From 4c83f0cc7459cad9ec9c1c68963f5365155ee935 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Sun, 1 Mar 2009 01:47:17 +0000 Subject: [PATCH] Fixes for stripped HTML tags, and false warnings in debug log --- beg.php | 2 +- doubler.php | 2 +- img.php | 2 +- inc/db/lib-mysql3.php | 2 +- inc/extensions.php | 4 +- inc/fatal_errors.php | 2 +- inc/filters.php | 4 +- inc/functions.php | 53 +++++++++++++++---------- inc/header.php | 6 --- inc/hooks.php | 4 +- inc/language.php | 2 +- inc/language/de.php | 3 +- inc/libs/surfbar_functions.php | 2 +- inc/libs/user_functions.php | 18 ++++----- inc/load_extensions.php | 8 +++- inc/modules/admin.php | 6 +-- inc/modules/admin/admin-inc.php | 3 +- inc/modules/admin/what-adminedit.php | 4 +- inc/modules/admin/what-config_home.php | 2 +- inc/modules/admin/what-edit_sponsor.php | 6 +-- inc/modules/admin/what-guestedit.php | 4 +- inc/modules/admin/what-list_user.php | 8 ++-- inc/modules/admin/what-memedit.php | 4 +- inc/modules/admin/what-send_bonus.php | 2 +- inc/modules/admin/what-theme_edit.php | 2 +- inc/modules/admin/what-usage.php | 6 +-- inc/modules/frametester.php | 2 +- inc/modules/guest/what-login.php | 2 +- inc/modules/index.php | 2 +- inc/modules/member/what-primera.php | 6 +-- inc/modules/member/what-wernis.php | 6 +-- inc/mysql-connect.php | 4 +- inc/mysql-manager.php | 2 +- inc/request-functions.php | 18 ++++++--- inc/session.php | 2 +- inc/stylesheet.php | 4 +- install.php | 4 +- js.php | 2 +- sponsor_confirm.php | 2 +- 39 files changed, 118 insertions(+), 99 deletions(-) diff --git a/beg.php b/beg.php index 72148cbdb1..bcc39658e6 100644 --- a/beg.php +++ b/beg.php 
@@ -99,7 +99,7 @@ if (isBooleanConstantAndTrue('mxchange_installed')) { $points = mt_rand((getConfig('beg_points') * 100000), (getConfig('beg_points_max') * 100000)) / 100000; // Set nickname / userid for the template(s - define('__BEG_UID' , SQL_ESCAPE(REQUEST_GET('uid'))); + define('__BEG_UID' , REQUEST_GET(('uid'))); define('__BEG_CLICKS', ($clicks + 1)); define('__BEG_BANNER', LOAD_TEMPLATE("beg_banner", true)); define('__BEG_POINTS', TRANSLATE_COMMA($points)); diff --git a/doubler.php b/doubler.php index 9eb0c4e918..b3292fbecf 100644 --- a/doubler.php +++ b/doubler.php @@ -53,7 +53,7 @@ REDIRECT_ON_UNINSTALLED_EXTENSION("doubler"); // Is the script installed? if (isBooleanConstantAndTrue('mxchange_installed')) { // Probe for referal ID - if (REQUEST_ISSET_GET(('refid'))) $GLOBALS['refid'] = SQL_ESCAPE(REQUEST_GET('refid')); + if (REQUEST_ISSET_GET(('refid'))) $GLOBALS['refid'] = REQUEST_GET(('refid')); // Only check this if refid is provided! if ($GLOBALS['refid'] > 0) { diff --git a/img.php b/img.php index ba43157fc0..6cf27a6fe4 100644 --- a/img.php +++ b/img.php @@ -57,7 +57,7 @@ if (isBooleanConstantAndTrue('mxchange_installed')) { } elseif (REQUEST_ISSET_GET(('tag'))) { // Tag set so create the IFN (Include-FileName) $INC = sprintf("inc/img/tag-%s.php", - SQL_ESCAPE(REQUEST_GET('tag')) + REQUEST_GET(('tag')) ); // Include is readable? diff --git a/inc/db/lib-mysql3.php b/inc/db/lib-mysql3.php index bcdf041e36..deddd14903 100644 --- a/inc/db/lib-mysql3.php +++ b/inc/db/lib-mysql3.php @@ -288,7 +288,7 @@ function SQL_INSERTID () { } // Escape a string for the database -function SQL_ESCAPE ($str, $secureString=true,$strip=true) { +function SQL_ESCAPE ($str, $secureString=true, $strip=true) { // Secure string first? (which is the default behaviour!) if ($secureString) { // Then do it here diff --git a/inc/extensions.php b/inc/extensions.php index 88a33b4c0b..0fbfc12dbf 100644 --- a/inc/extensions.php +++ b/inc/extensions.php 
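Review bot: The `tag` value in img.php now reaches `sprintf("inc/img/tag-%s.php", …)` and the include that follows with only whatever escaping REQUEST_GET() applies, and SQL-style escaping is not a filesystem filter — it leaves `.`, `/` and `-` untouched. The fixed `tag-` prefix rules out a plain `../` walk, but a value that selects a file to include should be validated as an identifier rather than escaped, e.g. `if (!preg_match('/^[a-z0-9_]+$/i', REQUEST_GET('tag'))) { $INC = ''; }` before the readability check. The enclosing if/elseif chain starts before the hunk.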
@@ -320,7 +320,7 @@ function EXTENSION_RUN_SQLS ($ext_id, $load_mode) { // Check if given extension is active function EXT_IS_ACTIVE ($ext_name) { // Extensions are all inactive during installation - if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isBooleanConstantAndTrue('mxchange_installing')) || (empty($ext_name))) return false; + if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isInstalling()) || (empty($ext_name))) return false; // Not active is the default $active = "N"; @@ -369,7 +369,7 @@ function GET_EXT_VERSION ($ext_name) { $ext_ver = false; // Extensions are all inactive during installation - if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isBooleanConstantAndTrue('mxchange_installing'))) return ""; + if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isInstalling())) return ""; //* DEBUG: */ DEBUG_LOG(__FUNCTION__, __LINE__, ": ext_name={$ext_name}"); // Is the cache written? diff --git a/inc/fatal_errors.php b/inc/fatal_errors.php index 94c4ea0d9e..a336a41483 100644 --- a/inc/fatal_errors.php +++ b/inc/fatal_errors.php @@ -43,7 +43,7 @@ if (getTotalFatalErrors() > 0) { // Set unset variable if (empty($check)) $check = ""; - if (isBooleanConstantAndTrue('mxchange_installing')) { + if (isInstalling()) { // While we are installing ouput other header than while it is installed... :-) $OUT = ""; foreach (getFatalArray() as $key => $value) { diff --git a/inc/filters.php b/inc/filters.php index 5050501031..64de90acd5 100644 --- a/inc/filters.php +++ b/inc/filters.php 
@@ -241,9 +241,9 @@ function FILTER_FLUSH_FILTERS () { $SQLs = array(); // Is a database link here and not in installation mode? - if ((!SQL_IS_LINK_UP()) && (!isBooleanConstantAndTrue('mxchange_installing'))) { + if ((!SQL_IS_LINK_UP()) && (!isInstalling())) { // Abort here - addFatalMessage(getMessage('FILTER_FLUSH_FAILED_NO_DATABASE'), array($filterFunction, $filterName)); + addFatalMessage(getMessage('FILTER_FLUSH_FAILED_NO_DATABASE')); return false; } // END - if diff --git a/inc/functions.php b/inc/functions.php index a0d62bc53d..fded480114 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -114,8 +114,10 @@ function OUTPUT_HTML ($HTML, $newLine = true) { // Output cached HTML code $OUTPUT = ob_get_contents(); - // Clear output buffer for later output - clearOutputBuffer(); + // Clear output buffer for later output if output is found + if (!empty($OUTPUT)) { + clearOutputBuffer(); + } // END - if // Send HTTP header header("HTTP/1.1 200"); @@ -139,8 +141,8 @@ function OUTPUT_HTML ($HTML, $newLine = true) { while (strpos($OUTPUT, '{!') > 0) { // Prepare the content and eval() it... $newContent = ""; - $eval = "\$newContent = \"".COMPILE_CODE(SQL_ESCAPE($OUTPUT))."\";"; - @eval($eval); + $eval = "\$newContent = \"".COMPILE_CODE(smartAddSlashes($OUTPUT, false, false))."\";"; + eval($eval); // Was that eval okay? if (empty($newContent)) { @@ -160,7 +162,7 @@ function OUTPUT_HTML ($HTML, $newLine = true) { // Compile and run finished rendered HTML code while (strpos($OUTPUT, '{!') > 0) { - $eval = "\$OUTPUT = \"".COMPILE_CODE(SQL_ESCAPE($OUTPUT))."\";"; + $eval = "\$OUTPUT = \"".COMPILE_CODE(smartAddSlashes($OUTPUT, false, false))."\";"; eval($eval); } // END - while 
@@ -345,7 +347,7 @@ function LOAD_TEMPLATE ($template, $return=false, $content=array()) { $ret = ""; if ((strpos($tmpl_file, "\$") !== false) || (strpos($tmpl_file, '{--') !== false) || (strpos($tmpl_file, '--}') > 0)) { // Okay, compile it! - $tmpl_file = "\$ret=\"".COMPILE_CODE(SQL_ESCAPE($tmpl_file))."\";"; + $tmpl_file = "\$ret=\"".COMPILE_CODE(smartAddSlashes($tmpl_file))."\";"; eval($tmpl_file); } else { // Simply return loaded code @@ -354,7 +356,7 @@ function LOAD_TEMPLATE ($template, $return=false, $content=array()) { // Add surrounding HTML comments to help finding bugs faster $ret = "\n".$ret."\n"; - } elseif ((IS_ADMIN()) || ((isBooleanConstantAndTrue('mxchange_installing')) && (!isBooleanConstantAndTrue('mxchange_installed')))) { + } elseif ((IS_ADMIN()) || ((isInstalling()) && (!isBooleanConstantAndTrue('mxchange_installed')))) { // Only admins shall see this warning or when installation mode is active $ret = "
".TEMPLATE_404."
(".basename($FQFN).")
@@ -391,7 +393,7 @@ function SEND_EMAIL($TO, $SUBJECT, $MSG, $HTML = "N", $FROM = "") { //* DEBUG: */ print __FUNCTION__."(".__LINE__."):TO={$TO},SUBJECT={$SUBJECT}
\n"; // Compile subject line (for POINTS constant etc.) - $eval = "\$SUBJECT = decodeEntities(\"".COMPILE_CODE(SQL_ESCAPE($SUBJECT))."\");"; + $eval = "\$SUBJECT = decodeEntities(\"".COMPILE_CODE(smartAddSlashes($SUBJECT))."\");"; eval($eval); // Set from header @@ -444,11 +446,11 @@ function SEND_EMAIL($TO, $SUBJECT, $MSG, $HTML = "N", $FROM = "") { } // Compile "TO" - $eval = "\$TO = \"".COMPILE_CODE(SQL_ESCAPE($TO))."\";"; + $eval = "\$TO = \"".COMPILE_CODE(smartAddSlashes($TO))."\";"; eval($eval); // Compile "MSG" - $eval = "\$MSG = \"".COMPILE_CODE(SQL_ESCAPE($MSG))."\";"; + $eval = "\$MSG = \"".COMPILE_CODE(smartAddSlashes($MSG))."\";"; eval($eval); // Fix HTML parameter (default is no!) @@ -868,7 +870,7 @@ function LOAD_EMAIL_TEMPLATE($template, $content=array(), $UID="0") { // Run code $tmpl_file = "\$newContent = decodeEntities(\"".COMPILE_CODE($tmpl_file)."\");"; - @eval($tmpl_file); + eval($tmpl_file); } elseif (!empty($template)) { // Template file not found! $newContent = "{--TEMPLATE_404--}: ".$template."
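Review bot: The `$TO` and `$MSG` compile lines in SEND_EMAIL still pass recipient and body text through `eval()` inside a double-quoted PHP string, and the only protection is now `smartAddSlashes()`, which is not part of this patch. For that construct the characters that must be neutralised are `\`, `"`, `$` and `{` (the `{$…}` interpolation form); the replaced `SQL_ESCAPE()` handled only the first two, and an addslashes-style helper handles the same set. Please confirm smartAddSlashes also escapes `$` (or `{`), or add a comment on these lines stating that contract, since `$TO` and `$MSG` may carry user-supplied text. SEND_EMAIL's body continues before and after the hunk.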
@@ -901,7 +903,7 @@ function LOAD_EMAIL_TEMPLATE($template, $content=array(), $UID="0") { return COMPILE_CODE($newContent); } // -function MAKE_TIME($H, $M, $S, $stamp) { +function MAKE_TIME ($H, $M, $S, $stamp) { // Extract day, month and year from given timestamp $DAY = date("d", $stamp); $MONTH = date("m", $stamp); @@ -911,7 +913,7 @@ function MAKE_TIME($H, $M, $S, $stamp) { return mktime($H, $M, $S, $MONTH, $DAY, $YEAR); } // -function LOAD_URL($URL, $addUrlData=true) { +function LOAD_URL ($URL, $addUrlData=true) { // Compile out URI codes $URL = compileUriCode($URL); @@ -922,7 +924,7 @@ function LOAD_URL($URL, $addUrlData=true) { } // Get output buffer - //* DEBUG: */ debug_report_bug(); + /* DEBUG: */ debug_report_bug(sprintf("%s[%s:] URL=%s", __FUNCTION__, __LINE__, $URL)); $OUTPUT = ob_get_contents(); // Clear it only if there is content @@ -2294,7 +2296,7 @@ function DISPLAY_PARSING_TIME_FOOTER() { // Check wether a boolean constant is set // Taken from user comments in PHP documentation for function constant() -function isBooleanConstantAndTrue($constName) { // : Boolean +function isBooleanConstantAndTrue ($constName) { // : Boolean // Failed by default $res = false; @@ -2302,11 +2304,15 @@ function isBooleanConstantAndTrue($constName) { // : Boolean if (isset($GLOBALS['cache_array']['const'][$constName])) { // Use cache //* DEBUG: */ print __FUNCTION__."(".__LINE__."): ".$constName."-CACHE!
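Review bot: The change from `//* DEBUG: */` to `/* DEBUG: */` in LOAD_URL turns a commented-out line into live code: `//* … */` is a line comment, `/* … */` is a block comment, so `debug_report_bug(sprintf(…))` now runs on every LOAD_URL call. Every other debug line in this patch keeps the `//*` form, so this looks like a leftover from a debugging session rather than an intended change, and if debug_report_bug aborts or reports as its name suggests, every redirect will trigger it. Restore `//* DEBUG: */ debug_report_bug(sprintf("%s[%s:] URL=%s", __FUNCTION__, __LINE__, $URL));`. LOAD_URL continues past the end of the hunk.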
\n"; - $res = $GLOBALS['cache_array']['const'][$constName]; + $res = ($GLOBALS['cache_array']['const'][$constName] === true); } else { // Check constant //* DEBUG: */ print __FUNCTION__."(".__LINE__."): ".$constName."-RESOLVE!
\n"; - if (defined($constName)) $res = (constant($constName) === true); + if (defined($constName)) { + // Found! + //* DEBUG: */ print __FUNCTION__."(".__LINE__."): ".$constName."-FOUND!
\n"; + $res = (constant($constName) === true); + } // END - if // Set cache $GLOBALS['cache_array']['const'][$constName] = $res; @@ -2371,14 +2377,14 @@ function GET_CURR_THEME() { // Fix it to default $ret = "default"; } // END - if - } elseif ((!isBooleanConstantAndTrue('mxchange_installed')) && ((isBooleanConstantAndTrue('mxchange_installing')) || ($GLOBALS['output_mode'] == true)) && ((REQUEST_ISSET_GET(('theme'))) || (REQUEST_ISSET_POST(('theme'))))) { + } elseif ((!isBooleanConstantAndTrue('mxchange_installed')) && ((isInstalling()) || ($GLOBALS['output_mode'] == true)) && ((REQUEST_ISSET_GET(('theme'))) || (REQUEST_ISSET_POST(('theme'))))) { // Prepare FQFN for checking - $theme = sprintf("%stheme/%s/theme.php", constant('PATH'), SQL_ESCAPE(REQUEST_GET('theme'))); + $theme = sprintf("%stheme/%s/theme.php", constant('PATH'), REQUEST_GET(('theme'))); // Installation mode active if ((REQUEST_ISSET_GET(('theme'))) && (FILE_READABLE($theme))) { // Set cookie from URL data - set_session('mxchange_theme', SQL_ESCAPE(REQUEST_GET('theme'))); + set_session('mxchange_theme', REQUEST_GET(('theme'))); } elseif (FILE_READABLE(sprintf("%stheme/%s/theme.php", constant('PATH'), SQL_ESCAPE(REQUEST_POST('theme'))))) { // Set cookie from posted data set_session('mxchange_theme', SQL_ESCAPE(REQUEST_POST('theme'))); @@ -2679,7 +2685,7 @@ function convertCodeToMessage ($code) { case constant('CODE_EXTENSION_PROBLEM'): if (REQUEST_ISSET_GET(('ext'))) { - $msg = sprintf(getMessage('EXTENSION_PROBLEM_EXT_INACTIVE'), SQL_ESCAPE(REQUEST_GET('ext'))); + $msg = sprintf(getMessage('EXTENSION_PROBLEM_EXT_INACTIVE'), REQUEST_GET(('ext'))); } else { $msg = getMessage('EXTENSION_PROBLEM_UNSET_EXT'); } 
@@ -3384,6 +3390,11 @@ function DETERMINE_REFID () {
 return $GLOBALS['refid'];
 }
+// Check wether we are installing
+function isInstalling () {
+ return (isset($GLOBALS['mxchange_installing']));
+}
+
 //////////////////////////////////////////////////
 // AUTOMATICALLY RE-GENERATED MISSING FUNCTIONS //
 //////////////////////////////////////////////////
diff --git a/inc/header.php b/inc/header.php
index 50eebd7742..723933c179 100644
--- a/inc/header.php
+++ b/inc/header.php
@@ -77,12 +77,6 @@ if (($GLOBALS['header_sent'] != "1") && ($GLOBALS['header_sent'] != "2")) {
 // Remember title in constant for the template
 define('__PAGE_TITLE', $TITLE);
 } elseif ((!isBooleanConstantAndTrue('mxchange_installed')) || (!isBooleanConstantAndTrue('admin_registered'))) {
- // Load language file because it was missing in installation finalizer step... *sigh*
- $INC = sprintf("inc/language/install_%s.php",
- GET_LANGUAGE()
- );
- LOAD_INC_ONCE($INC);
-
 // Installation mode
 define('__PAGE_TITLE', getMessage('INSTALLATION_OF_MXCHANGE'));
 } else {
diff --git a/inc/hooks.php b/inc/hooks.php
index 8bc6463e56..592c24d5dd 100644
--- a/inc/hooks.php
+++ b/inc/hooks.php
@@ -45,9 +45,9 @@ function __SHUTDOWN_HOOK () {
 if (SQL_IS_LINK_UP()) {
 // Close link
 SQL_CLOSE(__FILE__, __LINE__);
- } else {
+ } elseif (!isInstalling()) {
 // No database link
- addFatalMessage(getMessage('NO_DB_LINK'));
+ addFatalMessage(getMessage('NO_DB_LINK_SHUTDOWN'));
 }
 }
diff --git a/inc/language.php b/inc/language.php
index 6814974eb4..0c10b17787 100644
--- a/inc/language.php
+++ b/inc/language.php
@@ -61,7 +61,7 @@ if (!FILE_READABLE($FQFN)) {
 LOAD_INC($INC);
 // Check for installation mode
-if (isBooleanConstantAndTrue('mxchange_installing')) {
+if (isInstalling()) {
 // Load matching language file
 LOAD_INC("inc/language/install_".$mx_lang.".php");
 }
diff --git a/inc/language/de.php b/inc/language/de.php
index ec12cd0c2a..dbe56aa7c6 100644
--- a/inc/language/de.php
+++ b/inc/language/de.php
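Review bot: `isInstalling()` replaces a `defined('mxchange_installing')` constant check with `isset($GLOBALS['mxchange_installing'])`, which changes the trust model: a constant can only be created by `define()`, whereas a global can be set by any included file or, if `register_globals` is still enabled on a PHP 5.2-era host, straight from the request — and installation mode makes EXT_IS_ACTIVE return false, CHECK_MODULE return "done" and load_extensions.php skip loading, all within this patch. `isset` also treats an explicit `false` or `0` as installing. Nothing in this patch sets the global, and mysql-connect.php still tests `defined('mxchange_installing')` in the condition just before its converted `elseif`, so the two signals can disagree. I would at least tighten the body to `return ((isset($GLOBALS['mxchange_installing'])) && ($GLOBALS['mxchange_installing'] === true));` and add a comment naming the file that sets the flag.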
@@ -164,7 +164,8 @@ define('MENU_IS_VISIBLE', "Menüpunkt ist sichtbar"); define('MENU_IS_ACTIVE', "Menüpunkt ist aktiviert"); define('CREATE_ACTION_FIRST', "Bitte erstellen Sie zuerst die action-xxxxx.php Datei. Dann können Sie sie hier auswählen."); define('IS_FIRST_MENU', "Ist das erste Hauptmenü"); -define('NO_DB_LINK', "Keine Verbindung zur Datenbank!"); +define('NO_DB_LINK', "Keine Verbindung zur Datenbank."); +define('NO_DB_LINK_SHUTDOWN', "Keine Verbindung zur Datenbank beim Schliessen der Verbindung."); define('MYSQL_DATA_MISSING', "Die Konfiguration Ihrer Datenbankverbindung ist unnvollständig. Bitte in inc/config.php mindestens den Hostnamen, Datenbanknamen und Login zur Datenbank eingeben."); define('REGISTER_PERSONAL_DATA', "Persönliche Daten"); define('REGISTER_CATEGORIES', "Interessengebiete"); diff --git a/inc/libs/surfbar_functions.php b/inc/libs/surfbar_functions.php index 390f874e4d..cab4fb587d 100644 --- a/inc/libs/surfbar_functions.php +++ b/inc/libs/surfbar_functions.php @@ -775,7 +775,7 @@ function SURFBAR_DETERMINE_TEMPLATE_NAME() { if (REQUEST_ISSET_GET(('frame'))) { // Use the frame as a template name part... ;-) $templateName = sprintf("surfbar_frame_%s", - SQL_ESCAPE(REQUEST_GET('frame')) + REQUEST_GET(('frame')) ); } // END - if diff --git a/inc/libs/user_functions.php b/inc/libs/user_functions.php index 2d40f4520a..b0de254c1e 100644 --- a/inc/libs/user_functions.php +++ b/inc/libs/user_functions.php 
@@ -40,8 +40,8 @@ if (!defined('__SECURITY')) { // Add links for selecting some users function alpha ($sortby, $colspan, $return=false) { if (!REQUEST_ISSET_GET(('offset'))) REQUEST_SET_GET('offset', 0); - $ADD = "&page=".SQL_ESCAPE(REQUEST_GET('page'))."&offset=".SQL_ESCAPE(REQUEST_GET('offset')); - if (REQUEST_ISSET_GET(('mode'))) $ADD .= "&mode=".SQL_ESCAPE(REQUEST_GET('mode')); + $ADD = "&page=".REQUEST_GET(('page'))."&offset=".REQUEST_GET(('offset')); + if (REQUEST_ISSET_GET(('mode'))) $ADD .= "&mode=".REQUEST_GET(('mode')); /* Creates the list of letters and makes them a link. */ $alphabet = array(_ALL2,"A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z",_OTHERS); @@ -54,7 +54,7 @@ function alpha ($sortby, $colspan, $return=false) { } else { // Output link to letter $OUT .= "".$ltr.""; } @@ -85,11 +85,11 @@ function SortLinks($letter, $sortby, $colspan, $return=false) { if (!REQUEST_ISSET_GET(('page'))) REQUEST_SET_GET('page' , 0); // Add page and offset - $ADD = "&page=".SQL_ESCAPE(REQUEST_GET('page'))."&offset=".SQL_ESCAPE(REQUEST_GET('offset')); + $ADD = "&page=".REQUEST_GET(('page'))."&offset=".REQUEST_GET(('offset')); // Add status or mode - if (REQUEST_ISSET_GET(('status'))) $ADD .= "&mode=".SQL_ESCAPE(REQUEST_GET('status')); - elseif (REQUEST_ISSET_GET(('mode'))) $ADD .= "&mode=".SQL_ESCAPE(REQUEST_GET('mode')); + if (REQUEST_ISSET_GET(('status'))) $ADD .= "&mode=".REQUEST_GET(('status')); + elseif (REQUEST_ISSET_GET(('mode'))) $ADD .= "&mode=".REQUEST_GET(('mode')); // Makes order by links.. if ($letter == "front") $letter = _ALL2; @@ -158,11 +158,11 @@ function ADD_PAGENAV($PAGES, $offset, $show_form, $colspan,$return=false) { $OUT .= ""; + $OUT .= "&letter=".REQUEST_GET(('letter'))."&sortby=".REQUEST_GET(('sortby'))."&page=".$page."&offset=".$offset."\">"; } $OUT .= $page; diff --git a/inc/load_extensions.php b/inc/load_extensions.php index ad2298df62..babd32e6af 100644 
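Review bot: In alpha() and SortLinks() the `page`, `offset`, `mode` and `status` values are concatenated into link query strings (`$ADD = "&page=".REQUEST_GET(('page'))…`) with only the SQL escaping REQUEST_GET() now applies, which is the wrong escaping for an HTML attribute or URL: a backslash-escaped quote still terminates the attribute, and tag stripping does not stop attribute injection. `page` and `offset` are numeric, so `(int) REQUEST_GET('page')` and `(int) REQUEST_GET('offset')` are the simplest fix; `mode` and `status` should go through `urlencode()` here or `htmlspecialchars()` where they are echoed. These are admin pages, which limits exposure but does not remove it. The `$OUT .=` link lines in the -54 and -158 hunks appear to have lost their markup in this rendering, so I cannot see the exact attribute context.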
--- a/inc/load_extensions.php +++ b/inc/load_extensions.php @@ -46,7 +46,13 @@ $GLOBALS['cache_instance'] = null; $GLOBALS['cache_array'] = array(); // Skip loading extensions -if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isBooleanConstantAndTrue('mxchange_installing'))) return; +if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isInstalling())) { + // Init filter system here + INIT_FILTER_SYSTEM(); + + // Skip loading + return; +} // END - if // Initialize array for "always keep active extensions" $GLOBALS['cache_array']['active_extensions'] = array(); diff --git a/inc/modules/admin.php b/inc/modules/admin.php index 7261d1cddc..67f359aa6a 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php @@ -319,13 +319,13 @@ if (!isBooleanConstantAndTrue('admin_registered')) { // Load logout template if (REQUEST_ISSET_GET(('register'))) { // Secure input - $register = SQL_ESCAPE(REQUEST_GET('register')); + $register = REQUEST_GET(('register')); // Special logout redirect for installation of given extension LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $register)); } elseif (REQUEST_ISSET_GET(('remove'))) { // Secure input - $remove = SQL_ESCAPE(REQUEST_GET('remove')); + $remove = REQUEST_GET(('remove')); // Special logout redirect for removal of given extension LOAD_TEMPLATE(sprintf("admin_logout_%s_remove", $remove)); @@ -358,7 +358,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { $area = "entrance"; // Check for similar URL variable - if (REQUEST_ISSET_GET(('area'))) $area = SQL_ESCAPE(REQUEST_GET('area')); + if (REQUEST_ISSET_GET(('area'))) $area = REQUEST_GET(('area')); // Load "logical-area menu-system" file LOAD_INC_ONCE("inc/modules/admin/lasys-inc.php"); diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index 233ae66a78..0e50b238a4 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php 
@@ -450,7 +450,8 @@ function ADD_ADMIN_MENU($act, $wht, $return=false) { // Compile and run the code here. This inserts all constants into the // HTML output. Costs me some time to figure this out... *sigh* Quix0r - $eval = "\$OUT = \"".COMPILE_CODE(SQL_ESCAPE($OUT))."\";"; + // @TODO Is this eval longer needed? + $eval = "\$OUT = \"".COMPILE_CODE(smartAddSlashes($OUT))."\";"; eval($eval); // Is there a cache instance again? diff --git a/inc/modules/admin/what-adminedit.php b/inc/modules/admin/what-adminedit.php index 380ef3157e..66f53c3321 100644 --- a/inc/modules/admin/what-adminedit.php +++ b/inc/modules/admin/what-adminedit.php @@ -44,8 +44,8 @@ ADD_DESCR("admin", __FILE__); $AND = "(`what` = '' OR `what` IS NULL)"; $SUB = ""; if (REQUEST_ISSET_GET(('sub'))) { - $AND = sprintf("action='%s' AND `what` IS NOT NULL", SQL_ESCAPE(REQUEST_GET('sub'))); - $SUB = SQL_ESCAPE(REQUEST_GET('sub')); + $AND = sprintf("action='%s' AND `what` IS NOT NULL", REQUEST_GET(('sub'))); + $SUB = REQUEST_GET(('sub')); } // Get count of (maybe) selected menu points diff --git a/inc/modules/admin/what-config_home.php b/inc/modules/admin/what-config_home.php index 7a0d4ccfd0..3f3f8ec1f5 100644 --- a/inc/modules/admin/what-config_home.php +++ b/inc/modules/admin/what-config_home.php @@ -67,7 +67,7 @@ case "settings": // Settings related to the index page case "target": // Set which what-file will be placed in home-page (only modules.php?module=index) if (REQUEST_ISSET_GET(('home'))) { // Set new home - UPDATE_CONFIG("index_home", SQL_ESCAPE(REQUEST_GET('home'))); + UPDATE_CONFIG("index_home", REQUEST_GET(('home'))); } // END - if // Load all what menu points diff --git a/inc/modules/admin/what-edit_sponsor.php b/inc/modules/admin/what-edit_sponsor.php index 183b4b1d99..36f33eff6f 100644 --- a/inc/modules/admin/what-edit_sponsor.php +++ b/inc/modules/admin/what-edit_sponsor.php 
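Review bot: `$AND = sprintf("action='%s' AND …", REQUEST_GET(('sub')))` in what-adminedit.php now depends entirely on REQUEST_GET() having SQL-escaped the value, and nothing in this file says so; a reader who sees a raw GET value in a sprintf'd WHERE clause will reasonably flag it. Add a comment on that line such as `// REQUEST_GET() returns the value already run through SQL_ESCAPE()`, and the identical hunks in what-guestedit.php and what-memedit.php want the same note. The query that consumes `$AND` is outside the hunk.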
@@ -95,7 +95,7 @@ if ((REQUEST_ISSET_GET(('id'))) && (REQUEST_ISSET_GET(('mode')))) { define('__INTERVAL' , CREATE_TIME_SELECTIONS($DATA['warning_interval'], "warning_interval", "MWDh")); // Init variables here - $TPL = sprintf("admin_edit_sponsor_%s", SQL_ESCAPE(REQUEST_GET('mode'))); + $TPL = sprintf("admin_edit_sponsor_%s", REQUEST_GET(('mode'))); $SQLs = array(); // Sponsor was found @@ -178,7 +178,7 @@ if ((REQUEST_ISSET_GET(('id'))) && (REQUEST_ISSET_GET(('mode')))) { default: // Unknown mode DEBUG_LOG(__FILE__, __LINE__, sprintf("Unknown mode %s detected.", REQUEST_GET('mode'))); - $MSG = sprintf(getMessage('ADMIN_SPONSOR_INVALID_MODE'), SQL_ESCAPE(REQUEST_GET('mode'))); + $MSG = sprintf(getMessage('ADMIN_SPONSOR_INVALID_MODE'), REQUEST_GET(('mode'))); break; } @@ -194,7 +194,7 @@ if ((REQUEST_ISSET_GET(('id'))) && (REQUEST_ISSET_GET(('mode')))) { LOAD_TEMPLATE($TPL); } else { // Template not found! - LOAD_TEMPLATE("admin_settings_saved", false, sprintf(getMessage('ADMIN_SPONSOR_MODUS_TPL_404'), SQL_ESCAPE(REQUEST_GET('mode')))); + LOAD_TEMPLATE("admin_settings_saved", false, sprintf(getMessage('ADMIN_SPONSOR_MODUS_TPL_404'), REQUEST_GET(('mode')))); } } else { // Sponsor not found! diff --git a/inc/modules/admin/what-guestedit.php b/inc/modules/admin/what-guestedit.php index ad43c6961a..d5486ef469 100644 --- a/inc/modules/admin/what-guestedit.php +++ b/inc/modules/admin/what-guestedit.php @@ -44,8 +44,8 @@ ADD_DESCR("admin", __FILE__); $AND = "(`what` = '' OR `what` IS NULL)"; $SUB = ""; if (REQUEST_ISSET_GET(('sub'))) { - $AND = sprintf("action='%s' AND `what` IS NOT NULL", SQL_ESCAPE(REQUEST_GET('sub'))); - $SUB = SQL_ESCAPE(REQUEST_GET('sub')); + $AND = sprintf("action='%s' AND `what` IS NOT NULL", REQUEST_GET(('sub'))); + $SUB = REQUEST_GET(('sub')); } // END - if // Get count of (maybe) selected menu points diff --git a/inc/modules/admin/what-list_user.php b/inc/modules/admin/what-list_user.php index 38702a8652..dfe81a2533 100644 
--- a/inc/modules/admin/what-list_user.php
+++ b/inc/modules/admin/what-list_user.php
@@ -48,10 +48,10 @@ ADD_DESCR("admin", __FILE__);
 $listHeader = getMessage('ADMIN_ALL_ACCOUNTS');
 if (REQUEST_ISSET_GET(('status'))) {
 // Set title according to the "status"
- $listHeader = getMessage(sprintf("ADMIN_LIST_STATUS_%s_ACCOUNTS", strtoupper(SQL_ESCAPE(REQUEST_GET('status')))));
+ $listHeader = getMessage(sprintf("ADMIN_LIST_STATUS_%s_ACCOUNTS", strtoupper(REQUEST_GET(('status')))));
 } elseif (REQUEST_ISSET_GET(('mode'))) {
 // Set title according to the "mode"
- $listHeader = getMessage(sprintf("ADMIN_LIST_MODE_%s_ACCOUNTS", strtoupper(SQL_ESCAPE(REQUEST_GET('mode')))));
+ $listHeader = getMessage(sprintf("ADMIN_LIST_MODE_%s_ACCOUNTS", strtoupper(REQUEST_GET(('mode')))));
 }
 // Remember it
@@ -227,13 +227,13 @@ LIMIT 1",
 break;
 default: // Invalid list mode
- DEBUG_LOG(__FILE__, __LINE__, sprintf("Invalid list mode %s detected.", SQL_ESCAPE(REQUEST_GET('mode'))));
+ DEBUG_LOG(__FILE__, __LINE__, sprintf("Invalid list mode %s detected.", REQUEST_GET(('mode'))));
 break;
 }
 } // END = if
 // Prepare SQL and run it
- $SQL = "SELECT userid, gender, surname, family, email, REMOTE_ADDR, refid, status, emails_sent, mails_confirmed, emails_received".$MORE." FROM `{!_MYSQL_PREFIX!}_user_data`".$whereStatement." ORDER BY ".SQL_ESCAPE(REQUEST_GET('sortby'));
+ $SQL = "SELECT userid, gender, surname, family, email, REMOTE_ADDR, refid, status, emails_sent, mails_confirmed, emails_received".$MORE." FROM `{!_MYSQL_PREFIX!}_user_data`".$whereStatement." ORDER BY ".REQUEST_GET(('sortby'));
 $result_master = SQL_QUERY($SQL, __FILE__, __LINE__);
 // Calculate page count (0.5 fixes a bug with page count)
diff --git a/inc/modules/admin/what-memedit.php b/inc/modules/admin/what-memedit.php
index ed4f7f9182..038b52fd0c 100644
--- a/inc/modules/admin/what-memedit.php
+++ b/inc/modules/admin/what-memedit.php
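Review bot: `" ORDER BY ".REQUEST_GET(('sortby'))` in what-list_user.php is SQL injection regardless of escaping: `sortby` is spliced in as an identifier, not a quoted string literal, so the string escaping REQUEST_GET() applies does nothing in this position and arbitrary clauses can follow the column name. The old `SQL_ESCAPE()` call had the same weakness, so this is not a regression, but the patch touches the line. Validate against the columns the query actually selects, e.g. `$sortby = in_array(REQUEST_GET('sortby'), array('userid','gender','surname','family','email','refid','status','emails_sent','mails_confirmed','emails_received'), true) ? REQUEST_GET('sortby') : 'userid';` and use `$sortby` in the ORDER BY. The switch that builds `$whereStatement` starts before the hunk.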
@@ -44,8 +44,8 @@ ADD_DESCR("admin", __FILE__); $AND = "(`what` = '' OR `what` IS NULL)"; $SUB = ""; if (REQUEST_ISSET_GET(('sub'))) { - $AND = sprintf("action='%s' AND `what` IS NOT NULL", SQL_ESCAPE(REQUEST_GET('sub'))); - $SUB = SQL_ESCAPE(REQUEST_GET('sub')); + $AND = sprintf("action='%s' AND `what` IS NOT NULL", REQUEST_GET(('sub'))); + $SUB = REQUEST_GET(('sub')); } // Get count of (maybe) selected menu points diff --git a/inc/modules/admin/what-send_bonus.php b/inc/modules/admin/what-send_bonus.php index 651b6d6816..2c496ee239 100644 --- a/inc/modules/admin/what-send_bonus.php +++ b/inc/modules/admin/what-send_bonus.php @@ -57,7 +57,7 @@ if (IS_FORM_SENT()) { define('__OPTION_LINES', ADD_CATEGORY_OPTIONS(REQUEST_GET('mode'))); // Store send mode - define('__MODE', SQL_ESCAPE(REQUEST_GET('mode'))); + define('__MODE', REQUEST_GET(('mode'))); if (EXT_IS_ACTIVE("html_mail")) { // If HTML extension is active diff --git a/inc/modules/admin/what-theme_edit.php b/inc/modules/admin/what-theme_edit.php index 0f7f4738ce..cf1377e97c 100644 --- a/inc/modules/admin/what-theme_edit.php +++ b/inc/modules/admin/what-theme_edit.php @@ -79,7 +79,7 @@ if ($SEL > 0) { if (empty($OUT)) $OUT = getMessage('ADMIN_THEME_NO_OUTPUT'); } elseif (REQUEST_ISSET_GET(('default_theme'))) { // Escape string from input - $POST['default_theme'] = SQL_ESCAPE(REQUEST_GET('default_theme')); + $POST['default_theme'] = REQUEST_GET(('default_theme')); // Set session set_session('mxchange_theme', $POST['default_theme']); diff --git a/inc/modules/admin/what-usage.php b/inc/modules/admin/what-usage.php index f211bde553..ad62821070 100644 --- a/inc/modules/admin/what-usage.php +++ b/inc/modules/admin/what-usage.php @@ -54,8 +54,8 @@ if (REQUEST_ISSET_GET(('image'))) { $FQFN = sprintf("%s%s/%s_usage_%s.png", constant('PATH'), getConfig('usage_base'), - SQL_ESCAPE(REQUEST_GET('type')), - SQL_ESCAPE(REQUEST_GET('image')) + REQUEST_GET(('type')), + REQUEST_GET(('image')) ); } 
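Review bot: In what-usage.php `type` and `image` become parts of a filesystem path in `sprintf("%s%s/%s_usage_%s.png", …)`, and `type` sits at the start of the last path component, so `../` sequences in it change the directory; the SQL escaping now done inside REQUEST_GET() leaves `.` and `/` alone. What happens with `$FQFN` is outside the hunk, but whether it is read back or merely tested, both values should be restricted with `preg_match('/^[a-zA-Z0-9_-]+$/', …)` before the sprintf, and the `usage` value in the next hunk needs the same treatment. This is an admin-only page, which limits but does not remove the concern.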
@@ -75,7 +75,7 @@ if (REQUEST_ISSET_GET(('image'))) { $FQFN = sprintf("%s%s/usage_%s.html", constant('PATH'), getConfig('usage_base'), - SQL_ESCAPE(REQUEST_GET('usage')) + REQUEST_GET(('usage')) ); } diff --git a/inc/modules/frametester.php b/inc/modules/frametester.php index 97d8c32bb6..bd090bdd7e 100644 --- a/inc/modules/frametester.php +++ b/inc/modules/frametester.php @@ -81,7 +81,7 @@ if ((REQUEST_ISSET_POST(('url'))) || (REQUEST_ISSET_GET(('url'))) || (REQUEST_IS // Add missing element $frame = ""; - if (REQUEST_ISSET_GET(('frame'))) $frame = SQL_ESCAPE(REQUEST_GET('frame')); + if (REQUEST_ISSET_GET(('frame'))) $frame = REQUEST_GET(('frame')); switch ($frame) { case "": diff --git a/inc/modules/guest/what-login.php b/inc/modules/guest/what-login.php index 4a2f2a233e..25e28faeef 100644 --- a/inc/modules/guest/what-login.php +++ b/inc/modules/guest/what-login.php @@ -97,7 +97,7 @@ if (IS_MEMBER()) { // Login problems? if (REQUEST_ISSET_GET(('login'))) { // Use code from URL - $ERROR = SQL_ESCAPE(REQUEST_GET('login')); + $ERROR = REQUEST_GET(('login')); } // END - if // Login problems? diff --git a/inc/modules/index.php b/inc/modules/index.php index 94ef4689a7..823f1f3134 100644 --- a/inc/modules/index.php +++ b/inc/modules/index.php @@ -52,7 +52,7 @@ if (REQUEST_ISSET_GET(('msg'))) { $ext = "unknown"; // Is extension given? - if (REQUEST_ISSET_GET(('ext'))) $ext = SQL_ESCAPE(REQUEST_GET('ext')); + if (REQUEST_ISSET_GET(('ext'))) $ext = REQUEST_GET(('ext')); // Which message shall we output? $msg = convertCodeToMessage(REQUEST_GET('msg')); diff --git a/inc/modules/member/what-primera.php b/inc/modules/member/what-primera.php index 648eefb27d..544ac714fd 100644 --- a/inc/modules/member/what-primera.php +++ b/inc/modules/member/what-primera.php 
@@ -146,7 +146,7 @@ if (REQUEST_GET('mode') == "pay") { SQL_FREERESULT($result); } else { // Invalid mode! - LOAD_TEMPLATE("admin_settings_saved", false, sprintf(PRIMERA_MEMBER_MODE_INVALID, SQL_ESCAPE(REQUEST_GET('mode')))); + LOAD_TEMPLATE("admin_settings_saved", false, sprintf(PRIMERA_MEMBER_MODE_INVALID, REQUEST_GET(('mode')))); return; } @@ -209,13 +209,13 @@ if ((IS_FORM_SENT()) && (REQUEST_ISSET_GET(('mode')))) { default: // Invalid mode! DEBUG_LOG(__FILE__, __LINE__, sprintf("Invalid mode %s detected.", REQUEST_GET('mode'))); - LOAD_TEMPLATE("admin_settings_saved", false, sprintf(PRIMERA_MEMBER_MODE_INVALID, SQL_ESCAPE(REQUEST_GET('mode')))); + LOAD_TEMPLATE("admin_settings_saved", false, sprintf(PRIMERA_MEMBER_MODE_INVALID, REQUEST_GET(('mode')))); return; } } // END - if // Prepare mode for template name -$mode = sprintf("member_primera_mode_%s", SQL_ESCAPE(REQUEST_GET('mode'))); +$mode = sprintf("member_primera_mode_%s", REQUEST_GET(('mode'))); // Load the template LOAD_TEMPLATE($mode, false, $content); diff --git a/inc/modules/member/what-wernis.php b/inc/modules/member/what-wernis.php index 9d3a8c991a..a0697cedce 100644 --- a/inc/modules/member/what-wernis.php +++ b/inc/modules/member/what-wernis.php @@ -191,7 +191,7 @@ if ((!REQUEST_ISSET_GET(('mode'))) || (REQUEST_GET('mode') == "choose")) { SQL_FREERESULT($result); } else { // Invalid mode! - LOAD_TEMPLATE("admin_settings_saved", false, sprintf(WERNIS_MEMBER_MODE_INVALID, SQL_ESCAPE(REQUEST_GET('mode')))); + LOAD_TEMPLATE("admin_settings_saved", false, sprintf(WERNIS_MEMBER_MODE_INVALID, REQUEST_GET(('mode')))); return; } 
@@ -278,14 +278,14 @@ if ((IS_FORM_SENT()) && (REQUEST_ISSET_GET(('mode')))) { default: // Invalid mode! DEBUG_LOG(__FILE__, __LINE__, sprintf("Invalid mode %s detected.", REQUEST_GET('mode'))); - LOAD_TEMPLATE("admin_settings_saved", false, sprintf(WERNIS_MEMBER_MODE_INVALID, SQL_ESCAPE(REQUEST_GET('mode')))); + LOAD_TEMPLATE("admin_settings_saved", false, sprintf(WERNIS_MEMBER_MODE_INVALID, REQUEST_GET(('mode')))); return; } } } // END - if // Prepare mode for template name -$mode = sprintf("member_wernis_mode_%s", SQL_ESCAPE(REQUEST_GET('mode'))); +$mode = sprintf("member_wernis_mode_%s", REQUEST_GET(('mode'))); // Load the template LOAD_TEMPLATE($mode, false, $content); diff --git a/inc/mysql-connect.php b/inc/mysql-connect.php index 84c9a6a1e3..14ff7074fe 100644 --- a/inc/mysql-connect.php +++ b/inc/mysql-connect.php @@ -66,7 +66,7 @@ if ((empty($MySQL['login'])) && (!defined('mxchange_installing')) && (!REQUEST_I // Please run the installation script (maybe again) mxchange_die("{--DIE_RUN_INSTALL_MYSQL--}"); } -} elseif ((!isBooleanConstantAndTrue('mxchange_installing')) && (!REQUEST_ISSET_GET(('installing'))) && (empty($MySQL['password'])) && (isBooleanConstantAndTrue('warn_no_pass'))) { +} elseif ((!isInstalling()) && (!REQUEST_ISSET_GET(('installing'))) && (empty($MySQL['password'])) && (isBooleanConstantAndTrue('warn_no_pass'))) { // No database password entered!!! OUTPUT_HTML("
{--LANG_WARNING--}:
{--WARN_NULL_PASSWORD--}");
 }
@@ -85,7 +85,7 @@ $GLOBALS['header_sent'] = 0;
 initFatalMessages();
 // Check if this file is writeable or read-only and warn the user
-if ((!isBooleanConstantAndTrue('mxchange_installing')) && (isBooleanConstantAndTrue('mxchange_installed'))) {
+if ((!isInstalling()) && (isBooleanConstantAndTrue('mxchange_installed'))) {
 // Check for write-permission for config.php and inc directory
 if (empty($GLOBALS['module'])) $GLOBALS['module'] = "index";
diff --git a/inc/mysql-manager.php b/inc/mysql-manager.php
index 648e1836c6..c7c7f1062f 100644
--- a/inc/mysql-manager.php
+++ b/inc/mysql-manager.php
@@ -100,7 +100,7 @@ function CHECK_MODULE ($mod) {
 $ret = "major";
 // Check if script is installed if not return a "done" to prevent some errors
- if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isBooleanConstantAndTrue('mxchange_installing')) || (!isBooleanConstantAndTrue('admin_registered'))) {
+ if ((!isBooleanConstantAndTrue('mxchange_installed')) || (isInstalling()) || (!isBooleanConstantAndTrue('admin_registered'))) {
 // Not installed or no admin registered or in installation phase
 return "done";
 } // END - if
diff --git a/inc/request-functions.php b/inc/request-functions.php
index 0066994f26..839a2ffe71 100644
--- a/inc/request-functions.php
+++ b/inc/request-functions.php
@@ -42,10 +42,16 @@ function REQUEST_GET ($element) {
 // By default no element is there
 $value = null;
- // Is the element there?
- if (REQUEST_ISSET_GET($element)) {
- // Then use it
- $value = $_GET[$element];
+ // Is the element cached or there?
+ if (isset($GLOBALS['cache_array']['request_get'][$element])) {
+ // Then use the cache
+ $value = $GLOBALS['cache_array']['request_get'][$element];
+ } elseif (REQUEST_ISSET_GET($element)) {
+ // Then get it directly
+ $value = SQL_ESCAPE($_GET[$element]);
+
+ // Store it in cache
+ $GLOBALS['cache_array']['request_get'][$element] = $value;
 } // END - if
 // Return value
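Review bot: REQUEST_GET() now runs every GET value through SQL_ESCAPE() on first read, which is escaping at the input boundary rather than at the point of use: SQL_ESCAPE's backslash-escaping and its default `$strip=true` (visible in the lib-mysql3.php hunk) are right for a quoted SQL literal and wrong for the HTML, URL, filename and template-name uses this patch converts, and the call sites no longer show which context they rely on. The cache is also never invalidated in this hunk; user_functions.php calls REQUEST_SET_GET() after possible reads, so if that helper writes `$_GET` without clearing `$GLOBALS['cache_array']['request_get'][$element]`, the stale value is returned. I would add `unset($GLOBALS['cache_array']['request_get'][$element]);` to REQUEST_SET_GET() and REQUEST_UNSET_GET(), and document above REQUEST_GET() that its return value is SQL-escaped and tag-stripped and not safe for other output contexts. The function's return lines are past the hunk.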
@@ -54,7 +60,7 @@ function REQUEST_GET ($element) { // Checks if an element in $_GET exists function REQUEST_ISSET_GET ($element) { - return (isset($_GET['element'])); + return (isset($_GET[$element])); } // Removes an element from $_GET @@ -101,7 +107,7 @@ function REQUEST_POST ($element) { // Checks if an element in $_POST exists function REQUEST_ISSET_POST ($element) { - return (isset($_POST['element'])); + return (isset($_POST[$element])); } // Removes an element from $_POST diff --git a/inc/session.php b/inc/session.php index 9e0876c97f..7cf0c60373 100644 --- a/inc/session.php +++ b/inc/session.php @@ -79,7 +79,7 @@ if (isset($_SESSION['userid'])) { } // END - if // Test session if index.php or modules.php is loaded -if ((basename($_SERVER['PHP_SELF']) == "index.php") || (basename($_SERVER['PHP_SELF']) == "modules.php") || (isBooleanConstantAndTrue('mxchange_installing'))) { +if ((basename($_SERVER['PHP_SELF']) == "index.php") || (basename($_SERVER['PHP_SELF']) == "modules.php") || (isInstalling())) { if (count($_SESSION) > 0) { // Session variables accepted! define('__COOKIES', true); diff --git a/inc/stylesheet.php b/inc/stylesheet.php index c523bbda59..dfbe878f02 100644 --- a/inc/stylesheet.php +++ b/inc/stylesheet.php @@ -75,10 +75,10 @@ if (($GLOBALS['output_mode'] == "1") || (getConfig('css_php') == "DIRECT")) { } else { // Now we load all CSS files from css.php! OUTPUT_HTML("
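Review bot: The fix from `isset($_GET['element'])` to `isset($_GET[$element])` in REQUEST_ISSET_GET(), and the same in REQUEST_ISSET_POST(), is correct but deserves a mention in the commit message: with the literal key every call returned false unless a parameter literally named `element` was present, so all branches guarded by these helpers — including most of the input-handling lines converted elsewhere in this patch — were unreachable until now. Those paths are effectively running for the first time, so their validation should be reviewed as new code rather than as an escaping refactor. A one-line comment such as `// Previously tested the literal key 'element' and so always returned false` above each function would keep that history visible. The stylesheet.php hunk at the end is cut off in this view.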