Nucleus CMS日本語版用プラグインのうち、日本語版開発者がサポートしているもの
Revision | bc660848dbab0078f1419bd6d208add3f5ac5e68 (tree) |
---|---|
Time | 2006-11-04 09:21:31 |
Author | kmorimatsu <kmorimatsu@1ca2...> |
Commiter | kmorimatsu |
セキュリティーアップデート(Security update)
git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/plugin@471 1ca29b6e-896d-4ea0-84a5-967f57386b96
@@ -1,4 +1,5 @@ | ||
1 | 1 | <?php |
2 | +/* NP_SkinSwitcher ver 0.7.2 */ | |
2 | 3 | |
3 | 4 | $strRel = '../../../'; |
4 | 5 | include($strRel . 'config.php'); |
@@ -57,7 +58,7 @@ class NpSkinSwitcher_ADMIN{ | ||
57 | 58 | ?> |
58 | 59 | <form method="post" action="<?php echo $this->url ?>index.php"> |
59 | 60 | <input type="hidden" name="action" value="update" /> |
60 | - <input type="hidden" name="blogid" value="<?php echo $blogid ?>" /> | |
61 | + <input type="hidden" name="blogid" value="<?php echo (int)$blogid ?>" /> | |
61 | 62 | <?php |
62 | 63 | echo '<table>'."\n"; |
63 | 64 | echo '<thead><tr><th>'._SKIN_NAME.'</th><th>'._SKIN_TYPE.'</th><th>'._SKIN_DESC.'</th></tr></thead>'."\n"; |
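Review bot: The update form at the top of this hunk still carries no anti-CSRF token; only `action` and the now int-cast `blogid` hidden fields are emitted, so any page the logged-in admin visits can post a skin change to this endpoint. In Nucleus versions that provide tickets (3.2 and later) the usual fix is to emit `<?php $manager->addTicketHidden() ?>` inside the form and to reject the `update` action when `$manager->checkTicket()` fails; the handler for `update` is in the hunk ending at line 173 and would need the check added there. `$this->url` is also written into the `action` attribute unescaped, which is acceptable only if it is a configuration value and never derived from the request. The enclosing method begins before this hunk.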
@@ -71,7 +72,10 @@ class NpSkinSwitcher_ADMIN{ | ||
71 | 72 | if($blogid && in_array($ob->sdnumber,$global_sdnums)) continue; |
72 | 73 | $chtxt = (in_array($ob->sdnumber,$sdnums))? ' checked="checked"': ''; |
73 | 74 | $extxt = ($ob->sdnumber==$defskinid)? '<b> ('._EBLOG_DEFSKIN.')</b>': ''; |
74 | - echo '<tr'." onmouseover='focusRow(this);' onmouseout='blurRow(this);'".'><td><input type="checkbox" id="batch'.$i.'" name="sdnum['.$i.']" value="'.$ob->sdnumber.'"'.$chtxt.' /><label for="batch'.$i.'">'.$ob->sdname.$extxt.'</label></td><td>'.$ob->sdtype.'</td><td>'.$ob->sddesc.'</td></tr>'."\n"; | |
75 | + echo '<tr'." onmouseover='focusRow(this);' onmouseout='blurRow(this);'".'>'. | |
76 | + '<td><input type="checkbox" id="batch'.$i.'" name="sdnum['.$i.']" value="'.(int)$ob->sdnumber.'"'.$chtxt.' />'. | |
77 | + '<label for="batch'.$i.'">'.htmlspecialchars($ob->sdname).$extxt.'</label></td>'. | |
78 | + '<td>'.htmlspecialchars($ob->sdtype).'</td><td>'.htmlspecialchars($ob->sddesc).'</td></tr>'."\n"; | |
75 | 79 | $i++; |
76 | 80 | } |
77 | 81 | echo '<tr><td colspan="3"> |
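Review bot: The new `htmlspecialchars($ob->sdname)` / `sdtype` / `sddesc` calls rely on PHP's default flags and charset, which is adequate for these text-node positions today but fragile: from PHP 5.4 the default charset is UTF-8 and invalid input returns an empty string, so on a site stored in another encoding (EUC-JP is common for Japanese Nucleus installs) these cells would silently render blank. Passing the site charset and `ENT_QUOTES` explicitly, e.g. `htmlspecialchars($ob->sdname, ENT_QUOTES, _CHARSET)`, also keeps the same call safe if it is later moved into an attribute. The identical expression is repeated six times here and in the hunk ending at line 114, so a small private helper such as `function hsc($s) { return htmlspecialchars($s, ENT_QUOTES, _CHARSET); }` would keep the escaping consistent in one place. The `foreach`/`while` loop this belongs to starts before the hunk.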
@@ -94,7 +98,7 @@ class NpSkinSwitcher_ADMIN{ | ||
94 | 98 | } else { |
95 | 99 | $query = 'SELECT bnumber, bname, tadmin, burl, bshortname' |
96 | 100 | . ' FROM ' . sql_table('blog') . ', ' . sql_table('team') |
97 | - . ' WHERE tblog=bnumber and tmember=' . $member->getID() . ' and tadmin=1' | |
101 | + . ' WHERE tblog=bnumber and tmember=' . (int)$member->getID() . ' and tadmin=1' | |
98 | 102 | . ' ORDER BY bname'; |
99 | 103 | } |
100 | 104 | $res = sql_query($query); |
@@ -103,7 +107,10 @@ class NpSkinSwitcher_ADMIN{ | ||
103 | 107 | echo '<table>'."\n"; |
104 | 108 | echo '<tr><th>'._EBLOG_NAME.'</th><th>'._EBLOG_DESC.'</th><th>'._LISTS_ACTIONS.'</th></tr>'."\n"; |
105 | 109 | while($ob = mysql_fetch_object($res)){ |
106 | - echo '<tr'." onmouseover='focusRow(this);' onmouseout='blurRow(this);'".'><td>' . $ob->bname . '</td><td>'.$ob->bdesc.'</td><td><a href="'.$this->url.'index.php?action=blogoverview&blogid='.$ob->bnumber.'">'._PLUG_SKINSWITCHER_BLOGLINK.'</a></td></tr>'; | |
110 | + echo '<tr'." onmouseover='focusRow(this);' onmouseout='blurRow(this);'".'>'. | |
111 | + '<td>' . htmlspecialchars($ob->bname) . '</td>'. | |
112 | + '<td>'.htmlspecialchars($ob->bdesc).'</td>'. | |
113 | + '<td><a href="'.$this->url.'index.php?action=blogoverview&blogid='.(int)$ob->bnumber.'">'._PLUG_SKINSWITCHER_BLOGLINK.'</a></td></tr>'; | |
107 | 114 | } |
108 | 115 | echo '</table>'."\n"; |
109 | 116 |
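Review bot: The new `htmlspecialchars($ob->bdesc)` cell reads a column the `else` branch query in the previous hunk (lines 99–102, `SELECT bnumber, bname, tadmin, burl, bshortname`) never selects, so for non-superadmin members `$ob->bdesc` is undefined and the description column is always empty (with a notice under `E_NOTICE`); either add `bdesc` to that select list or drop the cell. The first branch of that `if` is outside the hunk, so its column list may differ. In the link on the last new line, the separator should be written `&amp;blogid=` since it sits inside an HTML attribute, and `$this->url` is concatenated unescaped, which is fine only if it is a trusted configuration value.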
@@ -147,7 +154,7 @@ class NpSkinSwitcher_ADMIN{ | ||
147 | 154 | $blogid = intRequestVar('blogid'); |
148 | 155 | $sdnums = @join(',',requestVar('sdnum')); |
149 | 156 | |
150 | - $dq = 'DELETE FROM '.sql_table('plug_skinswitcher').' WHERE sblogid='.$blogid; | |
157 | + $dq = 'DELETE FROM '.sql_table('plug_skinswitcher').' WHERE sblogid='.(int)$blogid; | |
151 | 158 | $dres = sql_query($dq); |
152 | 159 | |
153 | 160 | if($sdnums){ |
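Review bot: The `(int)` cast on the new DELETE line is harmless but redundant, because `$blogid` comes from `intRequestVar('blogid')` two lines above; the real gap is that `$dres` is never checked, so if the DELETE fails the INSERT in the following block still runs and the user is told `Saved.` while the old row remains. A check such as `if (!$dres) { $_SESSION['msg'] = 'Could not clear old settings: ' . htmlspecialchars(mysql_error()); return; }` before `if($sdnums){` would make the failure visible. The `@join(',', requestVar('sdnum'))` line also suppresses the warning produced when `sdnum` is absent or not an array; casting with `(array)requestVar('sdnum')` expresses that intent without `@`. The `if($sdnums)` block opened on the last line continues in the next hunk.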
@@ -155,12 +162,12 @@ class NpSkinSwitcher_ADMIN{ | ||
155 | 162 | INSERT INTO |
156 | 163 | ".sql_table('plug_skinswitcher')." |
157 | 164 | SET |
158 | - sblogid = ".$blogid.", | |
159 | - disskinid = '".$sdnums."' | |
165 | + sblogid = ".(int)$blogid.", | |
166 | + disskinid = '".addslashes($sdnums)."' | |
160 | 167 | "; |
161 | 168 | $res = @mysql_query($iq); |
162 | 169 | if (!$res) { |
163 | - $_SESSION['msg'] = $iq.'Could not save data: ' . mysql_error() . $query; | |
170 | + $_SESSION['msg'] = $iq.'Could not save data: ' . htmlspecialchars( mysql_error().$query ); | |
164 | 171 | }else{ |
165 | 172 | $_SESSION['msg'] = 'Saved.'; |
166 | 173 | } |
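Review bot: `addslashes($sdnums)` on the new `disskinid` line is not a connection-charset-aware SQL escape; since the value is only ever a comma-separated list of skin ids, the stronger fix is to validate the list where it is built (line 155 in the previous hunk, `$sdnums = join(',', array_map('intval', (array)requestVar('sdnum')));`), after which the stored value contains only digits and commas and the escape becomes pure defense in depth. In the new error-message line, `$iq` is prepended to the session message without escaping while only `mysql_error().$query` is wrapped in `htmlspecialchars`, and `$query` does not appear to be assigned anywhere in this method (the queries here are `$dq` and `$iq`), so it is probably a leftover from another method; `htmlspecialchars($iq . 'Could not save data: ' . mysql_error())` covers the whole string. Echoing the full SQL text to the admin is also more than the user needs and could be reduced to the error text. Using `@mysql_query($iq)` here while the DELETE a few lines up goes through `sql_query()` is inconsistent and hides the warning path the wrapper would report.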