claunia/qemudb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Filter all user input to reduce the security impact of manipulated data

Browse Source
This commit is contained in:
EA Durbin
2006-06-17 06:10:10 +00:00
committed by WineHQ
parent 02c5682c01
commit f982c8459e
53 changed files with 988 additions and 542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
account.php
View File

@@ -11,11 +11,15 @@ require(BASE."include/mail.php");
header("Pragma: no-cache");
header("Cache-control: no-cache");
$aClean = array(); //array of filtered user input
// check command and process
if(isset($_POST['cmd']))
do_account($_POST['cmd']);
if(!empty($_POST['cmd']))
$aClean['cmd'] = makeSafe( $_POST['cmd'] );
else
do_account($_GET['cmd']);
$aClean['cmd'] = makeSafe( $_GET['cmd'] );
do_account($aClean['cmd']);
/**
@@ -76,25 +80,31 @@ function retry($cmd, $msg)
*/
function cmd_do_new()
{
$aClean = array(); //array of filtered user input
if(!ereg("^.+@.+\\..+$", $_POST['ext_email']))
$aClean['ext_email'] = makeSafe($_POST['ext_email']);
$aClean['ext_password'] = makeSafe($_POST['ext_password']);
$aClean['ext_password2'] = makeSafe($_POST['ext_password2']);
$aClean['CVSrelease'] = makeSafe($_POST['CVSrelease']);
$aClean['ext_realname']= makeSafe($_POST['ext_realname']);
if(!ereg("^.+@.+\\..+$", $aClean['ext_email']))
{
$_POST['ext_email'] = "";
$aClean['ext_email'] = "";
retry("new", "Invalid email address");
return;
}
if(strlen($_POST['ext_password']) < 5)
if(strlen($aClean['ext_password']) < 5)
{
retry("new", "Password must be at least 5 characters");
return;
}
if($_POST['ext_password'] != $_POST['ext_password2'])
if($aClean['ext_password'] != $aClean['ext_password2'])
{
retry("new", "Passwords don't match");
return;
}
$_POST['ext_realname']=trim($_POST['ext_realname']);
if(empty($_POST['ext_realname']))
if(empty($aClean['ext_realname']))
{
retry("new", "You don't have a Real name?");
return;
@@ -102,15 +112,15 @@ function cmd_do_new()
$user = new User();
$result = $user->create($_POST['ext_email'], $_POST['ext_password'], $_POST['ext_realname'], $_POST['CVSrelease'] );
$result = $user->create($aClean['ext_email'], $aClean['ext_password'], $aClean['ext_realname'], $aClean['CVSrelease'] );
if($result == true)
{
/* if we can log the user in, log them in automatically */
if($user->login($_POST['ext_email'], $_POST['ext_password']))
if($user->login($aClean['ext_email'], $aClean['ext_password']))
$_SESSION['current'] = $user;
addmsg("Account created! (".$_POST['ext_email'].")", "green");
addmsg("Account created! (".$aClean['ext_email'].")", "green");
redirect(apidb_fullurl());
}
else
@@ -126,10 +136,14 @@ function cmd_do_new()
function cmd_send_passwd()
{
$aClean = array(); //array of filtered user input
$aClean['ext_email'] = makeSafe($_POST['ext_email']);
$note = '(<b>Note</b>: accounts for <b>appdb</b>.winehq.org and <b>bugs</b>.winehq.org '
.'are separated, so You might need to <b>create second</b> account for appdb.)';
$userid = user_exists($_POST['ext_email']);
$userid = user_exists($aClean['ext_email']);
$passwd = generate_passwd();
$user = new User($userid);
if ($userid)
@@ -159,7 +173,7 @@ function cmd_send_passwd()
}
else
{
addmsg("Sorry, that user (".$_POST['ext_email'].") does not exist.<br><br>"
addmsg("Sorry, that user (".$aClean['ext_email'].") does not exist.<br><br>"
.$note, "red");
}
@@ -171,8 +185,13 @@ function cmd_send_passwd()
*/
function cmd_do_login()
{
$aClean = array(); //array of filtered user input
$aClean['ext_email'] = makeSafe($_POST['ext_email']);
$aClean['ext_password'] = makeSafe($_POST['ext_password']);
$user = new User();
$result = $user->login($_POST['ext_email'], $_POST['ext_password']);
$result = $user->login($aClean['ext_email'], $aClean['ext_password']);
if($result == true)
{

43
addcomment.php
View File

@@ -1,4 +1,16 @@
<?php
include("path.php");
require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['thread'] = makeSafe($_REQUEST['thread']);
$aClean['body'] = makeSafe($_REQUEST['body']);
$aClean['subject'] = makeSafe($_REQUEST['subject']);
/********************************/
/* code to submit a new comment */
/********************************/
@@ -6,11 +18,6 @@
/*
* application environment
*/
include("path.php");
require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
// you must be logged in to submit comments
if(!$_SESSION['current']->isLoggedIn())
{
@@ -19,24 +26,24 @@ if(!$_SESSION['current']->isLoggedIn())
exit;
}
if(!is_numeric($_REQUEST['versionId']))
if( !is_numeric($aClean['versionId']) )
{
errorpage('Internal Database Access Error');
exit;
}
if(!is_numeric($_REQUEST['thread']))
if(!is_numeric($aClean['thread']))
{
$_REQUEST['thread'] = 0;
$aClean['thread'] = 0;
}
############################
# ADDS COMMENT TO DATABASE #
############################
if(isset($_REQUEST['body']))
if(!empty($aClean['body']))
{
$oComment = new Comment();
$oComment->create($_REQUEST['subject'], $_REQUEST['body'], $_REQUEST['thread'], $_REQUEST['versionId']);
$oComment->create($aClean['subject'], $aClean['body'], $aClean['thread'], $aClean['versionId']);
redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));
}
@@ -49,9 +56,9 @@ else
$mesTitle = "<b>Post New Comment</b>";
if($_REQUEST['thread'] > 0)
if($aClean['thread'] > 0)
{
$result = query_appdb("SELECT * FROM appComments WHERE commentId = ".$_REQUEST['thread']);
$result = query_appdb("SELECT * FROM appComments WHERE commentId = ".$aClean['thread']);
$ob = mysql_fetch_object($result);
if($ob)
{
@@ -71,8 +78,8 @@ else
echo "<tr class=\"color0\"><td align=right><b>From:</b>&nbsp;</td>\n";
echo " <td>&nbsp;".$_SESSION['current']->sRealname."</td></tr>\n";
echo "<tr class=\"color0\"><td align=right><b>Subject:</b>&nbsp;</td>\n";
echo " <td>&nbsp;<input type=\"text\" size=\"35\" name=\"subject\" value=\"".$_REQUEST['subject']."\" /> </td></tr>\n";
echo "<tr class=\"color1\"><td colspan=2><textarea name=\"body\" cols=\"70\" rows=\"15\" wrap=\"virtual\">".$_REQUEST['body']."</textarea></td></tr>\n";
echo " <td>&nbsp;<input type=\"text\" size=\"35\" name=\"subject\" value=\"".$aClean['subject']."\" /> </td></tr>\n";
echo "<tr class=\"color1\"><td colspan=2><textarea name=\"body\" cols=\"70\" rows=\"15\" wrap=\"virtual\">".$aClean['body']."</textarea></td></tr>\n";
echo "<tr class=\"color1\"><td colspan=2 align=center>\n";
echo " <input type=\"SUBMIT\" value=\"Post Comment\" class=\"button\" />\n";
echo " <input type=\"RESET\" value=\"Reset\" class=\"button\" />\n";
@@ -81,10 +88,10 @@ else
echo html_frame_end();
echo "<input type=\"HIDDEN\" name=\"thread\" value=\"".$_REQUEST['thread']."\" />\n";
echo "<input type=\"HIDDEN\" name=\"appId\" value=\"".$_REQUEST['appId']."\" />\n";
echo "<input type=\"HIDDEN\" name=\"versionId\" value=\"".$_REQUEST['versionId']."\" />\n";
if (isset($_REQUEST['thread']))
echo "<input type=\"HIDDEN\" name=\"thread\" value=\"".$aClean['thread']."\" />\n";
echo "<input type=\"HIDDEN\" name=\"appId\" value=\"".$aClean['appId']."\" />\n";
echo "<input type=\"HIDDEN\" name=\"versionId\" value=\"".$aClean['versionId']."\" />\n";
if (!empty($aClean['thread']))
{
echo "<input type=\"HIDDEN\" name=\"originator\" value=\"$originator\" />\n";
}

39
admin/addAppNote.php
View File

@@ -8,36 +8,45 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['appId'] = makeSafe( $_REQUEST['appId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
$aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
//FIXME: get rid of appId references everywhere, as version is enough.
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$_REQUEST['versionId']."'";
$sQuery = "SELECT appId FROM appVersion WHERE versionId = '".$aClean['versionId']."'";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
$appId = $oRow->appId;
//check for admin privs
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($_REQUEST['versionId']) && !$_SESSION['current']->isSuperMaintainer($_REQUEST['appId']))
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($aClean['versionId']) && !$_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
errorpage("Insufficient Privileges!");
exit;
}
//set link for version
if(is_numeric($_REQUEST['versionId']) and !empty($_REQUEST['versionId']))
if(is_numeric($aClean['versionId']) and !empty($aClean['versionId']))
{
$versionLink = "versionId={$_REQUEST['versionId']}";
$versionLink = "versionId={$aClean['versionId']}";
}
else
exit;
if($_REQUEST['sub'] == "Submit")
if($aClean['sub'] == "Submit")
{
$oNote = new Note();
$oNote->create($_REQUEST['noteTitle'], $_REQUEST['noteDesc'], $_REQUEST['versionId']);
$oNote->create($aClean['noteTitle'], $aClean['noteDesc'], $aClean['versionId']);
redirect(apidb_fullurl("appview.php?".$versionLink));
exit;
}
else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))
else if($aClean['sub'] == 'Preview' OR empty($aClean['submit']))
{
HtmlAreaLoaderScript(array("editor"));
@@ -47,22 +56,22 @@ else if($_REQUEST['sub'] == 'Preview' OR empty($_REQUEST['submit']))
echo html_frame_start("Add Application Note", "90%","",0);
echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'");
echo "<input type=\"hidden\" name=\"versionId\" value=\"{$_REQUEST['versionId']}\">";
echo add_br($_REQUEST['noteDesc']);
echo "<input type=\"hidden\" name=\"versionId\" value=\"{$aClean['versionId']}\">";
echo add_br($aClean['noteDesc']);
if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING")
if ($aClean['noteTitle'] == "HOWTO" || $aClean['noteTitle'] == "WARNING")
{
echo "<input type=hidden name='noteTitle' value='{$_REQUEST['noteTitle']}'>";
echo "<tr><td class=color1>Type</td><td class=color0>{$_REQUEST['noteTitle']}</td></tr>\n";
echo "<input type=hidden name='noteTitle' value='{$aClean['noteTitle']}'>";
echo "<tr><td class=color1>Type</td><td class=color0>{$aClean['noteTitle']}</td></tr>\n";
}
else
{
echo "<tr><td class=color1>Title</td><td class=color0><input size='80%' type='text' name='noteTitle' type='text' value='{$_REQUEST['noteTitle']}'></td></tr>\n";
echo "<tr><td class=color1>Title</td><td class=color0><input size='80%' type='text' name='noteTitle' type='text' value='{$aClean['noteTitle']}'></td></tr>\n";
}
echo '<tr><td class="color4">Description</td><td class="color0">', "\n";
if(trim(strip_tags($_REQUEST['noteDesc']))=="") $_REQUEST['noteDesc']="<p>Enter note here</p>";
if ( $aClean['noteDesc'] == "" ) $aClean['noteDesc']="<p>Enter note here</p>";
echo '<p style="width:700px">', "\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.stripslashes($_REQUEST['noteDesc']).'</textarea>',"\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.stripslashes($aClean['noteDesc']).'</textarea>',"\n";
echo '</p>';
echo '</td></tr><tr><td colspan="2" align="center" class="color3">',"\n";
echo '<input type="submit" name="sub" value="Preview">&nbsp',"\n";

16
admin/addCategory.php
View File

@@ -3,21 +3,29 @@ include("path.php");
require(BASE."include/incl.php");
require(BASE."include/category.php");
$aClean = array(); //array of filtered user input
$aClean['catId'] = makeSafe($_REQUEST['catId']);
$aClean['name'] = makeSafe($_REQUEST['name']);
$aClean['description'] = makeSafe($_REQUEST['description']);
$aClean['parentId'] = makeSafe($_REQUEST['parentId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage();
exit;
}
$oCat = new Category($_REQUEST['catId']);
if($_REQUEST['submit'])
$oCat = new Category($aClean['catId']);
if($aClean['submit'])
{
$oCat->update($_REQUEST['name'],$_REQUEST['description'],$_REQUEST['parentId']);
$oCat->update($aClean['name'],$aClean['description'],$aClean['parentId']);
redirect(apidb_fullurl("appbrowse.php?catId=".$oCat->iCatId));
}
else
{
apidb_header("Add Category");
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$_REQUEST['catId']."'";
$sQuery = "SELECT catId, catName FROM appCategory WHERE catId!='".$aClean['catId']."'";
$hResult = query_appdb($sQuery);
while($oRow = mysql_fetch_object($hResult))
{

27
admin/adminAppDataQueue.php
View File

@@ -9,6 +9,15 @@ require(BASE."include/mail.php");
require(BASE."include/tableve.php");
require(BASE."include/application.php");
$aClean = array(); //array of user input
$aClean['id'] = makeSafe($_REQUEST['id']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['add'] = makeSafe($_REQUEST['add']);
$aClean['description'] = makeSafe($_REQUEST['description']);
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$aClean['reject'] = makeSafe($_REQUEST['reject']);
// deny access if not admin or at least some kind of maintainer
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer())
{
@@ -17,7 +26,7 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintaine
}
// shows the list of appdata in queue
if (!$_REQUEST['id'])
if (!$aClean['id'])
{
apidb_header("Admin Application Data Queue");
@@ -76,10 +85,10 @@ if (!$_REQUEST['id'])
}
} else // shows a particular appdata
{
$hResult = $_SESSION['current']->getAppDataQuery($_REQUEST['id'], false, false);
$hResult = $_SESSION['current']->getAppDataQuery($aClean['id'], false, false);
$obj_row = mysql_fetch_object($hResult);
if(!$_REQUEST['sub']=="inside_form")
if(!$aClean['sub']=="inside_form")
{
apidb_header("Admin Application Data Queue");
@@ -146,9 +155,9 @@ if (!$_REQUEST['id'])
echo '</table>',"\n";
echo '<input type=hidden name="sub" value="inside_form" />',"\n";
echo '<input type=hidden name="id" value="'.$_REQUEST['id'].'" />',"\n";
echo '<input type=hidden name="id" value="'.$aClean['id'].'" />',"\n";
echo '</form>';
} elseif ($_REQUEST['add']) // we accepted the request
} elseif ($aClean['add']) // we accepted the request
{
$statusMessage = "";
$goodtogo = 0;
@@ -161,7 +170,7 @@ if (!$_REQUEST['id'])
elseif ($obj_row->type == "url")
{ // FIXME: use Link class
$query = "INSERT INTO appData VALUES (null, ".$obj_row->versionId.", 'url', ".
"'".addslashes($_REQUEST['description'])."', '".$obj_row->url."')";
"'".$aClean['description']."', '".$obj_row->url."')";
if (query_appdb($sQuery))
{
$statusMessage = "<p>The application data was successfully added into the database</p>\n";
@@ -175,7 +184,7 @@ if (!$_REQUEST['id'])
{
$sSubject = "Application Data Request Report";
$sMsg = "Your submission of an application data for ".lookup_app_name($obj_row->appId).lookup_version_name($obj_row->versionId)." has been accepted. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
$sMsg .= "We appreciate your help in making the Application Database better for all users.\r\n";
mail_appdb($oUser->sEmail, $sSubject ,$sMsg);
@@ -183,7 +192,7 @@ if (!$_REQUEST['id'])
}
}
redirect(apidb_fullurl("admin/adminAppDataQueue.php"));
} elseif ($_REQUEST['reject'])
} elseif ($aClean['reject'])
{
if($obj_row->type == "image")
{
@@ -197,7 +206,7 @@ if (!$_REQUEST['id'])
{
$sSubject = "Application Data Request Report";
$sMsg = "Your submission of an application data for ".lookup_app_name($obj_row->appId).lookup_version_name($obj_row->versionId)." was rejected. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
mail_appdb($oUser->sEmail, $sSubject ,$sMsg);
}

86
admin/adminAppQueue.php
View File

@@ -10,6 +10,20 @@ require(BASE."include/application.php");
require(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //array of filtered user input
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
$aClean['sub'] = makeSafe($_REQUEST['sub'] );
$aClean['apptype'] = makeSafe($_REQUEST['apptype']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
$aClean['appVendorId'] = makeSafe($_REQUEST['appVendorId']);
$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
$aClean['appIdMergeTo'] = makeSafe($_REQUEST['appIdMergeTo']);
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$aClean['versionIdMergeTo'] = makeSafe($_REQUEST['versionIdMergeTo']);
$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
function get_vendor_from_keywords($sKeywords)
{
@@ -120,11 +134,11 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isSuperMain
errorpage("Insufficient privileges.");
exit;
}
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if($_REQUEST['apptype'] == 'application')
if($aClean['apptype'] == 'application')
{
/* make sure the user is authorized to view this application request */
if(!$_SESSION['current']->hasPriv("admin"))
@@ -133,21 +147,21 @@ if ($_REQUEST['sub'])
exit;
}
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
// if we are processing a queued application there MUST be an implicitly queued
// version to go along with it.
$sQuery = "Select versionId from appVersion where appId='".$_REQUEST['appId']."';";
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
$oVersion = new Version($oRow->versionId);
}
else if($_REQUEST['apptype'] == 'version')
else if($aClean['apptype'] == 'version')
{
/* make sure the user has permission to view this version */
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
if(!$_SESSION['current']->hasAppVersionModifyPermission($oVersion))
{
errorpage("Insufficient privileges.");
@@ -173,21 +187,21 @@ if ($_REQUEST['sub'])
$oTest = new testResult();
}
if($_REQUEST['sub'] == 'add')
if($aClean['sub'] == 'add')
{
$oVersion = new Version($_REQUEST['versionId']);
$oTest = new testData($_REQUEST['iTestingId']);
$oVersion = new Version($aClean['versionId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
if ($_REQUEST['apptype'] == "application") // application
if ($aClean['apptype'] == "application") // application
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
// add new vendor
if($_REQUEST['appVendorName'] and !$_REQUEST['appVendorId'])
if($aClean['appVendorName'] and !$aClean['appVendorId'])
{
$oVendor = new Vendor();
$oVendor->create($_REQUEST['appVendorName'],$_REQUEST['appWebpage']);
$oVendor->create($aClean['appVendorName'],$aClean['appWebpage']);
$oApp->iVendorId = $oVendor->iVendorId;
}
$oApp->update(true);
@@ -199,16 +213,16 @@ if ($_REQUEST['sub'])
$oTest->unQueue();
redirect($_SERVER['PHP_SELF']);
}
else if ($_REQUEST['sub'] == 'duplicate')
else if ($aClean['sub'] == 'duplicate')
{
if(is_numeric($_REQUEST['appIdMergeTo']))
if(is_numeric($aClean['appIdMergeTo']))
{
/* move this version submission under the existing app */
$oVersion->iAppId = $_REQUEST['appIdMergeTo'];
$oVersion->iAppId = $aClean['appIdMergeTo'];
$oVersion->update();
/* delete the appId that is the duplicate */
$_REQUEST['replyText'] = "Your Vesion information was moved to an existing Application";
$aClean['replyText'] = "Your Vesion information was moved to an existing Application";
$oAppDelete = new Application($oApp->iAppId);
$oAppDelete->delete();
}
@@ -216,51 +230,51 @@ if ($_REQUEST['sub'])
/* redirect back to the main page */
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'movetest')
else if ($aClean['sub'] == 'movetest')
{
if(is_numeric($_REQUEST['versionIdMergeTo']))
if(is_numeric($aClean['versionIdMergeTo']))
{
// move this Test submission under the existing version //
$oTest->iVersionId = $_REQUEST['versionIdMergeTo'];
$oTest->iVersionId = $aClean['versionIdMergeTo'];
$oTest->update();
// delete the Version entry
$_REQUEST['replyText'] = "Your Test results were moved to existing version";
$oVersion = new Version($_REQUEST['versionId']);
$aClean['replyText'] = "Your Test results were moved to existing version";
$oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
// redirect back to the main page
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'Delete')
else if ($aClean['sub'] == 'Delete')
{
if (($_REQUEST['apptype'] == "application") && is_numeric($_REQUEST['appId'])) // application
if (($aClean['apptype'] == "application") && is_numeric($aClean['appId'])) // application
{
// delete the application entry
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->delete();
} else if(($_REQUEST['apptype'] == "version") && is_numeric($_REQUEST['versionId'])) // version
} else if(($aClean['apptype'] == "version") && is_numeric($aClean['versionId'])) // version
{
// delete the Version entry
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
else if ($_REQUEST['sub'] == 'Reject')
else if ($aClean['sub'] == 'Reject')
{
$oVersion = new Version($_REQUEST['versionId']);
$oTest = new testData($_REQUEST['iTestingId']);
$oVersion = new Version($aClean['versionId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
if ($_REQUEST['apptype'] == "application") // application
if ($aClean['apptype'] == "application") // application
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
$oApp->update(true);
$oApp->reject();
@@ -273,7 +287,7 @@ if ($_REQUEST['sub'])
}
//process according to sub flag
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
$x = new TableVE("view");
apidb_header("Admin App Queue");
@@ -385,7 +399,7 @@ if ($_REQUEST['sub'])
{
$oVersion->OutputEditor(false, false);
}
$oTest->OutputEditor($_REQUEST['sDistribution']);
$oTest->OutputEditor($aClean['sDistribution']);
echo html_frame_start("Reply text", "90%", "", 0);
echo "<table width='100%' border=0 cellpadding=2 cellspacing=0>\n";
@@ -418,7 +432,7 @@ if ($_REQUEST['sub'])
redirect(apidb_fullurl("admin/adminAppQueue.php"));
}
}
else /* if ($_REQUEST['sub']) is not defined, display the main app queue page */
else /* if ($aClean['sub']) is not defined, display the main app queue page */
{
apidb_header("Admin App Queue");

31
admin/adminBugs.php
View File

@@ -11,6 +11,15 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['QueuedOnly'] = makeSafe($_REQUEST['QueuedOnly']);
$aClean['page'] = makeSafe($_REQUEST['page']);
// deny access if not logged in
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -18,19 +27,19 @@ if(!$_SESSION['current']->hasPriv("admin"))
exit;
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if(($_REQUEST['sub'] == 'delete' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'delete' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->delete();
}
if(($_REQUEST['sub'] == 'unqueue' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'unqueue' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->unqueue();
}
redirect($_SERVER['PHP_SELF']."?ItemsPerPage=".$_REQUEST['ItemsPerPage']."&QueuedOnly=".$_REQUEST['QueuedOnly']."&page=".$_REQUEST['page']);
redirect($_SERVER['PHP_SELF']."?ItemsPerPage=".$aClean['ItemsPerPage']."&QueuedOnly=".$aClean['QueuedOnly']."&page=".$aClean['page']);
exit;
}
@@ -40,13 +49,13 @@ if ($_REQUEST['sub'])
$pageRange = 10;
$ItemsPerPage = 10;
$currentPage = 1;
$QueuedOnly = !isset($_REQUEST['QueuedOnly'])? NULL: $_REQUEST['QueuedOnly'];
$QueuedOnly = empty($aClean['QueuedOnly'])? NULL: $aClean['QueuedOnly'];
$BugLinks = ($QueuedOnly == 'on')?getNumberOfQueuedBugLinks():getNumberOfBugLinks();
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
if($aClean['page'])
$currentPage = $aClean['page'];
$ItemsPerPage = min($ItemsPerPage,100);
$totalPages = max(ceil($BugLinks/$ItemsPerPage),1);

13
admin/adminCommentView.php
View File

@@ -15,10 +15,15 @@ $pageRange = 10;
$ItemsPerPage = 10;
$currentPage = 1;
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
$aClean = array(); //array of filtered user input
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['page'] = makeSafe($_REQUEST['page']);
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($aClean['page'])
$currentPage = $aClean['page'];
$totalPages = ceil(getNumberOfComments()/$ItemsPerPage);

28
admin/adminMaintainerQueue.php
View File

@@ -11,21 +11,29 @@ require(BASE."include/maintainer.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe( $_REQUEST['sub'] );
$aClean['queueId'] = makeSafe( $_REQUEST['queueId'] );
$aClean['add'] = makeSafe( $_REQUEST['add'] );
$aClean['reject'] = makeSafe( $_REQUEST'reject'] );
$aClean['replyText'] = makeSafe( $_REQUEST['replyText'] );
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage("Insufficient privileges.");
exit;
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if ($_REQUEST['queueId'])
if ($aClean['queueId'])
{
//get data
$query = "SELECT queueId, appId, versionId,".
"userId, maintainReason, superMaintainer,".
"UNIX_TIMESTAMP(submitTime) as submitTime ".
"FROM appMaintainerQueue WHERE queueId = ".$_REQUEST['queueId'].";";
"FROM appMaintainerQueue WHERE queueId = ".$aClean['queueId'].";";
$result = query_appdb($query);
$ob = mysql_fetch_object($result);
$oUser = new User($ob->userId);
@@ -38,7 +46,7 @@ if ($_REQUEST['sub'])
}
//process according to which request was submitted and optionally the sub flag
if (!$_REQUEST['add'] && !$_REQUEST['reject'] && $_REQUEST['queueId'])
if (!$aClean['add'] && !$aClean['reject'] && $aClean['queueId'])
{
apidb_header("Admin Maintainer Queue");
echo '<form name="qform" action="adminMaintainerQueue.php" method="post" enctype="multipart/form-data">',"\n";
@@ -163,7 +171,7 @@ if ($_REQUEST['sub'])
echo '</table>',"\n";
echo '<input type=hidden name="sub" value="inside_form" />',"\n";
echo '<input type=hidden name="queueId" value="'.$_REQUEST['queueId'].'" />',"\n";
echo '<input type=hidden name="queueId" value="'.$aClean['queueId'].'" />',"\n";
echo html_frame_end("&nbsp;");
echo html_back_link(1,'adminMaintainerQueue.php');
@@ -172,7 +180,7 @@ if ($_REQUEST['sub'])
exit;
}
else if ($_REQUEST['add'] && $_REQUEST['queueId'])
else if ($aClean['add'] && $aClean['queueId'])
{
/* create a new user object for the maintainer */
$maintainerUser = new User($ob->userId);
@@ -180,11 +188,11 @@ if ($_REQUEST['sub'])
/* add the user as a maintainer and return the statusMessage */
$statusMessage = $maintainerUser->addAsMaintainer($ob->appId, $ob->versionId,
$ob->superMaintainer,
$_REQUEST['queueId']);
$aClean['queueId']);
//done
addmsg("<p><b>$statusMessage</b></p>", 'green');
}
else if (($_REQUEST['reject'] || ($_REQUEST['sub'] == 'reject')) && $_REQUEST['queueId'])
else if (($aClean['reject'] || ($aClean['sub'] == 'reject')) && $aClean['queueId'])
{
$sEmail = $oUser->sEmail;
if ($sEmail)
@@ -193,7 +201,7 @@ if ($_REQUEST['sub'])
$oVersion = new Version($ob->versionId);
$sSubject = "Application Maintainer Request Report";
$sMsg = "Your application to be the maintainer of ".$oApp->sName." ".$oVersion->sName." was rejected. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
$sMsg .= "";
$sMsg .= "-The AppDB admins\n";
@@ -201,7 +209,7 @@ if ($_REQUEST['sub'])
}
//delete main item
$query = "DELETE from appMaintainerQueue where queueId = ".$_REQUEST['queueId'].";";
$query = "DELETE from appMaintainerQueue where queueId = ".$aClean['queueId'].";";
$result = query_appdb($query,"unable to delete selected maintainer application");
echo html_frame_start("Delete maintainer application",400,"",0);
if($result)

13
admin/adminMaintainers.php
View File

@@ -9,6 +9,11 @@
include("path.php");
require(BASE."include/incl.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['maintainerId'] = makeSafe($_REQUEST['maintainerId']);
// deny access if not logged in
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,13 +24,13 @@ if(!$_SESSION['current']->hasPriv("admin"))
apidb_header("Admin Maintainers");
echo '<form name="qform" action="adminMaintainers.php" method="post" enctype="multipart/form-data">',"\n";
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if($_REQUEST['sub'] == 'delete')
if($aClean['sub'] == 'delete')
{
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$_REQUEST['maintainerId'].";";
$sQuery = "DELETE FROM appMaintainers WHERE maintainerId = ".$aClean['maintainerId'].";";
$hResult = query_appdb($sQuery);
echo html_frame_start("Delete maintainer: ".$_REQUEST['maintainerId'],400,"",0);
echo html_frame_start("Delete maintainer: ".$aClean['maintainerId'],400,"",0);
if($hResult)
{
// success

31
admin/adminScreenshots.php
View File

@@ -10,6 +10,15 @@ require_once(BASE."include/screenshot.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['cmd'] = makeSafe($_REQUEST['cmd']);
$aClean['imageId'] = makeSafe($_REQUEST['imageId']);
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['page'] = makeSafe($_REQUEST['page']);
$aClean['regenerate'] = makeSafe($_REQUEST['regenerate']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
// deny access if not admin
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,18 +28,18 @@ if(!$_SESSION['current']->hasPriv("admin"))
/*
* We issued a delete command.
*/
if($_REQUEST['cmd'])
if($aClean['cmd'])
{
// process screenshot deletion
if($_REQUEST['cmd'] == "delete" && is_numeric($_REQUEST['imageId']))
if($aClean['cmd'] == "delete" && is_numeric($aClean['imageId']))
{
$oScreenshot = new Screenshot($_REQUEST['imageId']);
$oScreenshot = new Screenshot($aClean['imageId']);
$oScreenshot->delete();
$oScreenshot->free();
}
redirect($_SERVER['PHP_SELF'].
"?ItemsPerPage=".$_REQUEST['ItemsPerPage'].
"&page=".$_REQUEST['page']);
"?ItemsPerPage=".$aClean['ItemsPerPage'].
"&page=".$aClean['page']);
exit;
}
@@ -38,7 +47,7 @@ if($_REQUEST['cmd'])
apidb_header("Screenshots");
// regenerate all screenshots
if($_REQUEST['regenerate'])
if($aClean['regenerate'])
{
$sQuery = "SELECT id FROM appData WHERE type = 'image'";
$hResult = query_appdb($sQuery);
@@ -63,10 +72,10 @@ $pageRange = 10;
$ItemsPerPage = 6;
$currentPage = 1;
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($aClean['page'])
$currentPage = $aClean['page'];
$ItemsPerPage = min($ItemsPerPage,100);
$totalPages = ceil(getNumberOfImages()/$ItemsPerPage);
@@ -130,7 +139,7 @@ while ($oRow = mysql_fetch_object($Ids))
//show admin delete link
if($_SESSION['current']->isLoggedIn() &&
($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($_REQUEST['versionId'])))
$_SESSION['current']->isMaintainer($aClean['versionId'])))
{
echo "<br />[<a href='".$_SERVER['PHP_SELF'];
echo "?cmd=delete&imageId=$oRow->id";

31
admin/adminTestResults.php
View File

@@ -11,11 +11,14 @@ require(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
require_once(BASE."include/distributions.php");
$aClean = array();
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
$oVersion = new Version($oTest->iVersionId);
if(!($_SESSION['current']->hasAppVersionModifyPermission($oVersion)))
{
@@ -23,26 +26,26 @@ if ($_REQUEST['sub'])
exit;
}
if(($_REQUEST['sub'] == 'Submit') || ($_REQUEST['sub'] == 'Save') ||
($_REQUEST['sub'] == 'Reject') || ($_REQUEST['sub'] == 'Delete'))
if(($aClean['sub'] == 'Submit') || ($aClean['sub'] == 'Save') ||
($aClean['sub'] == 'Reject') || ($aClean['sub'] == 'Delete'))
{
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
$oTest->GetOutputEditorValues();
if($_REQUEST['sub'] == 'Submit') // submit the testing results
if($aClean['sub'] == 'Submit') // submit the testing results
{
$oTest->update(true);
$oTest->unQueue();
} else if($_REQUEST['sub'] == 'Save') // save the testing results
} else if($aClean['sub'] == 'Save') // save the testing results
{
$oTest->update();
} else if($_REQUEST['sub'] == 'Reject') // reject testing results
} else if($aClean['sub'] == 'Reject') // reject testing results
{
$oTest->update(true);
$oTest->Reject();
} else if($_REQUEST['sub'] == 'Delete') // delete testing results
} else if($aClean['sub'] == 'Delete') // delete testing results
{
$oTest->delete();
}
@@ -51,15 +54,15 @@ if ($_REQUEST['sub'])
}
}
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
}
$oVersion = new Version($oTest->iVersionId);
$oApp = new application($oVersion->iAppId);
$sVersionInfo = $oApp->sName." ".$oVersion->sName;
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
switch($oTest->sQueued)
{
@@ -141,7 +144,7 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
else // if ($_REQUEST['sub']) is not defined, display the Testing results queue page
else // if ($aClean['sub']) is not defined, display the Testing results queue page
{
$oTest = new TestData();
apidb_header("Testing Results");

39
admin/adminUsers.php
View File

@@ -6,6 +6,15 @@
include("path.php");
include(BASE."include/incl.php");
$aClean = array(); //filtered user input
$aClean['action'] = makeSafe($_REQUEST['action']);
$aClean['userId'] = makeSafe($_REQUEST['userId']);
$aClean['sSearch'] = makeSafe($_REQUEST['sSearch']);
$aClean['iLimit'] = makeSafe($_REQUEST['iLimit']);
$aClean['sOrderBy'] = makeSafe($_REQUEST['sOrderBy']);
$aClean['sSubmit'] = makeSafe($_REQUEST['sSubmit']);
apidb_header("Admin Users Management");
if(!$_SESSION['current']->hasPriv("admin"))
@@ -15,9 +24,9 @@ if(!$_SESSION['current']->hasPriv("admin"))
}
// we want to delete a user
if($_REQUEST['action'] == "delete" && is_numeric($_REQUEST['userId']))
if($aClean['action'] == "delete" && is_numeric($aClean['userId']))
{
$oUser = new User($_REQUEST['userId']);
$oUser = new User($aClean['userId']);
$oUser->delete();
}
@@ -28,15 +37,15 @@ echo html_frame_start("Users Management","400","",0)
<table width="100%" border=0 cellpadding=0 cellspacing=0>
<tr>
<td class="color1">Pattern</td>
<td><input type="text" name="sSearch" value="<?php echo$_REQUEST['sSearch'];?>"/><br /><small>(leave blank to match all)</small></td>
<td><input type="text" name="sSearch" value="<?php echo $aClean['sSearch'];?>"/><br /><small>(leave blank to match all)</small></td>
</tr>
<tr>
<td class="color1">Show first</td>
<td>
<select name="iLimit">
<option value="100"<?php if($_REQUEST['iLimit']=="100")echo" SELECTED";?>>100 results</option>
<option value="200"<?php if($_REQUEST['iLimit']=="200")echo" SELECTED";?>>200 results</option>
<option value="500"<?php if($_REQUEST['iLimit']=="500")echo" SELECTED";?>>500 result</option>
<option value="100"<?php if($aClean['iLimit']=="100")echo" SELECTED";?>>100 results</option>
<option value="200"<?php if($aClean['iLimit']=="200")echo" SELECTED";?>>200 results</option>
<option value="500"<?php if($aClean['iLimit']=="500")echo" SELECTED";?>>500 result</option>
</select>
</td>
</tr>
@@ -44,9 +53,9 @@ echo html_frame_start("Users Management","400","",0)
<td class="color1">Order by</td>
<td>
<select NAME="sOrderBy">
<option value="email"<?php if($_REQUEST['sOrderBy']=="email")echo" SELECTED";?>>e-mail</option>
<option value="realname"<?php if($_REQUEST['sOrderBy']=="realname")echo" SELECTED";?>>real name</option>
<option value="created"<?php if($_REQUEST['sOrderBy']=="created")echo" SELECTED";?>>creation date</option>
<option value="email"<?php if($aClean['sOrderBy']=="email")echo" SELECTED";?>>e-mail</option>
<option value="realname"<?php if($aClean['sOrderBy']=="realname")echo" SELECTED";?>>real name</option>
<option value="created"<?php if($aClean['sOrderBy']=="created")echo" SELECTED";?>>creation date</option>
</select>
</td>
</tr>
@@ -59,7 +68,7 @@ echo html_frame_start("Users Management","400","",0)
echo html_frame_end();
// if the search form was submitted
if($_REQUEST['sSubmit'])
if($aClean['sSubmit'])
{
echo html_frame_start("Query Results","90%","",0);
echo "<table width='100%' border=0 cellpadding=3 cellspacing=0>\n\n";
@@ -71,13 +80,13 @@ if($_REQUEST['sSubmit'])
echo " <td>Roles</td>\n";
echo " <td align=\"center\">Action</td>\n";
echo "</tr>\n\n";
if(is_numeric($_REQUEST['iLimit']) && in_array($_REQUEST['sOrderBy'],array("email","realname","created")))
if(is_numeric($aClean['iLimit']) && in_array($aClean['sOrderBy'],array("email","realname","created")))
{
$sSearch = addslashes($_REQUEST['sSearch']);
$sSearch = $aClean['sSearch'];
$sQuery = "SELECT * FROM user_list
WHERE realname LIKE '%".$sSearch."%' OR email LIKE '%".$sSearch."%'
ORDER BY ".$_REQUEST['sOrderBy']."
LIMIT ".$_REQUEST['iLimit'];
ORDER BY ".$aClean['sOrderBy']."
LIMIT ".$aClean['iLimit'];
$hResult = query_appdb($sQuery);
$i=0;
while($hResult && $oRow = mysql_fetch_object($hResult))
@@ -93,7 +102,7 @@ if($_REQUEST['sSubmit'])
if($oUser->hasPriv("admin")) echo "A";
if($oUser->isMaintainer()) echo "M";
echo " </td>\n";
echo " <td align=\"center\">[<a href=\"../preferences.php?userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."\">edit</a>]&nbsp;[<a onclick=\"if(!confirm('".$sAreYouSure."'))return false;\" \"href=\"".$_SERVER['PHP_SELF']."?action=delete&userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."&sSubmit=true\">delete</a>]</td>\n";
echo " <td align=\"center\">[<a href=\"../preferences.php?userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."\">edit</a>]&nbsp;[<a onclick=\"if(!confirm('".$sAreYouSure."'))return false;\" \"href=\"".$_SERVER['PHP_SELF']."?action=delete&userId=".$oRow->userid."&sSearch=".$sSearch."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."&sSubmit=true\">delete</a>]</td>\n";
echo "</tr>\n\n";
}
}

21
admin/deleteAny.php
View File

@@ -14,8 +14,15 @@ require_once(BASE."include/mail.php");
require_once(BASE."include/monitor.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //filtered user input
if($_REQUEST['confirmed'] != "yes")
$aClean['confirmed'] = makeSafe($_REQUEST['confirmed']);
$aClean['what'] = makeSafe($_REQUEST['what']);
$aClean['catId'] = makeSafe($_REQUEST['catId']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
if($aClean['confirmed'] != "yes")
{
// ask for confirmation
// could do some Real Damage if someone accidently hits the delete button on the main category :)
@@ -25,13 +32,13 @@ if($_REQUEST['confirmed'] != "yes")
errorpage("Not confirmed");
}
if($_REQUEST['what'])
if($aClean['what'])
{
switch($_REQUEST['what'])
switch($aClean['what'])
{
case "category":
// delete category and the apps in it
$oCategory = new Category($_REQUEST['catId']);
$oCategory = new Category($aClean['catId']);
if(!$oCategory->delete())
errorpage();
else
@@ -39,18 +46,18 @@ if($_REQUEST['what'])
break;
case "appFamily":
// delete app family & all its versions
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
if(!$oApp->delete())
errorpage();
else
redirect(BASE."appbrowse.php");
break;
case "appVersion":
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
if(!$oVersion->delete())
errorpage();
else
redirect(BASE."appview.php?appId=".$_REQUEST['appId']);
redirect(BASE."appview.php?appId=".$aClean['appId']);
break;
}
}

15
admin/editAppFamily.php
View File

@@ -10,22 +10,27 @@ require(BASE."include/application.php");
require(BASE."include/category.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!is_numeric($aClean['appId']))
{
errorpage("Wrong ID");
exit;
}
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isSuperMaintainer($_REQUEST['appId'])))
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isSuperMaintainer($aClean['appId'])))
{
errorpage("Insufficient Privileges!");
exit;
}
if(isset($_REQUEST['submit']))
if(!empty($aClean['submit']))
{
process_app_version_changes(false);
redirect(apidb_fullurl("appview.php?appId={$_REQUEST['appId']}"));
redirect(apidb_fullurl("appview.php?appId={$aClean['appId']}"));
}
else
// Show the form for editing the Application Family
@@ -33,7 +38,7 @@ else
$family = new TableVE("edit");
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
if(!$oApp)
{

46
admin/editAppNote.php
View File

@@ -8,14 +8,24 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['noteId']))
$aClean = array(); //array of filtered user input
$aClean['noteId'] = makeSafe($_REQUEST['noteId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['noteTitle'] = makeSafe($_REQUEST['noteTitle']);
$aClean['noteDesc'] = makeSafe($_REQUEST['noteDesc']);
$aClean['preview'] = makeSafe($_REQUEST['preview']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
if(!is_numeric($aClean['noteId']))
{
errorpage('Wrong note ID');
exit;
}
/* Get note data */
$oNote = new Note($_REQUEST['noteId']);
$oNote = new Note($aClean['noteId']);
/* Check for privs */
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($oNote->iVersionId) && !$_SESSION['current']->isSuperMaintainer($oNote->iAppId))
@@ -24,26 +34,26 @@ if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintaine
exit;
}
if(isset($_REQUEST['sub']))
if(!empty($aClean['sub']))
{
if ($_REQUEST['sub'] == 'Delete')
if ($aClean['sub'] == 'Delete')
{
$oNote->delete();
}
else if ($_REQUEST['sub'] == 'Update')
else if ($aClean['sub'] == 'Update')
{
$oNote->update($_REQUEST['noteTitle'],$_REQUEST['noteDesc']);
$oNote->update($aClean['noteTitle'],$aClean['noteDesc']);
}
redirect(apidb_fullurl("appview.php?versionId={$oNote->iVersionId}"));
}
else
{
if (!isset($_REQUEST['preview']))
if (empty($aClean['preview']))
{
$_REQUEST['noteTitle'] = $oNote->sTitle;
$_REQUEST['noteDesc'] = $oNote->sDescription;
$_REQUEST['appId'] = $oNote->iAppId;
$_REQUEST['versionId'] = $oNote->iVersionId;
$aClean['noteTitle'] = $oNote->sTitle;
$aClean['noteDesc'] = $oNote->sDescription;
$aClean['appId'] = $oNote->iAppId;
$aClean['versionId'] = $oNote->iVersionId;
}
HtmlAreaLoaderScript(array("editor"));
@@ -52,24 +62,24 @@ else
apidb_header("Edit Application Note");
echo "<form method=post action='editAppNote.php'>\n";
echo html_frame_start("Edit Application Note {$_REQUEST['noteId']}", "90%","",0);
echo html_frame_start("Edit Application Note {$aClean['noteId']}", "90%","",0);
echo html_table_begin("width='100%' border=0 align=left cellpadding=6 cellspacing=0 class='box-body'");
echo add_br($_REQUEST['noteDesc']);
echo add_br($aClean['noteDesc']);
echo '<input type="hidden" name="noteId" value='.$_REQUEST['noteId'].'>';
echo '<input type="hidden" name="noteId" value='.$aClean['noteId'].'>';
if ($_REQUEST['noteTitle'] == "HOWTO" || $_REQUEST['noteTitle'] == "WARNING")
if ($aClean['noteTitle'] == "HOWTO" || $aClean['noteTitle'] == "WARNING")
{
echo '<tr><td class=color1>Title (Do not change)</td>';
echo '<td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$_REQUEST['noteTitle'].'"></td></tr>',"\n";
echo '<td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$aClean['noteTitle'].'"></td></tr>',"\n";
}
else
{
echo '<tr><td class=color1>Title</td><td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$_REQUEST['noteTitle'].'"></td></tr>',"\n";
echo '<tr><td class=color1>Title</td><td class=color0><input size=80% type="text" name="noteTitle" type="text" value="'.$aClean['noteTitle'].'"></td></tr>',"\n";
}
echo '<tr><td class=color4>Description</td><td class=color0>', "\n";
echo '<p style="width:700px">', "\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.$_REQUEST['noteDesc'].'</textarea>',"\n";
echo '<textarea cols="80" rows="20" id="editor" name="noteDesc">'.$aClean['noteDesc'].'</textarea>',"\n";
echo '</p>';
echo '</td></tr><tr><td colspan="2" align="center" class="color3">',"\n";
echo '<input type="submit" name=preview value="Preview">&nbsp',"\n";

16
admin/editAppVersion.php
View File

@@ -5,28 +5,34 @@ require(BASE."include/tableve.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']))
{
errorpage("Wrong ID");
exit;
}
/* Check for admin privs */
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($_REQUEST['versionId']) && !$_SESSION['current']->isSuperMaintainer($_REQUEST['appId']))
if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer($aClean['versionId']) && !$_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
errorpage("Insufficient Privileges!");
exit;
}
/* process the changes the user entered into the web form */
if(isset($_REQUEST['submit']))
if(!empty($aClean['submit']))
{
process_app_version_changes(true);
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
} else /* or display the webform for making changes */
{
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
apidb_header("Edit Application Version");

9
admin/editDistribution.php
View File

@@ -3,6 +3,11 @@ include("path.php");
require(BASE."include/incl.php");
require(BASE."include/distributions.php");
$aClean = array(); //array of filtered user input
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['submit'] = makeSafe($_REQUEST['submit']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage("Insufficient privileges.");
@@ -10,8 +15,8 @@ if(!$_SESSION['current']->hasPriv("admin"))
}
$oDistribution = new distribution($_REQUEST['iDistributionId']);
if($_REQUEST['Submit'])
$oDistribution = new distribution($aClean['iDistributionId']);
if($aClean['Submit'])
{
$oDistribution->GetOutputEditorValues();

12
admin/editVendor.php
View File

@@ -3,16 +3,22 @@ include("path.php");
require_once(BASE."include/incl.php");
require_once(BASE."include/vendor.php");
$aClean = array(); //array of filtered user input
$aClean['iVendorId'] = makeSafe($_REQUEST['iVendorId']);
$aClean['Submit'] = makeSafe($_REQUEST['Submit']);
$aClean['sName'] = makeSafe($_REQUEST['sName']);
$aClean['sWebpage'] = makeSafe($_REQUEST['sWebpage']);
if(!$_SESSION['current']->hasPriv("admin"))
{
errorpage();
exit;
}
$oVendor = new Vendor($_REQUEST['iVendorId']);
if($_REQUEST['Submit'])
$oVendor = new Vendor($aClean['iVendorId']);
if($aClean['Submit'])
{
$oVendor->update($_REQUEST['sName'],$_REQUEST['sWebpage']);
$oVendor->update($aClean['sName'],$aClean['sWebpage']);
redirect(apidb_fullurl("vendorview.php"));
}
else

18
admin/moveAppVersion.php
View File

@@ -5,7 +5,13 @@ require(BASE."include/tableve.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']))
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['action'] = makeSafe($_REQUEST['action']);
if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']))
{
errorpage("Wrong ID");
exit;
@@ -18,20 +24,20 @@ if(!$_SESSION['current']->hasPriv("admin"))
exit;
}
if(isset($_REQUEST['action']))
if(!empty($aClean['action']))
{
/* move this version to the given application */
$oVersion = new Version($_REQUEST['versionId']);
$oVersion->update(null, null, null, null, $_REQUEST['appId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->update(null, null, null, null, $aClean['appId']);
/* redirect to the application we just moved this version to */
redirect(apidb_fullurl("appview.php?appId=".$_REQUEST['appId']));
redirect(apidb_fullurl("appview.php?appId=".$aClean['appId']));
} else /* or display the webform for making changes */
{
?>
<link rel="stylesheet" href="./application.css" type="text/css">
<?php
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oApp = new Application($oVersion->iAppId);
apidb_header("Choose application to move this version under");

27
appbrowse.php
View File

@@ -8,36 +8,43 @@ require(BASE."include/"."incl.php");
require(BASE."include/"."appdb.php");
require(BASE."include/"."category.php");
$aClean = array(); //array of filtered user input
$aClean['catId'] = makeSafe($_REQUEST['catId']);
function admin_menu()
{
if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
else $catId="";
if( empty( $aClean['catId'] ) )
{
$aClean['catId'] = "";
}
$m = new htmlmenu("Admin");
$m->add("Edit this Category", BASE."admin/addCategory.php?catId=$catId");
$url = BASE."admin/deleteAny.php?what=category&catId=$catId&confirmed=yes";
$m->add("Edit this Category", BASE."admin/addCategory.php?catId']}");
$url = BASE."admin/deleteAny.php?what=category&catId={$aClean['catId']}&confirmed=yes";
$m->add("Delete this Category", "javascript:deleteURL(\"Are you sure?\", \"".$url."\")");
$m->done();
}
if(isset($_REQUEST['catId'])) $catId=$_REQUEST['catId'];
else $catId=0; // ROOT
if( empty( $aClean['catId'] ) )
{
$aClean['catId'] = 0; // ROOT
}
if( !is_numeric($catId) )
if( !is_numeric($aClean['catId']) )
{
errorpage("Something went wrong with the category ID");
exit;
}
// list sub categories
$cat = new Category($catId);
$cat = new Category($aClean['catId']);
$catFullPath = make_cat_path($cat->getCategoryPath());
$subs = $cat->aSubcatsIds;
//display admin box
if($_SESSION['current']->hasPriv("admin") && $catId != 0)
if($_SESSION['current']->hasPriv("admin") && $aClean['catId'] != 0)
apidb_sidebar_add("admin_menu");
//output header
@@ -125,7 +132,7 @@ if($apps)
}
// Disabled for now
//if ($catId != 0)
//if ($aClean['catId'] != 0)
//{
// log_category_visit($cat->id);
//}

19
appimage.php
View File

@@ -7,22 +7,28 @@ include("path.php");
require(BASE."include/"."incl.php");
require_once(BASE."include/"."screenshot.php");
$aClean = array(); //array of filtered user input
$aClean['id'] = makeSafe($_REQUEST['id']);
$aClean['REQUEST_METHOD'] = makeSafe($_REQUEST['REQUEST_METHOD']);
$aClean['thumbnail'] = makeSafe($_REQUEST['thumbnail']);
/* an image doesn't have a link, so a cookie makes no sense */
header("Set-Cookie: ");
header("Pragma: ");
/* if the user isn't supposed to be viewing this image */
/* display an error message and exit */
if(!$_SESSION['current']->canViewImage($_REQUEST['id']))
if(!$_SESSION['current']->canViewImage($aClean['id']))
{
errorpage("Insufficient privileges.");
exit;
}
if ($_REQUEST['REQUEST_METHOD']='HEAD')
if ($aClean['REQUEST_METHOD']='HEAD')
{
/* WARNING! optimization of logic in include/screenshots.php */
if (sscanf($_REQUEST['id'],"%d", &$iId) < 1)
if (sscanf($aClean['id'],"%d", &$iId) < 1)
{
errorpage("Bad parameter");
exit;
@@ -67,12 +73,12 @@ if ($_REQUEST['REQUEST_METHOD']='HEAD')
header("Expires: ");
header("Last-Modified: ".fHttpDate($iModTime));
}
$oScreenshot = new Screenshot($_REQUEST['id']);
$oScreenshot = new Screenshot($aClean['id']);
/* at this point, we know that .../screenshots/$id and
* .../screenshots/thumbnails/$id both exist as normally
* they would both be created at the same time. */
$fstat_val = stat(appdb_fullpath("data/screenshots/".$_REQUEST['id']));
$fstat_val = stat(appdb_fullpath("data/screenshots/".$aClean['id']));
$iModTime = $fstat_val['mtime'];
header("Cache-Control: public");
@@ -90,9 +96,8 @@ if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&
header("Last-Modified: ".fHttpDate($iModTime));
if(!$_REQUEST['thumbnail'])
if(!$aClean['thumbnail'])
$oScreenshot->oScreenshotImage->output_to_browser(1);
else
$oScreenshot->oThumbnailImage->output_to_browser(1);
?>

87
appsubmit.php
View File

@@ -10,6 +10,19 @@ require_once(BASE."include/application.php");
require_once(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //array of filtered user input
$aClean['apptype'] = makeSafe($_REQUEST['apptype']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
$aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
$aClean['vendorId'] = makeSafe($_REQUEST['vendorId']);
$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
$aClean['appKeywords'] = makeSafe($_REQUEST['appKeywords']);
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
function get_vendor_from_keywords($sKeywords)
{
@@ -27,7 +40,7 @@ function newSubmition($errors)
echo "and you will be notified via e-mail if it is added to the database or rejected.</p>\n";
echo "<p><h2>Before continuing, please ensure that you have</h2>\n";
echo "<ul>\n";
if ($_REQUEST['apptype'] == 1)
if ($aClean['apptype'] == 1)
{
echo " <li>Searched for this application in the database. Duplicate submissions will be rejected</li>\n";
echo " <li>Really want to submit an application instead of a new version of an application\n";
@@ -58,18 +71,18 @@ if(!$_SESSION['current']->isLoggedIn())
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if($_REQUEST['apptype'] == 'application')
if($aClean['apptype'] == 'application')
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application( $aClean['appId']);
if($oApp->iAppId)
{
// if we are processing a queued application there MUST be an implicitly queued
// version to go along with it. Find this version so we can display its information
// during application processing so the admin can make a better choice about
// whether to accept or reject the overall application
$sQuery = "Select versionId from appVersion where appId='".$_REQUEST['appId']."';";
$sQuery = "Select versionId from appVersion where appId='".$aClean['appId']."';";
$hResult = query_appdb($sQuery);
$oRow = mysql_fetch_object($hResult);
@@ -89,9 +102,9 @@ if ($_REQUEST['sub'])
}
}
else if($_REQUEST['apptype'] == 'version')
else if($aClean['apptype'] == 'version')
{
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
// make sure the user has permission to view this version
if(!$_SESSION['current']->hasAppVersionModifyPermission($oVersion) &&
@@ -123,35 +136,35 @@ if ($_REQUEST['sub'])
}
//process according to sub flag
if ($_REQUEST['sub'] == 'Submit')
if ($aClean['sub'] == 'Submit')
{
$errors = "";
$oVersion = new Version($_REQUEST['versionId']);
$oTest = new testData($_REQUEST['iTestingId']);
$oVersion = new Version($aClean['versionId']);
$oTest = new testData($aClean['iTestingId']);
$errors .= $oVersion->CheckOutputEditorInput();
$errors .= $oTest->CheckOutputEditorInput();
$oVersion->GetOutputEditorValues();
$oTest->GetOutputEditorValues();
if ($_REQUEST['apptype'] == "application") // application
if ($aClean['apptype'] == "application") // application
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$errors .= $oApp->CheckOutputEditorInput();
$oApp->GetOutputEditorValues(); // load the values from $_REQUEST
if(empty($errors))
{
if($_REQUEST['appVendorName'])
if($aClean['appVendorName'])
{
$_REQUEST['vendorId']="";
$aClean['vendorId']="";
//FIXME: fix this when we fix vendor submission
if($_SESSION['current']->hasPriv("admin"))
{
$oVendor = new Vendor();
$oVendor->create($_REQUEST['appVendorName'],$_REQUEST['appWebpage']);
$oVendor->create($aClean['appVendorName'],$aClean['appWebpage']);
}
}
//FIXME: remove this when we fix vendor submission
$oApp->sKeywords = $_REQUEST['appKeywords']." *** ".$_REQUEST['appVendorName'];
$oApp->sKeywords = $aClean['appKeywords']." *** ".$aClean['appVendorName'];
if(is_numeric($oApp->iAppId))
{
$oApp->update();
@@ -167,7 +180,7 @@ if ($_REQUEST['sub'])
if(!empty($errors))
{
addmsg("we've got Errors???:".$errors.":");
$_REQUEST['sub'] = 'view';
$aClean['sub'] = 'view';
}
else
{
@@ -180,10 +193,10 @@ if ($_REQUEST['sub'])
{
$oVersion->create();
}
if(!$_REQUEST['iDistributionId'])
if(!$aClean['iDistributionId'])
{
$sDistribution = trim($_REQUEST['sDistribution']);
if(!empty($sDistribution))
$sDistribution = $aClean['sDistribution'];
if( !empty($sDistribution) )
{
$oDistribution = new distribution();
$oDistribution->sName = $sDistribution;
@@ -203,13 +216,13 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
if ($_REQUEST['sub'] == 'Delete')
if ($aClean['sub'] == 'Delete')
{
if (($_REQUEST['apptype'] == "application") && is_numeric($_REQUEST['appId'])) // application
if (($aClean['apptype'] == "application") && is_numeric($aClean['appId'])) // application
{
// get the queued versions that refers to the application entry we just removed
// and delete them as we implicitly added a version entry when adding a new application
$sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$_REQUEST['appId']."' AND appVersion.queued = 'rejected';";
$sQuery = "SELECT versionId FROM appVersion WHERE appVersion.appId = '".$aClean['appId']."' AND appVersion.queued = 'rejected';";
$hResult = query_appdb($sQuery);
if($hResult)
{
@@ -221,17 +234,17 @@ if ($_REQUEST['sub'])
}
// delete the application entry
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->delete();
} else if(($_REQUEST['apptype'] == "version") && is_numeric($_REQUEST['versionId'])) // version
} else if(($aClean['apptype'] == "version") && is_numeric($aClean['versionId'])) // version
{
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->delete();
}
redirect($_SERVER['PHP_SELF']);
}
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
$x = new TableVE("view");
apidb_header("Application Queue");
@@ -241,7 +254,7 @@ if ($_REQUEST['sub'])
echo html_back_link(1,$_SERVER['PHP_SELF']);
if($_REQUEST['apptype'] == 'application') // application
if($aClean['apptype'] == 'application') // application
{
if ($oApp->sName != "")
{
@@ -275,7 +288,7 @@ if ($_REQUEST['sub'])
if(!$iVendorId)
{
$sVendor = get_vendor_from_keywords($oApp->sKeywords);
$sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$_REQUEST['appVendorName']."';";
$sQuery = "SELECT vendorId FROM vendor WHERE vendorname = '".$aClean['appVendorName']."';";
$hResult = query_appdb($sQuery);
if($hResult)
{
@@ -287,7 +300,7 @@ if ($_REQUEST['sub'])
// try for a partial match
if(!$iVendorId)
{
$sQuery = "select * from vendor where vendorname like '%".$_REQUEST['appVendorName']."%';";
$sQuery = "select * from vendor where vendorname like '%".$aClean['appVendorName']."%';";
$hResult = query_appdb($sQuery);
if($hResult)
{
@@ -297,7 +310,7 @@ if ($_REQUEST['sub'])
}
//vendor field
if($iVendorId)
$_REQUEST['appVendorName'] = "";
$aClean['appVendorName'] = "";
} else //app version
{
if(is_numeric($oVersion->iVersionId))
@@ -330,20 +343,20 @@ if ($_REQUEST['sub'])
if(!($oTest->sTestedDate))
$oTest->sTestedDate = date('Y-m-d H:i:s');
if($_REQUEST['apptype'] == 'application')
if($aClean['apptype'] == 'application')
{
$oApp->OutputEditor($_REQUEST['appVendorName']);
$oApp->OutputEditor($aClean['appVendorName']);
$oVersion->OutputEditor(false, false);
} else
{
$oVersion->OutputEditor(false, false);
}
$oTest->OutputEditor($_REQUEST['sDistribution'],true);
$oTest->OutputEditor($aClean['sDistribution'],true);
echo "<table width='100%' border=0 cellpadding=2 cellspacing=2>\n";
if($_REQUEST['apptype'] == 'application') // application
if($aClean['apptype'] == 'application') // application
{
echo '<input type="hidden" name="apptype" value="application" />';
if(is_numeric($oApp->iAppId))
@@ -359,7 +372,7 @@ if ($_REQUEST['sub'])
} else // version
{
echo '<input type="hidden" name="apptype" value="version" />';
echo '<input type="hidden" name="appId" value="'.$_REQUEST['appId'].'" />';
echo '<input type="hidden" name="appId" value="'.$aClean['appId'].'" />';
if(is_numeric($oVersion->iVersionId))
{
echo '<tr valign=top><td class=color3 align=center colspan=2>' ,"\n";
@@ -384,7 +397,7 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
else // if ($_REQUEST['sub']) is not defined, display the main app queue page
else // if ($aClean['sub']) is not defined, display the main app queue page
{
apidb_header("Resubmit application");

52
appview.php
View File

@@ -17,9 +17,15 @@ require(BASE."include/mail.php");
require(BASE."include/monitor.php");
require_once(BASE."include/testResults.php");
$aClean = array(); //array of filtered user input
$oApp = new Application($_REQUEST['appId']);
$oVersion = new Version($_REQUEST['versionId']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
$oApp = new Application($aClean['appId']);
$oVersion = new Version($aClean['versionId']);
/**
* display the full path of the Category we are looking at
@@ -122,63 +128,63 @@ function show_note($sType,$oData){
return $s;
}
if(!is_numeric($_REQUEST['appId']) && !is_numeric($_REQUEST['versionId']))
if(!is_numeric($aClean['appId']) && !is_numeric($aClean['versionId']))
{
errorpage("Something went wrong with the application or version id");
exit;
}
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
if(($_REQUEST['sub'] == 'delete' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'delete' ) && ($aClean['buglinkId']))
{
if(($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($oVersion->iVersionId) ||
$_SESSION['current']->isSuperMaintainer($oVersion->iAppId)))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->delete();
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
}
if(($_REQUEST['sub'] == 'unqueue' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'unqueue' ) && ($aClean['buglinkId']))
{
if(($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($oVersion->iVersionId) ||
$_SESSION['current']->isSuperMaintainer($oVersion->iAppId)))
{
$oBuglink = new bug($_REQUEST['buglinkId']);
$oBuglink = new bug($aClean['buglinkId']);
$oBuglink->unqueue();
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
}
if(($_REQUEST['sub'] == 'Submit a new bug link.' ) && ($_REQUEST['buglinkId']))
if(($aClean['sub'] == 'Submit a new bug link.' ) && ($aClean['buglinkId']))
{
$oBuglink = new bug();
$oBuglink->create($_REQUEST['versionId'],$_REQUEST['buglinkId']);
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
$oBuglink->create($aClean['versionId'],$aClean['buglinkId']);
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
if($_REQUEST['sub'] == 'StartMonitoring')
if($aClean['sub'] == 'StartMonitoring')
{
$oMonitor = new Monitor();
$oMonitor->create($_SESSION['current']->iUserId,$_REQUEST['appId'],$_REQUEST['versionId']);
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
$oMonitor->create($_SESSION['current']->iUserId,$aClean['appId'],$aClean['versionId']);
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
if($_REQUEST['sub'] == 'StopMonitoring')
if($aClean['sub'] == 'StopMonitoring')
{
$oMonitor = new Monitor();
$oMonitor->find($_SESSION['current']->iUserId,$_REQUEST['appId'],$_REQUEST['versionId']);
$oMonitor->find($_SESSION['current']->iUserId,$aClean['appId'],$aClean['versionId']);
if($oMonitor->iMonitorId)
{
$oMonitor->delete();
}
redirect(apidb_fullurl("appview.php?versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("appview.php?versionId=".$aClean['versionId']));
exit;
}
@@ -187,13 +193,13 @@ if ($_REQUEST['sub'])
/**
* We want to see an application family (=no version).
*/
if($_REQUEST['appId'])
if($aClean['appId'])
{
$oApp = new Application($_REQUEST['appId']);
$oApp = new Application($aClean['appId']);
$oApp->display();
} else if($_REQUEST['versionId']) // We want to see a particular version.
} else if($aClean['versionId']) // We want to see a particular version.
{
$oVersion = new Version($_REQUEST['versionId']);
$oVersion = new Version($aClean['versionId']);
$oVersion->display();
} else
{

11
commentview.php
View File

@@ -12,15 +12,22 @@ include("path.php");
include(BASE."include/incl.php");
require_once(BASE."include/comment.php");
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['threadId'] = makeSafe($_REQUEST['threadId']);
apidb_header("Comments");
if(!is_numeric($_REQUEST['appId']) OR !is_numeric($_REQUEST['versionId']) OR (isset($_REQUEST['threadId']) AND !is_numeric($_REQUEST['threadId'])))
if(!is_numeric($aClean['appId']) OR !is_numeric($aClean['versionId']) OR (!empty($aClean['threadId']) AND !is_numeric($aClean['threadId'])))
{
errorpage("Wrong IDs");
exit;
}
view_app_comments($_REQUEST['versionId'], $_REQUEST['threadId']);
view_app_comments($aClean['versionId'], $aClean['threadId']);
apidb_footer();
?>

12
deletecomment.php
View File

@@ -11,7 +11,13 @@ require(BASE."include/incl.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$oComment = new Comment($_REQUEST['commentId']);
$aClean = array(); //array of filtered user input
$aClean['str_why'] = makeSafe($_REQUEST['str_why']);
$aClean['commentId'] = makeSafe($_REQUEST['commentId']);
$aClean['int_delete_it'] = makeSafe($_REQUEST['int_delete_it']);
$oComment = new Comment($aClean['commentId']);
/* if we aren't an admin or the maintainer of this app we shouldn't be */
/* allowed to delete any comments */
@@ -23,7 +29,7 @@ if (!$_SESSION['current']->hasPriv("admin")
exit;
}
if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && !isset($_REQUEST['int_delete_it']))
if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && !isset($aClean['int_delete_it']))
{
apidb_header("Delete Comment");
$mesTitle = "<b>Please state why you are deleting the following comment</b>";
@@ -47,7 +53,7 @@ if($_SESSION['current']->getPref("confirm_comment_deletion") != "no" && !isset($
apidb_footer();
} else
{
$oComment->delete($_REQUEST['str_why']);
$oComment->delete($aClean['str_why']);
redirect(apidb_fullurl("appview.php?versionId=".$oComment->iVersionId));
}
?>

14
distributionView.php
View File

@@ -11,7 +11,13 @@ require(BASE."include/incl.php");
require(BASE."include/distributions.php");
require(BASE."include/testResults.php");
if ($_REQUEST['sub'])
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['iDistributionId'] = makeSafe( $_REQUEST['iDistributionId']);
if ($aClean['sub'])
{
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -19,14 +25,14 @@ if ($_REQUEST['sub'])
exit;
}
if($_REQUEST['sub'] == 'delete')
if($aClean['sub'] == 'delete')
{
$oDistribution = new distribution($_REQUEST['iDistributionId']);
$oDistribution = new distribution($aClean['iDistributionId']);
$oDistribution->delete();
redirect($_SERVER['PHP_SELF']);
}
}
$oDistribution = new distribution($_REQUEST['iDistributionId']);
$oDistribution = new distribution($aClean['iDistributionId']);
//exit with error if no vendor
if(!$oDistribution->iDistributionId)

88
include/application.php
View File

@@ -6,6 +6,7 @@
require_once(BASE."include/version.php");
require_once(BASE."include/vendor.php");
require_once(BASE."include/url.php");
require_once(BASE."include/util.php");
/**
* Application class for handling applications.
@@ -308,6 +309,10 @@ class Application {
function mailSubmitter($sAction="add")
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -332,7 +337,7 @@ class Application {
$sMsg .= "Reason given:\n";
break;
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Application Database better for all users.";
}
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);
@@ -342,6 +347,10 @@ class Application {
function SendNotificationMail($sAction="add",$sMsg=null)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
switch($sAction)
{
case "add":
@@ -355,10 +364,10 @@ class Application {
$sMsg .= "This application has been submitted by ".$oSubmitter->sRealname.".";
$sMsg .= "\n";
}
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Appdb admin reply text:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("The application was successfully added into the database.", "green");
@@ -379,10 +388,10 @@ class Application {
$sSubject = $this->sName." has been deleted by ".$_SESSION['current']->sRealname;
// if replyText is set we should report the reason the application was deleted
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Application deleted.", "green");
@@ -392,10 +401,10 @@ class Application {
$sMsg .= APPDB_ROOT."appsubmit.php?apptype=application&sub=view&appId=".$this->iAppId."\n";
// if replyText is set we should report the reason the application was rejected
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Application rejected.", "green");
@@ -457,22 +466,31 @@ class Application {
function CheckOutputEditorInput()
{
$aClean = array(); //array of filtered user input
$aClean['appCatId'] = makeSafe($_REQUEST['appCatId']);
$aClean['appName'] = makeSafe($_REQUEST['appName']);
$aClean['appVendorName'] = makeSafe($_REQUEST['appVendorName']);
$aClean['appVendorId'] = makeSafe($_REQUEST['appVendorId']);
$aClean['appDescription'] = makeSafe($_REQUEST['appDescription']);
$errors = "";
if (empty($_REQUEST['appCatId']))
if (empty($aClean['appCatId']))
$errors .= "<li>Please enter a category for your application.</li>\n";
if (strlen($_REQUEST['appName']) > 200 )
if (strlen($aClean['appName']) > 200 )
$errors .= "<li>Your application name is too long.</li>\n";
if (empty($_REQUEST['appName']))
if (empty($aClean['appName']))
$errors .= "<li>Please enter an application name.</li>\n";
// No vendor entered, and nothing in the list is selected
if (empty($_REQUEST['appVendorName']) && !$_REQUEST['appVendorId'])
if (empty($aClean['appVendorName']) && !$aClean['appVendorId'])
$errors .= "<li>Please enter a vendor.</li>\n";
if (empty($_REQUEST['appDescription']))
if (empty($aClean['appDescription']))
$errors .= "<li>Please enter a description of your application.</li>\n";
return $errors;
@@ -481,30 +499,44 @@ class Application {
/* retrieves values from $_REQUEST that were output by OutputEditor() */
function GetOutputEditorValues()
{
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
$aClean['appVendorId'] = makeSafe($_REQUEST['appVendorId']);
$aClean['appName'] = makeSafe($_REQUEST['appName']);
$aClean['appDescription'] = makeSafe($_REQUEST['appDescription']);
$aClean['appCatId'] = makeSafe($_REQUEST['appCatId']);
$aClean['appWebpage'] = makeSafe($_REQUEST['appWebpage']);
$aClean['appKeywords'] = makeSafe($_REQUEST['appKeywords']);
if(get_magic_quotes_gpc())
{
$this->iAppId = stripslashes($_REQUEST['appId']);
$this->sName = stripslashes($_REQUEST['appName']);
$this->sDescription = stripslashes($_REQUEST['appDescription']);
$this->iCatId = stripslashes($_REQUEST['appCatId']);
$this->iVendorId = stripslashes($_REQUEST['appVendorId']);
$this->sWebpage = stripslashes($_REQUEST['appWebpage']);
$this->sKeywords = stripslashes($_REQUEST['appKeywords']);
$this->iAppId = stripslashes($aClean['appId']);
$this->sName = stripslashes($aClean['appName']);
$this->sDescription = stripslashes($aClean['appDescription']);
$this->iCatId = stripslashes($aClean['appCatId']);
$this->iVendorId = stripslashes($aClean['appVendorId']);
$this->sWebpage = stripslashes($aClean['appWebpage']);
$this->sKeywords = stripslashes($aClean['appKeywords']);
} else
{
$this->iAppId = $_REQUEST['appId'];
$this->sName = $_REQUEST['appName'];
$this->sDescription = $_REQUEST['appDescription'];
$this->iCatId = $_REQUEST['appCatId'];
$this->iVendorId = $_REQUEST['appVendorId'];
$this->sWebpage = $_REQUEST['appWebpage'];
$this->sKeywords = $_REQUEST['appKeywords'];
$this->iAppId = $aClean['appId'];
$this->sName = $aClean['appName'];
$this->sDescription = $aClean['appDescription'];
$this->iCatId = $aClean['appCatId'];
$this->iVendorId = $aClean['appVendorId'];
$this->sWebpage = $aClean['appWebpage'];
$this->sKeywords = $aClean['appKeywords'];
}
}
/* display this application */
function display()
{
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_REQUEST['appId']);
/* is this user supposed to view this version? */
if(!$_SESSION['current']->canViewApplication($this))
{
@@ -546,7 +578,7 @@ class Application {
echo " <tr class=\"color1\"><td><b>URL</b></td><td>".$appLinkURL."</td></tr>\n";
// optional links
$result = query_appdb("SELECT * FROM appData WHERE appId = ".$_REQUEST['appId']." AND versionID = 0 AND type = 'url'");
$result = query_appdb("SELECT * FROM appData WHERE appId = ".$aClean['appId']." AND versionID = 0 AND type = 'url'");
if($result && mysql_num_rows($result) > 0)
{
echo " <tr class=\"color1\"><td> <b>Links</b></td><td>\n";
@@ -603,7 +635,7 @@ class Application {
if($_SESSION['current']->isSuperMaintainer($this->iAppId) || $_SESSION['current']->hasPriv("admin"))
{
echo ' <form method="post" name="edit" action="admin/editAppFamily.php"><input type="hidden" name="appId" value="'.$_REQUEST['appId'].'"><input type="submit" value="Edit Application" class="button"></form>';
echo ' <form method="post" name="edit" action="admin/editAppFamily.php"><input type="hidden" name="appId" value="'.$aClean['appId'].'"><input type="submit" value="Edit Application" class="button"></form>';
}
if($_SESSION['current']->isLoggedIn())
{

13
include/bugs.php
View File

@@ -1,4 +1,5 @@
<?php
require_once(BASE."include/util.php");
/******************************************/
/* bug class and related functions */
/******************************************/
@@ -190,6 +191,10 @@ class Bug {
function mailSubmitter($bRejected=false)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -202,7 +207,7 @@ class Bug {
$sSubject = "Submitted Bug Link rejected";
$sMsg = "The Bug Link you submitted for ".lookup_app_name($this->iAppId)." ".lookup_version_name($this->iVersionId)." has been rejected.";
}
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Application Database better for all users.";
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);
@@ -255,6 +260,10 @@ class Bug {
function view_version_bugs($iVersionId = null, $aBuglinkIds)
{
$aClean = array(); //array of filtered user input
$aClean['buglinkId'] = makeSafe($_REQUEST['buglinkId']);
$bCanEdit = FALSE;
$oVersion = new Version($iVersionId);
@@ -325,7 +334,7 @@ function view_version_bugs($iVersionId = null, $aBuglinkIds)
{
echo '<input type="hidden" name="versionId" value="'.$iVersionId.'">',"\n";
echo '<tr class=color3><td align=center>',"\n";
echo '<input type="text" name="buglinkId" value="'.$_REQUEST['buglinkId'].'" size="8"></td>',"\n";
echo '<input type="text" name="buglinkId" value="'.$aClean['buglinkId'].'" size="8"></td>',"\n";
echo '<td><input type="submit" name="sub" value="Submit a new bug link."></td>',"\n";
echo '<td colspan=6></td></tr></form>',"\n";
}

12
include/comment.php
View File

@@ -367,6 +367,12 @@ function display_comments_flat($versionId)
function view_app_comments($versionId, $threadId = 0)
{
$aClean = array(); //array of filtered user input
$aClean['cmode'] = makeSafe($_REQUEST['cmode']);
$aClean['mode'] = makeSafe($_REQUEST['mode']);
// count posts
$result = query_appdb("SELECT commentId FROM appComments WHERE versionId = $versionId");
$messageCount = mysql_num_rows($result);
@@ -381,8 +387,8 @@ function view_app_comments($versionId, $threadId = 0)
if ($_SESSION['current']->isLoggedIn())
{
// FIXME we need to change this so not logged in users can change current view as well
if (isset($_REQUEST['cmode']))
$_SESSION['current']->setPref("comments:mode", $_REQUEST['cmode']);
if (!empty($aClean['cmode']))
$_SESSION['current']->setPref("comments:mode", $aClean['cmode']);
$sel[$_SESSION['current']->getPref("comments:mode", "threaded")] = 'selected';
echo '<td><form method="post" name="smode" action="appview.php">',"\n";
@@ -422,7 +428,7 @@ function view_app_comments($versionId, $threadId = 0)
else
$mode = "threaded"; /* default non-logged in users to threaded comment display mode */
if ($_REQUEST['mode']=="nested")
if ($aClean['mode']=="nested")
$mode = "nested";
switch ($mode)

42
include/distributions.php
View File

@@ -3,6 +3,7 @@
/* this class represents Distributions */
/***************************************/
require_once(BASE."include/mail.php");
require_once(BASE."include/util.php");
// Testing class for handling Distributions.
@@ -231,6 +232,11 @@ class distribution{
function mailSubmitter($sAction="add")
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -248,7 +254,7 @@ class distribution{
$sMsg = "The Distribution you submitted (".$this->sName.") has been rejected.";
$sMsg .= APPDB_ROOT."testingData.php?sub=view&versionId=".$this->iVersionId."\n";
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
break;
@@ -257,7 +263,7 @@ class distribution{
$sSubject = "Submitted Distribution deleted";
$sMsg = "The Distribution you submitted (".$this->sName.") has been deleted.";
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
break;
}
@@ -270,6 +276,9 @@ class distribution{
function SendNotificationMail($sAction="add",$sMsg=null)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
switch($sAction)
{
case "add":
@@ -283,7 +292,7 @@ class distribution{
$sMsg .= "This Distribution has been submitted by ".$oSubmitter->sRealname.".";
$sMsg .= "\n";
$sMsg .= "Appdb admin reply text:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("The Distribution was successfully added into the database.", "green");
} else // testing data queued.
@@ -303,10 +312,10 @@ class distribution{
$sSubject = "Distribution ".$this->sName." has been deleted by ".$_SESSION['current']->sRealname;
// if replyText is set we should report the reason the data was deleted
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Distribution deleted.", "green");
@@ -316,10 +325,10 @@ class distribution{
$sMsg = APPDB_ROOT."distributionView.php?iDistributionId=".$this->iDistributionId."\n";
// if replyText is set we should report the reason the data was rejected
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Distribution rejected.", "green");
@@ -351,16 +360,23 @@ class distribution{
/* retrieves values from $_REQUEST that were output by OutputEditor() */
function GetOutputEditorValues()
{
$aClean = array(); //array of filtered user input
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['sName'] = makeSafe($_REQUEST['sName']);
$aClean['sUrl'] = makeSafe($_REQUEST['sUrl']);
if(get_magic_quotes_gpc())
{
$this->iDistributionId = stripslashes($_REQUEST['iDistributionId']);
$this->sName = stripslashes($_REQUEST['sName']);
$this->sUrl = stripslashes($_REQUEST['sUrl']);
$this->iDistributionId = stripslashes($aClean['iDistributionId']);
$this->sName = stripslashes($aClean['sName']);
$this->sUrl = stripslashes($aClean['sUrl']);
} else
{
$this->iDistributionId = $_REQUEST['iDistributionId'];
$this->sName = $_REQUEST['sName'];
$this->sUrl = $_REQUEST['sUrl'];
$this->iDistributionId = $aClean['iDistributionId'];
$this->sName = $aClean['sName'];
$this->sUrl = $aClean['sUrl'];
}
}

7
include/form_edit.php
View File

@@ -1,4 +1,9 @@
<?php
require_once(BASE."include/util.php");
$aClean = array(); //array of filtered user input
$aClean['userId'] = makeSafe($_REQUEST['userId']);
/*********************/
/* Edit Account Form */
/*********************/
@@ -23,7 +28,7 @@
</tr>
<?php
// if we manage another user we can give him administrator rights
if($oUser->iUserId == $_REQUEST['userId'])
if($oUser->iUserId == $aClean['userId'])
{
?>
<tr>

8
include/form_login.php
View File

@@ -1,4 +1,10 @@
<?php
require_once(BASE."include/util.php");
$aClean = array(); //array of filtered user input
$aClean['ext_email'] = makeSafe($_POST['ext_email']);
/**************/
/* Login Form */
/**************/
@@ -19,7 +25,7 @@ function cmd_send_passwd() {
<table border="0" width="100%" cellspacing=0 cellpadding="10">
<tr>
<td class=color1> E-mail </td>
<td class=color0> <input type="text" name="ext_email" value='<?php if(isset($_POST['ext_email'])) echo $_POST['ext_email']?>'> </td>
<td class=color0> <input type="text" name="ext_email" value='<?php if(!empty($aClean['ext_email'])) echo $aClean['ext_email']?>'> </td>
</tr>
<tr>
<td class=color1> Password </td>

12
include/form_new.php
View File

@@ -1,4 +1,12 @@
<?php
require_once(BASE."include/util.php");
$aClean = array(); //array of filtered user input
$aClean['ext_email'] = makeSafe($_POST['ext_email']);
$aClean['ext_realname'] = makeSafe($_POST['realname']);
/********************/
/* New Account Form */
/********************/
@@ -11,7 +19,7 @@ echo html_frame_start("Create New Application DB Account","400","",0)
<table border=0 width="100%" cellspacing=0 cellpadding=20>
<tr>
<td class=color1> E-mail </td>
<td class=color0> <input type="text" name="ext_email" value='<?php if(isset($_POST['ext_email'])) echo $_POST['ext_email']?>'> </td>
<td class=color0> <input type="text" name="ext_email" value='<?php if(!empty($aClean['ext_email'])) echo $aClean['ext_email']?>'> </td>
</tr>
<tr>
<td class=color1> Password </td>
@@ -23,7 +31,7 @@ echo html_frame_start("Create New Application DB Account","400","",0)
</tr>
<tr>
<td class=color1> Real Name </td>
<td class=color0> <input type="text" name="ext_realname" value='<?php if(isset($_POST['ext_realname'])) echo $_POST['ext_realname']?>'> </td>
<td class=color0> <input type="text" name="ext_realname" value='<?php if(!empty($aClean['ext_realname'])) echo $aClean['ext_realname']?>'> </td>
</tr>
<?php

9
include/note.php
View File

@@ -1,4 +1,9 @@
<?php
require_once(BASE."include/util.php");
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe( $_REQUEST['replyText'] );
/************************************/
/* note class and related functions */
/************************************/
@@ -140,8 +145,8 @@ class Note {
$sMsg .= $this->sBody."\n";
$sMsg .= "\n";
$sMsg .= "Because:\n";
if($_REQUEST['replyText'])
$sMsg .= $_REQUEST['replyText']."\n";
if($aClean['replyText'])
$sMsg .= $aClean['replyText']."\n";
else
$sMsg .= "No reason given.\n";

8
include/screenshot.php
View File

@@ -3,7 +3,9 @@
/* screenshot class and related functions */
/******************************************/
require_once(BASE."include/util.php");
require_once(BASE."include/image.php");
// load the watermark
$watermark = new image("/images/watermark.png");
@@ -233,6 +235,10 @@ class Screenshot {
function mailSubmitter($bRejected=false)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -245,7 +251,7 @@ class Screenshot {
$sSubject = "Submitted screenshot rejected";
$sMsg = "The screenshot you submitted for ".lookup_app_name($this->iAppId)." ".lookup_version_name($this->iVersionId)." has been rejected.";
}
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Application Database better for all users.";
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);

7
include/sidebar.php
View File

@@ -4,9 +4,14 @@
/***********/
require_once(BASE."include/distributions.php");
require_once(BASE."include/vendor.php");
require_once(BASE."include/util.php");
function global_sidebar_menu() {
$aClean = array(); //array of filtered user input
$aClean['q'] = makeSafe($_REQUEST['q']);
$g = new htmlmenu(APPDB_OWNER." Menu");
$g->add(APPDB_OWNER, APPDB_OWNER_URL);
$g->add("AppDB", BASE);
@@ -29,7 +34,7 @@ function global_sidebar_menu() {
$g->done();
$g = new htmlmenu("Search");
$g->addmisc(app_search_box(isset($_REQUEST['q']) ? $_REQUEST['q'] : ''));
$g->addmisc(app_search_box(!empty($aClean['q']) ? $aClean['q'] : ''));
$g->done();
}

129
include/testResults.php
View File

@@ -3,7 +3,7 @@
/* this class represents Testing results */
/*****************************************/
require_once(BASE."include/distributions.php");
require_once(BASE."include/util.php");
// Testing class for handling Testing History.
class testData{
@@ -228,6 +228,11 @@ class testData{
function mailSubmitter($sAction="add")
{
$aClean = array(); //array of filtered user input
$aClean = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -251,7 +256,7 @@ class testData{
$sMsg .= "Reason given:\n";
break;
}
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Application Database better for all users.";
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);
@@ -261,6 +266,10 @@ class testData{
function SendNotificationMail($sAction="add",$sMsg=null)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$oVersion = new Version($this->iVersionId);
$oApp = new Application($oVersion->iAppId);
switch($sAction)
@@ -276,10 +285,10 @@ class testData{
$sMsg .= "This Testing data has been submitted by ".$oSubmitter->sRealname.".";
$sMsg .= "\n";
}
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Appdb admin reply text:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("The testing data was successfully added into the database.", "green");
} else // testing data queued.
@@ -299,10 +308,10 @@ class testData{
case "delete":
$sSubject = "Test Results deleted for version ".$oVersion->sName." of ".$oApp->sName." submitted by ".$_SESSION['current']->sRealname;
// if replyText is set we should report the reason the data was deleted
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("testing data deleted.", "green");
@@ -311,10 +320,10 @@ class testData{
$sSubject = "Test Results rejected for version ".$oVersion->sName." of ".$oApp->sName." submitted by ".$_SESSION['current']->sRealname;
$sMsg .= APPDB_ROOT."admin/adminTestResults.php?sub=view&iTestingId=".$this->iTestingId."\n";
// if replyText is set we should report the reason the data was rejected
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("testing data rejected.", "green");
break;
@@ -351,7 +360,10 @@ class testData{
// Show the Test results for a application version
function ShowVersionsTestingTable($iVersionId, $iCurrentTest, $link, $iDisplayLimit)
{
$showAll = $_REQUEST['showAll'];
$aClean = array(); //array of filtered user input
$aClean['showAll'] = makeSafe($_REQUEST['showAll']);
$showAll = $aClean['showAll'];
$sQuery = "SELECT *
FROM testResults
@@ -500,38 +512,46 @@ class testData{
function CheckOutputEditorInput($sDistribution="")
{
$errors = "";
$sWhatWorks = trim($_REQUEST['sWhatWorks']);
$sWhatDoesnt = trim($_REQUEST['sWhatDoesnt']);
$sWhatNotTested = trim($_REQUEST['sWhatNotTested']);
$sDistribution = trim($_REQUEST['sDistribution']);
$aClean = array(); //array of filtered user input
$aClean['sWhatWorks'] = makeSafe($_REQUEST['sWhatWorks']);
$aClean['sWhatDoesnt'] = makeSafe($_REQUEST['sWhatDoesnt']);
$aClean['sWhatNotTested'] = makeSafe($_REQUEST['sWhatNotTested']);
$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
$aClean['sTestedDate'] = makeSafe($_REQUEST['sTestedDate']);
$aClean['sTestedRelease'] = makeSafe($_REQUEST['sTestedRelease']);
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['sInstalls'] = makeSafe($_REQUEST['sInstalls']);
$aClean['sRuns'] = makeSafe($_REQUEST['sRuns']);
$aClean['sTestedRating'] = makeSafe($_REQUEST['sTestedRating']);
if (empty($sWhatWorks))
$errors = "";
if (empty($aClean['sWhatWorks']))
$errors .= "<li>Please enter what worked.</li>\n";
if (empty($sWhatDoesnt))
if (empty($aClean['sWhatDoesnt']))
$errors .= "<li>Please enter what did not work.</li>\n";
if (empty($sWhatNotTested))
if (empty($aClean['sWhatNotTested']))
$errors .= "<li>Please enter what was not tested.</li>\n";
if (empty($_REQUEST['sTestedDate']))
if (empty($aClean['sTestedDate']))
$errors .= "<li>Please enter the date and time when you tested.</li>\n";
if (empty($_REQUEST['sTestedRelease']))
if (empty($aClean['sTestedRelease']))
$errors .= "<li>Please enter the version of Wine that you tested with.</li>\n";
// No Distribution entered, and nothing in the list is selected
if (empty($sDistribution) && !$_REQUEST['iDistributionId'])
if (empty($sDistribution) && !$aClean['iDistributionId'])
$errors .= "<li>Please enter a distribution.</li>\n";
if (empty($_REQUEST['sInstalls']))
if (empty($aClean['sInstalls']))
$errors .= "<li>Please enter whether this application installs or not.</li>\n";
if (empty($_REQUEST['sRuns']))
if (empty($aClean['sRuns']))
$errors .= "<li>Please enter whether this application runs or not.</li>\n";
if (empty($_REQUEST['sTestedRating']))
if (empty($aClean['sTestedRating']))
$errors .= "<li>Please enter a rating based on how well this application runs.</li>\n";
return $errors;
@@ -541,34 +561,49 @@ class testData{
/* retrieves values from $_REQUEST that were output by OutputEditor() */
function GetOutputEditorValues()
{
$aClean = array(); //array of filtered user input
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
$aClean['sWhatWorks'] = makeSafe($_REQUEST['sWhatWorks']);
$aClean['sWhatDoesnt'] = makeSafe($_REQUEST['sWhatDoesnt']);
$aClean['sWhatNotTested'] = makeSafe($_REQUEST['sWhatNotTested']);
$aClean['sTestedDate'] = makeSafe($_REQUEST['sTestedDate']);
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['sTestedRelease'] = makeSafe($_REQUEST['sTestedRelease']);
$aClean['sInstalls'] = makeSafe($_REQUEST['sInstalls']);
$aClean['sRuns'] = makeSafe($_REQUEST['sRuns']);
$aClean['sTestedRating'] = makeSafe($_REQUEST['sTestedRating']);
$aClean['sComments'] = makeSafe($_REQUEST['sComments']);
if(get_magic_quotes_gpc())
{
$this->iTestingId = stripslashes($_REQUEST['iTestingId']);
$this->iVersionId = stripslashes($_REQUEST['iVersionId']);
$this->sWhatWorks = stripslashes($_REQUEST['sWhatWorks']);
$this->sWhatDoesnt = stripslashes($_REQUEST['sWhatDoesnt']);
$this->sWhatNotTested = stripslashes($_REQUEST['sWhatNotTested']);
$this->sTestedDate = stripslashes($_REQUEST['sTestedDate']);
$this->iDistributionId = stripslashes($_REQUEST['iDistributionId']);
$this->sTestedRelease = stripslashes($_REQUEST['sTestedRelease']);
$this->sInstalls = stripslashes($_REQUEST['sInstalls']);
$this->sRuns = stripslashes($_REQUEST['sRuns']);
$this->sTestedRating = stripslashes($_REQUEST['sTestedRating']);
$this->sComments = stripslashes($_REQUEST['sComments']);
$this->iTestingId = stripslashes($aClean['iTestingId']);
$this->iVersionId = stripslashes($aClean['iVersionId']);
$this->sWhatWorks = stripslashes($aClean['sWhatWorks']);
$this->sWhatDoesnt = stripslashes($aClean['sWhatDoesnt']);
$this->sWhatNotTested = stripslashes($aClean['sWhatNotTested']);
$this->sTestedDate = stripslashes($aClean['sTestedDate']);
$this->iDistributionId = stripslashes($aClean['iDistributionId']);
$this->sTestedRelease = stripslashes($aClean['sTestedRelease']);
$this->sInstalls = stripslashes($aClean['sInstalls']);
$this->sRuns = stripslashes($aClean['sRuns']);
$this->sTestedRating = stripslashes($aClean['sTestedRating']);
$this->sComments = stripslashes($aClean['sComments']);
} else
{
$this->iTestingId = $_REQUEST['iTestingId'];
$this->iVersionId = $_REQUEST['iVersionId'];
$this->sWhatWorks = $_REQUEST['sWhatWorks'];
$this->sWhatDoesnt = $_REQUEST['sWhatDoesnt'];
$this->sWhatNotTested = $_REQUEST['sWhatNotTested'];
$this->sTestedDate = $_REQUEST['sTestedDate'];
$this->iDistributionId = $_REQUEST['iDistributionId'];
$this->sTestedRelease = $_REQUEST['sTestedRelease'];
$this->sInstalls = $_REQUEST['sInstalls'];
$this->sRuns = $_REQUEST['sRuns'];
$this->sTestedRating = $_REQUEST['sTestedRating'];
$this->sComments = $_REQUEST['sComments'];
$this->iTestingId = $aClean['iTestingId'];
$this->iVersionId = $aClean['iVersionId'];
$this->sWhatWorks = $aClean['sWhatWorks'];
$this->sWhatDoesnt = $aClean['sWhatDoesnt'];
$this->sWhatNotTested = $aClean['sWhatNotTested'];
$this->sTestedDate = $aClean['sTestedDate'];
$this->iDistributionId = $aClean['iDistributionId'];
$this->sTestedRelease = $aClean['sTestedRelease'];
$this->sInstalls = $aClean['sInstalls'];
$this->sRuns = $aClean['sRuns'];
$this->sTestedRating = $aClean['sTestedRating'];
$this->sComments = $aClean['sComments'];
}
}

14
include/url.php
View File

@@ -2,7 +2,7 @@
/***************************************/
/* url class and related functions */
/***************************************/
require_once(BASE."include/util.php");
/**
* Url class for handling urls
@@ -51,8 +51,13 @@ class Url {
*/
function create($sDescription = null, $sUrl = null, $iVersionId = null, $iAppId = null)
{
$aClean = array(); //array of filtered user input
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
// Security, if we are not an administrator or a maintainer, the url must be queued.
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isMaintainer($_REQUEST['versionId']) || $_SESSION['current']->isSupermaintainer($_REQUEST['appId'])))
if(!($_SESSION['current']->hasPriv("admin") || $_SESSION['current']->isMaintainer($aClean['versionId']) || $_SESSION['current']->isSupermaintainer($aClean['appId'])))
{
$this->bQueued = true;
}
@@ -177,6 +182,9 @@ class Url {
function mailSubmitter($bRejected=false)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oSubmitter = new User($this->iSubmitterId);
@@ -189,7 +197,7 @@ class Url {
$sSubject = "Submitted url rejected";
$sMsg = "The url you submitted for ".lookup_app_name($this->appId)." ".lookup_version_name($this->versionId)." has been rejected.";
}
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Application Database better for all users.";
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);

7
include/user.php
View File

@@ -4,6 +4,7 @@
/************************************/
require_once(BASE."include/version.php");
require_once(BASE."include/util.php");
/**
* User class for handling users
@@ -267,6 +268,10 @@ class User {
*/
function addAsMaintainer($iAppId, $iVersionId, $bSuperMaintainer, $iQueueId)
{
$aClean = array();
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
/* if the user isn't already a supermaintainer of the application and */
/* if they are trying to become a maintainer and aren't already a maintainer of */
/* the version, then continue processing the request */
@@ -295,7 +300,7 @@ class User {
{
$sSubject = "Application Maintainer Request Report";
$sMsg = "Your application to be the maintainer of ".$oApp->sName." ".$oVersion->sName." has been accepted. ";
$sMsg .= $_REQUEST['replyText'];
$sMsg .= $aClean['replyText'];
$sMsg .= "We appreciate your help in making the Application Database better for all users.\n\n";
mail_appdb($sEmail, $sSubject ,$sMsg);

7
include/util.php
View File

@@ -1,4 +1,11 @@
<?php
function makeSafe($var)
{
$var = trim(addslashes($var));
return $var;
}
function build_urlarg($vars)
{
$arr = array();

69
include/version.php
View File

@@ -8,6 +8,7 @@ require_once(BASE."include/comment.php");
require_once(BASE."include/url.php");
require_once(BASE."include/screenshot.php");
require_once(BASE."include/bugs.php");
require_once(BASE."include/util.php");
/**
* Version class for handling versions.
@@ -414,6 +415,9 @@ class Version {
function mailSubmitter($sAction="add")
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
if($this->iSubmitterId)
{
$oApp = new Application($this->iAppId);
@@ -439,7 +443,7 @@ class Version {
$sMsg .= "Reason given:\n";
break;
}
$sMsg .= $_REQUEST['replyText']."\n";
$sMsg .= $aClean['replyText']."\n";
$sMsg .= "We appreciate your help in making the Version Database better for all users.";
mail_appdb($oSubmitter->sEmail, $sSubject ,$sMsg);
@@ -449,6 +453,9 @@ class Version {
function SendNotificationMail($sAction="add",$sMsg=null)
{
$aClean = array(); //array of filtered user input
$aClean['replyText'] = makeSafe($_REQUEST['replyText']);
$oApp = new Application($this->iAppId);
switch($sAction)
{
@@ -463,10 +470,10 @@ class Version {
$sMsg .= "This version has been submitted by ".$oSubmitter->sRealname.".";
$sMsg .= "\n";
}
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Appdb admin reply text:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("The version was successfully added into the database.", "green");
@@ -487,10 +494,10 @@ class Version {
$sSubject = "Version '".$this->sName."' of '".$oApp->sName."' has been deleted by ".$_SESSION['current']->sRealname;
// if replyText is set we should report the reason the application was deleted
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Version deleted.", "green");
@@ -500,10 +507,10 @@ class Version {
$sMsg .= APPDB_ROOT."appsubmit.php?apptype=application&sub=view&versionId=".$this->iVersionId."\n";
// if replyText is set we should report the reason the version was rejected
if($_REQUEST['replyText'])
if($aClean['replyText'])
{
$sMsg .= "Reason given:\n";
$sMsg .= $_REQUEST['replyText']."\n"; // append the reply text, if there is any
$sMsg .= $aClean['replyText']."\n"; // append the reply text, if there is any
}
addmsg("Version rejected.", "green");
@@ -580,12 +587,17 @@ class Version {
function CheckOutputEditorInput()
{
$aClean = array(); //array of filtered user input
$aClean['versionName'] = makeSafe($_REQUEST['versionName']);
$aClean['versionDescription'] = makeSafe($_REQUEST['versionDescription']);
$errors = "";
if (empty($_REQUEST['versionName']))
if (empty($aClean['versionName']))
$errors .= "<li>Please enter an application version.</li>\n";
if (empty($_REQUEST['versionDescription']))
if (empty($aClean['versionDescription']))
$errors .= "<li>Please enter a version description.</li>\n";
return $errors;
@@ -594,29 +606,40 @@ class Version {
/* retrieves values from $_REQUEST that were output by OutputEditor() */
function GetOutputEditorValues()
{
$aClean = array(); //array of filtered user input
$aClean['appid'] = makeSafe($_REQUEST['appId']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['versionName'] = makeSafe($_REQUEST['versionName']);
$aClean['versionDescription'] = makeSafe($_REQUEST['versionDescription']);
$aClean['maintainer_rating'] = makeSafe($_REQUEST['maintainer_rating']);
$aClean['maintainer_release'] = makeSafe($_REQUEST['maintainer_release']);
if(get_magic_quotes_gpc())
{
$this->iAppId = stripslashes($_REQUEST['appId']);
$this->iVersionId = stripslashes($_REQUEST['versionId']);
$this->sName = stripslashes($_REQUEST['versionName']);
$this->sDescription = stripslashes($_REQUEST['versionDescription']);
$this->sTestedRating = stripslashes($_REQUEST['maintainer_rating']);
$this->sTestedRelease = stripslashes($_REQUEST['maintainer_release']);
$this->iAppId = stripslashes($aClean['appId']);
$this->iVersionId = stripslashes($aClean['versionId']);
$this->sName = stripslashes($aClean['versionName']);
$this->sDescription = stripslashes($aClean['versionDescription']);
$this->sTestedRating = stripslashes($aClean['maintainer_rating']);
$this->sTestedRelease = stripslashes($aClean['maintainer_release']);
} else
{
$this->iAppId = $_REQUEST['appId'];
$this->iVersionId = $_REQUEST['versionId'];
$this->sName = $_REQUEST['versionName'];
$this->sDescription = $_REQUEST['versionDescription'];
$this->iAppId = $aClean['appId'];
$this->iVersionId = $aClean['versionId'];
$this->sName = $aClean['versionName'];
$this->sDescription = $aClean['versionDescription'];
$this->sTestedRating = $_REQUEST['maintainer_rating'];
$this->sTestedRelease = $_REQUEST['maintainer_release'];
$this->sTestedRating = $aClean['maintainer_rating'];
$this->sTestedRelease = $aClean['maintainer_release'];
}
}
function display()
{
$aClean = array(); //array of filtered user input
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
/* is this user supposed to view this version? */
if(!$_SESSION['current']->canViewVersion($this))
{
@@ -801,7 +824,7 @@ class Version {
echo $this->sDescription;
// Show testing data
$oTest = new TestData($_REQUEST['iTestingId']);
$oTest = new TestData($aClean['iTestingId']);
$iCurrentTest = $oTest->ShowTestResult($oTest->iTestingId, $this->iVersionId);
if($iCurrentTest)
{

8
include/vote.php
View File

@@ -1,5 +1,5 @@
<?php
require_once(BASE."include/util.php");
/* max votes per user */
define('MAX_VOTES',3);
@@ -111,6 +111,10 @@ function vote_get_user_votes($userId = null)
function vote_menu()
{
$aClean = array(); //array of filtered user input
$aClean['appid'] = makeSafe($_REQUEST['appId']);
$m = new htmlmenu("Votes","updatevote.php");
$votes = vote_get_user_votes();
@@ -132,7 +136,7 @@ function vote_menu()
$m->add("<input type=submit name=clear value=' Clear Vote ' class=votebutton>");
$m->add("<input type=submit name=vote value='Vote for App' class=votebutton>");
$m->addmisc("<input type=hidden name=appId value={$_REQUEST['appId']}>");
$m->addmisc("<input type=hidden name=appId value={$aClean['appId']}>");
$m->add("View Results", BASE."votestats.php");
$m->add("Voting Help", BASE."help/?topic=voting");

31
maintainerdelete.php
View File

@@ -11,27 +11,30 @@ require(BASE."include/incl.php");
require(BASE."include/category.php");
require(BASE."include/application.php");
$aClean = array(); //array of filtered user input
$aClean['appId'] = makeSafe($_POST['appId']);
$aClean['versionId'] = makeSafe($_POST['versionId']);
$aClean['confirmed'] = makeSafe($_POST['confirmed']);
$aClean['superMaintainer'] = makeSafe($_POST['superMaintainer']);
if(!$_SESSION['current']->isLoggedIn())
{
errorpage("You need to be logged in to resign from being a maintainer.");
exit;
}
$appId = strip_tags($_POST['appId']);
$versionId = strip_tags($_POST['versionId']);
$confirmed = strip_tags($_POST['confirmed']);
$superMaintainer = strip_tags($_POST['superMaintainer']);
if($confirmed)
if($aClean['confirmed'])
{
$oApp = new Application($appId);
if($superMaintainer)
$oApp = new Application($aClean['appId']);
if($aClean['superMaintainer'])
{
apidb_header("You have resigned as super maintainer of ".$oApp->sName);
$result = $_SESSION['current']->deleteMaintainer($oApp->iAppId, null);
} else
{
$oVersion = new Version($versionId);
$oVersion = new Version($aClean['versionId']);
apidb_header("You have resigned as maintainer of ".$oApp->sName." ".$oVersion->sName);
$result = $_SESSION['current']->deleteMaintainer($oApp->iAppId, $oVersion->iVersionId);
}
@@ -39,14 +42,14 @@ if($confirmed)
*/
if($result)
{
if($superMaintainer)
if($aClean['superMaintainer'])
echo "You were removed as a super maintainer of ".$oApp->sName;
else
echo "You were removed as a maintainer of ".$oApp->sName." ".$oVersion->sName;
}
} else
{
if($superMaintainer)
if($aClean['superMaintainer'])
apidb_header("Confirm super maintainer resignation of ".$oApp->sName);
else
apidb_header("Confirm maintainer resignation of ".$oApp->sName." ".$oVersion->sName);
@@ -56,12 +59,12 @@ if($confirmed)
echo html_frame_start("Confirm",400,"",0);
echo "<table width='100%' border=0 cellpadding=2 cellspacing=0>\n";
echo "<input type=hidden name='appId' value=$appId>";
echo "<input type=hidden name='versionId' value=$versionId>";
echo "<input type=hidden name='superMaintainer' value=$superMaintainer>";
echo "<input type=hidden name='appId' value={$aClean['appId']}>";
echo "<input type=hidden name='versionId' value={$aClean['versionId']}>";
echo "<input type=hidden name='superMaintainer' value={$aClean['superMaintainer']}>";
echo "<input type=hidden name='confirmed' value=1>";
if($superMaintainer)
if($aClean['superMaintainer'])
{
echo "<tr><td>Are you sure that you want to be removed as a super maintainer of this application?</tr></td>\n";
echo '<tr><td align=center><input type=submit value=" Confirm resignation as supermaintainer " class=button>', "\n";

53
maintainersubmit.php
View File

@@ -11,15 +11,23 @@ require(BASE."include/incl.php");
require(BASE."include/category.php");
require(BASE."include/application.php");
$aClean = array(); //array of filtered user input
$aClean['maintainReason'] = makeSafe($_REQUEST['maintainReason']);
$aClean['appId'] = makeSafe($_POST['appId']);
$aClean['versionId'] = makeSafe(strip_tags($_POST['versionId']));
$aClean['superMaintainer'] = makeSafe($_POST['superMaintainer']);
/**
* Check the input of a submitted form. And output with a list
* of errors. (<ul></ul>)
*/
function checkAppMaintainerInput( $fields )
function checkAppMaintainerInput( $maintainReason )
{
$errors = "";
if ( empty( $fields['maintainReason']) )
if ( empty( $maintainReason ) )
{
$errors .= "<li>Please enter why you would like to be an application maintainer.</li>\n";
}
@@ -41,29 +49,26 @@ if(!$_SESSION['current']->isLoggedIn())
exit;
}
$appId = strip_tags($_POST['appId']);
$versionId = strip_tags($_POST['versionId']);
$superMaintainer = strip_tags($_POST['superMaintainer']);
/* if we have a versionId to check against see if */
/* the user is already a maintainer */
if(!$superMaintainer && $_SESSION['current']->isMaintainer($versionId))
if(!$aClean['superMaintainer'] && $_SESSION['current']->isMaintainer($aClean['versionId']))
{
echo "You are already a maintainer of this app!";
exit;
}
/* if this user is a super maintainer they maintain all of the versionIds of this appId */
if($_SESSION['current']->isSuperMaintainer($appId))
if($_SESSION['current']->isSuperMaintainer($aClean['appId']))
{
echo "You are already a supermaintainer of the whole application family!";
exit;
}
if($_REQUEST['maintainReason'])
if( $aClean['maintainReason'] )
{
// check the input for empty/invalid fields
$errors = checkAppMaintainerInput($_REQUEST);
$errors = checkAppMaintainerInput($aClean['maintainReason']);
if(!empty($errors))
{
errorpage("We found the following errors:","<ul>$errors</ul><br />Please go back and correct them.");
@@ -71,18 +76,18 @@ if($_REQUEST['maintainReason'])
}
// header
if($superMaintainer)
if($aClean['superMaintainer'])
apidb_header("Submit SuperMaintainer Request");
else
apidb_header("Submit Maintainer Request");
// add to queue
$query = "INSERT INTO appMaintainerQueue VALUES (null, '".
addslashes($_REQUEST['appId'])."', '".
addslashes($_REQUEST['versionId'])."', '".
$aClean['appId']."', '".
$aClean['versionId']."', '".
addslashes($_SESSION['current']->iUserId)."', '".
addslashes($_REQUEST['maintainReason'])."', '".
addslashes($_REQUEST['superMaintainer'])."',".
$aClean['maintainReason']."', '".
$aClean['superMaintainer']."',".
"NOW()".");";
if (query_appdb($query))
@@ -93,15 +98,15 @@ if($_REQUEST['maintainReason'])
} else
{
// header
if($versionId)
if($aClean['versionId'])
{
$oVersion = new Version($versionId);
$oVersion = new Version($aClean['versionId']);
$oApp = new Application($oVersion->iAppId);
apidb_header("Request to become an application maintainer of ".$oApp->sName." ".$oVersion->sName);
}
else
{
$oApp = new Application($appId);
$oApp = new Application($aClean['appId']);
apidb_header("Request to become an application super maintainer of ".$oApp->sName);
}
@@ -123,7 +128,7 @@ if($_REQUEST['maintainReason'])
echo "don't have the experience with Wine that is necessary to help other users out.</p>\n";
/* Special message for super maintainer applications */
if($superMaintainer)
if($aClean['superMaintainer'])
{
echo "<p>Super maintainers are just like normal maintainers but they can modify EVERY version of\n";
echo "this application (and the application itself). We don't expect you to run every version but at least to help keep\n";
@@ -131,7 +136,7 @@ if($_REQUEST['maintainReason'])
}
echo "<br /><br />";
if($superMaintainer)
if($aClean['superMaintainer'])
echo html_frame_start("New Super Maintainer Form",400,"",0);
else
echo html_frame_start("New Maintainer Form",400,"",0);
@@ -140,17 +145,17 @@ if($_REQUEST['maintainReason'])
echo "<tr valign=top><td class=color0>";
echo '<b>Application</b></td><td>'.$oApp->sName;
echo '</td></tr>',"\n";
if($versionId)
if($aClean['versionId'])
{
echo "<tr valign=top><td class=color0>";
echo '<b>Version</b></td><td>'.$oVersion->sName;
echo '</td></tr>',"\n";
}
echo "<input type=hidden name='appId' value=$appId>";
echo "<input type=hidden name='versionId' value=$versionId>";
echo "<input type=hidden name='superMaintainer' value=$superMaintainer>";
echo "<input type=hidden name='appId' value={$aClean['appId']}>";
echo "<input type=hidden name='versionId' value={$aClean['versionId']}>";
echo "<input type=hidden name='superMaintainer' value={$aClean['superMaintainer>']}";
if($superMaintainer)
if($aClean['superMaintainer'])
echo '<tr valign=top><td class=color0><b>Why you want to and should be an application super maintainer</b></td><td><textarea name="maintainReason" rows=15 cols=70></textarea></td></tr>',"\n";
else
echo '<tr valign=top><td class=color0><b>Why you want to and should be an application maintainer</b></td><td><textarea name="maintainReason" rows=15 cols=70></textarea></td></tr>',"\n";

49
preferences.php
View File

@@ -9,6 +9,19 @@
include("path.php");
include(BASE."include/"."incl.php");
$aClean = array(); //array of filtered user input
$aClean['userId'] = makeSafe($REQUEST['userId']);
$aClean['iLimit'] = makeSafe($REQUEST['iLimit']);
$aClean['sOrderBy'] = makeSafe($REQUEST['sOrderBy']);
$aClean['ext_password'] = makeSafe($REQUEST['ext_password']);
$aClean['ext_password2'] = makeSafe($REQUEST['ext_password2']);
$aClean['ext_email'] = makeSafe($REQUEST['ext_email']);
$aClean['ext_realname'] = makeSafe($REQUEST['ext_realname']);
$aClean['CVSrelease'] = makeSafe($REQUEST['CVSrelease']);
$aClean['ext_hasadmin'] = makeSafe($POST['ext_hasadmin']);
if(!$_SESSION['current']->isLoggedIn())
{
errorpage("You must be logged in to edit preferences");
@@ -17,12 +30,12 @@ if(!$_SESSION['current']->isLoggedIn())
// we come from the administration to edit an user
if($_SESSION['current']->hasPriv("admin") &&
is_numeric($_REQUEST['userId']) &&
is_numeric($_REQUEST['iLimit']) &&
in_array($_REQUEST['sOrderBy'],array("email","realname","created"))
is_numeric($aClean['userId']) &&
is_numeric($aClean['iLimit']) &&
in_array($aClean['sOrderBy'],array("email","realname","created"))
)
{
$oUser = new User($_REQUEST['userId']);
$oUser = new User($aClean['userId']);
} else
{
$oUser = &$_SESSION['current'];
@@ -80,32 +93,32 @@ function show_user_fields()
if($_POST)
{
while(list($key, $value) = each($_REQUEST))
while(list($key, $value) = each($aClean))
{
if(!ereg("^pref_(.+)$", $key, $arr))
continue;
$oUser->setPref($arr[1], $value);
}
if ($_REQUEST['ext_password'] == $_REQUEST['ext_password2'])
if ($aClean['ext_password'] == $aClean['ext_password2'])
{
$str_passwd = $_REQUEST['ext_password'];
$str_passwd = $aClean['ext_password'];
}
else if ($_REQUEST['ext_password'])
else if ($aClean['ext_password'])
{
addmsg("The Passwords you entered did not match.", "red");
}
if ($oUser->update($_REQUEST['ext_email'], $str_passwd, $_REQUEST['ext_realname'], $_REQUEST['CVSrelease']))
if ($oUser->update($aClean['ext_email'], $str_passwd, $aClean['ext_realname'], $aClean['CVSrelease']))
{
addmsg("Preferences Updated", "green");
// we were managing an user, let's go back to the admin after updating tha admin status
if($oUser->iUserId == $_REQUEST['userId'] && $_SESSION['current']->hasPriv("admin"))
if($oUser->iUserId == $aClean['userId'] && $_SESSION['current']->hasPriv("admin"))
{
if($_POST['ext_hasadmin']=="on")
if($aClean['ext_hasadmin']=="on")
$oUser->addPriv("admin");
else
$oUser->delPriv("admin");
redirect(BASE."admin/adminUsers.php?userId=".$oUser->iUserId."&sSearch=".$_REQUEST['sSearch']."&iLimit=".$_REQUEST['iLimit']."&sOrderBy=".$_REQUEST['sOrderBy']."&sSubmit=true");
redirect(BASE."admin/adminUsers.php?userId=".$oUser->iUserId."&sSearch=".$aClean['sSearch']."&iLimit=".$aClean['iLimit']."&sOrderBy=".$aClean['sOrderBy']."&sSubmit=true");
}
}
else
@@ -119,12 +132,12 @@ apidb_header("User Preferences");
echo "<form method=\"post\" action=\"preferences.php\">\n";
// if we manage another user we give the parameters to go back to the admin
if($oUser->iUserId == $_REQUEST['userId'])
if($oUser->iUserId == $aClean['userId'])
{
echo "<input type=\"hidden\" name=\"iLimit\" value=\"".$_REQUEST['iLimit']."\">\n";
echo "<input type=\"hidden\" name=\"sOrderBy\" value=\"".$_REQUEST['sOrderBy']."\">\n";
echo "<input type=\"hidden\" name=\"sSearch\" value=\"".addslashes($_REQUEST['sSearch'])."\">\n";
echo "<input type=\"hidden\" name=\"userId\" value=\"".$_REQUEST['userId']."\">\n";
echo "<input type=\"hidden\" name=\"iLimit\" value=\"".$aClean['iLimit']."\">\n";
echo "<input type=\"hidden\" name=\"sOrderBy\" value=\"".$aClean['sOrderBy']."\">\n";
echo "<input type=\"hidden\" name=\"sSearch\" value=\"".$aClean['sSearch']."\">\n";
echo "<input type=\"hidden\" name=\"userId\" value=\"".$aClean['userId']."\">\n";
}
echo html_frame_start("Preferences for ".$oUser->sRealname, "80%");
@@ -133,7 +146,7 @@ echo html_table_begin("width='100%' border=0 align=left cellspacing=0 class='box
show_user_fields();
// if we don't manage another user
if($oUser->iUserId != $_REQUEST['userId']) build_prefs_list();
if($oUser->iUserId != $aClean['userId']) build_prefs_list();
echo html_table_end();
echo html_frame_end();

35
screenshots.php
View File

@@ -14,14 +14,21 @@ require_once(BASE."include/screenshot.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['cmd'] = makeSafe($_REQUEST['cmd']);
$aClean['versionId'] = makeSafe($_REQUEST['versionId']);
$aClean['screenshot_desc'] = makeSafe($_REQUEST['screenshot_desc']);
$aClean['imageId'] = makeSafe($_REQUEST['imageId']);
$aClean['appId'] = makeSafe($_REQUEST['appId']);
/*
* We issued a command.
*/
if($_REQUEST['cmd'])
if($aClean['cmd'])
{
// process screenshot upload
if($_REQUEST['cmd'] == "screenshot_upload")
if($aClean['cmd'] == "screenshot_upload")
{
if($_FILES['imagefile']['size']>600000)
{
@@ -29,26 +36,26 @@ if($_REQUEST['cmd'])
} else
{
$oScreenshot = new Screenshot();
$oScreenshot->create($_REQUEST['versionId'], $_REQUEST['screenshot_desc'], $_FILES['imagefile']);
$oScreenshot->create($aClean['versionId'], $aClean['screenshot_desc'], $_FILES['imagefile']);
$oScreenshot->free();
}
} elseif($_REQUEST['cmd'] == "delete" && is_numeric($_REQUEST['imageId'])) // process screenshot deletion
} elseif($aClean['cmd'] == "delete" && is_numeric($aClean['imageId'])) // process screenshot deletion
{
$oScreenshot = new Screenshot($_REQUEST['imageId']);
$oScreenshot = new Screenshot($aClean['imageId']);
$oScreenshot->delete();
$oScreenshot->free();
}
redirect(apidb_fullurl("screenshots.php?appId=".$_REQUEST['appId']."&versionId=".$_REQUEST['versionId']));
redirect(apidb_fullurl("screenshots.php?appId=".$aClean['appId']."&versionId=".$aClean['versionId']));
}
/*
* We didn't issued any command.
*/
$hResult = get_screenshots($_REQUEST['appId'], $_REQUEST['versionId']);
$hResult = get_screenshots($aClean['appId'], $aClean['versionId']);
apidb_header("Screenshots");
$oApp = new Application($_REQUEST['appId']);
$oVersion = new Version($_REQUEST['versionId']);
$oApp = new Application($aClean['appId']);
$oVersion = new Version($aClean['versionId']);
if($hResult && mysql_num_rows($hResult))
{
@@ -59,7 +66,7 @@ if($hResult && mysql_num_rows($hResult))
echo "<div align=center><table><tr>\n";
while($oRow = mysql_fetch_object($hResult))
{
if(!$_REQUEST['versionId'] && $oRow->versionId != $currentVersionId)
if(!$aClean['versionId'] && $oRow->versionId != $currentVersionId)
{
if($currentVersionId)
{
@@ -79,9 +86,9 @@ if($hResult && mysql_num_rows($hResult))
//show admin delete link
if($_SESSION['current']->isLoggedIn() && ($_SESSION['current']->hasPriv("admin") ||
$_SESSION['current']->isMaintainer($_REQUEST['versionId'])))
$_SESSION['current']->isMaintainer($aClean['versionId'])))
{
echo "<br />[<a href='screenshots.php?cmd=delete&imageId=$oRow->id&appId=".$_REQUEST['appId']."&versionId=".$_REQUEST['versionId']."'>Delete Image</a>]";
echo "<br />[<a href='screenshots.php?cmd=delete&imageId=$oRow->id&appId=".$aClean['appId']."&versionId=".$aClean['versionId']."'>Delete Image</a>]";
}
echo "</div></td>\n";
@@ -99,7 +106,7 @@ if($hResult && mysql_num_rows($hResult))
echo "<br />Please consider submitting a screenshot for the selected version yourself.</p>";
}
if($_REQUEST['versionId'])
if($aClean['versionId'])
{
//image upload box
echo '<form enctype="multipart/form-data" action="screenshots.php" name="imageForm" method="post">',"\n";
@@ -114,7 +121,7 @@ if($_REQUEST['versionId'])
echo html_frame_end();
echo '<input type="hidden" name="MAX_FILE_SIZE" value="4000000" />',"\n";
echo '<input type="hidden" name="cmd" value="screenshot_upload" />',"\n";
echo '<input type="hidden" name="versionId" value="'.$_REQUEST['versionId'].'"></form />',"\n";
echo '<input type="hidden" name="versionId" value="'.$aClean['versionId'].'"></form />',"\n";
}
echo html_back_link(1);
apidb_footer();

5
search.php
View File

@@ -10,8 +10,11 @@ include("path.php");
require(BASE."include/incl.php");
require(BASE."include/application.php");
$aClean = array(); //array of filtered user input
$aClean['q'] = makeSafe($_REQUEST['q']);
apidb_header("Search Results");
perform_search_and_output_results($_REQUEST['q']);
perform_search_and_output_results($aClean['q']);
apidb_footer();
?>

49
testResults.php
View File

@@ -11,37 +11,44 @@ require(BASE."include/mail.php");
require_once(BASE."include/testResults.php");
require_once(BASE."include/distributions.php");
$aClean = array(); //array of filtered user input
$aClean['sub'] = makeSafe($_REQUEST['sub']);
$aClean['iTestingId'] = makeSafe($_REQUEST['iTestingId']);
$aClean['iVersionId'] = makeSafe($_REQUEST['iVersionId']);
$aClean['iDistributionId'] = makeSafe($_REQUEST['iDistributionId']);
$aClean['sDistribution'] = makeSafe($_REQUEST['sDistribution']);
if ($_REQUEST['sub'])
if ($aClean['sub'])
{
$oTest = new testData($_REQUEST['iTestingId']);
if($_REQUEST['iVersionId'])
$oTest->iVersionId = $_REQUEST['iVersionId'];
$oTest = new testData($aClean['iTestingId']);
if($aClean['iVersionId'])
$oTest->iVersionId = $aClean['iVersionId'];
$errors = "";
// Submit or Resubmit the new testing results
if (($_REQUEST['sub'] == 'Submit') || ($_REQUEST['sub'] == 'Resubmit'))
if (($aClean['sub'] == 'Submit') || ($aClean['sub'] == 'Resubmit'))
{
$errors = $oTest->CheckOutputEditorInput();
$oTest->GetOutputEditorValues(); // retrieve the values from the current $_REQUEST
if(empty($errors))
{
if(!$_REQUEST['iDistributionId'])
if(!$aClean['iDistributionId'])
{
$sDistribution = trim($_REQUEST['sDistribution']);
if(!empty($sDistribution))
if(!empty($aClean['sDistribution']) )
{
$oDistribution = new distribution();
$oDistribution->sName = $sDistribution;
$oDistribution->sName = $aClean['sDistribution'];
$oDistribution->create();
$oTest->iDistributionId = $oDistribution->iDistributionId;
}
}
if($_REQUEST['sub'] == 'Submit')
if($aClean['sub'] == 'Submit')
{
$oTest->create();
} else if($_REQUEST['sub'] == 'Resubmit')
} else if($aClean['sub'] == 'Resubmit')
{
$oTest->update(true);
$oTest->ReQueue();
@@ -49,16 +56,16 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
} else
{
$_REQUEST['sub'] = 'view';
$aClean['sub'] = 'view';
}
}
// Delete testing results
if ($_REQUEST['sub'] == 'Delete')
if ($aClean['sub'] == 'Delete')
{
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
$oTest = new testData($_REQUEST['iTestingId']);
$oTest = new testData($aClean['iTestingId']);
$oTest->delete();
}
@@ -66,7 +73,7 @@ if ($_REQUEST['sub'])
}
// is this an old test?
if(is_numeric($_REQUEST['iTestingId']))
if(is_numeric($aClean['iTestingId']))
{
// make sure the user has permission to view this testing result
$oVersion = new Version($oTest->iVersionId);
@@ -80,11 +87,11 @@ if ($_REQUEST['sub'])
$oVersion = new version($oTest->iVersionId);
} else
{
$oTest->iVersionId = $_REQUEST['iVersionId'];
$oVersion = new version($_REQUEST['iVersionId']);
$oTest->iVersionId = $aClean['iVersionId'];
$oVersion = new version($aClean['iVersionId']);
$oTest->sQueued = "new";
}
if ($_REQUEST['sub'] == 'view')
if ($aClean['sub'] == 'view')
{
$oApp = new application($oVersion->iAppId);
$sVersionInfo = $oApp->sName." ".$oVersion->sName;
@@ -126,7 +133,7 @@ if ($_REQUEST['sub'])
}
// View Testing Details
$oTest->OutputEditor($_REQUEST['sDistribution'],true);
$oTest->OutputEditor($aClean['sDistribution'],true);
echo '<a href="'.BASE."appview.php?versionId=".$oTest->iVersionId.'">Back to Version</a>';
@@ -158,7 +165,7 @@ if ($_REQUEST['sub'])
redirect($_SERVER['PHP_SELF']);
}
}
else // if ($_REQUEST['sub']) is not defined, display the Testing results queue page
else // if ($aClean['sub']) is not defined, display the Testing results queue page
{
apidb_header("Testing Results");

12
vendorview.php
View File

@@ -11,9 +11,13 @@ require_once(BASE."include/incl.php");
require_once(BASE."include/application.php");
require_once(BASE."include/vendor.php");
$oVendor = new Vendor($_REQUEST['vendorId']);
$aClean = array(); //array of filtered user input
$aClean['vendorId'] = makeSafe($_REQUEST['vendorId']);
$aClean['sub'] = makeSafe($_REQUEST['sub']);
if ($_REQUEST['sub'])
$oVendor = new Vendor($aClean['vendorId']);
if ($aClean['sub'])
{
if(!$_SESSION['current']->hasPriv("admin"))
{
@@ -21,7 +25,7 @@ if ($_REQUEST['sub'])
exit;
}
if($_REQUEST['sub'] == 'delete')
if($aClean['sub'] == 'delete')
{
$oVendor->delete();
redirect($_SERVER['PHP_SELF']);
@@ -55,7 +59,7 @@ if($oVendor->iVendorId)
$oApp = new application($iAppId);
echo '<li> <a href="appview.php?appId='.$oApp->iAppId.'">'.$oApp->sName.'</a> </li>',"\n";
}
echo '.</ol>',"\n";
echo '</ol>',"\n";
}

14
viewScreenshots.php
View File

@@ -10,6 +10,12 @@ require_once(BASE."include/screenshot.php");
require(BASE."include/application.php");
require(BASE."include/mail.php");
$aClean = array(); //array of filtered user input
$aClean['ItemsPerPage'] = makeSafe($_REQUEST['ItemsPerPage']);
$aClean['page'] = makeSafe($_REQUEST['page']);
apidb_header("View Screenshots");
/* display a range of 10 pages */
$pageRange = 10;
@@ -17,10 +23,10 @@ $pageRange = 10;
$ItemsPerPage = 6;
$currentPage = 1;
if($_REQUEST['ItemsPerPage'])
$ItemsPerPage = $_REQUEST['ItemsPerPage'];
if($_REQUEST['page'])
$currentPage = $_REQUEST['page'];
if($aClean['ItemsPerPage'])
$ItemsPerPage = $aClean['ItemsPerPage'];
if($aClean['page'])
$currentPage = $aClean['page'];
$ItemsPerPage = min($ItemsPerPage,100);
$totalPages = ceil(getNumberOfImages()/$ItemsPerPage);

17
viewbugs.php
View File

@@ -6,17 +6,20 @@
include("path.php");
require(BASE."include/incl.php");
/* code to View versions affected by a Bug */
$bug_id = $_REQUEST['bug_id'];
$aClean = array(); //array of filtered user input
if(!is_numeric($bug_id))
$aClean['bug_id'] = makeSafe($_REQUEST['bug_id']);
/* code to View versions affected by a Bug */
if( !is_numeric($aClean['bug_id']))
{
errorpage("Something went wrong with the bug ID");
exit;
}
{
apidb_header("Applications affected by Bug #".$bug_id);
echo '<form method=post action="viewbugs.php?bug_id='.$bug_id.'">',"\n";
apidb_header("Applications affected by Bug #".$aClean['bug_id']);
echo '<form method=post action="viewbugs.php?bug_id='.$aClean['bug_id'].'">',"\n";
echo '<table width=100% border=0 cellpadding=3 cellspacing=1>',"\n";
echo '<tr class=color4>',"\n";
@@ -32,7 +35,7 @@ if(!is_numeric($bug_id))
FROM appFamily, appVersion, buglinks
WHERE appFamily.appId = appVersion.appId
and buglinks.versionId = appVersion.versionId
AND buglinks.bug_id = ".$bug_id."
AND buglinks.bug_id = ".$aClean['bug_id']."
ORDER BY versionName";
$c = 0;
@@ -66,7 +69,7 @@ if(!is_numeric($bug_id))
echo '<tr class=color3>',"\n";
echo ' <td align=center>',"\n";
echo ' <input type="text" name="bug_id" value="'.$bug_id.'" size="8"></td>',"\n";
echo ' <input type="text" name="bug_id" value="'.$aClean['bug_id'].'" size="8"></td>',"\n";
echo ' <td colspan=2><input type="submit" name="sub" value="Search"></td>',"\n";
echo '</tr>',"\n";

14
votestats.php
View File

@@ -10,15 +10,21 @@ include("path.php");
include(BASE."include/incl.php");
require(BASE."include/category.php");
$aClean = array(); //array of filtered user input
$aClean['topNumber'] = makeSafe($_REQUEST['topNumber']);
$aClean['categoryId'] = makeSafe($_REQUEST['categoryId']);
/* default to 25 apps, main categories */
$topNumber = 25;
$categoryId = "any"; /* default to all categories */
/* process the post variables to override the default settings */
if( isset($_REQUEST['topNumber']) AND is_numeric($_REQUEST['topNumber']))
$topNumber = $_REQUEST['topNumber'];
if( isset($_REQUEST['categoryId']) AND is_numeric($_REQUEST['categoryId']))
$categoryId = $_REQUEST['categoryId'];
if( !empty($aClean['topNumber']) AND is_numeric($aClean['topNumber']))
$topNumber = $aClean['topNumber'];
if( !empty($aClean['categoryId']) AND is_numeric($aClean['categoryId']))
$categoryId = $aClean['categoryId'];
/* Check if the value makes sense */
if($topNumber > 200 || $topNumber < 1)