X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Fmodules%2Fframetester.php;h=947753f18a38ef1599c053220a703587549e65e8;hb=3b7577d3b3e6522d8898ed1799031b6de696accc;hp=a66a557a8d00a889bae1ea62041ff282d2391c93;hpb=60494e212a67fe360bfbb481eb4928480a6f379b;p=mailer.git

diff --git a/inc/modules/frametester.php b/inc/modules/frametester.php
index a66a557a8d..947753f18a 100644
--- a/inc/modules/frametester.php
+++ b/inc/modules/frametester.php
@@ -32,58 +32,57 @@
  ************************************************************************/
 
 // Some security stuff...
-if (ereg(basename(__FILE__), $_SERVER['PHP_SELF']))
-{
+if (!defined('__SECURITY')) {
 	$INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php";
 	require($INC);
 }
 
 $MODE = "guest";
 
-if (!empty($_GET['order']))
-{
+if (!empty($_GET['order'])) {
 	// Order number placed, is he also logged in?
-	if(IS_LOGGED_IN())
-	{
+	if (IS_MEMBER()) {
 		// Ok, test passed... :)
-		$result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%d AND sender=%d AND data_type='TEMP' LIMIT 1",
+		$result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%s AND sender=%s AND data_type='TEMP' LIMIT 1",
 		 array(bigintval($_GET['order']), $GLOBALS['userid']), __FILE__, __LINE__);
 
 		// Finally is the entry valid?
-		if (SQL_NUMROWS($result) == 1)
-		{
+		if (SQL_NUMROWS($result) == 1) {
 			// Load subject and URL (but forwhat do we need the subject line here???
 			list($sub, $url) = SQL_FETCHROW($result);
 
 			// This fixes a white page
 			$_POST['url'] = $url;
 
-			// Update his login data
-			UPDATE_LOGIN_DATA();
+			// Mode is member
 			$MODE = "member";
-		}
-		 else
-		{
+		} else {
 			// Matching line not found!
 			LOAD_URL("modules.php?module=index&amp;what=login");
 		}
 
 		// Free memory
 		SQL_FREERESULT($result);
-	}
-	 else
-	{
+	} else {
 		// He is no longer logged in
 		LOAD_URL("modules.php?module=index&amp;what=login");
 	}
 }
 
-if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame'])))
-{
+if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame']))) {
+	// Default URL is ours
 	$url = URL;
+
+	// Decode URL if set in GET parameters
+	if (!empty($_GET['url']))  $url = gzuncompress(base64_decode(str_replace(" ", "+", COMPILE_CODE(urldecode($_GET['url'])))));
+
+	// Use URL from POST data if set
 	if (!empty($_POST['url'])) $url = $_POST['url'];
-	if (!empty($_GET['url']))  $url = base64_decode(urldecode(COMPILE_CODE($_GET['url'])));
-	switch ($_GET['frame'])
+
+	// Add missing element
+	$frame = "";
+	if (!empty($_GET['frame'])) $frame = SQL_ESCAPE($_GET['frame']);
+	switch ($frame)
 	{
 	case "":
 		switch ($MODE)
@@ -114,9 +113,7 @@ if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame'])
 		LOAD_TEMPLATE("member_order_send", false, $_GET['order']);
 		break;
 	}
-}
- else
-{
+} else {
 	// Go away...
 	LOAD_URL("modules.php?module=login");
 }