From b388c40cda1ade46cd3b5b14851b5d56466fb1c8 Mon Sep 17 00:00:00 2001
From: Isaac Flores
Date: Fri, 1 May 2009 14:33:08 +0200
Subject: [PATCH] [svn r20249] style changes - added Security::remove_XSS - (partial FS#4132)
---
 main/dropbox/dropbox_functions.inc.php | 16 ++++++++--------
 main/dropbox/index.php | 6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/main/dropbox/dropbox_functions.inc.php b/main/dropbox/dropbox_functions.inc.php
index 9faddb82ea..9f046f1c19 100644
--- a/main/dropbox/dropbox_functions.inc.php
+++ b/main/dropbox/dropbox_functions.inc.php
@@ -375,15 +375,15 @@ function store_addcategory() if (!$_POST['edit_id']) { // step 3a, we check if the category doesn't already exist - $sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE user_id='".$_user['user_id']."' AND cat_name='".Database::escape_string($_POST['category_name'])."' AND received='".$received."' AND sent='".$sent."'"; + $sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE user_id='".$_user['user_id']."' AND cat_name='".Database::escape_string(Security::remove_XSS($_POST['category_name']))."' AND received='".$received."' AND sent='".$sent."'"; $result=api_sql_query($sql); // step 3b, we add the category if it does not exist yet. - if (mysql_num_rows($result)==0) + if (Database::num_rows($result)==0) { $sql="INSERT INTO ".$dropbox_cnf['tbl_category']." (cat_name, received, sent, user_id) - VALUES ('".Database::escape_string($_POST['category_name'])."', '".Database::escape_string($received)."', '".Database::escape_string($sent)."', '".Database::escape_string($_user['user_id'])."')"; + VALUES ('".Database::escape_string(Security::remove_XSS($_POST['category_name']))."', '".Database::escape_string($received)."', '".Database::escape_string($sent)."', '".Database::escape_string($_user['user_id'])."')"; api_sql_query($sql); return get_lang('CategoryStored'); } 
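Review bot: The rewritten SELECT still interpolates `$_user['user_id']`, `$received` and `$sent` into the WHERE clause without `Database::escape_string()`, while the INSERT a few lines below escapes all four values; since the line is being touched anyway, the three should be wrapped the same way the INSERT does. `Security::remove_XSS()` is an HTML-context filter, so placing it inside `Database::escape_string()` adds nothing to the SQL quoting and, to the extent it rewrites the string, changes the value that gets stored as `cat_name`; output escaping belongs where `cat_name` is echoed, and the -394 UPDATE hunk has the same pattern. The value is also computed twice in this hunk; `$category_name = Database::escape_string(Security::remove_XSS($_POST['category_name']));` once before the SELECT and reused in the INSERT would keep the two statements from drifting apart. store_addcategory begins before this hunk.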
@@ -394,9 +394,9 @@ function store_addcategory() } else { - $sql="UPDATE ".$dropbox_cnf['tbl_category']." SET cat_name='".Database::escape_string($_POST['category_name'])."', received='".Database::escape_string($received)."' , sent='".Database::escape_string($sent)."' + $sql="UPDATE ".$dropbox_cnf['tbl_category']." SET cat_name='".Database::escape_string(Security::remove_XSS($_POST['category_name']))."', received='".Database::escape_string($received)."' , sent='".Database::escape_string($sent)."' WHERE user_id='".Database::escape_string($_user['user_id'])."' - AND cat_id='".Database::escape_string($_POST['edit_id'])."'"; + AND cat_id='".Database::escape_string(Security::remove_XSS($_POST['edit_id']))."'"; api_sql_query($sql); return get_lang('CategoryModified'); } 
@@ -422,7 +422,7 @@ function display_addcategory_form($category_name='', $id='') // retrieve the category we are editing $sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE cat_id='".Database::escape_string($id)."'"; $result=api_sql_query($sql); - $row=mysql_fetch_array($result); + $row=Database::fetch_array($result); if ($category_name=='') // after an edit with an error we do not want to return to the original name but the name we already modified. (happens when createinrecievedfiles AND createinsentfiles are not checked) { 
@@ -456,10 +456,10 @@ function display_addcategory_form($category_name='', $id='') } - echo "
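Review bot: `Security::remove_XSS($_POST['edit_id'])` in the new `AND cat_id=...` clause is the wrong validator for a numeric key: an HTML filter does not guarantee an integer and does not replace `Database::escape_string()`, so a non-numeric value still reaches the query as text. Cast at the boundary instead, `$edit_id = (int) $_POST['edit_id'];`, and interpolate that into the UPDATE; the same applies to the `if (!$_POST['edit_id'])` test that selects this branch. The `cat_name` assignment in this hunk has the remove_XSS-before-escape issue already noted on the -375 hunk. store_addcategory continues outside this hunk.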
\n"; + echo "\n"; if (isset($id) AND $id<>'') { - echo ''; + echo ''; } echo ''; 
diff --git a/main/dropbox/index.php b/main/dropbox/index.php
index 59caada958..3e321acb6b 100644
--- a/main/dropbox/index.php
+++ b/main/dropbox/index.php
@@ -237,7 +237,7 @@ if (!$_GET['view'] OR $_GET['view']=='received' OR $dropbox_cnf['sent_received_t // This is for the categories if (isset($_GET['view_received_category']) AND $_GET['view_received_category']<>'') { - $view_dropbox_category_received=$_GET['view_received_category']; + $view_dropbox_category_received=Security::remove_XSS($_GET['view_received_category']); } else { $view_dropbox_category_received=0; } 
@@ -247,7 +247,7 @@ if (!$_GET['view'] OR $_GET['view']=='received' OR $dropbox_cnf['sent_received_t echo '
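Review bot: `Security::remove_XSS()` on `$_GET['view_received_category']` does not give the variable the type it is later used with: the -247 hunk indexes `$dropbox_categories[$view_dropbox_category_received]` and compares it with `<>0`, so a non-numeric value that the HTML filter leaves alone still arrives there and hits a missing array key. Cast at the boundary instead, `$view_dropbox_category_received=(int)$_GET['view_received_category'];`, which also makes HTML filtering of this value unnecessary wherever it is echoed. The enclosing `if` block starts and ends outside this hunk.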
'; if ($view_dropbox_category_received<>0) { echo get_lang('CurrentlySeeing').': '.$dropbox_categories[$view_dropbox_category_received]['cat_name'].' '; - echo ''.get_lang('Up').''.get_lang('Root')."\n"; + echo ''.get_lang('Up').''.get_lang('Root')."\n"; $movelist[0] = 'Root'; // move_received selectbox content } else { echo ' '.get_lang('AddNewCategory').''; 
@@ -558,7 +558,7 @@ if ($_GET['view']=='sent' OR $dropbox_cnf['sent_received_tabs']==false) { } } // Displaying the table - $additional_get_parameters=array('view'=>$_GET['view'], 'view_received_category'=>$_GET['view_received_category'],'view_sent_category'=>$_GET['view_sent_category']); + $additional_get_parameters=array('view'=>Security::remove_XSS($_GET['view']), 'view_received_category'=>Security::remove_XSS($_GET['view_received_category']),'view_sent_category'=>Security::remove_XSS($_GET['view_sent_category'])); Display::display_sortable_config_table($column_header, $dropbox_data_sent, $sorting_options, $paging_options, $additional_get_parameters,$column_show,$column_order, array ('delete_received' => get_lang('Delete'),'download_received'=>get_lang('Download'))); } }
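Review bot: The two category parameters in the new `$additional_get_parameters` line are read without `isset()`, unlike the guarded read in the -237 hunk, so a request that omits them raises an undefined-index notice before `Security::remove_XSS()` even runs; `isset($_GET['view_received_category']) ? (int)$_GET['view_received_category'] : 0` (and the same for `view_sent_category`) would both guard and type them. `$_GET['view']` is compared only against `'sent'` and `'received'` in the surrounding conditions visible in the hunk headers, so an allow-list check with `in_array(..., array('sent', 'received'), true)` is the right validation for that value rather than an HTML filter. Whether `Display::display_sortable_config_table()` URL-encodes these values when it builds links cannot be seen here; HTML filtering is not URL encoding, so that should be confirmed in that helper.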