From 1a2cbfbf0cd666af05c28c3a7e51de3fb59bdd99 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Wed, 20 Nov 2013 03:34:56 -0500
Subject: [PATCH] Merge remote-tracking branch 'origin/stable-3.0.5'
---
interface/web/dns/dns_mx_edit.php | 8
interface/web/mail/mail_aliasdomain_edit.php | 4
interface/web/mailuser/index.php | 4
interface/web/admin/software_package_list.php | 4
interface/web/sites/web_aliasdomain_edit.php | 2
interface/web/mail/mail_user_filter_edit.php | 158 -----------
interface/web/mail/spamfilter_users_edit.php | 2
interface/lib/classes/aps_guicontroller.inc.php | 20
interface/web/mail/mail_user_edit.php | 12
interface/web/admin/remote_action_osupdate.php | 2
interface/web/sites/cron_edit.php | 8
interface/web/mailuser/mail_user_password_edit.php | 2
interface/lib/classes/validate_domain.inc.php | 6
interface/web/admin/software_update_list.php | 4
interface/web/dns/dns_alias_edit.php | 4
interface/web/mail/mail_forward_edit.php | 4
interface/lib/classes/plugin_backuplist.inc.php | 4
interface/web/mail/spamfilter_blacklist_edit.php | 2
interface/web/dns/dns_a_edit.php | 6
interface/web/sites/lib/lang/de_web_domain.lng | 1
interface/web/admin/login_as.php | 2
interface/web/sites/lib/lang/en_web_domain.lng | 1
server/lib/classes/plugins.inc.php | 2
interface/web/mail/mail_blacklist_edit.php | 2
interface/web/mail/mail_spamfilter_edit.php | 2
interface/web/dns/dns_import.php | 18
interface/web/vm/openvz_template_edit.php | 8
server/server.php | 4
interface/web/tools/user_settings.php | 10
interface/web/sites/templates/web_domain_advanced.htm | 2
interface/web/tools/dns_import_tupa.php | 22
interface/web/admin/software_package_install.php | 10
interface/web/client/client_message.php | 2
interface/web/mail/mail_whitelist_edit.php | 2
interface/web/dns/dns_ptr_edit.php | 4
interface/web/dns/dns_soa_edit.php | 4
interface/web/mail/spamfilter_config_edit.php | 2
interface/web/sites/web_vhost_subdomain_del.php | 2
interface/lib/classes/tform.inc.php | 5
interface/web/sites/web_domain_edit.php | 50 +-
interface/web/mail/mail_alias_edit.php | 6
interface/web/help/faq_list.php | 2
interface/web/mail/mail_domain_catchall_edit.php | 4
interface/web/mail/mail_mailinglist_edit.php | 16
interface/web/mail/mail_user_stats.php | 8
interface/web/mailuser/mail_user_spamfilter_edit.php | 8
interface/web/mailuser/mail_user_filter_edit.php | 2
interface/web/help/support_message_edit.php | 6
interface/web/dns/dns_srv_edit.php | 2
interface/lib/classes/tform_actions.inc.php | 2
interface/web/dns/dns_wizard.php | 18
interface/web/sites/database_user_edit.php | 6
interface/web/mailuser/mail_user_filter_list.php | 2
interface/web/admin/lib/lang/de_directive_snippets.lng | 1
interface/web/mail/spamfilter_policy_edit.php | 2
interface/web/sites/web_vhost_subdomain_edit.php | 20
interface/web/dns/dns_txt_edit.php | 4
interface/web/dns/dns_slave_edit.php | 8
interface/web/sites/ftp_user_edit.php | 22
interface/web/help/support_message_list.php | 2
interface/web/mail/mail_transport_edit.php | 2
interface/web/dns/dns_rp_edit.php | 2
interface/lib/classes/form.inc.php | 2
interface/web/admin/templates/directive_snippets_edit.htm | 21 +
interface/lib/classes/auth.inc.php | 7
interface/lib/classes/aps_crawler.inc.php | 2
interface/lib/classes/custom_datasource.inc.php | 14
interface/web/sites/web_subdomain_edit.php | 4
interface/web/dashboard/dashlets/limits.php | 4
interface/web/sites/web_sites_stats.php | 8
interface/web/admin/server_php_edit.php | 2
interface/web/admin/server_edit.php | 2
interface/web/dashboard/dashlets/mailquota.php | 2
interface/web/admin/remote_action_ispcupdate.php | 2
interface/web/sites/database_edit.php | 20
interface/web/vm/openvz_action.php | 4
interface/web/dns/dns_aaaa_edit.php | 4
interface/web/admin/server_ip_edit.php | 2
interface/web/dns/dns_ns_edit.php | 4
interface/web/client/client_edit.php | 2
interface/web/sites/shell_user_edit.php | 10
server/plugins-available/nginx_plugin.inc.php | 3
interface/lib/classes/db_mysql.inc.php | 13
interface/web/dns/dns_hinfo_edit.php | 4
interface/web/dns/dns_cname_edit.php | 6
interface/web/client/reseller_edit.php | 8
interface/web/admin/lib/lang/en_directive_snippets.lng | 1
interface/web/vm/openvz_vm_edit.php | 12
interface/web/mail/mail_domain_edit.php | 18
interface/lib/classes/validate_client.inc.php | 2
interface/web/sites/ajax_get_json.php | 4
interface/web/admin/users_edit.php | 2
interface/web/mail/spamfilter_whitelist_edit.php | 2
server/plugins-available/shelluser_base_plugin.inc.php | 22 +
interface/lib/classes/client_templates.inc.php | 12
interface/lib/classes/validate_dns.inc.php | 4
interface/web/mail/mail_get_edit.php | 4
interface/web/dashboard/dashlets/quota.php | 2
interface/web/admin/system_config_edit.php | 2
interface/web/sites/web_domain_del.php | 4
100 files changed, 347 insertions(+), 450 deletions(-)
diff --git a/interface/lib/classes/aps_crawler.inc.php b/interface/lib/classes/aps_crawler.inc.php
index 8260f34..635b812 100644
--- a/interface/lib/classes/aps_crawler.inc.php
+++ b/interface/lib/classes/aps_crawler.inc.php
@@ -595,7 +595,7 @@
foreach($incomplete_pkgs as $incomplete_pkg){
$pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$incomplete_pkg['path'].'/PKG_URL');
if($pkg_url != ''){
- $app->db->datalogUpdate('aps_packages', "package_url = '".$pkg_url."'", 'id', $incomplete_pkg['id']);
+ $app->db->datalogUpdate('aps_packages', "package_url = '".$app->db->quote($pkg_url)."'", 'id', $incomplete_pkg['id']);
}
}
}
diff --git a/interface/lib/classes/aps_guicontroller.inc.php b/interface/lib/classes/aps_guicontroller.inc.php
index 47f5bd2..a231a5b 100644
--- a/interface/lib/classes/aps_guicontroller.inc.php
+++ b/interface/lib/classes/aps_guicontroller.inc.php
@@ -266,18 +266,18 @@
unset($tmp);
// get information if the webserver is a db server, too
- $web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$websrv['server_id']);
+ $web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$app->functions->intval($websrv['server_id']));
if($web_server['db_server'] == 1) {
// create database on "localhost" (webserver)
- $mysql_db_server_id = $websrv['server_id'];
+ $mysql_db_server_id = $app->functions->intval($websrv['server_id']);
$mysql_db_host = 'localhost';
$mysql_db_remote_access = 'n';
$mysql_db_remote_ips = '';
} else {
//* get the default database server of the client
- $client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$websrv['sys_groupid']);
+ $client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($websrv['sys_groupid']));
if(is_array($client) && $client['default_dbserver'] > 0 && $client['default_dbserver'] != $websrv['server_id']) {
- $mysql_db_server_id = $client['default_dbserver'];
+ $mysql_db_server_id = $app->functions->intval($client['default_dbserver']);
$dbserver_config = $web_config = $app->getconf->get_server_config($app->functions->intval($mysql_db_server_id), 'server');
$mysql_db_host = $dbserver_config['ip_address'];
$mysql_db_remote_access = 'y';
@@ -301,13 +301,13 @@
//* Find a free db name for the app
for($n = 1; $n <= 1000; $n++) {
- $mysql_db_name = ($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps'));
+ $mysql_db_name = $app->db->quote(($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps')));
$tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = '".$app->db->quote($mysql_db_name)."'");
if($tmp['number'] == 0) break;
}
//* Find a free db username for the app
for($n = 1; $n <= 1000; $n++) {
- $mysql_db_user = ($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps'));
+ $mysql_db_user = $app->db->quote(($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps')));
$tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = '".$app->db->quote($mysql_db_user)."'");
if($tmp['number'] == 0) break;
}
@@ -316,12 +316,12 @@
//* Create the mysql database user
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `database_user`, `database_user_prefix`, `database_password`)
- VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
+ VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
$mysql_db_user_id = $app->db->datalogInsert('web_database_user', $insert_data, 'database_user_id');
//* Create the mysql database
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `parent_domain_id`, `type`, `database_name`, `database_name_prefix`, `database_user_id`, `database_ro_user_id`, `database_charset`, `remote_access`, `remote_ips`, `backup_copies`, `active`, `backup_interval`)
- VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', $mysql_db_server_id, ".$websrv['domain_id'].", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$websrv['backup_copies'].", 'y', '".$websrv['backup_interval']."')";
+ VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', $mysql_db_server_id, ".$app->functions->intval($websrv['domain_id']).", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$app->functions->intval($websrv['backup_copies']).", 'y', '".$app->functions->intval($websrv['backup_interval'])."')";
$app->db->datalogInsert('web_database', $insert_data, 'database_id');
//* Add db details to package settings
@@ -332,7 +332,7 @@
}
//* Insert new package instance
- $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
+ $insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
$InstanceID = $app->db->datalogInsert('aps_instances', $insert_data, 'id');
//* Insert all package settings
@@ -404,7 +404,7 @@
$app->db->datalogSave('aps', 'INSERT', 'id', $instanceid, array(), $datalog);
*/
- $sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$instanceid." LIMIT 0,1";
+ $sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$app->db->quote($instanceid)." LIMIT 0,1";
$tmp = $app->db->queryOneRecord($sql);
if($tmp['database_id'] > 0) $app->db->datalogDelete('web_database', 'database_id', $tmp['database_id']);
diff --git a/interface/lib/classes/auth.inc.php b/interface/lib/classes/auth.inc.php
index 96e30b4..706dd04 100644
--- a/interface/lib/classes/auth.inc.php
+++ b/interface/lib/classes/auth.inc.php
@@ -33,7 +33,8 @@
public function get_user_id()
{
- return $_SESSION['s']['user']['userid'];
+ global $app;
+ return $app->functions->intval($_SESSION['s']['user']['userid']);
}
public function is_admin() {
@@ -80,7 +81,9 @@
public function get_client_limit($userid, $limitname)
{
global $app;
-
+
+ $userid = $app->functions->intval($userid);
+
// simple query cache
if($this->client_limits===null)
$this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id");
diff --git a/interface/lib/classes/client_templates.inc.php b/interface/lib/classes/client_templates.inc.php
index 77f6af5..bdf9b16 100644
--- a/interface/lib/classes/client_templates.inc.php
+++ b/interface/lib/classes/client_templates.inc.php
@@ -49,7 +49,7 @@
if($old_style == true) {
// we have to take care of this in an other way
- $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
+ $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
if(is_array($in_db) && count($in_db) > 0) {
foreach($in_db as $item) {
if(array_key_exists($item['client_template_id'], $needed_types) == false) $needed_types[$item['client_template_id']] = 0;
@@ -61,24 +61,24 @@
if($count > 0) {
// add new template to client (includes those from old-style without assigned_template_id)
for($i = $count; $i > 0; $i--) {
- $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $tpl_id . ')');
+ $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($tpl_id) . ')');
}
} elseif($count < 0) {
// remove old ones
for($i = $count; $i < 0; $i++) {
- $app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $clientId . ' AND client_template_id = ' . $tpl_id . ' LIMIT 1');
+ $app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $app->functions->intval($clientId) . ' AND client_template_id = ' . $app->functions->intval($tpl_id) . ' LIMIT 1');
}
}
}
} else {
// we have to take care of this in an other way
- $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
+ $in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
if(is_array($in_db) && count($in_db) > 0) {
// check which templates were removed from this client
foreach($in_db as $item) {
if(in_array($item['assigned_template_id'], $used_assigned) == false) {
// delete this one
- $app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $item['assigned_template_id']);
+ $app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $app->functions->intval($item['assigned_template_id']));
}
}
}
@@ -86,7 +86,7 @@
if(count($new_tpl) > 0) {
foreach($new_tpl as $item) {
// add new template to client (includes those from old-style without assigned_template_id)
- $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $item . ')');
+ $app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($item) . ')');
}
}
}
diff --git a/interface/lib/classes/custom_datasource.inc.php b/interface/lib/classes/custom_datasource.inc.php
index 5dd2db3..ff01084 100644
--- a/interface/lib/classes/custom_datasource.inc.php
+++ b/interface/lib/classes/custom_datasource.inc.php
@@ -46,9 +46,9 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
- $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_dnsserver'];
+ $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_dnsserver']);
} else {
$sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
}
@@ -68,9 +68,9 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
- $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_slave_dnsserver'];
+ $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_slave_dnsserver']);
} else {
$sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
}
@@ -99,7 +99,7 @@
}
if(count($server_ids) == 0) return array();
$server_ids = implode(',', $server_ids);
- $records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$server_ids.") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
+ $records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$app->db->quote($server_ids).") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
$records_new = array();
if(is_array($records)) {
@@ -158,12 +158,12 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
$client = $app->db->queryOneRecord($sql);
if($client['server_id'] > 0) {
//* Select the default server for the client
- $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['server_id'];
+ $sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['server_id']);
} else {
//* Not able to find the clients defaults, use this as fallback and add a warning message to the log
$app->log('Unable to find default server for client in custom_datasource.inc.php', 1);
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index 1636cab..c9de1de 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -284,7 +284,7 @@
// Insert the server_id, if the record has a server_id
$server_id = (isset($record_old['server_id']) && $record_old['server_id'] > 0)?$record_old['server_id']:0;
if(isset($record_new['server_id'])) $server_id = $record_new['server_id'];
-
+ $server_id = intval($server_id);
if($diff_num > 0) {
//print_r($diff_num);
@@ -306,6 +306,9 @@
//** Inserts a record and saves the changes into the datalog
public function datalogInsert($tablename, $insert_data, $index_field) {
global $app;
+
+ $tablename = $this->quote($tablename);
+ $index_field = $this->quote($index_field);
if(is_array($insert_data)) {
$key_str = '';
@@ -333,6 +336,10 @@
//** Updates a record and saves the changes into the datalog
public function datalogUpdate($tablename, $update_data, $index_field, $index_value, $force_update = false) {
global $app;
+
+ $tablename = $this->quote($tablename);
+ $index_field = $this->quote($index_field);
+ $index_value = $this->quote($index_value);
$old_rec = $this->queryOneRecord("SELECT * FROM $tablename WHERE $index_field = '$index_value'");
@@ -356,6 +363,10 @@
//** Deletes a record and saves the changes into the datalog
public function datalogDelete($tablename, $index_field, $index_value) {
global $app;
+
+ $tablename = $this->quote($tablename);
+ $index_field = $this->quote($index_field);
+ $index_value = $this->quote($index_value);
$old_rec = $this->queryOneRecord("SELECT * FROM $tablename WHERE $index_field = '$index_value'");
$this->query("DELETE FROM $tablename WHERE $index_field = '$index_value'");
diff --git a/interface/lib/classes/form.inc.php b/interface/lib/classes/form.inc.php
index 34c0b62..e6948dd 100644
--- a/interface/lib/classes/form.inc.php
+++ b/interface/lib/classes/form.inc.php
@@ -1,5 +1,7 @@
<?php
+die('Deprecated file: form.inc.php');
+
/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.
diff --git a/interface/lib/classes/plugin_backuplist.inc.php b/interface/lib/classes/plugin_backuplist.inc.php
index 6d3cdd3..9aebf77 100644
--- a/interface/lib/classes/plugin_backuplist.inc.php
+++ b/interface/lib/classes/plugin_backuplist.inc.php
@@ -108,8 +108,8 @@
}
//* Get the data
- $web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$this->form->id);
- $sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$this->form->id." AND server_id = ".$web['server_id']." ORDER BY tstamp DESC, backup_type ASC";
+ $web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$app->functions->intval($this->form->id));
+ $sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$app->functions->intval($this->form->id)." AND server_id = ".$app->functions->intval($web['server_id'])." ORDER BY tstamp DESC, backup_type ASC";
$records = $app->db->queryAllRecords($sql);
$bgcolor = "#FFFFFF";
diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index f334508..639689d 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -69,6 +69,7 @@
function checkPerm($record_id, $perm) {
global $app;
+ $record_id = $app->functions->intval($record_id);
if($record_id > 0) {
// Add backticks for incomplete table names.
if(stristr($this->formDef['db_table'], '.')) {
@@ -163,7 +164,7 @@
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT $limit_name as number, parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another item
@@ -185,7 +186,7 @@
if($limit_name == '') $app->error('Limit name missing in function checkClientLimit.');
// Get the limits of the client that is currently logged in
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT parent_client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* If the client belongs to a reseller, we will check against the reseller Limit too
diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index 336d2fb..bb9e78e 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -81,7 +81,7 @@
// check if the client is locked - he may not change anything, then.
if(!$app->auth->is_admin()) {
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($client_group_id));
if(is_array($client) && $client['locked'] == 'y') {
$app->tform->errorMessage .= $app->lng("client_you_are_locked")."<br />";
diff --git a/interface/lib/classes/validate_client.inc.php b/interface/lib/classes/validate_client.inc.php
index 06e39d8..0f90a5b 100644
--- a/interface/lib/classes/validate_client.inc.php
+++ b/interface/lib/classes/validate_client.inc.php
@@ -53,7 +53,7 @@
}
}
} else {
- $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."' AND client_id != ".$client_id);
+ $num_rec = $app->db->queryOneRecord("SELECT count(*) as number FROM sys_user WHERE username = '".$app->db->quote($field_value)."' AND client_id != ".$app->functions->intval($client_id));
if($num_rec["number"] > 0) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
diff --git a/interface/lib/classes/validate_dns.inc.php b/interface/lib/classes/validate_dns.inc.php
index 99ff6c5..413be16 100644
--- a/interface/lib/classes/validate_dns.inc.php
+++ b/interface/lib/classes/validate_dns.inc.php
@@ -104,7 +104,7 @@
}
if(substr($field, -1) == '.' && $area == 'Name'){
- $soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".$zoneid);
+ $soa = $app->db->queryOneRecord("SELECT * FROM soa WHERE id = ".intval($zoneid));
if(substr($field, (strlen($field) - strlen($soa['origin']))) != $soa['origin']) $error .= $desc." ".$app->tform->wordbook['error_out_of_zone']."<br>\r\n";
}
@@ -267,7 +267,7 @@
global $app, $conf;
// increase serial
- $serial_date = substr($serial, 0, 8);
+ $serial_date = $app->functions->intval(substr($serial, 0, 8));
$count = $app->functions->intval(substr($serial, 8, 2));
$current_date = date("Ymd");
if($serial_date >= $current_date){
diff --git a/interface/lib/classes/validate_domain.inc.php b/interface/lib/classes/validate_domain.inc.php
index 3135c7a..988945d 100644
--- a/interface/lib/classes/validate_domain.inc.php
+++ b/interface/lib/classes/validate_domain.inc.php
@@ -118,7 +118,7 @@
if($domain['ip_address'] == '' || $domain['ipv6_address'] == ''){
if($domain['parent_domain_id'] > 0){
- $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$domain['parent_domain_id']);
+ $parent_domain = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($domain['parent_domain_id']));
}
}
@@ -217,7 +217,7 @@
// if alias/subdomain: check IP addresses of parent domain
if($check['ip_address'] == '' || $check['ipv6_address'] == ''){
if($check['parent_domain_id'] > 0){
- $check_parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = ".$check['parent_domain_id']);
+ $check_parent_domain = $app->db->queryOneRecord("SELECT * FROM `web_domain` WHERE `domain_id` = ".$app->functions->intval($check['parent_domain_id']));
}
}
@@ -282,7 +282,7 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_wildcard FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if($client["limit_wildcard"] == 'y') return true;
diff --git a/interface/web/admin/lib/lang/de_directive_snippets.lng b/interface/web/admin/lib/lang/de_directive_snippets.lng
index 7a9b756..18ce2d5 100644
--- a/interface/web/admin/lib/lang/de_directive_snippets.lng
+++ b/interface/web/admin/lib/lang/de_directive_snippets.lng
@@ -6,4 +6,5 @@
$wb['active_txt'] = 'Aktiv';
$wb['directive_snippets_name_empty'] = 'Bitte geben Sie einen Namen für den Schnipsel an.';
$wb['directive_snippets_name_error_unique'] = 'Es existiert schon ein Direktiven-Schnipsel mit diesem Namen.';
+$wb['variables_txt'] = 'Variablen';
?>
diff --git a/interface/web/admin/lib/lang/en_directive_snippets.lng b/interface/web/admin/lib/lang/en_directive_snippets.lng
index ee40ab0..9d9b0ae 100644
--- a/interface/web/admin/lib/lang/en_directive_snippets.lng
+++ b/interface/web/admin/lib/lang/en_directive_snippets.lng
@@ -6,4 +6,5 @@
$wb["active_txt"] = 'Active';
$wb["directive_snippets_name_empty"] = 'Please specify a name for the snippet.';
$wb["directive_snippets_name_error_unique"] = 'There is already a directive snippet with this name.';
+$wb['variables_txt'] = 'Variables';
?>
\ No newline at end of file
diff --git a/interface/web/admin/login_as.php b/interface/web/admin/login_as.php
index a5a34f1..3d0fbf8 100644
--- a/interface/web/admin/login_as.php
+++ b/interface/web/admin/login_as.php
@@ -51,7 +51,7 @@
$client_id = $app->functions->intval($_GET['cid']);
$tmp_client = $app->db->queryOneRecord("SELECT username FROM client WHERE client_id = $client_id");
$tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = '".$app->db->quote($tmp_client['username'])."'");
- $userId = $tmp_sys_user['userid'];
+ $userId = $app->functions->intval($tmp_sys_user['userid']);
unset($tmp_client);
unset($tmp_sys_user);
$backlink = 'client/client_list.php';
diff --git a/interface/web/admin/remote_action_ispcupdate.php b/interface/web/admin/remote_action_ispcupdate.php
index e8c8b24..32bf0c4 100644
--- a/interface/web/admin/remote_action_ispcupdate.php
+++ b/interface/web/admin/remote_action_ispcupdate.php
@@ -81,7 +81,7 @@
foreach ($servers as $serverId) {
$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
"VALUES (".
- (int)$serverId . ", " .
+ $app->functions->intval($serverId) . ", " .
time() . ", " .
"'ispc_update', " .
"'', " .
diff --git a/interface/web/admin/remote_action_osupdate.php b/interface/web/admin/remote_action_osupdate.php
index 08925b0..4000d7f 100644
--- a/interface/web/admin/remote_action_osupdate.php
+++ b/interface/web/admin/remote_action_osupdate.php
@@ -76,7 +76,7 @@
foreach ($servers as $serverId) {
$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
"VALUES (".
- (int)$serverId . ", " .
+ $app->functions->intval($serverId) . ", " .
time() . ", " .
"'os_update', " .
"'', " .
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
index c81c6ee..caf79ef 100644
--- a/interface/web/admin/server_edit.php
+++ b/interface/web/admin/server_edit.php
@@ -54,7 +54,7 @@
global $app, $conf;
// Getting Servers
- $sql = "SELECT server_id,server_name FROM server WHERE server_id != $this->id ORDER BY server_name";
+ $sql = "SELECT server_id,server_name FROM server WHERE server_id != ".$app->functions->intval($this->id)." ORDER BY server_name";
$mirror_servers = $app->db->queryAllRecords($sql);
$mirror_server_select = '<option value="0">'.$app->tform->lng('- None -').'</option>';
if(is_array($mirror_servers)) {
diff --git a/interface/web/admin/server_ip_edit.php b/interface/web/admin/server_ip_edit.php
index be48434..c3bf380 100644
--- a/interface/web/admin/server_ip_edit.php
+++ b/interface/web/admin/server_ip_edit.php
@@ -56,7 +56,7 @@
//* Check if the server has been changed
// We do this only for the admin or reseller users, as normal clients can not change the server ID anyway
if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
- $rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ".$this->id);
+ $rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ".$app->functions->intval($this->id));
if($rec['server_id'] != $this->dataRecord["server_id"]) {
//* Add a error message and switch back to old server
$app->tform->errorMessage .= $app->lng('The Server can not be changed.');
diff --git a/interface/web/admin/server_php_edit.php b/interface/web/admin/server_php_edit.php
index e88575e..ff65c70 100644
--- a/interface/web/admin/server_php_edit.php
+++ b/interface/web/admin/server_php_edit.php
@@ -56,7 +56,7 @@
//* Check if the server has been changed
// We do this only for the admin or reseller users, as normal clients can not change the server ID anyway
if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) && isset($this->dataRecord["server_id"])) {
- $rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$this->id);
+ $rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$app->functions->intval($this->id));
if($rec['server_id'] != $this->dataRecord["server_id"]) {
//* Add a error message and switch back to old server
$app->tform->errorMessage .= $app->lng('The Server can not be changed.');
diff --git a/interface/web/admin/software_package_install.php b/interface/web/admin/software_package_install.php
index 6150709..e45f47a 100644
--- a/interface/web/admin/software_package_install.php
+++ b/interface/web/admin/software_package_install.php
@@ -50,7 +50,7 @@
//* verify the key
if($package['package_installable'] == 'key' && $install_key != '') {
- $repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ".$package['software_repo_id']);
+ $repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ".$app->db->quote($package['software_repo_id']));
$client = new SoapClient(null, array('location' => $repo['repo_url'],
'uri' => $repo['repo_url']));
@@ -62,7 +62,7 @@
$message_err = 'Verification of the key failed.';
} else {
// Store the verified key into the database
- $app->db->datalogUpdate('software_package', "package_key = '$install_key'", 'package_id', $package['package_id']);
+ $app->db->datalogUpdate('software_package', "package_key = '".$app->db->quote($install_key)."'", 'package_id', $package['package_id']);
}
} else {
$message_ok = 'Please enter the software key for the package.';
@@ -70,7 +70,7 @@
//* Install packages, if all requirements are fullfilled.
if($install_server_id > 0 && $package_name != '' && ($package['package_installable'] == 'yes' || $install_key_verified == true)) {
- $sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '$package_name' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1";
+ $sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '".$app->db->quote($package_name)."' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1";
$tmp = $app->db->queryOneRecord($sql);
$software_update_id = $tmp['software_update_id'];
@@ -118,7 +118,7 @@
$app->db->datalogUpdate('software_package', "package_config = '".$app->db->quote($package_config_str)."'", 'package_id', $package['package_id']);
$sql = "INSERT INTO `remote_user` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `remote_username`, `remote_password`, `remote_functions`) VALUES
- (1, 1, 'riud', 'riud', '', '$remote_user', '$remote_password_md5', '$remote_functions');";
+ (1, 1, 'riud', 'riud', '', '".$app->db->quote($remote_user)."', '".$app->db->quote($remote_password_md5)."', '".$app->db->quote($remote_functions)."');";
$app->db->query($sql);
@@ -127,7 +127,7 @@
}
//* Add the record to start the install process
- $insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$install_server_id', '$software_update_id','installing')";
+ $insert_data = "(package_name, server_id, software_update_id, status) VALUES ('".$app->db->quote($package_name)."', '".$app->db->quote($install_server_id)."', '".$app->db->quote($software_update_id)."','installing')";
$app->db->datalogInsert('software_update_inst', $insert_data, 'software_update_inst_id');
$message_ok = 'Starting package installation '."<a href=\"#\" onclick=\"submitForm('pageForm','admin/software_package_list.php');\">".$app->lng('next')."</a>";
diff --git a/interface/web/admin/software_package_list.php b/interface/web/admin/software_package_list.php
index e05ccc9..489b6fb 100644
--- a/interface/web/admin/software_package_list.php
+++ b/interface/web/admin/software_package_list.php
@@ -49,7 +49,7 @@
if(is_array($packages)) {
foreach($packages as $p) {
$package_name = $app->db->quote($p['name']);
- $tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = '$package_name'");
+ $tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = '".$app->db->quote($package_name)."'");
$package_title = $app->db->quote($p['title']);
$package_description = $app->db->quote($p['description']);
@@ -150,7 +150,7 @@
foreach($packages as $key => $p) {
$installed_txt = '';
foreach($servers as $s) {
- $inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = '".addslashes($p["package_name"])."' AND server_id = '".$s["server_id"]."'");
+ $inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = '".$app->db->quote($p["package_name"])."' AND server_id = '".$app->functions->intval($s["server_id"])."'");
$version = $inst['v1'].'.'.$inst['v2'].'.'.$inst['v3'].'.'.$inst['v4'];
if($inst['status'] == 'installed') {
diff --git a/interface/web/admin/software_update_list.php b/interface/web/admin/software_update_list.php
index 9a1df8a..a709e0c 100644
--- a/interface/web/admin/software_update_list.php
+++ b/interface/web/admin/software_update_list.php
@@ -161,11 +161,11 @@
foreach($installed_packages as $ip) {
// Get version number of the latest installed version
- $sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$server_id." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
+ $sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$app->functions->intval($server_id)." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
$lu = $app->db->queryOneRecord($sql);
// Get all installable updates
- $sql = "SELECT * FROM software_update WHERE v1 >= $lu[v1] AND v2 >= $lu[v2] AND v3 >= $lu[v3] AND v4 >= $lu[v4] AND package_name = '$ip[package_name]' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
+ $sql = "SELECT * FROM software_update WHERE v1 >= ".$app->functions->intval($lu['v1'])." AND v2 >= ".$app->functions->intval($lu['v2'])." AND v3 >= ".$app->functions->intval($lu['v3'])." AND v4 >= ".$app->functions->intval($lu['v4'])." AND package_name = '".$app->db->quote($ip['package_name'])."' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
$updates = $app->db->queryAllRecords($sql);
//die($sql);
diff --git a/interface/web/admin/system_config_edit.php b/interface/web/admin/system_config_edit.php
index d267c8e..eab73f6 100644
--- a/interface/web/admin/system_config_edit.php
+++ b/interface/web/admin/system_config_edit.php
@@ -178,7 +178,7 @@
if($server_config_array['misc']['maintenance_mode'] == 'y'){
//print_r($_SESSION);
//echo $_SESSION['s']['id'];
- $app->db->query("DELETE FROM sys_session WHERE session_id != '".$_SESSION['s']['id']."'");
+ $app->db->query("DELETE FROM sys_session WHERE session_id != '".$app->db->quote($_SESSION['s']['id'])."'");
}
}
diff --git a/interface/web/admin/templates/directive_snippets_edit.htm b/interface/web/admin/templates/directive_snippets_edit.htm
index 0d57c06..6522eb1 100644
--- a/interface/web/admin/templates/directive_snippets_edit.htm
+++ b/interface/web/admin/templates/directive_snippets_edit.htm
@@ -17,7 +17,7 @@
</div>
<div class="ctrlHolder">
<label for="snippet">{tmpl_var name='snippet_txt'}</label>
- <textarea name="snippet" id="snippet" rows='10' cols='50' style="width:400px;">{tmpl_var name='snippet'}</textarea>
+ <textarea name="snippet" id="snippet" rows='10' cols='50' style="width:400px;">{tmpl_var name='snippet'}</textarea><div class="nginx"> {tmpl_var name='variables_txt'}: <a href="javascript:void(0);" class="addPlaceholder">{DOCROOT}</a>, <a href="javascript:void(0);" class="addPlaceholder">{FASTCGIPASS}</a></div>
</div>
<div class="ctrlHolder">
<p class="label">{tmpl_var name='active_txt'}</p>
@@ -35,4 +35,21 @@
</div>
</div>
-</div>
\ No newline at end of file
+</div>
+<script language="JavaScript" type="text/javascript">
+
+ if(jQuery('#type').val() == 'nginx'){
+ jQuery('.nginx:hidden').show();
+ } else {
+ jQuery('.nginx:visible').hide();
+ }
+
+ jQuery('#type').change(function(){
+ if(jQuery(this).val() == 'nginx'){
+ jQuery('.nginx:hidden').show();
+ } else {
+ jQuery('.nginx:visible').hide();
+ }
+ });
+
+</script>
\ No newline at end of file
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
index d94ef61..5eab80a 100644
--- a/interface/web/admin/users_edit.php
+++ b/interface/web/admin/users_edit.php
@@ -77,7 +77,7 @@
global $app, $conf;
$client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ".$this->id);
- $client_id = $client['client_id'];
+ $client_id = $app->functions->intval($client['client_id']);
$username = $app->db->quote($this->dataRecord["username"]);
$old_username = $app->db->quote($this->oldDataRecord['username']);
diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php
index 7f1b5fb..eb54c2d 100644
--- a/interface/web/client/client_edit.php
+++ b/interface/web/client/client_edit.php
@@ -58,7 +58,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index 4275edb..199fc69 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -65,7 +65,7 @@
$tmp_client_ids = explode(',', $circle['client_ids']);
$where = array();
foreach($tmp_client_ids as $tmp_client_id){
- $where[] = 'client_id = '.$tmp_client_id;
+ $where[] = 'client_id = '.$app->functions->intval($tmp_client_id);
}
if(!empty($where)) $where_clause = ' AND ('.implode(' OR ', $where).')';
$sql = "SELECT * FROM client WHERE email != ''".$where_clause;
diff --git a/interface/web/client/reseller_edit.php b/interface/web/client/reseller_edit.php
index 3007ce0..6c67aee 100644
--- a/interface/web/client/reseller_edit.php
+++ b/interface/web/client/reseller_edit.php
@@ -60,7 +60,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
@@ -83,7 +83,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user' && $this->id == 0) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
@@ -156,7 +156,7 @@
$username = $app->db->quote($this->dataRecord["username"]);
$password = $app->db->quote($this->dataRecord["password"]);
- $modules = $conf['interface_modules_enabled'] . ',client';
+ $modules = $app->db->quote($conf['interface_modules_enabled'] . ',client');
$startmodule = (stristr($modules, 'dashboard'))?'dashboard':'client';
$usertheme = $app->db->quote($this->dataRecord["usertheme"]);
$type = 'user';
@@ -247,7 +247,7 @@
// reseller status changed
if(isset($this->dataRecord["limit_client"]) && $this->dataRecord["limit_client"] != $this->oldDataRecord["limit_client"]) {
- $modules = $conf['interface_modules_enabled'] . ',client';
+ $modules = $app->db->quote($conf['interface_modules_enabled'] . ',client');
$modules = $app->db->quote($modules);
$client_id = $this->id;
$sql = "UPDATE sys_user SET modules = '$modules' WHERE client_id = $client_id";
diff --git a/interface/web/dashboard/dashlets/limits.php b/interface/web/dashboard/dashlets/limits.php
index 2d63925..b361f6e 100644
--- a/interface/web/dashboard/dashlets/limits.php
+++ b/interface/web/dashboard/dashlets/limits.php
@@ -127,7 +127,7 @@
$tpl->setVar('is_admin', $user_is_admin);
if($user_is_admin == false) {
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT * FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
}
@@ -157,7 +157,7 @@
function _get_limit_usage($limit) {
global $app;
- $sql = "SELECT count(sys_userid) as number FROM ".$limit['db_table']." WHERE ";
+ $sql = "SELECT count(sys_userid) as number FROM ".$app->db->quote($limit['db_table'])." WHERE ";
if($limit['db_where'] != '') $sql .= $limit['db_where']." AND ";
$sql .= $app->tform->getAuthSQL('r');
$rec = $app->db->queryOneRecord($sql);
diff --git a/interface/web/dashboard/dashlets/mailquota.php b/interface/web/dashboard/dashlets/mailquota.php
index 956c4e6..68105a5 100644
--- a/interface/web/dashboard/dashlets/mailquota.php
+++ b/interface/web/dashboard/dashlets/mailquota.php
@@ -31,7 +31,7 @@
}
//print_r($monitor_data);
if($_SESSION["s"]["user"]["typ"] != 'admin'){
- $sql_where = " AND sys_groupid = ".$_SESSION['s']['user']['default_group'];
+ $sql_where = " AND sys_groupid = ".intval($_SESSION['s']['user']['default_group']);
}
$has_mailquota = false;
diff --git a/interface/web/dashboard/dashlets/quota.php b/interface/web/dashboard/dashlets/quota.php
index 1cb5671..d0d68fd 100644
--- a/interface/web/dashboard/dashlets/quota.php
+++ b/interface/web/dashboard/dashlets/quota.php
@@ -25,7 +25,7 @@
}
//print_r($monitor_data);
if($_SESSION["s"]["user"]["typ"] != 'admin'){
- $sql_where = " AND sys_groupid = ".$_SESSION['s']['user']['default_group'];
+ $sql_where = " AND sys_groupid = ".$app->functions->intval($_SESSION['s']['user']['default_group']);
}
$has_quota = false;
diff --git a/interface/web/dns/dns_a_edit.php b/interface/web/dns/dns_a_edit.php
index 99d0d99..729c3c3 100644
--- a/interface/web/dns/dns_a_edit.php
+++ b/interface/web/dns/dns_a_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -97,7 +97,7 @@
} // end if user is not admin
//* Check for duplicates where IP and hostname are the same
- $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and data = '".$this->dataRecord["data"]."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.")");
+ $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and data = '".$app->db->quote($this->dataRecord["data"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")");
if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."<br>";
unset($tmp);
diff --git a/interface/web/dns/dns_aaaa_edit.php b/interface/web/dns/dns_aaaa_edit.php
index 02aea58..ba7ae96 100644
--- a/interface/web/dns/dns_aaaa_edit.php
+++ b/interface/web/dns/dns_aaaa_edit.php
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -113,7 +113,7 @@
//* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record
$soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id);
+ $app->db->datalogUpdate('dns_rr', "sys_groupid = ".intval($soa['sys_groupid']), 'id', $this->id);
//* Update the serial number of the SOA record
$soa_id = $app->functions->intval($_POST["zone"]);
diff --git a/interface/web/dns/dns_alias_edit.php b/interface/web/dns/dns_alias_edit.php
index dc370a6..5613810 100644
--- a/interface/web/dns/dns_alias_edit.php
+++ b/interface/web/dns/dns_alias_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_cname_edit.php b/interface/web/dns/dns_cname_edit.php
index 5d9d19b..8ab1e6b 100644
--- a/interface/web/dns/dns_cname_edit.php
+++ b/interface/web/dns/dns_cname_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -97,7 +97,7 @@
} // end if user is not admin
//* Check for duplicates where IP and hostname are the same
- $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$this->dataRecord["name"]."' AND zone = '".$this->dataRecord["zone"]."' and id != ".$this->id.")");
+ $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE (type = 'A' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.") OR (type = 'CNAME' AND name = '".$app->db->quote($this->dataRecord["name"])."' AND zone = '".$app->db->quote($this->dataRecord["zone"])."' and id != ".$this->id.")");
if($tmp['number'] > 0) $app->tform->errorMessage .= $app->tform->lng("data_error_duplicate")."<br>";
unset($tmp);
diff --git a/interface/web/dns/dns_hinfo_edit.php b/interface/web/dns/dns_hinfo_edit.php
index 0c3f004..ed25dcc 100644
--- a/interface/web/dns/dns_hinfo_edit.php
+++ b/interface/web/dns/dns_hinfo_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php
index 8d72ea0..b8b4f1b 100644
--- a/interface/web/dns/dns_import.php
+++ b/interface/web/dns/dns_import.php
@@ -52,12 +52,10 @@
if (isset($_POST['server_id'])) {
$server_id = $app->functions->intval($_POST['server_id']);
$post_server_id = true;
-}
-else if (isset($_POST['server_id_value'])) {
- $server_id = $app->functions->intval($_POST['server_id_value']);
- $post_server_id = true;
- }
-else {
+} elseif (isset($_POST['server_id_value'])) {
+ $server_id = $app->functions->intval($_POST['server_id_value']);
+ $post_server_id = true;
+} else {
$server_id = 1;
$post_server_id = false;
}
@@ -106,14 +104,14 @@
if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// load the list of clients
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id'];
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".intval($client['client_id']);
$clients = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
if(is_array($clients)) {
foreach( $clients as $client) {
@@ -681,7 +679,7 @@
foreach($dns_rr as $rr)
{
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `zone`, `name`, `type`, `data`, `aux`, `ttl`, `active`) VALUES
- ('$sys_userid', '$sys_groupid', 'riud', 'riud', '', '$server_id', '$dns_soa_id', '$rr[name]', '$rr[type]', '$rr[data]', '$rr[aux]', '$rr[ttl]', 'Y')";
+ ('$sys_userid', '$sys_groupid', 'riud', 'riud', '', '$server_id', '$dns_soa_id', '".$app->db->quote($rr['name'])."', '".$app->db->quote($rr['type'])."', '".$app->db->quote($rr['data'])."', '".$app->db->quote($rr['aux'])."', '".$app->db->quote($rr['ttl'])."', 'Y')";
$dns_rr_id = $app->db->datalogInsert('dns_rr', $insert_data, 'id');
}
}
diff --git a/interface/web/dns/dns_mx_edit.php b/interface/web/dns/dns_mx_edit.php
index a839f70..7f41b78 100644
--- a/interface/web/dns/dns_mx_edit.php
+++ b/interface/web/dns/dns_mx_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -112,7 +112,7 @@
global $app, $conf;
// Check if record is existing already
- $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$this->dataRecord["name"]."' AND type = '".$this->dataRecord["type"]."' AND data = '".$this->dataRecord["data"]."' AND ".$app->tform->getAuthSQL('r'));
+ $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]);
@@ -123,7 +123,7 @@
global $app, $conf;
// Check if record is existing already
- $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$this->dataRecord["name"]."' AND type = '".$this->dataRecord["type"]."' AND data = '".$this->dataRecord["data"]."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r'));
+ $duplicate_mx = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_mx) && !empty($duplicate_mx)) $app->error($app->tform->wordbook["duplicate_mx_record_txt"]);
diff --git a/interface/web/dns/dns_ns_edit.php b/interface/web/dns/dns_ns_edit.php
index 31df6ef..b61254d 100644
--- a/interface/web/dns/dns_ns_edit.php
+++ b/interface/web/dns/dns_ns_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_ptr_edit.php b/interface/web/dns/dns_ptr_edit.php
index 323d76c..4e26f22 100644
--- a/interface/web/dns/dns_ptr_edit.php
+++ b/interface/web/dns/dns_ptr_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_rp_edit.php b/interface/web/dns/dns_rp_edit.php
index a4f81a0..62bf1a9 100644
--- a/interface/web/dns/dns_rp_edit.php
+++ b/interface/web/dns/dns_rp_edit.php
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
index a968804..ecf825d 100644
--- a/interface/web/dns/dns_slave_edit.php
+++ b/interface/web/dns/dns_slave_edit.php
@@ -87,7 +87,7 @@
} else if($app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Fill the client select field
@@ -122,7 +122,7 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_slave_zone, default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// When the record is updated
@@ -150,7 +150,7 @@
if(strlen($this->dataRecord["origin"]) > 0 && substr($this->dataRecord["origin"], -1, 1) != '.') $this->dataRecord["origin"] .= '.';
//* Check if a primary zone with the same name already exists
- $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = \"".$this->dataRecord["origin"]."\" AND server_id= \"".$this->dataRecord["server_id"]."\"");
+ $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_soa WHERE origin = \"".$app->db->quote($this->dataRecord["origin"])."\" AND server_id= \"".$app->db->quote($this->dataRecord["server_id"])."\"");
if($tmp["number"] > 0) {
$app->error($app->tform->wordbook["origin_error_unique"]);
}
@@ -162,7 +162,7 @@
global $app, $conf;
// Check if record is existing already
- $duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = '".$this->dataRecord["origin"]."' AND server_id = ".$app->functions->intval($this->dataRecord["server_id"])." AND ".$app->tform->getAuthSQL('r'));
+ $duplicate_slave = $app->db->queryOneRecord("SELECT * FROM dns_slave WHERE origin = '".$app->db->quote($this->dataRecord["origin"])."' AND server_id = ".$app->functions->intval($this->dataRecord["server_id"])." AND ".$app->tform->getAuthSQL('r'));
if(is_array($duplicate_slave) && !empty($duplicate_slave)) $app->error($app->tform->wordbook["origin_error_unique"]);
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index 3d2b6ee..08f6d3d 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -97,7 +97,7 @@
} else if($app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Fill the client select field
@@ -212,7 +212,7 @@
$this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]);
//* Check if a secondary zone with the same name already exists
- $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = \"".$this->dataRecord["origin"]."\" AND server_id = \"".$this->dataRecord["server_id"]."\"");
+ $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]);
if($tmp["number"] > 0) {
$app->error($app->tform->wordbook["origin_error_unique"]);
}
diff --git a/interface/web/dns/dns_srv_edit.php b/interface/web/dns/dns_srv_edit.php
index a382e61..e2d0bea 100644
--- a/interface/web/dns/dns_srv_edit.php
+++ b/interface/web/dns/dns_srv_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_txt_edit.php b/interface/web/dns/dns_txt_edit.php
index 2bacd35..ca5b838 100644
--- a/interface/web/dns/dns_txt_edit.php
+++ b/interface/web/dns/dns_txt_edit.php
@@ -57,7 +57,7 @@
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index 2b657a1..f01cb57 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -49,12 +49,10 @@
if (isset($_POST['server_id'])) {
$server_id = $app->functions->intval($_POST['server_id']);
$post_server_id = true;
-}
-else if (isset($_POST['server_id_value'])) {
- $server_id = $app->functions->intval($_POST['server_id_value']);
- $post_server_id = true;
- }
-else {
+} elseif (isset($_POST['server_id_value'])) {
+ $server_id = $app->functions->intval($_POST['server_id_value']);
+ $post_server_id = true;
+} else {
$server_id = 1;
$post_server_id = false;
}
@@ -102,14 +100,14 @@
if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// load the list of clients
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id'];
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id']);
$clients = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
if(is_array($clients)) {
foreach( $clients as $client) {
@@ -149,7 +147,7 @@
}
-$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '$template_id'");
+$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '".$app->functions->intval($template_id)."'");
$fields = explode(',', $template_record['fields']);
if(is_array($fields)) {
foreach($fields as $field) {
diff --git a/interface/web/help/faq_list.php b/interface/web/help/faq_list.php
index 2f48b4d..53b2992 100644
--- a/interface/web/help/faq_list.php
+++ b/interface/web/help/faq_list.php
@@ -18,7 +18,7 @@
// Optional limit
$hf_section = 0;
if(isset($_GET['hfs_id']))
- $hf_section = preg_replace("/[^0-9]/", "", $_GET['hfs_id']);
+ $hf_section = $app->functions->intval(preg_replace("/[^0-9]/", "", $_GET['hfs_id']));
// if section id is not specified in the url, choose the first existing section
if(!$hf_section)
diff --git a/interface/web/help/support_message_edit.php b/interface/web/help/support_message_edit.php
index a3b6fa5..2d47bbf 100644
--- a/interface/web/help/support_message_edit.php
+++ b/interface/web/help/support_message_edit.php
@@ -33,7 +33,7 @@
//* Get recipient email address
if($this->dataRecord['recipient_id'] > 1){
- $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$this->dataRecord['recipient_id']." AND sys_user.client_id = client.client_id";
+ $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." AND sys_user.client_id = client.client_id";
$client = $app->db->queryOneRecord($sql);
$recipient_email = $client['email'];
} else {
@@ -44,7 +44,7 @@
//* Get sender email address
if($this->dataRecord['sender_id'] > 1){
- $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$this->dataRecord['sender_id']." AND sys_user.client_id = client.client_id";
+ $sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['sender_id'])." AND sys_user.client_id = client.client_id";
$client = $app->db->queryOneRecord($sql);
$sender_email = $client['email'];
} else {
@@ -113,7 +113,7 @@
global $app, $conf;
if($_SESSION['s']['user']['typ'] == 'admin') {
- $app->db->query("UPDATE support_message SET sys_userid = ".$this->dataRecord['recipient_id']." WHERE support_message_id = ".$this->id);
+ $app->db->query("UPDATE support_message SET sys_userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." WHERE support_message_id = ".$this->id);
}
}
diff --git a/interface/web/help/support_message_list.php b/interface/web/help/support_message_list.php
index 42db17d..02b50aa 100644
--- a/interface/web/help/support_message_list.php
+++ b/interface/web/help/support_message_list.php
@@ -12,7 +12,7 @@
$app->uses('listform_actions');
//* Optional limit
-$app->listform_actions->SQLExtWhere = "support_message.recipient_id = ".$_SESSION['s']['user']['userid'];
+$app->listform_actions->SQLExtWhere = "support_message.recipient_id = ".$app->functions->intval($_SESSION['s']['user']['userid']);
//* Start the form rendering and action ahndling
$app->listform_actions->onLoad();
diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php
index 30eae14..ba08717 100644
--- a/interface/web/mail/mail_alias_edit.php
+++ b/interface/web/mail/mail_alias_edit.php
@@ -107,7 +107,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailalias FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -124,7 +124,7 @@
// compose the email field
$this->dataRecord["source"] = $_POST["email_local_part"]."@".$app->functions->idn_encode($_POST["email_domain"]);
// Set the server id of the mailbox = server ID of mail domain.
- $this->dataRecord["server_id"] = $domain["server_id"];
+ $this->dataRecord["server_id"] = $app->functions->intval($domain["server_id"]);
unset($this->dataRecord["email_local_part"]);
unset($this->dataRecord["email_domain"]);
@@ -150,7 +150,7 @@
global $app;
$domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("update mail_forwarding SET sys_groupid = ".$domain['sys_groupid']." WHERE forwarding_id = ".$this->id);
+ $app->db->query("update mail_forwarding SET sys_groupid = ".$app->functions->intval($domain['sys_groupid'])." WHERE forwarding_id = ".$this->id);
}
diff --git a/interface/web/mail/mail_aliasdomain_edit.php b/interface/web/mail/mail_aliasdomain_edit.php
index 0f2c684..25e0484 100644
--- a/interface/web/mail/mail_aliasdomain_edit.php
+++ b/interface/web/mail/mail_aliasdomain_edit.php
@@ -120,7 +120,7 @@
$this->dataRecord["source"] = "@".$app->db->quote($this->dataRecord["source"]);
$this->dataRecord["destination"] = "@".$app->db->quote($this->dataRecord["destination"]);
// Set the server id of the mailbox = server ID of mail domain.
- $this->dataRecord["server_id"] = $domain["server_id"];
+ $this->dataRecord["server_id"] = $app->functions->intval($domain["server_id"]);
parent::onSubmit();
}
@@ -129,7 +129,7 @@
global $app;
$domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["destination"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("update mail_forwarding SET sys_groupid = ".$domain['sys_groupid']." WHERE forwarding_id = ".$this->id);
+ $app->db->query("update mail_forwarding SET sys_groupid = ".$app->functions->intval($domain['sys_groupid'])." WHERE forwarding_id = ".$this->id);
}
diff --git a/interface/web/mail/mail_blacklist_edit.php b/interface/web/mail/mail_blacklist_edit.php
index 2358ef9..23f7516 100644
--- a/interface/web/mail/mail_blacklist_edit.php
+++ b/interface/web/mail/mail_blacklist_edit.php
@@ -89,7 +89,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php
index db49e46..8072949 100644
--- a/interface/web/mail/mail_domain_catchall_edit.php
+++ b/interface/web/mail/mail_domain_catchall_edit.php
@@ -100,7 +100,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailcatchall FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another catchall
@@ -128,7 +128,7 @@
global $app;
$domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("update mail_forwarding SET sys_groupid = ".$domain['sys_groupid']." WHERE forwarding_id = ".$this->id);
+ $app->db->query("update mail_forwarding SET sys_groupid = ".$app->functions->intval($domain['sys_groupid'])." WHERE forwarding_id = ".$this->id);
}
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index 04ec475..ed6ee53 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -97,9 +97,9 @@
unset($tmp);
// Fill the client select field
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY sys_group.name";
$clients = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
//$tmp_data_record = $app->tform->getDataRecord($this->id);
if(is_array($clients)) {
@@ -175,7 +175,7 @@
// Get the spamfilter policys for the user
- $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '@".$this->dataRecord["domain"]."'");
+ $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '@".$app->db->quote($this->dataRecord["domain"])."'");
$sql = "SELECT id, policy_name FROM spamfilter_policy WHERE ".$app->tform->getAuthSQL('r');
$policys = $app->db->queryAllRecords($sql);
$policy_select = "<option value='0'>".$app->tform->wordbook["no_policy"]."</option>";
@@ -219,8 +219,8 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
- $client = $app->db->queryOneRecord("SELECT limit_maildomain, mail_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
+ $client = $app->db->queryOneRecord("SELECT limit_maildomain, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// When the record is updated
if($this->id > 0) {
// restore the server ID if the user is not admin and record is edited
@@ -280,7 +280,7 @@
$tmp_domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain_id = ".$this->id);
// We create a new record
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `priority`, `policy_id`, `email`, `fullname`, `local`)
- VALUES (".$_SESSION["s"]["user"]["userid"].", ".$tmp_domain["sys_groupid"].", 'riud', 'riud', '', ".$this->dataRecord["server_id"].", 5, ".$policy_id.", '@".$app->db->quote($this->dataRecord["domain"])."', '@".$app->db->quote($this->dataRecord["domain"])."', 'Y')";
+ VALUES (".$_SESSION["s"]["user"]["userid"].", ".$app->functions->intval($tmp_domain["sys_groupid"]).", 'riud', 'riud', '', ".$app->functions->intval($this->dataRecord["server_id"]).", 5, ".$app->functions->intval($policy_id).", '@".$app->db->quote($this->dataRecord["domain"])."', '@".$app->db->quote($this->dataRecord["domain"])."', 'Y')";
$app->db->datalogInsert('spamfilter_users', $insert_data, 'id');
unset($tmp_domain);
}
@@ -344,7 +344,7 @@
$tmp_domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain_id = ".$this->id);
// We create a new record
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `priority`, `policy_id`, `email`, `fullname`, `local`)
- VALUES (".$_SESSION["s"]["user"]["userid"].", ".$tmp_domain["sys_groupid"].", 'riud', 'riud', '', ".$this->dataRecord["server_id"].", 5, ".$policy_id.", '@".$app->db->quote($this->dataRecord["domain"])."', '@".$app->db->quote($this->dataRecord["domain"])."', 'Y')";
+ VALUES (".$_SESSION["s"]["user"]["userid"].", ".$tmp_domain["sys_groupid"].", 'riud', 'riud', '', ".$app->functions->intval($this->dataRecord["server_id"]).", 5, ".$app->functions->intval($policy_id).", '@".$app->db->quote($this->dataRecord["domain"])."', '@".$app->db->quote($this->dataRecord["domain"])."', 'Y')";
$app->db->datalogInsert('spamfilter_users', $insert_data, 'id');
unset($tmp_domain);
}
@@ -361,9 +361,9 @@
//* Update the mailboxes
$mailusers = $app->db->queryAllRecords("SELECT * FROM mail_user WHERE email like '%@".$app->db->quote($this->oldDataRecord['domain'])."'");
- $sys_groupid = (isset($this->dataRecord['client_group_id']))?$this->dataRecord['client_group_id']:$this->oldDataRecord['sys_groupid'];
+ $sys_groupid = $app->functions->intval((isset($this->dataRecord['client_group_id']))?$this->dataRecord['client_group_id']:$this->oldDataRecord['sys_groupid']);
$tmp = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE default_group = $client_group_id");
- $client_user_id = ($tmp['userid'] > 0)?$tmp['userid']:1;
+ $client_user_id = $app->functions->intval(($tmp['userid'] > 0)?$tmp['userid']:1);
if(is_array($mailusers)) {
foreach($mailusers as $rec) {
// setting Maildir, Homedir, UID and GID
diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php
index 808e394..8add148 100644
--- a/interface/web/mail/mail_forward_edit.php
+++ b/interface/web/mail/mail_forward_edit.php
@@ -99,7 +99,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailforward FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
@@ -132,7 +132,7 @@
global $app;
$domain = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("update mail_forwarding SET sys_groupid = ".$domain['sys_groupid']." WHERE forwarding_id = ".$this->id);
+ $app->db->query("update mail_forwarding SET sys_groupid = ".$app->functions->intval($domain['sys_groupid'])." WHERE forwarding_id = ".$this->id);
}
diff --git a/interface/web/mail/mail_get_edit.php b/interface/web/mail/mail_get_edit.php
index 815990f..70d1fb2 100644
--- a/interface/web/mail/mail_get_edit.php
+++ b/interface/web/mail/mail_get_edit.php
@@ -78,7 +78,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_fetchmail FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another transport.
@@ -109,7 +109,7 @@
global $app;
$tmp = $app->db->queryOneRecord("SELECT sys_groupid FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["destination"])."'");
- $app->db->query("update mail_get SET sys_groupid = ".$tmp['sys_groupid']." WHERE mailget_id = ".$this->id);
+ $app->db->query("update mail_get SET sys_groupid = ".$app->functions->intval($tmp['sys_groupid'])." WHERE mailget_id = ".$this->id);
}
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
index 837995c..3c9cf95 100644
--- a/interface/web/mail/mail_mailinglist_edit.php
+++ b/interface/web/mail/mail_mailinglist_edit.php
@@ -92,9 +92,9 @@
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.default_mailserver, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id order by contact_name");
// Fill the client select field
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".intval($client['client_id'])." ORDER BY sys_group.name";
$clients = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
$tmp_data_record = $app->tform->getDataRecord($this->id);
if(is_array($clients)) {
@@ -137,29 +137,29 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailmailinglist, default_mailserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* Check if Domain belongs to user
if(isset($_POST["domain"])) {
- $domain = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = '".$this->dataRecord["domain"]."' AND ".$app->tform->getAuthSQL('r'));
+ $domain = $app->db->queryOneRecord("SELECT domain FROM mail_domain WHERE domain = '".$app->db->quote($this->dataRecord["domain"])."' AND ".$app->tform->getAuthSQL('r'));
if($domain["domain"] != $this->dataRecord["domain"]) $app->tform->errorMessage .= $app->tform->lng("no_domain_perm");
}
// When the record is updated
if($this->id == 0) {
//Check if email is in use
- $check = $app->db->queryOneRecord("SELECT count(source) as number FROM mail_forwarding WHERE source = '".$this->dataRecord["listname"]."@".$this->dataRecord["domain"]."'");
+ $check = $app->db->queryOneRecord("SELECT count(source) as number FROM mail_forwarding WHERE source = '".$app->db->quote($this->dataRecord["listname"])."@".$app->db->quote($this->dataRecord["domain"])."'");
if($check['number'] != 0) {
$app->error($app->tform->wordbook["email_in_use_txt"]);
}
- $check = $app->db->queryOneRecord("SELECT count(email) as number FROM mail_user WHERE email = '".$this->dataRecord["listname"]."@".$this->dataRecord["domain"]."'");
+ $check = $app->db->queryOneRecord("SELECT count(email) as number FROM mail_user WHERE email = '".$app->db->quote($this->dataRecord["listname"])."@".$app->db->quote($this->dataRecord["domain"])."'");
if($check['number'] != 0) {
$app->error($app->tform->wordbook["email_in_use_txt"]);
}
- $check = $app->db->queryOneRecord("SELECT count(mailinglist_id) as number FROM mail_mailinglist WHERE listname = '".$this->dataRecord["listname"]."' AND domain = '".$this->dataRecord["domain"]."'");
+ $check = $app->db->queryOneRecord("SELECT count(mailinglist_id) as number FROM mail_mailinglist WHERE listname = '".$app->db->quote($this->dataRecord["listname"])."' AND domain = '".$app->db->quote($this->dataRecord["domain"])."'");
if($check['number'] != 0) {
$app->error($app->tform->wordbook["email_in_use_txt"]);
}
@@ -187,7 +187,7 @@
global $app, $conf;
// Set the server id of the mailinglist = server ID of mail domain.
- $domain = $app->db->queryOneRecord("SELECT server_id FROM mail_domain WHERE domain = '".$this->dataRecord["domain"]."'");
+ $domain = $app->db->queryOneRecord("SELECT server_id FROM mail_domain WHERE domain = '".$app->db->quote($this->dataRecord["domain"])."'");
$this->dataRecord["server_id"] = $domain['server_id'];
}
diff --git a/interface/web/mail/mail_spamfilter_edit.php b/interface/web/mail/mail_spamfilter_edit.php
index 50ecb4f..1219f9f 100644
--- a/interface/web/mail/mail_spamfilter_edit.php
+++ b/interface/web/mail/mail_spamfilter_edit.php
@@ -76,7 +76,7 @@
}
// Changing maildir to mailbox_id
- $sql = "SELECT mailbox_id FROM mail_box WHERE maildir = '".$this->dataRecord["spam_redirect_maildir"]."' AND ".$app->tform->getAuthSQL('r');
+ $sql = "SELECT mailbox_id FROM mail_box WHERE maildir = '".$app->db->quote($this->dataRecord["spam_redirect_maildir"])."' AND ".$app->tform->getAuthSQL('r');
$mailbox = $app->db->queryOneRecord($sql);
$this->dataRecord["spam_redirect_maildir"] = $mailbox["mailbox_id"];
diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php
index 51abd68..d9ce8e8 100644
--- a/interface/web/mail/mail_transport_edit.php
+++ b/interface/web/mail/mail_transport_edit.php
@@ -133,7 +133,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailrouting FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another transport.
diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
index 7e983ae..f71aa7d 100644
--- a/interface/web/mail/mail_user_edit.php
+++ b/interface/web/mail/mail_user_edit.php
@@ -92,7 +92,7 @@
unset($domain_select);
// Get the spamfilter policys for the user
- $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '".$this->dataRecord["email"]."'");
+ $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '".$app->db->quote($this->dataRecord["email"])."'");
$sql = "SELECT id, policy_name FROM spamfilter_policy WHERE ".$app->tform->getAuthSQL('r');
$policys = $app->db->queryAllRecords($sql);
$policy_select = "<option value='0'>".$app->tform->lng("no_policy")."</option>";
@@ -152,7 +152,7 @@
//* Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailbox, limit_mailquota FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
@@ -234,7 +234,7 @@
// Set the domain owner as mailbox owner
$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("UPDATE mail_user SET sys_groupid = ".$domain["sys_groupid"]." WHERE mailuser_id = ".$this->id);
+ $app->db->query("UPDATE mail_user SET sys_groupid = ".$app->functions->intval($domain["sys_groupid"])." WHERE mailuser_id = ".$this->id);
// Spamfilter policy
$policy_id = $app->functions->intval($this->dataRecord["policy"]);
@@ -246,7 +246,7 @@
} else {
// We create a new record
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `priority`, `policy_id`, `email`, `fullname`, `local`)
- VALUES (".$_SESSION["s"]["user"]["userid"].", ".$domain["sys_groupid"].", 'riud', 'riud', '', ".$domain["server_id"].", 10, ".$policy_id.", '".$app->db->quote($this->dataRecord["email"])."', '".$app->db->quote($this->dataRecord["email"])."', 'Y')";
+ VALUES (".$app->functions->intval($_SESSION["s"]["user"]["userid"]).", ".$app->functions->intval($domain["sys_groupid"]).", 'riud', 'riud', '', ".$app->functions->intval($domain["server_id"]).", 10, ".$app->functions->intval($policy_id).", '".$app->db->quote($this->dataRecord["email"])."', '".$app->db->quote($this->dataRecord["email"])."', 'Y')";
$app->db->datalogInsert('spamfilter_users', $insert_data, 'id');
}
} // endif spamfilter policy
@@ -270,7 +270,7 @@
// Set the domain owner as mailbox owner
if(isset($_POST["email_domain"])) {
$domain = $app->db->queryOneRecord("SELECT sys_groupid, server_id FROM mail_domain WHERE domain = '".$app->db->quote($app->functions->idn_encode($_POST["email_domain"]))."' AND ".$app->tform->getAuthSQL('r'));
- $app->db->query("UPDATE mail_user SET sys_groupid = ".$domain["sys_groupid"]." WHERE mailuser_id = ".$this->id);
+ $app->db->query("UPDATE mail_user SET sys_groupid = ".$app->functions->intval($domain["sys_groupid"])." WHERE mailuser_id = ".$this->id);
// Spamfilter policy
$policy_id = $app->functions->intval($this->dataRecord["policy"]);
@@ -282,7 +282,7 @@
} else {
// We create a new record
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `priority`, `policy_id`, `email`, `fullname`, `local`)
- VALUES (".$_SESSION["s"]["user"]["userid"].", ".$domain["sys_groupid"].", 'riud', 'riud', '', ".$domain["server_id"].", 10, ".$policy_id.", '".$app->db->quote($this->dataRecord["email"])."', '".$app->db->quote($this->dataRecord["email"])."', 'Y')";
+ VALUES (".$app->functions->intval($_SESSION["s"]["user"]["userid"]).", ".$app->functions->intval($domain["sys_groupid"]).", 'riud', 'riud', '', ".$app->functions->intval($domain["server_id"]).", 10, ".$app->functions->intval($policy_id).", '".$app->db->quote($this->dataRecord["email"])."', '".$app->db->quote($this->dataRecord["email"])."', 'Y')";
$app->db->datalogInsert('spamfilter_users', $insert_data, 'id');
}
}else {
diff --git a/interface/web/mail/mail_user_filter_edit.php b/interface/web/mail/mail_user_filter_edit.php
index be62674..c4331a2 100644
--- a/interface/web/mail/mail_user_filter_edit.php
+++ b/interface/web/mail/mail_user_filter_edit.php
@@ -84,7 +84,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another filter
@@ -99,162 +99,6 @@
parent::onSubmit();
}
-
- /*
- function onAfterInsert() {
- global $app, $conf;
-
- $this->onAfterUpdate();
-
- $app->db->query("UPDATE mail_user_filter SET sys_groupid = ".$mailuser['sys_groupid']." WHERE filter_id = ".$this->id);
- }
-
- function onAfterUpdate() {
- global $app, $conf;
-
- $mailuser = $app->db->queryOneRecord("SELECT custom_mailfilter FROM mail_user WHERE mailuser_id = ".$this->dataRecord["mailuser_id"]);
- $skip = false;
- $lines = explode("\n",$mailuser['custom_mailfilter']);
- $out = '';
- $found = false;
-
- foreach($lines as $line) {
- $line = rtrim($line);
- if($line == '### BEGIN FILTER_ID:'.$this->id) {
- $skip = true;
- $found = true;
- }
- if($skip == false && $line != '') $out .= $line ."\n";
- if($line == '### END FILTER_ID:'.$this->id) {
- $out .= $this->getRule();
- $skip = false;
- }
- }
-
- // We did not found our rule, so we add it now as first rule.
- if($found == false) {
- $new_rule = $this->getRule();
- $out = $new_rule . $out;
- }
-
- $out = $app->db->quote($out);
- $app->db->datalogUpdate('mail_user', "custom_mailfilter = '$out'", 'mailuser_id', $this->dataRecord["mailuser_id"]);
-
- }
-
- function getRule() {
-
- global $app,$conf;
-
- $app->uses("getconf");
- $mailuser_rec = $app->db->queryOneRecord("SELECT server_id FROM mail_user WHERE mailuser_id = ".$app->functions->intval($this->dataRecord["mailuser_id"]));
- $mail_config = $app->getconf->get_server_config($app->functions->intval($mailuser_rec["server_id"]),'mail');
-
- if($mail_config['mail_filter_syntax'] == 'sieve') {
-
- // #######################################################
- // Filter in Sieve Syntax
- // #######################################################
-
- $content = '';
- $content .= '### BEGIN FILTER_ID:'.$this->id."\n";
-
- //$content .= 'require ["fileinto", "regex", "vacation"];'."\n";
-
- $content .= 'if header :regex ["'.strtolower($this->dataRecord["source"]).'"] ["';
-
- $searchterm = preg_quote($this->dataRecord["searchterm"]);
-
- if($this->dataRecord["op"] == 'contains') {
- $content .= ".*".$searchterm;
- } elseif ($this->dataRecord["op"] == 'is') {
- $content .= $searchterm."$";
- } elseif ($this->dataRecord["op"] == 'begins') {
- $content .= " ".$searchterm."";
- } elseif ($this->dataRecord["op"] == 'ends') {
- $content .= ".*".$searchterm."$";
- }
-
- $content .= '"] {'."\n";
-
- if($this->dataRecord["action"] == 'move') {
- $content .= ' fileinto "'.$this->dataRecord["target"].'";' . "\n";
- } else {
- $content .= " discard;\n";
- }
-
- $content .= " stop;\n}\n";
-
- $content .= '### END FILTER_ID:'.$this->id."\n";
-
- } else {
-
- // #######################################################
- // Filter in Maildrop Syntax
- // #######################################################
- $content = '';
- $content .= '### BEGIN FILTER_ID:'.$this->id."\n";
-
- $TargetNoQuotes = $this->dataRecord["target"];
- $TargetQuotes = "\"$TargetNoQuotes\"";
-
- $TestChDirNoQuotes = '$DEFAULT/.'.$TargetNoQuotes;
- $TestChDirQuotes = "\"$TestChDirNoQuotes\"";
-
- $MailDirMakeNoQuotes = $TargetQuotes.' $DEFAULT';
-
- $EchoTargetFinal = $TargetNoQuotes;
-
-
- if($this->dataRecord["action"] == 'move') {
-
- $content .= "
-`test -e ".$TestChDirQuotes." && exit 1 || exit 0`
-if ( ".'$RETURNCODE'." != 1 )
-{
- `maildirmake -f $MailDirMakeNoQuotes`
- `chmod -R 0700 ".$TestChDirQuotes."`
- `echo \"INBOX.$EchoTargetFinal\" >> ".'$DEFAULT'."/courierimapsubscribed`
-}
-";
- }
-
- $content .= "if (/^".$this->dataRecord["source"].":";
-
- $searchterm = preg_quote($this->dataRecord["searchterm"]);
-
- if($this->dataRecord["op"] == 'contains') {
- $content .= ".*".$searchterm."/:h)\n";
- } elseif ($this->dataRecord["op"] == 'is') {
- $content .= $searchterm."$/:h)\n";
- } elseif ($this->dataRecord["op"] == 'begins') {
- $content .= " ".$searchterm."/:h)\n";
- } elseif ($this->dataRecord["op"] == 'ends') {
- $content .= ".*".$searchterm."$/:h)\n";
- }
-
- $content .= "{\n";
- $content .= "exception {\n";
-
- if($this->dataRecord["action"] == 'move') {
- $content .= 'ID' . "$this->id" . 'EndFolder = "$DEFAULT/.' . $this->dataRecord['target'] . '/"' . "\n";
- $content .= "to ". '$ID' . "$this->id" . 'EndFolder' . "\n";
- } else {
- $content .= "to /dev/null\n";
- }
-
- $content .= "}\n";
- $content .= "}\n";
-
- //}
-
- $content .= '### END FILTER_ID:'.$this->id."\n";
-
- }
-
- return $content;
- }
- */
}
diff --git a/interface/web/mail/mail_user_stats.php b/interface/web/mail/mail_user_stats.php
index 2e385e7..e922e3d 100644
--- a/interface/web/mail/mail_user_stats.php
+++ b/interface/web/mail/mail_user_stats.php
@@ -32,22 +32,22 @@
//* Set the statistics colums
//** Traffic of the current month
$tmp_date = date('Y-m');
- $tmp_rec = $app->db->queryOneRecord("SELECT traffic as t FROM mail_traffic WHERE mailuser_id = ".$rec['mailuser_id']." AND month = '$tmp_date'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT traffic as t FROM mail_traffic WHERE mailuser_id = ".$app->functions->intval($rec['mailuser_id'])." AND month = '$tmp_date'");
$rec['this_month'] = number_format($app->functions->intval($tmp_rec['t'])/1024/1024, 0, '.', ' ');
//** Traffic of the current year
$tmp_date = date('Y');
- $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic) as t FROM mail_traffic WHERE mailuser_id = ".$rec['mailuser_id']." AND month like '$tmp_date%'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic) as t FROM mail_traffic WHERE mailuser_id = ".$app->functions->intval($rec['mailuser_id'])." AND month like '$tmp_date%'");
$rec['this_year'] = number_format($app->functions->intval($tmp_rec['t'])/1024/1024, 0, '.', ' ');
//** Traffic of the last month
$tmp_date = date('Y-m', mktime(0, 0, 0, date("m")-1, date("d"), date("Y")));
- $tmp_rec = $app->db->queryOneRecord("SELECT traffic as t FROM mail_traffic WHERE mailuser_id = ".$rec['mailuser_id']." AND month = '$tmp_date'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT traffic as t FROM mail_traffic WHERE mailuser_id = ".$app->functions->intval($rec['mailuser_id'])." AND month = '$tmp_date'");
$rec['last_month'] = number_format($app->functions->intval($tmp_rec['t'])/1024/1024, 0, '.', ' ');
//** Traffic of the last year
$tmp_date = date('Y', mktime(0, 0, 0, date("m"), date("d"), date("Y")-1));
- $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic) as t FROM mail_traffic WHERE mailuser_id = ".$rec['mailuser_id']." AND month like '$tmp_date%'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic) as t FROM mail_traffic WHERE mailuser_id = ".$app->functions->intval($rec['mailuser_id'])." AND month like '$tmp_date%'");
$rec['last_year'] = number_format($app->functions->intval($tmp_rec['t'])/1024/1024, 0, '.', ' ');
//* The variable "id" contains always the index variable
diff --git a/interface/web/mail/mail_whitelist_edit.php b/interface/web/mail/mail_whitelist_edit.php
index 67075e2..b55db9c 100644
--- a/interface/web/mail/mail_whitelist_edit.php
+++ b/interface/web/mail/mail_whitelist_edit.php
@@ -88,7 +88,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mail/spamfilter_blacklist_edit.php b/interface/web/mail/spamfilter_blacklist_edit.php
index a601674..b7b6391 100644
--- a/interface/web/mail/spamfilter_blacklist_edit.php
+++ b/interface/web/mail/spamfilter_blacklist_edit.php
@@ -89,7 +89,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mail/spamfilter_config_edit.php b/interface/web/mail/spamfilter_config_edit.php
index aeba3f4..3584c2f 100644
--- a/interface/web/mail/spamfilter_config_edit.php
+++ b/interface/web/mail/spamfilter_config_edit.php
@@ -83,7 +83,7 @@
$server_config_array[$section] = $app->tform->encode($this->dataRecord, $section);
$server_config_str = $app->ini_parser->get_ini_string($server_config_array);
- $sql = "UPDATE server SET config = '".$app->db->quote($server_config_str)."' WHERE server_id = ".$server_id;
+ $sql = "UPDATE server SET config = '".$app->db->quote($server_config_str)."' WHERE server_id = ".$app->functions->intval($server_id);
$app->db->query($sql);
}
diff --git a/interface/web/mail/spamfilter_policy_edit.php b/interface/web/mail/spamfilter_policy_edit.php
index 0321cb5..0b94d5d 100644
--- a/interface/web/mail/spamfilter_policy_edit.php
+++ b/interface/web/mail/spamfilter_policy_edit.php
@@ -71,7 +71,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_spamfilter_policy FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mail/spamfilter_users_edit.php b/interface/web/mail/spamfilter_users_edit.php
index c1e50f3..488d951 100644
--- a/interface/web/mail/spamfilter_users_edit.php
+++ b/interface/web/mail/spamfilter_users_edit.php
@@ -87,7 +87,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_spamfilter_user FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mail/spamfilter_whitelist_edit.php b/interface/web/mail/spamfilter_whitelist_edit.php
index f73023f..227f538 100644
--- a/interface/web/mail/spamfilter_whitelist_edit.php
+++ b/interface/web/mail/spamfilter_whitelist_edit.php
@@ -89,7 +89,7 @@
// Check the client limits, if user is not the admin
if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_spamfilter_wblist FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another mailbox.
diff --git a/interface/web/mailuser/index.php b/interface/web/mailuser/index.php
index 05f150b..73505ae 100644
--- a/interface/web/mailuser/index.php
+++ b/interface/web/mailuser/index.php
@@ -17,7 +17,7 @@
include $lng_file;
$app->tpl->setVar($wb);
-$sql = "SELECT * FROM mail_user WHERE mailuser_id = ".$_SESSION['s']['user']['mailuser_id'];
+$sql = "SELECT * FROM mail_user WHERE mailuser_id = ".$app->functions->intval($_SESSION['s']['user']['mailuser_id']);
$rec = $app->db->queryOneRecord($sql);
if($rec['quota'] == 0) {
@@ -30,7 +30,7 @@
$app->tpl->setVar($rec);
-$sql2 = "SELECT * FROM server WHERE server_id = ".$rec['server_id'];
+$sql2 = "SELECT * FROM server WHERE server_id = ".$app->functions->intval($rec['server_id']);
$rec2 = $app->db->queryOneRecord($sql2);
$app->tpl->setVar($rec2);
diff --git a/interface/web/mailuser/mail_user_filter_edit.php b/interface/web/mailuser/mail_user_filter_edit.php
index 9274e3d..ff93bd9 100644
--- a/interface/web/mailuser/mail_user_filter_edit.php
+++ b/interface/web/mailuser/mail_user_filter_edit.php
@@ -83,7 +83,7 @@
// Check the client limits if the email address is assigned to a client
if($_SESSION["s"]["user"]["default_group"] > 0) { // if user is not admin
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_mailfilter FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another filter
diff --git a/interface/web/mailuser/mail_user_filter_list.php b/interface/web/mailuser/mail_user_filter_list.php
index cda05d3..6dad087 100644
--- a/interface/web/mailuser/mail_user_filter_list.php
+++ b/interface/web/mailuser/mail_user_filter_list.php
@@ -24,7 +24,7 @@
$list = new list_action;
-$list->SQLExtWhere = "mail_user_filter.mailuser_id = ".$_SESSION['s']['user']['mailuser_id'];
+$list->SQLExtWhere = "mail_user_filter.mailuser_id = ".$app->functions->intval($_SESSION['s']['user']['mailuser_id']);
$list->onLoad();
diff --git a/interface/web/mailuser/mail_user_password_edit.php b/interface/web/mailuser/mail_user_password_edit.php
index 5bbcedb..f6d6d78 100644
--- a/interface/web/mailuser/mail_user_password_edit.php
+++ b/interface/web/mailuser/mail_user_password_edit.php
@@ -52,7 +52,7 @@
function onSubmit() {
- $this->id = $_SESSION['s']['user']['mailuser_id'];
+ $this->id = $app->functions->intval($_SESSION['s']['user']['mailuser_id']);
parent::onSubmit();
diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php
index 632a507..dfc397d 100644
--- a/interface/web/mailuser/mail_user_spamfilter_edit.php
+++ b/interface/web/mailuser/mail_user_spamfilter_edit.php
@@ -52,7 +52,7 @@
function onShow() {
- $this->id = $_SESSION['s']['user']['mailuser_id'];
+ $this->id = $app->functions->intval($_SESSION['s']['user']['mailuser_id']);
parent::onShow();
@@ -61,7 +61,7 @@
function onSubmit() {
global $app;
- $this->id = $_SESSION['s']['user']['mailuser_id'];
+ $this->id = $app->functions->intval($_SESSION['s']['user']['mailuser_id']);
parent::onSubmit();
@@ -85,7 +85,7 @@
} else {
// We create a new record
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `priority`, `policy_id`, `email`, `fullname`, `local`)
- VALUES (".$domain["sys_userid"].", ".$domain["sys_groupid"].", 'riud', 'riud', '', ".$domain["server_id"].", 10, ".$policy_id.", '".$app->db->quote($rec["email"])."', '".$app->db->quote($rec["email"])."', 'Y')";
+ VALUES (".$app->functions->intval($domain["sys_userid"]).", ".$app->functions->intval($domain["sys_groupid"]).", 'riud', 'riud', '', ".$app->functions->intval($domain["server_id"]).", 10, ".$app->functions->intval($policy_id).", '".$app->db->quote($rec["email"])."', '".$app->db->quote($rec["email"])."', 'Y')";
$app->db->datalogInsert('spamfilter_users', $insert_data, 'id');
}
}else {
@@ -103,7 +103,7 @@
$app->tpl->setVar("email", $rec['email']);
// Get the spamfilter policys for the user
- $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '".$rec['email']."'");
+ $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = '".$app->db->quote($rec['email'])."'");
$sql = "SELECT id, policy_name FROM spamfilter_policy WHERE ".$app->tform->getAuthSQL('r');
$policys = $app->db->queryAllRecords($sql);
$policy_select = "<option value='0'>".$app->tform->lng("no_policy")."</option>";
diff --git a/interface/web/sites/ajax_get_json.php b/interface/web/sites/ajax_get_json.php
index 6800897..ddf7d85 100644
--- a/interface/web/sites/ajax_get_json.php
+++ b/interface/web/sites/ajax_get_json.php
@@ -74,7 +74,7 @@
//* Client: If the logged in user is not admin and has no sub clients (no reseller)
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
- $sql_where = " AND (client_id = 0 OR client_id = ".$_SESSION["s"]["user"]["client_id"] . ")";
+ $sql_where = " AND (client_id = 0 OR client_id = ".$app->functions->intval($_SESSION["s"]["user"]["client_id"]) . ")";
//* Reseller: If the logged in user is not admin and has sub clients (is a reseller)
} elseif ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
$client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = $client_group_id");
@@ -158,7 +158,7 @@
$sql = "SELECT sys_groupid FROM web_domain WHERE domain_id = $web_id AND ".$app->tform->getAuthSQL('r');
$group = $app->db->queryOneRecord($sql);
if($group) {
- $sql = "SELECT database_user_id, database_user FROM web_database_user WHERE sys_groupid = '" . $group['sys_groupid'] . "'";
+ $sql = "SELECT database_user_id, database_user FROM web_database_user WHERE sys_groupid = '" . $app->functions->intval($group['sys_groupid']) . "'";
$records = $app->db->queryAllRecords($sql);
$tmp_array = array();
diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php
index 76733ff..092c7dd 100644
--- a/interface/web/sites/cron_edit.php
+++ b/interface/web/sites/cron_edit.php
@@ -86,7 +86,7 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_cron, limit_cron_type FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// When the record is updated
@@ -139,7 +139,7 @@
//* last chance to stop this, so check frequency limit!
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_cron_frequency FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if($client["limit_cron_frequency"] > 1) {
@@ -164,7 +164,7 @@
//* last chance to stop this, so check frequency limit!
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_cron_frequency FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if($client["limit_cron_frequency"] > 1) {
@@ -190,7 +190,7 @@
$server_id = $web["server_id"];
// The cron shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
$sql = "UPDATE cron SET server_id = $server_id, sys_groupid = '$sys_groupid' WHERE id = ".$this->id;
$app->db->query($sql);
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
index 9a1c9d8..139c971 100644
--- a/interface/web/sites/database_edit.php
+++ b/interface/web/sites/database_edit.php
@@ -269,11 +269,11 @@
}
//* Check for duplicates
- $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$this->dataRecord['database_name']."' AND server_id = '".$this->dataRecord["server_id"]."' AND database_id != '".$this->id."'");
+ $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$app->db->quote($this->dataRecord['database_name'])."' AND server_id = '".$app->functions->intval($this->dataRecord["server_id"])."' AND database_id != '".$this->id."'");
if($tmp['dbnum'] > 0) $app->tform->errorMessage .= $app->lng('database_name_error_unique').'<br />';
// get the web server ip (parent domain)
- $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$this->dataRecord['parent_domain_id']."'");
+ $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$app->functions->intval($this->dataRecord['parent_domain_id'])."'");
if($tmp['server_id'] && $tmp['server_id'] != $this->dataRecord['server_id']) {
// we need remote access rights for this server, so get it's ip address
$server_config = $app->getconf->get_server_config($tmp['server_id'], 'server');
@@ -337,11 +337,11 @@
}
//* Check for duplicates
- $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$this->dataRecord['database_name']."' AND server_id = '".$this->dataRecord["server_id"]."'");
+ $tmp = $app->db->queryOneRecord("SELECT count(database_id) as dbnum FROM web_database WHERE database_name = '".$app->db->quote($this->dataRecord['database_name'])."' AND server_id = '".$app->functions->intval($this->dataRecord["server_id"])."'");
if($tmp['dbnum'] > 0) $app->tform->errorMessage .= $app->tform->lng('database_name_error_unique').'<br />';
// get the web server ip (parent domain)
- $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$this->dataRecord['parent_domain_id']."'");
+ $tmp = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = '".$app->functions->intval($this->dataRecord['parent_domain_id'])."'");
if($tmp['server_id'] && $tmp['server_id'] != $this->dataRecord['server_id']) {
// we need remote access rights for this server, so get it's ip address
$server_config = $app->getconf->get_server_config($tmp['server_id'], 'server');
@@ -407,9 +407,9 @@
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
//* The Database user shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
- $backup_interval = $web['backup_interval'];
- $backup_copies = $web['backup_copies'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
+ $backup_interval = $app->functions->intval($web['backup_interval']);
+ $backup_copies = $app->functions->intval($web['backup_copies']);
$sql = "UPDATE web_database SET sys_groupid = '$sys_groupid', backup_interval = '$backup_interval', backup_copies = '$backup_copies' WHERE database_id = ".$this->id;
$app->db->query($sql);
@@ -423,9 +423,9 @@
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
//* The Database user shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
- $backup_interval = $web['backup_interval'];
- $backup_copies = $web['backup_copies'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
+ $backup_interval = $app->functions->intval($web['backup_interval']);
+ $backup_copies = $app->functions->intval($web['backup_copies']);
$sql = "UPDATE web_database SET sys_groupid = '$sys_groupid', backup_interval = '$backup_interval', backup_copies = '$backup_copies' WHERE database_id = ".$this->id;
$app->db->query($sql);
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
index 4cb78f9..30996e5 100644
--- a/interface/web/sites/database_user_edit.php
+++ b/interface/web/sites/database_user_edit.php
@@ -65,13 +65,13 @@
if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.company_name, client.contact_name, client.client_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Fill the client select field
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY sys_group.name";
$records = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contact_name'].'</option>';
//$tmp_data_record = $app->tform->getDataRecord($this->id);
if(is_array($records)) {
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
index 4f71118..0346201 100644
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -134,13 +134,13 @@
global $app, $conf;
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
- $server_id = $web["server_id"];
- $dir = $web["document_root"];
- $uid = $web["system_user"];
- $gid = $web["system_group"];
+ $server_id = $app->functions->intval($web["server_id"]);
+ $dir = $app->db->quote($web["document_root"]);
+ $uid = $app->db->quote($web["system_user"]);
+ $gid = $app->db->quote($web["system_group"]);
// The FTP user shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
$sql = "UPDATE ftp_user SET server_id = $server_id, dir = '$dir', uid = '$uid', gid = '$gid', sys_groupid = '$sys_groupid' WHERE ftp_user_id = ".$this->id;
$app->db->query($sql);
@@ -173,13 +173,13 @@
//* When the site of the FTP user has been changed
if(isset($this->dataRecord['parent_domain_id']) && $this->oldDataRecord['parent_domain_id'] != $this->dataRecord['parent_domain_id']) {
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
- $server_id = $web["server_id"];
- $dir = $web["document_root"];
- $uid = $web["system_user"];
- $gid = $web["system_group"];
+ $server_id = $app->functions->intval($web["server_id"]);
+ $dir = $app->db->quote($web["document_root"]);
+ $uid = $app->db->quote($web["system_user"]);
+ $gid = $app->db->quote($web["system_group"]);
// The FTP user shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
$sql = "UPDATE ftp_user SET server_id = $server_id, dir = '$dir', uid = '$uid', gid = '$gid', sys_groupid = '$sys_groupid' WHERE ftp_user_id = ".$this->id;
$app->db->query($sql);
@@ -194,7 +194,7 @@
if($error_message != '') {
$ftp_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM ftp_user WHERE ftp_user_id = '".$app->db->quote($app->tform->primary_id)."'");
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($ftp_data["parent_domain_id"]));
- $dir = $web["document_root"];
+ $dir = $app->db->quote($web["document_root"]);
$sql = "UPDATE ftp_user SET dir = '$dir' WHERE ftp_user_id = ".$this->id;
$app->db->query($sql);
$app->log("Error in FTP path settings of FTP user ".$this->dataRecord['username'], 1);
diff --git a/interface/web/sites/lib/lang/de_web_domain.lng b/interface/web/sites/lib/lang/de_web_domain.lng
index d5e32d0..5c14553 100644
--- a/interface/web/sites/lib/lang/de_web_domain.lng
+++ b/interface/web/sites/lib/lang/de_web_domain.lng
@@ -120,4 +120,5 @@
$wb['invalid_rewrite_rules_txt'] = 'Unzulässige Rewrite Rules';
$wb['allowed_rewrite_rule_directives_txt'] = 'Erlaubte Direktiven:';
$wb['configuration_error_txt'] = 'KONFIGURATIONSFEHLER';
+$wb['variables_txt'] = 'Variablen';
?>
diff --git a/interface/web/sites/lib/lang/en_web_domain.lng b/interface/web/sites/lib/lang/en_web_domain.lng
index a5c1e35..1a7a02b 100644
--- a/interface/web/sites/lib/lang/en_web_domain.lng
+++ b/interface/web/sites/lib/lang/en_web_domain.lng
@@ -121,4 +121,5 @@
$wb['allowed_rewrite_rule_directives_txt'] = 'Allowed Directives:';
$wb['configuration_error_txt'] = "CONFIGURATION ERROR";
$wb['server_chosen_not_ok'] = 'The selected server is not allowed for this account.';
+$wb['variables_txt'] = 'Variables';
?>
\ No newline at end of file
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index 24ef093..9a8f266 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -158,13 +158,13 @@
global $app, $conf;
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".$app->functions->intval($this->dataRecord["parent_domain_id"]));
- $server_id = $web["server_id"];
- $dir = $web["document_root"];
- $puser = $web["system_user"];
- $pgroup = $web["system_group"];
+ $server_id = $app->functions->intval($web["server_id"]);
+ $dir = $app->db->quote($web["document_root"]);
+ $uid = $app->db->quote($web["system_user"]);
+ $gid = $app->db->quote($web["system_group"]);
// The FTP user shall be owned by the same group then the website
- $sys_groupid = $web['sys_groupid'];
+ $sys_groupid = $app->functions->intval($web['sys_groupid']);
$sql = "UPDATE shell_user SET server_id = $server_id, dir = '$dir', puser = '$puser', pgroup = '$pgroup', sys_groupid = '$sys_groupid' WHERE shell_user_id = ".$this->id;
$app->db->query($sql);
diff --git a/interface/web/sites/templates/web_domain_advanced.htm b/interface/web/sites/templates/web_domain_advanced.htm
index 2f5136e..3cc7d2e 100644
--- a/interface/web/sites/templates/web_domain_advanced.htm
+++ b/interface/web/sites/templates/web_domain_advanced.htm
@@ -84,7 +84,7 @@
</div>
<div class="ctrlHolder nginx">
<label for="nginx_directives">{tmpl_var name='nginx_directives_txt'}</label>
- <textarea name="nginx_directives" id="nginx_directives" rows='10' cols='50' style="width:400px;">{tmpl_var name='nginx_directives'}</textarea> <b>{tmpl_var name="available_nginx_directive_snippets_txt"}</b><br><br> {tmpl_var name="nginx_directive_snippets_txt"}
+ <textarea name="nginx_directives" id="nginx_directives" rows='10' cols='50' style="width:400px;">{tmpl_var name='nginx_directives'}</textarea> <b>{tmpl_var name="available_nginx_directive_snippets_txt"}</b><br><br> {tmpl_var name="nginx_directive_snippets_txt"}<br>----<br><b> {tmpl_var name='variables_txt'}:</b> <a href="javascript:void(0);" class="addPlaceholder">{DOCROOT}</a>, <a href="javascript:void(0);" class="addPlaceholder">{FASTCGIPASS}</a>
</div>
<div class="ctrlHolder proxy">
<label for="proxy_directives">{tmpl_var name='proxy_directives_txt'}</label>
diff --git a/interface/web/sites/web_aliasdomain_edit.php b/interface/web/sites/web_aliasdomain_edit.php
index 5dbcb12..02e11d5 100644
--- a/interface/web/sites/web_aliasdomain_edit.php
+++ b/interface/web/sites/web_aliasdomain_edit.php
@@ -177,7 +177,7 @@
//* Update the old website, so that the vhost alias gets removed
//* We force the update by inserting a transaction record without changes manually.
- $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$this->oldDataRecord['domain_id']);
+ $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$app->functions->intval($this->oldDataRecord['domain_id']));
$app->db->datalogSave('web_domain', 'UPDATE', 'domain_id', $this->oldDataRecord['parent_domain_id'], $old_website, $old_website, true);
}
diff --git a/interface/web/sites/web_domain_del.php b/interface/web/sites/web_domain_del.php
index f451813..7ee5d13 100644
--- a/interface/web/sites/web_domain_del.php
+++ b/interface/web/sites/web_domain_del.php
@@ -94,7 +94,7 @@
//* Delete all records that belog to this web.
$web_domain = $app->db->queryOneRecord("SELECT domain FROM web_domain WHERE domain_id = ".$app->functions->intval($this->id));
if($web_domain['domain'] != ''){
- $aps_instances = $app->db->queryAllRecords("SELECT instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$web_domain['domain']."'");
+ $aps_instances = $app->db->queryAllRecords("SELECT instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$app->db->quote($web_domain['domain'])."'");
if(is_array($aps_instances) && !empty($aps_instances)){
foreach($aps_instances as $aps_instance){
if($aps_instance['instance_id'] > 0){
@@ -109,7 +109,7 @@
$records = $app->db->queryAllRecords("SELECT web_folder_id FROM web_folder WHERE parent_domain_id = '".$app->functions->intval($this->id)."'");
foreach($records as $rec) {
//* Delete all web folder users
- $records2 = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$rec['web_folder_id']."'");
+ $records2 = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$app->functions->intval($rec['web_folder_id'])."'");
foreach($records2 as $rec2) {
$app->db->datalogDelete('web_folder_user', 'web_folder_user_id', $rec2['web_folder_user_id']);
}
diff --git a/interface/web/sites/web_domain_edit.php b/interface/web/sites/web_domain_edit.php
index 98bb9f4..dde0b09 100644
--- a/interface/web/sites/web_domain_edit.php
+++ b/interface/web/sites/web_domain_edit.php
@@ -169,10 +169,10 @@
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
if($this->dataRecord['php'] == 'php-fpm'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".($this->id > 0 ? $this->dataRecord['server_id'] : intval($client['default_webserver']))." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".($this->id > 0 ? $app->functions->intval($this->dataRecord['server_id']) : $app->functions->intval($client['default_webserver']))." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
if($this->dataRecord['php'] == 'fast-cgi'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".($this->id > 0 ? $this->dataRecord['server_id'] : intval($client['default_webserver']))." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".($this->id > 0 ? $app->functions->intval($this->dataRecord['server_id']) : $app->functions->intval($client['default_webserver']))." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -197,7 +197,7 @@
} elseif ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_domain, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* Get global web config
@@ -220,7 +220,7 @@
// Fill the client select field
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
$records = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
//$tmp_data_record = $app->tform->getDataRecord($this->id);
if(is_array($records)) {
@@ -268,14 +268,14 @@
$server_type = 'apache';
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
- $selected_client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = $selected_client_group_id");
+ $selected_client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = ".$app->functions->intval($selected_client_group_id));
//$sql_where = " AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id']." OR client_id = ".intval($selected_client['client_id']).")";
$sql_where = " AND (client_id = 0 OR client_id = ".intval($selected_client['client_id']).")";
if($this->dataRecord['php'] == 'php-fpm'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".($this->id > 0 ? $this->dataRecord['server_id'] : intval($client['default_webserver'])).$sql_where);
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".($this->id > 0 ? $app->functions->intval($this->dataRecord['server_id']) : $app->functions->intval($client['default_webserver'])).$sql_where);
}
if($this->dataRecord['php'] == 'fast-cgi') {
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".($this->id > 0 ? $this->dataRecord['server_id'] : intval($client['default_webserver'])).$sql_where);
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".($this->id > 0 ? $app->functions->intval($this->dataRecord['server_id']) : $app->functions->intval($client['default_webserver'])).$sql_where);
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -364,7 +364,7 @@
$web_config = $app->getconf->get_server_config($server_id, 'web');
//* Fill the IPv4 select field
- $sql = "SELECT ip_address FROM server_ip WHERE ip_type = 'IPv4' AND server_id = $server_id";
+ $sql = "SELECT ip_address FROM server_ip WHERE ip_type = 'IPv4' AND server_id = ".$app->functions->intval($server_id);
$ips = $app->db->queryAllRecords($sql);
$ip_select = ($web_config['enable_ip_wildcard'] == 'y')?"<option value='*'>*</option>":"";
//$ip_select = "";
@@ -379,7 +379,7 @@
unset($ips);
//* Fill the IPv6 select field
- $sql = "SELECT ip_address FROM server_ip WHERE ip_type = 'IPv6' AND server_id = $server_id";
+ $sql = "SELECT ip_address FROM server_ip WHERE ip_type = 'IPv6' AND server_id = ".$app->functions->intval($server_id);
$ips = $app->db->queryAllRecords($sql);
$ip_select = "<option value=''></option>";
//$ip_select = "";
@@ -414,14 +414,14 @@
$server_type = 'apache';
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
- $selected_client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = $selected_client_group_id");
+ $selected_client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE groupid = ".$app->functions->intval($selected_client_group_id));
//$sql_where = " AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id']." OR client_id = ".intval($selected_client['client_id']).")";
- $sql_where = " AND (client_id = 0 OR client_id = ".intval($selected_client['client_id']).")";
+ $sql_where = " AND (client_id = 0 OR client_id = ".$app->functions->intval($selected_client['client_id']).")";
if($this->dataRecord['php'] == 'php-fpm'){
$php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = $server_id".$sql_where);
}
if($this->dataRecord['php'] == 'fast-cgi') {
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = $server_id".$sql_where);
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".$app->functions->intval($server_id).$sql_where);
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -545,7 +545,7 @@
// check for configuration errors in sys_datalog
if($this->id > 0) {
- $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'web_domain' AND sys_datalog.dbidx = 'domain_id:".$this->id."' AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC");
+ $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'web_domain' AND sys_datalog.dbidx = 'domain_id:".$app->functions->intval($this->id)."' AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC");
if(is_array($datalog) && !empty($datalog)){
if(trim($datalog['error']) != ''){
$app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));
@@ -834,7 +834,7 @@
// get the ID of the client
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = $client_group_id");
$client_id = $app->functions->intval($client["client_id"]);
} else {
@@ -935,7 +935,7 @@
// get the ID of the client
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client_id FROM sys_group WHERE sys_group.groupid = $client_group_id");
$client_id = $app->functions->intval($client["client_id"]);
} elseif (isset($this->dataRecord["client_group_id"])) {
@@ -966,7 +966,7 @@
// Update the FTP user(s) too
$records = $app->db->queryAllRecords("SELECT ftp_user_id FROM ftp_user WHERE parent_domain_id = ".$this->id);
foreach($records as $rec) {
- $app->db->datalogUpdate('ftp_user', "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."', uid = '$system_user', gid = '$system_group', dir = '$document_root'", 'ftp_user_id', $rec['ftp_user_id']);
+ $app->db->datalogUpdate('ftp_user', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."', uid = '$system_user', gid = '$system_group', dir = '$document_root'", 'ftp_user_id', $app->functions->intval($rec['ftp_user_id']));
}
unset($records);
unset($rec);
@@ -974,7 +974,7 @@
// Update the Shell user(s) too
$records = $app->db->queryAllRecords("SELECT shell_user_id FROM shell_user WHERE parent_domain_id = ".$this->id);
foreach($records as $rec) {
- $app->db->datalogUpdate('shell_user', "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."', puser = '$system_user', pgroup = '$system_group', dir = '$document_root'", 'shell_user_id', $rec['shell_user_id']);
+ $app->db->datalogUpdate('shell_user', "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."', puser = '$system_user', pgroup = '$system_group', dir = '$document_root'", 'shell_user_id', $app->functions->intval($rec['shell_user_id']));
}
unset($records);
unset($rec);
@@ -999,7 +999,7 @@
//* Update all databases
$records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE parent_domain_id = ".$this->id);
foreach($records as $rec) {
- $app->db->datalogUpdate('web_database', "sys_userid = '".$web_rec['sys_userid']."', sys_groupid = '".$web_rec['sys_groupid']."'", 'database_id', $rec['database_id']);
+ $app->db->datalogUpdate('web_database', "sys_userid = '".$app->functions->intval($web_rec['sys_userid'])."', sys_groupid = '".$app->functions->intval($web_rec['sys_groupid'])."'", 'database_id', $app->functions->intval($rec['database_id']));
}
unset($records);
unset($rec);
@@ -1018,10 +1018,10 @@
unset($subdomain);
// Update APS instances
- $records = $app->db->queryAllRecords("SELECT id, instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$this->oldDataRecord["domain"]."'");
+ $records = $app->db->queryAllRecords("SELECT id, instance_id FROM aps_instances_settings WHERE name = 'main_domain' AND value = '".$app->db->quote($this->oldDataRecord["domain"])."'");
if(is_array($records) && !empty($records)){
foreach($records as $rec){
- $app->db->datalogUpdate('aps_instances_settings', "value = '".$this->dataRecord["domain"]."'", 'id', $rec['id']);
+ $app->db->datalogUpdate('aps_instances_settings', "value = '".$app->db->quote($this->dataRecord["domain"])."'", 'id', $rec['id']);
// Reinstall of package needed?
//$app->db->datalogUpdate('aps_instances', "instance_status = '1'", 'id', $rec['instance_id']);
}
@@ -1040,7 +1040,7 @@
if(empty($web_rec['php_open_basedir']) ||
(!empty($this->dataRecord["domain"]) && !empty($this->oldDataRecord["domain"]) && $this->dataRecord["domain"] != $this->oldDataRecord["domain"])) {
$php_open_basedir = $web_rec['php_open_basedir'];
- $php_open_basedir = str_replace($this->oldDataRecord['domain'], $web_rec['domain'], $php_open_basedir);
+ $php_open_basedir = $app->db->quote(str_replace($this->oldDataRecord['domain'], $web_rec['domain'], $php_open_basedir));
$sql = "UPDATE web_domain SET php_open_basedir = '$php_open_basedir' WHERE domain_id = ".$this->id;
$app->db->query($sql);
}
@@ -1056,8 +1056,8 @@
//* Change database backup options when web backup options have been changed
if(isset($this->dataRecord['backup_interval']) && ($this->dataRecord['backup_interval'] != $this->oldDataRecord['backup_interval'] || $this->dataRecord['backup_copies'] != $this->oldDataRecord['backup_copies'])) {
//* Update all databases
- $backup_interval = $this->dataRecord['backup_interval'];
- $backup_copies = $this->dataRecord['backup_copies'];
+ $backup_interval = $app->functions->intval($this->dataRecord['backup_interval']);
+ $backup_copies = $app->functions->intval($this->dataRecord['backup_copies']);
$records = $app->db->queryAllRecords("SELECT database_id FROM web_database WHERE parent_domain_id = ".$this->id);
foreach($records as $rec) {
$app->db->datalogUpdate('web_database', "backup_interval = '$backup_interval', backup_copies = '$backup_copies'", 'database_id', $rec['database_id']);
@@ -1072,7 +1072,7 @@
if(isset($this->dataRecord['ip_address']) && ($this->dataRecord['ip_address'] != $this->oldDataRecord['ip_address'] || $this->dataRecord['ipv6_address'] != $this->oldDataRecord['ipv6_address'])) {
$records = $app->db->queryAllRecords("SELECT domain_id FROM web_domain WHERE type = 'vhostsubdomain' AND parent_domain_id = ".$this->id);
foreach($records as $rec) {
- $app->db->datalogUpdate('web_domain', "ip_address = '".$web_rec['ip_address']."', ipv6_address = '".$web_rec['ipv6_address']."'", 'domain_id', $rec['domain_id']);
+ $app->db->datalogUpdate('web_domain', "ip_address = '".$app->db->quote($web_rec['ip_address'])."', ipv6_address = '".$app->db->quote($web_rec['ipv6_address'])."'", 'domain_id', $rec['domain_id']);
}
unset($records);
unset($rec);
@@ -1090,7 +1090,7 @@
$app->tform->datalogSave('DELETE', $d["domain_id"], $d, array());
}
- $app->db->query("DELETE FROM web_domain WHERE domain_id = ".$d["domain_id"]." LIMIT 0,1");
+ $app->db->query("DELETE FROM web_domain WHERE domain_id = ".$app->functions->intval($d["domain_id"])." LIMIT 0,1");
}
unset($child_domains);
unset($d);
diff --git a/interface/web/sites/web_sites_stats.php b/interface/web/sites/web_sites_stats.php
index cc7d4e6..f5eb927 100644
--- a/interface/web/sites/web_sites_stats.php
+++ b/interface/web/sites/web_sites_stats.php
@@ -38,25 +38,25 @@
//** Traffic of the current month
$tmp_year = date('Y');
$tmp_month = date('m');
- $tmp_rec = $app->db->queryOneRecord("SELECT SUM(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$rec['domain']."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT SUM(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'");
$rec['this_month'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' ');
$this->sum_this_month += ($tmp_rec['t']/1024/1024);
//** Traffic of the current year
- $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$rec['domain']."' AND YEAR(traffic_date) = '$tmp_year'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year'");
$rec['this_year'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' ');
$this->sum_this_year += ($tmp_rec['t']/1024/1024);
//** Traffic of the last month
$tmp_year = date('Y', mktime(0, 0, 0, date("m")-1, date("d"), date("Y")));
$tmp_month = date('m', mktime(0, 0, 0, date("m")-1, date("d"), date("Y")));
- $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$rec['domain']."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year' AND MONTH(traffic_date) = '$tmp_month'");
$rec['last_month'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' ');
$this->sum_last_month += ($tmp_rec['t']/1024/1024);
//** Traffic of the last year
$tmp_year = date('Y', mktime(0, 0, 0, date("m"), date("d"), date("Y")-1));
- $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$rec['domain']."' AND YEAR(traffic_date) = '$tmp_year'");
+ $tmp_rec = $app->db->queryOneRecord("SELECT sum(traffic_bytes) as t FROM web_traffic WHERE hostname = '".$app->db->quote($rec['domain'])."' AND YEAR(traffic_date) = '$tmp_year'");
$rec['last_year'] = number_format($tmp_rec['t']/1024/1024, 0, '.', ' ');
$this->sum_last_year += ($tmp_rec['t']/1024/1024);
diff --git a/interface/web/sites/web_subdomain_edit.php b/interface/web/sites/web_subdomain_edit.php
index 1e5bfa7..1ed4344 100644
--- a/interface/web/sites/web_subdomain_edit.php
+++ b/interface/web/sites/web_subdomain_edit.php
@@ -184,8 +184,8 @@
//* Update the old website, so that the vhost alias gets removed
//* We force the update by inserting a transaction record without changes manually.
- $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$this->oldDataRecord['domain_id']);
- $app->db->datalogSave('web_domain', 'UPDATE', 'domain_id', $this->oldDataRecord['parent_domain_id'], $old_website, $old_website, true);
+ $old_website = $app->db->queryOneRecord('SELECT * FROM web_domain WHERE domain_id = '.$app->functions->intval($this->oldDataRecord['domain_id']));
+ $app->db->datalogSave('web_domain', 'UPDATE', 'domain_id', $app->functions->intval($this->oldDataRecord['parent_domain_id']), $old_website, $old_website, true);
}
}
diff --git a/interface/web/sites/web_vhost_subdomain_del.php b/interface/web/sites/web_vhost_subdomain_del.php
index 04987e6..f64ff66 100644
--- a/interface/web/sites/web_vhost_subdomain_del.php
+++ b/interface/web/sites/web_vhost_subdomain_del.php
@@ -56,7 +56,7 @@
$records = $app->db->queryAllRecords("SELECT web_folder_id FROM web_folder WHERE parent_domain_id = '".$app->functions->intval($this->id)."'");
foreach($records as $rec) {
//* Delete all web folder users
- $records2 = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$rec['web_folder_id']."'");
+ $records2 = $app->db->queryAllRecords("SELECT web_folder_user_id FROM web_folder_user WHERE web_folder_id = '".$app->functions->intval($rec['web_folder_id'])."'");
foreach($records2 as $rec2) {
$app->db->datalogDelete('web_folder_user', 'web_folder_user_id', $rec2['web_folder_user_id']);
}
diff --git a/interface/web/sites/web_vhost_subdomain_edit.php b/interface/web/sites/web_vhost_subdomain_edit.php
index 48ac56d..3a228c5 100644
--- a/interface/web/sites/web_vhost_subdomain_edit.php
+++ b/interface/web/sites/web_vhost_subdomain_edit.php
@@ -91,7 +91,7 @@
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.limit_web_subdomain, client.default_webserver, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* Get global web config
@@ -102,10 +102,10 @@
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
if($this->dataRecord['php'] == 'php-fpm'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".$parent_domain['server_id']." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".$app->functions->intval($parent_domain['server_id'])." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
if($this->dataRecord['php'] == 'fast-cgi'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".$parent_domain['server_id']." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".$app->functions->intval($parent_domain['server_id'])." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -130,7 +130,7 @@
} elseif ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_subdomain, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* Get global web config
@@ -141,10 +141,10 @@
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
if($this->dataRecord['php'] == 'php-fpm'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".$parent_domain['server_id']." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = ".$app->functions->intval($parent_domain['server_id'])." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
if($this->dataRecord['php'] == 'fast-cgi') {
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".$parent_domain['server_id']." AND (client_id = 0 OR client_id=".$_SESSION['s']['user']['client_id'].")");
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = ".$app->functions->intval($parent_domain['server_id'])." AND (client_id = 0 OR client_id=".$app->functions->intval($_SESSION['s']['user']['client_id']).")");
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -223,10 +223,10 @@
if(!empty($web_config['server_type'])) $server_type = $web_config['server_type'];
if($server_type == 'nginx' && $this->dataRecord['php'] == 'fast-cgi') $this->dataRecord['php'] = 'php-fpm';
if($this->dataRecord['php'] == 'php-fpm'){
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = " . $parent_domain['server_id']);
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fpm_init_script != '' AND php_fpm_ini_dir != '' AND php_fpm_pool_dir != '' AND server_id = " . $app->functions->intval($parent_domain['server_id']));
}
if($this->dataRecord['php'] == 'fast-cgi') {
- $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = " . $parent_domain['server_id']);
+ $php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = " . $app->functions->intval($parent_domain['server_id']));
}
$php_select = "<option value=''>Default</option>";
if(is_array($php_records) && !empty($php_records)) {
@@ -428,7 +428,7 @@
if($_SESSION["s"]["user"]["typ"] != 'admin') {
// Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_traffic_quota, limit_web_subdomain, default_webserver, parent_client_id, limit_web_quota, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
if($client['limit_cgi'] != 'y') $this->dataRecord['cgi'] = '-';
@@ -466,7 +466,7 @@
if($client['parent_client_id'] > 0) {
// Get the limits of the reseller
- $reseller = $app->db->queryOneRecord("SELECT limit_traffic_quota, limit_web_subdomain, default_webserver, limit_web_quota FROM client WHERE client_id = ".$client['parent_client_id']);
+ $reseller = $app->db->queryOneRecord("SELECT limit_traffic_quota, limit_web_subdomain, default_webserver, limit_web_quota FROM client WHERE client_id = ".$app->functions->intval($client['parent_client_id']));
//* Check the traffic quota of the client
if(isset($_POST["traffic_quota"]) && $reseller["limit_traffic_quota"] > 0 && $_POST["traffic_quota"] != $old_web_values["traffic_quota"]) {
diff --git a/interface/web/tools/dns_import_tupa.php b/interface/web/tools/dns_import_tupa.php
index 940a851..775d515 100644
--- a/interface/web/tools/dns_import_tupa.php
+++ b/interface/web/tools/dns_import_tupa.php
@@ -89,15 +89,15 @@
$soa = $exdb->queryOneRecord("SELECT * FROM records WHERE type = 'SOA' AND domain_id = ".$domain['id']);
if(is_array($soa)) {
$parts = explode(' ', $soa['content']);
- $origin = addot($soa['name']);
- $ns = addot($parts[0]);
- $mbox = addot($parts[1]);
- $serial = $parts[2];
+ $origin = $app->db->quote(addot($soa['name']));
+ $ns = $app->db->quote(addot($parts[0]));
+ $mbox = $app->db->quote(addot($parts[1]));
+ $serial = $app->db->quote($parts[2]);
$refresh = 7200;
$retry = 540;
$expire = 604800;
$minimum = 86400;
- $ttl = $soa['ttl'];
+ $ttl = $app->db->quote($soa['ttl']);
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `origin`, `ns`, `mbox`, `serial`, `refresh`, `retry`, `expire`, `minimum`, `ttl`, `active`, `xfer`) VALUES
('$sys_userid', '$sys_groupid', 'riud', 'riud', '', '$server_id', '$origin', '$ns', '$mbox', '$serial', '$refresh', '$retry', '$expire', '$minimum', '$ttl', 'Y', '')";
@@ -111,15 +111,15 @@
foreach($records as $rec) {
$rr = array();
- $rr['name'] = addot($rec['name']);
- $rr['type'] = $rec['type'];
- $rr['aux'] = $rec['prio'];
- $rr['ttl'] = $rec['ttl'];
+ $rr['name'] = $app->db->quote(addot($rec['name']));
+ $rr['type'] = $app->db->quote($rec['type']);
+ $rr['aux'] = $app->db->quote($rec['prio']);
+ $rr['ttl'] = $app->db->quote($rec['ttl']);
if($rec['type'] == 'NS' || $rec['type'] == 'MX' || $rec['type'] == 'CNAME') {
- $rr['data'] = addot($rec['content']);
+ $rr['data'] = $app->db->quote(addot($rec['content']));
} else {
- $rr['data'] = $rec['content'];
+ $rr['data'] = $app->db->quote($rec['content']);
}
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `zone`, `name`, `type`, `data`, `aux`, `ttl`, `active`) VALUES
diff --git a/interface/web/tools/user_settings.php b/interface/web/tools/user_settings.php
index 42e5559..95018ac 100644
--- a/interface/web/tools/user_settings.php
+++ b/interface/web/tools/user_settings.php
@@ -63,7 +63,7 @@
$app->tform->loadFormDef($tform_def_file);
// Importing ID
- $this->id = $_SESSION['s']['user']['userid'];
+ $this->id = $app->functions->intval($_SESSION['s']['user']['userid']);
$_POST['id'] = $_SESSION['s']['user']['userid'];
if(count($_POST) > 1) {
@@ -86,8 +86,12 @@
if($_POST['passwort'] != $_POST['repeat_password']) {
$app->tform->errorMessage = $app->tform->lng('password_mismatch');
}
- $_SESSION['s']['user']['language'] = $_POST['language'];
- $_SESSION['s']['language'] = $_POST['language'];
+ if(preg_match('/[a-z]{2}/',$_POST['language'])) {
+ $_SESSION['s']['user']['language'] = $_POST['language'];
+ $_SESSION['s']['language'] = $_POST['language'];
+ } else {
+ $app->error('Invalid language.');
+ }
}
diff --git a/interface/web/vm/openvz_action.php b/interface/web/vm/openvz_action.php
index 31c23ac..6e090d7 100644
--- a/interface/web/vm/openvz_action.php
+++ b/interface/web/vm/openvz_action.php
@@ -18,8 +18,8 @@
if($vm_id == 0) die('Invalid VM ID');
$vm = $app->db->queryOneRecord("SELECT server_id, veid FROM openvz_vm WHERE vm_id = $vm_id");
-$veid = $vm['veid'];
-$server_id = $vm['server_id'];
+$veid = $app->functions->intval($vm['veid']);
+$server_id = $app->functions->intval($vm['server_id']);
//* Loading classes
$app->uses('tpl');
diff --git a/interface/web/vm/openvz_template_edit.php b/interface/web/vm/openvz_template_edit.php
index 73d004e..ec520d0 100644
--- a/interface/web/vm/openvz_template_edit.php
+++ b/interface/web/vm/openvz_template_edit.php
@@ -54,8 +54,8 @@
function onAfterInsert() {
global $app, $conf;
- $guar_ram = $this->dataRecord['ram']*256;
- $burst_ram = $this->dataRecord['ram_burst']*256;
+ $guar_ram = $app->functions->intval($this->dataRecord['ram']*256);
+ $burst_ram = $app->functions->intval($this->dataRecord['ram_burst']*256);
$sql = "UPDATE openvz_template SET shmpages = '$guar_ram:$guar_ram',vmguarpages = '$guar_ram:$guar_ram', oomguarpages = '$guar_ram:$guar_ram',privvmpages = '$burst_ram:$burst_ram' WHERE template_id = $this->id";
$app->db->query($sql);
}
@@ -63,8 +63,8 @@
function onAfterUpdate() {
global $app, $conf;
- $guar_ram = $this->dataRecord['ram']*256;
- $burst_ram = $this->dataRecord['ram_burst']*256;
+ $guar_ram = $app->functions->intval($this->dataRecord['ram']*256);
+ $burst_ram = $app->functions->intval($this->dataRecord['ram_burst']*256);
$sql = "UPDATE openvz_template SET shmpages = '$guar_ram:$guar_ram',vmguarpages = '$guar_ram:$guar_ram', oomguarpages = '$guar_ram:$guar_ram',privvmpages = '$burst_ram:$burst_ram' WHERE template_id = $this->id";
$app->db->query($sql);
}
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index c9ba892..c49396e 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -73,14 +73,14 @@
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
//* Get the limits of the client
- $client_group_id = $_SESSION["s"]["user"]["default_group"];
+ $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
//* Fill the template_id field
if($client['limit_openvz_vm_template_id'] == 0) {
$sql = 'SELECT template_id,template_name FROM openvz_template WHERE 1 ORDER BY template_name';
} else {
- $sql = 'SELECT template_id,template_name FROM openvz_template WHERE template_id = '.$client['limit_openvz_vm_template_id'].' ORDER BY template_name';
+ $sql = 'SELECT template_id,template_name FROM openvz_template WHERE template_id = '.$app->functions->intval($client['limit_openvz_vm_template_id']).' ORDER BY template_name';
}
$records = $app->db->queryAllRecords($sql);
if(is_array($records)) {
@@ -100,9 +100,9 @@
//* Fill the client select field
- $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id']." ORDER BY sys_group.name";
+ $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id'])." ORDER BY sys_group.name";
$records = $app->db->queryAllRecords($sql);
- $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$client['client_id']);
+ $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
//$tmp_data_record = $app->tform->getDataRecord($this->id);
if(is_array($records)) {
@@ -117,7 +117,7 @@
if($client['limit_openvz_vm_template_id'] == 0) {
$sql = 'SELECT template_id,template_name FROM openvz_template WHERE 1 ORDER BY template_name';
} else {
- $sql = 'SELECT template_id,template_name FROM openvz_template WHERE template_id = '.$client['limit_openvz_vm_template_id'].' ORDER BY template_name';
+ $sql = 'SELECT template_id,template_name FROM openvz_template WHERE template_id = '.$app->functions->intval($client['limit_openvz_vm_template_id']).' ORDER BY template_name';
}
$records = $app->db->queryAllRecords($sql);
if(is_array($records)) {
@@ -164,7 +164,7 @@
$vm_server_id = $app->functions->intval($this->dataRecord["server_id"]);
} else {
$tmp = $app->db->queryOneRecord('SELECT server_id FROM server WHERE vserver_server = 1 AND mirror_server_id = 0 ORDER BY server_name LIMIT 0,1');
- $vm_server_id = $tmp['server_id'];
+ $vm_server_id = $app->functions->intval($tmp['server_id']);
}
$sql = "SELECT ip_address FROM openvz_ip WHERE reserved = 'n' AND (vm_id = 0 or vm_id = '".$this->id."') AND server_id = ".$app->functions->intval($vm_server_id)." ORDER BY ip_address";
$ips = $app->db->queryAllRecords($sql);
diff --git a/server/lib/classes/plugins.inc.php b/server/lib/classes/plugins.inc.php
index 4808a56..4771487 100644
--- a/server/lib/classes/plugins.inc.php
+++ b/server/lib/classes/plugins.inc.php
@@ -134,7 +134,7 @@
function registerAction($action_name, $plugin_name, $function_name) {
global $app;
$this->subscribed_actions[$action_name][] = array('plugin' => $plugin_name, 'function' => $function_name);
- if($this->debug) $app->log("Registered function '$function_name' from plugin '$plugin_name' for action '$event_name'.", LOGLEVEL_DEBUG);
+ if($this->debug) $app->log("Registered function '$function_name' from plugin '$plugin_name' for action '$action_name'.", LOGLEVEL_DEBUG);
}
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index 2e93944..b49f2d2 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -1041,8 +1041,9 @@
$nginx_directives = str_replace("\r", "\n", $nginx_directives);
$nginx_directive_lines = explode("\n", $nginx_directives);
if(is_array($nginx_directive_lines) && !empty($nginx_directive_lines)){
+ $trans = array('{DOCROOT}' => $vhost_data['web_document_root_www'], '{FASTCGIPASS}' => 'fastcgi_pass '.($data['new']['php_fpm_use_socket'] == 'y'? 'unix:'.$fpm_socket : '127.0.0.1:'.$vhost_data['fpm_port']).';');
foreach($nginx_directive_lines as $nginx_directive_line){
- $final_nginx_directives[] = array('nginx_directive' => $nginx_directive_line);
+ $final_nginx_directives[] = array('nginx_directive' => strtr($nginx_directive_line, $trans));
}
}
$tpl->setLoop('nginx_directives', $final_nginx_directives);
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 33d8875..6df3d06 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -74,8 +74,12 @@
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
- if(substr(realpath($data['new']['dir']), 0, strlen($web['document_root'])) != $web['document_root']) {
- $app->log('Directory of the shell user is outside of website docroot.', LOGLEVEL_WARN);
+ if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) {
+ $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+ return false;
+ }
+ if(strpos($data['new']['dir'], '/../') !== false || substr($data['new']['dir'],-3) == '/..') {
+ $app->log('Directory of the shell user is not valid.',LOGLEVEL_WARN);
return false;
}
@@ -137,8 +141,13 @@
//* Check if the resulting path is inside the docroot
$web = $app->db->queryOneRecord("SELECT * FROM web_domain WHERE domain_id = ".intval($data['new']['parent_domain_id']));
- if(substr(realpath($data['new']['dir']), 0, strlen($web['document_root'])) != $web['document_root']) {
- $app->log('Directory of the shell user is outside of website docroot.', LOGLEVEL_WARN);
+ if(substr($data['new']['dir'],0,strlen($web['document_root'])) != $web['document_root']) {
+ $app->log('Directory of the shell user is outside of website docroot.',LOGLEVEL_WARN);
+ return false;
+ }
+
+ if(strpos($data['new']['dir'], '/../') !== false || substr($data['new']['dir'],-3) == '/..') {
+ $app->log('Directory of the shell user is not valid.',LOGLEVEL_WARN);
return false;
}
@@ -163,6 +172,11 @@
$app->log("Executed command: $command ",LOGLEVEL_DEBUG);
*/
//$groupinfo = $app->system->posix_getgrnam($data['new']['pgroup']);
+ if($data['new']['dir'] != $data['old']['dir'] && !is_dir($data['new']['dir'])){
+ $app->file->mkdirs(escapeshellcmd($data['new']['dir']), '0700');
+ $app->system->chown(escapeshellcmd($data['new']['dir']),escapeshellcmd($data['new']['username']));
+ $app->system->chgrp(escapeshellcmd($data['new']['dir']),escapeshellcmd($data['new']['pgroup']));
+ }
$app->system->usermod($data['old']['username'], 0, $app->system->getgid($data['new']['pgroup']), $data['new']['dir'], $data['new']['shell'], $data['new']['password'], $data['new']['username']);
$app->log("Updated shelluser: ".$data['old']['username'], LOGLEVEL_DEBUG);
diff --git a/server/server.php b/server/server.php
index 60251e3..ab25404 100644
--- a/server/server.php
+++ b/server/server.php
@@ -172,9 +172,9 @@
$app->modules->loadModules('all');
//** Load the plugins that are in the plugins-enabled folder
$app->plugins->loadPlugins('all');
-
+
$app->plugins->raiseAction('server_plugins_loaded', '');
-
+
if ($tmp_num_records > 0) {
$app->log("Found $tmp_num_records changes, starting update process.", LOGLEVEL_DEBUG);
//** Go through the sys_datalog table and call the processing functions
--
Gitblit v1.9.1