[Phpgroupware-cvs] ged/inc class.ged_ui.inc.php class.ged_dm.inc.php
From: |
Pascal Vilarem |
Subject: |
[Phpgroupware-cvs] ged/inc class.ged_ui.inc.php class.ged_dm.inc.php |
Date: |
Mon, 26 Mar 2007 14:04:33 +0000 |
CVSROOT: /sources/phpgroupware
Module name: ged
Changes by: Pascal Vilarem <maat> 07/03/26 14:04:33
Modified files:
inc : class.ged_ui.inc.php class.ged_dm.inc.php
Log message:
Added a security fix for quotes in SQL.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/ged/inc/class.ged_ui.inc.php?cvsroot=phpgroupware&r1=1.15&r2=1.16
http://cvs.savannah.gnu.org/viewcvs/ged/inc/class.ged_dm.inc.php?cvsroot=phpgroupware&r1=1.11&r2=1.12
Patches:
Index: class.ged_ui.inc.php
===================================================================
RCS file: /sources/phpgroupware/ged/inc/class.ged_ui.inc.php,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -b -r1.15 -r1.16
--- class.ged_ui.inc.php 23 Mar 2007 16:07:14 -0000 1.15
+++ class.ged_ui.inc.php 26 Mar 2007 14:04:33 -0000 1.16
@@ -491,12 +491,16 @@
$this->t->fp('relations_list_handle', 'relations_list',
True);
}
+
+
$this->t->set_block('file_tpl', 'versions_list',
'versions_list_handle');
$versions_numcol=2;
$file_version_odd_even='odd';
if ($list_versions !="")
+ {
+ $list_versions=array_reverse($list_versions, true);
foreach ($list_versions as $version_info)
{
if ( $file_version_odd_even=='odd' )
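Review bot: The new `array_reverse($list_versions, true)` sits under the pre-existing guard `if ($list_versions !="")`, which does not establish that `$list_versions` is an array: a non-empty string passes that loose comparison, array_reverse would then warn and return null, and the foreach would warn again. If the value can only ever be an array or an empty string this is harmless, but the intent reads clearer and safer as `if (is_array($list_versions) && count($list_versions) > 0)`. The reversal also deserves a why-comment, e.g. `// list newest first; the second argument keeps the original keys` (the newest-first motive is inferred, confirm). The enclosing function begins before this hunk and continues past it.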
@@ -566,6 +570,7 @@
$versions_numcol ++;
}
+ }
if ( $this->debug('draw_file_panel') )
print ( "draw_file_panel: end of version list<br/>\n");
Index: class.ged_dm.inc.php
===================================================================
RCS file: /sources/phpgroupware/ged/inc/class.ged_dm.inc.php,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -b -r1.11 -r1.12
--- class.ged_dm.inc.php 23 Mar 2007 16:14:08 -0000 1.11
+++ class.ged_dm.inc.php 26 Mar 2007 14:04:33 -0000 1.12
@@ -98,6 +98,22 @@
return false;
}
+ function cleanstr ( $the_str )
+ {
+ $the_str2=$this->db->db_addslashes($the_str);
+ return ($the_str2);
+ }
+
+ function cleanint ( $the_int )
+ {
+ if ( is_int($the_int))
+ $the_int2=$the_int;
+ else
+ $the_int2=0;
+
+ return ($the_int2);
+ }
+
function get_file_extention($filename)
{
$ext=strtolower(substr(strrchr($filename, "."), 1));
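Review bot: `cleanint()` accepts only values for which `is_int()` is true, so a numeric string such as `'30'` — the form in which HTTP request parameters arrive — is silently replaced by 0 rather than validated; if `validity_period` reaches this helper from a submitted form, every update would reset it. A cast after a numeric check keeps the value while still guaranteeing an integer for the `%d` placeholder it is later formatted with: `$the_int2 = is_numeric($the_int) ? (int) $the_int : 0;`. `cleanstr()` is correct as far as it goes, but its result is only safe inside a quoted SQL literal, which is worth stating on the helper: `// escaped for use inside a quoted literal ('%s'); callers must still quote it, and this is not a substitute for prepared statements`. Consider also signalling invalid input explicitly instead of returning 0, so callers can tell a missing value from a rejected one.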
@@ -182,10 +198,15 @@
print ( "update_file: entering.<br>\n");
// DONE : add 'validity_period'
- $sql_model="UPDATE %s set name='%s', description='%s',
validity_period='%s' WHERE ";
+ $sql_model="UPDATE %s set name='%s', description='%s',
validity_period=%d, reference='%s' WHERE ";
$sql_model.=" element_id=%d";
- $sql=sprintf($sql_model, $this->tables['elements'],
$new_file['name'], addslashes($new_file['description']),
$new_file['validity_period'], $new_file['element_id']);
+ if ( array_key_exists('validity_period', $new_file) )
+
$new_file2['validity_period']=$this->cleanint($new_file['validity_period']);
+ else
+ $new_file2['validity_period']=null;
+
+ $sql=sprintf($sql_model, $this->tables['elements'],
$this->cleanstr($new_file['name']), $this->cleanstr($new_file['description']),
$new_file2['validity_period'], $this->cleanstr($new_file['reference']),
$new_file['element_id']);
// TODO gestion des slashes !
//print ($sql);