www/adiumxtras.com 31:bb74074dac8b: Some truly terrible code by ...
Fri Dec 2 17:50:00 UTC 2011
details: http://hg.adium.im/www/adiumxtras.com/rev/bb74074dac8b
revision: 31:bb74074dac8b
branch: adiumxtras.com
author: Zachary West <zacw at adium.im>
date: Fri Dec 02 12:49:54 2011 -0500
Some truly terrible code by yours truly.
diffs (366 lines):
diff -r f6e34ccae5db -r bb74074dac8b include.php
--- a/include.php Mon Dec 06 12:34:19 2010 +0100
+++ b/include.php Fri Dec 02 12:49:54 2011 -0500
@@ -140,6 +140,8 @@
}
function commentsWithParent($cid) {
+ $cid = intval($cid);
+
$comments = array();
$comments[] = $cid;
$query = mysql_query("SELECT comment_id FROM comments WHERE parent_id='" . $cid . "%d'");
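Review bot: The query on the last line of the hunk still appends a literal `%d` after the concatenated id, so the WHERE clause is sent as `parent_id='<id>%d'`; the new `intval()` guard does not touch that. This is plain string concatenation, not a `sprintf` call, so `%d` is not a placeholder here and the lookup either matches nothing or only works through MySQL's lenient string-to-number conversion of the trailing characters — I cannot tell which from the hunk. The line should read `$query = mysql_query("SELECT comment_id FROM comments WHERE parent_id='" . $cid . "'");`. commentsWithParent's body continues past the hunk, so I cannot see how `$query` is consumed or whether recursion re-enters with an unchecked value.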
diff -r f6e34ccae5db -r bb74074dac8b manage.php
--- a/manage.php Mon Dec 06 12:34:19 2010 +0100
+++ b/manage.php Fri Dec 02 12:49:54 2011 -0500
@@ -13,10 +13,8 @@
// *pshew*, the user has the ability to do things.
switch ($_GET['do']) {
case "del_comment":
- if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- $_GET['comment_id'] = intval($_GET['comment_id']);
-
- $commentsToDelete = commentsWithParent($_GET['comment_id']);
+ if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
+ $commentsToDelete = commentsWithParent(intval($_GET['comment_id']));
if (count($commentsToDelete) > 0)
$sql->query("DELETE FROM comments WHERE comment_id IN (%s)", implode(",", $commentsToDelete));
@@ -29,8 +27,7 @@
break;
case "request_approval":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT xtras.*, assoc.cat_id FROM xtras, assoc WHERE assoc.xtra_id=xtras.xtra_id AND xtras.xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT xtras.*, assoc.cat_id FROM xtras, assoc WHERE assoc.xtra_id=xtras.xtra_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$xtraDetail = $sql->fetch_assoc();
if ($currentUserID == $xtraDetail['user_id'] || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
$readyForPending = 0;
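Review bot: Dropping the in-place `$_GET['xtra_id'] = intval(...)` and instead wrapping every single use in `intval()` leaves each case one forgotten call away from passing the raw query-string value again; the same pattern repeats in the delete, approve, enable, disable and deny hunks of this file, and in search.php and xtras.php. A single local at the top of each case, `$xtraId = intval($_GET['xtra_id']);`, used everywhere below it keeps the coercion in one place and makes the remaining raw reads (for example the `disable_reason` value mailed in the disable and deny cases) stand out. Style-wise it also removes the dozen repeated `intval($_GET['xtra_id'])` expressions that make the SQL lines hard to read.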
@@ -48,7 +45,7 @@
$smarty->assign("message", "Failed to set pending: No binary file was uploaded");
if ($readyForPending) {
- $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
$smarty->assign("title", "Now In Pending");
$smarty->assign("message", "Your Xtra is now classified as pending. Please wait a few days for a response from the moderators.");
$smarty->display('message.tpl');
@@ -64,31 +61,30 @@
break;
case "delete":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($xtraOwner, $status) = $sql->fetch_row();
if ($sql->num_rows() < 0)
break;
if ($currentUserID == $xtraOwner || array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
if ($_GET['confirm']) {
- $sql->query("SELECT binary_name, thumbnail FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT binary_name, thumbnail FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($binaryName, $thumbnail) = $sql->fetch_row();
checkAndDelete(sprintf("%s%s", $binaryLocation, $binaryName));
checkAndDelete(sprintf("%s%s", $thumbsLocation, $thumbnail));
- $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT imgfile, thumbfile FROM images WHERE xtra_id='%d'", intval($_GET['xtra_id']));
while (list ($imgfile, $thumbfile) = $sql->fetch_row()) {
checkAndDelete(sprintf("%s%s", $picturesLocation, $imgfile));
checkAndDelete(sprintf("%s%s", $picturesLocation, $thumbfile));
}
- $sql->query("DELETE FROM comments WHERE xtra_id='%d'", $_GET['xtra_id']);
- $sql->query("DELETE FROM assoc WHERE xtra_id='%d'", $_GET['xtra_id']);
- $sql->query("DELETE FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
- $sql->query("DELETE FROM ratings WHERE xtra_id='%d'", $_GET['xtra_id']);
- $sql->query("DELETE FROM images WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("DELETE FROM comments WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $sql->query("DELETE FROM assoc WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $sql->query("DELETE FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $sql->query("DELETE FROM ratings WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ $sql->query("DELETE FROM images WHERE xtra_id='%d'", intval($_GET['xtra_id']));
header("Location: index.php");
} else {
$smarty->assign("title", "Confirm Delete");
- $smarty->assign("xtra_id", $_GET['xtra_id']);
+ $smarty->assign("xtra_id", intval($_GET['xtra_id']));
$smarty->display("confirmDelete.tpl");
}
} else {
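Review bot: The `if ($sql->num_rows() < 0) break;` guard after the owner/status lookup can never fire, because a row count is never negative; a missing xtra falls through with `$xtraOwner` unset and the owner comparison on the next line is then made against an empty value. The intended check is `if ($sql->num_rows() == 0) break;`, placed before the `list(...) = $sql->fetch_row()` so nothing is read from an empty result. The same `< 0` comparison appears in the report_comment hunk of xtras.php, where it likewise lets a nonexistent comment id reach `fetch_assoc()`.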
@@ -99,20 +95,19 @@
break;
case "approve":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($xtraOwner, $status) = $sql->fetch_row();
// Get the xtra's category, in case it's a plugin (and only Devs/Admins can approve it)
- $sql->query("SELECT cats.cat_name FROM assoc, cats WHERE assoc.xtra_id='%d' and cats.cat_id = assoc.cat_id", $_GET['xtra_id']);
+ $sql->query("SELECT cats.cat_name FROM assoc, cats WHERE assoc.xtra_id='%d' and cats.cat_id = assoc.cat_id", intval($_GET['xtra_id']));
list($cat_name) = $sql->fetch_row();
// Does the user have sufficient access to approve?
if (($cat_name == "Plugins" && array_search(userLevel($currentUserID), array("Admin", "Developer")) !== FALSE) || ($cat_name != "Plugins" && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE)) {
- $sql->query("UPDATE xtras SET status='Approved', date_reviewed=NOW(), reviewer='%d' WHERE xtra_id='%d'", $currentUserID, $_GET['xtra_id']);
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("UPDATE xtras SET status='Approved', date_reviewed=NOW(), reviewer='%d' WHERE xtra_id='%d'", $currentUserID, intval($_GET['xtra_id']));
+ $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$userInfo = $sql->fetch_assoc();
- mail($userInfo['email'], "Your Xtra Was Approved", sprintf("Your Xtra, %s, was just approved:\n\nhttp://adiumxtras.com/index.php?a=xtras&xtra_id=%d", $userInfo['title'], $_GET['xtra_id']), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $_GET['xtra_id']));
+ mail($userInfo['email'], "Your Xtra Was Approved", sprintf("Your Xtra, %s, was just approved:\n\nhttp://adiumxtras.com/index.php?a=xtras&xtra_id=%d", $userInfo['title'], intval($_GET['xtra_id'])), "From: xtras at adiumxtras.com");
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
} else {
$smarty->assign("title", "Error Editing");
$smarty->assign("message", "You have invalid access to edit this Xtra. Remember: Only moderators can approve plugins.");
@@ -121,17 +116,16 @@
break;
case "enable":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($xtraOwner, $status) = $sql->fetch_row();
// Does the user have sufficient access to disable?
// Admin/Moderator or *this Xtra's* contributor ONLY
if ($currentUserID == $xtraOwner && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) === FALSE) {
- $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", $_GET['xtra_id']);
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET status='Pending' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", intval($_GET['xtra_id'])));
} elseif (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
- $sql->query("UPDATE xtras SET status='Approved', disable_reason='' WHERE xtra_id='%d'", $_GET['xtra_id']);
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET status='Approved', disable_reason='' WHERE xtra_id='%d'", intval($_GET['xtra_id']));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
} else {
$smarty->assign("title", "Error Editing");
$smarty->assign("message", "You have invalid access to edit this Xtra.");
@@ -140,25 +134,24 @@
break;
case "disable":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($xtraOwner, $status) = $sql->fetch_row();
// Does the user have sufficient access to disable?
// Admin/Moderator or *this Xtra's* contributor ONLY
if ($currentUserID == $xtraOwner && array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) === FALSE) {
- $sql->query("UPDATE xtras SET status='Held' WHERE xtra_id='%d' AND status='Approved'", $_GET['xtra_id']);
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET status='Held' WHERE xtra_id='%d' AND status='Approved'", intval($_GET['xtra_id']));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
} elseif (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Disabled', disable_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, $_GET['xtra_id']);
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("UPDATE xtras SET status='Disabled', disable_reason='%s', reviewer='%d' WHERE xtra_id='%d'", mysql_escape_string(strip_tags($_GET['disable_reason'])), $currentUserID, intval($_GET['xtra_id']));
+ $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$userInfo = $sql->fetch_assoc();
mail($userInfo['email'], "Your Xtra Was Disabled", sprintf("Your Xtra, %s, was just disabled:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", $_GET['xtra_id']));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d&do=edit", intval($_GET['xtra_id'])));
} else {
$smarty->assign("do", "disable");
$smarty->assign("title", "Disable An Xtra");
- $smarty->assign("xtra_id", $_GET['xtra_id']);
+ $smarty->assign("xtra_id", intval($_GET['xtra_id']));
$smarty->display("disableForm.tpl");
}
} else {
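Review bot: The new `mysql_escape_string(strip_tags($_GET['disable_reason']))` on the UPDATE is only applied to the stored copy; the e-mail three lines further down still interpolates the raw `$_GET['disable_reason']`, so the recipient sees unstripped text that differs from what was written to `deny_reason`/`disable_reason`. Computing it once, `$reason = strip_tags($_GET['disable_reason']);`, and using `mysql_escape_string($reason)` in the query and `$reason` in the mail body keeps the two consistent. `mysql_escape_string()` is also the deprecated, connection-charset-unaware variant; `mysql_real_escape_string()` is the one that escapes according to the active connection's character set. The deny hunk below has the identical inconsistency.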
@@ -169,22 +162,21 @@
break;
case "deny":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT user_id, status FROM xtras WHERE xtra_id='%d'", intval($_GET['xtra_id']));
list ($xtraOwner, $status) = $sql->fetch_row();
// Does the user have sufficient access to disable?
// Admin/Moderator ONLY
if (array_search(userLevel($currentUserID), array("Admin", "Moderator", "Developer")) !== FALSE) {
if ($_GET['disable_reason']) {
- $sql->query("UPDATE xtras SET status='Denied', deny_reason='%s', reviewer='%d' WHERE xtra_id='%d'", strip_tags($_GET['disable_reason']), $currentUserID, $_GET['xtra_id']);
- $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("UPDATE xtras SET status='Denied', deny_reason='%s', reviewer='%d' WHERE xtra_id='%d'", mysql_escape_string(strip_tags($_GET['disable_reason'])), $currentUserID, intval($_GET['xtra_id']));
+ $sql->query("SELECT users.*, xtras.title FROM users, xtras WHERE xtras.user_id=users.user_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$userInfo = $sql->fetch_assoc();
mail($userInfo['email'], "Your Xtra Was Denied", sprintf("Your Xtra, %s, was just denied:\n\n%s\n\nPlease visit the My Xtras to resubmit your Xtra.", $userInfo['title'], $_GET['disable_reason']), "From: xtras at adiumxtras.com");
- header(sprintf("Location: index.php?a=xtras&xtra_id=%d", $_GET['xtra_id']));
+ header(sprintf("Location: index.php?a=xtras&xtra_id=%d", intval($_GET['xtra_id'])));
} else {
$smarty->assign("do", "deny");
$smarty->assign("title", "Deny An Xtra");
- $smarty->assign("xtra_id", $_GET['xtra_id']);
+ $smarty->assign("xtra_id", intval($_GET['xtra_id']));
$smarty->display("disableForm.tpl");
}
} else {
diff -r f6e34ccae5db -r bb74074dac8b search.php
--- a/search.php Mon Dec 06 12:34:19 2010 +0100
+++ b/search.php Fri Dec 02 12:49:54 2011 -0500
@@ -31,7 +31,7 @@
foreach ($arguments as $arg) {
if ($arg{0} == "-") { // Searches for results lacking this word.
$arg = substr($arg, 1);
- $where[] = sprintf("(xtras.title NOT LIKE '%%%s%%' AND xtras.description NOT LIKE '%%%s%%' AND xtras.credits NOT LIKE '%%%s%%')", $arg, $arg, $arg);
+ $where[] = sprintf("(xtras.title NOT LIKE '%%%s%%' AND xtras.description NOT LIKE '%%%s%%' AND xtras.credits NOT LIKE '%%%s%%')", mysql_escape_string($arg), mysql_escape_string($arg), mysql_escape_string($arg));
} else
$where[] = sprintf("(xtras.title LIKE '%%%s%%' OR xtras.description LIKE '%%%s%%' OR xtras.credits LIKE '%%%s%%')", $arg, $arg, $arg);
}
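Review bot: Only the exclusion branch of the search-term loop was given `mysql_escape_string()`; the `else` branch on the last lines of the hunk still passes `$arg` into the LIKE clauses unescaped, and it is the branch every ordinary search term takes. Escaping once at the top of the loop body, `$arg = mysql_escape_string($arg);` after the `substr()` strip, covers both branches and avoids the triple repetition. Note that neither branch escapes the LIKE metacharacters `%` and `_`, so those still act as wildcards inside the pattern; if that is unintended, `addcslashes($arg, '%_')` before the SQL escaping handles it.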
@@ -39,15 +39,14 @@
}
if ($_GET['user']) {
- $sql->query("SELECT user_id FROM users WHERE username LIKE '%s'", $_GET['user']);
+ $sql->query("SELECT user_id FROM users WHERE username LIKE '%s'", mysql_escape_string($_GET['user']));
$_GET['user_id'] = $sql->fetch_row_single();
}
// Only show approved Xtras, unless... (see below)
$showApproved = " AND xtras.status='Approved'";
if ($_GET['user_id']) {
- $_GET['user_id'] = intval($_GET['user_id']);
- $sql->query("SELECT username FROM users WHERE user_id='%d'", $_GET['user_id']);
+ $sql->query("SELECT username FROM users WHERE user_id='%d'", intval($_GET['user_id']));
$byUserName = $sql->fetch_row_single();
// If the user is searching themselves, show even unapproved Xtras.
$currentUserID = currentUID();
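Review bot: The username lookup at the top of the hunk is now escaped but is still a `LIKE '%s'` comparison with no wildcards of its own, so `%` and `_` in the supplied name are treated as pattern characters and the query can resolve to a different user than the one literally named. For an exact lookup the comparison should be `username = '%s'`. The result is then written back into `$_GET['user_id']`, which works but means the later `intval($_GET['user_id'])` calls sometimes coerce a database value and sometimes a query-string value; a local `$userId` would make that distinction visible.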
@@ -55,9 +54,9 @@
$showApproved = "";
if ($_GET['user_id'] == $currentUserID)
$smarty->assign("page", "myxtras");
- $smarty->assign("byUID", $_GET['user_id']);
+ $smarty->assign("byUID", intval($_GET['user_id']));
$smarty->assign("byUIDUsername", $byUserName);
- $searchTerms .= sprintf("xtras.user_id='%d' AND", $_GET['user_id']);
+ $searchTerms .= sprintf("xtras.user_id='%d' AND", intval($_GET['user_id']));
}
switch ($_GET['do']) {
@@ -101,7 +100,7 @@
$smarty->assign("curPage", $_GET["start"]);
$smarty->assign("perPage", PERPAGE);
- $smarty->assign("pagerURL", sprintf("index.php?a=search&cat_id=%s&sort=%s&user_id=%d&s=%s&start=%%d%s", $catInfo["cat_id"], $_GET["sort"], $_GET['user_id'], str_replace("%", "%%", $_GET["s"]), ($_GET['do'] == "queue") ? "&do=queue" : ""));
+ $smarty->assign("pagerURL", sprintf("index.php?a=search&cat_id=%s&sort=%s&user_id=%d&s=%s&start=%%d%s", $catInfo["cat_id"], $_GET["sort"], intval($_GET['user_id']), str_replace("%", "%%", $_GET["s"]), ($_GET['do'] == "queue") ? "&do=queue" : ""));
while ($row = $sql->fetch_assoc()) {
if ($_GET['type'] != "rss") {
diff -r f6e34ccae5db -r bb74074dac8b users.php
--- a/users.php Mon Dec 06 12:34:19 2010 +0100
+++ b/users.php Fri Dec 02 12:49:54 2011 -0500
@@ -38,7 +38,7 @@
case "reset":
$_GET['vcode'] = str_replace(" ", "", $_GET['vcode']);
- $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", $_GET['vcode']);
+ $sql->query("SELECT user_id FROM users WHERE vcode='%s' AND vcode != ''", mysql_escape_string($_GET['vcode']));
if ($sql->num_rows() == 0) {
$smarty->assign("title", "Error Resetting Password");
if (strlen($_GET['vcode']) != 32)
@@ -48,7 +48,7 @@
$smarty->display('error.tpl');
} else {
$smarty->assign("title", "Password Reset");
- $smarty->assign("vcode", $_GET['vcode']);
+ $smarty->assign("vcode", mysql_escape_string($_GET['vcode']));
$smarty->display("forgotPasswordReset.tpl");
}
break;
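Review bot: `mysql_escape_string()` on the value assigned to the `vcode` template variable is escaping for the wrong context: the value is being handed to Smarty for HTML output, not to a query, so backslashes may end up rendered in the reset form while any HTML-significant characters are left as they are. Pass the plain value, `$smarty->assign("vcode", $_GET['vcode']);`, and let the template apply `|escape` (or `htmlspecialchars()` here if the template does not). The SQL escaping on the SELECT in the previous hunk is the correct place for it, and the 32-character length test a few lines above that could run before the query rather than after.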
@@ -211,7 +211,7 @@
case "validate":
if ($_GET['vc']) {
- $sql->query("SELECT user_id FROM users WHERE status='Pending' and vcode='%s'", $_GET['vc']);
+ $sql->query("SELECT user_id FROM users WHERE status='Pending' and vcode='%s'", mysql_escape_string($_GET['vc']));
if ($sql->num_rows() > 0) {
$sql->query("UPDATE users SET status='Active', vcode='' WHERE user_id='%d'", $sql->fetch_row_single());
header("Location: index.php?a=users&do=account");
diff -r f6e34ccae5db -r bb74074dac8b xtras.php
--- a/xtras.php Mon Dec 06 12:34:19 2010 +0100
+++ b/xtras.php Fri Dec 02 12:49:54 2011 -0500
@@ -49,19 +49,17 @@
break;
case "rate":
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $_GET['rating'] = intval($_GET['rating']);
if ($_GET['rating'] < 0 || $_GET['rating'] > 5) {
header(sprintf("Location: %s", $_SERVER['HTTP_REFERER']));
} else {
- $sql->query("DELETE FROM ratings WHERE ip='%s' AND xtra_id='%d'", $_SERVER['REMOTE_ADDR'], $_GET['xtra_id']);
- $sql->query("INSERT INTO ratings (rating, ip, ts, xtra_id) VALUES ('%d', '%s', NOW(), '%d')", $_GET['rating'], $_SERVER['REMOTE_ADDR'], $_GET['xtra_id']);
- $sql->query("UPDATE xtras SET ranking='%lf' WHERE xtra_id='%d'", (avgRating($_GET['xtra_id']) - 3) * log10(voteCount($_GET['xtra_id'])), $_GET['xtra_id']);
+ $sql->query("DELETE FROM ratings WHERE ip='%s' AND xtra_id='%d'", $_SERVER['REMOTE_ADDR'], intval($_GET['xtra_id']));
+ $sql->query("INSERT INTO ratings (rating, ip, ts, xtra_id) VALUES ('%d', '%s', NOW(), '%d')", intval($_GET['rating']), $_SERVER['REMOTE_ADDR'], intval($_GET['xtra_id']));
+ $sql->query("UPDATE xtras SET ranking='%lf' WHERE xtra_id='%d'", (avgRating(intval($_GET['xtra_id'])) - 3) * log10(voteCount(intval($_GET['xtra_id']))), intval($_GET['xtra_id']));
if ($_GET['html']) {
- $smarty->assign("xtraid", $_GET['xtra_id']);
- $smarty->assign("vote", $_GET['rating']);
- $smarty->assign("rating", avgRating($_GET["xtra_id"]));
- $smarty->assign("votes", voteCount($_GET["xtra_id"]));
+ $smarty->assign("xtraid", intval($_GET['xtra_id']);)
+ $smarty->assign("vote", intval($_GET['rating']));
+ $smarty->assign("rating", avgRating(intval($_GET["xtra_id"])));
+ $smarty->assign("votes", voteCount(intval($_GET["xtra_id"])));
$smarty->display("rating.tpl");
} else
header(sprintf("Location: %s", $_SERVER['HTTP_REFERER']));
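Review bot: The `xtraid` assignment in the `if ($_GET['html'])` block is a parse error: the semicolon is inside the argument list, `intval($_GET['xtra_id']);)`, which takes down the whole file, not just the rate case. It should read `$smarty->assign("xtraid", intval($_GET['xtra_id']));`. Separately, removing `$_GET['rating'] = intval(...)` means the range check `if ($_GET['rating'] < 0 || $_GET['rating'] > 5)` now runs on the raw string while the INSERT stores `intval($_GET['rating'])`, so the value validated and the value stored are no longer the same; `$rating = intval($_GET['rating']);` before the check, used in both places, restores that.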
@@ -70,11 +68,11 @@
case "report_comment":
$reportingUser = gethostbyaddr($_SERVER['REMOTE_ADDR']);
- $sql->query("SELECT * FROM comments WHERE comment_id='%d'", $_GET['comment_id']);
+ $sql->query("SELECT * FROM comments WHERE comment_id='%d'", intval($_GET['comment_id']));
if ($sql->num_rows() < 0 || strpos($reportingUser, "googlebot"))
break;
$comData = $sql->fetch_assoc();
- $sql->query("SELECT * FROM reported WHERE comment_id='%d'", $_GET['comment_id']);
+ $sql->query("SELECT * FROM reported WHERE comment_id='%d'", intval($_GET['comment_id']));
if ($sql->num_rows() > 0)
break;
@@ -87,19 +85,18 @@
break;
default:
- $_GET['xtra_id'] = intval($_GET['xtra_id']);
- $sql->query("SELECT xtras.*, cats.*, users.*, UNIX_TIMESTAMP(xtras.date_added) AS date_added, UNIX_TIMESTAMP(xtras.bin_updated) AS bin_updated, xtras.status as status FROM xtras, cats, users, assoc WHERE xtras.xtra_id=assoc.xtra_id AND xtras.user_id=users.user_id AND cats.cat_id = assoc.cat_id AND xtras.xtra_id='%d'", $_GET['xtra_id']);
+ $sql->query("SELECT xtras.*, cats.*, users.*, UNIX_TIMESTAMP(xtras.date_added) AS date_added, UNIX_TIMESTAMP(xtras.bin_updated) AS bin_updated, xtras.status as status FROM xtras, cats, users, assoc WHERE xtras.xtra_id=assoc.xtra_id AND xtras.user_id=users.user_id AND cats.cat_id = assoc.cat_id AND xtras.xtra_id='%d'", intval($_GET['xtra_id']));
$xtraDetail = $sql->fetch_assoc();
if (!$xtraDetail['xtra_id']) {
$smarty->assign("title", "Unknown Xtra");
- $smarty->assign("message", sprintf("The Xtra you have attempted to view (%s) does not exist.", $_GET['xtra_id']));
+ $smarty->assign("message", sprintf("The Xtra you have attempted to view (%s) does not exist.", intval($_GET['xtra_id'])));
$smarty->display('error.tpl');
exit();
}
- $xtraDetail['rating'] = avgRating($_GET['xtra_id']);
- $xtraDetail['votes'] = voteCount($_GET['xtra_id']);
+ $xtraDetail['rating'] = avgRating(intval($_GET['xtra_id']));
+ $xtraDetail['votes'] = voteCount(intval($_GET['xtra_id']));
if ($xtraDetail['cat_name'] == "Miscellaneous") {
$xtraDetail["showInstall"] = "No";
} else {
@@ -113,7 +110,7 @@
$smarty->assign("xtra", $xtraDetail);
- $sql->query("SELECT * FROM images WHERE xtra_id='%d' ORDER BY image_id", $_GET['xtra_id']);
+ $sql->query("SELECT * FROM images WHERE xtra_id='%d' ORDER BY image_id", intval($_GET['xtra_id']));
while ($row = $sql->fetch_assoc())
$images[] = $row;
$smarty->assign("images", $images);
@@ -153,7 +150,7 @@
$smarty->assign("title", sprintf("View Xtra: %s", $xtraDetail['title']));
include("minicat.php");
$smarty->assign("categories", $categories);
- $smarty->assign("comments", compileComments($_GET['xtra_id'], 0));
+ $smarty->assign("comments", compileComments(intval($_GET['xtra_id']), 0));
$smarty->display("xtras.tpl");
}
break;