Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22170
Modified Files:
serendipity_admin_comments.inc.php
Log Message:
More code-style cleanup, and added the missing serendipity_db_escape_string() calls to potentially dangerous input vars.
Index: serendipity_admin_comments.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_admin_comments.inc.php,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- serendipity_admin_comments.inc.php 17 Jul 2004 12:04:10 -0000 1.2
+++ serendipity_admin_comments.inc.php 17 Jul 2004 12:16:42 -0000 1.3
@@ -1,4 +1,4 @@
-<?php
+<?php # $Id$
if (IN_serendipity !== true) {
die ("Don't hack!");
}
@@ -8,15 +8,16 @@
if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doEdit' && !isset($serendipity['POST']['preview']) ) {
$sql = "UPDATE {$serendipity['dbPrefix']}comments
SET
- author = '". $serendipity['POST']['name'] ."',
- email = '". $serendipity['POST']['email'] ."',
- url = '". $serendipity['POST']['url'] ."',
- parent_id = '". $serendipity['POST']['replyTo']."',
- body = '". $serendipity['POST']['comment']."'
- WHERE id = ". $serendipity['GET']['id'] ." AND entry_id = ". $serendipity['POST']['entry_id'];
+ author = '" . serendipity_db_escape_string($serendipity['POST']['name']) . "',
+ email = '" . serendipity_db_escape_string($serendipity['POST']['email']) . "',
+ url = '" . serendipity_db_escape_string($serendipity['POST']['url']) . "',
+ parent_id = '" . serendipity_db_escape_string($serendipity['POST']['replyTo']) . "',
+ body = '" . serendipity_db_escape_string($serendipity['POST']['comment']) . "'
+ WHERE id = " . serendipity_db_escape_string($serendipity['GET']['id']) . " AND
+ entry_id = " . serendipity_db_escape_string($serendipity['POST']['entry_id']);
serendipity_db_query($sql);
echo COMMENT_EDITED;
- return 1;
+ return true;
}
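Review bot: The WHERE clause of the UPDATE still interpolates `id` and `entry_id` without surrounding quotes, so wrapping them in serendipity_db_escape_string() — presumably a string-escaping wrapper that neutralises quote characters — does not constrain what reaches the numeric comparison; a value containing no quotes passes through unchanged. Both are integer keys, so cast them instead of escaping: `WHERE id = " . (int) $serendipity['GET']['id'] . " AND` and `entry_id = " . (int) $serendipity['POST']['entry_id'];`. The same applies to the `c.id` comparison in the approve branch's SELECT in the next hunk. The quoted columns (author, email, url, parent_id, body) are the case the escape call actually covers.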
@@ -26,24 +27,24 @@
FROM {$serendipity['dbPrefix']}comments c
LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
LEFT JOIN {$serendipity['dbPrefix']}authors a ON (e.authorid = a.authorid)
- WHERE c.id = ". $serendipity['GET']['id'] ." AND status = 'pending'";
+ WHERE c.id = " . serendipity_db_escape_string($serendipity['GET']['id']) ." AND status = 'pending'";
$rs = serendipity_db_query($sql, true);
- if ( $rs === false ) {
+ if ($rs === false) {
echo ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, $serendipity['GET']['id']);
- return 1;
+ return true;
}
serendipity_approveComment($serendipity['GET']['id'], serendipity_db_bool($rs['mail_comments']), $rs['entry_id'], $rs['authoremail'], $rs['email'], $rs['author'], $rs['url'], $rs['title'], $rs['body'], $rs['type']);
- echo DONE .': '. sprintf(COMMENT_APPROVED, $serendipity['GET']['id']);
- return 1;
+ echo DONE . ': '. sprintf(COMMENT_APPROVED, $serendipity['GET']['id']);
+ return true;
}
/* We are asked to delete a comment */
if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'delete' ) {
serendipity_deleteComment($serendipity['GET']['id'], $serendipity['GET']['entry_id']);
- echo DONE .': '. sprintf(COMMENT_DELETED, $serendipity['GET']['id']);;
- return 1;
+ echo DONE . ': '. sprintf(COMMENT_DELETED, $serendipity['GET']['id']);;
+ return true;
}
/* We are either in edit mode, or preview mode */
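Review bot: The three `echo ... sprintf(..., $serendipity['GET']['id'])` lines in the approve and delete branches print the raw request value into the page, and the same raw value (plus `$serendipity['GET']['entry_id']`) is passed straight to serendipity_approveComment() and serendipity_deleteComment(); the commit escapes the id for SQL but not for HTML output, and whether the helpers escape internally is not visible here. Since the id is an integer key, normalise it once at the top of each branch, `$id = (int) $serendipity['GET']['id'];`, and use `$id` in the query, the echo and the helper call; otherwise wrap the echoed value in `htmlspecialchars()`. The doubled `;;` on the delete branch's echo line is harmless but worth dropping while the line is being touched.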
@@ -81,40 +82,46 @@
}
- serendipity_displayCommentForm($serendipity['GET']['entry_id'], '?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=doEdit&serendipity[id]='. $serendipity['GET']['id'] .'&serendipity[entry_id]='. $serendipity['GET']['entry_id'], NULL, $data, false);
- return 1;
+ serendipity_displayCommentForm(
+ $serendipity['GET']['entry_id'],
+ '?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=doEdit&serendipity[id]=' . $serendipity['GET']['id'] . '&serendipity[entry_id]=' . $serendipity['GET']['entry_id'],
+ NULL,
+ $data,
+ false
+ );
+
+ return true;
}
$sql = serendipity_db_query("SELECT c.*, e.title FROM {$serendipity['dbPrefix']}comments c
LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
WHERE type = 'NORMAL'
- ". (($serendipity['serendipityUserlevel'] != USERLEVEL_ADMIN) ? 'AND e.authorid = '. $serendipity['authorId'] : '') ."
+ " . (($serendipity['serendipityUserlevel'] != USERLEVEL_ADMIN) ? 'AND e.authorid = ' . $serendipity['authorId'] : '') . "
ORDER BY id DESC
LIMIT 10");
-if ( !is_array($sql) ) {
+if (!is_array($sql)) {
echo NO_COMMENTS;
return;
}
?>
-<script language="Javascript1.2" type="text/javascript">
+<script type="text/javascript">
function toggle(id) {
- if ( document.getElementById(id +'_full').style.display == '' ) {
- document.getElementById(id +'_full').style.display='none';
- document.getElementById(id +'_summary').style.display='';
- document.getElementById(id +'_link').innerHTML = '<?php echo VIEW ?>';
+ if ( document.getElementById(id + '_full').style.display == '' ) {
+ document.getElementById(id + '_full').style.display='none';
+ document.getElementById(id + '_summary').style.display='';
+ document.getElementById(id + '_link').innerHTML = '<?php echo VIEW ?>';
} else {
- document.getElementById(id +'_full').style.display='';
- document.getElementById(id +'_summary').style.display='none';
- document.getElementById(id +'_link').innerHTML = '<?php echo HIDE ?>';
+ document.getElementById(id + '_full').style.display='';
+ document.getElementById(id + '_summary').style.display='none';
+ document.getElementById(id + '_link').innerHTML = '<?php echo HIDE ?>';
}
-
}
</script>
<table width="100%" cellspacing="5" cellpadding="0" border="0" class="serendipity_admin_list">
<?php
$i = 0;
-foreach ( $sql as $rs ) {
+foreach ($sql as $rs) {
if (empty($rs['author'])) {
$rs['author'] = ANONYMOUS;
}
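Review bot: The reformatted serendipity_displayCommentForm() call still splices `$serendipity['GET']['id']` and `$serendipity['GET']['entry_id']` unescaped into the URL handed to the form, and passes the raw entry_id as the first argument; the commit's escaping pass covers SQL but not this output path. Cast both before building the string, `$id = (int) $serendipity['GET']['id'];` and `$entryId = (int) $serendipity['GET']['entry_id'];`, and use those in the URL and the argument list. The `if` this call sits in starts before the hunk. The `$serendipity['authorId']` interpolated into the listing query further down looks like a session value rather than request input, so it is probably fine, but worth confirming it is never request-controlled.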
@@ -125,8 +132,7 @@
$rs['email'] = 'N/A';
}
-
- $class = 'serendipity_admin_list_item_'. (($i++ % 2 == 0 ) ? 'even' : 'uneven');
+ $class = 'serendipity_admin_list_item_' . (($i++ % 2 == 0 ) ? 'even' : 'uneven');
?>
<tr>
<td class="serendipity_admin_list_item <?php echo $class ?>" style="padding: 3px">
@@ -147,7 +153,7 @@
<td style="border-top: 1px solid #CCCCCC; border-bottom: 1px solid #CCCCCC" colspan="4"><div id="<?php echo $rs['id'] ?>_summary"><?php echo nl2br(substr(strip_tags($rs['body']), 0, 200)) ?> ...</div><div id="<?php echo $rs['id'] ?>_full" style="display: none"><?php echo nl2br(strip_tags($rs['body'])) ?></div></td>
</tr>
</table>
-<?php if ( $rs['status'] == 'pending' ) { ?>
+<?php if ($rs['status'] == 'pending') { ?>
<strong>[<a href="?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=approve&serendipity[id]=<?php echo $rs['id'] ?>">Approve</a>]</strong> -
<?php } ?>
[<a href="?serendipity[action]=admin&serendipity[adminModule]=comments&serendipity[adminAction]=delete&serendipity[id]=<?php echo $rs['id'] ?>&serendipity[entry_id]=<?php echo $rs['entry_id'] ?>"><?php echo DELETE ?></a>] -
|