From 7eade0da5ec04ec86a89aed3c98e27cba3dae491 Mon Sep 17 00:00:00 2001
From: Florian Schaal <florian@schaal-24.de>
Date: Thu, 07 May 2015 08:33:08 -0400
Subject: [PATCH]  avoid the second use of query in install.php

---
 interface/web/client/client_message.php |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index 4275edb..0e3bd2e 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -60,12 +60,12 @@
 	//* Send message
 	if($error == '') {
 		if($app->functions->intval($_POST['recipient']) > 0){
-			$circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ".$app->functions->intval($_POST['recipient'])." AND ".$app->tform->getAuthSQL('r'));
+			$circle = $app->db->queryOneRecord("SELECT client_ids FROM client_circle WHERE active = 'y' AND circle_id = ? AND ".$app->tform->getAuthSQL('r'), $_POST['recipient']);
 			if(isset($circle['client_ids']) && $circle['client_ids'] != ''){
 				$tmp_client_ids = explode(',', $circle['client_ids']);
 				$where = array();
 				foreach($tmp_client_ids as $tmp_client_id){
-					$where[] = 'client_id = '.$tmp_client_id;
+					$where[] = 'client_id = '.$app->functions->intval($tmp_client_id);
 				}
 				if(!empty($where)) $where_clause = ' AND ('.implode(' OR ', $where).')';
 				$sql = "SELECT * FROM client WHERE email != ''".$where_clause;
@@ -120,8 +120,8 @@
 	if($_SESSION["s"]["user"]["typ"] != 'admin'){
 		$client_id = $app->functions->intval($_SESSION['s']['user']['client_id']);
 		if($client_id > 0){
-			$sql = "SELECT email FROM client WHERE client_id = ".$client_id;
-			$client = $app->db->queryOneRecord($sql);
+			$sql = "SELECT email FROM client WHERE client_id = ?";
+			$client = $app->db->queryOneRecord($sql, $client_id);
 			if($client['email'] != '') $app->tpl->setVar('sender', $client['email']);
 		}
 	}
@@ -146,7 +146,7 @@
 
 //message variables
 $message_variables = '';
-$sql = "SHOW COLUMNS FROM client WHERE Field NOT IN ('client_id', 'sys_userid', 'sys_groupid', 'sys_perm_user', 'sys_perm_group', 'sys_perm_other', 'password', 'parent_client_id', 'id_rsa', 'ssh_rsa', 'created_at', 'default_mailserver', 'default_webserver', 'web_php_options', 'ssh_chroot', 'default_dnsserver', 'default_dbserver', 'template_master', 'template_additional') AND Field NOT LIKE 'limit_%'";
+$sql = "SHOW COLUMNS FROM client WHERE Field NOT IN ('client_id', 'sys_userid', 'sys_groupid', 'sys_perm_user', 'sys_perm_group', 'sys_perm_other', 'password', 'parent_client_id', 'id_rsa', 'ssh_rsa', 'created_at', 'default_mailserver', 'default_webserver', 'web_php_options', 'ssh_chroot', 'default_dnsserver', 'default_dbserver', 'template_master', 'template_additional', 'force_suexec', 'default_slave_dnsserver', 'usertheme', 'locked', 'canceled', 'can_use_api', 'tmp_data', 'customer_no_template', 'customer_no_start', 'customer_no_counter', 'added_date', 'added_by') AND Field NOT LIKE 'limit_%'";
 $field_names = $app->db->queryAllRecords($sql);
 if(!empty($field_names) && is_array($field_names)){
 	foreach($field_names as $field_name){

--
Gitblit v1.9.1