Unnecessary addslashes() and SQL_ESCAPE() removed, some added, some bigintval() added
authorRoland Häder <roland@mxchange.org>
Mon, 13 Oct 2008 17:51:03 +0000 (17:51 +0000)
committerRoland Häder <roland@mxchange.org>
Mon, 13 Oct 2008 17:51:03 +0000 (17:51 +0000)
16 files changed:
inc/databases.php
inc/modules/admin/what-admin_add.php
inc/modules/admin/what-adminedit.php
inc/modules/admin/what-config_cats.php
inc/modules/admin/what-edit_emails.php
inc/modules/admin/what-sub_points.php
inc/modules/guest/what-login.php
inc/modules/guest/what-register.php
inc/modules/member/what-holiday.php
inc/modules/member/what-mydata.php
inc/modules/member/what-newsletter.php
inc/modules/member/what-order.php
inc/modules/member/what-payout.php
inc/modules/member/what-support.php
inc/modules/member/what-transfer.php
inc/mysql-manager.php

index 4ed7bc1..bd32483 100644 (file)
@@ -113,7 +113,7 @@ define('USAGE_BASE', "usage");
 define('SERVER_URL', "http://www.mxchange.org");
 
 // This current patch level
-define('CURR_SVN_REVISION', "513");
+define('CURR_SVN_REVISION', "514");
 
 // Take a prime number which is long (if you know a longer one please try it out!)
 define('_PRIME', 591623);
index ca79dce..483a4b1 100644 (file)
@@ -175,7 +175,7 @@ if (!isset($_POST['ok']))
                                $_POST['menu'],
                                $_POST['name'],
                                $_POST['title'],
-                               addslashes($_POST['descr']),
+                               $_POST['descr'],
                                bigintval($_POST['sort']),
                        ), __FILE__, __LINE__
                );
@@ -188,7 +188,7 @@ if (!isset($_POST['ok']))
                        array(
                                $_POST['name'],
                                $_POST['title'],
-                               addslashes($_POST['descr']),
+                               $_POST['descr'],
                                bigintval($_POST['sort']),
                        ), __FILE__, __LINE__
                );
index f30250d..aadbd0c 100644 (file)
@@ -169,7 +169,7 @@ WHERE ".$AND." AND id=%s LIMIT 1",
        $menu,
        $_POST['sel_action'][$sel],
        $_POST['sel_what'][$sel],
-       addslashes($_POST['sel_desc'][$sel]),
+       $_POST['sel_desc'][$sel],
        $sel,
 ), __FILE__, __LINE__);
                }
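Review bot: The last array element `$sel` fills the unquoted `id=%s` placeholder shown in the hunk header, so string escaping inside SQL_QUERY_ESC (not visible here) would not constrain it to a number. The same commit wraps `$uid` in `bigintval()` for the equivalent `userid=%s` case in what-login.php; `bigintval($sel),` here would keep the two consistent. `$sel` appears to be a key of the posted `sel_action` array, but its origin and the `$AND` fragment concatenated into the WHERE clause are outside the hunk, so both should be checked where they are built.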
index 38e4012..fd795ff 100644 (file)
@@ -47,11 +47,11 @@ $CATS = "";
 if (isset($_POST['add'])) {
        // Add a new category
        $result = SQL_QUERY_ESC("SELECT id FROM "._MYSQL_PREFIX."_cats WHERE cat='%s' LIMIT 1",
-        array(addslashes($_POST['catname'])), __FILE__, __LINE__);
+               array($_POST['catname']), __FILE__, __LINE__);
        if (SQL_NUMROWS($result) == 0) {
                // Category does not exists, we simply add it...
                $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_cats (cat, visible, sort) VALUES ('%s','%s','%s')",
-                array(addslashes($_POST['catname']), $_POST['visible'], bigintval($_POST['parent'] + 1)), __FILE__, __LINE__);
+                       array($_POST['catname'], $_POST['visible'], bigintval($_POST['parent'] + 1)), __FILE__, __LINE__);
                $content = "<SPAN class=\"admin_done\">".CATEGORY_ADDED."</SPAN>";
        } else {
                // Category does already exists
index 907ceb2..d073ed9 100644 (file)
@@ -73,9 +73,9 @@ text='%s',
 url='%s'
 WHERE id=%s LIMIT 1",
  array(
-       addslashes($_POST['subj']),
-       addslashes($_POST['text']),
-       addslashes($_POST['url']),
+       $_POST['subj'],
+       $_POST['text'],
+       $_POST['url'],
        bigintval($_POST['id']),
 ), __FILE__, __LINE__);
                        if (SQL_AFFECTEDROWS() == 1)
index 6ac3053..d962bc9 100644 (file)
@@ -68,7 +68,7 @@ if ($_GET['u_id'] == "all")
 
                                        // Prepare content
                                        $content = array(
-                                               'text' => SQL_ESCAPE($_POST['reason']),
+                                               'text'   => SQL_ESCAPE($_POST['reason']),
                                                'points' => bigintval($_POST['points'])
                                        );
 
@@ -108,7 +108,7 @@ if ($_GET['u_id'] == "all")
 
                        // Prepare content
                        $content = array(
-                               'text' => SQL_ESCAPE($_POST['reason']),
+                               'text'   => SQL_ESCAPE($_POST['reason']),
                                'points' => bigintval($_POST['points'])
                        );
 
index 76312e8..efaf745 100644 (file)
@@ -239,11 +239,11 @@ if (IS_MEMBER()) {
        if ($probe_nickname) {
                // Nickname entered
                $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE nickname='%s' OR email='%s' LIMIT 1",
-                array(addslashes($uid), $_POST['email']), __FILE__, __LINE__);
+                       array($uid, $_POST['email']), __FILE__, __LINE__);
        } else {
                // Direct userid entered
                $result = SQL_QUERY_ESC("SELECT userid, status FROM "._MYSQL_PREFIX."_user_data WHERE userid=%s OR email='%s' LIMIT 1",
-                array($uid, $_POST['email']), __FILE__, __LINE__);
+                       array(bigintval($uid), $_POST['email']), __FILE__, __LINE__);
        }
 
        // Any entry found?
index cec98b6..e4fa749 100644 (file)
@@ -221,7 +221,7 @@ if ((isset($_POST['ok'])) && (!$FAILED))
        } else {
                // Old way with enterable two-char-code
                $countryRow = "country";
-               $countryData = addslashes(substr($_POST['cntry'], 0, 2));
+               $countryData = substr($_POST['cntry'], 0, 2);
        }
 
        //////////////////////////////
@@ -232,14 +232,14 @@ if ((isset($_POST['ok'])) && (!$FAILED))
 VALUES ('%s','%s','%s','%s','%s',%s,'%s','%s',%s, %s,%s,'%s',%s, %s,'%s','UNCONFIRMED','%s','%s', UNIX_TIMESTAMP(), UNIX_TIMESTAMP()".$ADD2.")",
        array(
                $countryRow,
-               SQL_ESCAPE(substr($_POST['gender'], 0, 1)),
-               SQL_ESCAPE($_POST['surname']),
-               SQL_ESCAPE($_POST['family_name']),
-               SQL_ESCAPE($_POST['street_nr']),
+               substr($_POST['gender'], 0, 1),
+               $_POST['surname'],
+               $_POST['family_name'],
+               $_POST['street_nr'],
                $countryData,
                bigintval($_POST['zip']),
-               SQL_ESCAPE($_POST['city']),
-               SQL_ESCAPE($_POST['addy']),
+               $_POST['city'],
+               $_POST['addy'],
                bigintval($_POST['day']),
                bigintval($_POST['month']),
                bigintval($_POST['year']),
index 11da0f7..0a840a1 100644 (file)
@@ -130,7 +130,7 @@ WHERE userid=%s LIMIT 1",
 
                // Create task
                $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','HOLIDAY_REQUEST','%s','%s', UNIX_TIMESTAMP())",
-                array($GLOBALS['userid'], HOLIDAY_ADMIN_SUBJECT, addslashes($msg)), __FILE__, __LINE__);
+                array($GLOBALS['userid'], HOLIDAY_ADMIN_SUBJECT, $msg), __FILE__, __LINE__);
 
                // Display message
                LOAD_TEMPLATE("admin_settings_saved", false, HOLIDAY_IS_ACTIVATED_NOW);
index 37015ef..848b54f 100644 (file)
@@ -201,25 +201,15 @@ case "save": // Save entered data
        $DATA[3] = $DATA[2] + $_CONFIG['profile_lock'];
 
        // How far is last change on his profile away from now?
-       if (($DATA[3] > time()) && (!IS_ADMIN()) && ($_CONFIG['profile_lock'] > 0))
-       {
+       if (($DATA[3] > time()) && (!IS_ADMIN()) && ($_CONFIG['profile_lock'] > 0)) {
                $DATA[3] = MAKE_DATETIME($DATA[3] + $_CONFIG['profile_lock'], "0");
                // You cannot change your account
                LOAD_TEMPLATE("member_mydata_locked");
-       }
-        elseif (!VALIDATE_EMAIL($_POST['addy']))
-       {
+       } elseif (!VALIDATE_EMAIL($_POST['addy'])) {
                // Invalid email address!
                LOAD_TEMPLATE("admin_settings_saved", false, INVALID_EMAIL_ADDRESS_ENTERED);
-       }
-        else
-       {
-               // Secure every submitted variable
-               foreach ($_POST as $key => $value)
-               {
-                       $_POST[$key] = addslashes($value);
-               }
-
+       } else {
+               // Generate hash
                $hash = generateHash($_POST['pass1'], substr($DATA[1], 0, -40));
                if ((($hash == $DATA[1]) || ($_POST['pass1'] == $_POST['pass2'])) && (!empty($_POST['pass1'])))
                {
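Review bot: With the `foreach ($_POST ...) addslashes()` loop removed, every later use of `$_POST` in this `else` branch is safe only if it goes through SQL_QUERY_ESC's argument array, and that code lies below the hunk. Any statement further down that still concatenates a `$_POST` value into the SQL string would have lost its only escaping; the same applies to the loop removed at `@@ -55,13` in what-order.php. `generateHash()` also now receives the raw `pass1`, so a password containing quotes or backslashes hashes differently than it did before this change. I would leave a marker where the loop was, such as `// $_POST is unescaped from here on; pass values only via SQL_QUERY_ESC() arguments`.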
index a427d96..e6d343d 100644 (file)
@@ -65,7 +65,7 @@ if ((isset($_POST['ok'])) && ($status == "Y") && ($span == "0"))
 
        // Add task
        $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (assigned_admin, status, task_type, subject, text, task_created, userid)
-VALUES ('0','NEW','NL_UNSUBSCRIBE','".ADMIN_NL_SUBJECT."','".addslashes($admin_msg)."', UNIX_TIMESTAMP(),'%s')", array($GLOBALS['userid']), __FILE__, __LINE__);
+VALUES ('0','NEW','NL_UNSUBSCRIBE','".ADMIN_NL_SUBJECT."','".$admin_msg."', UNIX_TIMESTAMP(),'%s')", array($GLOBALS['userid']), __FILE__, __LINE__);
 
        // Send mail to member
        $msg = LOAD_EMAIL_TEMPLATE("member_newsletter_request", array(), $GLOBALS['userid']);
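Review bot: `$admin_msg` is concatenated into the query string instead of being passed in the argument array, so with `addslashes()` removed it reaches the database unescaped and a quote in the template output breaks or alters the INSERT. Because it is part of the format string, a literal `%` in the message would presumably also be read as a placeholder by SQL_QUERY_ESC (its implementation is not visible here). Move both values into placeholders: `VALUES ('0','NEW','NL_UNSUBSCRIBE','%s','%s', UNIX_TIMESTAMP(),'%s')", array(ADMIN_NL_SUBJECT, $admin_msg, $GLOBALS['userid']), __FILE__, __LINE__);`.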
index 5f5422d..a41eb09 100644 (file)
@@ -55,13 +55,6 @@ if (empty($_POST['html']))     $_POST['html']     = "";
 if (empty($_POST['receiver'])) $_POST['receiver'] = "";
 if (IS_ADMIN()) $whereStatement = "";
 
-// Add slashes to every value
-foreach($_POST as $key => $value)
-{
-       // Skip submit buttons
-       if (($key != "data") && ($key != "frametester")) $_POST[$key] = addslashes($value);
-}
-
 // Minimum mails / order
 define('__MIN_VALUE', $_CONFIG['order_min']);
 
@@ -138,7 +131,7 @@ WHERE sender=%s AND url='%s' AND timestamp > (UNIX_TIMESTAMP() - %s) LIMIT 1",
                                // URL found!
                                $URL = URL."/modules.php?module=login&amp;what=order&amp;msg=".CODE_URL_FOUND;
                        }
-                       $TEST = str_replace("\n", "", str_replace("\r", "", addslashes($_POST['text'])));
+                       $TEST = str_replace("\n", "", str_replace("\r", "", $_POST['text']));
                        if (strlen($TEST) > $_CONFIG['max_tlength'])
                        {
                                // Text is too long!
@@ -297,8 +290,8 @@ WHERE userid=%s AND holiday_start < UNIX_TIMESTAMP() AND holiday_end > UNIX_TIME
  VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s','%s')",
 array(
        $GLOBALS['userid'],
-       addslashes($_POST['subject']),
-       addslashes($_POST['text']),
+       $_POST['subject'],
+       $_POST['text'],
        $RECEIVER,
        bigintval($_POST['type']),
        $TIME,
@@ -316,8 +309,8 @@ array(
  VALUES ('%s','%s','%s','%s','%s','TEMP','%s','%s','%s','%s','%s')",
 array(
        $GLOBALS['userid'],
-       addslashes($_POST['subject']),
-       addslashes($_POST['text']),
+       $_POST['subject'],
+       $_POST['text'],
        $RECEIVER,
        bigintval($_POST['type']),
        $TIME,
index a62131d..9b9f607 100644 (file)
@@ -217,7 +217,7 @@ VALUES (%s,%s,%s, UNIX_TIMESTAMP(), 'NEW','%s','%s','%s')",
                                        }
                                         else
                                        {
-                                               $msg_adm = addslashes(LOAD_EMAIL_TEMPLATE("admin_payout_request_banner", array(), $GLOBALS['userid']));
+                                               $msg_adm = LOAD_EMAIL_TEMPLATE("admin_payout_request_banner", array(), $GLOBALS['userid']);
                                        }
                                }
                                 else
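Review bot: `$msg_adm` loses its `addslashes()` here and again at `@@ -236,7`, but the statement that consumes it is outside both hunks, so it is not visible whether the value is still escaped before storage. If it is written to the task table through a `'%s'` placeholder of SQL_QUERY_ESC, the change is fine. If it is concatenated into the SQL string, as what-newsletter.php does with `$admin_msg`, the template output (which is loaded with the member's data) would go into the query unescaped. A comment at the assignment, e.g. `// unescaped; must be passed as a SQL_QUERY_ESC() argument`, would make that dependency explicit.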
@@ -236,7 +236,7 @@ VALUES (%s,%s,%s,'%s',%s, UNIX_TIMESTAMP(), 'NEW','%s')",
 
                                        // Load templates
                                        $msg_mem = LOAD_EMAIL_TEMPLATE("member_payout_request", array(), $GLOBALS['userid']);
-                                       $msg_adm = addslashes(LOAD_EMAIL_TEMPLATE("admin_payout_request", array(), $GLOBALS['userid']));
+                                       $msg_adm = LOAD_EMAIL_TEMPLATE("admin_payout_request", array(), $GLOBALS['userid']);
                                        $admin_tpl = "";
                                        if (GET_EXT_VERSION("admins") >= "0.4.1")
                                        {
index 9d8b8fa..4dd0614 100644 (file)
@@ -76,7 +76,7 @@ if ((!isset($_POST['ok'])) || (empty($_POST['qsummary'])))
 
        // Drop a message in the admin's area
        $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_task_system (userid, assigned_admin, status, task_type, subject, text, task_created) VALUES ('%s','0','NEW','SUPPORT_MEMBER','%s','%s', UNIX_TIMESTAMP())",
-        array($GLOBALS['userid'], addslashes($subj_a), addslashes($_POST['qsummary'].":".$_POST['qdetails'])), __FILE__, __LINE__);
+               array($GLOBALS['userid'], $subj_a, $_POST['qsummary'].":".$_POST['qdetails']), __FILE__, __LINE__);
 
        // Form sent
        LOAD_TEMPLATE("member_support_contcted");
index 0a10862..c7130ff 100644 (file)
@@ -185,11 +185,11 @@ case "new": // Start new transfer
 
                        // Add entries to both tables
                        $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_in (userid, from_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
-                        array(bigintval($_POST['to_uid']), $GLOBALS['userid'], bigintval($_POST['points']), addslashes($_POST['reason']), __TRANS_ID),
-                        __FILE__, __LINE__);
+                               array(bigintval($_POST['to_uid']), $GLOBALS['userid'], bigintval($_POST['points']), $_POST['reason'], __TRANS_ID),
+                               __FILE__, __LINE__);
                        $result = SQL_QUERY_ESC("INSERT INTO "._MYSQL_PREFIX."_user_transfers_out (userid, to_uid, points, reason, time_trans, trans_id) VALUES ('%s','%s','%s','%s', UNIX_TIMESTAMP(),'%s')",
-                        array($GLOBALS['userid'], bigintval($_POST['to_uid']), bigintval($_POST['points']), addslashes($_POST['reason']), __TRANS_ID),
-                        __FILE__, __LINE__);
+                               array($GLOBALS['userid'], bigintval($_POST['to_uid']), bigintval($_POST['points']), $_POST['reason'], __TRANS_ID),
+                               __FILE__, __LINE__);
 
                        // Add points to account *directly* ...
                        ADD_POINTS_REFSYSTEM(bigintval($_POST['to_uid']), bigintval($_POST['points']), false, "0", false, "direct");
index 1def311..036e853 100644 (file)
@@ -1917,7 +1917,7 @@ VALUES (%s,0,'NEW','EXTENSION','%s','%s',UNIX_TIMESTAMP())",
                        array(
                                $admin_id,
                                $subject,
-                               addslashes($msg),
+                               SQL_ESCAPE($msg),
                        ),  __FILE__, __LINE__, true, false
                );
        } // END - if
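Review bot: This is the only call where the commit puts `SQL_ESCAPE()` inside a SQL_QUERY_ESC argument array while removing it everywhere else, and it is also the only call shown with the extra `true, false` arguments. If the trailing `false` switches off SQL_QUERY_ESC's own escaping (the function is not visible here), then `$subject` in the same array is left unescaped and should become `SQL_ESCAPE($subject),`. If it does not, `$msg` is now escaped twice and will be stored with stray backslashes. A one-line comment above the call stating what the two flags do and why this call escapes by hand would settle which case applies.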
@@ -2057,7 +2057,7 @@ function ADD_BONUS_MAIL_TO_QUEUE ($subject, $text, $receiverList, $points, $seco
 VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s','%s')",
  array(
        $subject,
-       addslashes($text),
+       $text,
        $receiverList,
        $points,
        $seconds,
@@ -2074,7 +2074,7 @@ VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s','%s
 VALUES ('%s','%s','%s','%s','%s','NEW', UNIX_TIMESTAMP(),'%s','%s','%s','%s')",
  array(
        $subject,
-       addslashes($text),
+       $text,
        $receiverList,
        $points,
        $seconds,