Changeset 4304 for trunk/admin


Timestamp:
Nov 18, 2009, 9:07:20 PM (14 years ago)
Author:
Eric
Message:

Escape all login and username characters in database
Display usernames correctly

(I hope not to have made mistakes)

Location:
trunk/admin
Files:
9 edited

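--- a/trunk/admin/comments.php
+++ b/trunk/admin/comments.php
@@ -161,5 +161,5 @@
   else
   {
-    $author_name = $row['username'];
+    $author_name = stripslashes($row['username']);
   }
   $template->append(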
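Review bot: Undoing SQL escaping at every read site is fragile: `stripslashes($row['username'])` assumes the stored value still carries the backslashes that `addslashes()` put in at insert time, so a row written by a path that escapes through the driver instead (or written before this change) will have genuine backslashes in its name removed, and any read site the commit misses will show the escaped form. The same pattern is applied in history.php, functions.php, functions_notification_by_mail.inc.php, notification_by_mail.php, rating.php, upload.php and user_list.php. The more robust fix is to escape only at the query boundary (`mysql_real_escape_string()` on the value passed to the INSERT/UPDATE) and store the raw name, which makes every read site correct without a per-site `stripslashes()`. If the stored-escaped form is kept deliberately, a single helper such as `get_username_for_display($row)` would keep the nine call sites consistent and give one place to document the convention.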
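--- a/trunk/admin/history.php
+++ b/trunk/admin/history.php
@@ -260,5 +260,5 @@
     while ($row = mysql_fetch_assoc($result))
     {
-      $username_of[$row['id']] = $row['username'];
+      $username_of[$row['id']] = stripslashes($row['username']);
     }
   }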
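--- a/trunk/admin/include/c13y_internal.class.php
+++ b/trunk/admin/include/c13y_internal.class.php
@@ -196,5 +196,5 @@
               array(
                 'id'       => $id,
-                'username' => $name,
+                'username' => addslashes($name),
                 'password' => $password
                 ),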
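Review bot: `addslashes($name)` escapes at the data-construction layer rather than at the query, so whether the value reaches the database correctly depends on what the insert helper this array is handed to does with it: if that helper already escapes through the driver, the name is stored with literal backslashes, and if it does not, `addslashes()` still leaves NUL and `\x1a` unescaped, which `mysql_real_escape_string()` handles. The call this array belongs to starts and ends outside the hunk, so the helper is not visible here. `$password` on the next line is passed through unchanged; if it is a user-supplied string rather than an already-hashed value it needs the same treatment.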
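--- a/trunk/admin/include/functions.php
+++ b/trunk/admin/include/functions.php
@@ -2113,5 +2113,5 @@
   }
 
-  return $username;
+  return stripslashes($username);
 }
 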
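Review bot: The enclosing function starts outside the hunk, and its return value now differs from the stored column (`stripslashes()` applied), so its docblock should say so, e.g. `@return string username with the database escaping removed, ready for display (do not stripslashes again)`. Callers that were already applying `stripslashes()` to this result would now strip twice, which removes genuine backslashes from the name.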
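--- a/trunk/admin/include/functions_notification_by_mail.inc.php
+++ b/trunk/admin/include/functions_notification_by_mail.inc.php
@@ -289,5 +289,5 @@
 
   $env_nbm['sent_mail_count'] += 1;
-  array_push($page['infos'], sprintf($env_nbm['msg_info'], $nbm_user['username'], $nbm_user['mail_address']));
+  array_push($page['infos'], sprintf($env_nbm['msg_info'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
 }
 
@@ -302,5 +302,5 @@
 
   $env_nbm['error_on_mail_count'] += 1;
-  array_push($page['errors'], sprintf($env_nbm['msg_error'], $nbm_user['username'], $nbm_user['mail_address']));
+  array_push($page['errors'], sprintf($env_nbm['msg_error'], stripslashes($nbm_user['username']), $nbm_user['mail_address']));
 }
 
@@ -339,5 +339,5 @@
     array
     (
-      'USERNAME' => $nbm_user['username'],
+      'USERNAME' => stripslashes($nbm_user['username']),
 
       'SEND_AS_NAME' => $env_nbm['send_as_name'],
@@ -428,5 +428,5 @@
         if (pwg_mail
             (
-              format_email($nbm_user['username'], $nbm_user['mail_address']),
+              format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
               array
               (
@@ -466,10 +466,10 @@
         );
         $updated_data_count += 1;
-        array_push($page['infos'], sprintf($msg_info, $nbm_user['username'], $nbm_user['mail_address']));
+        array_push($page['infos'], sprintf($msg_info, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
       }
       else
       {
         $error_on_updated_data_count += 1;
-        array_push($page['errors'], sprintf($msg_error, $nbm_user['username'], $nbm_user['mail_address']));
+        array_push($page['errors'], sprintf($msg_error, stripslashes($nbm_user['username']), $nbm_user['mail_address']));
       }
 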
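Review bot: At line 430 the unescaped username now goes into an e-mail header through `format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address'])`; restoring the raw characters is right for display, but it also means any quote, `<`, CR or LF in the name reaches the header builder untouched, so correctness here depends on `format_email()` quoting the display-name part and rejecting line breaks — that function is not visible in this changeset and is worth confirming. The same call is changed in notification_by_mail.php at line 391. For the `sprintf` messages pushed onto `$page['infos']` and `$page['errors']` the raw name is fine provided the template escapes those strings for HTML on output.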
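--- a/trunk/admin/notification_by_mail.php
+++ b/trunk/admin/notification_by_mail.php
@@ -176,5 +176,5 @@
         sprintf(
           l10n('nbm_user_x_added'),
-          $nbm_user['username'],
+          stripslashes($nbm_user['username']),
           get_email_address_as_display_text($nbm_user['mail_address'])
         )
@@ -389,5 +389,5 @@
               if (pwg_mail
                   (
-                    format_email($nbm_user['username'], $nbm_user['mail_address']),
+                    format_email(stripslashes($nbm_user['username']), $nbm_user['mail_address']),
                     array
                     (
@@ -666,5 +666,5 @@
       if (get_boolean($nbm_user['enabled']))
       {
-        $opt_true[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
+        $opt_true[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
         if ((isset($_POST['falsify']) and isset($_POST['cat_true']) and in_array($nbm_user['check_key'], $_POST['cat_true'])))
         {
@@ -674,5 +674,5 @@
       else
       {
-        $opt_false[ $nbm_user['check_key'] ] = $nbm_user['username'].'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
+        $opt_false[ $nbm_user['check_key'] ] = stripslashes($nbm_user['username']).'['.get_email_address_as_display_text($nbm_user['mail_address']).']';
         if (isset($_POST['trueify']) and isset($_POST['cat_false']) and in_array($nbm_user['check_key'], $_POST['cat_false']))
         {
@@ -719,5 +719,5 @@
                               !in_array($nbm_user['check_key'], $_POST['send_selection']) // not selected
                             )   ? '' : 'checked="checked"',
-              'USERNAME'=> $nbm_user['username'],
+              'USERNAME'=> stripslashes($nbm_user['username']),
               'EMAIL' => get_email_address_as_display_text($nbm_user['mail_address']),
               'LAST_SEND'=> $nbm_user['last_send']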
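Review bot: In the option labels at lines 668 and 676 the mail address goes through `get_email_address_as_display_text()` but the username, now with its raw characters restored, is concatenated in as-is, and the same holds for the `'USERNAME'` template value at line 721 (and in upload.php, user_list.php and comments.php). Whether the template layer HTML-escapes these values is not visible in this changeset; if it does not, the display value should be escaped once, e.g. `htmlspecialchars(stripslashes($nbm_user['username']), ENT_QUOTES, 'UTF-8')`, ideally inside a shared helper rather than at each site. `stripslashes()` only reverses `addslashes()`; it is not an output escape for any context.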
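--- a/trunk/admin/rating.php
+++ b/trunk/admin/rating.php
@@ -97,5 +97,5 @@
 while ($row = mysql_fetch_assoc($result))
 {
-  $users[$row['id']]=$row['username'];
+  $users[$row['id']]=stripslashes($row['username']);
 }
 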
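Review bot: Point of style: the rewritten line keeps the original's `$users[$row['id']]=stripslashes(...)` with no spaces around `=`, while the equivalent lines changed in history.php and comments.php are written `$x = ...`. Since the line is being touched anyway, `$users[$row['id']] = stripslashes($row['username']);` would match the rest of the changeset.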
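--- a/trunk/admin/upload.php
+++ b/trunk/admin/upload.php
@@ -178,5 +178,5 @@
       'PREVIEW_URL_IMG'=>$preview_url,
       'UPLOAD_EMAIL'=>get_email_address_as_display_text($row['mail_address']),
-      'UPLOAD_USERNAME'=>$row['username']
+      'UPLOAD_USERNAME'=>stripslashes($row['username'])
     );
 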
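--- a/trunk/admin/user_list.php
+++ b/trunk/admin/user_list.php
@@ -703,5 +703,5 @@
       'U_PROFILE' => $profile_url.$local_user['id'],
       'U_PERM' => $perm_url.$local_user['id'],
-      'USERNAME' => $local_user['username']
+      'USERNAME' => stripslashes($local_user['username'])
         .($local_user['id'] == $conf['guest_id']
           ? '<br>['.l10n('is_the_guest').']' : '')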