Use super globals. Better input checking.

This commit is contained in:
Paul van Schayck
2004-12-29 03:47:48 +00:00
committed by WineHQ
parent d451aeb595
commit 75728a4859


@@ -8,29 +8,37 @@ include(BASE."include/"."incl.php");
require(BASE."include/"."application.php"); require(BASE."include/"."application.php");
//check for admin privs //check for admin privs
if(!loggedin() || (!havepriv("admin") && !$_SESSION['current']->is_maintainer($appId,$versionId)) ) if(!loggedin() || (!havepriv("admin") && !$_SESSION['current']->is_maintainer($_REQUEST['appId'],$_REQUEST['versionId'])) )
{ {
errorpage("Insufficient Privileges!"); errorpage("Insufficient Privileges!");
exit; exit;
} }
//set link for version //set link for version
if ($versionId != 0) if(is_numeric($_REQUEST['versionId']) and !empty($_REQUEST['versionId']))
{ {
$versionLink = "&versionId=$versionId"; $versionLink = "&versionId={$_REQUEST['versionId']}";
} }
else
exit;
if($sub == "Submit") if(!is_numeric($_REQUEST['appId']))
{
errorpage('Wrong ID');
exit;
}
if($_REQUEST['sub'] == "Submit")
{ {
$query = "INSERT into appNotes VALUES (null, '". $query = "INSERT into appNotes VALUES (null, '".
addslashes($noteTitle)."', '". addslashes($_REQUEST['noteTitle'])."', '".
addslashes($noteDesc)."', ". addslashes($_REQUEST['noteDesc'])."', ".
"$appId , $versionId);"; "{$_REQUEST['appId']}, {$_REQUEST['versionId']})";
if (mysql_query($query)) if (mysql_query($query))
{ {
//successful // successful
$email = getNotifyEmailAddressList($appId, $versionId); $email = getNotifyEmailAddressList($_REQUEST['appId'], $_REQUEST['versionId']);
if($email) if($email)
{ {
$fullAppName = "Application: ".lookupAppName($appId)." Version: ".lookupVersionName($appId, $versionId); $fullAppName = "Application: ".lookupAppName($appId)." Version: ".lookupVersionName($appId, $versionId);
@@ -38,9 +46,9 @@ if($sub == "Submit")
$ms .= "\n"; $ms .= "\n";
$ms .= ($_SESSION['current']->username ? $_SESSION['current']->username : "Anonymous")." added note to ".$fullAppName."\n"; $ms .= ($_SESSION['current']->username ? $_SESSION['current']->username : "Anonymous")." added note to ".$fullAppName."\n";
$ms .= "\n"; $ms .= "\n";
$ms .= "title: ".$noteTitle."\n"; $ms .= "title: ".$_REQUEST['noteTitle']."\n";
$ms .= "\n"; $ms .= "\n";
$ms .= $noteDesc."\n"; $ms .= $_REQUEST['noteDesc']."\n";
$ms .= "\n"; $ms .= "\n";
$ms .= STANDARD_NOTIFY_FOOTER; $ms .= STANDARD_NOTIFY_FOOTER;
@@ -57,49 +65,49 @@ if($sub == "Submit")
} }
else else
{ {
//error // error
addmsg($query,red); addmsg($query,red);
$statusMessage = "<p><b>Database Error!<br>".mysql_error()."</b></p>\n"; $statusMessage = "<p><b>Database Error!<br>".mysql_error()."</b></p>\n";
addmsg($statusMessage,red); addmsg($statusMessage,red);
} }
redirect(apidb_fullurl("appview.php?appId=".$appId.$versionLink)); redirect(apidb_fullurl("appview.php?appId=".$_REQUEST['appId'].$versionLink));
exit; exit;
} }
else else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))
{ {
apidb_header("Add Application Note"); apidb_header("Add Application Note");
echo "<form method=post action='addAppNote.php'>\n"; echo "<form method=post action='addAppNote.php'>\n";
echo html_frame_start("Add Application Note $appId", "90%","",0); echo html_frame_start("Add Application Note {$_REQUEST['appId']}", "90%","",0);
echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'"); echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'");
echo '<input type=hidden name="appId" value='.$appId.'>'; echo "<input type=hidden name='appId' value='{$_REQUEST['appId']}'>";
echo '<input type=hidden name="versionId" value='.$versionId.'>'; echo "<input type=hidden name='versionId' value='{$_REQUEST['versionId']}'>";
echo '<tr><td colspan=2 class=color4>'; echo '<tr><td colspan=2 class=color4>';
echo '<center><b>You can use html to make your Warning, Howto or Note look better.</b></center>'; echo '<center><b>You can use html to make your Warning, Howto or Note look better.</b></center>';
echo '</td></tr>',"\n"; echo '</td></tr>',"\n";
echo add_br($noteDesc); echo add_br($_REQUEST['noteDesc']);
if ($noteTitle == "HOWTO" || $noteTitle == "WARNING") if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING")
{ {
echo '<input type=hidden name="noteTitle" value='.$noteTitle.'>'; echo "<input type=hidden name='noteTitle' value='{$_REQUEST['noteTitle']}'>";
echo '<tr><td class=color1>Type</td><td class=color0>'.$noteTitle.'</td></tr>',"\n"; echo "<tr><td class=color1>Type</td><td class=color0>{$_REQUEST['noteTitle']}</td></tr>\n";
} }
else else
{ {
echo '<tr><td class=color1>Title</td><td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$noteTitle.'"></td></tr>',"\n"; echo "<tr><td class=color1>Title</td><td class=color0><input size='80%' type='text' name='noteTitle' type='text' value='{$_REQUEST['noteTitle']}'></td></tr>\n";
} }
echo '<tr><td class=color4>Description</td><td class=color0>', "\n"; echo '<tr><td class=color4>Description</td><td class=color0>', "\n";
echo '<textarea cols=$50 rows=10 name="noteDesc">'.stripslashes($noteDesc).'</textarea></td></tr>',"\n"; echo '<textarea cols=$50 rows=10 name="noteDesc">'.stripslashes($_REQUEST['noteDesc']).'</textarea></td></tr>',"\n";
echo '<tr><td colspan=2 align=center class=color3>',"\n"; echo '<tr><td colspan=2 align=center class=color3>',"\n";
echo '<input type="submit" name=preview value="Preview">&nbsp',"\n"; echo '<input type="submit" name=sub value="Preview">&nbsp',"\n";
echo '<input type="submit" name=sub value="Submit"></td></tr>',"\n"; echo '<input type="submit" name=sub value="Submit"></td></tr>',"\n";
echo html_table_end(); echo html_table_end();
echo html_frame_end(); echo html_frame_end();
echo html_back_link(1,BASE."appview.php?appId=$appId".$versionLink); echo html_back_link(1,BASE."appview.php?appId={$_REQUEST['appId']}$versionLink");
apidb_footer(); apidb_footer();
} }
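Review bot: On the new side the INSERT built at `$query = "INSERT into appNotes VALUES (null, '".` still interpolates `$_REQUEST['appId']` and `$_REQUEST['versionId']` raw, and `versionId` is only passed through `is_numeric` to decide whether `$versionLink` is set — the old `else exit;` is gone, so a non-numeric or empty `versionId` now reaches the SQL string (and the `is_maintainer($_REQUEST['appId'],$_REQUEST['versionId'])` call in the privilege check, which runs before any validation at all). `is_numeric` also accepts forms such as `1e3` and leading whitespace, so both ids should be checked once, ahead of the privilege check, and normalised with `intval()` into locals that the rest of the script uses; that would also repair `lookupAppName($appId)." Version: ".lookupVersionName($appId, $versionId)`, which on the new side still reads the old register_globals variables. The branch `else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))` tests a field named `submit`, but both buttons are named `sub`, so it presumably should be `empty($_REQUEST['sub'])`. Whether a note with no version is meant to be accepted is not clear from the hunk (the old code exited on `$versionId == 0`); if it is not, the exit should be restored rather than dropped, and the normalised integers are also what should be echoed into the preview form instead of the raw request values.
```php
//check for admin privs
// validate and normalise the ids before they reach is_maintainer() or the SQL string
if(!isset($_REQUEST['appId']) || !is_numeric($_REQUEST['appId']) ||
   !isset($_REQUEST['versionId']) || !is_numeric($_REQUEST['versionId']))
{
    errorpage('Wrong ID');
    exit;
}
$appId = intval($_REQUEST['appId']);
$versionId = intval($_REQUEST['versionId']);
if(!loggedin() || (!havepriv("admin") && !$_SESSION['current']->is_maintainer($appId,$versionId)) )
{
    errorpage("Insufficient Privileges!");
    exit;
}
//set link for version
$versionLink = ($versionId != 0) ? "&versionId=$versionId" : "";
// … unchanged: Submit and Preview branches, using $appId / $versionId in place of the raw $_REQUEST values …
```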