nbm_user['username'], + 'USERNAME'=> stripslashes($nbm_user['username']), 'EMAIL' => get_email_address_as_display_text($nbm_user['mail_address']), 'LAST_SEND'=> $nbm_user['last_send'] ); diff --git a/admin/rating.php b/admin/rating.php index da19b6b7a..99d703c72 100644 --- a/admin/rating.php +++ b/admin/rating.php @@ -96,7 +96,7 @@ SELECT '.$conf['user_fields']['username'].' as username, '.$conf['user_fields'][ $result = pwg_query($query); while ($row = mysql_fetch_assoc($result)) { - $users[$row['id']]=$row['username']; + $users[$row['id']]=stripslashes($row['username']); } diff --git a/admin/upload.php b/admin/upload.php index b36906778..94e526a35 100644 --- a/admin/upload.php +++ b/admin/upload.php @@ -177,7 +177,7 @@ while ( $row = mysql_fetch_assoc( $result ) ) (substr($row['file'], 0, 10)).'...' : $row['file'], 'PREVIEW_URL_IMG'=>$preview_url, 'UPLOAD_EMAIL'=>get_email_address_as_display_text($row['mail_address']), - 'UPLOAD_USERNAME'=>$row['username'] + 'UPLOAD_USERNAME'=>stripslashes($row['username']) ); // is there an existing associated thumnail ? diff --git a/admin/user_list.php b/admin/user_list.php index 73c1537bb..f679d95ce 100644 --- a/admin/user_list.php +++ b/admin/user_list.php @@ -702,7 +702,7 @@ foreach ($visible_user_list as $local_user) 'CHECKED' => $checked, 'U_PROFILE' => $profile_url.$local_user['id'], 'U_PERM' => $perm_url.$local_user['id'], - 'USERNAME' => $local_user['username'] + 'USERNAME' => stripslashes($local_user['username']) .($local_user['id'] == $conf['guest_id'] ? '<br>['.l10n('is_the_guest').']' : '') .($local_user['id'] == $conf['default_user_id'] |