SF.net SVN: postfixadmin:[1190] trunk
From: <chr...@us...> - 2011-09-24 17:04:21
Revision: 1190 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1190&view=rev Author: christian_boltz Date: 2011-09-24 17:04:15 +0000 (Sat, 24 Sep 2011) Log Message: ----------- create_admin() cleanup functions.inc.php: - create_admin(): use db_insert instead of INSERT queries (this includes automatic escaping of all values) create-admin.php: - use safepost instead of isset($_POST[...]) - don't escape_string post values - it's done inside create_admin now - remove superfluous emptying of empty $tDomains for GET - allow htmlentities-escaping for pAdminCreate_admin_username_text - some whitespace / linebreak changes setup.php: - load config.inc.php only once (loading it twice will break if custom hook functions exist in config.*.php - "can't redefine function ...") - use safepost instead of isset($_POST[...]) - don't escape_string post values - it's done inside create_admin now - escape $tUsername with htmlentities() instead of escape_string Modified Paths: -------------- trunk/create-admin.php trunk/functions.inc.php trunk/setup.php Modified: trunk/create-admin.php =================================================================== --- trunk/create-admin.php 2011-09-24 16:35:42 UTC (rev 1189) +++ trunk/create-admin.php 2011-09-24 17:04:15 UTC (rev 1190) 
@@ -38,34 +38,25 @@ $pAdminCreate_admin_username_text_error = ""; $pAdminCreate_admin_password_text_error = ""; -if ($_SERVER['REQUEST_METHOD'] == "GET") -{ - $tDomains = array (); -} +if ($_SERVER['REQUEST_METHOD'] == "POST") { + $fUsername = safepost('fUsername'); + $fPassword = safepost('fPassword'); + $fPassword2 = safepost('fPassword2'); + $fDomains = safepost('fDomains', array()); -if ($_SERVER['REQUEST_METHOD'] == "POST") -{ - if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']); - if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); - if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); - $fDomains = array(); - if (!empty ($_POST['fDomains'])) $fDomains = escape_string($_POST['fDomains']); -# TODO: work with non-escaped values here and do the escaping in create_admin() list ($error, $infoMessage, $pAdminCreate_admin_username_text_error, $pAdminCreate_admin_password_text_error) = create_admin($fUsername, $fPassword, $fPassword2, $fDomains); if ($error != 0) { - if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']); - if (isset ($_POST['fDomains'])) $tDomains = $_POST['fDomains']; + $tUsername = $fUsername; + $tDomains = $fDomains; } - - if(!empty($infoMessage)) - flash_info($infoMessage); - + + if(!empty($infoMessage)) flash_info($infoMessage); } $smarty->assign ('mode', 'create'); $smarty->assign ('tUsername', $tUsername); -$smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text'], false); +$smarty->assign ('pAdminCreate_admin_username_text', $PALANG['pAdminCreate_admin_username_text']); $smarty->assign ('pAdminCreate_admin_username_text_error', $pAdminCreate_admin_username_text_error, false); $smarty->assign ('admin_password_text_error', $pAdminCreate_admin_password_text_error, false); $smarty->assign ('select_options', select_options ($list_domains, $tDomains), false); Modified: 
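Review bot: `$fDomains = safepost('fDomains', array());` takes whatever shape the client submitted, and create_admin() goes on to index `$fDomains[0]` and loop to `sizeof($fDomains)`; if `fDomains` arrives as a plain string rather than an array, that yields a one-character "domain" instead of a rejected request. Add a type guard right after the safepost line, `if (!is_array($fDomains)) $fDomains = array();` (or do the same check at the top of create_admin so every caller is covered). On the error path `$tUsername = $fUsername;` now carries the raw POST value into `$smarty->assign ('tUsername', $tUsername);`, which unlike the neighbouring calls does not pass `false`; that is fine if the assign wrapper escapes by default, which the opt-out pattern suggests but this hunk cannot confirm. The default value of `$tDomains` for the GET case is set outside this hunk and is not visible here.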
trunk/functions.inc.php =================================================================== --- trunk/functions.inc.php 2011-09-24 16:35:42 UTC (rev 1189) +++ trunk/functions.inc.php 2011-09-24 17:04:15 UTC (rev 1190) @@ -2264,14 +2264,22 @@ $password = pacrypt($fPassword); // $pAdminCreate_admin_username_text = $PALANG['pAdminCreate_admin_username_text']; - $result = db_query ("INSERT INTO " . table_by_key('admin') . " (username,password,created,modified) VALUES ('$fUsername','$password',NOW(),NOW())"); - if ($result['rows'] != 1) { + $db_values = array( + 'username' => $fUsername, + 'password' => $password, + ); + $result = db_insert('admin', $db_values); + if ($result != 1) { $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_error'] . "<br />($fUsername)<br />"; } else { if (!empty ($fDomains[0])) { for ($i = 0; $i < sizeof ($fDomains); $i++) { $domain = $fDomains[$i]; - $result = db_query ("INSERT INTO " . table_by_key ('domain_admins') . " (username,domain,created) VALUES ('$fUsername','$domain',NOW())"); + $db_values = array( + 'username' => $fUsername, + 'domain' => $domain, + ); + $result = db_insert('domain_admins', $db_values, array('created')); } } $pAdminCreate_admin_message = $PALANG['pAdminCreate_admin_result_success'] . "<br />($fUsername"; Modified: trunk/setup.php =================================================================== --- trunk/setup.php 2011-09-24 16:35:42 UTC (rev 1189) +++ trunk/setup.php 2011-09-24 17:04:15 UTC (rev 1190) @@ -123,7 +123,6 @@ require_once($incpath.'/config.inc.php'); $config_loaded = 1; - require($incpath.'/config.inc.php'); if(isset($CONF['configured'])) { if($CONF['configured'] === TRUE) { print "<li>Checking \$CONF['configured'] - OK\n"; 
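Review bot: In the domain loop the return of `db_insert('domain_admins', $db_values, array('created'))` is assigned to `$result` on every iteration but never checked, so a failed row is silently dropped and control still falls through to the `pAdminCreate_admin_result_success` message, leaving an admin with fewer domains than the caller believes were granted. Check each insert, e.g. `if ($result != 1) { $failed_domains[] = $domain; }`, and report the failed domains instead of the success message when the list is non-empty. The `$domain` values are inserted exactly as submitted; whether they are validated against the domain table happens outside this hunk, and if it does not, a lookup via `table_by_key('domain')` before the insert would keep domain_admins referentially consistent. create_admin() begins and ends outside this hunk, so the final assembly of `$pAdminCreate_admin_message` and the return value are not visible here.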
@@ -341,9 +340,9 @@ } if($error == 0 && $pw_check_result == 'pass_OK') { - if (isset ($_POST['fUsername'])) $fUsername = escape_string ($_POST['fUsername']); - if (isset ($_POST['fPassword'])) $fPassword = escape_string ($_POST['fPassword']); - if (isset ($_POST['fPassword2'])) $fPassword2 = escape_string ($_POST['fPassword2']); + $fUsername = safepost('fUsername'); + $fPassword = safepost('fPassword'); + $fPassword2 = safepost('fPassword2'); // XXX need to ensure domains table includes an 'ALL' entry. $table_domain = table_by_key('domain'); @@ -354,7 +353,7 @@ list ($error, $setupMessage, $pAdminCreate_admin_username_text, $pAdminCreate_admin_password_text) = create_admin($fUsername, $fPassword, $fPassword2, array('ALL'), TRUE); if ($error != 0) { - if (isset ($_POST['fUsername'])) $tUsername = escape_string ($_POST['fUsername']); + $tUsername = htmlentities($fUsername); } } } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
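Review bot: `$tUsername = htmlentities($fUsername);` in the second hunk uses the defaults, which leave single quotes unescaped (ENT_COMPAT) and, on PHP releases before 5.4, assume ISO-8859-1 and mangle UTF-8 usernames; if `$tUsername` is later echoed inside a single-quoted attribute the escaping is incomplete. Use `$tUsername = htmlentities($fUsername, ENT_QUOTES, 'UTF-8');` so the value is safe in either quoting style and the charset matches the rest of the application. The surrounding `if`/`else` blocks in both hunks open above the hunk boundary, so how `$tUsername` is rendered is not visible here and should be confirmed against the template.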