Unlock of booked URLs in surfbar added, fix for URL-encoded links in loader module

[mailer.git] / inc / modules / frametester.php

diff --git a/inc/modules/frametester.php b/inc/modules/frametester.php
index a6daa40721cd307f0ec7313acc5ac36bd93642e9..49b06b359e17ef12edd66f6b8d131012cad1f3bb 100644 (file)
--- a/inc/modules/frametester.php
+++ b/inc/modules/frametester.php
@@ -43,7 +43,7 @@ if (!empty($_GET['order'])) {
        // Order number placed, is he also logged in?
        if(IS_LOGGED_IN()) {
                // Ok, test passed... :)
-               $result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%d AND sender=%d AND data_type='TEMP' LIMIT 1",
+               $result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%s AND sender=%s AND data_type='TEMP' LIMIT 1",
                 array(bigintval($_GET['order']), $GLOBALS['userid']), __FILE__, __LINE__);
 
                // Finally is the entry valid?
@@ -71,10 +71,19 @@ if (!empty($_GET['order'])) {
 }
 
 if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame']))) {
+       // Default URL is ours
        $url = URL;
+
+       // Decode URL if set in GET parameters
+       if (!empty($_GET['url']))  $url = COMPILE_CODE(gzuncompress(base64_decode(urldecode($_GET['url']))));
+
+       // Use URL from POST data if set
        if (!empty($_POST['url'])) $url = $_POST['url'];
-       if (!empty($_GET['url']))  $url = base64_decode(urldecode(COMPILE_CODE($_GET['url'])));
-       switch ($_GET['frame'])
+
+       // Add missing element
+       $frame = "";
+       if (!empty($_GET['frame'])) $frame = SQL_ESCAPE($_GET['frame']);
+       switch ($frame)
        {
        case "":
                switch ($MODE)