Commit 604c0c24 authored by Till Brehm's avatar Till Brehm
Browse files

Code review.

parent 938baf07
......@@ -595,7 +595,7 @@ class ApsCrawler extends ApsBase
foreach($incomplete_pkgs as $incomplete_pkg){
$pkg_url = @file_get_contents($this->interface_pkg_dir.'/'.$incomplete_pkg['path'].'/PKG_URL');
if($pkg_url != ''){
$app->db->datalogUpdate('aps_packages', "package_url = '".$pkg_url."'", 'id', $incomplete_pkg['id']);
$app->db->datalogUpdate('aps_packages', "package_url = '".$app->db->quote($pkg_url)."'", 'id', $incomplete_pkg['id']);
}
}
}
......
......@@ -266,18 +266,18 @@ class ApsGUIController extends ApsBase
unset($tmp);
// get information if the webserver is a db server, too
$web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$websrv['server_id']);
$web_server = $app->db->queryOneRecord("SELECT server_id,server_name,db_server FROM server WHERE server_id = ".$app->functions->intval($websrv['server_id']));
if($web_server['db_server'] == 1) {
// create database on "localhost" (webserver)
$mysql_db_server_id = $websrv['server_id'];
$mysql_db_server_id = $app->functions->intval($websrv['server_id']);
$mysql_db_host = 'localhost';
$mysql_db_remote_access = 'n';
$mysql_db_remote_ips = '';
} else {
//* get the default database server of the client
$client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$websrv['sys_groupid']);
$client = $app->db->queryOneRecord("SELECT default_dbserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($websrv['sys_groupid']));
if(is_array($client) && $client['default_dbserver'] > 0 && $client['default_dbserver'] != $websrv['server_id']) {
$mysql_db_server_id = $client['default_dbserver'];
$mysql_db_server_id = $app->functions->intval($client['default_dbserver']);
$dbserver_config = $web_config = $app->getconf->get_server_config($app->functions->intval($mysql_db_server_id), 'server');
$mysql_db_host = $dbserver_config['ip_address'];
$mysql_db_remote_access = 'y';
......@@ -301,13 +301,13 @@ class ApsGUIController extends ApsBase
//* Find a free db name for the app
for($n = 1; $n <= 1000; $n++) {
$mysql_db_name = ($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps'));
$mysql_db_name = $app->db->quote(($dbname_prefix != '' ? $dbname_prefix.'aps'.$n : uniqid('aps')));
$tmp = $app->db->queryOneRecord("SELECT count(database_id) as number FROM web_database WHERE database_name = '".$app->db->quote($mysql_db_name)."'");
if($tmp['number'] == 0) break;
}
//* Find a free db username for the app
for($n = 1; $n <= 1000; $n++) {
$mysql_db_user = ($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps'));
$mysql_db_user = $app->db->quote(($dbuser_prefix != '' ? $dbuser_prefix.'aps'.$n : uniqid('aps')));
$tmp = $app->db->queryOneRecord("SELECT count(database_user_id) as number FROM web_database_user WHERE database_user = '".$app->db->quote($mysql_db_user)."'");
if($tmp['number'] == 0) break;
}
......@@ -316,12 +316,12 @@ class ApsGUIController extends ApsBase
//* Create the mysql database user
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `database_user`, `database_user_prefix`, `database_password`)
VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', 0, '$mysql_db_user', '".$app->db->quote($dbuser_prefix) . "', PASSWORD('$mysql_db_password'))";
$mysql_db_user_id = $app->db->datalogInsert('web_database_user', $insert_data, 'database_user_id');
//* Create the mysql database
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `parent_domain_id`, `type`, `database_name`, `database_name_prefix`, `database_user_id`, `database_ro_user_id`, `database_charset`, `remote_access`, `remote_ips`, `backup_copies`, `active`, `backup_interval`)
VALUES( ".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', $mysql_db_server_id, ".$websrv['domain_id'].", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$websrv['backup_copies'].", 'y', '".$websrv['backup_interval']."')";
VALUES( ".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', $mysql_db_server_id, ".$app->functions->intval($websrv['domain_id']).", 'mysql', '$mysql_db_name', '" . $app->db->quote($dbname_prefix) . "', '$mysql_db_user_id', 0, '', '$mysql_db_remote_access', '$mysql_db_remote_ips', ".$app->functions->intval($websrv['backup_copies']).", 'y', '".$app->functions->intval($websrv['backup_interval'])."')";
$app->db->datalogInsert('web_database', $insert_data, 'database_id');
//* Add db details to package settings
......@@ -332,7 +332,7 @@ class ApsGUIController extends ApsBase
}
//* Insert new package instance
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$websrv['sys_userid'].", ".$websrv['sys_groupid'].", 'riud', '".$websrv['sys_perm_group']."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
$insert_data = "(`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `server_id`, `customer_id`, `package_id`, `instance_status`) VALUES (".$app->functions->intval($websrv['sys_userid']).", ".$app->functions->intval($websrv['sys_groupid']).", 'riud', '".$app->functions->intval($websrv['sys_perm_group'])."', '', ".$app->db->quote($webserver_id).",".$app->db->quote($customerid).", ".$app->db->quote($packageid).", ".INSTANCE_PENDING.")";
$InstanceID = $app->db->datalogInsert('aps_instances', $insert_data, 'id');
//* Insert all package settings
......@@ -404,7 +404,7 @@ class ApsGUIController extends ApsBase
$app->db->datalogSave('aps', 'INSERT', 'id', $instanceid, array(), $datalog);
*/
$sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$instanceid." LIMIT 0,1";
$sql = "SELECT web_database.database_id as database_id FROM aps_instances_settings, web_database WHERE aps_instances_settings.value = web_database.database_name AND aps_instances_settings.value = aps_instances_settings.name = 'main_database_name' AND aps_instances_settings.instance_id = ".$app->db->quote($instanceid)." LIMIT 0,1";
$tmp = $app->db->queryOneRecord($sql);
if($tmp['database_id'] > 0) $app->db->datalogDelete('web_database', 'database_id', $tmp['database_id']);
......
......@@ -33,7 +33,7 @@ class auth {
public function get_user_id()
{
return $_SESSION['s']['user']['userid'];
return $app->functions->intval($_SESSION['s']['user']['userid']);
}
public function is_admin() {
......@@ -80,7 +80,9 @@ class auth {
public function get_client_limit($userid, $limitname)
{
global $app;
$userid = $app->functions->intval($userid);
// simple query cache
if($this->client_limits===null)
$this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = $userid AND sys_user.client_id = client.client_id");
......
......@@ -49,7 +49,7 @@ class client_templates {
if($old_style == true) {
// we have to take care of this in an other way
$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
if(is_array($in_db) && count($in_db) > 0) {
foreach($in_db as $item) {
if(array_key_exists($item['client_template_id'], $needed_types) == false) $needed_types[$item['client_template_id']] = 0;
......@@ -61,24 +61,24 @@ class client_templates {
if($count > 0) {
// add new template to client (includes those from old-style without assigned_template_id)
for($i = $count; $i > 0; $i--) {
$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $tpl_id . ')');
$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($tpl_id) . ')');
}
} elseif($count < 0) {
// remove old ones
for($i = $count; $i < 0; $i++) {
$app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $clientId . ' AND client_template_id = ' . $tpl_id . ' LIMIT 1');
$app->db->query('DELETE FROM `client_template_assigned` WHERE client_id = ' . $app->functions->intval($clientId) . ' AND client_template_id = ' . $app->functions->intval($tpl_id) . ' LIMIT 1');
}
}
}
} else {
// we have to take care of this in an other way
$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $clientId);
$in_db = $app->db->queryAllRecords('SELECT `assigned_template_id`, `client_template_id` FROM `client_template_assigned` WHERE `client_id` = ' . $app->functions->intval($clientId));
if(is_array($in_db) && count($in_db) > 0) {
// check which templates were removed from this client
foreach($in_db as $item) {
if(in_array($item['assigned_template_id'], $used_assigned) == false) {
// delete this one
$app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $item['assigned_template_id']);
$app->db->query('DELETE FROM `client_template_assigned` WHERE `assigned_template_id` = ' . $app->functions->intval($item['assigned_template_id']));
}
}
}
......@@ -86,7 +86,7 @@ class client_templates {
if(count($new_tpl) > 0) {
foreach($new_tpl as $item) {
// add new template to client (includes those from old-style without assigned_template_id)
$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $clientId . ', ' . $item . ')');
$app->db->query('INSERT INTO `client_template_assigned` (`client_id`, `client_template_id`) VALUES (' . $app->functions->intval($clientId) . ', ' . $app->functions->intval($item) . ')');
}
}
}
......
......@@ -46,9 +46,9 @@ class custom_datasource {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_dnsserver'];
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_dnsserver']);
} else {
$sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
}
......@@ -68,9 +68,9 @@ class custom_datasource {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT default_slave_dnsserver FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['default_slave_dnsserver'];
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['default_slave_dnsserver']);
} else {
$sql = "SELECT server_id,server_name FROM server WHERE dns_server = 1 ORDER BY server_name";
}
......@@ -99,7 +99,7 @@ class custom_datasource {
}
if(count($server_ids) == 0) return array();
$server_ids = implode(',', $server_ids);
$records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$server_ids.") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
$records = $app->db->queryAllRecords("SELECT web_domain.domain_id, CONCAT(web_domain.domain, ' :: ', server.server_name) AS parent_domain FROM web_domain, server WHERE web_domain.type = 'vhost' AND web_domain.server_id IN (".$app->db->quote($server_ids).") AND web_domain.server_id = server.server_id AND ".$app->tform->getAuthSQL('r', 'web_domain')." ORDER BY web_domain.domain");
$records_new = array();
if(is_array($records)) {
......@@ -146,12 +146,12 @@ class custom_datasource {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$sql = "SELECT $server_type as server_id FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id";
$client = $app->db->queryOneRecord($sql);
if($client['server_id'] > 0) {
//* Select the default server for the client
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$client['server_id'];
$sql = "SELECT server_id,server_name FROM server WHERE server_id = ".$app->functions->intval($client['server_id']);
} else {
//* Not able to find the clients defaults, use this as fallback and add a warning message to the log
$app->log('Unable to find default server for client in custom_datasource.inc.php', 1);
......
<?php
die('Deprecated file: form.inc.php');
/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.
......
......@@ -108,8 +108,8 @@ class plugin_backuplist extends plugin_base {
}
//* Get the data
$web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$this->form->id);
$sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$this->form->id." AND server_id = ".$web['server_id']." ORDER BY tstamp DESC, backup_type ASC";
$web = $app->db->queryOneRecord("SELECT server_id FROM web_domain WHERE domain_id = ".$app->functions->intval($this->form->id));
$sql = "SELECT * FROM web_backup WHERE parent_domain_id = ".$app->functions->intval($this->form->id)." AND server_id = ".$app->functions->intval($web['server_id'])." ORDER BY tstamp DESC, backup_type ASC";
$records = $app->db->queryAllRecords($sql);
$bgcolor = "#FFFFFF";
......
......@@ -51,7 +51,7 @@ if(isset($_GET['id'])) {
$client_id = $app->functions->intval($_GET['cid']);
$tmp_client = $app->db->queryOneRecord("SELECT username FROM client WHERE client_id = $client_id");
$tmp_sys_user = $app->db->queryOneRecord("SELECT userid FROM sys_user WHERE username = '".$app->db->quote($tmp_client['username'])."'");
$userId = $tmp_sys_user['userid'];
$userId = $app->functions->intval($tmp_sys_user['userid']);
unset($tmp_client);
unset($tmp_sys_user);
$backlink = 'client/client_list.php';
......
......@@ -81,7 +81,7 @@ if (1 == 0 && isset($_POST['server_select'])) {
foreach ($servers as $serverId) {
$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
"VALUES (".
(int)$serverId . ", " .
$app->functions->intval($serverId) . ", " .
time() . ", " .
"'ispc_update', " .
"'', " .
......
......@@ -76,7 +76,7 @@ if (isset($_POST['server_select'])) {
foreach ($servers as $serverId) {
$sql = "INSERT INTO sys_remoteaction (server_id, tstamp, action_type, action_param, action_state, response) " .
"VALUES (".
(int)$serverId . ", " .
$app->functions->intval($serverId) . ", " .
time() . ", " .
"'os_update', " .
"'', " .
......
......@@ -54,7 +54,7 @@ class page_action extends tform_actions {
global $app, $conf;
// Getting Servers
$sql = "SELECT server_id,server_name FROM server WHERE server_id != $this->id ORDER BY server_name";
$sql = "SELECT server_id,server_name FROM server WHERE server_id != ".$app->functions->intval($this->id)." ORDER BY server_name";
$mirror_servers = $app->db->queryAllRecords($sql);
$mirror_server_select = '<option value="0">'.$app->tform->lng('- None -').'</option>';
if(is_array($mirror_servers)) {
......
......@@ -56,7 +56,7 @@ class page_action extends tform_actions {
//* Check if the server has been changed
// We do this only for the admin or reseller users, as normal clients can not change the server ID anyway
if($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
$rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ".$this->id);
$rec = $app->db->queryOneRecord("SELECT server_id from server_ip WHERE server_ip_id = ".$app->functions->intval($this->id));
if($rec['server_id'] != $this->dataRecord["server_id"]) {
//* Add a error message and switch back to old server
$app->tform->errorMessage .= $app->lng('The Server can not be changed.');
......
......@@ -56,7 +56,7 @@ class page_action extends tform_actions {
//* Check if the server has been changed
// We do this only for the admin or reseller users, as normal clients can not change the server ID anyway
if(($_SESSION["s"]["user"]["typ"] == 'admin' || $app->auth->has_clients($_SESSION['s']['user']['userid'])) && isset($this->dataRecord["server_id"])) {
$rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$this->id);
$rec = $app->db->queryOneRecord("SELECT server_id from server_php WHERE server_php_id = ".$app->functions->intval($this->id));
if($rec['server_id'] != $this->dataRecord["server_id"]) {
//* Add a error message and switch back to old server
$app->tform->errorMessage .= $app->lng('The Server can not be changed.');
......
......@@ -50,7 +50,7 @@ $message_ok = '';
//* verify the key
if($package['package_installable'] == 'key' && $install_key != '') {
$repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ".$package['software_repo_id']);
$repo = $app->db->queryOneRecord("SELECT * FROM software_repo WHERE software_repo_id = ".$app->db->quote($package['software_repo_id']));
$client = new SoapClient(null, array('location' => $repo['repo_url'],
'uri' => $repo['repo_url']));
......@@ -62,7 +62,7 @@ if($package['package_installable'] == 'key' && $install_key != '') {
$message_err = 'Verification of the key failed.';
} else {
// Store the verified key into the database
$app->db->datalogUpdate('software_package', "package_key = '$install_key'", 'package_id', $package['package_id']);
$app->db->datalogUpdate('software_package', "package_key = '".$app->db->quote($install_key)."'", 'package_id', $package['package_id']);
}
} else {
$message_ok = 'Please enter the software key for the package.';
......@@ -70,7 +70,7 @@ if($package['package_installable'] == 'key' && $install_key != '') {
//* Install packages, if all requirements are fullfilled.
if($install_server_id > 0 && $package_name != '' && ($package['package_installable'] == 'yes' || $install_key_verified == true)) {
$sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '$package_name' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1";
$sql = "SELECT software_update_id, package_name, update_title FROM software_update WHERE type = 'full' AND package_name = '".$app->db->quote($package_name)."' ORDER BY v1 DESC, v2 DESC, v3 DESC, v4 DESC LIMIT 0,1";
$tmp = $app->db->queryOneRecord($sql);
$software_update_id = $tmp['software_update_id'];
......@@ -118,7 +118,7 @@ if($install_server_id > 0 && $package_name != '' && ($package['package_installab
$app->db->datalogUpdate('software_package', "package_config = '".$app->db->quote($package_config_str)."'", 'package_id', $package['package_id']);
$sql = "INSERT INTO `remote_user` (`sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `remote_username`, `remote_password`, `remote_functions`) VALUES
(1, 1, 'riud', 'riud', '', '$remote_user', '$remote_password_md5', '$remote_functions');";
(1, 1, 'riud', 'riud', '', '".$app->db->quote($remote_user)."', '".$app->db->quote($remote_password_md5)."', '".$app->db->quote($remote_functions)."');";
$app->db->query($sql);
......@@ -127,7 +127,7 @@ if($install_server_id > 0 && $package_name != '' && ($package['package_installab
}
//* Add the record to start the install process
$insert_data = "(package_name, server_id, software_update_id, status) VALUES ('$package_name', '$install_server_id', '$software_update_id','installing')";
$insert_data = "(package_name, server_id, software_update_id, status) VALUES ('".$app->db->quote($package_name)."', '".$app->db->quote($install_server_id)."', '".$app->db->quote($software_update_id)."','installing')";
$app->db->datalogInsert('software_update_inst', $insert_data, 'software_update_inst_id');
$message_ok = 'Starting package installation '."<a href=\"#\" onclick=\"submitForm('pageForm','admin/software_package_list.php');\">".$app->lng('next')."</a>";
......
......@@ -49,7 +49,7 @@ if(is_array($repos) && isset($_GET['action']) && $_GET['action'] == 'repoupdate'
if(is_array($packages)) {
foreach($packages as $p) {
$package_name = $app->db->quote($p['name']);
$tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = '$package_name'");
$tmp = $app->db->queryOneRecord("SELECT package_id FROM software_package WHERE package_name = '".$app->db->quote($package_name)."'");
$package_title = $app->db->quote($p['title']);
$package_description = $app->db->quote($p['description']);
......@@ -150,7 +150,7 @@ if(is_array($packages) && count($packages) > 0) {
foreach($packages as $key => $p) {
$installed_txt = '';
foreach($servers as $s) {
$inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = '".addslashes($p["package_name"])."' AND server_id = '".$s["server_id"]."'");
$inst = $app->db->queryOneRecord("SELECT * FROM software_update, software_update_inst WHERE software_update_inst.software_update_id = software_update.software_update_id AND software_update_inst.package_name = '".$app->db->quote($p["package_name"])."' AND server_id = '".$app->functions->intval($s["server_id"])."'");
$version = $inst['v1'].'.'.$inst['v2'].'.'.$inst['v3'].'.'.$inst['v4'];
if($inst['status'] == 'installed') {
......
......@@ -161,11 +161,11 @@ if(is_array($installed_packages)) {
foreach($installed_packages as $ip) {
// Get version number of the latest installed version
$sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$server_id." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
$sql = "SELECT v1, v2, v3, v4 FROM software_update, software_update_inst WHERE software_update.software_update_id = software_update_inst.software_update_id AND server_id = ".$app->functions->intval($server_id)." ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC LIMIT 0,1";
$lu = $app->db->queryOneRecord($sql);
// Get all installable updates
$sql = "SELECT * FROM software_update WHERE v1 >= $lu[v1] AND v2 >= $lu[v2] AND v3 >= $lu[v3] AND v4 >= $lu[v4] AND package_name = '$ip[package_name]' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
$sql = "SELECT * FROM software_update WHERE v1 >= ".$app->functions->intval($lu['v1'])." AND v2 >= ".$app->functions->intval($lu['v2'])." AND v3 >= ".$app->functions->intval($lu['v3'])." AND v4 >= ".$app->functions->intval($lu['v4'])." AND package_name = '".$app->db->quote($ip['package_name'])."' ORDER BY v1 DESC , v2 DESC , v3 DESC , v4 DESC";
$updates = $app->db->queryAllRecords($sql);
//die($sql);
......
......@@ -178,7 +178,7 @@ class page_action extends tform_actions {
if($server_config_array['misc']['maintenance_mode'] == 'y'){
//print_r($_SESSION);
//echo $_SESSION['s']['id'];
$app->db->query("DELETE FROM sys_session WHERE session_id != '".$_SESSION['s']['id']."'");
$app->db->query("DELETE FROM sys_session WHERE session_id != '".$app->db->quote($_SESSION['s']['id'])."'");
}
}
......
......@@ -77,7 +77,7 @@ class page_action extends tform_actions {
global $app, $conf;
$client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ".$this->id);
$client_id = $client['client_id'];
$client_id = $app->functions->intval($client['client_id']);
$username = $app->db->quote($this->dataRecord["username"]);
$old_username = $app->db->quote($this->oldDataRecord['username']);
......
......@@ -58,7 +58,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
......
......@@ -65,7 +65,7 @@ if(isset($_POST) && count($_POST) > 1) {
$tmp_client_ids = explode(',', $circle['client_ids']);
$where = array();
foreach($tmp_client_ids as $tmp_client_id){
$where[] = 'client_id = '.$tmp_client_id;
$where[] = 'client_id = '.$app->functions->intval($tmp_client_id);
}
if(!empty($where)) $where_clause = ' AND ('.implode(' OR ', $where).')';
$sql = "SELECT * FROM client WHERE email != ''".$where_clause;
......
......@@ -60,7 +60,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user') {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
......@@ -83,7 +83,7 @@ class page_action extends tform_actions {
if($_SESSION["s"]["user"]["typ"] == 'user' && $this->id == 0) {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT limit_client FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// Check if the user may add another website.
......@@ -156,7 +156,7 @@ class page_action extends tform_actions {
$username = $app->db->quote($this->dataRecord["username"]);
$password = $app->db->quote($this->dataRecord["password"]);
$modules = $conf['interface_modules_enabled'] . ',client';
$modules = $app->db->quote($conf['interface_modules_enabled'] . ',client');
$startmodule = (stristr($modules, 'dashboard'))?'dashboard':'client';
$usertheme = $app->db->quote($this->dataRecord["usertheme"]);
$type = 'user';
......@@ -247,7 +247,7 @@ class page_action extends tform_actions {
// reseller status changed
if(isset($this->dataRecord["limit_client"]) && $this->dataRecord["limit_client"] != $this->oldDataRecord["limit_client"]) {
$modules = $conf['interface_modules_enabled'] . ',client';
$modules = $app->db->quote($conf['interface_modules_enabled'] . ',client');
$modules = $app->db->quote($modules);
$client_id = $this->id;
$sql = "UPDATE sys_user SET modules = '$modules' WHERE client_id = $client_id";
......
......@@ -127,7 +127,7 @@ class dashlet_limits {
$tpl->setVar('is_admin', $user_is_admin);
if($user_is_admin == false) {
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT * FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
}
......@@ -157,7 +157,7 @@ class dashlet_limits {
function _get_limit_usage($limit) {
global $app;
$sql = "SELECT count(sys_userid) as number FROM ".$limit['db_table']." WHERE ";
$sql = "SELECT count(sys_userid) as number FROM ".$app->db->quote($limit['db_table'])." WHERE ";
if($limit['db_where'] != '') $sql .= $limit['db_where']." AND ";
$sql .= $app->tform->getAuthSQL('r');
$rec = $app->db->queryOneRecord($sql);
......
......@@ -31,7 +31,7 @@ class dashlet_mailquota {
}
//print_r($monitor_data);
if($_SESSION["s"]["user"]["typ"] != 'admin'){
$sql_where = " AND sys_groupid = ".$_SESSION['s']['user']['default_group'];
$sql_where = " AND sys_groupid = ".intval($_SESSION['s']['user']['default_group']);
}
$has_mailquota = false;
......
......@@ -25,7 +25,7 @@ class dashlet_quota {
}
//print_r($monitor_data);
if($_SESSION["s"]["user"]["typ"] != 'admin'){
$sql_where = " AND sys_groupid = ".$_SESSION['s']['user']['default_group'];
$sql_where = " AND sys_groupid = ".$app->functions->intval($_SESSION['s']['user']['default_group']);
}
$has_quota = false;
......
......@@ -98,14 +98,14 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSION['s']['user']['userid'])) {
// Get the limits of the client
$client_group_id = $_SESSION["s"]["user"]["default_group"];
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
$client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id");
// load the list of clients
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$client['client_id'];
$sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ".$app->functions->intval($client['client_id']);
$clients = $app->db->queryAllRecords($sql);
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".intval($client['client_id']));
$tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ".$app->functions->intval($client['client_id']));
$client_select = '<option value="'.$tmp['groupid'].'">'.$client['contactname'].'</option>';
if(is_array($clients)) {
foreach( $clients as $client) {
......@@ -118,7 +118,7 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO
}
$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '$template_id'");
$template_record = $app->db->queryOneRecord("SELECT * FROM dns_template WHERE template_id = '".$app->functions->intval($template_id)."'");
$fields = explode(',', $template_record['fields']);
if(is_array($fields)) {
foreach($fields as $field) {
......
......@@ -18,7 +18,7 @@ $app->uses('listform_actions');
// Optional limit
$hf_section = 0;
if(isset($_GET['hfs_id']))
$hf_section = preg_replace("/[^0-9]/", "", $_GET['hfs_id']);
$hf_section = $app->functions->intval(preg_replace("/[^0-9]/", "", $_GET['hfs_id']));
// if section id is not specified in the url, choose the first existing section
if(!$hf_section)
......
......@@ -33,7 +33,7 @@ class page_action extends tform_actions {
//* Get recipient email address
if($this->dataRecord['recipient_id'] > 1){
$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$this->dataRecord['recipient_id']." AND sys_user.client_id = client.client_id";
$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." AND sys_user.client_id = client.client_id";
$client = $app->db->queryOneRecord($sql);
$recipient_email = $client['email'];
} else {
......@@ -44,7 +44,7 @@ class page_action extends tform_actions {
//* Get sender email address
if($this->dataRecord['sender_id'] > 1){
$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$this->dataRecord['sender_id']." AND sys_user.client_id = client.client_id";
$sql = "SELECT client.email FROM sys_user, client WHERE sys_user.userid = ".$app->functions->intval($this->dataRecord['sender_id'])." AND sys_user.client_id = client.client_id";
$client = $app->db->queryOneRecord($sql);
$sender_email = $client['email'];
} else {
......@@ -113,7 +113,7 @@ class page_action extends tform_actions {
global $app, $conf;
if($_SESSION['s']['user']['typ'] == 'admin') {
$app->db->query("UPDATE support_message SET sys_userid = ".$this->dataRecord['recipient_id']." WHERE support_message_id = ".$this->id);
$app->db->query("UPDATE support_message SET sys_userid = ".$app->functions->intval($this->dataRecord['recipient_id'])." WHERE support_message_id = ".$this->id);
}
}
......
......@@ -12,7 +12,7 @@ $app->auth->check_module_permissio