From 2cb1563f63386b35a69e460051aa9b4a2851d104 Mon Sep 17 00:00:00 2001
From: ftimme <ft@falkotimme.com>
Date: Wed, 30 May 2012 07:30:44 -0400
Subject: [PATCH] - Added (clickable) placeholders to client messaging function. - Added check so that the client password isn't inserted into the message (for security reasons).
---
interface/lib/classes/listform.inc.php | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index b17eb0e..4d836f3 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -126,7 +126,7 @@
public function getSearchSQL($sql_where = '')
{
- global $db;
+ global $app, $db;
//* Get config variable
$list_name = $this->listDef['name'];
@@ -151,9 +151,10 @@
}
//* Store field in session
- if(isset($_REQUEST[$search_prefix.$field])){
+ if(isset($_REQUEST[$search_prefix.$field]) && !stristr($_REQUEST[$search_prefix.$field],"'")){
$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
- }
+ if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field])) $_SESSION['search'][$list_name][$search_prefix.$field] = '';
+ }
if(isset($i['formtype']) && $i['formtype'] == 'SELECT'){
if(is_array($i['value'])) {
@@ -181,7 +182,7 @@
$field = $i['field'];
// if($_REQUEST[$search_prefix.$field] != '') $sql_where .= " $field ".$i["op"]." '".$i["prefix"].$_REQUEST[$search_prefix.$field].$i["suffix"]."' and";
if(isset($_SESSION['search'][$list_name][$search_prefix.$field]) && $_SESSION['search'][$list_name][$search_prefix.$field] != ''){
- $sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";
+ $sql_where .= " $field ".$i['op']." '".$app->db->quote($i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix'])."' and";
}
}
}
@@ -209,12 +210,12 @@
}
//* set PAGE to worth request variable "PAGE" - ? setze page auf wert der request variablen "page"
- if(isset($_REQUEST["page"])) $_SESSION["search"][$list_name]["page"] = $_REQUEST["page"];
+ if(isset($_REQUEST["page"])) $_SESSION["search"][$list_name]["page"] = intval($_REQUEST["page"]);
//* PAGE to 0 set, if look for themselves ? page auf 0 setzen, wenn suche sich ge�ndert hat.
if($this->searchChanged == 1) $_SESSION['search'][$list_name]['page'] = 0;
- $sql_von = $_SESSION['search'][$list_name]['page'] * $records_per_page;
+ $sql_von = intval($_SESSION['search'][$list_name]['page'] * $records_per_page);
$record_count = $app->db->queryOneRecord("SELECT count(*) AS anzahl FROM $table WHERE $sql_where");
$pages = intval(($record_count['anzahl'] - 1) / $records_per_page);
@@ -247,9 +248,9 @@
//* Show Back
if(isset($vars['show_page_back']) && $vars['show_page_back'] == 1){
$content .= '<a href="'."javascript:loadContent('".$vars['list_file'].'?page='.$vars['last_page'].$vars['page_params']."');".'">'
- .'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow_180.png"></a> ';
+ .'<img src="themes/'.$_SESSION['s']['theme'].'/icons/x16/arrow_180.png"></a> ';
}
- $content .= ' '.$this->lng('page_txt').' '.$vars['next_page'].' '.$this->lng('page_of_txt').' '.$vars['max_pages'].' ';
+ $content .= ' '.$this->lng('page_txt').' '.$vars['next_page'].' '.$this->lng('page_of_txt').' '.$vars['max_pages'].' ';
//* Show Next
if(isset($vars['show_page_next']) && $vars['show_page_next'] == 1){
$content .= '<a href="'."javascript:loadContent('".$vars['list_file'].'?page='.$vars['next_page'].$vars['page_params']."');".'">'
@@ -428,4 +429,4 @@
}
-?>
+?>
\ No newline at end of file
--
Gitblit v1.9.1