Changeset 1716

Timestamp:

Jan 12, 2007, 12:15:26 AM (17 years ago)

Author:

rvelices

Message:

plugins improvements: allow plugins to fail the installation/activation
comments.php improvements:

• no more double sql escaping on author & keyword (once in common.inc.php and

once in comments.php)

• now can search comment content on all special char ( ', ", <, >, & )
• author & keyword are correctly redisplayed in browser when they are MySql

escaped

Location:

trunk

Files:

• admin/plugins.php (modified) (8 diffs)
• comments.php (modified) (7 diffs)

trunk/admin/plugins.php

@@ -2 +2 @@
 // +-----------------------------------------------------------------------+
 // | PhpWebGallery - a PHP based picture gallery                           |
-// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
-// | Copyright (C) 2003-2006 PhpWebGallery Team - http://phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
 // +-----------------------------------------------------------------------+
 // | branch        : BSF (Best So Far)
-// | file          : $RCSfile$
+// | file          : $Id$
 // | last update   : $Date$
 // | last modifier : $Author$
@@ -37 +36 @@
 
 
-
 // +-----------------------------------------------------------------------+
 // |                     perform requested actions                         |
@@ -43 +41 @@
 if ( isset($_REQUEST['action']) and isset($_REQUEST['plugin'])  )
 {
-  if (function_exists('mysql_real_escape_string'))
-  {
-    $plugin_id = mysql_real_escape_string($_REQUEST['plugin']);
-  }
-  else
-  {
-    $plugin_id = mysql_escape_string($_REQUEST['plugin']);
-  }
-
+  $plugin_id = $_REQUEST['plugin'];
   $crt_db_plugin = get_db_plugins('', $plugin_id);
   if (!empty($crt_db_plugin))
@@ -62 +52 @@
   }
 
+  $errors = array();
   $file_to_include = PHPWG_PLUGINS_PATH.$plugin_id.'/maintain.inc.php';
 
@@ -69 +60 @@
       if ( !empty($crt_db_plugin))
       {
-        die ('CANNOT install - ALREADY INSTALLED');
+        array_push($errors, 'CANNOT install - ALREADY INSTALLED');
+        break;
       }
       $fs_plugins = get_fs_plugins();
       if ( !isset( $fs_plugins[$plugin_id] ) )
       {
-        die ('CANNOT install - NO SUCH PLUGIN');
-      }
-      $query = '
+        array_push($errors, 'CANNOT install - NO SUCH PLUGIN');
+        break;
+      }
+      if ( file_exists($file_to_include) )
+      {
+        include_once($file_to_include);
+        if ( function_exists('plugin_install') )
+        {
+          plugin_install($plugin_id, $fs_plugins[$plugin_id]['version'], $errors);
+        }
+      }
+      if (empty($errors))
+      {
+        $query = '
 INSERT INTO '.PLUGINS_TABLE.' (id,version) VALUES ("'
 .$plugin_id.'","'.$fs_plugins[$plugin_id]['version'].'"
 )';
-      pwg_query($query);
-
-      // MAYBE TODO HERE = what if we die or we fail ???
-      @include_once($file_to_include);
-      if ( function_exists('plugin_install') )
-      {
-        plugin_install($plugin_id);
-      }
-      break;
-
+        pwg_query($query);
+      }
+      break;
 
     case 'activate':
       if ( !isset($crt_db_plugin) )
       {
-        die ('CANNOT '. $_REQUEST['action'] .' - NOT INSTALLED');
+        array_push($errors, 'CANNOT '. $_REQUEST['action'] .' - NOT INSTALLED');
       }
       if ($crt_db_plugin['state']!='inactive')
       {
-        die('invalid current state '.$crt_db_plugin['state']);
-      }
-      $query = '
+        array_push($errors, 'invalid current state '.$crt_db_plugin['state']);
+      }
+      if ( file_exists($file_to_include) )
+      {
+        include_once($file_to_include);
+        if ( function_exists('plugin_activate') )
+        {
+          plugin_activate($plugin_id, $crt_db_plugin['version'], $errors);
+        }
+      }
+      if (empty($errors))
+      {
+        $query = '
 UPDATE '.PLUGINS_TABLE.' SET state="active" WHERE id="'.$plugin_id.'"';
-      pwg_query($query);
-
-      // MAYBE TODO HERE = what if we die or we fail ???
-      @include_once($file_to_include);
-      if ( function_exists('plugin_activate') )
-      {
-        plugin_activate($plugin_id);
-      }
-      break;
-
+        pwg_query($query);
+      }
+      break;
 
     case 'deactivate':
@@ -126 +125 @@
       pwg_query($query);
 
-      // MAYBE TODO HERE = what if we die or we fail ???
       @include_once($file_to_include);
       if ( function_exists('plugin_deactivate') )
@@ -143 +141 @@
       pwg_query($query);
 
-      // MAYBE TODO HERE = what if we die or we fail ???
       @include_once($file_to_include);
       if ( function_exists('plugin_uninstall') )
@@ -151 +148 @@
       break;
   }
-  // do the redirection so that we allow the plugins to load/unload
-  redirect($my_base_url);
+  if (empty($errors))
+  {
+    // do the redirection so that we allow the plugins to load/unload
+    redirect($my_base_url);
+  }
+  else
+  {
+    $page['errors'] = array_merge($page['errors'], $errors);
+  }
 }
 

trunk/comments.php

@@ -3 +3 @@
 // | PhpWebGallery - a PHP based picture gallery                           |
 // | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
-// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
 // +-----------------------------------------------------------------------+
 // | branch        : BSF (Best So Far)
@@ -64 +64 @@
   );
 
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 3;
+$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
 
 // on which field sorting
@@ -92 +92 @@
 }
 
+$page['where_clauses'] = array();
+
 // which category to filter on ?
-$page['cat_clause'] = '1=1';
 if (isset($_GET['cat']) and 0 != $_GET['cat'])
 {
-  $page['cat_clause'] =
+  $page['where_clauses'][] =
     'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')';
 }
 
 // search a particular author
-$page['author_clause'] = '1=1';
 if (isset($_GET['author']) and !empty($_GET['author']))
 {
-  if (function_exists('mysql_real_escape_string'))
-  {
-    $author = mysql_real_escape_string($_GET['author']);
-  }
-  else
-  {
-    $author = mysql_escape_string($_GET['author']);
-  }
-
-  $page['author_clause'] = 'author = \''.$author.'\'';
+  $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
 }
 
 // search a substring among comments content
-$page['keyword_clause'] = '1=1';
 if (isset($_GET['keyword']) and !empty($_GET['keyword']))
 {
-  if (function_exists('mysql_real_escape_string'))
-  {
-    $keyword = mysql_real_escape_string($_GET['keyword']);
-  }
-  else
-  {
-    $keyword = mysql_escape_string($_GET['keyword']);
-  }
-  $page['keyword_clause'] =
+  // fors some odd reason comment content is htmlspecialchars in the database 
+  $keyword = addslashes( 
+      htmlspecialchars( stripslashes($_GET['keyword']), ENT_QUOTES) 
+    );
+  $page['where_clauses'][] =
     '('.
     implode(' AND ',
@@ -142 +128 @@
 }
 
+$page['where_clauses'][] = $since_options[$page['since']]['clause'];
+
 // which status to filter on ?
-if ( is_admin() )
-{
-  $page['status_clause'] = '1=1';
-}
-else
-{
-  $page['status_clause'] = 'validated="true"';
-}
-
+if ( !is_admin() )
+{
+  $page['where_clauses'][] = 'validated="true"';
+}
+
+$page['where_clauses'][] = get_sql_condition_FandF
+  (
+    array
+      (
+        'forbidden_categories' => 'category_id',
+        'visible_categories' => 'category_id',
+        'visible_images' => 'ic.image_id'
+      ),
+    '', true
+  );
 
 // +-----------------------------------------------------------------------+
@@ -194 +188 @@
 
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@htmlentities($_GET['keyword']),
-    'F_AUTHOR'=>@htmlentities($_GET['author']),
+    'F_KEYWORD'=>@htmlentities(stripslashes($_GET['keyword'])),
+    'F_AUTHOR'=>@htmlentities(stripslashes($_GET['author'])),
 
     'U_HOME' => make_index_url(),
@@ -308 +302 @@
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
-  WHERE '.$since_options[$page['since']]['clause'].'
-    AND '.$page['cat_clause'].'
-    AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'].'
-    AND '.$page['status_clause'].'
-'.get_sql_condition_FandF
-  (
-    array
-      (
-        'forbidden_categories' => 'category_id',
-        'visible_categories' => 'category_id',
-        'visible_images' => 'ic.image_id'
-      ),
-    'AND'
-  ).'
+  WHERE '.implode('
+    AND ', $page['where_clauses']).'
 ;';
 list($counter) = mysql_fetch_row(pwg_query($query));
@@ -358 +339 @@
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
-  WHERE '.$since_options[$page['since']]['clause'].'
-    AND '.$page['cat_clause'].'
-    AND '.$page['author_clause'].'
-    AND '.$page['keyword_clause'].'
-    AND '.$page['status_clause'].'
-'.get_sql_condition_FandF
-  (
-    array
-      (
-        'forbidden_categories' => 'category_id',
-        'visible_categories' => 'category_id',
-        'visible_images' => 'ic.image_id'
-      ),
-    'AND'
-  ).'
+  WHERE '.implode('
+    AND ', $page['where_clauses']).'
   GROUP BY comment_id
   ORDER BY '.$page['sort_by'].' '.$page['sort_order'];