root/branches/portal_by_daris/admin/pages.php

Revision 48, 14.9 KB (checked in by daris, 3 years ago)

portal: fixed sql injection in admin pages

1<?php
2/***********************************************************************
3
4        PunBB extension
5        Portal
6        Daris <daris91@gmail.com>
7
8************************************************************************/
9
10
// Bootstrap: resolve the forum root, load the core and admin-common includes,
// and restrict the rest of this page to the administrator group.
if (!defined('FORUM_ROOT'))
        define('FORUM_ROOT', '../../../');
require FORUM_ROOT.'include/common.php';
require FORUM_ROOT.'include/common_admin.php';

// Root of this extension, relative to its admin/ directory
define('PORTAL_ROOT', '../');

// Extension hook point: whatever get_hook() returns is eval()'d in the current scope,
// so hook code can read and overwrite any variable defined above it.
($hook = get_hook('xn_portal_by_daris_apg_start')) ? eval($hook) : null;

// Admin-only page. There is no exit after message(), so it is presumably relied on
// to end the request; nothing below re-checks the group.
if ($forum_user['g_id'] != FORUM_ADMIN)
        message($lang_common['No permission']);

// Load the admin.php language file
// NOTE(review): $forum_user['language'] (presumably populated by the includes above, not
// taken from the request) is spliced into a require path — confirm it is restricted to
// installed language directory names.
require FORUM_ROOT.'lang/'.$forum_user['language'].'/admin_common.php';

// The extension's own strings: the user's language if a translation exists, else English
if (file_exists(PORTAL_ROOT.'lang/'.$forum_user['language'].'/admin_pages.php'))
        require PORTAL_ROOT.'lang/'.$forum_user['language'].'/admin_pages.php';
else
        require PORTAL_ROOT.'lang/English/admin_pages.php';
30
31
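// Add a new page (submitted from the "add page" form on the main listing below).
// NOTE(review): the csrf_token field emitted by that form is not checked in this file;
// it is assumed to be verified centrally for every POST by include/common.php — confirm.
if (isset($_POST['add_page']))
{
        // A missing field is treated as an empty title instead of raising an undefined-index
        // notice (e.g. a hand-crafted POST); the empty-title check below then rejects it.
        $page_title = forum_trim(isset($_POST['page_title']) ? $_POST['page_title'] : '');

        // Extension hook point: eval()'d in this scope, so it can change $page_title
        ($hook = get_hook('xn_portal_by_daris_apg_add_page_form_submitted')) ? eval($hook) : null;

        // message() is presumably relied on to end the request (no exit follows it)
        if ($page_title == '')
                message($lang_admin_pages['Must enter page message']);

        // The title is escaped for the SQL string literal. No server-side length limit is
        // applied; the form's maxlength="80" is client-side only and the column width is
        // not visible here.
        $query = array(
                'INSERT'        => 'title',
                'INTO'          => 'pages',
                'VALUES'        => '\''.$forum_db->escape($page_title).'\''
        );

        ($hook = get_hook('xn_portal_by_daris_apg_add_page_qr_add_forum')) ? eval($hook) : null;
        $forum_db->query_build($query) or error(__FILE__, __LINE__);

        ($hook = get_hook('xn_portal_by_daris_apg_add_page_pre_redirect')) ? eval($hook) : null;

        redirect(forum_link($forum_url['admin_pages']), $lang_admin_pages['Page added'].' '.$lang_admin_common['Redirect']);
}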
55
56
// Delete a page. Two-step: a plain GET only renders the confirmation form;
// the row is removed only when the POST carries del_page_comply.
else if (isset($_GET['del_page']))
{
        // Cast to int before the id is inlined into any query below
        $page_to_delete = intval($_GET['del_page']);
        if ($page_to_delete < 1)
                message($lang_common['Bad request']);

        // User pressed the cancel button
        if (isset($_POST['del_page_cancel']))
                redirect(forum_link($forum_url['admin_pages']), $lang_admin_common['Cancel redirect']);

        // Extension hook point: eval()'d in this scope
        ($hook = get_hook('xn_portal_by_daris_apg_del_page_form_submitted')) ? eval($hook) : null;

        if (isset($_POST['del_page_comply']))   // Confirmed: delete the page row
        {

                // $page_to_delete is an int (cast above), so inlining it in WHERE is safe.
                // NOTE(review): the form's csrf_token is not checked here; assumed to be
                // verified centrally for every POST by include/common.php — confirm.
                $query = array(
                        'DELETE'        => 'pages',
                        'WHERE'         => 'id='.$page_to_delete
                );

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_qr_delete_forum')) ? eval($hook) : null;
                $forum_db->query_build($query) or error(__FILE__, __LINE__);

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_pre_redirect')) ? eval($hook) : null;

                redirect(forum_link($forum_url['admin_pages']), $lang_admin_pages['Page deleted'].' '.$lang_admin_common['Redirect']);
        }
        else    // If the user hasn't confirmed the delete
        {
                // Fetch the title for the confirmation prompt; an unknown id is a bad request
                $query = array(
                        'SELECT'        => 'pg.title',
                        'FROM'          => 'pages AS pg',
                        'WHERE'         => 'pg.id='.$page_to_delete
                );

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_qr_get_page_name')) ? eval($hook) : null;
                $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
                if (!$forum_db->num_rows($result))
                        message($lang_common['Bad request']);

                $page_title = $forum_db->result($result);


                // Setup breadcrumbs
                $forum_page['crumbs'] = array(
                        array($forum_config['o_board_title'], forum_link($forum_url['index'])),
                        array($lang_admin_common['Forum administration'], forum_link($forum_url['admin_index'])),
                        array($lang_admin_pages['Pages'], forum_link($forum_url['admin_pages'])),
                        $lang_admin_pages['Delete page']
                );

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_pre_header_load')) ? eval($hook) : null;

                define('FORUM_PAGE_SECTION', 'start');
                define('FORUM_PAGE', 'admin-pages');
                require FORUM_ROOT.'header.php';

                // START SUBST - <!-- forum_main -->
                // The HTML below is captured into the output buffer and spliced into $tpl_main.
                // The title is HTML-encoded before output; the id is an int.
                ob_start();

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_output_start')) ? eval($hook) : null;

?>
        <div class="main-subhead">
                <h2 class="hn"><span><?php printf($lang_admin_pages['Confirm delete page'], forum_htmlencode($page_title)) ?></span></h2>
        </div>
        <div class="main-content main-frm">
                <form class="frm-form" method="post" accept-charset="utf-8" action="<?php echo forum_link($forum_url['admin_pages']) ?>?del_page=<?php echo $page_to_delete ?>">
                        <div class="hidden">
                                <input type="hidden" name="csrf_token" value="<?php echo generate_form_token(forum_link($forum_url['admin_pages']).'?del_page='.$page_to_delete) ?>" />
                        </div>
                        <div class="ct-box warn-box">
                                <p class="warn"><?php echo $lang_admin_pages['Delete page warning'] ?></p>
                        </div>
                        <div class="frm-buttons">
                                <span class="submit"><input type="submit" name="del_page_comply" value="<?php echo $lang_admin_pages['Delete page'] ?>" /></span>
                                <span class="cancel"><input type="submit" name="del_page_cancel" value="<?php echo $lang_admin_common['Cancel'] ?>" /></span>
                        </div>
                </form>
        </div>

<?php

                ($hook = get_hook('xn_portal_by_daris_apg_del_page_end')) ? eval($hook) : null;

                $tpl_temp = forum_trim(ob_get_contents());
                $tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
                ob_end_clean();
                // END SUBST - <!-- forum_main -->

                // NOTE(review): footer.php is presumably relied on to end the request; otherwise
                // execution would fall through to the main listing below, which re-defines
                // FORUM_PAGE_SECTION and includes header.php a second time — confirm.
                require FORUM_ROOT.'footer.php';
        }
}
152
153
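// Edit an existing page: render the edit form on GET, save title/content on POST with "save".
else if (isset($_GET['edit_page']))
{
        // Cast to int before the id is inlined into any query below
        $page_id = intval($_GET['edit_page']);
        if ($page_id < 1)
                message($lang_common['Bad request']);

        // Extension hook point: eval()'d in this scope
        ($hook = get_hook('xn_portal_by_daris_apg_edit_page_selected')) ? eval($hook) : null;

        // Fetch page info; an unknown id is a bad request
        $query = array(
                'SELECT'        => 'pg.id, pg.title, pg.content',
                'FROM'          => 'pages AS pg',
                'WHERE'         => 'pg.id='.$page_id
        );

        ($hook = get_hook('xn_portal_by_daris_apg_edit_page_qr_get_page_details')) ? eval($hook) : null;
        $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
        if (!$forum_db->num_rows($result))
                message($lang_common['Bad request']);

        $cur_page = $forum_db->fetch_assoc($result);

        // Save the submitted title and content for $page_id.
        // NOTE(review): the form's csrf_token is not checked in this file; assumed to be
        // verified centrally for every POST by include/common.php — confirm.
        if (isset($_POST['save']))
        {
                ($hook = get_hook('xn_portal_by_daris_apg_save_page_form_submitted')) ? eval($hook) : null;

                // Missing fields are treated as empty strings instead of raising an undefined-index
                // notice (e.g. a hand-crafted POST); the empty-title check below then rejects it.
                $page_title = forum_trim(isset($_POST['page_title']) ? $_POST['page_title'] : '');
                $page_content = forum_linebreaks(forum_trim(isset($_POST['page_content']) ? $_POST['page_content'] : ''));

                // message() is presumably relied on to end the request (no exit follows it)
                if ($page_title == '')
                        message($lang_admin_pages['Must enter page message']);

                // Both text values are escaped for the SQL string literals; the id is an int.
                // The content is stored as submitted — escaping for display on the public page
                // must happen where it is rendered, which is not visible in this file.
                $query = array(
                        'UPDATE'        => 'pages',
                        'SET'           => 'title=\''.$forum_db->escape($page_title).'\', content=\''.$forum_db->escape($page_content).'\'',
                        'WHERE'         => 'id='.$page_id
                );

                ($hook = get_hook('xn_portal_by_daris_apg_save_page_qr_update_page')) ? eval($hook) : null;
                $forum_db->query_build($query) or error(__FILE__, __LINE__);

                ($hook = get_hook('xn_portal_by_daris_apg_save_page_pre_redirect')) ? eval($hook) : null;

                redirect(forum_link($forum_url['admin_pages']), $lang_admin_pages['Page updated'].' '.$lang_admin_common['Redirect']);
        }


        $forum_page['form_info'] = array();

        // Setup the form: counters used by the markup below to number groups, sets and fields
        $forum_page['item_count'] = $forum_page['group_count'] = $forum_page['fld_count'] = 0;

        // Setup breadcrumbs
        $forum_page['crumbs'] = array(
                array($forum_config['o_board_title'], forum_link($forum_url['index'])),
                array($lang_admin_common['Forum administration'], forum_link($forum_url['admin_index'])),
                array($lang_admin_pages['Pages'], forum_link($forum_url['admin_pages'])),
                $lang_admin_pages['Edit page']
        );

        ($hook = get_hook('xn_portal_by_daris_apg_edit_page_pre_header_load')) ? eval($hook) : null;

        define('FORUM_PAGE_SECTION', 'start');
        define('FORUM_PAGE', 'admin-pages');
        require FORUM_ROOT.'header.php';

        // START SUBST - <!-- forum_main -->
        // The HTML below is captured into the output buffer and spliced into $tpl_main.
        // Title and content from the database are HTML-encoded before output; the id is an int.
        ob_start();

        ($hook = get_hook('xn_portal_by_daris_apg_edit_page_output_start')) ? eval($hook) : null;

?>
        <div class="main-subhead">
                <h2 class="hn"><span><?php printf($lang_admin_pages['Edit page head'], forum_htmlencode($cur_page['title'])) ?></span></h2>
        </div>
        <div class="main-content main-frm">
                <form method="post" class="frm-form" accept-charset="utf-8" action="<?php echo forum_link($forum_url['admin_pages']) ?>?edit_page=<?php echo $page_id ?>">
                        <div class="hidden">
                                <input type="hidden" name="csrf_token" value="<?php echo generate_form_token(forum_link($forum_url['admin_pages']).'?edit_page='.$page_id) ?>" />
                        </div>
                        <div class="content-head">
                                <h3 class="hn"><span><?php echo $lang_admin_pages['Edit page details head'] ?></span></h3>
                        </div>
<?php ($hook = get_hook('xn_portal_by_daris_apg_edit_page_pre_details_fieldset')) ? eval($hook) : null; ?>
                        <fieldset class="frm-group group<?php echo ++$forum_page['group_count'] ?>">
                                <legend class="group-legend"><strong><?php echo $lang_admin_pages['Edit forum details legend'] ?></strong></legend>
<?php ($hook = get_hook('xn_portal_by_daris_apg_edit_page_pre_page_name')) ? eval($hook) : null; ?>
                                <div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
                                        <div class="sf-box text">
                                                <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_admin_pages['Page title'] ?></span></label><br />
                                                <span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="page_title" size="35" maxlength="80" value="<?php echo forum_htmlencode($cur_page['title']) ?>" /></span>
                                        </div>
                                </div>
<?php ($hook = get_hook('xn_portal_by_daris_apg_edit_page_pre_page_content')) ? eval($hook) : null; ?>
                                <div class="txt-set set<?php echo ++$forum_page['item_count'] ?>">
                                        <div class="txt-box textarea">
                                                <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_admin_pages['Page content'] ?></span> <small><?php echo $lang_admin_pages['Page content help'] ?></small></label><br />
                                                <div class="txt-input"><span class="fld-input"><textarea id="fld<?php echo $forum_page['fld_count'] ?>" name="page_content" rows="10" cols="50"><?php echo forum_htmlencode($cur_page['content']) ?></textarea></span></div>
                                        </div>
                                </div>

                        </fieldset>
                        <div class="frm-buttons">
                                <span class="submit"><input type="submit" name="save" value="<?php echo $lang_admin_common['Save changes'] ?>" /></span>
                        </div>
                </form>
        </div>
<?php

        ($hook = get_hook('xn_portal_by_daris_apg_edit_page_end')) ? eval($hook) : null;

        $tpl_temp = forum_trim(ob_get_contents());
        $tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
        ob_end_clean();
        // END SUBST - <!-- forum_main -->

        // NOTE(review): footer.php is presumably relied on to end the request; otherwise
        // execution would fall through to the main listing below — confirm.
        require FORUM_ROOT.'footer.php';
}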
274
// Main listing (reached when no add/delete/edit action applies):
// renders the "add page" form, then the list of existing pages below.
// Setup the form: counters used by the markup below to number groups, sets and fields
$forum_page['fld_count'] = $forum_page['group_count'] = $forum_page['item_count'] = 0;

// Setup breadcrumbs
$forum_page['crumbs'] = array(
        array($forum_config['o_board_title'], forum_link($forum_url['index'])),
        array($lang_admin_common['Forum administration'], forum_link($forum_url['admin_index'])),
        $lang_admin_pages['Pages']
);

// Extension hook point: eval()'d in this scope
($hook = get_hook('xn_portal_by_daris_apg_pre_header_load')) ? eval($hook) : null;

define('FORUM_PAGE_SECTION', 'start');
define('FORUM_PAGE', 'admin-pages');
require FORUM_ROOT.'header.php';

// START SUBST - <!-- forum_main -->
// Everything output from here until the END SUBST marker further down is buffered
// and spliced into $tpl_main.
ob_start();

($hook = get_hook('xn_portal_by_daris_apg_main_output_start')) ? eval($hook) : null;

// The "action=adddel" query string only serves to bind the CSRF token to this form's URL;
// the submit is dispatched on the add_page POST field (see the add branch above).
?>
        <div class="main-subhead">
                <h2 class="hn"><span><?php echo $lang_admin_pages['Add page head'] ?></span></h2>
        </div>
        <div class="main-content main-frm">
                <form class="frm-form" method="post" accept-charset="utf-8" action="<?php echo forum_link($forum_url['admin_pages']) ?>?action=adddel">
                        <div class="hidden">
                                <input type="hidden" name="csrf_token" value="<?php echo generate_form_token(forum_link($forum_url['admin_pages']).'?action=adddel') ?>" />
                        </div>
<?php ($hook = get_hook('xn_portal_by_daris_apg_pre_add_page_fieldset')) ? eval($hook) : null; ?>
                        <fieldset class="frm-group set<?php echo ++$forum_page['group_count'] ?>">
                                <legend class="group-legend"><strong><?php echo $lang_admin_pages['Add page legend'] ?></strong></legend>
<?php ($hook = get_hook('xn_portal_by_daris_apg_pre_new_page_name')) ? eval($hook) : null; ?>
                                <div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
                                        <div class="sf-box text">
                                                <label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_admin_pages['Page title label'] ?></span></label><br />
                                                <span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="page_title" size="35" maxlength="80" /></span>
                                        </div>
                                </div>
<?php ($hook = get_hook('xn_portal_by_daris_apg_pre_add_page_fieldset_end')) ? eval($hook) : null; ?>
                        </fieldset>
<?php ($hook = get_hook('xn_portal_by_daris_apg_add_page_fieldset_end')) ? eval($hook) : null; ?>
                        <div class="frm-buttons">
                                <span class="submit"><input type="submit" class="button" name="add_page" value=" <?php echo $lang_admin_pages['Add page'] ?> " /></span>
                        </div>
                </form>
        </div>

<?php
325
// List every existing page with an edit link and a delete link (no ORDER BY: row order is
// whatever the database returns)
$query = array(
        'SELECT'        => 'pg.id, pg.title',
        'FROM'          => 'pages AS pg'
);

($hook = get_hook('xn_portal_by_daris_apg_qr_get_pages')) ? eval($hook) : null;
$result = $forum_db->query_build($query) or error(__FILE__, __LINE__);

// The listing section is omitted entirely when there are no pages
if ($forum_db->num_rows($result))
{
        // Reset fieldset counter (not read elsewhere in this file; presumably kept for hooks)
        $forum_page['set_count'] = 0;

?>
        <div class="main-subhead">
                <h2 class="hn"><span><?php echo $lang_admin_pages['Edit pages head'] ?></span></h2>
        </div>
        <div class="main-content main-frm">
                <form class="frm-form" method="post" accept-charset="utf-8" action="<?php echo forum_link($forum_url['admin_pages']) ?>?action=edit">
                        <div class="hidden">
                                <input type="hidden" name="csrf_token" value="<?php echo generate_form_token(forum_link($forum_url['admin_pages']).'?action=edit') ?>" />
                        </div>

                        <div class="content-head">
                                <h3 class="hn"><span><?php echo $lang_admin_pages['Pages'] ?></span></h3>
                        </div>
                        <div class="frm-group frm-hdgroup group">

<?php

        // $i is incremented per row but never read in this file; kept only because
        // eval()'d hooks may reference it — verify before removing.
        $i = 2;
        $forum_page['item_count'] = 0;

        // One fieldset per page row. The edit/delete links are GET links; the delete
        // link only opens the confirmation form (see the del_page branch), it does not
        // delete on its own. The title is HTML-encoded; $cur_page['id'] is written
        // unencoded and is assumed to be an integer column — confirm against the schema.
        while ($cur_page = $forum_db->fetch_assoc($result))
        {

($hook = get_hook('xn_portal_by_daris_apg_pre_edit_cur_page_fieldset')) ? eval($hook) : null;

?>
                                <fieldset class="mf-set set<?php echo ++$forum_page['item_count'] ?><?php echo ($forum_page['item_count'] == 1) ? ' mf-head' : ' mf-extra' ?>">
                                        <legend><span><?php printf($lang_admin_pages['Edit or delete'], '<a href="'.forum_link($forum_url['admin_pages']).'?edit_page='.$cur_page['id'].'">'.$lang_admin_pages['Edit'].'</a>', '<a href="'.forum_link($forum_url['admin_pages']).'?del_page='.$cur_page['id'].'">'.$lang_admin_pages['Delete'].'</a>') ?></span></legend>
                                        <div class="mf-box">
<?php ($hook = get_hook('xn_portal_by_daris_apg_pre_edit_cur_page_name')) ? eval($hook) : null; ?>
                                                <div class="mf-field mf-field1 forum-field">
                                                        <span class="aslabel"><?php echo $lang_admin_pages['Page name'] ?></span>
                                                        <span class="fld-input"><?php echo forum_htmlencode($cur_page['title']) ?></span>
                                                </div>
                                        </div>
<?php ($hook = get_hook('xn_portal_by_daris_apg_pre_edit_cur_page_fieldset_end')) ? eval($hook) : null; ?>
                                </fieldset>
<?php

                ($hook = get_hook('xn_portal_by_daris_apg_edit_cur_page_fieldset_end')) ? eval($hook) : null;

                ++$i;
        }

?>
                        </div>
                </form>
        </div>
<?php

}


($hook = get_hook('xn_portal_by_daris_apg_end')) ? eval($hook) : null;

// Splice the buffered page body into the template
$tpl_temp = forum_trim(ob_get_contents());
$tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
ob_end_clean();
// END SUBST - <!-- forum_main -->

require FORUM_ROOT.'footer.php';