diff --git a/admin/addAppNote.php b/admin/addAppNote.php
index c4bd82b..eff399a 100644
--- a/admin/addAppNote.php
+++ b/admin/addAppNote.php
@@ -8,29 +8,37 @@ include(BASE."include/"."incl.php");
 require(BASE."include/"."application.php");
 //check for admin privs
-if(!loggedin() || (!havepriv("admin") && !$_SESSION['current']->is_maintainer($appId,$versionId)) )
+if(!loggedin() || (!havepriv("admin") && !$_SESSION['current']->is_maintainer($_REQUEST['appId'],$_REQUEST['versionId'])) )
 {
 errorpage("Insufficient Privileges!");
 exit;
 }
 //set link for version
-if ($versionId != 0)
+if(is_numeric($_REQUEST['versionId']) and !empty($_REQUEST['versionId']))
 {
- $versionLink = "&versionId=$versionId";
+ $versionLink = "&versionId={$_REQUEST['versionId']}";
 }
+else
+ exit;
-if($sub == "Submit")
+if(!is_numeric($_REQUEST['appId']))
+{
+ errorpage('Wrong ID');
+ exit;
+}
+
+if($_REQUEST['sub'] == "Submit")
 {
 $query = "INSERT into appNotes VALUES (null, '".
- addslashes($noteTitle)."', '".
- addslashes($noteDesc)."', ".
- "$appId , $versionId);";
+ addslashes($_REQUEST['noteTitle'])."', '".
+ addslashes($_REQUEST['noteDesc'])."', ".
+ "{$_REQUEST['appId']}, {$_REQUEST['versionId']})";
 if (mysql_query($query))
 {
- //successful
- $email = getNotifyEmailAddressList($appId, $versionId);
+ // successful
+ $email = getNotifyEmailAddressList($_REQUEST['appId'], $_REQUEST['versionId']);
 if($email)
 {
 $fullAppName = "Application: ".lookupAppName($appId)." Version: ".lookupVersionName($appId, $versionId);
@@ -38,9 +46,9 @@ if($sub == "Submit")
 $ms .= "\n";
 $ms .= ($_SESSION['current']->username ? $_SESSION['current']->username : "Anonymous")." added note to ".$fullAppName."\n";
 $ms .= "\n";
- $ms .= "title: ".$noteTitle."\n";
+ $ms .= "title: ".$_REQUEST['noteTitle']."\n";
 $ms .= "\n";
- $ms .= $noteDesc."\n";
+ $ms .= $_REQUEST['noteDesc']."\n";
 $ms .= "\n";
 $ms .= STANDARD_NOTIFY_FOOTER;
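Review bot: The last context line of the first hunk still builds the notification from `lookupAppName($appId)` and `lookupVersionName($appId, $versionId)`, but the new code never assigns `$appId` or `$versionId` anywhere, so once the page no longer relies on those globals being auto-populated (which appears to be the point of the change) the mail will name an empty application and version. I would resolve both IDs once, above the privilege check, and use the locals everywhere below: `$appId = isset($_REQUEST['appId']) ? (int)$_REQUEST['appId'] : 0;` and `$versionId = isset($_REQUEST['versionId']) ? (int)$_REQUEST['versionId'] : 0;` — the integer cast is a stronger guard for values that are interpolated verbatim into the INSERT than `is_numeric`, which also admits leading whitespace, signs and exponent forms such as `1e3`, and it stops raw request strings from reaching `is_maintainer()` (whose body is not visible here) before any validation has run. Separately, `is_numeric(...) and !empty(...)` followed by `else exit;` now rejects `versionId=0`, which the replaced `!= 0` test treated as a legitimate "no version" value, and it does so with a blank response rather than an errorpage(); if application-level notes are still meant to be possible, keep the old `if ($versionId != 0)` shape on the cast local and drop the bare `exit`. The `if($email)` block continues past the end of this hunk.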
@@ -57,49 +65,49 @@ if($sub == "Submit")
 }
 else
 {
- //error
+ // error
 addmsg($query,red);
 $statusMessage = "

Database Error!
".mysql_error()."

\n"; addmsg($statusMessage,red); } - redirect(apidb_fullurl("appview.php?appId=".$appId.$versionLink)); + redirect(apidb_fullurl("appview.php?appId=".$_REQUEST['appId'].$versionLink)); exit; } -else +else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit'])) { apidb_header("Add Application Note"); echo "
\n"; - echo html_frame_start("Add Application Note $appId", "90%","",0); + echo html_frame_start("Add Application Note {$_REQUEST['appId']}", "90%","",0); echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'"); - echo ''; - echo ''; + echo ""; + echo ""; echo ''; echo '
You can use html to make your Warning, Howto or Note look better.
'; echo '',"\n"; - echo add_br($noteDesc); + echo add_br($_REQUEST['noteDesc']); - if ($noteTitle == "HOWTO" || $noteTitle == "WARNING") + if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING") { - echo ''; - echo 'Type'.$noteTitle.'',"\n"; + echo ""; + echo "Type{$_REQUEST['noteTitle']}\n"; } else { - echo 'Title',"\n"; + echo "Title\n"; } echo 'Description', "\n"; - echo '',"\n"; + echo '',"\n"; echo '',"\n"; - echo ' ',"\n"; + echo ' ',"\n"; echo '',"\n"; echo html_table_end(); echo html_frame_end(); - echo html_back_link(1,BASE."appview.php?appId=$appId".$versionLink); + echo html_back_link(1,BASE."appview.php?appId={$_REQUEST['appId']}$versionLink"); apidb_footer(); }
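Review bot: The new preview condition `else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))` tests a `submit` key while every other check in this file reads `$_REQUEST['sub']` (`== "Submit"`, `== 'Preview'`); if the form button is named `sub`, `submit` is never present, `empty()` is always true, and the form branch is taken for any `sub` value other than `Submit` — this looks like a typo for `$_REQUEST['sub']`, or the intent is simply `else` as before. The same branch also echoes request data back into the page; `add_br($_REQUEST['noteDesc'])` is documented on the page as intentional HTML, but wherever `$_REQUEST['noteTitle']` is placed into the title input it should go through `htmlspecialchars(..., ENT_QUOTES)` — the markup in this hunk has been stripped by extraction, so the exact attribute context of that input cannot be confirmed from here. The closing brace on the last line ends the `else if` block; whether anything follows it in the file is not visible.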