plugins/SpecialAdmin.php
changeset 208 c75ad574b56d
parent 204 473cc747022a
child 210 2b283402e4e4
205:c4542792db2b 208:c75ad574b56d
  2156     return;
  2156     return;
  2157   }
  2157   }
  2158   
  2158   
  2159   if(isset($_GET['action']) && $_GET['action'] == 'delete' && isset($_GET['id']) && $_GET['id'] != '')
  2159   if(isset($_GET['action']) && $_GET['action'] == 'delete' && isset($_GET['id']) && $_GET['id'] != '')
  2160   {
  2160   {
  2161     $e = $db->sql_query('DELETE FROM '.table_prefix.'banlist WHERE ban_id=' . $db->escape($_GET['id']) . '');
  2161     $e = $db->sql_query('DELETE FROM '.table_prefix.'banlist WHERE ban_id=' . intval($_GET['id']) . '');
  2162     if(!$e) $db->_die('The ban list entry was not deleted.');
  2162     if(!$e) $db->_die('The ban list entry was not deleted.');
  2163   }
  2163   }
  2164   if(isset($_POST['create']) && !defined('ENANO_DEMO_MODE'))
  2164   if(isset($_POST['create']) && !defined('ENANO_DEMO_MODE'))
  2165   {
  2165   {
  2166     $type = intval($_POST['type']);
  2166     $type = intval($_POST['type']);
  3024           if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) )
  3024           if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) )
  3025           {
  3025           {
  3026             echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>';
  3026             echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>';
  3027             break;
  3027             break;
  3028           }
  3028           }
  3029           $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3029           $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . intval($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';');
  3030           if(!$query)
  3030           if(!$query)
  3031           {
  3031           {
  3032             echo $db->get_error();
  3032             echo $db->get_error();
  3033             $template->footer();
  3033             $template->footer();
  3034             exit;
  3034             exit;
  3035           }
  3035           }
  3036           echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>';
  3036           echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>';
  3037           break;
  3037           break;
  3038         case 'delete':
  3038         case 'delete':
  3039           $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-)
  3039           $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-)
  3040           if(!$query)
  3040           if(!$query)
  3041           {
  3041           {
  3042             echo $db->get_error();
  3042             echo $db->get_error();
  3043             $template->footer();
  3043             $template->footer();
  3044             exit;
  3044             exit;
  3049             die('GOOD');
  3049             die('GOOD');
  3050           }
  3050           }
  3051           echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>';
  3051           echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>';
  3052           break;
  3052           break;
  3053         case 'disenable';
  3053         case 'disenable';
  3054           $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3054           $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3055           if(!$q)
  3055           if(!$q)
  3056           {
  3056           {
  3057             echo $db->get_error();
  3057             echo $db->get_error();
  3058             $template->footer();
  3058             $template->footer();
  3059             exit;
  3059             exit;
  3060           }
  3060           }
  3061           $r = $db->fetchrow();
  3061           $r = $db->fetchrow();
  3062           $db->free_result();
  3062           $db->free_result();
  3063           $e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
  3063           $e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
  3064           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3064           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';');
  3065           if(!$q)
  3065           if(!$q)
  3066           {
  3066           {
  3067             echo $db->get_error();
  3067             echo $db->get_error();
  3068             $template->footer();
  3068             $template->footer();
  3069             exit;
  3069             exit;
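Review bot: At 3061–3063 the result of `$r = $db->fetchrow();` is used without a missing-row check; since `intval($_GET['id'])` now collapses any non-numeric or unknown id to an integer that may match nothing, `$r` can be false, `$r['item_enabled']` then reads null (with a PHP notice), and the toggle still issues the UPDATE at 3064 and appears to fall through to the `die('GOOD')` success path at 3074. Guard it right after `$db->free_result();` with `if ( !$r ) { echo 'Sidebar item not found.'; $template->footer(); exit; }`, which matches the error path this switch already uses for failed queries. The same `intval` substitution at 3039 leaves its trailing comment `// Already checked for injection attempts ;-)` stale, since the cast is now what makes the value safe; `// item_id is cast to int, so no quoting is needed` would describe the new line. The enclosing switch begins and ends outside this hunk.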
  3073             ob_end_clean();
  3073             ob_end_clean();
  3074             die('GOOD');
  3074             die('GOOD');
  3075           }
  3075           }
  3076           break;
  3076           break;
  3077         case 'getsource':
  3077         case 'getsource':
  3078           $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3078           $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3079           if(!$q)
  3079           if(!$q)
  3080           {
  3080           {
  3081             echo $db->get_error();
  3081             echo $db->get_error();
  3082             $template->footer();
  3082             $template->footer();
  3083             exit;
  3083             exit;
  3089           die($r['block_content']);
  3089           die($r['block_content']);
  3090           break;
  3090           break;
  3091         case 'save':
  3091         case 'save':
  3092           if ( defined('ENANO_DEMO_MODE') )
  3092           if ( defined('ENANO_DEMO_MODE') )
  3093           {
  3093           {
  3094             $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3094             $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3095             if(!$q)
  3095             if(!$q)
  3096             {
  3096             {
  3097               echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3097               echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3098               exit;
  3098               exit;
  3099             }
  3099             }
  3105             else
  3105             else
  3106             {
  3106             {
  3107               $_POST['content'] = sanitize_html($_POST['content'], true);
  3107               $_POST['content'] = sanitize_html($_POST['content'], true);
  3108             }
  3108             }
  3109           }
  3109           }
  3110           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3110           $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';');
  3111           if(!$q)
  3111           if(!$q)
  3112           {
  3112           {
  3113             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3113             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3114             exit;
  3114             exit;
  3115           }
  3115           }
  3116           $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
  3116           $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
  3117           if(!$q)
  3117           if(!$q)
  3118           {
  3118           {
  3119             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3119             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
  3120             exit;
  3120             exit;
  3121           }
  3121           }