Changeset 20762


Timestamp:
Feb 15, 2013, 2:04:39 PM (7 years ago)
Author:
nikrou
Message:

Fix issue that was altering picture page content
Fix possible SQL injection issues

Location:
extensions/user_tags
Files:
11 edited

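--- a/extensions/user_tags/CHANGELOG
+++ b/extensions/user_tags/CHANGELOG
@@ -1,2 +1,7 @@
+User Tags 0.7.3 - 2013-02-15
+================================
+* Fix issue that altering picture page content
+* Fix possible sql injections issues
+
 User Tags 0.7.2 - 2013-01-18
 ================================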
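--- a/extensions/user_tags/admin.php
+++ b/extensions/user_tags/admin.php
@@ -62,3 +62,2 @@
 
 $template->assign('U_HELP', get_root_url().'admin/popuphelp.php?page=readme');
-?>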
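--- a/extensions/user_tags/include/constants.inc.php
+++ b/extensions/user_tags/include/constants.inc.php
@@ -27,3 +27,2 @@
 define('T4U_JS', PHPWG_PLUGINS_PATH . basename(T4U_PLUGIN_ROOT). '/js');
 define('T4U_WS', 'user_tags.tags.');
-?>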
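--- a/extensions/user_tags/include/default_values.inc.php
+++ b/extensions/user_tags/include/default_values.inc.php
@@ -22,3 +22,2 @@
 $default_values = array();
 $default_values['t4u_permission_update'] = null;
-?>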
  • extensions/user_tags/include/t4u_config.class.php

    r20252 r20762  
    8989       and is_autorize_status(get_access_type_status($this->getPermission($permission))));
    9090  }
    91 
     91 
    9292  public static function plugin_admin_menu($menu) {
    9393    $menu[] = array('NAME' => T4U_PLUGIN_NAME,
    9494                    'URL' => get_admin_plugin_menu_link(T4U_PLUGIN_ROOT .'/admin.php')
    9595                    );
    96 
     96   
    9797    return $menu;
    9898  }
     
    122122  }
    123123}
    124 ?>
  • extensions/user_tags/include/t4u_content.class.php

    r20251 r20762  
    4747      $related_tags = array();
    4848      if (!empty($template->smarty->_tpl_vars['related_tags'])) {
    49         foreach ($template->smarty->_tpl_vars['related_tags'] as $id => $tag_infos) {
    50           $related_tags['~~'.$tag_infos['id'].'~~'] = $tag_infos['name'];
    51         }
    52         $template->assign('T4U_RELATED_TAGS', $related_tags);
     49        foreach ($template->smarty->_tpl_vars['related_tags'] as $id => $tag_infos) {
     50          $related_tags['~~'.$tag_infos['id'].'~~'] = $tag_infos['name'];
     51        }
     52        $template->assign('T4U_RELATED_TAGS', $related_tags);
    5353      }
    5454
     
    5656      $template->assign_var_from_handle('PLUGIN_PICTURE_AFTER', 'add_tags');
    5757    }
     58
     59    return $content;
    5860  }
    5961
     
    6567  }
    6668}
    67 ?>
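Review bot: The added `return $content;` at new line 59 gives the handler a return value only on the path that falls through this hunk; the method's signature and anything before line 47 sit outside the hunk, so please check that every earlier exit also returns `$content`, since a handler that returns nothing is presumably what blanked the picture page before this change. The re-indented loop at new lines 49-52 reads tag names from `$template->smarty->_tpl_vars`, a Smarty-internal array, and a short comment such as `// reuse the related tags the core picture page already assigned to the template` would make that dependency explicit to the next maintainer. The enclosing method begins before the hunk.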
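--- a/extensions/user_tags/include/t4u_ws.class.php
+++ b/extensions/user_tags/include/t4u_ws.class.php
@@ -43,5 +43,5 @@
     $query = 'SELECT id AS tag_id, name AS tag_name FROM '.TAGS_TABLE;
     if (!empty($params['q'])) {
-      $query .= sprintf(' WHERE name like \'%%%s%%\'', $params['q']);
+      $query .= sprintf(' WHERE name like \'%%%s%%\'', pwg_db_real_escape_string($params['q']));
     }
    
@@ -68,12 +68,8 @@
     $message = '';
 
-    $query = '
-SELECT
-    tag_id,
-    name AS tag_name
-  FROM '.IMAGE_TAG_TABLE.' AS it
-    JOIN '.TAGS_TABLE.' AS t ON t.id = it.tag_id
-  WHERE image_id = '.(int) $params['image_id'].'
-;';
+    $query = 'SELECT tag_id, name AS tag_name';
+    $query .= ' FROM '.IMAGE_TAG_TABLE.' AS it';
+    $query .= ' JOIN '.TAGS_TABLE.' AS t ON t.id = it.tag_id';
+    $query .= sprintf(' WHERE image_id = %s', pwg_db_real_escape_string($params['image_id']));
    
     $current_tags = $this->__makeTagsList($query);
@@ -107,5 +103,5 @@
       if (empty($tags_to_associate)) { // remove all tags for an image
         $query = 'DELETE FROM '.IMAGE_TAG_TABLE;
-        $query .= sprintf(' WHERE image_id = %d', $params['image_id']);
+        $query .= sprintf(' WHERE image_id = %d', pwg_db_real_escape_string($params['image_id']));
         pwg_query($query);
       } else {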
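Review bot: The rewritten lookup at new line 73, `sprintf(' WHERE image_id = %s', pwg_db_real_escape_string($params['image_id']))`, is weaker than the `(int)` cast it replaces: the escape function only neutralises quote and backslash characters, and the value is spliced in unquoted against a numeric column, so any `image_id` value containing no quotes reaches the query verbatim. Keep the integer conversion, `$query .= sprintf(' WHERE image_id = %d', (int) $params['image_id']);`, which is also what the DELETE at new line 105 already gets from its `%d` conversion (the escaping added there is redundant but harmless). In the first hunk, escaping closes the quoting hole in the `name like` clause, but `pwg_db_real_escape_string` does not escape the LIKE metacharacters `%` and `_`, so a caller can still widen the pattern; if that matters, apply `strtr($params['q'], ['%' => '\%', '_' => '\_'])` before the escape call. Both methods begin and end outside the hunks.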
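--- a/extensions/user_tags/init.php
+++ b/extensions/user_tags/init.php
@@ -46,3 +46,2 @@
 
 set_plugin_data($plugin['id'], $plugin_config);
-?>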
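--- a/extensions/user_tags/main.inc.php
+++ b/extensions/user_tags/main.inc.php
@@ -22,5 +22,5 @@
 /*
 Plugin Name: User Tags
-Version: 0.7.2
+Version: 0.7.3
 Description: Allow visitors to add tag to images
 Plugin URI: http://piwigo.org/ext/extension_view.php?eid=441
@@ -34,3 +34,2 @@
 
 include_once(dirname(__FILE__).'/init.php');
-?>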
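--- a/extensions/user_tags/maintain.inc.php
+++ b/extensions/user_tags/maintain.inc.php
@@ -40,3 +40,2 @@
   }
 }
-?>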
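--- a/extensions/user_tags/public.php
+++ b/extensions/user_tags/public.php
@@ -35,3 +35,2 @@
                   array($t4u_ws, 'addMethods')
                   );
-?>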