From baf5dda4cc07aa35eb9e41dda90aee0d2cdecf23 Mon Sep 17 00:00:00 2001
From: Sergio Cambra <sergio@programatica.es>
Date: Tue, 08 Jul 2014 09:53:13 -0400
Subject: [PATCH] fix escaping in sql query
---
interface/web/dns/dns_wizard.php | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index 1b7da09..8549a6b 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -157,6 +157,39 @@
}
}
+/*
+ * Now we have to check, if we should use the domain-module to select the domain
+ * or not
+ */
+$app->uses('ini_parser,getconf');
+$settings = $app->getconf->get_global_config('domains');
+if ($settings['use_domain_module'] == 'y') {
+ /*
+ * The domain-module is in use.
+ */
+ $domains = $app->tools_sites->getDomainModuleDomains("dns_soa");
+ $domain_select = '';
+ if(is_array($domains) && sizeof($domains) > 0) {
+ /* We have domains in the list, so create the drop-down-list */
+ foreach( $domains as $domain) {
+ $domain_select .= "<option value=" . $domain['domain_id'] ;
+ if ($domain['domain'] == $_POST['domain']) {
+ $domain_select .= " selected";
+ }
+ $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".</option>\r\n";
+ }
+ }
+ else {
+ /*
+ * We have no domains in the domain-list. This means, we can not add ANY new domain.
+ * To avoid, that the variable "domain_option" is empty and so the user can
+ * free enter a domain, we have to create a empty option!
+ */
+ $domain_select .= "<option value=''></option>\r\n";
+ }
+ $app->tpl->setVar("domain_option", $domain_select);
+}
+
if($_POST['create'] == 1) {
$error = '';
@@ -180,8 +213,19 @@
// apply filters
if(isset($_POST['domain']) && $_POST['domain'] != ''){
- $_POST['domain'] = $app->functions->idn_encode($_POST['domain']);
- $_POST['domain'] = strtolower($_POST['domain']);
+ /* check if the domain module is used - and check if the selected domain can be used! */
+ if ($settings['use_domain_module'] == 'y') {
+ $domain_check = $app->tools_sites->checkDomainModuleDomain($_POST['domain']);
+ if(!$domain_check) {
+ // invalid domain selected
+ $_POST['domain'] = '';
+ } else {
+ $_POST['domain'] = $domain_check;
+ }
+ } else {
+ $_POST['domain'] = $app->functions->idn_encode($_POST['domain']);
+ $_POST['domain'] = strtolower($_POST['domain']);
+ }
}
if(isset($_POST['ns1']) && $_POST['ns1'] != ''){
$_POST['ns1'] = $app->functions->idn_encode($_POST['ns1']);
@@ -245,10 +289,12 @@
if($_POST['ns2'] != '') $tpl_content = str_replace('{NS2}', $_POST['ns2'], $tpl_content);
if($_POST['email'] != '') $tpl_content = str_replace('{EMAIL}', $_POST['email'], $tpl_content);
if(isset($_POST['dkim']) && preg_match('/^[\w\.\-\/]{2,255}\.[a-zA-Z0-9\-]{2,30}[\.]{0,1}$/', $_POST['domain'])) {
- $public_key=$app->db->queryOneRecord("SELECT dkim_public FROM mail_domain WHERE domain = ? AND dkim = 'y' AND ".$app->tform->getAuthSQL('r'), $_POST['domain']);
+ $sql = $app->db->queryOneRecord("SELECT dkim_public, dkim_selecotr FROM mail_domain WHERE domain = ? AND dkim = 'y' AND ".$app->tform->getAuthSQL('r'), $_POST['domain']);
+ $public_key = $sql['dkim_public'];
if ($public_key!='') {
- $dns_record=str_replace(array("\r\n", "\n", "\r", "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"), '', $public_key['dkim_public']);
- $tpl_content .= "\n".'TXT|default._domainkey.'.$_POST['domain'].'.|v=DKIM1; t=s; p='.$dns_record;
+ if (empty($sql['dkim_selector'])) $sql['dkim_selector'] = 'default';
+ $dns_record=str_replace(array("\r\n", "\n", "\r", "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----"), '', $public_key);
+ $tpl_content .= "\n".'TXT|'.$sql['dkim_selector'].'._domainkey.'.$_POST['domain'].'.|v=DKIM1; t=s; p='.$dns_record;
}
}
--
Gitblit v1.9.1