--- a/includes/clientside/sbedit.js	Wed Oct 17 21:54:11 2007 -0400
+++ b/includes/clientside/sbedit.js	Fri Oct 19 21:07:54 2007 -0400
@@ -123,3 +123,71 @@
     });
 }
 
+function ajaxRenameSidebarStage1(parent, id)
+{
+  var oldname = parent.firstChild.nodeValue;
+  parent.removeChild(parent.firstChild);
+  parent.ondblclick = function() {};
+  parent._idcache = id;
+  var input = document.createElement('input');
+  input.type = 'text';
+  input.sbedit_id = id;
+  input.oldvalue = oldname;
+  input.onkeyup = function(e)
+  {
+    if ( typeof(e) != 'object' )
+      return false;
+    if ( !e.keyCode )
+      return false;
+    if ( e.keyCode == 13 )
+    {
+      ajaxRenameSidebarStage2(this);
+    }
+    if ( e.keyCode == 27 )
+    {
+      ajaxRenameSidebarCancel(this);
+    }
+  };
+  input.onblur = function()
+  {
+    ajaxRenameSidebarCancel(this);
+  };
+  input.value = oldname;
+  input.style.fontSize = '7pt';
+  parent.appendChild(input);
+  input.focus();
+}
+
+function ajaxRenameSidebarStage2(input)
+{
+  var newname = input.value;
+  var id = input.sbedit_id;
+  var parent = input.parentNode;
+  parent.removeChild(input);
+  parent.appendChild(document.createTextNode(newname));
+  parent.ondblclick = function() { ajaxRenameSidebarStage1(this, this._idcache); return false; };
+  var img = document.createElement('img');
+  img.src = scriptPath + '/images/loading.gif';
+  parent.appendChild(img);
+  newname = ajaxEscape(newname);
+  ajaxPost(makeUrlNS('Special', 'EditSidebar', 'ajax&noheaders&action=rename&id='+id), 'newname=' +newname, function()
+    {
+      if ( ajax.readyState == 4 )
+      {
+        parent.removeChild(img);
+        if ( ajax.responseText != 'GOOD' )
+          new messagebox(MB_OK|MB_ICONSTOP, 'Error renaming block', ajax.responseText);
+      }
+    });
+}
+
+function ajaxRenameSidebarCancel(input)
+{
+  var newname = input.oldvalue;
+  var id = input.sbedit_id;
+  var parent = input.parentNode;
+  parent.removeChild(input);
+  parent.appendChild(document.createTextNode(newname));
+  parent.ondblclick = function() { ajaxRenameSidebarStage1(this, this._idcache); return false; };
+}
+

--- a/plugins/SpecialAdmin.php	Wed Oct 17 21:54:11 2007 -0400
+++ b/plugins/SpecialAdmin.php	Fri Oct 19 21:07:54 2007 -0400
@@ -2979,7 +2979,7 @@
             echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>';
             break;
           }
-          $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$query)
           {
             echo $db->get_error();
@@ -2989,7 +2989,7 @@
           echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>';
           break;
         case 'delete':
-          $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-)
+          $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-)
           if(!$query)
           {
             echo $db->get_error();
@@ -3004,7 +3004,7 @@
           echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>';
           break;
         case 'disenable';
-          $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$q)
           {
             echo $db->get_error();
@@ -3014,7 +3014,22 @@
           $r = $db->fetchrow();
           $db->free_result();
           $e = ( $r['item_enabled'] == 1 ) ? '0' : '1';
-          $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';');
+          if(!$q)
+          {
+            echo $db->get_error();
+            $template->footer();
+            exit;
+          }
+          if(isset($_GET['ajax']))
+          {
+            ob_end_clean();
+            die('GOOD');
+          }
+          break;
+        case 'rename';
+          $newname = $db->escape($_POST['newname']);
+          $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$q)
           {
             echo $db->get_error();
@@ -3028,7 +3043,7 @@
           }
           break;
         case 'getsource':
-          $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$q)
           {
             echo $db->get_error();
@@ -3044,7 +3059,7 @@
         case 'save':
           if ( defined('ENANO_DEMO_MODE') )
           {
-            $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
+            $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
             if(!$q)
             {
               echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
@@ -3060,13 +3075,13 @@
               $_POST['content'] = sanitize_html($_POST['content'], true);
             }
           }
-          $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$q)
           {
             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
             exit;
           }
-          $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';');
+          $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';');
           if(!$q)
           {
             echo 'var status=unescape(\''.hexencode($db->get_error()).'\');';
@@ -3179,7 +3194,7 @@
           $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block';
           break;
       }
-      $t = $template->tplWikiFormat($row['block_name']);
+      $t = '<span title="Double-click to rename this block" id="sbrename_' . $row['item_id'] . '" ondblclick="ajaxRenameSidebarStage1(this, \''.$row['item_id'].'\'); return false;">' . $template->tplWikiFormat($row['block_name']) . '</span>';
       if($row['item_enabled'] == 0) $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red;">(disabled)</span>';
       else           $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red; display: none;">(disabled)</span>';
       $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT;