2977 if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) ) |
2977 if( !isset($_GET['side']) || ( isset($_GET['side']) && !preg_match('#^([0-9]+)$#', $_GET['side']) ) ) |
2978 { |
2978 { |
2979 echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>'; |
2979 echo '<div class="warning-box" style="margin: 10px 0;">$_GET[\'side\'] contained an SQL injection attempt</div>'; |
2980 break; |
2980 break; |
2981 } |
2981 } |
2982 $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
2982 $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';'); |
2983 if(!$query) |
2983 if(!$query) |
2984 { |
2984 { |
2985 echo $db->get_error(); |
2985 echo $db->get_error(); |
2986 $template->footer(); |
2986 $template->footer(); |
2987 exit; |
2987 exit; |
2988 } |
2988 } |
2989 echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>'; |
2989 echo '<div class="info-box" style="margin: 10px 0;">Item moved.</div>'; |
2990 break; |
2990 break; |
2991 case 'delete': |
2991 case 'delete': |
2992 $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-) |
2992 $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-) |
2993 if(!$query) |
2993 if(!$query) |
2994 { |
2994 { |
2995 echo $db->get_error(); |
2995 echo $db->get_error(); |
2996 $template->footer(); |
2996 $template->footer(); |
2997 exit; |
2997 exit; |
3002 die('GOOD'); |
3002 die('GOOD'); |
3003 } |
3003 } |
3004 echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>'; |
3004 echo '<div class="error-box" style="margin: 10px 0;">Item deleted.</div>'; |
3005 break; |
3005 break; |
3006 case 'disenable'; |
3006 case 'disenable'; |
3007 $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
3007 $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); |
3008 if(!$q) |
3008 if(!$q) |
3009 { |
3009 { |
3010 echo $db->get_error(); |
3010 echo $db->get_error(); |
3011 $template->footer(); |
3011 $template->footer(); |
3012 exit; |
3012 exit; |
3013 } |
3013 } |
3014 $r = $db->fetchrow(); |
3014 $r = $db->fetchrow(); |
3015 $db->free_result(); |
3015 $db->free_result(); |
3016 $e = ( $r['item_enabled'] == 1 ) ? '0' : '1'; |
3016 $e = ( $r['item_enabled'] == 1 ) ? '0' : '1'; |
3017 $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
3017 $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';'); |
3018 if(!$q) |
3018 if(!$q) |
3019 { |
3019 { |
3020 echo $db->get_error(); |
3020 echo $db->get_error(); |
3021 $template->footer(); |
3021 $template->footer(); |
3022 exit; |
3022 exit; |
3025 { |
3025 { |
3026 ob_end_clean(); |
3026 ob_end_clean(); |
3027 die('GOOD'); |
3027 die('GOOD'); |
3028 } |
3028 } |
3029 break; |
3029 break; |
|
3030 case 'rename'; |
|
3031 $newname = $db->escape($_POST['newname']); |
|
3032 $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';'); |
|
3033 if(!$q) |
|
3034 { |
|
3035 echo $db->get_error(); |
|
3036 $template->footer(); |
|
3037 exit; |
|
3038 } |
|
3039 if(isset($_GET['ajax'])) |
|
3040 { |
|
3041 ob_end_clean(); |
|
3042 die('GOOD'); |
|
3043 } |
|
3044 break; |
3030 case 'getsource': |
3045 case 'getsource': |
3031 $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
3046 $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); |
3032 if(!$q) |
3047 if(!$q) |
3033 { |
3048 { |
3034 echo $db->get_error(); |
3049 echo $db->get_error(); |
3035 $template->footer(); |
3050 $template->footer(); |
3036 exit; |
3051 exit; |
3058 else |
3073 else |
3059 { |
3074 { |
3060 $_POST['content'] = sanitize_html($_POST['content'], true); |
3075 $_POST['content'] = sanitize_html($_POST['content'], true); |
3061 } |
3076 } |
3062 } |
3077 } |
3063 $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
3078 $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';'); |
3064 if(!$q) |
3079 if(!$q) |
3065 { |
3080 { |
3066 echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; |
3081 echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; |
3067 exit; |
3082 exit; |
3068 } |
3083 } |
3069 $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); |
3084 $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); |
3070 if(!$q) |
3085 if(!$q) |
3071 { |
3086 { |
3072 echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; |
3087 echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; |
3073 exit; |
3088 exit; |
3074 } |
3089 } |
3177 case BLOCK_PLUGIN: |
3192 case BLOCK_PLUGIN: |
3178 $parser = $template->makeParserText($vars['sidebar_section_raw']); |
3193 $parser = $template->makeParserText($vars['sidebar_section_raw']); |
3179 $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block'; |
3194 $c = ($template->fetch_block($row['block_content'])) ? $template->fetch_block($row['block_content']) : 'Can\'t find plugin block'; |
3180 break; |
3195 break; |
3181 } |
3196 } |
3182 $t = $template->tplWikiFormat($row['block_name']); |
3197 $t = '<span title="Double-click to rename this block" id="sbrename_' . $row['item_id'] . '" ondblclick="ajaxRenameSidebarStage1(this, \''.$row['item_id'].'\'); return false;">' . $template->tplWikiFormat($row['block_name']) . '</span>'; |
3183 if($row['item_enabled'] == 0) $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red;">(disabled)</span>'; |
3198 if($row['item_enabled'] == 0) $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red;">(disabled)</span>'; |
3184 else $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red; display: none;">(disabled)</span>'; |
3199 else $t .= ' <span id="disabled_'.$row['item_id'].'" style="color: red; display: none;">(disabled)</span>'; |
3185 $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT; |
3200 $side = ( $row['sidebar_id'] == SIDEBAR_LEFT ) ? SIDEBAR_RIGHT : SIDEBAR_LEFT; |
3186 $tb = '<a title="Enable or disable this block" href="'.makeUrl($paths->page, 'action=disenable&id='.$row['item_id'].'' , true).'" onclick="ajaxDisenableBlock(\''.$row['item_id'].'\'); return false;" ><img alt="Enable/disable this block" style="border-width: 0;" src="'.scriptPath.'/images/disenable.png" /></a> |
3201 $tb = '<a title="Enable or disable this block" href="'.makeUrl($paths->page, 'action=disenable&id='.$row['item_id'].'' , true).'" onclick="ajaxDisenableBlock(\''.$row['item_id'].'\'); return false;" ><img alt="Enable/disable this block" style="border-width: 0;" src="'.scriptPath.'/images/disenable.png" /></a> |
3187 <a title="Edit the contents of this block" href="'.makeUrl($paths->page, 'action=edit&id='.$row['item_id'].'' , true).'" onclick="ajaxEditBlock(\''.$row['item_id'].'\', this); return false;"><img alt="Edit this block" style="border-width: 0;" src="'.scriptPath.'/images/edit.png" /></a> |
3202 <a title="Edit the contents of this block" href="'.makeUrl($paths->page, 'action=edit&id='.$row['item_id'].'' , true).'" onclick="ajaxEditBlock(\''.$row['item_id'].'\', this); return false;"><img alt="Edit this block" style="border-width: 0;" src="'.scriptPath.'/images/edit.png" /></a> |